* New test to allow program through firewall
This test will attempt to allow an executable located in the Users directory through the system firewall.
* Create AtomicTestPlaceholder
* AtomicTest executable added for test
* Delete AtomicTestPlaceholder
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Changed Admin Account Manipulate to be able to use Cleanup, as suggested in PR #1201
Co-authored-by: Didier Cambefort <didier.cambefort@scrt.ch>
* T1110.002 Hashcat
* Update to T1110.002.yaml
Since Hashcat downloads as a 7zip archive, I had to do some hacky things to get that to run on the system via $env:temp. I have tested via start-AtomicGUI, the check-prereqs and GetReqs, Invoke-AtomicTest T1110.002, and the -cleanup command. This should be ready for anyone.
* Added "Elevation is required" for command
Elevation is required for the attack command.
* updates from Carrie
see comments in PR for details
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Before: NPPSPY is installed into the atomics src directories; the test looks for it in the local temp directory, resulting in an error.
After: Test is changed to look for NPPSPY directly in the atomics src directory.
* Change test to install the prereq to the local temp directory and work from there.
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Update T1562.004.yaml
Added a new atomic test to open a port through Windows Firewall for any profile.
* Update T1562.004.yaml
Added some fixes to the command and cleanup.
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
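As an added example of the kind of rule the commit above describes (this is not the project's T1562.004 atomic test, and it assumes a placeholder rule name and port of its own), the following PowerShell opens an inbound TCP port across all firewall profiles, verifies the rule landed, and then removes it as cleanup. It uses the NetSecurity cmdlets rather than `netsh`, and it refuses to run unless the session is elevated, since the rule change fails without administrator rights:

```powershell
# Added example, not code from the Atomic Red Team project.
# Opens an inbound TCP port on every firewall profile, checks it, then cleans up.
# Assumptions: rule name and port below are placeholders, not from the project.
$RuleName = "AtomicExample_OpenPort_AnyProfile"   # assumed name
$Port     = 13337                                 # assumed port

# Firewall changes require elevation; fail early with a clear message.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Elevation is required: run this from an administrator PowerShell session."
}

# Attack step: allow inbound TCP on $Port for the Domain, Private and Public profiles.
New-NetFirewallRule -DisplayName $RuleName `
                    -Direction Inbound `
                    -Action Allow `
                    -Protocol TCP `
                    -LocalPort $Port `
                    -Profile Any | Out-Null

# Check: confirm the rule exists, is enabled, and carries the expected port and profile.
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction Stop
$portFilter = $rule | Get-NetFirewallPortFilter
"{0}: Enabled={1} Profile={2} Port={3}" -f $rule.DisplayName, $rule.Enabled, $rule.Profile, $portFilter.LocalPort

# Cleanup: remove every rule with that display name. -ErrorAction SilentlyContinue
# keeps the cleanup idempotent if the rule was already deleted.
Remove-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
```

Detection-wise, the rule creation is recorded in the Windows Firewall With Advanced Security operational log (rule-added events) and, if auditing of MPSSVC rule-level policy change is enabled, in the Security log, so a test like this is a convenient way to confirm that those channels are being collected before the real atomic is run.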
* Implemented Domain account manipulation
* remove manually specified GUID
Removing the GUID so it can be assigned at merge time.
Co-authored-by: Didier Cambefort <didier.cambefort@scrt.ch>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Update T1003.002.yaml for PowerDump
Added PowerDump to parse SAM and SYSTEM for usernames and hashes.
* Add fixes
Updated with fixes.
It's not erroring with multiple cleanups.
Removed prereqs; don't need them.
Removed the SAM and SYSTEM file dependency... PowerDump can just dump the registry for hashes and usernames.
* Getting permanent links to file
Added permanent link to PowerDump in BC-SECURITY Github
Updated description.
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Rough implementation of T1070.001 (clear Windows event logs)
* Enhanced PS log clearing to cover all event logs
Co-authored-by: Jil <jil@localhost>
Co-authored-by: Michael Haag <mike@redcanary.com>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
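As an added example (not the project's T1070.001 atomic, which is in the yaml rather than on this page), the snippet below shows what "cover all event logs" means in practice: `Clear-EventLog` only reaches the classic logs, whereas enumerating channels with `wevtutil el` and clearing each one also hits the newer ETW-backed channels. It lists non-empty logs before and after so the effect is visible. The helper function name is this example's own, and the whole thing is destructive, so it belongs on a throwaway test VM run from an elevated session:

```powershell
# Added example, not code from the Atomic Red Team project.
# Clears every event log channel on the host and shows the before/after state.
# Assumption: Get-NonEmptyLogs is a helper defined here, not a project function.

function Get-NonEmptyLogs {
    # Get-WinEvent -ListLog * covers classic logs and ETW channels alike;
    # some channels deny access even to administrators, so suppress those errors.
    Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordCount -gt 0 } |
        Select-Object LogName, RecordCount
}

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Elevation is required to clear event logs."
}

Write-Host "Non-empty logs before clearing:"
Get-NonEmptyLogs | Format-Table -AutoSize

# Attack step: enumerate all channels and clear each one.
# A few channels cannot be cleared (analytic/debug or protected ones); their
# stderr is discarded so the loop keeps going.
wevtutil el | ForEach-Object { wevtutil cl "$_" 2>$null }

Write-Host "Non-empty logs after clearing:"
Get-NonEmptyLogs | Format-Table -AutoSize
```

The "after" list is rarely empty: clearing the Security log writes Event ID 1102 ("The audit log was cleared") into it, and clearing System writes Event ID 104, so those records survive by design and are exactly the events a detection for this technique should key on.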
* Create sys_info.vbs
This file is to be used with a new atomic I am writing for T1059.005.
* Create sys_info.vbs
Moved VBScript to the /src directory.
* Create T1059.005.yaml
Added yaml file for T1059.005
* Delete sys_info.vbs
* Update T1059.005.yaml
* Update T1059.005.yaml
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>