Commit Graph

4522 Commits

Author SHA1 Message Date
Hare Sudhan f2ceee6e92 Merge branch 'master' into tf 2022-10-24 12:28:07 -04:00
Atomic Red Team doc generator e4844d7576 Generated docs from job=generate-docs branch=master [ci skip] 2022-10-24 16:27:34 +00:00
Atomic Red Team GUID generator 890607b6fe Generate GUIDs from job=generate-docs branch=master [skip ci] 2022-10-24 16:27:28 +00:00
Thomas de Brelaz f710d57e40 T1547.004 new hklm tests (#2196)
* Created 3 copies of the original HKCU tests but on HKLM

 Committer: Thomas De Brelaz <thockoro@hotmail.com>

* Removed Notify tests, no longer supported in Win10, and the tests were broken due to a missing DLL prerequisite

* re-added notify test

 Committer: Thomas De Brelaz <thockoro@hotmail.com>

 Committer: Thomas De Brelaz <thockoro@hotmail.com>

Co-authored-by: Thomas De Brelaz <thomas.de-brelaz@ubisoft.com>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2022-10-24 10:27:01 -06:00
Atomic Red Team doc generator 4787dc43e9 Generated docs from job=generate-docs branch=master [ci skip] 2022-10-24 16:19:18 +00:00
Atomic Red Team GUID generator b1048a588d Generate GUIDs from job=generate-docs branch=master [skip ci] 2022-10-24 16:19:11 +00:00
tccontre 638ba68ee6 Tccontre patch 1 (#2200)
* Update T1124.yaml

* Update T1033.yaml

* Update T1033.yaml

* Update T1033.yaml

* Update T1033.yaml

* Update T1033.yaml

* Update T1016.yaml

* Update T1016.yaml

* update test name

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2022-10-24 10:18:40 -06:00
Hare Sudhan 9b4c575d76 terraform variable changes 2022-10-24 12:15:48 -04:00
Hare Sudhan 464fee8ba4 Merge branch 'master' into tf 2022-10-23 17:09:50 -04:00
Atomic Red Team doc generator b9aebd1c0e Generated docs from job=generate-docs branch=master [ci skip] 2022-10-21 02:18:13 +00:00
BlueTeamOps f3a038ca78 Remove trailing \ from web_shells default path (#2199)
xcopy doesn't work when there is a trailing \ in a path.
The default PathToAtomicsFolder\T1505.003\src\ caused the "Invalid path" error.
Removing the trailing \ fixes the issue.
2022-10-20 20:17:29 -06:00
Atomic Red Team doc generator 3927202872 Generated docs from job=generate-docs branch=master [ci skip] 2022-10-20 21:47:35 +00:00
Atomic Red Team GUID generator 80be4123cd Generate GUIDs from job=generate-docs branch=master [skip ci] 2022-10-20 21:47:29 +00:00
Michael Haag 0d4622f4e8 Update T1564.yaml (#2198) 2022-10-20 15:46:58 -06:00
Atomic Red Team doc generator 27f8de3193 Generated docs from job=generate-docs branch=master [ci skip] 2022-10-19 16:13:48 +00:00
Carrie Roberts f10bb08817 fix dir creation (#2194)
Co-authored-by: Michael Haag <5632822+MHaggis@users.noreply.github.com>
2022-10-19 10:13:16 -06:00
Atomic Red Team doc generator 99f4231d0b Generated docs from job=generate-docs branch=master [ci skip] 2022-10-19 01:43:05 +00:00
Jose Enrique Hernandez dd82e78da7 Merge pull request #2099 from chronolator/T1201_Improved
T1201_Improved
2022-10-18 21:42:37 -04:00
Jose Enrique Hernandez 9c3f3e6b9e Merge branch 'master' into T1201_Improved 2022-10-18 21:41:30 -04:00
Atomic Red Team doc generator 69028837c2 Generated docs from job=generate-docs branch=master [ci skip] 2022-10-19 01:28:38 +00:00
b0bbey 7b1e347a4d Update T1014.md because of typo at Test number 3 (yaml corrected) (#2189)
ld.so.preload instead of ls.so.preload

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2022-10-18 19:28:00 -06:00
Atomic Red Team doc generator 2be544c1d5 Generated docs from job=generate-docs branch=master [ci skip] 2022-10-19 01:26:46 +00:00
harshalcoep a865221e1a Minor edits to test number 2 (#2190)
Separated reference URLs in description section with commas ','

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2022-10-18 19:26:16 -06:00
Atomic Red Team doc generator ff1a5cf07b Generated docs from job=generate-docs branch=master [ci skip] 2022-10-19 01:25:12 +00:00
tlor89 0f6a242985 T1106_update (#2192)
* T1106_update

* typo fix

Co-authored-by: Toua Lor <tlor@nti.local>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2022-10-18 19:24:39 -06:00
Atomic Red Team doc generator 3802eaffdf Generated docs from job=generate-docs branch=master [ci skip] 2022-10-19 01:22:59 +00:00
tlor89 e3cb7dbc2b T1105_update (#2191)
* T1105_update

* Update the syntax issue

* typo fix

Co-authored-by: Toua Lor <tlor@nti.local>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2022-10-18 19:22:14 -06:00
Atomic Red Team doc generator 825c959f98 Generated docs from job=generate-docs branch=master [ci skip] 2022-10-18 16:52:04 +00:00
jmac774 da55a259c9 Fix T1098.004 (#2193)
Fix for systems with multiple authorized keys. Without quotes, the echo command separates lines with a space instead of a newline character, which breaks the authorized_keys file when there are multiple keys in the file.
2022-10-18 10:51:15 -06:00
Jose Enrique Hernandez 5335976629 Merge branch 'master' into tf 2022-10-17 14:20:30 -04:00
Atomic Red Team doc generator 4abb614556 Generated docs from job=generate-docs branch=master [ci skip] 2022-10-17 16:47:12 +00:00
Atomic Red Team GUID generator 0d7ea66552 Generate GUIDs from job=generate-docs branch=master [skip ci] 2022-10-17 16:47:06 +00:00
Paul Michaud b9e306b765 Merge pull request #2188 from harshalcoep/master
Added a new atomic test
2022-10-17 16:46:40 +00:00
harshalcoep 3b3642544f Merge branch 'master' into master 2022-10-17 21:39:30 +05:30
Atomic Red Team doc generator dd2090cd6d Generated docs from job=generate-docs branch=master [ci skip] 2022-10-17 15:11:59 +00:00
tlor89 8e594d58d5 Update T1090.003.yaml (#2187)
* Update T1090.003.yaml

Add prereq for test 1 on batch file requirements

* Update T1090.003.yaml

fixed the spacing

* Update T1090.003.yaml

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2022-10-17 09:11:19 -06:00
harshalcoep 17b0ff7915 Added a new atomic test
We have added a new atomic test with guid ffcbfaab-c9ff-470b-928c-f086b326089b that sets two registry keys, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption and HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText, to display a ransom message. While executing this atomic test, the value for these registry keys can be configured using the switch -PromptForInputArgs. This technique has been used by many ransomware families in the past, including SynAck, Grief, Maze, Pysa, Spook, DoppelPaymer, Redeemer and Kangaroo. After encrypting files, ransomware modifies the Windows LegalNoticeCaption and LegalNoticeText registry keys to display a ransom message to the victim at logon.
2022-10-17 20:28:17 +05:30
Hare Sudhan 5361fc6e6b fixing validation error 2022-10-14 10:35:29 -04:00
Hare Sudhan d4de9ad03a minor changes to terraform generation 2022-10-14 10:31:43 -04:00
Jose Enrique Hernandez e774b3cdc9 Merge branch 'master' into T1201_Improved 2022-10-14 10:31:12 -04:00
Hare Sudhan 8d9e66adf9 Update readme 2022-10-13 23:50:01 -04:00
Hare Sudhan 6841c430cb poc added 2022-10-13 23:42:40 -04:00
Atomic Red Team doc generator 84cd4177fe Generated docs from job=generate-docs branch=master [ci skip] 2022-10-13 17:48:19 +00:00
harshalcoep a7bf035f55 Modify description of "Disable UAC admin consent prompt" (#2184)
Changing the description of atomic test 251c5936-569f-42f4-9ac2-87a173b9e9b8 from "modifying the registry key" to "setting the registry key".  In this context, the word "setting" sounds more appropriate than "modifying".
2022-10-13 11:47:48 -06:00
Atomic Red Team doc generator 112ee4dd2e Generated docs from job=generate-docs branch=master [ci skip] 2022-10-13 14:20:53 +00:00
Atomic Red Team GUID generator 540ae0d64c Generate GUIDs from job=generate-docs branch=master [skip ci] 2022-10-13 14:20:47 +00:00
harshalcoep c566f8d83f New Atomic-Test (#2183)
* New Atomic-Test

Proposing a new atomic test "Disable UAC admin consent prompt". The existing atomic test with guid 9e8af564-53ec-407e-aaa8-3cb20c3af7f9 disables UAC by setting the "EnableLUA" registry value to 0. UAC can also be disabled by setting the "ConsentPromptBehaviorAdmin" registry value to 0 (https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpsb/341747f5-6b5d-4d30-85fc-fa1cc04038d4). This registry value has been altered by several malware families in the past (https://cloudsek.com/technical-analysis-of-medusalocker-ransomware/, https://blogs.blackberry.com/en/2022/01/threat-thursday-purple-fox-rootkit, https://blogs.blackberry.com/en/2021/06/threat-thursday-avaddon-ransomware-uses-ddos-attacks-as-triple-threat). Hence, proposing a new atomic test with guid 251c5936-569f-42f4-9ac2-87a173b9e9b8 that bypasses UAC by setting the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin to 0.

* add blog links

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2022-10-13 08:20:18 -06:00
Atomic Red Team doc generator eedbea628e Generated docs from job=generate-docs branch=master [ci skip] 2022-10-12 19:54:00 +00:00
Atomic Red Team GUID generator b08b38f654 Generate GUIDs from job=generate-docs branch=master [skip ci] 2022-10-12 19:53:52 +00:00
CDub1016 3bff37d737 T1204.002 Added Test to Emulate Mirror Blast TA505 (#2180)
* Update T1204.002.yaml

Added Mirror Blast technique.

* Update T1204.002.yaml

Added cleanup command to Mirror Blast Test.

* Add files via upload

Added Excel sheet with macro to download 7zip.

* Add files via upload

Information about macro in Mirror Blast.

* use PathToAtomicsFolder

* add link to blog

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2022-10-12 13:53:10 -06:00