security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
5,354 Commits 47 Branches 0 Tags
f321b44948eebf8bee1fcf88910dcbe13c87defe
Commit Graph

5354 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Mohana Shankar D f321b44948 New atomic Test - Driver Enumeration using driverquery (#2473) 
* New atomic Test - Driver Enumeration using driverquery

* Update T1082.yaml

---------

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
 2023-06-26 16:17:00 -06:00
Atomic Red Team doc generator e3aacfbaca Generated docs from job=generate-docs branch=master [ci skip] 2023-06-26 21:55:02 +00:00
Atomic Red Team GUID generator 8f8d90d9b1 Generate GUIDs from job=generate-docs branch=master [skip ci] 2023-06-26 21:54:44 +00:00
Israel Anitube 5a58c4aafa Create T1562.009.yaml with "Impair Defenses - Safe Boot Mode" (#2472) 
* Create T1562.009.yaml

Details:
Allows adversaries to abuse safe mode to disable endpoint defenses that may not start with limited boot. This is achieved by modifying Boot Configuration Data (BCD) stores, which are files that manage boot application settings. Applying the following command which requires elevated privileges, causes the sytsem to boot in safe mode at next startup or restart.

"bcdedit /set safeboot network"

Testing
Testing was successfully carried out on Win 10 x64.
Cleanup commands "bcdedit /deletevalue {current} safeboot" was used to restore boot to normal

Associated Issues
None.

* Update T1562.009.yaml

---------

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
 2023-06-26 15:53:53 -06:00
Atomic Red Team doc generator 0bf9a391c5 Generated docs from job=generate-docs branch=master [ci skip] 2023-06-26 20:40:02 +00:00
Atomic Red Team GUID generator cfaea8c1fb Generate GUIDs from job=generate-docs branch=master [skip ci] 2023-06-26 20:39:45 +00:00
jonod8698 a99fe1ba3d Add T1539 macOS Chrome Remote Debugging (#2469) 
* Add T1539 macOS Chrome Remote Debugging

* Split into 2 prereqs & specify /tmp

---------

Co-authored-by: Jonathan Duan <jduan@neptsec.com>
Co-authored-by: Hare Sudhan <code@0x6c.dev>
 2023-06-26 16:39:06 -04:00
Atomic Red Team doc generator 26398fb9c6 Generated docs from job=generate-docs branch=master [ci skip] 2023-06-26 20:31:24 +00:00
Atomic Red Team GUID generator 47894bd586 Generate GUIDs from job=generate-docs branch=master [skip ci] 2023-06-26 20:31:07 +00:00
Kevin Stapleton 604f016a2c Added Linux Tests to T1069.002, T1087.002, T1136.002 (#2468) 
* adding linux client test to T1069.002 AD tests

* changed prereq for packages

* temp removing prereq

* adding first prereq

* prereq fails

* trying elevated permissions

* alright, no prereq

* Revert "temp removing prereq"

This reverts commit 3bc8ef5fb22dc09fa1ca2ad5282cbdbaf55280de.

* should work now

* removing prereq entirely

* correct dependency_executor

* adding prereq check for all packages

* adding input arg for password

* changing command to autoinclude password

* back to original command, starting work on 1078

* back to original command, starting work on 1078

* putting echo on command for runner to see arguments supplied

* continuing work on 1078

* first attempt at T1078.002

* removed extraneous code

* temp remove cleanup

* removed flag on echo

* updated first comand

* updating input variable ref

* removing flag again

* updating ou

* attempting to change ou to cn

* new uid

* explictely defining dc

* more attempts

* changed uid

* removed first uid

* trying without num

* changing cn back to ou

* change case

* fixed dc

* removing second dc ref

* following IBM guide

* removed extraneous space

* space between userpassword

* reintroducing dc

* added echo

* trying something new

* updated echo

* adding back admin user input

* attempting default

* trying add to previous group

* revert back to just admin user

* missed #

* adding back -x

* making ou and cn match

* attempting to match search style

* removing space

* improved formatting

* simplified

* replacing authentication

* -D object

* reintroduced admin user

* fixed top level domain

* return to old

* holding breath

* setting user to just person type

* removing uid from front

* changing dc

* trying to update cn

* update cn

* changing to object form... again

* chat gpt wrote this

* added cleanup

* updating command

* removed space

* added space

* revert from object

* looking into issues with cleanup command being unable to find user (yet it already exists)

* changed ldapdelete to ldapmodify

* updating temporary user name

* fixing typo in cleanup command

* creating new yaml file for T1136, similar to T1078. Future plans to modify T1078.002 to either run a process or elevate a user

* first attempt at creating domain admin

* changing CN to Domain Admins

* improved formatting (getting error 32)

* changing ldif file echo

* ldapadd to ldapmodify

* adding domain admins domain if it doesn't exist

* redo formatting

* removing create domain admin group

* trying ldapadd again

* updating prereq commands, removing admin requirement from ldapsearchs

* adding linux client test to T1069.002 AD tests

* changed prereq for packages

* temp removing prereq

* adding first prereq

* prereq fails

* trying elevated permissions

* alright, no prereq

* Revert "temp removing prereq"

This reverts commit 3bc8ef5fb22dc09fa1ca2ad5282cbdbaf55280de.

* should work now

* removing prereq entirely

* correct dependency_executor

* adding prereq check for all packages

* adding input arg for password

* changing command to autoinclude password

* back to original command, starting work on 1078

* back to original command, starting work on 1078

* putting echo on command for runner to see arguments supplied

* continuing work on 1078

* first attempt at T1078.002

* removed extraneous code

* temp remove cleanup

* removed flag on echo

* updated first comand

* updating input variable ref

* removing flag again

* updating ou

* attempting to change ou to cn

* new uid

* explictely defining dc

* more attempts

* changed uid

* removed first uid

* trying without num

* changing cn back to ou

* change case

* fixed dc

* removing second dc ref

* following IBM guide

* removed extraneous space

* space between userpassword

* reintroducing dc

* added echo

* trying something new

* updated echo

* adding back admin user input

* attempting default

* trying add to previous group

* revert back to just admin user

* missed #

* adding back -x

* making ou and cn match

* attempting to match search style

* removing space

* improved formatting

* simplified

* replacing authentication

* -D object

* reintroduced admin user

* fixed top level domain

* return to old

* holding breath

* setting user to just person type

* removing uid from front

* changing dc

* trying to update cn

* update cn

* changing to object form... again

* chat gpt wrote this

* added cleanup

* updating command

* removed space

* added space

* revert from object

* looking into issues with cleanup command being unable to find user (yet it already exists)

* changed ldapdelete to ldapmodify

* updating temporary user name

* fixing typo in cleanup command

* creating new yaml file for T1136, similar to T1078. Future plans to modify T1078.002 to either run a process or elevate a user

* first attempt at creating domain admin

* changing CN to Domain Admins

* improved formatting (getting error 32)

* changing ldif file echo

* ldapadd to ldapmodify

* adding domain admins domain if it doesn't exist

* redo formatting

* removing create domain admin group

* trying ldapadd again

* updating prereq commands, removing admin requirement from ldapsearchs

* small changes to search parameters

* changed Domains search to search for Domain Users

* added objectClass=group flag

* separating flag from string

* removing T1078, to be done in future

* added {cleartext} to admin password

* restoring deleted file. My antivirus really hates this file...

* update for spec

* update to spec

* adding name to atomic test

* moved from deprecated -h -p flags to -H flag

* fix cleanup commands with same flag changes

* add ldap://

* removing unused input variable, domain controller

* final commit, all tests passed with -H, updating the desc of T1136.002/4

---------

Co-authored-by: Hare Sudhan <code@0x6c.dev>
 2023-06-26 16:30:28 -04:00
Atomic Red Team doc generator 5360c9d9ff Generated docs from job=generate-docs branch=master [ci skip] 2023-06-23 23:10:43 +00:00
hRun df3e84d861 Correct T1547.004 Winlogon Notification test (#2470) 
* Corrected T1547.004 Winlogon Notification test

* Added hint on deprecation

---------

Co-authored-by: Hare Sudhan <code@0x6c.dev>
 2023-06-23 17:09:45 -06:00
Atomic Red Team doc generator 3d463e9be0 Generated docs from job=generate-docs branch=master [ci skip] 2023-06-23 22:43:43 +00:00
Atomic Red Team GUID generator a5741ecb8f Generate GUIDs from job=generate-docs branch=master [skip ci] 2023-06-23 22:43:25 +00:00
Bhavin Patel ec3898e65b Merge pull request #2457 from redcanaryco/gcp-atomic-additions 
Add GCP Atomics
 2023-06-23 15:42:08 -07:00
Hare Sudhan f10b65a2ea add terraform files for T1098-17 2023-06-22 21:21:40 -04:00
Hare Sudhan 21129d8e95 Merge branch 'master' into gcp-atomic-additions 2023-06-22 20:38:13 -04:00
Hare Sudhan 098518241a fix T1078.004 2023-06-22 20:37:31 -04:00
Hare Sudhan 63a994cf86 fix terraform; move gcloud login to deps 2023-06-22 20:34:28 -04:00
Atomic Red Team doc generator 0f229c0e42 Generated docs from job=generate-docs branch=master [ci skip] 2023-06-16 03:55:19 +00:00
Atomic Red Team GUID generator 6ce797c851 Generate GUIDs from job=generate-docs branch=master [skip ci] 2023-06-16 03:55:01 +00:00
amalone-scwx 98bcc73b89 Add T1036.004 linux test rename process comm using prctl PR_SET_NAME (#2458) 
* Add T1036.004 linux test rename process comm using prctl PR_SET_NAME

* fixing test to work with invoke-atomic

---------

Co-authored-by: Hare Sudhan <code@0x6c.dev>
 2023-06-15 23:54:21 -04:00
Atomic Red Team doc generator 2b77bcb303 Generated docs from job=generate-docs branch=master [ci skip] 2023-06-15 22:33:14 +00:00
Carrie Roberts a8fe2d2d77 mv adfind to bin (#2465) 
* move adfind to external resource

* mv adfind to bin
 2023-06-15 16:32:13 -06:00
Atomic Red Team doc generator 282a250cc9 Generated docs from job=generate-docs branch=master [ci skip] 2023-06-15 21:42:03 +00:00
Carrie Roberts 32a4415e43 move adfind to external resource (#2464) 2023-06-15 15:40:50 -06:00
Atomic Red Team doc generator 868f5477f6 Generated docs from job=generate-docs branch=master [ci skip] 2023-06-15 19:53:19 +00:00
Carrie Roberts 586818a01f use ExternalPayloads folder (#2462) 
* use ExternalPayloads folder

* psexec as external dependency

* psexec as external dependency
 2023-06-15 13:52:16 -06:00
Atomic Red Team doc generator 7a430d5794 Generated docs from job=generate-docs branch=master [ci skip] 2023-06-15 19:00:19 +00:00
Michael Haag 186b743391 Update T1553.005.yaml (#2463) 
ISO would mount but was not able to run the .exe. I fixed it. Now it works!
 2023-06-15 12:59:17 -06:00
Atomic Red Team doc generator 84215139ee Generated docs from job=generate-docs branch=master [ci skip] 2023-06-15 16:29:11 +00:00
Carrie Roberts db1a2cf461 removing: Disable Defender with Defender Control (#2461) 2023-06-15 10:28:12 -06:00
Atomic Red Team doc generator cef46e4479 Generated docs from job=generate-docs branch=master [ci skip] 2023-06-15 16:17:12 +00:00
Carrie Roberts 068d32b1ea use ExternalPayloads directory (#2460) 
* use ExternalPayloads directory

* use ExternalPayloads directory

* use ExternalPayloads directory
 2023-06-15 10:16:12 -06:00
Atomic Red Team doc generator 199dd7f85d Generated docs from job=generate-docs branch=master [ci skip] 2023-06-14 20:25:05 +00:00
Carrie Roberts 3e4e817aa4 Add ExternalPayloads folder for downloaded prerequisites (#2459) 
* use ExternalPayloads folder for prereqs

* git ignore ExternalPayloads folder

* move External folder up one directory
 2023-06-14 14:24:03 -06:00
Atomic Red Team doc generator 085b3ec2c9 Generated docs from job=generate-docs branch=master [ci skip] 2023-06-14 00:21:58 +00:00
Atomic Red Team GUID generator 855857d46b Generate GUIDs from job=generate-docs branch=master [skip ci] 2023-06-14 00:21:36 +00:00
Bhavin Patel a6889a0c82 Merge pull request #2396 from D4rkCiph3r/D4rkCiph3r-T1486 
Added 3 new tests - macOS T1486
 2023-06-13 17:20:34 -07:00
Bhavin Patel 6d08edbdf0 Update T1486.yaml 2023-06-13 17:19:05 -07:00
Bhavin Patel f7f5761ccf Update T1486.yaml 
CI fixes
 2023-06-13 17:17:54 -07:00
Bhavin Patel 3738aed0eb Merge branch 'master' into D4rkCiph3r-T1486 2023-06-13 17:12:10 -07:00
Bhavin Patel eaba80503f Update T1486.yaml 2023-06-13 17:10:41 -07:00
Bhavin Patel 38687e45ad Update T1486.yaml 
updated prereqs for two tests, remove ccrypt test since it does not work with art and testing
 2023-06-13 17:10:04 -07:00
Hare Sudhan 336f8976d7 Merge branch 'master' into gcp-atomic-additions 2023-06-11 23:48:43 -04:00
Atomic Red Team doc generator d8c164d3e6 Generated docs from job=generate-docs branch=master [ci skip] 2023-06-10 05:19:16 +00:00
Hare Sudhan 65c5514899 Merge pull request #2452 from amalone-scwx/am_args 
parameterize T1070.002 tests
 2023-06-10 01:18:17 -04:00
Hare Sudhan d22b91cde8 Merge branch 'master' into am_args 2023-06-10 01:15:53 -04:00
Atomic Red Team doc generator 49e9c5e04e Generated docs from job=generate-docs branch=master [ci skip] 2023-06-09 22:36:42 +00:00
Bhavin Patel d025cb21db Merge pull request #2451 from cnotin/pr-remove-pfx-export 
No need to export the PFX to get the public certificate, so removed it
 2023-06-09 15:35:48 -07:00