* Update T1003.002.yaml for PowerDump
Added PowerDump to parse SAM and SYSTEM for usernames and Hash
* Add fixes
Updated with fixes.
Its not erroring with Multiple cleanup
Removed preReqs, don't need them
Removed SAM and SYSTEM file dep... PowerDump can just Dump Registry for Hashes and Usernames
* Getting permanent links to file
Added permanent link to PowerDump in BC-SECURITY Github
* updated description
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Rough implementation of T1070.001 (clear Windows event logs)
* Enhanced PS log clearing to cover all eventlogs
Co-authored-by: Jil <jil@localhost>
Co-authored-by: Michael Haag <mike@redcanary.com>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Create sys_info.vbs
This file is to be used with a new atomic I am writing for T1059.005.
* Create sys_info.vbs
Moved vbscript to /src directory.
* Create T1059.005.yaml
Added yaml file for T1059.005
* Delete sys_info.vbs
* Update T1059.005.yaml
* Update T1059.005.yaml
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Create T1078.001 and yaml
Creating Folder for sub technique and yaml for .001
* Update T1078.001.yaml
* Update T1078.001.yaml
* Update T1078.001.yaml
Added Remote Desktop Users group and the capability to have multiple RDP connections to Desktop for Guest user
* edit display name
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Create T1078.001 and yaml
Creating Folder for sub technique and yaml for .001
* Update T1078.001.yaml
* Update T1078.001.yaml
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Update T1040.yaml
Uses the built-in Windows packet capture
* Update T1040
Adding temp folder and del command to delete that trace.etl and added sleep command before and after (it does a little bit of processing when stopped) with PowerShell.
* Update T1040.yaml
Changed to use variables where possible (couldn't get %temp% to work in the command) Use a long time out (50 seconds) as it took awhile for collections to complete . Added more description to explain what artifacts are left after execution. Thanks Carrie with all your time/input spent on this to make it great.
* Update T1040.yaml
added %LOCALAPPDATA%
* Update T1040.yaml
Switched to %temp%
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Fix: only_platform circular argument reference
Remove a circular argument reference of only_platform, which was causing scripts in ./bin/ to error out when using Ruby version 2.7.
* Add T1053.001 Test 1
Co-authored-by: Billy Wilson <billy_wilson@byu.edu>
* Fix T1551 to T1070
Found that we had T1070 labeled incorrectly as T1551. MITRE pushed a fix for this per https://attack.mitre.org/resources/updates/updates-july-2020/
```
Indicator Removal on Host Was incorrectly re-IDd to T1551, restored to T1070 and its sub-techniques were changed to T1070.001, T1070.002, T1070.003, T1070.004, T1070.005, and T1070.006
```
* Generate MD fix
Attempting to get the MD to generate
* Update enterprise-attack.json
* Generate docs from job=validate_atomics_generate_docs branch=T1070-indicator-removal-fix
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
Jesse Moore