f4eac66bb7
Generate docs from job=validate_atomics_generate_docs branch=master
2019-12-23 15:20:41 +00:00
096ba193b4
Automated test for OSX Local Library Startup Items + fixes ( #743 )
...
* Update T1165.yaml
re-wrote draft atomic:
-automated test 1
-corrected test 2 (had a non-functional default path)
-added elevation requirement to both (would be needed)
-re-wrote titles and descriptions to be more specific and clear
-added new path (/src) for the emond plist for test 2
* correcting syntax errors including cleanup command
Co-authored-by: Carrie Roberts <clr2of8@gmail.com >
2019-12-23 08:20:15 -07:00
765c34ead6
rm .plist file (it is now in /src directory) ( #744 )
...
* rm .plist file (it is now in /src directory)
* Create T1165_emond.plist
Co-authored-by: Carrie Roberts <clr2of8@gmail.com >
2019-12-23 08:16:18 -07:00
53a8393c74
copied script to /src ( #741 )
2019-12-21 19:44:19 -07:00
a8b96af84b
Generate docs from job=validate_atomics_generate_docs branch=master
2019-12-22 02:43:44 +00:00
0c84aca2e4
Rewrote "Trap" test to not pull down remote files ( #740 )
...
* added /src path + avoided using curl
-supported platforms included "linux" so no need to list out centos and ubuntu specifically
-test previously used curl to download script; which adds other elements to the test (requires proxy, remote, curl, etc.)
-updated to use $PathToAtomicsFolder variable instead
-fixed bash syntax needed to use new path
* corrected INT command (now SIGINt), from original
* rm file, now is in /src directory
Co-authored-by: Carrie Roberts <clr2of8@gmail.com >
2019-12-21 19:43:22 -07:00
1698e5c347
duplicate file is not needed, recent invoke-atomic changes removed the need for this ( #739 )
2019-12-21 19:39:08 -07:00
c7d95ebc23
Generate docs from job=validate_atomics_generate_docs branch=master
2019-12-22 00:19:55 +00:00
9df75a4013
added path to src directory ( #738 )
2019-12-21 17:16:57 -07:00
20fbdb7173
Generate docs from job=validate_atomics_generate_docs branch=master
2019-12-20 22:04:10 +00:00
38a5811f31
using updated version of mimikatz that works on latest win10 versions ( #736 )
2019-12-20 15:03:50 -07:00
5e90af5009
Generate docs from job=validate_atomics_generate_docs branch=master
2019-12-19 03:19:21 +00:00
66b7136553
Test 4 change ( #735 )
...
Changing test 4 default IP to 127.0.0.1 instead of CloudFlare dns 1.1.1.1
2019-12-18 20:18:58 -07:00
9817fc3b59
Generate docs from job=validate_atomics_generate_docs branch=master
2019-12-19 03:16:52 +00:00
38c7ac2fe1
T1002 test 2 correction ( #734 )
...
* T1074 .bat fix
Changing "sc query" to "sc.exe query" so it runs with PowerShell. "sc" is an alias in powershell for Set-Content.
* T1002 Correction
added space between input_path and wildcard extension
2019-12-18 20:16:30 -07:00
b3ce1fb005
T1074 .bat fix ( #733 )
...
Changing "sc query" to "sc.exe query" so it runs with PowerShell. "sc" is an alias in powershell for Set-Content.
2019-12-18 09:32:36 -07:00
84b724b29d
Generate docs from job=validate_atomics_generate_docs branch=master
2019-12-18 06:45:00 +00:00
cf2879466d
T1114 Update ( #730 )
...
* Removed text "comments" that were attempting to run as commands.
Simplified command block script execution. Added input arguments for
save path for script output. added cleanup commands.
* Replaced hard coded command with $PathToAtomicsFolder variable.
2019-12-17 23:44:35 -07:00
3fdbd91fc0
Generate docs from job=validate_atomics_generate_docs branch=master
2019-12-18 06:11:04 +00:00
40845ae5dd
Fix issue #499 for T1007 ( #729 )
2019-12-17 23:10:44 -07:00
ab4c68b970
Execute powershell with "-Command -" arguments. Tell powershell to read scripts from stdin. ( #727 )
2019-12-17 23:09:02 -07:00
f51c26ab5f
Revert "Added WCE executable to test 3 (Windows Credentials Editor)" ( #728 )
...
* Revert "Added WCE executable to test 3 (#720 )"
This reverts commit 9006f3c581
2019-12-17 09:45:42 -06:00
b18c5a498d
Generate docs from job=validate_atomics_generate_docs branch=master
2019-12-17 00:05:19 +00:00
3750c092bc
Add "#" before file_extension argument ( #726 )
2019-12-16 17:04:56 -07:00
c34176e00b
Generate docs from job=validate_atomics_generate_docs branch=master
2019-12-17 00:03:42 +00:00
4364411ff4
update tests ( #725 )
2019-12-16 17:03:20 -07:00
cf15882964
Generate docs from job=validate_atomics_generate_docs branch=master
2019-12-17 00:02:40 +00:00
df12b3792b
This is to add a new atomic for windows that uses curl instead of ( #724 )
...
powershell for testing in environments that do not have powershell
logging enabled (such as ours).
It will be nearly identical to the "Malicious User Agents - Nix*"*
atomic.
2019-12-16 17:02:02 -07:00
1ea8c4616c
Generate docs from job=validate_atomics_generate_docs branch=master
2019-12-17 00:00:29 +00:00
6defb7663c
Improve More Tests ( #723 )
2019-12-16 17:00:10 -07:00
4016e55313
Generate docs from job=validate_atomics_generate_docs branch=master
2019-12-16 23:57:19 +00:00
e57e2065e5
Add test for T1093 that performs Process Hollowing ( #722 )
2019-12-16 16:56:48 -07:00
9643ba9969
Generate docs from job=validate_atomics_generate_docs branch=master
2019-12-16 23:54:21 +00:00
f39c39b29a
Batch of improvements ( #721 )
...
* another batch of improvements
* delete duplicate test, extra cleaining pass
* Improve Tests
* Delete test that is way to specific to be usefull
2019-12-16 16:54:01 -07:00
86759f1971
Generate docs from job=validate_atomics_generate_docs branch=master
2019-12-16 23:51:26 +00:00
9006f3c581
Added WCE executable to test 3 ( #720 )
2019-12-16 16:51:04 -07:00
e396eb9f63
Generate docs from job=validate_atomics_generate_docs branch=master
2019-12-16 21:20:43 +00:00
de8df502af
T1518 software discovery added test, cleanup ( #718 )
...
* New test, spelling fix
Added a test for all software installed and minor spelling fix
* Spelling
2019-12-16 14:20:02 -07:00
b85fe323b8
fix default PathToAtomicsFolder ( #719 )
2019-12-11 19:20:00 -07:00
b5224846d5
Generate docs from job=validate_atomics_generate_docs branch=master
2019-12-10 22:22:06 +00:00
23d49d8108
Add test for T1502 that performs Parent PID Spoofing ( #708 )
2019-12-10 15:21:34 -07:00
e11b77f02f
Generate docs from job=validate_atomics_generate_docs branch=master
2019-12-10 18:22:55 +00:00
3293e54771
New test, spelling fix ( #717 )
...
Added a test for all software installed and minor spelling fix
2019-12-10 11:22:30 -07:00
fbda422009
Generate docs from job=validate_atomics_generate_docs branch=master
2019-12-10 18:19:40 +00:00
0c5bcef840
Batch of improvements ( #716 )
...
* another batch of improvements
* delete duplicate test, extra cleaining pass
2019-12-10 11:19:19 -07:00
890099be35
Generate docs from job=validate_atomics_generate_docs branch=master
2019-12-10 14:18:39 +00:00
0544e5e777
add psexec test ( #713 )
...
* add psexec test
* fix misspelling
* fix misspelling for real this time
* add prereq command
2019-12-10 07:18:26 -07:00
bf4c7559d0
Generate docs from job=validate_atomics_generate_docs branch=master
2019-12-10 13:51:22 +00:00
48ef8edee0
Improve tests ( #715 )
...
* continue work
* remove duplicate test, this is also in 1023
* update more tests
* cleaning pass
2019-12-10 06:51:01 -07:00
7eca6e24e4
Generate docs from job=validate_atomics_generate_docs branch=master
2019-12-09 23:08:11 +00:00
CircleCI Atomic Red Team doc generator