CircleCI Atomic Red Team doc generator
fd93a2fe2a
Generate docs from job=validate_atomics_generate_docs branch=master
2019-10-15 00:46:28 +00:00
Carrie Roberts
1ec4ee2afd
fixed loop counter ( #583 )
2019-10-14 18:46:16 -06:00
CircleCI Atomic Red Team doc generator
af26d075f8
Generate docs from job=validate_atomics_generate_docs branch=master
2019-10-08 18:40:28 +00:00
dwhite9
4f98d55d74
T1086 - Added Atomic for writing file in alternate data stream and simulating code execution. ( #582 )
* Adding T1086 Alternate Data Stream atomic
* Added newline T1086
2019-10-08 12:40:16 -06:00
CircleCI Atomic Red Team doc generator
f0791ee056
Generate docs from job=validate_atomics_generate_docs branch=master
2019-10-08 18:20:14 +00:00
h00die
ca3872b352
fix savertimeout to savetimeout ( #579 )
2019-10-08 12:19:59 -06:00
CircleCI Atomic Red Team doc generator
641a1d027d
Generate docs from job=validate_atomics_generate_docs branch=master
2019-10-08 18:02:00 +00:00
JimmyAstle
e1f2936764
Update T1038 ( #581 )
Swapping a /c for a /k so the test isn't blocking, since this is spawning a new powershell session.
2019-10-08 12:01:35 -06:00
CircleCI Atomic Red Team doc generator
af8e2d4501
Generate docs from job=validate_atomics_generate_docs branch=master
2019-10-08 17:27:21 +00:00
Tony M Lambert
8d5a575af8
Add test for LKM via insmod ( #580 )
2019-10-08 11:27:00 -06:00
CircleCI Atomic Red Team doc generator
25fa6a75e7
Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-24 14:36:14 +00:00
Andras32
9be96cf54f
T1076 rdp to domain controller ( #572 )
* Added MacOS and Linux isElevated check [todo: test MacOS]
* Update Invoke-AtomicTest.ps1
* Update Invoke-AtomicTest.ps1
* Update Invoke-AtomicTest.ps1
* T1076 RDP To Domain Controller
2019-09-24 08:36:03 -06:00
CircleCI Atomic Red Team doc generator
0860bb1ec7
Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-23 19:01:07 +00:00
JB
247367100b
Added new atomic 'Remote System Discovery - nslookup' + typo fixes ( #576 )
Added test 6: Powershell script that runs nslookup on cmd.exe against the local /24 network of the first network adaptor listed in ipconfig. I also formatted the name of this atomic and numbers 1 and 2 to match the others e.g. ("Remote System Discovery - [tool]")
2019-09-23 13:00:44 -06:00
CircleCI Atomic Red Team doc generator
3bc4bf9dd2
Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-21 15:21:30 +00:00
JB
d492b8ce4c
Added atomic "Access "unattend.xml," corrected and simplified names of all tests ( #575 )
Added a new test that attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored. As well I updated the names of the tests here while keeping them simple; they were duplicated and not descriptive enough.
2019-09-21 09:21:19 -06:00
CircleCI Atomic Red Team doc generator
150ac1ac50
Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-21 15:19:44 +00:00
JB
dd95258d4a
T1112 atomic 4 name clarification ( #574 )
Details: After further thought & discussion, suggesting a more precise name for atomic 4 (originally pulled here by me). Changing to "Modify registry to store logon credentials," and removing the former word "downgrade." The registry modification in this test does not actually enable a "downgrade"; rather, it allows the storage of auto-login credentials overall. They are resultingly stored as text, but that is not a downgrade.
Testing: no testing required (only name change)
Associated Issues: none
2019-09-21 09:19:34 -06:00
CircleCI Atomic Red Team doc generator
d413ba8f0d
Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-19 11:24:18 +00:00
Mike Hunter
b7ed04ebd7
Fix a bug in T1081 where the macos version of grep is wrongly expected to accept the -P flag and fix a labeling bug in T1201 where a macOS command is wrongly described as a Windows command ( #573 )
2019-09-19 05:24:00 -06:00
CircleCI Atomic Red Team doc generator
7f35271b8e
Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-17 19:17:51 +00:00
JimmyAstle
a969a01805
Update T1089 - AMSI Bypass ( #570 )
With administrative rights, an adversary can remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection.
This test removes the Windows Defender provider registry key.
2019-09-17 13:17:34 -06:00
CircleCI Atomic Red Team doc generator
a226e2aa2e
Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-17 19:09:17 +00:00
JB
cb7b3f4650
Added 'Elevated group enumeration using net group' + minor titles edit ( #567 )
* Added 'Elevated group enumeration using net group' + minor fix
added a new atomic (4), and updated attack 2's name to more clearly reflect what it is doing versus the newly added atomic (which has commands more specific to high-value, elevated groups, as well as simple obfuscation)
* minor syntax fix; description clarification
* further minor clarifications to description and title
2019-09-17 13:09:03 -06:00
CircleCI Atomic Red Team doc generator
a27c73135a
Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-17 18:48:01 +00:00
JimmyAstle
16cad4ed95
Update T1089 - AMSI Bypass cleanup ( #569 )
Adding in a cleanup to set the amsiInitFails variable back to false
2019-09-17 12:47:31 -06:00
CircleCI Atomic Red Team doc generator
d6d68477ac
Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-17 18:33:39 +00:00
JimmyAstle
26263baec9
New Detection - T1089 ( #568 )
An easy way to bypass AMSI inspection is to patch the dll in memory, setting the "amsiInitFailed" function to true. This is a simple atomic test that executes this unhooking behavior.
2019-09-17 12:33:22 -06:00
CircleCI Atomic Red Team doc generator
1df960f3c4
Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-17 16:44:59 +00:00
Marc
edc66092e3
Executor in Atomic Test #2 changed to Powershell ( #504 )
The specified test doesn't work in command_prompt.
2019-09-17 09:44:36 -07:00
CircleCI Atomic Red Team doc generator
ff779dd2fb
Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-17 14:45:16 +00:00
JB
8b855a5139
Added new atomic, 'Modify registry for password downgrade to plain text' ( #566 )
* Added new atomic, 'Modify registry for password downgrade to plain text'
* fixed syntax on executor
2019-09-17 08:44:55 -06:00
CircleCI Atomic Red Team doc generator
ac5fb215d5
Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-16 15:09:00 +00:00
JB
29a2fa0539
Added test for deletion of prefetch files (anti-forensic technique) ( #564 )
Details: Adding a new atomic for support on 1107, Delete a single prefetch file. Deletion of prefetch files is a known anti-forensic technique. An earlier version of this was drafted by Carrie Roberts (@clr2of8 )
Testing: atomic was tested with success by another jb on Windows 10, powershell with elevated privileges
Associated Issues: will also update the .md page; no issues known
2019-09-16 09:08:43 -06:00
CircleCI Atomic Red Team doc generator
77d5d88189
Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-13 15:42:16 +00:00
JimmyAstle
eab43d92fb
Update to T1036 ( #562 )
Adding in 3 new techniques related to popular command interpreter renaming / running from non-standard paths.
2019-09-13 09:42:01 -06:00
CircleCI Atomic Red Team doc generator
fe2539c7de
Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-13 14:00:02 +00:00
JimmyAstle
971d5c2b8a
Create DLL Hijacking Test - amsi bypass ( #561 )
Committing an AMSI bypass / DLL search order hijacking test.
2019-09-13 07:59:45 -06:00
CircleCI Atomic Red Team doc generator
29ad17b01d
Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-07 01:37:43 +00:00
Carrie Roberts
6f2d67e258
pipe command output to nul to keep things clean ( #559 )
2019-09-06 19:37:34 -06:00
CircleCI Atomic Red Team doc generator
ac22c95011
Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-05 01:04:02 +00:00
Carrie Roberts
75cfe33de9
Add GPP Password test definitions ( #551 )
* add gpp tests
* error handling to work with ART
* search all xml files
* add verbose output
* use default path relative to atomics folder
2019-09-04 19:03:45 -06:00
CircleCI Atomic Red Team doc generator
4bc6eb5ca1
Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-03 20:13:44 +00:00
Nick McLoota
c3dc0dc593
windows subtitle wasn't properly formatted ( #527 )
2019-09-03 14:13:34 -06:00
CircleCI Atomic Red Team doc generator
6e0c26b97c
Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-03 20:11:38 +00:00
Carrie Roberts
0859cb997a
removing descriptions of xxx (left over from template) ( #546 )
* removing descriptions of xxx (left over from template)
* update input param descriptions
* description update
* removing descriptions of xxx (left over from template)
2019-09-03 14:11:18 -06:00
CircleCI Atomic Red Team doc generator
1848f84fda
Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-03 16:04:49 +00:00
Carrie Roberts
ce07c60109
double quote fixes ( #545 )
2019-09-03 10:04:32 -06:00
CircleCI Atomic Red Team doc generator
3899ee00cf
Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-03 15:31:13 +00:00
n0lepointer
e4981743f7
Add test for T1217 that looks for bookmarks from Google Chrome browser ( #536 )
2019-09-03 09:30:58 -06:00