Commit Graph

4489 Commits

Author SHA1 Message Date
Atomic Red Team doc generator ff1a5cf07b Generated docs from job=generate-docs branch=master [ci skip] 2022-10-19 01:25:12 +00:00
tlor89 0f6a242985 T1106_update (#2192)
* T1106_update

* typo fix

Co-authored-by: Toua Lor <tlor@nti.local>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2022-10-18 19:24:39 -06:00
Atomic Red Team doc generator 3802eaffdf Generated docs from job=generate-docs branch=master [ci skip] 2022-10-19 01:22:59 +00:00
tlor89 e3cb7dbc2b T1105_update (#2191)
* T1105_update

* Update the syntax issue

* typo fix

Co-authored-by: Toua Lor <tlor@nti.local>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2022-10-18 19:22:14 -06:00
Atomic Red Team doc generator 825c959f98 Generated docs from job=generate-docs branch=master [ci skip] 2022-10-18 16:52:04 +00:00
jmac774 da55a259c9 Fix T1098.004 (#2193)
Fix for systems with multiple authorized keys. Without quotes, the echo command separates lines with a space instead of a newline character, which breaks the authorized_keys file when it contains multiple keys.
2022-10-18 10:51:15 -06:00
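The quoting failure described in the commit above, reproduced as an added example. This is not code from the Atomic Red Team repository or from the T1098.004 test itself; the two keys are constructed placeholders, and the helper names and the "grep -v then echo back" shape are my assumption of what the pre-fix cleanup looked like.

```shell
#!/bin/sh
# Added example, not from the Atomic Red Team repository or the T1098.004 test:
# shows how an unquoted echo collapses a multi-line authorized_keys file.
# The two keys below are constructed placeholders, not real public keys.
set -eu

# Constructed authorized_keys content: two entries, one per line.
KEY_ONE='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyOne user1@host'
KEY_TWO='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyTwo user2@host'

# Write a fresh two-key file in a private temp dir and print its path.
make_fixture() {
  dir=$(mktemp -d)
  printf '%s\n%s\n' "$KEY_ONE" "$KEY_TWO" > "$dir/authorized_keys"
  echo "$dir/authorized_keys"
}

# Buggy cleanup (assumed pre-fix shape): $lines is unquoted, so word
# splitting joins every remaining key onto one line separated by spaces.
# sshd then sees a single malformed line and accepts neither key.
drop_key_unquoted() {
  file=$1; pattern=$2
  lines=$(grep -v -- "$pattern" "$file" || true)
  echo $lines > "$file"   # deliberately unquoted: this is the bug
}

# Fixed cleanup: quoting "$lines" preserves the newline between keys.
drop_key_quoted() {
  file=$1; pattern=$2
  lines=$(grep -v -- "$pattern" "$file" || true)
  echo "$lines" > "$file"
}

# Number of lines left in a file, trimmed so it compares as a plain string.
line_count() { wc -l < "$1" | tr -d ' '; }

# Run the buggy version against a two-key file, removing a key that is not
# present, and return how many lines survive: 1, both keys crushed together.
unquoted_result() {
  f=$(make_fixture)
  drop_key_unquoted "$f" 'attacker@evil'
  n=$(line_count "$f"); rm -rf "$(dirname "$f")"; echo "$n"
}

# Same run with the fixed version: 2, each key still on its own line.
quoted_result() {
  f=$(make_fixture)
  drop_key_quoted "$f" 'attacker@evil'
  n=$(line_count "$f"); rm -rf "$(dirname "$f")"; echo "$n"
}

echo "unquoted echo leaves $(unquoted_result) line(s)"
echo "quoted echo leaves   $(quoted_result) line(s)"
```

After running any cleanup that rewrites authorized_keys, a quick sanity check is ssh-keygen -l -f on the file: it prints one fingerprint per key it can parse, so a file that was collapsed onto a single line yields fewer fingerprints than keys you expect.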
Atomic Red Team doc generator 4abb614556 Generated docs from job=generate-docs branch=master [ci skip] 2022-10-17 16:47:12 +00:00
Atomic Red Team GUID generator 0d7ea66552 Generate GUIDs from job=generate-docs branch=master [skip ci] 2022-10-17 16:47:06 +00:00
Paul Michaud b9e306b765 Merge pull request #2188 from harshalcoep/master
Added a new atomic test
2022-10-17 16:46:40 +00:00
harshalcoep 3b3642544f Merge branch 'master' into master 2022-10-17 21:39:30 +05:30
Atomic Red Team doc generator dd2090cd6d Generated docs from job=generate-docs branch=master [ci skip] 2022-10-17 15:11:59 +00:00
tlor89 8e594d58d5 Update T1090.003.yaml (#2187)
* Update T1090.003.yaml

Add prereq for test 1 on batch file requirements

* Update T1090.003.yaml

fixed the spacing

* Update T1090.003.yaml

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2022-10-17 09:11:19 -06:00
harshalcoep 17b0ff7915 Added a new atomic test
We have added a new atomic test with guid ffcbfaab-c9ff-470b-928c-f086b326089b that sets two registry values, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption and HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText, to display a ransom message. While executing this atomic test, the values for these registry entries can be configured using the switch -PromptForInputArgs. This technique has been used by many ransomware families in the past, including SynAck, Grief, Maze, Pysa, Spook, DoppelPaymer, Redeemer and Kangaroo. After encrypting files, the ransomware modifies the Windows LegalNoticeCaption and LegalNoticeText registry values to display a ransom message to the victim at logon.
2022-10-17 20:28:17 +05:30
Atomic Red Team doc generator 84cd4177fe Generated docs from job=generate-docs branch=master [ci skip] 2022-10-13 17:48:19 +00:00
harshalcoep a7bf035f55 Modify description of "Disable UAC admin consent prompt" (#2184)
Changing the description of atomic test 251c5936-569f-42f4-9ac2-87a173b9e9b8 from "modifying the registry key" to "setting the registry key".  In this context, the word "setting" sounds more appropriate than "modifying".
2022-10-13 11:47:48 -06:00
Atomic Red Team doc generator 112ee4dd2e Generated docs from job=generate-docs branch=master [ci skip] 2022-10-13 14:20:53 +00:00
Atomic Red Team GUID generator 540ae0d64c Generate GUIDs from job=generate-docs branch=master [skip ci] 2022-10-13 14:20:47 +00:00
harshalcoep c566f8d83f New Atomic-Test (#2183)
* New Atomic-Test

Proposing a new atomic test "Disable UAC admin consent prompt". The existing atomic test with guid 9e8af564-53ec-407e-aaa8-3cb20c3af7f9 disables UAC by setting the "EnableLUA" registry value to 0. UAC can also be disabled by setting the "ConsentPromptBehaviorAdmin" registry value to 0 (https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpsb/341747f5-6b5d-4d30-85fc-fa1cc04038d4). This registry value has been altered by several malware families in the past (https://cloudsek.com/technical-analysis-of-medusalocker-ransomware/, https://blogs.blackberry.com/en/2022/01/threat-thursday-purple-fox-rootkit, https://blogs.blackberry.com/en/2021/06/threat-thursday-avaddon-ransomware-uses-ddos-attacks-as-triple-threat). Hence, proposing a new atomic test with guid 251c5936-569f-42f4-9ac2-87a173b9e9b8 that bypasses UAC by setting the registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin to 0.

* add blog links

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2022-10-13 08:20:18 -06:00
Atomic Red Team doc generator eedbea628e Generated docs from job=generate-docs branch=master [ci skip] 2022-10-12 19:54:00 +00:00
Atomic Red Team GUID generator b08b38f654 Generate GUIDs from job=generate-docs branch=master [skip ci] 2022-10-12 19:53:52 +00:00
CDub1016 3bff37d737 T1204.002 Added Test to Emulate Mirror Blast TA505 (#2180)
* Update T1204.002.yaml

Added Mirror Blast technique.

* Update T1204.002.yaml

Added cleanup command to Mirror Blast Test.

* Add files via upload

Added Excel sheet with macro to download 7zip.

* Add files via upload

Information about macro in Mirror Blast.

* use PathToAtomicsFolder

* add link to blog

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2022-10-12 13:53:10 -06:00
Atomic Red Team doc generator cc0f4485ca Generated docs from job=generate-docs branch=master [ci skip] 2022-10-12 19:10:02 +00:00
Mohana Shankar D 051753b04f Mshta Executes Remote HTML Application (HTA) - Process Termination (#2179)
Using a sleep command to run the application for 15 seconds with start process. The process is then terminated using the stop process command.
2022-10-12 13:09:24 -06:00
Atomic Red Team doc generator 9adadb0b01 Generated docs from job=generate-docs branch=master [ci skip] 2022-10-09 14:43:11 +00:00
Atomic Red Team GUID generator 56e61e2130 Generate GUIDs from job=generate-docs branch=master [skip ci] 2022-10-09 14:43:04 +00:00
Jose Enrique Hernandez d0ce538c94 Merge pull request #2081 from ketumbra/2080
fixes #2080: macos audio recording
2022-10-09 10:42:29 -04:00
ketumbra 14298afc74 Merge branch 'master' into 2080 2022-10-08 19:01:19 +01:00
Atomic Red Team doc generator 90212b5fa4 Generated docs from job=generate-docs branch=master [ci skip] 2022-10-04 22:35:06 +00:00
tlor89 2c17fe046c T1082_update (#2178)
* T1082_update

* Update prereq description

Co-authored-by: Toua Lor <tlor@nti.local>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2022-10-04 16:34:35 -06:00
Atomic Red Team doc generator c3788b083e Generated docs from job=generate-docs branch=master [ci skip] 2022-10-04 22:33:31 +00:00
tlor89 cf8cae7466 T1055 (#2177)
* T1055

* Update input args description

Co-authored-by: Toua Lor <tlor@nti.local>
2022-10-04 16:33:02 -06:00
Atomic Red Team doc generator 297c6a48d1 Generated docs from job=generate-docs branch=master [ci skip] 2022-10-03 22:41:21 +00:00
tlor89 19ace944f7 T1055.004_Update (#2175)
* T1055.004_Update

* Update T1055.004.yaml

Co-authored-by: Toua Lor <tlor@nti.local>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2022-10-03 16:40:55 -06:00
Atomic Red Team doc generator 4eb79b9d8a Generated docs from job=generate-docs branch=master [ci skip] 2022-10-03 22:37:35 +00:00
tlor89 8c02a45145 T1048.002 (#2173)
* T1048.002

* Update T1048.002.yaml

Co-authored-by: Toua Lor <tlor@nti.local>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2022-10-03 16:36:57 -06:00
Atomic Red Team doc generator 52d1f72af2 Generated docs from job=generate-docs branch=master [ci skip] 2022-10-03 22:33:32 +00:00
frack113 f41e92b834 T1547.001 Fix test a70faea1-e206-4f6f-8d9a-67379be8f6f1 (#2171)
* Fix test a70faea1-e206-4f6f-8d9a-67379be8f6f1

* Restore b5c9a9bc-dda3-4ea0-b16a-add8e81ab75f

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2022-10-03 16:32:48 -06:00
Atomic Red Team doc generator 7e1529fbca Generated docs from job=generate-docs branch=master [ci skip] 2022-10-03 15:43:49 +00:00
Atomic Red Team GUID generator 5e91e948fc Generate GUIDs from job=generate-docs branch=master [skip ci] 2022-10-03 15:43:42 +00:00
sourabhsharmasourabh d081d1dc33 New Atomic test 29 - iwr download (#2172)
* New Atomic test 29 - iwr download

iwr or Invoke-WebRequest download. Use the 'iwr' or "Invoke-WebRequest" -URI argument to download a file from the web. Note: it also works without -URI in some versions.

* Update T1105.yaml

* Update T1105.yaml

At line 793 added the elevation_required: true line, as it was missed earlier.

* Update T1105.yaml

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2022-10-03 09:43:01 -06:00
ketumbra 457687dc9b Merge branch 'master' into 2080 2022-09-30 22:21:40 +01:00
ketumbra 52d550c2b3 check outfile exists first and use stat for size check
Co-authored-by: packetzero <20775507+packetzero@users.noreply.github.com>
2022-09-30 22:20:59 +01:00
ketumbra 53e53525a8 use named var and simplify exit 2022-09-30 21:42:53 +01:00
ketumbra 9f908989d7 use named vars
Co-authored-by: packetzero <20775507+packetzero@users.noreply.github.com>
2022-09-30 21:15:22 +01:00
ketumbra 34ff8e44d0 use named vars
Co-authored-by: packetzero <20775507+packetzero@users.noreply.github.com>
2022-09-30 21:15:11 +01:00
Atomic Red Team doc generator 9e5b12c491 Generated docs from job=generate-docs branch=master [ci skip] 2022-09-30 17:12:19 +00:00
Atomic Red Team GUID generator 0186f8aba8 Generate GUIDs from job=generate-docs branch=master [skip ci] 2022-09-30 17:12:13 +00:00
Narasimha2218 a0f872e11a UltraVNC Execution -New atomictest (#2169)
* UltraVNC Execution -New atomictest

An adversary may attempt to trick the user into downloading UltraVNC for use as a C2 channel.
Upon successful execution, UltraVNC will be executed.

* typo fix

* remove space

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2022-09-30 11:11:44 -06:00
Atomic Red Team doc generator 09b7ade645 Generated docs from job=generate-docs branch=master [ci skip] 2022-09-29 17:15:18 +00:00
Atomic Red Team GUID generator 5d77f4da7e Generate GUIDs from job=generate-docs branch=master [skip ci] 2022-09-29 17:15:10 +00:00