* Update T1204.002.yaml
Added a new atomic to simulate an adversary using a malicious word doc to stage malicious .bat files in appdata then execute them.
* Update T1204.002.yaml
made default ms_office_version more robust to handle box with multiple versions of office. It will select the latest
* Update T1204.002.yaml
added in the description what the .bat does
* T1014 - Driver rootkit test
Fixed Test 3 per issue #1153 .
- Added pre-req
- New comments for additional info on retrieving the capcom driver
- Added elevation required
- Added new input argument for puppetstrings.exe
Confirmed operational on win10.
* Generate docs from job=validate_atomics_generate_docs branch=T1014
* Fixed GUID
* Generate docs from job=validate_atomics_generate_docs branch=T1014
* Update used_guids.txt
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
* spelling update and new test
minor spelling update and adding in test for enterprise admins group enumeration
* couple more syntax updates
couple more syntax updates
* Updating cmdline abbreviation
these are valid cmdline abbreviations. I was too quick to update :)
* Clean up swp
cleaning up swap file
* putting back original discovery commands
* one last change
Co-authored-by: Jimmy Astle <jastle@vmware.com>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
Quick test for default domain administrator account enumeration
Co-authored-by: Jimmy Astle <jastle@vmware.com>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Update T1070.003.yaml
* Update T1078.001.yaml
* Update T1113.yaml
Remove error from screen when cleaning up for T1113-5
* Update T1197.yaml
Remove error when cleaning up for T1197-4
* Update T1562.001.yaml
Remove error from cleanup of T1562.001-23
* Update T1562.004.yaml
Remove error shown for cleanup of T15262.004-5 and T15262.004-6
* Update T1574.009.yaml
Remove error from cleanup of T1574.009-1
* Update T1553.004.yaml
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
The following [AtomicTestHarnesses](https://github.com/redcanaryco/atomictestharnesses) has been released to simulate [T1059.001](https://attack.mitre.org/techniques/T1059/001/) in various capacities including the use of `EncodedArguments`, variations of `EncodedCommand` and command line switch types. Input arguments may be manipulated as needed to enhance simulation, which all may be found by reviewing the individual Harness code or import the ATH module and run `get-help`
Adding additional tests to:
- T1059.001 - Command and Scripting Interpreter: PowerShell
For pre-req, it will use the recently released AtomicTestHarnesses [PowerShellGallery](https://www.powershellgallery.com/packages/AtomicTestHarnesses) module using `Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force`
Confirmed all tests are operational on Windows 10, non privileged user.
Ransomware actors leverage adfind to perform Active Directory recon. These tests cover most of the behaviors observed via public threat intelligence sources
Co-authored-by: Jimmy Astle <jastle@vmware.com>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* better name
* Generate docs from job=validate_atomics_generate_docs branch=clr2of8-patch-14
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
* cleaner title
* Generate docs from job=validate_atomics_generate_docs branch=clr2of8-patch-13
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
* title clarification
* Generate docs from job=validate_atomics_generate_docs branch=clr2of8-patch-12
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
* move cleanup to cleanup command
* Generate docs from job=validate_atomics_generate_docs branch=clr2of8-patch-11
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
* Introduce AtomicTestHarness Tests to ART
Adding:
- T1134.004 - Access Token Manipulation: Parent PID Spoofing
- T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
- T1218.005 - Signed Binary Proxy Execution: Mshta
These tests utilize the recently released [AtomicTestHarnesses](https://github.com/redcanaryco/atomictestharnesses) to simulate the base tests from from each ATH Harness. Input arguments may be manipulated as needed to enhance simulation.
* Generate docs from job=validate_atomics_generate_docs branch=atomictestharness-tests
Co-authored-by: CircleCI Atomic Red Team doc generator <email>
Brian Thacker