Address failing Atomic Red Team Tests #368

Open
ION28 opened this issue Jul 31, 2020 · 0 comments
ION28 commented Jul 31, 2020

[copied from Discord]

T1562.004 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md
--> Our hunt looks for some registry configurations in the fw that an attacker could use. Our hunt is not yet robust enough to be able to properly analyze fw configuration (which is some stuff ART looks for). Probably a decent amount of work to pass this test.

T1547.005 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md
--> Should be an easy-ish one to fix. Need to correct the arg of the SSP DLL to point to an actual DLL on disk (just use a DLL from another ART test). Right now the value the ART test adds doesn't reference a real file, so it's going to fail. Might need to add a copy command to put this DLL into system32.

T1546.015 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md
--> ART looks for a very specific COM hijack that we currently don't support. The 3rd test sets a process-scoped env variable, which might be hard to catch currently, but the first two tests should be easy.

T1546.012 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md
--> NEED TO INVESTIGATE THIS ONE; we should have code that catches this already in there.

T1546.011 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md
--> Failing 1/3 tests it seems, might be due to it not creating a duplication detection object.

T1136.001 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md
--> Current code relies on event logs for user creation and this doesn't always work well.
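The T1547.005 item above hinges on one detail: the ART test registers a Security Support Provider whose DLL does not exist on disk. A hunt that cross-checks every entry of the LSA "Security Packages" value against a baseline of expected packages and against the actual contents of System32 catches both the ART case (missing DLL) and the real-world case (an unknown DLL that is present). The following is an added example written for this issue; it is not code from the project or from Atomic Red Team. It runs on a constructed snapshot so it works offline; the baseline set, the sample registry entries and the sample System32 listing are all constructed assumptions. On a live host the entries would be read from HKLM\SYSTEM\CurrentControlSet\Control\Lsa, value "Security Packages" (REG_MULTI_SZ), and the file listing from %SystemRoot%\System32.

```python
"""Hunt check for T1547.005: audit LSA "Security Packages" entries.

Added example, not the project's own hunt code. Works on a constructed
snapshot of the registry value and the System32 directory listing.
"""
from __future__ import annotations

import ntpath
from typing import Iterable

# Constructed baseline (assumption): package names that normally appear in
# the Security Packages value. A real hunt would derive this per OS build.
BASELINE_PACKAGES = frozenset(
    {"kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u", "cloudap"}
)

# Constructed sample data standing in for the REG_MULTI_SZ value and the
# System32 directory listing. "ssp_test" mimics the ART test: an entry whose
# DLL is not on disk. The trailing "" mimics the empty string that ends the
# multi-string value.
SAMPLE_ENTRIES = [
    "kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u",
    "", "ssp_test", "C:\\Temp\\custom_ssp.dll",
]
SAMPLE_SYSTEM32 = {
    "kerberos.dll", "msv1_0.dll", "schannel.dll", "wdigest.dll",
    "tspkg.dll", "pku2u.dll", "custom_ssp.dll",
}


def normalize_entry(entry: str) -> tuple[str, bool]:
    """Return (lower-case package name without .dll, entry_had_path).

    LSA loads a package by name from System32, so a bare name is the normal
    form; an explicit path is unusual and worth surfacing on its own.
    """
    raw = entry.strip().strip('"')
    had_path = "\\" in raw or "/" in raw
    name = ntpath.basename(raw.replace("/", "\\")) if had_path else raw
    if name.lower().endswith(".dll"):
        name = name[:-4]
    return name.lower(), had_path


def audit_security_packages(
    entries: Iterable[str], system32_files: Iterable[str]
) -> list[dict]:
    """Flag entries that are outside the baseline, reference a DLL that is
    not present in System32, or carry an explicit path.

    Returns one finding per flagged entry; an empty list means clean.
    """
    present = {f.lower() for f in system32_files}
    findings: list[dict] = []
    for entry in entries:
        name, had_path = normalize_entry(entry)
        if not name:
            continue  # terminating empty string of the REG_MULTI_SZ value
        reasons = []
        if name not in BASELINE_PACKAGES:
            reasons.append("not in baseline")
        if f"{name}.dll" not in present:
            reasons.append("DLL not found in System32")
        if had_path:
            reasons.append("entry carries an explicit path")
        if reasons:
            findings.append({"entry": entry, "package": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_security_packages(SAMPLE_ENTRIES, SAMPLE_SYSTEM32):
        print(f"[T1547.005] {f['entry']!r}: {', '.join(f['reasons'])}")
```

Comparison is case-insensitive and tolerant of a ".dll" suffix, since the registry value and the file system differ on both. The same check applies to the duplicate value under Lsa\OSConfig; feeding that value's entries through the same function covers it.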
