[copied from Discord]
T1562.004 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md
--> Our hunt looks for some registry configurations in the fw that an attacker could use. Our hunt is not yet robust enough to be able to properly analyze fw configuration (which is some of the stuff ART looks for). Probably a decent amount of work to pass this test.
T1547.005 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md
--> Should be an easy-ish one to fix. Need to correct the arg of the SSP DLL to point to an actual DLL on disk (just use a DLL from another ART test). Right now the value the ART test adds doesn't reference a real file, so it's going to fail. Might need to add a copy command to put this DLL into system32.
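As an added defender-side example (not code from this issue, from our hunt, or from atomic-red-team): a check over the LSA `Security Packages` entries that the T1547.005 test modifies, which flags names that are not stock Windows packages and reports whether a matching DLL actually exists in System32, so a staged entry with no file behind it (the failure mode described above) is still surfaced. The baseline package set, the function names and the sample inputs are assumptions/constructed.

```python
from pathlib import PureWindowsPath

# Package names present on a stock Windows install (assumption: adjust per build).
BASELINE_SSPS = {"kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u", "cloudap"}

def audit_security_packages(entries, system32_files):
    """Classify each entry of HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Security Packages.

    entries: the REG_MULTI_SZ strings as read from the registry.
    system32_files: file names collected from %SystemRoot%\\System32, passed in
                    so the check runs offline (e.g. from a triage export).
    Returns {entry: status}.
    """
    present = {f.lower() for f in system32_files}
    result = {}
    for raw in entries:
        entry = raw.strip().strip('"')
        if not entry:
            continue  # the default value on many builds is an empty string
        if "\\" in entry or "/" in entry:
            result[raw] = "explicit_path"  # LSA normally loads by name from System32
            continue
        name = PureWindowsPath(entry).stem.lower()  # tolerate a trailing ".dll"
        if name in BASELINE_SSPS:
            result[raw] = "baseline"
        elif f"{name}.dll" in present:
            result[raw] = "unknown_dll_present"  # candidate SSP persistence
        else:
            result[raw] = "unknown_dll_missing"  # cannot load; broken or staged entry
    return result

def suspicious(entries, system32_files):
    """Entries worth a closer look, in registry order."""
    return [e for e, s in audit_security_packages(entries, system32_files).items()
            if s != "baseline"]

# Constructed sample: a stock list plus three non-default entries.
SAMPLE_ENTRIES = ["kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u",
                  "custom_ssp", "notondisk", r"C:\Temp\x.dll"]
SAMPLE_SYSTEM32 = {"kerberos.dll", "msv1_0.dll", "schannel.dll", "wdigest.dll",
                   "tspkg.dll", "pku2u.dll", "custom_ssp.dll"}

if __name__ == "__main__":
    for entry, status in audit_security_packages(SAMPLE_ENTRIES, SAMPLE_SYSTEM32).items():
        print(f"{status:20s} {entry}")
```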
T1546.015 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md
--> ART looks for a very specific COM hijack that we currently don't support. The 3rd test sets a process-scoped env variable, which might be hard to catch currently, but the first two tests should be easy.
T1546.012 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md
--> NEED TO INVESTIGATE THIS ONE, we should have code that catches this already in there.
T1546.011 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md
--> Failing 1/3 tests it seems, might be due to it not creating a duplication detection object.
T1136.001 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md
--> Current code relies on event logs for user creation, and this doesn't always work well.