Merge Develop to Master for Release v0.4.0-alpha #168
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…yKey object causes an issue
Update Registry base
The levels are Cursory, Normal, and Intensive
…lly free data to fix a memory leak caused by the reaction framework not properly handling binary registry keys
Change Hunts to use new levels
Fix a memory leak
Add detections for T1183
Mitigate smb1
Create initial test base
Add Mitigation for V-63597
Client mitigate v1153
Add filesystem module; Update hunt T1100 to use the new filesystem module; Update wrappers
Updated Coverage
* Fix Codacy Issues with README, Update Coverage Maps * Fix typo in T1186, Update coverage map with Partials * Add Status icons for Platform and OS * Update link to attack navigator * Attempt to fix spacing for Codacy * Fix spaces
* Add Mitigation to disable NBT-NS to stop T1171 * Fix typo in comment
Add detections when a webshell is identified
Repository owner
deleted a comment from
Jack-McDowell
Feb 8, 2020
Repository owner
deleted a comment from
Jack-McDowell
Feb 8, 2020
Repository owner
deleted a comment from
Jack-McDowell
Feb 8, 2020
Repository owner
deleted a comment from
Jack-McDowell
Feb 8, 2020
Repository owner
deleted a comment from
Jack-McDowell
Feb 8, 2020
Repository owner
deleted a comment from
Jack-McDowell
Feb 8, 2020
CalvinKrist
approved these changes
Feb 8, 2020
Clean up a few miscellaneous errors for merge to master
Jack-McDowell
approved these changes
Feb 8, 2020
ION28
commented
Feb 8, 2020
| * Microsoft's documentation and examples on the Windows API | ||
| * The Department of Defense's Defense Information Systems Agency (DISA) for their great work in publishing STIGs and various other technical security guidance for Windows. | ||
| * [@hasherezade](https://github.com/hasherezade)'s [PE Sieve](https://github.com/hasherezade/pe-sieve), which currently manages our process analytics |
There was a problem hiding this comment.
ION28
commented
Feb 8, 2020
| * Red Canary's [Atomic Red Team Project](https://github.com/redcanaryco/atomic-red-team) which has been incredibly useful in helping to test the detections we are building | ||
| * [@op7ic](https://github.com/op7ic)'s [EDR-Testing-Script](https://github.com/op7ic/EDR-Testing-Script) Project |
There was a problem hiding this comment.
ION28
commented
Feb 8, 2020
| * The [MITRE's ATT&CK Project](https://attack.mitre.org/) which has put together an amazing framework for which to consider, document, and categorize attacker tradercraft | ||
| * [Sean Metcalf](https://twitter.com/PyroTek3)'s Active Directory Security blog [ADSecurity](https://adsecurity.org/) |
There was a problem hiding this comment.
ION28
commented
Feb 8, 2020
| * Microsoft's documentation and examples on the Windows API | ||
| * The Department of Defense's Defense Information Systems Agency (DISA) for their great work in publishing STIGs and various other technical security guidance for Windows. |
There was a problem hiding this comment.
ION28
commented
Feb 8, 2020
| using namespace Mitigations; | ||
|
|
||
| MitigateM1042LLMNR* m1042llmnr = new MitigateM1042LLMNR(mitigationRecord); | ||
| MitigateM1042NBT* m1042nbt = new MitigateM1042NBT(mitigationRecord); |
There was a problem hiding this comment.
ION28
commented
Feb 8, 2020
| auto key = RegistryKey{ HKEY_LOCAL_MACHINE, L"System\\CurrentControlSet\\Services\\LanManServer\\Parameters" }; | ||
| if(key.ValueExists(L"NullSessionPipes")){ | ||
| auto values = *key.GetValue<std::vector<std::wstring>>(L"NullSessionPipes"); | ||
| auto vGoodValues = std::vector<std::wstring>{}; |
There was a problem hiding this comment.
ION28
commented
Feb 8, 2020
| } | ||
|
|
||
| if(ptr < size){ | ||
| data[ptr] = { static_cast<WCHAR>(0) }; |
There was a problem hiding this comment.
ION28
commented
Feb 8, 2020
|
|
||
| template<> | ||
| bool RegistryKey::SetValue(const std::wstring& name, LPCSTR value, DWORD size, DWORD type) const { | ||
| return RegistryKey::SetRawValue(name, { PBYTE(value), strlen(value), AllocationWrapper::STACK_ALLOC }, type); |
There was a problem hiding this comment.
ION28
commented
Feb 8, 2020
|
|
||
| template<> | ||
| bool RegistryKey::SetValue(const std::wstring& name, LPCWSTR value, DWORD size, DWORD type) const { | ||
| return RegistryKey::SetRawValue(name, { PBYTE(value), wcslen(value), AllocationWrapper::STACK_ALLOC }, type); |
There was a problem hiding this comment.
ION28
commented
Feb 8, 2020
| @@ -35,7 +40,7 @@ class GenericWrapper { | |||
|
|
|||
| public: | |||
|
|
|||
| GenericWrapper(T object, void(*freeFunction)(T) = [](T object){ delete object; }, T BadValue = nullptr) | |||
| GenericWrapper(T object, std::function<void(T)> freeFunction = [](T object){ delete object; }, T BadValue = nullptr) | |||
There was a problem hiding this comment.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
User Level features
Architecture Features