
[OSCD Sprint #2] Final Pull Request / Summary #1431

Merged
merged 50 commits into from Apr 19, 2021


@aw350m33d aw350m33d commented Apr 18, 2021

The last set of ART tests developed during the second OSCD sprint and a final summary of the contribution.

Summary

  • 23 new tests added
  • 7 existing tests improved
  • 0 existing tests deprecated
  • 3 new artifacts added

John Lambert, @JohnLaTwC US:

Added 3 artifacts:
    ARTifacts/Adversary/Dragons_Tail/DragonsTail.vba
    ARTifacts/Initial_Access/generate-macro.ps1
    ARTifacts/Initial_Access/Office_Macro_COM.md

Mateusz Wydra, @sn0w0tter PL:

Added 1 new test:
    T1113 (Screen Capture):
    - test #5 (Windows Screencapture)

Anton Kutepov, @aw350m33d RU:

Added 2 new tests:
    T1562.006 (Impair Defenses: Indicator Blocking):
    - test #1 (Auditing Configuration Changes on Linux Host)
    - test #2 (Logging Configuration Changes on Linux Host)

John Tuckner, @tuckner US:

Added 2 new tests:
    T1070.003 (Indicator Removal on Host: Clear Command History):
    - test #9 (Prevent Powershell History Logging)
    - test #10 (Clear Powershell History by Deleting History File)

Grégoire Clermont, @gregclermont FR:

Added 3 new tests:
    T1006 (Direct Volume Access):
    - test #1 (Read volume boot sector via DOS device path (PowerShell))

    T1134.001 (Access Token Manipulation: Token Impersonation/Theft):
    - test #1 (Named pipe client impersonation)
    - test #2 (SeDebugPrivilege token duplication)

Omkar Gudhate, @OG0Sec IN:

Added 3 new tests:
    T1137.002 (Office Application Startup: Office Test):
    - test #1 (Office Application Startup Test Persistence)

    T1547.010 (Boot or Logon Autostart Execution: Port Monitors):
    - test #1 (Add Port Monitor persistence in Registry)

    T1202 (Indirect Command Execution):
    - test #3 (Indirect Command Execution - conhost.exe)

Jakob Weinzettl, @mrblacyk PL:

Added 4 new tests:
    T1036.004 (Masquerading: Masquerade Task or Service):
    - test #1 (Creating W32Time similar named service using schtasks)
    - test #2 (Creating W32Time similar named service using sc)

    T1136.002 (Create Account: Domain Account):
    - test #1 (Create a new Windows domain admin user)
    - test #2 (Create a new account similar to ANONYMOUS LOGON)

Hare Sudhan Muthusamy, @0x6cdev US:

Added 5 new tests:
    T1497.001 (Virtualization/Sandbox Evasion: System Checks):
    - test #1 (Detect Virtualization Environment (Linux))
    - test #2 (Detect Virtualization Environment (Windows))
    - test #3 (Detect Virtualization Environment (MacOS))

    T1115 (Clipboard Data):
    - test #3 (Execute commands from clipboard)

    T1098.004 (SSH Authorized Keys):
    - test #1 (Modify SSH Authorized Keys)

Daniil Yugoslavskiy, @yugoslavskiy RU:

Added 3 new tests:
    T1562.001 (Impair Defenses: Disable or Modify Tools):
    - test #8 (Disable macOS Gatekeeper)

    T1564.002 (Hide Artifacts: Hidden Users):
    - test #2 (Create Hidden User using IsHidden option)

    T1518.001 (Software Discovery: Security Software Discovery):
    - test #4 (Security Software Discovery - ps (Linux))

Improved 7 tests:
    T1518.001 (Software Discovery: Security Software Discovery):
    - test #3 (Security Software Discovery - ps (macOS))

    T1553.001 (Subvert Trust Controls: Gatekeeper Bypass):
    - test #1 (Gatekeeper Bypass)

    T1562.001 (Impair Defenses: Disable or Modify Tools):
    - test #4 (Stop Crowdstrike Falcon on Linux)
    - test #5 (Disable Carbon Black Response)
    - test #6 (Disable LittleSnitch)
    - test #7 (Disable OpenDNS Umbrella)

    T1564.002 (Hide Artifacts: Hidden Users):
    - test #1 (Create Hidden User using UniqueID < 500)

remotephone and others added 30 commits October 6, 2020 23:39
* T1036.004 - 2 tests added

* Update T1036.004.yaml

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>

…nother launchagent for carbon black defense; remove Gatekeeper disable command from Gatekeeper bypass technique

* Office persistence: Office test

* Added technique details

[OSCD] Update T1564.002: Hidden User Creation test for macOS

CircleCI Atomic Red Team doc generator and others added 18 commits October 26, 2020 04:12

[OSCD] Added T1562.006 tests to emulate indicator blocking on Linux

* Port monitor addition

* Rename T1547.010.yml to T1547.010.yaml

[OSCD] split Linux and macOS tests for T1518.001; update processes list

[OSCD] Test for T1016 - macOS firewall enumeration
@aw350m33d aw350m33d changed the title [OSCD Sprint #2] Final Pull Request / Summary WIP [OSCD Sprint #2] Final Pull Request / Summary Apr 18, 2021
@aw350m33d aw350m33d marked this pull request as draft April 18, 2021 15:39
@aw350m33d aw350m33d changed the title WIP [OSCD Sprint #2] Final Pull Request / Summary [OSCD Sprint #2] Final Pull Request / Summary Apr 19, 2021
@aw350m33d aw350m33d marked this pull request as ready for review April 19, 2021 15:12
@aw350m33d (Contributor, Author) commented:

The final pull request is ready!

The contributions of each participant are presented in this summary. This overview presents both the rules that have already been merged into the master branch and those that have remained in the oscd branch until now.

Please let me know if I need to fix anything.

@clr2of8 clr2of8 (Collaborator) left a comment

Excellent, thank you!
