Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -501,6 +501,8 @@ defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,5,Hidden
 defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,6,Hide a Directory,b115ecaf-3b24-4ed2-aefe-2fcb9db913d3,sh
 defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,7,Show all hidden files,9a1ec7da-b892-449f-ad68-67066d04380c,sh
 defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,8,Hide Files Through Registry,f650456b-bd49-4bc1-ae9d-271b5b9581e7,command_prompt
+defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,9,Create Windows Hidden File with powershell,7f66d539-4fbe-4cfa-9a56-4a2bf660c58a,powershell
+defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,10,Create Windows System File with powershell,d380c318-0b34-45cb-9dad-828c11891e43,powershell
 defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
 defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
 defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,3,GCP - Create Custom IAM Role,3a159042-69e6-4398-9a69-3308a4841c85,sh

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -348,6 +348,8 @@ defense-evasion,T1220,XSL Script Processing,4,WMIC bypass using remote XSL file,
 defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,3,Create Windows System File with Attrib,f70974c8-c094-4574-b542-2c545af95a32,command_prompt
 defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,4,Create Windows Hidden File with Attrib,dadb792e-4358-4d8d-9207-b771faa0daa5,command_prompt
 defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,8,Hide Files Through Registry,f650456b-bd49-4bc1-ae9d-271b5b9581e7,command_prompt
+defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,9,Create Windows Hidden File with powershell,7f66d539-4fbe-4cfa-9a56-4a2bf660c58a,powershell
+defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,10,Create Windows System File with powershell,d380c318-0b34-45cb-9dad-828c11891e43,powershell
 defense-evasion,T1564.004,Hide Artifacts: NTFS File Attributes,1,Alternate Data Streams (ADS),8822c3b0-d9f9-4daf-a043-49f4602364f4,command_prompt
 defense-evasion,T1564.004,Hide Artifacts: NTFS File Attributes,2,Store file in Alternate Data Stream (ADS),2ab75061-f5d5-4c1a-b666-ba2a50df5b02,powershell
 defense-evasion,T1564.004,Hide Artifacts: NTFS File Attributes,3,Create ADS command prompt,17e7637a-ddaf-4a82-8622-377e20de8fdb,command_prompt

atomics/Indexes/Indexes-Markdown/index.md

@@ -713,6 +713,8 @@
   - Atomic Test #6: Hide a Directory [macos]
   - Atomic Test #7: Show all hidden files [macos]
   - Atomic Test #8: Hide Files Through Registry [windows]
+  - Atomic Test #9: Create Windows Hidden File with powershell [windows]
+  - Atomic Test #10: Create Windows System File with powershell [windows]
 - T1578.001 Create Snapshot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -516,6 +516,8 @@
   - Atomic Test #3: Create Windows System File with Attrib [windows]
   - Atomic Test #4: Create Windows Hidden File with Attrib [windows]
   - Atomic Test #8: Hide Files Through Registry [windows]
+  - Atomic Test #9: Create Windows Hidden File with powershell [windows]
+  - Atomic Test #10: Create Windows System File with powershell [windows]
 - T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1564.004 Hide Artifacts: NTFS File Attributes](../../T1564.004/T1564.004.md)
   - Atomic Test #1: Alternate Data Streams (ADS) [windows]

atomics/Indexes/index.yaml

@@ -28742,6 +28742,70 @@ defense-evasion:
           reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /f >nul 2>&1
         name: command_prompt
         elevation_required: true
+    - name: Create Windows Hidden File with powershell
+      auto_generated_guid: 7f66d539-4fbe-4cfa-9a56-4a2bf660c58a
+      description: |
+        Creates a file and marks it as hidden through powershell. Upon execution, open File Epxplorer and enable View > Hidden Items. Then, open Properties > Details on the file
+        and observe that the Attributes is "H" Hidden.
+      supported_platforms:
+      - windows
+      input_arguments:
+        file_to_modify:
+          description: File to modify
+          type: string
+          default: "%temp%\\T1564.001-9.txt"
+      dependency_executor_name: command_prompt
+      dependencies:
+      - description: 'The file must exist on disk at specified location (#{file_to_modify})
+
+          '
+        prereq_command: 'IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 )
+
+          '
+        get_prereq_command: 'echo system_Attrib_T1564.001-9 >> #{file_to_modify}
+
+          '
+      executor:
+        command: |
+          $file = Get-Item $env:temp\T1564.001-9.txt -Force
+          $file.attributes='Hidden'
+        cleanup_command: 'cmd /c ''del /A:H #{file_to_modify} >nul 2>&1''
+
+          '
+        name: powershell
+        elevation_required: true
+    - name: Create Windows System File with powershell
+      auto_generated_guid: d380c318-0b34-45cb-9dad-828c11891e43
+      description: |
+        Creates a file and marks it as System through powershell. Upon execution, open File Epxplorer and enable View > Hidden Items. Then, open Properties > Details on the file
+        and observe that the Attributes is "S" System.
+      supported_platforms:
+      - windows
+      input_arguments:
+        file_to_modify:
+          description: File to modify
+          type: string
+          default: "%temp%\\T1564.001-10.txt"
+      dependency_executor_name: command_prompt
+      dependencies:
+      - description: 'The file must exist on disk at specified location (#{file_to_modify})
+
+          '
+        prereq_command: 'IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 )
+
+          '
+        get_prereq_command: 'echo system_Attrib_T1564.001-10 >> #{file_to_modify}
+
+          '
+      executor:
+        command: |
+          $file = Get-Item $env:temp\T1564.001-10.txt -Force
+          $file.attributes='System'
+        cleanup_command: 'cmd /c ''del /A:H #{file_to_modify} >nul 2>&1''
+
+          '
+        name: powershell
+        elevation_required: true
   T1578.001:
     technique:
       x_mitre_platforms:

atomics/Indexes/windows-index.yaml

@@ -24526,6 +24526,70 @@ defense-evasion:
           reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /f >nul 2>&1
         name: command_prompt
         elevation_required: true
+    - name: Create Windows Hidden File with powershell
+      auto_generated_guid: 7f66d539-4fbe-4cfa-9a56-4a2bf660c58a
+      description: |
+        Creates a file and marks it as hidden through powershell. Upon execution, open File Epxplorer and enable View > Hidden Items. Then, open Properties > Details on the file
+        and observe that the Attributes is "H" Hidden.
+      supported_platforms:
+      - windows
+      input_arguments:
+        file_to_modify:
+          description: File to modify
+          type: string
+          default: "%temp%\\T1564.001-9.txt"
+      dependency_executor_name: command_prompt
+      dependencies:
+      - description: 'The file must exist on disk at specified location (#{file_to_modify})
+
+          '
+        prereq_command: 'IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 )
+
+          '
+        get_prereq_command: 'echo system_Attrib_T1564.001-9 >> #{file_to_modify}
+
+          '
+      executor:
+        command: |
+          $file = Get-Item $env:temp\T1564.001-9.txt -Force
+          $file.attributes='Hidden'
+        cleanup_command: 'cmd /c ''del /A:H #{file_to_modify} >nul 2>&1''
+
+          '
+        name: powershell
+        elevation_required: true
+    - name: Create Windows System File with powershell
+      auto_generated_guid: d380c318-0b34-45cb-9dad-828c11891e43
+      description: |
+        Creates a file and marks it as System through powershell. Upon execution, open File Epxplorer and enable View > Hidden Items. Then, open Properties > Details on the file
+        and observe that the Attributes is "S" System.
+      supported_platforms:
+      - windows
+      input_arguments:
+        file_to_modify:
+          description: File to modify
+          type: string
+          default: "%temp%\\T1564.001-10.txt"
+      dependency_executor_name: command_prompt
+      dependencies:
+      - description: 'The file must exist on disk at specified location (#{file_to_modify})
+
+          '
+        prereq_command: 'IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 )
+
+          '
+        get_prereq_command: 'echo system_Attrib_T1564.001-10 >> #{file_to_modify}
+
+          '
+      executor:
+        command: |
+          $file = Get-Item $env:temp\T1564.001-10.txt -Force
+          $file.attributes='System'
+        cleanup_command: 'cmd /c ''del /A:H #{file_to_modify} >nul 2>&1''
+
+          '
+        name: powershell
+        elevation_required: true
   T1578.001:
     technique:
       x_mitre_platforms:

atomics/T1564.001/T1564.001.md

@@ -26,6 +26,10 @@ Adversaries can use this to their advantage to hide files and folders anywhere o
 
 - [Atomic Test #8 - Hide Files Through Registry](#atomic-test-8---hide-files-through-registry)
 
+- [Atomic Test #9 - Create Windows Hidden File with powershell](#atomic-test-9---create-windows-hidden-file-with-powershell)
+
+- [Atomic Test #10 - Create Windows System File with powershell](#atomic-test-10---create-windows-system-file-with-powershell)
+
 
 <br/>
 
@@ -320,4 +324,106 @@ reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #9 - Create Windows Hidden File with powershell
+Creates a file and marks it as hidden through powershell. Upon execution, open File Epxplorer and enable View > Hidden Items. Then, open Properties > Details on the file
+and observe that the Attributes is "H" Hidden.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 7f66d539-4fbe-4cfa-9a56-4a2bf660c58a
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| file_to_modify | File to modify | string | %temp%&#92;T1564.001-9.txt|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+$file = Get-Item $env:temp\T1564.001-9.txt -Force
+$file.attributes='Hidden'
+```
+
+#### Cleanup Commands:
+```powershell
+cmd /c 'del /A:H #{file_to_modify} >nul 2>&1'
+```
+
+
+
+#### Dependencies:  Run with `command_prompt`!
+##### Description: The file must exist on disk at specified location (#{file_to_modify})
+##### Check Prereq Commands:
+```cmd
+IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 )
+```
+##### Get Prereq Commands:
+```cmd
+echo system_Attrib_T1564.001-9 >> #{file_to_modify}
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #10 - Create Windows System File with powershell
+Creates a file and marks it as System through powershell. Upon execution, open File Epxplorer and enable View > Hidden Items. Then, open Properties > Details on the file
+and observe that the Attributes is "S" System.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** d380c318-0b34-45cb-9dad-828c11891e43
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| file_to_modify | File to modify | string | %temp%&#92;T1564.001-10.txt|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+$file = Get-Item $env:temp\T1564.001-10.txt -Force
+$file.attributes='System'
+```
+
+#### Cleanup Commands:
+```powershell
+cmd /c 'del /A:H #{file_to_modify} >nul 2>&1'
+```
+
+
+
+#### Dependencies:  Run with `command_prompt`!
+##### Description: The file must exist on disk at specified location (#{file_to_modify})
+##### Check Prereq Commands:
+```cmd
+IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 )
+```
+##### Get Prereq Commands:
+```cmd
+echo system_Attrib_T1564.001-10 >> #{file_to_modify}
+```
+
+
+
+
 <br/>