Generated docs from job=generate-docs branch=master [ci skip]

README.md

@@ -2,7 +2,7 @@
 
 # Atomic Red Team
 
-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1644-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1648-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
 
 Atomic Red Team™ is a library of tests mapped to the
 [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use

atomics/Indexes/Indexes-CSV/index.csv

@@ -363,6 +363,7 @@ defense-evasion,T1574.006,Hijack Execution Flow: LD_PRELOAD,3,Dylib Injection vi
 defense-evasion,T1070.001,Indicator Removal on Host: Clear Windows Event Logs,1,Clear Logs,e6abb60e-26b8-41da-8aae-0c35174b0967,command_prompt
 defense-evasion,T1070.001,Indicator Removal on Host: Clear Windows Event Logs,2,Delete System Logs Using Clear-EventLog,b13e9306-3351-4b4b-a6e8-477358b0b498,powershell
 defense-evasion,T1070.001,Indicator Removal on Host: Clear Windows Event Logs,3,Clear Event Logs via VBA,1b682d84-f075-4f93-9a89-8a8de19ffd6e,powershell
+defense-evasion,T1222,File and Directory Permissions Modification,1,Enable Local and Remote Symbolic Links via fsutil,6c4ac96f-d4fa-44f4-83ca-56d8f4a55c02,command_prompt
 defense-evasion,T1134.002,Create Process with Token,1,Access Token Manipulation,dbf4f5a9-b8e0-46a3-9841-9ad71247239e,powershell
 defense-evasion,T1134.002,Create Process with Token,2,WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique,ccf4ac39-ec93-42be-9035-90e2f26bcd92,powershell
 defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
@@ -585,6 +586,7 @@ defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,7,Delete an e
 defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,8,Delete Filesystem - Linux,f3aa95fe-4f10-4485-ad26-abf22a764c52,sh
 defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,9,Delete Prefetch File,36f96049-0ad7-4a5f-8418-460acaeb92fb,powershell
 defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,10,Delete TeamViewer Log Files,69f50a5f-967c-4327-a5bb-e1a9a9983785,powershell
+defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,11,Clears Recycle bin via rd,f723d13d-48dc-4317-9990-cf43a9ac0bf2,command_prompt
 defense-evasion,T1221,Template Injection,1,WINWORD Remote Template Injection,1489e08a-82c7-44ee-b769-51b72d03521d,command_prompt
 defense-evasion,T1027.002,Obfuscated Files or Information: Software Packing,1,Binary simply packed by UPX (linux),11c46cd8-e471-450e-acb8-52a1216ae6a4,sh
 defense-evasion,T1027.002,Obfuscated Files or Information: Software Packing,2,"Binary packed by UPX, with modified headers (linux)",f06197f8-ff46-48c2-a0c6-afc1b50665e1,sh
@@ -1868,6 +1870,7 @@ discovery,T1057,Process Discovery,5,Process Discovery - wmic process,640cbf6d-65
 discovery,T1057,Process Discovery,6,Discover Specific Process - tasklist,11ba69ee-902e-4a0f-b3b6-418aed7d7ddb,command_prompt
 discovery,T1057,Process Discovery,7,Process Discovery - Process Hacker,966f4c16-1925-4d9b-8ce0-01334ee0867d,powershell
 discovery,T1057,Process Discovery,8,Process Discovery - PC Hunter,b4ca838d-d013-4461-bf2c-f7132617b409,powershell
+discovery,T1057,Process Discovery,9,Launch Taskmgr from cmd to View running processes,4fd35378-39aa-481e-b7c4-e3bf49375c67,command_prompt
 discovery,T1069.001,Permission Groups Discovery: Local Groups,1,Permission Groups Discovery (Local),952931a4-af0b-4335-bbbe-73c8c5b327ae,sh
 discovery,T1069.001,Permission Groups Discovery: Local Groups,2,Basic Permission Groups Discovery Windows (Local),1f454dd6-e134-44df-bebb-67de70fb6cd8,command_prompt
 discovery,T1069.001,Permission Groups Discovery: Local Groups,3,Permission Groups Discovery PowerShell (Local),a580462d-2c19-4bc7-8b9a-57a41b7d3ba4,powershell
@@ -1899,6 +1902,7 @@ discovery,T1012,Query Registry,1,Query Registry,8f7578c4-9863-4d83-875c-a565573b
 discovery,T1012,Query Registry,2,Query Registry with Powershell cmdlets,0434d081-bb32-42ce-bcbb-3548e4f2628f,powershell
 discovery,T1012,Query Registry,3,Enumerate COM Objects in Registry with Powershell,0d80d088-a84c-4353-af1a-fc8b439f1564,powershell
 discovery,T1012,Query Registry,4,Reg query for AlwaysInstallElevated status,6fb4c4c5-f949-4fd2-8af5-ddbc61595223,command_prompt
+discovery,T1012,Query Registry,5,Check Software Inventory Logging (SIL) status via Registry,5c784969-1d43-4ac7-8c3d-ed6d025ed10d,command_prompt
 discovery,T1614,System Location Discovery,1,Get geolocation info through IP-Lookup services using curl Windows,fe53e878-10a3-477b-963e-4367348f5af5,command_prompt
 discovery,T1614,System Location Discovery,2,"Get geolocation info through IP-Lookup services using curl freebsd, linux or macos",552b4db3-8850-412c-abce-ab5cc8a86604,bash
 discovery,T1518.001,Software Discovery: Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -258,6 +258,7 @@ defense-evasion,T1078.001,Valid Accounts: Default Accounts,2,Activate Guest Acco
 defense-evasion,T1070.001,Indicator Removal on Host: Clear Windows Event Logs,1,Clear Logs,e6abb60e-26b8-41da-8aae-0c35174b0967,command_prompt
 defense-evasion,T1070.001,Indicator Removal on Host: Clear Windows Event Logs,2,Delete System Logs Using Clear-EventLog,b13e9306-3351-4b4b-a6e8-477358b0b498,powershell
 defense-evasion,T1070.001,Indicator Removal on Host: Clear Windows Event Logs,3,Clear Event Logs via VBA,1b682d84-f075-4f93-9a89-8a8de19ffd6e,powershell
+defense-evasion,T1222,File and Directory Permissions Modification,1,Enable Local and Remote Symbolic Links via fsutil,6c4ac96f-d4fa-44f4-83ca-56d8f4a55c02,command_prompt
 defense-evasion,T1134.002,Create Process with Token,1,Access Token Manipulation,dbf4f5a9-b8e0-46a3-9841-9ad71247239e,powershell
 defense-evasion,T1134.002,Create Process with Token,2,WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique,ccf4ac39-ec93-42be-9035-90e2f26bcd92,powershell
 defense-evasion,T1218.008,Signed Binary Proxy Execution: Odbcconf,1,Odbcconf.exe - Execute Arbitrary DLL,2430498b-06c0-4b92-a448-8ad263c388e2,command_prompt
@@ -407,6 +408,7 @@ defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,6,Delete a si
 defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,7,Delete an entire folder - Windows PowerShell,edd779e4-a509-4cba-8dfa-a112543dbfb1,powershell
 defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,9,Delete Prefetch File,36f96049-0ad7-4a5f-8418-460acaeb92fb,powershell
 defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,10,Delete TeamViewer Log Files,69f50a5f-967c-4327-a5bb-e1a9a9983785,powershell
+defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,11,Clears Recycle bin via rd,f723d13d-48dc-4317-9990-cf43a9ac0bf2,command_prompt
 defense-evasion,T1221,Template Injection,1,WINWORD Remote Template Injection,1489e08a-82c7-44ee-b769-51b72d03521d,command_prompt
 defense-evasion,T1622,Debugger Evasion,1,Detect a Debugger Presence in the Machine,58bd8c8d-3a1a-4467-a69c-439c75469b07,powershell
 defense-evasion,T1550.002,Use Alternate Authentication Material: Pass the Hash,1,Mimikatz Pass the Hash,ec23cef9-27d9-46e4-a68d-6f75f7b86908,command_prompt
@@ -1262,6 +1264,7 @@ discovery,T1057,Process Discovery,5,Process Discovery - wmic process,640cbf6d-65
 discovery,T1057,Process Discovery,6,Discover Specific Process - tasklist,11ba69ee-902e-4a0f-b3b6-418aed7d7ddb,command_prompt
 discovery,T1057,Process Discovery,7,Process Discovery - Process Hacker,966f4c16-1925-4d9b-8ce0-01334ee0867d,powershell
 discovery,T1057,Process Discovery,8,Process Discovery - PC Hunter,b4ca838d-d013-4461-bf2c-f7132617b409,powershell
+discovery,T1057,Process Discovery,9,Launch Taskmgr from cmd to View running processes,4fd35378-39aa-481e-b7c4-e3bf49375c67,command_prompt
 discovery,T1069.001,Permission Groups Discovery: Local Groups,2,Basic Permission Groups Discovery Windows (Local),1f454dd6-e134-44df-bebb-67de70fb6cd8,command_prompt
 discovery,T1069.001,Permission Groups Discovery: Local Groups,3,Permission Groups Discovery PowerShell (Local),a580462d-2c19-4bc7-8b9a-57a41b7d3ba4,powershell
 discovery,T1069.001,Permission Groups Discovery: Local Groups,4,SharpHound3 - LocalAdmin,e03ada14-0980-4107-aff1-7783b2b59bb1,powershell
@@ -1280,6 +1283,7 @@ discovery,T1012,Query Registry,1,Query Registry,8f7578c4-9863-4d83-875c-a565573b
 discovery,T1012,Query Registry,2,Query Registry with Powershell cmdlets,0434d081-bb32-42ce-bcbb-3548e4f2628f,powershell
 discovery,T1012,Query Registry,3,Enumerate COM Objects in Registry with Powershell,0d80d088-a84c-4353-af1a-fc8b439f1564,powershell
 discovery,T1012,Query Registry,4,Reg query for AlwaysInstallElevated status,6fb4c4c5-f949-4fd2-8af5-ddbc61595223,command_prompt
+discovery,T1012,Query Registry,5,Check Software Inventory Logging (SIL) status via Registry,5c784969-1d43-4ac7-8c3d-ed6d025ed10d,command_prompt
 discovery,T1614,System Location Discovery,1,Get geolocation info through IP-Lookup services using curl Windows,fe53e878-10a3-477b-963e-4367348f5af5,command_prompt
 discovery,T1518.001,Software Discovery: Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt
 discovery,T1518.001,Software Discovery: Security Software Discovery,2,Security Software Discovery - powershell,7f566051-f033-49fb-89de-b6bacab730f0,powershell

atomics/Indexes/Indexes-Markdown/index.md

@@ -443,7 +443,8 @@
   - Atomic Test #1: Clear Logs [windows]
   - Atomic Test #2: Delete System Logs Using Clear-EventLog [windows]
   - Atomic Test #3: Clear Event Logs via VBA [windows]
-- T1222 File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1222 File and Directory Permissions Modification](../../T1222/T1222.md)
+  - Atomic Test #1: Enable Local and Remote Symbolic Links via fsutil [windows]
 - T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1134.002 Create Process with Token](../../T1134.002/T1134.002.md)
   - Atomic Test #1: Access Token Manipulation [windows]
@@ -750,6 +751,7 @@
   - Atomic Test #8: Delete Filesystem - Linux [linux]
   - Atomic Test #9: Delete Prefetch File [windows]
   - Atomic Test #10: Delete TeamViewer Log Files [windows]
+  - Atomic Test #11: Clears Recycle bin via rd [windows]
 - [T1221 Template Injection](../../T1221/T1221.md)
   - Atomic Test #1: WINWORD Remote Template Injection [windows]
 - T1134 Access Token Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -2543,6 +2545,7 @@
   - Atomic Test #6: Discover Specific Process - tasklist [windows]
   - Atomic Test #7: Process Discovery - Process Hacker [windows]
   - Atomic Test #8: Process Discovery - PC Hunter [windows]
+  - Atomic Test #9: Launch Taskmgr from cmd to View running processes [windows]
 - T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1069.001 Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md)
   - Atomic Test #1: Permission Groups Discovery (Local) [linux, macos]
@@ -2579,6 +2582,7 @@
   - Atomic Test #2: Query Registry with Powershell cmdlets [windows]
   - Atomic Test #3: Enumerate COM Objects in Registry with Powershell [windows]
   - Atomic Test #4: Reg query for AlwaysInstallElevated status [windows]
+  - Atomic Test #5: Check Software Inventory Logging (SIL) status via Registry [windows]
 - [T1614 System Location Discovery](../../T1614/T1614.md)
   - Atomic Test #1: Get geolocation info through IP-Lookup services using curl Windows [windows]
   - Atomic Test #2: Get geolocation info through IP-Lookup services using curl freebsd, linux or macos [macos, linux]

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -322,7 +322,8 @@
   - Atomic Test #1: Clear Logs [windows]
   - Atomic Test #2: Delete System Logs Using Clear-EventLog [windows]
   - Atomic Test #3: Clear Event Logs via VBA [windows]
-- T1222 File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1222 File and Directory Permissions Modification](../../T1222/T1222.md)
+  - Atomic Test #1: Enable Local and Remote Symbolic Links via fsutil [windows]
 - T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1134.002 Create Process with Token](../../T1134.002/T1134.002.md)
   - Atomic Test #1: Access Token Manipulation [windows]
@@ -536,6 +537,7 @@
   - Atomic Test #7: Delete an entire folder - Windows PowerShell [windows]
   - Atomic Test #9: Delete Prefetch File [windows]
   - Atomic Test #10: Delete TeamViewer Log Files [windows]
+  - Atomic Test #11: Clears Recycle bin via rd [windows]
 - [T1221 Template Injection](../../T1221/T1221.md)
   - Atomic Test #1: WINWORD Remote Template Injection [windows]
 - T1134 Access Token Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1783,6 +1785,7 @@
   - Atomic Test #6: Discover Specific Process - tasklist [windows]
   - Atomic Test #7: Process Discovery - Process Hacker [windows]
   - Atomic Test #8: Process Discovery - PC Hunter [windows]
+  - Atomic Test #9: Launch Taskmgr from cmd to View running processes [windows]
 - T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1069.001 Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md)
   - Atomic Test #2: Basic Permission Groups Discovery Windows (Local) [windows]
@@ -1806,6 +1809,7 @@
   - Atomic Test #2: Query Registry with Powershell cmdlets [windows]
   - Atomic Test #3: Enumerate COM Objects in Registry with Powershell [windows]
   - Atomic Test #4: Reg query for AlwaysInstallElevated status [windows]
+  - Atomic Test #5: Check Software Inventory Logging (SIL) status via Registry [windows]
 - [T1614 System Location Discovery](../../T1614/T1614.md)
   - Atomic Test #1: Get geolocation info through IP-Lookup services using curl Windows [windows]
 - [T1518.001 Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md)

atomics/Indexes/Matrices/matrix.md

@@ -80,7 +80,7 @@
 |  |  | Container Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Component Object Model Hijacking](../../T1546.015/T1546.015.md) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) |  |  |  |  |  |  |  |
 |  |  | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) |  |  |  |  |  |  |  |
 |  |  | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md) | [Indicator Removal on Host: Clear Windows Event Logs](../../T1070.001/T1070.001.md) |  |  |  |  |  |  |  |
-|  |  | [IIS Components](../../T1505.004/T1505.004.md) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
+|  |  | [IIS Components](../../T1505.004/T1505.004.md) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [File and Directory Permissions Modification](../../T1222/T1222.md) |  |  |  |  |  |  |  |
 |  |  | [Event Triggered Execution](../../T1546/T1546.md) | Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | [Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md) | [Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md) | [Create Process with Token](../../T1134.002/T1134.002.md) |  |  |  |  |  |  |  |
 |  |  | [Authentication Package](../../T1547.002/T1547.002.md) | [Event Triggered Execution: Screensaver](../../T1546.002/T1546.002.md) | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) |  |  |  |  |  |  |  |

atomics/Indexes/Matrices/windows-matrix.md

@@ -64,7 +64,7 @@
 |  |  | [Authentication Package](../../T1547.002/T1547.002.md) | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md) |  |  |  |  |  |  |  |
 |  |  | [Event Triggered Execution: Component Object Model Hijacking](../../T1546.015/T1546.015.md) | Access Token Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) |  |  |  |  |  |  |  |
 |  |  | [Office Application Startup: Outlook Home Page](../../T1137.004/T1137.004.md) | Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Clear Windows Event Logs](../../T1070.001/T1070.001.md) |  |  |  |  |  |  |  |
-|  |  | [Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
+|  |  | [Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md) | [File and Directory Permissions Modification](../../T1222/T1222.md) |  |  |  |  |  |  |  |
 |  |  | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Manipulation: Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Logon Script (Windows)](../../T1037.001/T1037.001.md) | [Create Process with Token](../../T1134.002/T1134.002.md) |  |  |  |  |  |  |  |
 |  |  | [BITS Jobs](../../T1197/T1197.md) | [Process Injection: ListPlanting](../../T1055.015/T1055.015.md) | [Signed Binary Proxy Execution: Odbcconf](../../T1218.008/T1218.008.md) |  |  |  |  |  |  |  |

atomics/Indexes/azure-ad-index.yaml

@@ -6224,6 +6224,7 @@ defense-evasion:
       x_mitre_attack_spec_version: 2.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
       spec_version: '2.1'
+      identifier: T1222
     atomic_tests: []
   T1548:
     technique:

atomics/Indexes/containers-index.yaml

@@ -6162,6 +6162,7 @@ defense-evasion:
       x_mitre_attack_spec_version: 2.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
       spec_version: '2.1'
+      identifier: T1222
     atomic_tests: []
   T1548:
     technique:

atomics/Indexes/google-workspace-index.yaml

@@ -6128,6 +6128,7 @@ defense-evasion:
       x_mitre_attack_spec_version: 2.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
       spec_version: '2.1'
+      identifier: T1222
     atomic_tests: []
   T1548:
     technique:

atomics/Indexes/iaas-index.yaml

@@ -6128,6 +6128,7 @@ defense-evasion:
       x_mitre_attack_spec_version: 2.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
       spec_version: '2.1'
+      identifier: T1222
     atomic_tests: []
   T1548:
     technique:

atomics/Indexes/iaas_aws-index.yaml

@@ -6128,6 +6128,7 @@ defense-evasion:
       x_mitre_attack_spec_version: 2.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
       spec_version: '2.1'
+      identifier: T1222
     atomic_tests: []
   T1548:
     technique:

atomics/Indexes/iaas_azure-index.yaml

@@ -6128,6 +6128,7 @@ defense-evasion:
       x_mitre_attack_spec_version: 2.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
       spec_version: '2.1'
+      identifier: T1222
     atomic_tests: []
   T1548:
     technique:

atomics/Indexes/iaas_gcp-index.yaml

@@ -6128,6 +6128,7 @@ defense-evasion:
       x_mitre_attack_spec_version: 2.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
       spec_version: '2.1'
+      identifier: T1222
     atomic_tests: []
   T1548:
     technique:

atomics/Indexes/index.yaml

@@ -15549,7 +15549,23 @@ defense-evasion:
       x_mitre_attack_spec_version: 2.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
       spec_version: '2.1'
-    atomic_tests: []
+      identifier: T1222
+    atomic_tests:
+    - name: Enable Local and Remote Symbolic Links via fsutil
+      auto_generated_guid: 6c4ac96f-d4fa-44f4-83ca-56d8f4a55c02
+      description: |
+        Use fsutil to enable both ‘remote to local’ and ‘remote to remote’ symbolic links. This allows access to files from local shortcuts with local or remote paths.
+        [reference](https://symantec-enterprise-blogs.security.com/threat-intelligence/noberus-blackcat-alphv-rust-ransomware/)
+      supported_platforms:
+      - windows
+      executor:
+        command: "fsutil behavior set SymlinkEvaluation R2L:1 \nfsutil behavior set
+          SymlinkEvaluation R2R:1\n"
+        cleanup_command: |
+          fsutil behavior set SymlinkEvaluation R2L:0
+          fsutil behavior set SymlinkEvaluation R2R:0
+        name: command_prompt
+        elevation_required: true
   T1548:
     technique:
       modified: '2024-04-15T20:52:09.908Z'
@@ -28137,6 +28153,19 @@ defense-evasion:
           New-Item -Path #{teamviewer_log_file} -Force | Out-Null
           Remove-Item #{teamviewer_log_file} -Force -ErrorAction Ignore
         name: powershell
+    - name: Clears Recycle bin via rd
+      auto_generated_guid: f723d13d-48dc-4317-9990-cf43a9ac0bf2
+      description: |
+        An adversary clears the recycle bin in the system partition using rd to remove traces of deleted files.
+        [Reference](https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/)
+      supported_platforms:
+      - windows
+      executor:
+        command: 'rd /s /q %systemdrive%\$RECYCLE.BIN
+
+          '
+        name: command_prompt
+        elevation_required: true
   T1221:
     technique:
       x_mitre_platforms:
@@ -104553,6 +104582,19 @@ discovery:
         command: Start-Process -FilePath "C:\Temp\ExternalPayloads\PCHunter_free\#{pchunter64_exe}"
         name: powershell
         elevation_required: true
+    - name: Launch Taskmgr from cmd to View running processes
+      auto_generated_guid: 4fd35378-39aa-481e-b7c4-e3bf49375c67
+      description: |
+        An adverary may launch taskmgr.exe with the /7 switch via command prompt to view processes running on the system.
+        [Reference](https://github.com/trellix-enterprise/ac3-threat-sightings/blob/main/sightings/Sightings_Conti_Ransomware.yml)
+      supported_platforms:
+      - windows
+      executor:
+        command: 'taskmgr.exe /7
+
+          '
+        name: command_prompt
+        elevation_required: false
   T1497.002:
     technique:
       x_mitre_platforms:
@@ -105484,6 +105526,21 @@ discovery:
           /v AlwaysInstallElevated      \n"
         name: command_prompt
         elevation_required: true
+    - name: Check Software Inventory Logging (SIL) status via Registry
+      auto_generated_guid: 5c784969-1d43-4ac7-8c3d-ed6d025ed10d
+      description: "Microsoft's Software Inventory Logging (SIL) collects information
+        about software installed per host basis. Adversary can use such logs to passively
+        \ncheck for existence of software of interest to them. Status of SIL can be
+        checked via registry.\n[Reference](https://blog.talosintelligence.com/chinese-hacking-group-apt41-compromised-taiwanese-government-affiliated-research-institute-with-shadowpad-and-cobaltstrike-2/)\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg.exe query hklm\software\microsoft\windows\softwareinventorylogging
+          /v collectionstate /reg:64
+
+          '
+        name: command_prompt
+        elevation_required: true
   T1614:
     technique:
       x_mitre_platforms:

atomics/Indexes/linux-index.yaml

@@ -8413,6 +8413,7 @@ defense-evasion:
       x_mitre_attack_spec_version: 2.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
       spec_version: '2.1'
+      identifier: T1222
     atomic_tests: []
   T1548:
     technique:

atomics/Indexes/macos-index.yaml

@@ -7501,6 +7501,7 @@ defense-evasion:
       x_mitre_attack_spec_version: 2.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
       spec_version: '2.1'
+      identifier: T1222
     atomic_tests: []
   T1548:
     technique:

atomics/Indexes/office-365-index.yaml

@@ -6128,6 +6128,7 @@ defense-evasion:
       x_mitre_attack_spec_version: 2.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
       spec_version: '2.1'
+      identifier: T1222
     atomic_tests: []
   T1548:
     technique:

atomics/Indexes/saas-index.yaml

@@ -6128,6 +6128,7 @@ defense-evasion:
       x_mitre_attack_spec_version: 2.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
       spec_version: '2.1'
+      identifier: T1222
     atomic_tests: []
   T1548:
     technique:

atomics/Indexes/windows-index.yaml

@@ -12669,7 +12669,23 @@ defense-evasion:
       x_mitre_attack_spec_version: 2.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
       spec_version: '2.1'
-    atomic_tests: []
+      identifier: T1222
+    atomic_tests:
+    - name: Enable Local and Remote Symbolic Links via fsutil
+      auto_generated_guid: 6c4ac96f-d4fa-44f4-83ca-56d8f4a55c02
+      description: |
+        Use fsutil to enable both ‘remote to local’ and ‘remote to remote’ symbolic links. This allows access to files from local shortcuts with local or remote paths.
+        [reference](https://symantec-enterprise-blogs.security.com/threat-intelligence/noberus-blackcat-alphv-rust-ransomware/)
+      supported_platforms:
+      - windows
+      executor:
+        command: "fsutil behavior set SymlinkEvaluation R2L:1 \nfsutil behavior set
+          SymlinkEvaluation R2R:1\n"
+        cleanup_command: |
+          fsutil behavior set SymlinkEvaluation R2L:0
+          fsutil behavior set SymlinkEvaluation R2R:0
+        name: command_prompt
+        elevation_required: true
   T1548:
     technique:
       modified: '2024-04-15T20:52:09.908Z'
@@ -23198,6 +23214,19 @@ defense-evasion:
           New-Item -Path #{teamviewer_log_file} -Force | Out-Null
           Remove-Item #{teamviewer_log_file} -Force -ErrorAction Ignore
         name: powershell
+    - name: Clears Recycle bin via rd
+      auto_generated_guid: f723d13d-48dc-4317-9990-cf43a9ac0bf2
+      description: |
+        An adversary clears the recycle bin in the system partition using rd to remove traces of deleted files.
+        [Reference](https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/)
+      supported_platforms:
+      - windows
+      executor:
+        command: 'rd /s /q %systemdrive%\$RECYCLE.BIN
+
+          '
+        name: command_prompt
+        elevation_required: true
   T1221:
     technique:
       x_mitre_platforms:
@@ -85646,6 +85675,19 @@ discovery:
         command: Start-Process -FilePath "C:\Temp\ExternalPayloads\PCHunter_free\#{pchunter64_exe}"
         name: powershell
         elevation_required: true
+    - name: Launch Taskmgr from cmd to View running processes
+      auto_generated_guid: 4fd35378-39aa-481e-b7c4-e3bf49375c67
+      description: |
+        An adverary may launch taskmgr.exe with the /7 switch via command prompt to view processes running on the system.
+        [Reference](https://github.com/trellix-enterprise/ac3-threat-sightings/blob/main/sightings/Sightings_Conti_Ransomware.yml)
+      supported_platforms:
+      - windows
+      executor:
+        command: 'taskmgr.exe /7
+
+          '
+        name: command_prompt
+        elevation_required: false
   T1497.002:
     technique:
       x_mitre_platforms:
@@ -86321,6 +86363,21 @@ discovery:
           /v AlwaysInstallElevated      \n"
         name: command_prompt
         elevation_required: true
+    - name: Check Software Inventory Logging (SIL) status via Registry
+      auto_generated_guid: 5c784969-1d43-4ac7-8c3d-ed6d025ed10d
+      description: "Microsoft's Software Inventory Logging (SIL) collects information
+        about software installed per host basis. Adversary can use such logs to passively
+        \ncheck for existence of software of interest to them. Status of SIL can be
+        checked via registry.\n[Reference](https://blog.talosintelligence.com/chinese-hacking-group-apt41-compromised-taiwanese-government-affiliated-research-institute-with-shadowpad-and-cobaltstrike-2/)\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg.exe query hklm\software\microsoft\windows\softwareinventorylogging
+          /v collectionstate /reg:64
+
+          '
+        name: command_prompt
+        elevation_required: true
   T1614:
     technique:
       x_mitre_platforms:

atomics/T1012/T1012.md

@@ -14,6 +14,8 @@ The Registry contains a significant amount of information about the operating sy
 
 - [Atomic Test #4 - Reg query for AlwaysInstallElevated status](#atomic-test-4---reg-query-for-alwaysinstallelevated-status)
 
+- [Atomic Test #5 - Check Software Inventory Logging (SIL) status via Registry](#atomic-test-5---check-software-inventory-logging-sil-status-via-registry)
+
 
 <br/>
 
@@ -197,4 +199,34 @@ reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallEle
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #5 - Check Software Inventory Logging (SIL) status via Registry
+Microsoft's Software Inventory Logging (SIL) collects information about software installed per host basis. Adversary can use such logs to passively 
+check for existence of software of interest to them. Status of SIL can be checked via registry.
+[Reference](https://blog.talosintelligence.com/chinese-hacking-group-apt41-compromised-taiwanese-government-affiliated-research-institute-with-shadowpad-and-cobaltstrike-2/)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 5c784969-1d43-4ac7-8c3d-ed6d025ed10d
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64
+```
+
+
+
+
+
+
 <br/>

atomics/T1057/T1057.md

@@ -24,6 +24,8 @@ On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T10
 
 - [Atomic Test #8 - Process Discovery - PC Hunter](#atomic-test-8---process-discovery---pc-hunter)
 
+- [Atomic Test #9 - Launch Taskmgr from cmd to View running processes](#atomic-test-9---launch-taskmgr-from-cmd-to-view-running-processes)
+
 
 <br/>
 
@@ -316,4 +318,33 @@ Write-Host Unzipping Installing Process Hunter
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #9 - Launch Taskmgr from cmd to View running processes
+An adverary may launch taskmgr.exe with the /7 switch via command prompt to view processes running on the system.
+[Reference](https://github.com/trellix-enterprise/ac3-threat-sightings/blob/main/sightings/Sightings_Conti_Ransomware.yml)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 4fd35378-39aa-481e-b7c4-e3bf49375c67
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+taskmgr.exe /7
+```
+
+
+
+
+
+
 <br/>

atomics/T1070.004/T1070.004.md

@@ -26,6 +26,8 @@ There are tools available from the host operating system to perform cleanup, but
 
 - [Atomic Test #10 - Delete TeamViewer Log Files](#atomic-test-10---delete-teamviewer-log-files)
 
+- [Atomic Test #11 - Clears Recycle bin via rd](#atomic-test-11---clears-recycle-bin-via-rd)
+
 
 <br/>
 
@@ -443,4 +445,33 @@ Remove-Item #{teamviewer_log_file} -Force -ErrorAction Ignore
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #11 - Clears Recycle bin via rd
+An adversary clears the recycle bin in the system partition using rd to remove traces of deleted files.
+[Reference](https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** f723d13d-48dc-4317-9990-cf43a9ac0bf2
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+rd /s /q %systemdrive%\$RECYCLE.BIN
+```
+
+
+
+
+
+
 <br/>

atomics/T1222/T1222.md

@@ -0,0 +1,48 @@
+# T1222 - File and Directory Permissions Modification
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1222)
+<blockquote>Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
+
+Modifications may include changing specific access rights, which may require taking ownership of a file or directory and/or elevated permissions depending on the file or directory’s existing permissions. This may enable malicious activity such as modifying, replacing, or deleting specific files or directories. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).
+
+Adversaries may also change permissions of symbolic links. For example, malware (particularly ransomware) may modify symbolic links and associated settings to enable access to files from local shortcuts with remote paths.(Citation: new_rust_based_ransomware)(Citation: bad_luck_blackcat)(Citation: falconoverwatch_blackcat_attack)(Citation: blackmatter_blackcat)(Citation: fsutil_behavior) </blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Enable Local and Remote Symbolic Links via fsutil](#atomic-test-1---enable-local-and-remote-symbolic-links-via-fsutil)
+
+
+<br/>
+
+## Atomic Test #1 - Enable Local and Remote Symbolic Links via fsutil
+Use fsutil to enable both ‘remote to local’ and ‘remote to remote’ symbolic links. This allows access to files from local shortcuts with local or remote paths.
+[reference](https://symantec-enterprise-blogs.security.com/threat-intelligence/noberus-blackcat-alphv-rust-ransomware/)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 6c4ac96f-d4fa-44f4-83ca-56d8f4a55c02
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+fsutil behavior set SymlinkEvaluation R2L:1 
+fsutil behavior set SymlinkEvaluation R2R:1
+```
+
+#### Cleanup Commands:
+```cmd
+fsutil behavior set SymlinkEvaluation R2L:0
+fsutil behavior set SymlinkEvaluation R2R:0
+```
+
+
+
+
+
+<br/>