From 65fe70a42011103379c59b72b70940418d64a332 Mon Sep 17 00:00:00 2001
From: Hare Sudhan
Date: Thu, 31 Aug 2023 12:03:59 -0400
Subject: [PATCH] adding T1021.005

adding T1021.005
---
 atomics/T1021.005/T1021.005.yaml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 atomics/T1021.005/T1021.005.yaml

diff --git a/atomics/T1021.005/T1021.005.yaml b/atomics/T1021.005/T1021.005.yaml
new file mode 100644
index 00000000..af1789dc
--- /dev/null
+++ b/atomics/T1021.005/T1021.005.yaml
@@ -0,0 +1,18 @@
+attack_technique: T1021.005
+display_name: 'Remote Services:VNC'
+atomic_tests:
+- name: Enable Apple Remote Desktop Agent
+  description: |
+    ARD leverages a blend of protocols, including VNC to send the screen and control buffers and SSH for secure file transfer.
+    Adversaries can abuse ARD to gain remote code execution and perform lateral movement.
+
+    References: https://www.mandiant.com/resources/blog/leveraging-apple-remote-desktop-for-good-and-evil
+  supported_platforms:
+  - macos
+  executor:
+    name: sh
+    command: |
+      sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -allUsers -privs -all -quiet
+    cleanup_command: |
+      sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop -configure -privs -none -quiet
+    elevation_required: true
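Review bot: The cleanup_command deactivates Remote Management and sets `-privs -none` unconditionally, so on a host where ARD was already enabled before the test it leaves the agent stopped and stripped rather than restored to its prior state; the description should say so, e.g. `Note: cleanup deactivates ARD and clears privileges regardless of the pre-test configuration; record the current kickstart settings before running on a managed host.` The cleanup also never reverts the `-allowAccessFor -allUsers` scope set by the test command, so that setting appears to persist after deactivation; if kickstart's `-specifiedUsers` mode behaves as Apple documents, `-configure -allowAccessFor -specifiedUsers -privs -none -quiet` would narrow it back. As a point of style, `display_name: 'Remote Services:VNC'` drops the space used in the MITRE technique name "Remote Services: VNC", which is the form other atomics use for matching.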