diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 89f9040e..4d7ca8c2 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -473,6 +473,8 @@ defense-evasion,T1564.004,NTFS File Attributes,4,Create ADS PowerShell,0045ea16-
defense-evasion,T1070.005,Network Share Connection Removal,1,Add Network Share,14c38f32-6509-46d8-ab43-d53e32d2b131,command_prompt
defense-evasion,T1070.005,Network Share Connection Removal,2,Remove Network Share,09210ad5-1ef2-4077-9ad3-7351e13e9222,command_prompt
defense-evasion,T1070.005,Network Share Connection Removal,3,Remove Network Share PowerShell,0512d214-9512-4d22-bde7-f37e058259b3,powershell
+defense-evasion,T1070.005,Network Share Connection Removal,4,Disable Administrative Share Creation at Startup,99c657aa-ebeb-4179-a665-69288fdd12b8,command_prompt
+defense-evasion,T1070.005,Network Share Connection Removal,5,Remove Administrative Shares,4299eff5-90f1-4446-b2f3-7f4f5cfd5d62,command_prompt
defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh
defense-evasion,T1027,Obfuscated Files or Information,2,Execute base64-encoded PowerShell,a50d5a97-2531-499e-a1de-5544c74432c6,powershell
defense-evasion,T1027,Obfuscated Files or Information,3,Execute base64-encoded PowerShell from Windows Registry,450e7218-7915-4be4-8b9b-464a49eafcec,powershell
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 3256d751..e620f48b 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -308,6 +308,8 @@ defense-evasion,T1564.004,NTFS File Attributes,4,Create ADS PowerShell,0045ea16-
defense-evasion,T1070.005,Network Share Connection Removal,1,Add Network Share,14c38f32-6509-46d8-ab43-d53e32d2b131,command_prompt
defense-evasion,T1070.005,Network Share Connection Removal,2,Remove Network Share,09210ad5-1ef2-4077-9ad3-7351e13e9222,command_prompt
defense-evasion,T1070.005,Network Share Connection Removal,3,Remove Network Share PowerShell,0512d214-9512-4d22-bde7-f37e058259b3,powershell
+defense-evasion,T1070.005,Network Share Connection Removal,4,Disable Administrative Share Creation at Startup,99c657aa-ebeb-4179-a665-69288fdd12b8,command_prompt
+defense-evasion,T1070.005,Network Share Connection Removal,5,Remove Administrative Shares,4299eff5-90f1-4446-b2f3-7f4f5cfd5d62,command_prompt
defense-evasion,T1027,Obfuscated Files or Information,2,Execute base64-encoded PowerShell,a50d5a97-2531-499e-a1de-5544c74432c6,powershell
defense-evasion,T1027,Obfuscated Files or Information,3,Execute base64-encoded PowerShell from Windows Registry,450e7218-7915-4be4-8b9b-464a49eafcec,powershell
defense-evasion,T1027,Obfuscated Files or Information,4,Execution from Compressed File,f8c8a909-5f29-49ac-9244-413936ce6d1f,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 6fde9130..74f55a72 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -756,6 +756,8 @@
- Atomic Test #1: Add Network Share [windows]
- Atomic Test #2: Remove Network Share [windows]
- Atomic Test #3: Remove Network Share PowerShell [windows]
+ - Atomic Test #4: Disable Administrative Share Creation at Startup [windows]
+ - Atomic Test #5: Remove Administrative Shares [windows]
- [T1027 Obfuscated Files or Information](../../T1027/T1027.md)
- Atomic Test #1: Decode base64 Data into Script [macos, linux]
- Atomic Test #2: Execute base64-encoded PowerShell [windows]
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index 1c7184a1..02f13f7d 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -524,6 +524,8 @@
- Atomic Test #1: Add Network Share [windows]
- Atomic Test #2: Remove Network Share [windows]
- Atomic Test #3: Remove Network Share PowerShell [windows]
+ - Atomic Test #4: Disable Administrative Share Creation at Startup [windows]
+ - Atomic Test #5: Remove Administrative Shares [windows]
- [T1027 Obfuscated Files or Information](../../T1027/T1027.md)
- Atomic Test #2: Execute base64-encoded PowerShell [windows]
- Atomic Test #3: Execute base64-encoded PowerShell from Windows Registry [windows]
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index f2cc766a..36dec120 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -31945,6 +31945,43 @@ defense-evasion:
Remove-SmbShare -Name #{share_name}
Remove-FileShare -Name #{share_name}
name: powershell
+ - name: Disable Administrative Share Creation at Startup
+ auto_generated_guid: 99c657aa-ebeb-4179-a665-69288fdd12b8
+ description: "Administrative shares are hidden network shares created by Microsoft’s
+ Windows NT operating systems that grant system administrators \nremote access
+ to every disk volume on a network-connected system. These shares are automatically
+ created at started unless they have been\npurposefully disabled and is done
+ in this Atomic test. As Microsoft puts it, \"Missing administrative shares
+ typically \nindicate that the computer in question has been compromised by
+ malicious software.\"\nhttps://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/\n"
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareServer /t REG_DWORD /d 0 /f
+ reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareWks /t REG_DWORD /d 0 /f
+ cleanup_command: |
+ reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareServer /f
+ reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareWks /f
+ name: command_prompt
+ elevation_required: true
+ - name: Remove Administrative Shares
+ auto_generated_guid: 4299eff5-90f1-4446-b2f3-7f4f5cfd5d62
+ description: "Administrative shares are hidden network shares created by Microsoft’s
+ Windows NT operating systems that grant system administrators \nremote access
+ to every disk volume on a network-connected system. As Microsoft puts it,
+ “Missing administrative shares typically \nindicate that the computer in question
+ has been compromised by malicious software.\nhttps://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/\n"
+ supported_platforms:
+ - windows
+ executor:
+ command: for %i in (C$ IPC$ ADMIN$) do net share %i /delete
+ cleanup_command: |
+ net share ADMIN$ /UNLIMITED >nul 2>&1
+ net share C$=C:\ >nul 2>&1
+ net share IPC$ >nul 2>&1
+ name: command_prompt
+ elevation_required: true
T1027:
technique:
object_marking_refs:
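Review bot: The cleanup_command of "Disable Administrative Share Creation at Startup" deletes AutoShareServer and AutoShareWks unconditionally, so on a host where an administrator had already set those values to 0 as hardening, running the test and its cleanup leaves administrative share creation re-enabled instead of restoring the prior state; the `reg add ... /f` in the command likewise overwrites any existing value without recording it. Consider capturing the current values before the `reg add` (for example with `reg query` into a file or variable) and restoring them in cleanup, deleting only when they were absent. The description text also carries two wording defects: "automatically created at started" should read "at startup", and in the second test's description the Microsoft quotation opened with “ is never closed. If this index is generated from the technique's own YAML file, both fixes belong in that source rather than here.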
diff --git a/atomics/T1070.005/T1070.005.md b/atomics/T1070.005/T1070.005.md
index db0b7daa..dbdde905 100644
--- a/atomics/T1070.005/T1070.005.md
+++ b/atomics/T1070.005/T1070.005.md
@@ -10,6 +10,10 @@
- [Atomic Test #3 - Remove Network Share PowerShell](#atomic-test-3---remove-network-share-powershell)
+- [Atomic Test #4 - Disable Administrative Share Creation at Startup](#atomic-test-4---disable-administrative-share-creation-at-startup)
+
+- [Atomic Test #5 - Remove Administrative Shares](#atomic-test-5---remove-administrative-shares)
+
@@ -111,4 +115,79 @@ Remove-FileShare -Name #{share_name}
+
+
+
+## Atomic Test #4 - Disable Administrative Share Creation at Startup
+Administrative shares are hidden network shares created by Microsoft’s Windows NT operating systems that grant system administrators
+remote access to every disk volume on a network-connected system. These shares are automatically created at started unless they have been
+purposefully disabled and is done in this Atomic test. As Microsoft puts it, "Missing administrative shares typically
+indicate that the computer in question has been compromised by malicious software."
+https://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 99c657aa-ebeb-4179-a665-69288fdd12b8
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
+
+
+```cmd
+reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareServer /t REG_DWORD /d 0 /f
+reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareWks /t REG_DWORD /d 0 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareServer /f
+reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareWks /f
+```
+
+
+
+
+
+
+
+
+## Atomic Test #5 - Remove Administrative Shares
+Administrative shares are hidden network shares created by Microsoft’s Windows NT operating systems that grant system administrators
+remote access to every disk volume on a network-connected system. As Microsoft puts it, “Missing administrative shares typically
+indicate that the computer in question has been compromised by malicious software.
+https://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 4299eff5-90f1-4446-b2f3-7f4f5cfd5d62
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
+
+
+```cmd
+for %i in (C$ IPC$ ADMIN$) do net share %i /delete
+```
+
+#### Cleanup Commands:
+```cmd
+net share ADMIN$ /UNLIMITED >nul 2>&1
+net share C$=C:\ >nul 2>&1
+net share IPC$ >nul 2>&1
+```
+
+
+
+
+