Merge branch 'master' into patch-1

2023-10-26 13:29:05 -04:00
parent 7f6ffdcea2 6efc6d9c9d
commit e9eb19b4ac
15 changed files with 492 additions and 15 deletions
@@ -16,7 +16,7 @@

 # Atomic Red Team

-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1387-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1389-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)



@@ -501,6 +501,8 @@ defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,5,Hidden
 defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,6,Hide a Directory,b115ecaf-3b24-4ed2-aefe-2fcb9db913d3,sh
 defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,7,Show all hidden files,9a1ec7da-b892-449f-ad68-67066d04380c,sh
 defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,8,Hide Files Through Registry,f650456b-bd49-4bc1-ae9d-271b5b9581e7,command_prompt
+defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,9,Create Windows Hidden File with powershell,7f66d539-4fbe-4cfa-9a56-4a2bf660c58a,powershell
+defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,10,Create Windows System File with powershell,d380c318-0b34-45cb-9dad-828c11891e43,powershell
 defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
 defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
 defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,3,GCP - Create Custom IAM Role,3a159042-69e6-4398-9a69-3308a4841c85,sh
@@ -893,6 +895,7 @@ persistence,T1137.006,Office Application Startup: Add-ins,5,Persistent Code Exec
 persistence,T1505.002,Server Software Component: Transport Agent,1,Install MS Exchange Transport Agent Persistence,43e92449-ff60-46e9-83a3-1a38089df94d,powershell
 persistence,T1556.002,Modify Authentication Process: Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
 persistence,T1505.005,Server Software Component: Terminal Services DLL,1,Simulate Patching termsrv.dll,0b2eadeb-4a64-4449-9d43-3d999f4a317b,powershell
+persistence,T1505.005,Server Software Component: Terminal Services DLL,2,Modify Terminal Services DLL Path,18136e38-0530-49b2-b309-eed173787471,powershell
 persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
 persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
 persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
@@ -348,6 +348,8 @@ defense-evasion,T1220,XSL Script Processing,4,WMIC bypass using remote XSL file,
 defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,3,Create Windows System File with Attrib,f70974c8-c094-4574-b542-2c545af95a32,command_prompt
 defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,4,Create Windows Hidden File with Attrib,dadb792e-4358-4d8d-9207-b771faa0daa5,command_prompt
 defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,8,Hide Files Through Registry,f650456b-bd49-4bc1-ae9d-271b5b9581e7,command_prompt
+defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,9,Create Windows Hidden File with powershell,7f66d539-4fbe-4cfa-9a56-4a2bf660c58a,powershell
+defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,10,Create Windows System File with powershell,d380c318-0b34-45cb-9dad-828c11891e43,powershell
 defense-evasion,T1564.004,Hide Artifacts: NTFS File Attributes,1,Alternate Data Streams (ADS),8822c3b0-d9f9-4daf-a043-49f4602364f4,command_prompt
 defense-evasion,T1564.004,Hide Artifacts: NTFS File Attributes,2,Store file in Alternate Data Stream (ADS),2ab75061-f5d5-4c1a-b666-ba2a50df5b02,powershell
 defense-evasion,T1564.004,Hide Artifacts: NTFS File Attributes,3,Create ADS command prompt,17e7637a-ddaf-4a82-8622-377e20de8fdb,command_prompt
@@ -624,6 +626,7 @@ persistence,T1137.006,Office Application Startup: Add-ins,5,Persistent Code Exec
 persistence,T1505.002,Server Software Component: Transport Agent,1,Install MS Exchange Transport Agent Persistence,43e92449-ff60-46e9-83a3-1a38089df94d,powershell
 persistence,T1556.002,Modify Authentication Process: Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
 persistence,T1505.005,Server Software Component: Terminal Services DLL,1,Simulate Patching termsrv.dll,0b2eadeb-4a64-4449-9d43-3d999f4a317b,powershell
+persistence,T1505.005,Server Software Component: Terminal Services DLL,2,Modify Terminal Services DLL Path,18136e38-0530-49b2-b309-eed173787471,powershell
 persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
 persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
 persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
@@ -713,6 +713,8 @@
  - Atomic Test #6: Hide a Directory [macos]
  - Atomic Test #7: Show all hidden files [macos]
  - Atomic Test #8: Hide Files Through Registry [windows]
+  - Atomic Test #9: Create Windows Hidden File with powershell [windows]
+  - Atomic Test #10: Create Windows System File with powershell [windows]
 - T1578.001 Create Snapshot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
@@ -1356,6 +1358,7 @@
  - Atomic Test #1: Install and Register Password Filter DLL [windows]
 - [T1505.005 Server Software Component: Terminal Services DLL](../../T1505.005/T1505.005.md)
  - Atomic Test #1: Simulate Patching termsrv.dll [windows]
+  - Atomic Test #2: Modify Terminal Services DLL Path [windows]
 - [T1176 Browser Extensions](../../T1176/T1176.md)
  - Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
  - Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
@@ -516,6 +516,8 @@
  - Atomic Test #3: Create Windows System File with Attrib [windows]
  - Atomic Test #4: Create Windows Hidden File with Attrib [windows]
  - Atomic Test #8: Hide Files Through Registry [windows]
+  - Atomic Test #9: Create Windows Hidden File with powershell [windows]
+  - Atomic Test #10: Create Windows System File with powershell [windows]
 - T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1564.004 Hide Artifacts: NTFS File Attributes](../../T1564.004/T1564.004.md)
  - Atomic Test #1: Alternate Data Streams (ADS) [windows]
@@ -964,6 +966,7 @@
  - Atomic Test #1: Install and Register Password Filter DLL [windows]
 - [T1505.005 Server Software Component: Terminal Services DLL](../../T1505.005/T1505.005.md)
  - Atomic Test #1: Simulate Patching termsrv.dll [windows]
+  - Atomic Test #2: Modify Terminal Services DLL Path [windows]
 - [T1176 Browser Extensions](../../T1176/T1176.md)
  - Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
  - Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
@@ -28742,6 +28742,70 @@ defense-evasion:
          reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /f >nul 2>&1
        name: command_prompt
        elevation_required: true
+    - name: Create Windows Hidden File with powershell
+      auto_generated_guid: 7f66d539-4fbe-4cfa-9a56-4a2bf660c58a
+      description: |
+        Creates a file and marks it as hidden through powershell. Upon execution, open File Epxplorer and enable View > Hidden Items. Then, open Properties > Details on the file
+        and observe that the Attributes is "H" Hidden.
+      supported_platforms:
+      - windows
+      input_arguments:
+        file_to_modify:
+          description: File to modify
+          type: string
+          default: "%temp%\\T1564.001-9.txt"
+      dependency_executor_name: command_prompt
+      dependencies:
+      - description: 'The file must exist on disk at specified location (#{file_to_modify})
+
+          '
+        prereq_command: 'IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 )
+
+          '
+        get_prereq_command: 'echo system_Attrib_T1564.001-9 >> #{file_to_modify}
+
+          '
+      executor:
+        command: |
+          $file = Get-Item $env:temp\T1564.001-9.txt -Force
+          $file.attributes='Hidden'
+        cleanup_command: 'cmd /c ''del /A:H #{file_to_modify} >nul 2>&1''
+
+          '
+        name: powershell
+        elevation_required: true
+    - name: Create Windows System File with powershell
+      auto_generated_guid: d380c318-0b34-45cb-9dad-828c11891e43
+      description: |
+        Creates a file and marks it as System through powershell. Upon execution, open File Epxplorer and enable View > Hidden Items. Then, open Properties > Details on the file
+        and observe that the Attributes is "S" System.
+      supported_platforms:
+      - windows
+      input_arguments:
+        file_to_modify:
+          description: File to modify
+          type: string
+          default: "%temp%\\T1564.001-10.txt"
+      dependency_executor_name: command_prompt
+      dependencies:
+      - description: 'The file must exist on disk at specified location (#{file_to_modify})
+
+          '
+        prereq_command: 'IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 )
+
+          '
+        get_prereq_command: 'echo system_Attrib_T1564.001-10 >> #{file_to_modify}
+
+          '
+      executor:
+        command: |
+          $file = Get-Item $env:temp\T1564.001-10.txt -Force
+          $file.attributes='System'
+        cleanup_command: 'cmd /c ''del /A:H #{file_to_modify} >nul 2>&1''
+
+          '
+        name: powershell
+        elevation_required: true
  T1578.001:
    technique:
      x_mitre_platforms:
@@ -58619,11 +58683,13 @@ persistence:
      executor:
        elevation_required: true
        command: |
-          $ACL = Get-Acl $fileName
+          $termsrvDll = "C:\Windows\System32\termsrv.dll"
+
+          $ACL = Get-Acl $termsrvDll
          $permission = "Administrators","FullControl","Allow"
          $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
          $ACL.SetAccessRule($accessRule)
-          Set-Acl -Path $fileName -AclObject $ACL
+          Set-Acl -Path $termsrvDll -AclObject $ACL

          Copy-Item -Path "C:\Windows\System32\termsrv.dll" -Destination "C:\Windows\System32\termsrv_backup.dll" -ErrorAction Ignore
          Add-Content -Path "C:\Windows\System32\termsrv.dll" -Value "`n" -NoNewline -ErrorAction Ignore
@@ -58633,6 +58699,42 @@ persistence:

          '
        name: powershell
+    - name: Modify Terminal Services DLL Path
+      auto_generated_guid: 18136e38-0530-49b2-b309-eed173787471
+      description: This atomic test simulates the modification of the ServiceDll value
+        in HKLM\System\CurrentControlSet\services\TermService\Parameters. This technique
+        may be leveraged by adversaries to establish persistence by loading a patched
+        version of the DLL containing malicious code.
+      supported_platforms:
+      - windows
+      executor:
+        elevation_required: true
+        command: |-
+          $termsrvDll = "C:\Windows\System32\termsrv.dll"
+
+          $ACL = Get-Acl $termsrvDll
+          $permission = "Administrators","FullControl","Allow"
+          $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
+          $ACL.SetAccessRule($accessRule)
+          Set-Acl -Path $termsrvDll -AclObject $ACL
+
+          Copy-Item -Path $termsrvDll -Destination "$HOME\AtomicTest.dll"
+
+          $newServiceDll = "$HOME\AtomicTest.dll"
+
+          $registryPath = "HKLM:\System\CurrentControlSet\services\TermService\Parameters"
+
+          # Check if the registry key exists
+          if (Test-Path -Path $registryPath) {
+              # Modify the ServiceDll value in the registry
+              Set-ItemProperty -Path $registryPath -Name "ServiceDll" -Value $newServiceDll
+              Write-Host "ServiceDll value in the registry has been updated to: $newServiceDll"
+          } else {
+              Write-Host "Registry key not found. Make sure the 'TermService\Parameters' key exists."
+          }
+        cleanup_command: Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\services\TermService\Parameters"
+          -Name "ServiceDll" -Value "C:\Windows\System32\termsrv.dll"
+        name: powershell
  T1176:
    technique:
      x_mitre_platforms:
@@ -24526,6 +24526,70 @@ defense-evasion:
          reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /f >nul 2>&1
        name: command_prompt
        elevation_required: true
+    - name: Create Windows Hidden File with powershell
+      auto_generated_guid: 7f66d539-4fbe-4cfa-9a56-4a2bf660c58a
+      description: |
+        Creates a file and marks it as hidden through powershell. Upon execution, open File Epxplorer and enable View > Hidden Items. Then, open Properties > Details on the file
+        and observe that the Attributes is "H" Hidden.
+      supported_platforms:
+      - windows
+      input_arguments:
+        file_to_modify:
+          description: File to modify
+          type: string
+          default: "%temp%\\T1564.001-9.txt"
+      dependency_executor_name: command_prompt
+      dependencies:
+      - description: 'The file must exist on disk at specified location (#{file_to_modify})
+
+          '
+        prereq_command: 'IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 )
+
+          '
+        get_prereq_command: 'echo system_Attrib_T1564.001-9 >> #{file_to_modify}
+
+          '
+      executor:
+        command: |
+          $file = Get-Item $env:temp\T1564.001-9.txt -Force
+          $file.attributes='Hidden'
+        cleanup_command: 'cmd /c ''del /A:H #{file_to_modify} >nul 2>&1''
+
+          '
+        name: powershell
+        elevation_required: true
+    - name: Create Windows System File with powershell
+      auto_generated_guid: d380c318-0b34-45cb-9dad-828c11891e43
+      description: |
+        Creates a file and marks it as System through powershell. Upon execution, open File Epxplorer and enable View > Hidden Items. Then, open Properties > Details on the file
+        and observe that the Attributes is "S" System.
+      supported_platforms:
+      - windows
+      input_arguments:
+        file_to_modify:
+          description: File to modify
+          type: string
+          default: "%temp%\\T1564.001-10.txt"
+      dependency_executor_name: command_prompt
+      dependencies:
+      - description: 'The file must exist on disk at specified location (#{file_to_modify})
+
+          '
+        prereq_command: 'IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 )
+
+          '
+        get_prereq_command: 'echo system_Attrib_T1564.001-10 >> #{file_to_modify}
+
+          '
+      executor:
+        command: |
+          $file = Get-Item $env:temp\T1564.001-10.txt -Force
+          $file.attributes='System'
+        cleanup_command: 'cmd /c ''del /A:H #{file_to_modify} >nul 2>&1''
+
+          '
+        name: powershell
+        elevation_required: true
  T1578.001:
    technique:
      x_mitre_platforms:
@@ -50800,11 +50864,13 @@ persistence:
      executor:
        elevation_required: true
        command: |
-          $ACL = Get-Acl $fileName
+          $termsrvDll = "C:\Windows\System32\termsrv.dll"
+
+          $ACL = Get-Acl $termsrvDll
          $permission = "Administrators","FullControl","Allow"
          $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
          $ACL.SetAccessRule($accessRule)
-          Set-Acl -Path $fileName -AclObject $ACL
+          Set-Acl -Path $termsrvDll -AclObject $ACL

          Copy-Item -Path "C:\Windows\System32\termsrv.dll" -Destination "C:\Windows\System32\termsrv_backup.dll" -ErrorAction Ignore
          Add-Content -Path "C:\Windows\System32\termsrv.dll" -Value "`n" -NoNewline -ErrorAction Ignore
@@ -50814,6 +50880,42 @@ persistence:

          '
        name: powershell
+    - name: Modify Terminal Services DLL Path
+      auto_generated_guid: 18136e38-0530-49b2-b309-eed173787471
+      description: This atomic test simulates the modification of the ServiceDll value
+        in HKLM\System\CurrentControlSet\services\TermService\Parameters. This technique
+        may be leveraged by adversaries to establish persistence by loading a patched
+        version of the DLL containing malicious code.
+      supported_platforms:
+      - windows
+      executor:
+        elevation_required: true
+        command: |-
+          $termsrvDll = "C:\Windows\System32\termsrv.dll"
+
+          $ACL = Get-Acl $termsrvDll
+          $permission = "Administrators","FullControl","Allow"
+          $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
+          $ACL.SetAccessRule($accessRule)
+          Set-Acl -Path $termsrvDll -AclObject $ACL
+
+          Copy-Item -Path $termsrvDll -Destination "$HOME\AtomicTest.dll"
+
+          $newServiceDll = "$HOME\AtomicTest.dll"
+
+          $registryPath = "HKLM:\System\CurrentControlSet\services\TermService\Parameters"
+
+          # Check if the registry key exists
+          if (Test-Path -Path $registryPath) {
+              # Modify the ServiceDll value in the registry
+              Set-ItemProperty -Path $registryPath -Name "ServiceDll" -Value $newServiceDll
+              Write-Host "ServiceDll value in the registry has been updated to: $newServiceDll"
+          } else {
+              Write-Host "Registry key not found. Make sure the 'TermService\Parameters' key exists."
+          }
+        cleanup_command: Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\services\TermService\Parameters"
+          -Name "ServiceDll" -Value "C:\Windows\System32\termsrv.dll"
+        name: powershell
  T1176:
    technique:
      x_mitre_platforms:
@@ -10,6 +10,8 @@ Adversaries may modify and/or replace the Terminal Services DLL to enable persis

 - [Atomic Test #1 - Simulate Patching termsrv.dll](#atomic-test-1---simulate-patching-termsrvdll)

+- [Atomic Test #2 - Modify Terminal Services DLL Path](#atomic-test-2---modify-terminal-services-dll-path)
+

 <br/>

@@ -31,11 +33,13 @@ Before we can make the modifications we need to take ownership of the file and g


 ```powershell
-$ACL = Get-Acl $fileName
+$termsrvDll = "C:\Windows\System32\termsrv.dll"
+
+$ACL = Get-Acl $termsrvDll
 $permission = "Administrators","FullControl","Allow"
 $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
 $ACL.SetAccessRule($accessRule)
-Set-Acl -Path $fileName -AclObject $ACL
+Set-Acl -Path $termsrvDll -AclObject $ACL

 Copy-Item -Path "C:\Windows\System32\termsrv.dll" -Destination "C:\Windows\System32\termsrv_backup.dll" -ErrorAction Ignore
 Add-Content -Path "C:\Windows\System32\termsrv.dll" -Value "`n" -NoNewline -ErrorAction Ignore
@@ -51,4 +55,57 @@ Move-Item -Path "C:\Windows\System32\termsrv_backup.dll" -Destination "C:\Window



+<br/>
+<br/>
+
+## Atomic Test #2 - Modify Terminal Services DLL Path
+This atomic test simulates the modification of the ServiceDll value in HKLM\System\CurrentControlSet\services\TermService\Parameters. This technique may be leveraged by adversaries to establish persistence by loading a patched version of the DLL containing malicious code.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 18136e38-0530-49b2-b309-eed173787471
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+$termsrvDll = "C:\Windows\System32\termsrv.dll"
+
+$ACL = Get-Acl $termsrvDll
+$permission = "Administrators","FullControl","Allow"
+$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
+$ACL.SetAccessRule($accessRule)
+Set-Acl -Path $termsrvDll -AclObject $ACL
+
+Copy-Item -Path $termsrvDll -Destination "$HOME\AtomicTest.dll"
+
+$newServiceDll = "$HOME\AtomicTest.dll"
+
+$registryPath = "HKLM:\System\CurrentControlSet\services\TermService\Parameters"
+
+# Check if the registry key exists
+if (Test-Path -Path $registryPath) {
+    # Modify the ServiceDll value in the registry
+    Set-ItemProperty -Path $registryPath -Name "ServiceDll" -Value $newServiceDll
+    Write-Host "ServiceDll value in the registry has been updated to: $newServiceDll"
+} else {
+    Write-Host "Registry key not found. Make sure the 'TermService\Parameters' key exists."
+}
+```
+
+#### Cleanup Commands:
+```powershell
+Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\services\TermService\Parameters" -Name "ServiceDll" -Value "C:\Windows\System32\termsrv.dll"
+```
+
+
+
+
+
 <br/>
@@ -2,7 +2,7 @@ attack_technique: T1505.005
 display_name: 'Server Software Component: Terminal Services DLL'
 atomic_tests:
 - name: Simulate Patching termsrv.dll
-  auto_generated_guid: 0b2eadeb-4a64-4449-9d43-3d999f4a317b
+  auto_generated_guid: 0b2eadeb-4a64-4449-9d43-3d999f4a317b
  description: |
    Simulates patching of termsrv.dll by making a benign change to the file and replacing it with the original afterwards.
    Before we can make the modifications we need to take ownership of the file and grant ourselves the necessary permissions.
@@ -11,11 +11,13 @@ atomic_tests:
  executor:
    elevation_required: true
    command: |
-      $ACL = Get-Acl $fileName
+      $termsrvDll = "C:\Windows\System32\termsrv.dll"
+
+      $ACL = Get-Acl $termsrvDll
      $permission = "Administrators","FullControl","Allow"
      $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
      $ACL.SetAccessRule($accessRule)
-      Set-Acl -Path $fileName -AclObject $ACL
+      Set-Acl -Path $termsrvDll -AclObject $ACL

      Copy-Item -Path "C:\Windows\System32\termsrv.dll" -Destination "C:\Windows\System32\termsrv_backup.dll" -ErrorAction Ignore
      Add-Content -Path "C:\Windows\System32\termsrv.dll" -Value "`n" -NoNewline -ErrorAction Ignore
@@ -23,3 +25,40 @@ atomic_tests:
    cleanup_command: |
      Move-Item -Path "C:\Windows\System32\termsrv_backup.dll" -Destination "C:\Windows\System32\termsrv.dll" -Force -ErrorAction Ignore
    name: powershell
+
+- name: Modify Terminal Services DLL Path
+  auto_generated_guid: 18136e38-0530-49b2-b309-eed173787471
+  description: This atomic test simulates the modification of the ServiceDll value in HKLM\System\CurrentControlSet\services\TermService\Parameters. This technique may be leveraged by adversaries to establish persistence by loading a patched version of the DLL containing malicious code.
+  supported_platforms:
+  - windows
+  executor:
+    elevation_required: true
+    command: |-
+      $termsrvDll = "C:\Windows\System32\termsrv.dll"
+
+      $ACL = Get-Acl $termsrvDll
+      $permission = "Administrators","FullControl","Allow"
+      $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
+      $ACL.SetAccessRule($accessRule)
+      Set-Acl -Path $termsrvDll -AclObject $ACL
+
+      Copy-Item -Path $termsrvDll -Destination "$HOME\AtomicTest.dll"
+
+      $newServiceDll = "$HOME\AtomicTest.dll"
+
+      $registryPath = "HKLM:\System\CurrentControlSet\services\TermService\Parameters"
+
+      # Check if the registry key exists
+      if (Test-Path -Path $registryPath) {
+          # Modify the ServiceDll value in the registry
+          Set-ItemProperty -Path $registryPath -Name "ServiceDll" -Value $newServiceDll
+          Write-Host "ServiceDll value in the registry has been updated to: $newServiceDll"
+      } else {
+          Write-Host "Registry key not found. Make sure the 'TermService\Parameters' key exists."
+      }
+
+    cleanup_command: Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\services\TermService\Parameters" -Name "ServiceDll" -Value "C:\Windows\System32\termsrv.dll"
+
+    name: powershell
+
+    elevation_required: true
@@ -26,6 +26,10 @@ Adversaries can use this to their advantage to hide files and folders anywhere o

 - [Atomic Test #8 - Hide Files Through Registry](#atomic-test-8---hide-files-through-registry)

+- [Atomic Test #9 - Create Windows Hidden File with powershell](#atomic-test-9---create-windows-hidden-file-with-powershell)
+
+- [Atomic Test #10 - Create Windows System File with powershell](#atomic-test-10---create-windows-system-file-with-powershell)
+

 <br/>

@@ -320,4 +324,106 @@ reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v



+<br/>
+<br/>
+
+## Atomic Test #9 - Create Windows Hidden File with powershell
+Creates a file and marks it as hidden through powershell. Upon execution, open File Epxplorer and enable View > Hidden Items. Then, open Properties > Details on the file
+and observe that the Attributes is "H" Hidden.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 7f66d539-4fbe-4cfa-9a56-4a2bf660c58a
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| file_to_modify | File to modify | string | %temp%&#92;T1564.001-9.txt|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+$file = Get-Item $env:temp\T1564.001-9.txt -Force
+$file.attributes='Hidden'
+```
+
+#### Cleanup Commands:
+```powershell
+cmd /c 'del /A:H #{file_to_modify} >nul 2>&1'
+```
+
+
+
+#### Dependencies:  Run with `command_prompt`!
+##### Description: The file must exist on disk at specified location (#{file_to_modify})
+##### Check Prereq Commands:
+```cmd
+IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 )
+```
+##### Get Prereq Commands:
+```cmd
+echo system_Attrib_T1564.001-9 >> #{file_to_modify}
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #10 - Create Windows System File with powershell
+Creates a file and marks it as System through powershell. Upon execution, open File Epxplorer and enable View > Hidden Items. Then, open Properties > Details on the file
+and observe that the Attributes is "S" System.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** d380c318-0b34-45cb-9dad-828c11891e43
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| file_to_modify | File to modify | string | %temp%&#92;T1564.001-10.txt|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+$file = Get-Item $env:temp\T1564.001-10.txt -Force
+$file.attributes='System'
+```
+
+#### Cleanup Commands:
+```powershell
+cmd /c 'del /A:H #{file_to_modify} >nul 2>&1'
+```
+
+
+
+#### Dependencies:  Run with `command_prompt`!
+##### Description: The file must exist on disk at specified location (#{file_to_modify})
+##### Check Prereq Commands:
+```cmd
+IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 )
+```
+##### Get Prereq Commands:
+```cmd
+echo system_Attrib_T1564.001-10 >> #{file_to_modify}
+```
+
+
+
+
 <br/>
@@ -135,3 +135,59 @@ atomic_tests:
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /f >nul 2>&1
    name: command_prompt
    elevation_required: true
+- name: Create Windows Hidden File with powershell
+  auto_generated_guid: 7f66d539-4fbe-4cfa-9a56-4a2bf660c58a
+  description: |
+    Creates a file and marks it as hidden through powershell. Upon execution, open File Epxplorer and enable View > Hidden Items. Then, open Properties > Details on the file
+    and observe that the Attributes is "H" Hidden.
+  supported_platforms:
+  - windows
+  input_arguments:
+    file_to_modify:
+      description: File to modify 
+      type: string
+      default: '%temp%\T1564.001-9.txt'
+  dependency_executor_name: command_prompt
+  dependencies:
+  - description: |
+      The file must exist on disk at specified location (#{file_to_modify})
+    prereq_command: |
+      IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 )
+    get_prereq_command: |
+      echo system_Attrib_T1564.001-9 >> #{file_to_modify}
+  executor:
+    command: |
+      $file = Get-Item $env:temp\T1564.001-9.txt -Force
+      $file.attributes='Hidden'
+    cleanup_command: |
+      cmd /c 'del /A:H #{file_to_modify} >nul 2>&1'
+    name: powershell
+    elevation_required: true
+- name: Create Windows System File with powershell
+  auto_generated_guid: d380c318-0b34-45cb-9dad-828c11891e43
+  description: |
+    Creates a file and marks it as System through powershell. Upon execution, open File Epxplorer and enable View > Hidden Items. Then, open Properties > Details on the file
+    and observe that the Attributes is "S" System.
+  supported_platforms:
+  - windows
+  input_arguments:
+    file_to_modify:
+      description: File to modify 
+      type: string
+      default: '%temp%\T1564.001-10.txt'
+  dependency_executor_name: command_prompt
+  dependencies:
+  - description: |
+      The file must exist on disk at specified location (#{file_to_modify})
+    prereq_command: |
+      IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 )
+    get_prereq_command: |
+      echo system_Attrib_T1564.001-10 >> #{file_to_modify}
+  executor:
+    command: |
+      $file = Get-Item $env:temp\T1564.001-10.txt -Force
+      $file.attributes='System'
+    cleanup_command: |
+      cmd /c 'del /A:H #{file_to_modify} >nul 2>&1'
+    name: powershell
+    elevation_required: true
@@ -1406,3 +1406,6 @@ d3415a0e-66ef-429b-acf4-a768876954f6
 b7037b89-947a-427a-ba29-e7e9f09bc045
 3a53734a-9e26-4f4b-ad15-059e767f5f14
 e12f5d8d-574a-4e9d-8a84-c0e8b4a8a675
+7f66d539-4fbe-4cfa-9a56-4a2bf660c58a
+d380c318-0b34-45cb-9dad-828c11891e43
+18136e38-0530-49b2-b309-eed173787471
@@ -362,13 +362,13 @@ files = [

 [[package]]
 name = "urllib3"
-version = "2.0.6"
+version = "2.0.7"
 description = "HTTP library with thread-safe connection pooling, file post, and more."
 optional = false
 python-versions = ">=3.7"
 files = [
-    {file = "urllib3-2.0.6-py3-none-any.whl", hash = "sha256:7a7c7003b000adf9e7ca2a377c9688bbc54ed41b985789ed576570342a375cd2"},
-    {file = "urllib3-2.0.6.tar.gz", hash = "sha256:b19e1a85d206b56d7df1d5e683df4a7725252a964e3993648dd0fb5a1c157564"},
+    {file = "urllib3-2.0.7-py3-none-any.whl", hash = "sha256:fdb6d215c776278489906c2f8916e6e7d4f5a9b602ccbcfdf7f016fc8da0596e"},
+    {file = "urllib3-2.0.7.tar.gz", hash = "sha256:c97dfde1f7bd43a71c8d2a58e369e9b2bf692d1334ea9f9cae55add7d0dd0f84"},
 ]

 [package.extras]