Merge branch 'master' into tf

atomics/Indexes/Indexes-CSV/index.csv

@@ -520,6 +520,8 @@ privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Set
 privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell
 privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell
 privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell
+privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,4,Winlogon HKLM Shell Key Persistence - PowerShell,95a3c42f-8c88-4952-ad60-13b81d929a9d,powershell
+privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,5,Winlogon HKLM Userinit Key Persistence - PowerShell,f9b8daff-8fa7-4e6a-a1a7-7c14675a545b,powershell
 privilege-escalation,T1546.012,Event Triggered Execution: Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
 privilege-escalation,T1546.012,Event Triggered Execution: Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
 privilege-escalation,T1546.012,Event Triggered Execution: Image File Execution Options Injection,3,GlobalFlags in Image File Execution Options,13117939-c9b2-4a43-999e-0a543df92f0d,powershell
@@ -756,6 +758,8 @@ persistence,T1136.001,Create Account: Local Account,6,Create a new Windows admin
 persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell
 persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell
 persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell
+persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,4,Winlogon HKLM Shell Key Persistence - PowerShell,95a3c42f-8c88-4952-ad60-13b81d929a9d,powershell
+persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,5,Winlogon HKLM Userinit Key Persistence - PowerShell,f9b8daff-8fa7-4e6a-a1a7-7c14675a545b,powershell
 persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,bash
 persistence,T1546.012,Event Triggered Execution: Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
 persistence,T1546.012,Event Triggered Execution: Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
@@ -1184,6 +1188,7 @@ discovery,T1016,System Network Configuration Discovery,5,List Open Egress Ports,
 discovery,T1016,System Network Configuration Discovery,6,Adfind - Enumerate Active Directory Subnet Objects,9bb45dd7-c466-4f93-83a1-be30e56033ee,command_prompt
 discovery,T1016,System Network Configuration Discovery,7,Qakbot Recon,121de5c6-5818-4868-b8a7-8fd07c455c1b,command_prompt
 discovery,T1016,System Network Configuration Discovery,8,List macOS Firewall Rules,ff1d8c25-2aa4-4f18-a425-fede4a41ee88,bash
+discovery,T1016,System Network Configuration Discovery,9,DNS Server Discovery Using nslookup,34557863-344a-468f-808b-a1bfb89b4fa9,command_prompt
 discovery,T1482,Domain Trust Discovery,1,Windows - Discover domain trusts with dsquery,4700a710-c821-4e17-a3ec-9e4c81d6845f,command_prompt
 discovery,T1482,Domain Trust Discovery,2,Windows - Discover domain trusts with nltest,2e22641d-0498-48d2-b9ff-c71e496ccdbe,command_prompt
 discovery,T1482,Domain Trust Discovery,3,Powershell enumerate domains and forests,c58fbc62-8a62-489e-8f2d-3565d7d96f30,powershell

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -384,6 +384,8 @@ privilege-escalation,T1134.002,Create Process with Token,2,WinPwn - Get SYSTEM s
 privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell
 privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell
 privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell
+privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,4,Winlogon HKLM Shell Key Persistence - PowerShell,95a3c42f-8c88-4952-ad60-13b81d929a9d,powershell
+privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,5,Winlogon HKLM Userinit Key Persistence - PowerShell,f9b8daff-8fa7-4e6a-a1a7-7c14675a545b,powershell
 privilege-escalation,T1546.012,Event Triggered Execution: Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
 privilege-escalation,T1546.012,Event Triggered Execution: Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
 privilege-escalation,T1546.012,Event Triggered Execution: Image File Execution Options Injection,3,GlobalFlags in Image File Execution Options,13117939-c9b2-4a43-999e-0a543df92f0d,powershell
@@ -562,6 +564,8 @@ persistence,T1136.001,Create Account: Local Account,6,Create a new Windows admin
 persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell
 persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell
 persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell
+persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,4,Winlogon HKLM Shell Key Persistence - PowerShell,95a3c42f-8c88-4952-ad60-13b81d929a9d,powershell
+persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,5,Winlogon HKLM Userinit Key Persistence - PowerShell,f9b8daff-8fa7-4e6a-a1a7-7c14675a545b,powershell
 persistence,T1546.012,Event Triggered Execution: Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
 persistence,T1546.012,Event Triggered Execution: Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
 persistence,T1546.012,Event Triggered Execution: Image File Execution Options Injection,3,GlobalFlags in Image File Execution Options,13117939-c9b2-4a43-999e-0a543df92f0d,powershell
@@ -858,6 +862,7 @@ discovery,T1016,System Network Configuration Discovery,4,System Network Configur
 discovery,T1016,System Network Configuration Discovery,5,List Open Egress Ports,4b467538-f102-491d-ace7-ed487b853bf5,powershell
 discovery,T1016,System Network Configuration Discovery,6,Adfind - Enumerate Active Directory Subnet Objects,9bb45dd7-c466-4f93-83a1-be30e56033ee,command_prompt
 discovery,T1016,System Network Configuration Discovery,7,Qakbot Recon,121de5c6-5818-4868-b8a7-8fd07c455c1b,command_prompt
+discovery,T1016,System Network Configuration Discovery,9,DNS Server Discovery Using nslookup,34557863-344a-468f-808b-a1bfb89b4fa9,command_prompt
 discovery,T1482,Domain Trust Discovery,1,Windows - Discover domain trusts with dsquery,4700a710-c821-4e17-a3ec-9e4c81d6845f,command_prompt
 discovery,T1482,Domain Trust Discovery,2,Windows - Discover domain trusts with nltest,2e22641d-0498-48d2-b9ff-c71e496ccdbe,command_prompt
 discovery,T1482,Domain Trust Discovery,3,Powershell enumerate domains and forests,c58fbc62-8a62-489e-8f2d-3565d7d96f30,powershell

atomics/Indexes/Indexes-Markdown/index.md

@@ -794,6 +794,8 @@
   - Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
   - Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]
   - Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows]
+  - Atomic Test #4: Winlogon HKLM Shell Key Persistence - PowerShell [windows]
+  - Atomic Test #5: Winlogon HKLM Userinit Key Persistence - PowerShell [windows]
 - [T1546.012 Event Triggered Execution: Image File Execution Options Injection](../../T1546.012/T1546.012.md)
   - Atomic Test #1: IFEO Add Debugger [windows]
   - Atomic Test #2: IFEO Global Flags [windows]
@@ -1231,6 +1233,8 @@
   - Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
   - Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]
   - Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows]
+  - Atomic Test #4: Winlogon HKLM Shell Key Persistence - PowerShell [windows]
+  - Atomic Test #5: Winlogon HKLM Userinit Key Persistence - PowerShell [windows]
 - T1019 System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1042 Change Default File Association [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1164 Re-opened Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1921,6 +1925,7 @@
   - Atomic Test #6: Adfind - Enumerate Active Directory Subnet Objects [windows]
   - Atomic Test #7: Qakbot Recon [windows]
   - Atomic Test #8: List macOS Firewall Rules [macos]
+  - Atomic Test #9: DNS Server Discovery Using nslookup [windows]
 - T1087 Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1482 Domain Trust Discovery](../../T1482/T1482.md)
   - Atomic Test #1: Windows - Discover domain trusts with dsquery [windows]

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -593,6 +593,8 @@
   - Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
   - Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]
   - Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows]
+  - Atomic Test #4: Winlogon HKLM Shell Key Persistence - PowerShell [windows]
+  - Atomic Test #5: Winlogon HKLM Userinit Key Persistence - PowerShell [windows]
 - [T1546.012 Event Triggered Execution: Image File Execution Options Injection](../../T1546.012/T1546.012.md)
   - Atomic Test #1: IFEO Add Debugger [windows]
   - Atomic Test #2: IFEO Global Flags [windows]
@@ -909,6 +911,8 @@
   - Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
   - Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]
   - Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows]
+  - Atomic Test #4: Winlogon HKLM Shell Key Persistence - PowerShell [windows]
+  - Atomic Test #5: Winlogon HKLM Userinit Key Persistence - PowerShell [windows]
 - T1019 System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1042 Change Default File Association [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1409,6 +1413,7 @@
   - Atomic Test #5: List Open Egress Ports [windows]
   - Atomic Test #6: Adfind - Enumerate Active Directory Subnet Objects [windows]
   - Atomic Test #7: Qakbot Recon [windows]
+  - Atomic Test #9: DNS Server Discovery Using nslookup [windows]
 - T1087 Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1482 Domain Trust Discovery](../../T1482/T1482.md)
   - Atomic Test #1: Windows - Discover domain trusts with dsquery [windows]

atomics/Indexes/index.yaml

@@ -33810,6 +33810,52 @@ privilege-escalation:
         cleanup_command: 'Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
           -Force -ErrorAction Ignore
 
+          '
+        name: powershell
+    - name: Winlogon HKLM Shell Key Persistence - PowerShell
+      auto_generated_guid: 95a3c42f-8c88-4952-ad60-13b81d929a9d
+      description: |
+        PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe.
+
+        Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff.
+      supported_platforms:
+      - windows
+      input_arguments:
+        binary_to_execute:
+          description: Path of binary to execute
+          type: Path
+          default: C:\Windows\System32\cmd.exe
+      executor:
+        command: 'Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"
+          "Shell" "explorer.exe, #{binary_to_execute}" -Force
+
+          '
+        cleanup_command: 'Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows
+          NT\CurrentVersion\Winlogon\" -Name "Shell" -Force -ErrorAction Ignore
+
+          '
+        name: powershell
+    - name: Winlogon HKLM Userinit Key Persistence - PowerShell
+      auto_generated_guid: f9b8daff-8fa7-4e6a-a1a7-7c14675a545b
+      description: |
+        PowerShell code to set Winlogon userinit key to execute a binary at logon along with userinit.exe.
+
+        Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff.
+      supported_platforms:
+      - windows
+      input_arguments:
+        binary_to_execute:
+          description: Path of binary to execute
+          type: Path
+          default: C:\Windows\System32\cmd.exe
+      executor:
+        command: 'Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"
+          "Userinit" "Userinit.exe, #{binary_to_execute}" -Force
+
+          '
+        cleanup_command: 'Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows
+          NT\CurrentVersion\Winlogon\" -Name "Userinit" -Force -ErrorAction Ignore
+
           '
         name: powershell
   T1546.012:
@@ -55052,6 +55098,52 @@ persistence:
         cleanup_command: 'Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
           -Force -ErrorAction Ignore
 
+          '
+        name: powershell
+    - name: Winlogon HKLM Shell Key Persistence - PowerShell
+      auto_generated_guid: 95a3c42f-8c88-4952-ad60-13b81d929a9d
+      description: |
+        PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe.
+
+        Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff.
+      supported_platforms:
+      - windows
+      input_arguments:
+        binary_to_execute:
+          description: Path of binary to execute
+          type: Path
+          default: C:\Windows\System32\cmd.exe
+      executor:
+        command: 'Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"
+          "Shell" "explorer.exe, #{binary_to_execute}" -Force
+
+          '
+        cleanup_command: 'Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows
+          NT\CurrentVersion\Winlogon\" -Name "Shell" -Force -ErrorAction Ignore
+
+          '
+        name: powershell
+    - name: Winlogon HKLM Userinit Key Persistence - PowerShell
+      auto_generated_guid: f9b8daff-8fa7-4e6a-a1a7-7c14675a545b
+      description: |
+        PowerShell code to set Winlogon userinit key to execute a binary at logon along with userinit.exe.
+
+        Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff.
+      supported_platforms:
+      - windows
+      input_arguments:
+        binary_to_execute:
+          description: Path of binary to execute
+          type: Path
+          default: C:\Windows\System32\cmd.exe
+      executor:
+        command: 'Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"
+          "Userinit" "Userinit.exe, #{binary_to_execute}" -Force
+
+          '
+        cleanup_command: 'Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows
+          NT\CurrentVersion\Winlogon\" -Name "Userinit" -Force -ErrorAction Ignore
+
           '
         name: powershell
   T1019:
@@ -84996,6 +85088,18 @@ discovery:
           sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
         name: bash
         elevation_required: true
+    - name: DNS Server Discovery Using nslookup
+      auto_generated_guid: 34557863-344a-468f-808b-a1bfb89b4fa9
+      description: |
+        Identify System domain dns controller on an endpoint using nslookup ldap query. This tool is being abused by qakbot malware to gather information on the domain
+        controller of the targeted or compromised host. reference https://securelist.com/qakbot-technical-analysis/103931/
+      supported_platforms:
+      - windows
+      executor:
+        command: 'nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.$env:USERDNSDOMAIN
+
+          '
+        name: command_prompt
   T1087:
     technique:
       x_mitre_platforms:

atomics/T1016/T1016.md

@@ -24,6 +24,8 @@ Adversaries may use the information from [System Network Configuration Discovery
 
 - [Atomic Test #8 - List macOS Firewall Rules](#atomic-test-8---list-macos-firewall-rules)
 
+- [Atomic Test #9 - DNS Server Discovery Using nslookup](#atomic-test-9---dns-server-discovery-using-nslookup)
+
 
 <br/>
 
@@ -371,4 +373,33 @@ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #9 - DNS Server Discovery Using nslookup
+Identify System domain dns controller on an endpoint using nslookup ldap query. This tool is being abused by qakbot malware to gather information on the domain
+controller of the targeted or compromised host. reference https://securelist.com/qakbot-technical-analysis/103931/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 34557863-344a-468f-808b-a1bfb89b4fa9
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.$env:USERDNSDOMAIN
+```
+
+
+
+
+
+
 <br/>

atomics/T1016/T1016.yaml

@@ -194,4 +194,14 @@ atomic_tests:
       sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
     name: bash
     elevation_required: true
-  
+- name: DNS Server Discovery Using nslookup
+  auto_generated_guid: 34557863-344a-468f-808b-a1bfb89b4fa9
+  description: |
+    Identify System domain dns controller on an endpoint using nslookup ldap query. This tool is being abused by qakbot malware to gather information on the domain
+    controller of the targeted or compromised host. reference https://securelist.com/qakbot-technical-analysis/103931/
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+       nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.$env:USERDNSDOMAIN
+    name: command_prompt

atomics/T1547.004/T1547.004.md

@@ -18,6 +18,10 @@ Adversaries may take advantage of these features to repeatedly execute malicious
 
 - [Atomic Test #3 - Winlogon Notify Key Logon Persistence - PowerShell](#atomic-test-3---winlogon-notify-key-logon-persistence---powershell)
 
+- [Atomic Test #4 - Winlogon HKLM Shell Key Persistence - PowerShell](#atomic-test-4---winlogon-hklm-shell-key-persistence---powershell)
+
+- [Atomic Test #5 - Winlogon HKLM Userinit Key Persistence - PowerShell](#atomic-test-5---winlogon-hklm-userinit-key-persistence---powershell)
+
 
 <br/>
 
@@ -136,4 +140,82 @@ Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #4 - Winlogon HKLM Shell Key Persistence - PowerShell
+PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe.
+
+Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 95a3c42f-8c88-4952-ad60-13b81d929a9d
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| binary_to_execute | Path of binary to execute | Path | C:&#92;Windows&#92;System32&#92;cmd.exe|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, #{binary_to_execute}" -Force
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Shell" -Force -ErrorAction Ignore
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #5 - Winlogon HKLM Userinit Key Persistence - PowerShell
+PowerShell code to set Winlogon userinit key to execute a binary at logon along with userinit.exe.
+
+Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** f9b8daff-8fa7-4e6a-a1a7-7c14675a545b
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| binary_to_execute | Path of binary to execute | Path | C:&#92;Windows&#92;System32&#92;cmd.exe|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, #{binary_to_execute}" -Force
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Userinit" -Force -ErrorAction Ignore
+```
+
+
+
+
+
 <br/>

atomics/T1547.004/T1547.004.yaml

@@ -1,6 +1,7 @@
 attack_technique: T1547.004
 display_name: 'Boot or Logon Autostart Execution: Winlogon Helper DLL'
 atomic_tests:
+
 - name: Winlogon Shell Key Persistence - PowerShell
   auto_generated_guid: bf9f9d65-ee4d-4c3e-a843-777d04f19c38
   description: |
@@ -20,6 +21,7 @@ atomic_tests:
     cleanup_command: |
       Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Shell" -Force -ErrorAction Ignore
     name: powershell
+    
 - name: Winlogon Userinit Key Persistence - PowerShell
   auto_generated_guid: fb32c935-ee2e-454b-8fa3-1c46b42e8dfb
   description: |
@@ -39,6 +41,7 @@ atomic_tests:
     cleanup_command: |
       Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Userinit" -Force -ErrorAction Ignore
     name: powershell
+
 - name: Winlogon Notify Key Logon Persistence - PowerShell
   auto_generated_guid: d40da266-e073-4e5a-bb8b-2b385023e5f9
   description: |
@@ -58,4 +61,44 @@ atomic_tests:
       Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "logon" "#{binary_to_execute}" -Force
     cleanup_command: |
       Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force -ErrorAction Ignore
-    name: powershell
+    name: powershell
+
+- name: Winlogon HKLM Shell Key Persistence - PowerShell
+  auto_generated_guid: 95a3c42f-8c88-4952-ad60-13b81d929a9d
+  description: |
+    PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe.
+
+    Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff.
+  supported_platforms:
+  - windows
+  input_arguments:
+    binary_to_execute:
+      description: Path of binary to execute
+      type: Path
+      default: C:\Windows\System32\cmd.exe
+  executor:
+    command: |
+      Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, #{binary_to_execute}" -Force
+    cleanup_command: |
+      Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Shell" -Force -ErrorAction Ignore
+    name: powershell
+    
+- name: Winlogon HKLM Userinit Key Persistence - PowerShell
+  auto_generated_guid: f9b8daff-8fa7-4e6a-a1a7-7c14675a545b
+  description: |
+    PowerShell code to set Winlogon userinit key to execute a binary at logon along with userinit.exe.
+
+    Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff.
+  supported_platforms:
+  - windows
+  input_arguments:
+    binary_to_execute:
+      description: Path of binary to execute
+      type: Path
+      default: C:\Windows\System32\cmd.exe
+  executor:
+    command: |
+      Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, #{binary_to_execute}" -Force
+    cleanup_command: |
+      Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Userinit" -Force -ErrorAction Ignore
+    name: powershell

atomics/used_guids.txt

@@ -1163,3 +1163,6 @@ c7a0bb71-70ce-4a53-b115-881f241b795b
 251c5936-569f-42f4-9ac2-87a173b9e9b8
 ffcbfaab-c9ff-470b-928c-f086b326089b
 333c7de0-6fbe-42aa-ac2b-c7e40b18246a
+34557863-344a-468f-808b-a1bfb89b4fa9
+95a3c42f-8c88-4952-ad60-13b81d929a9d
+f9b8daff-8fa7-4e6a-a1a7-7c14675a545b