Merge branch 'master' into master

README.md

@@ -16,7 +16,7 @@
 
 # Atomic Red Team
 
-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1387-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1389-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
 
 
 

atomics/Indexes/Indexes-CSV/index.csv

@@ -501,6 +501,8 @@ defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,5,Hidden
 defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,6,Hide a Directory,b115ecaf-3b24-4ed2-aefe-2fcb9db913d3,sh
 defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,7,Show all hidden files,9a1ec7da-b892-449f-ad68-67066d04380c,sh
 defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,8,Hide Files Through Registry,f650456b-bd49-4bc1-ae9d-271b5b9581e7,command_prompt
+defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,9,Create Windows Hidden File with powershell,7f66d539-4fbe-4cfa-9a56-4a2bf660c58a,powershell
+defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,10,Create Windows System File with powershell,d380c318-0b34-45cb-9dad-828c11891e43,powershell
 defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
 defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
 defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,3,GCP - Create Custom IAM Role,3a159042-69e6-4398-9a69-3308a4841c85,sh

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -348,6 +348,8 @@ defense-evasion,T1220,XSL Script Processing,4,WMIC bypass using remote XSL file,
 defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,3,Create Windows System File with Attrib,f70974c8-c094-4574-b542-2c545af95a32,command_prompt
 defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,4,Create Windows Hidden File with Attrib,dadb792e-4358-4d8d-9207-b771faa0daa5,command_prompt
 defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,8,Hide Files Through Registry,f650456b-bd49-4bc1-ae9d-271b5b9581e7,command_prompt
+defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,9,Create Windows Hidden File with powershell,7f66d539-4fbe-4cfa-9a56-4a2bf660c58a,powershell
+defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,10,Create Windows System File with powershell,d380c318-0b34-45cb-9dad-828c11891e43,powershell
 defense-evasion,T1564.004,Hide Artifacts: NTFS File Attributes,1,Alternate Data Streams (ADS),8822c3b0-d9f9-4daf-a043-49f4602364f4,command_prompt
 defense-evasion,T1564.004,Hide Artifacts: NTFS File Attributes,2,Store file in Alternate Data Stream (ADS),2ab75061-f5d5-4c1a-b666-ba2a50df5b02,powershell
 defense-evasion,T1564.004,Hide Artifacts: NTFS File Attributes,3,Create ADS command prompt,17e7637a-ddaf-4a82-8622-377e20de8fdb,command_prompt

atomics/Indexes/Indexes-Markdown/index.md

@@ -713,6 +713,8 @@
   - Atomic Test #6: Hide a Directory [macos]
   - Atomic Test #7: Show all hidden files [macos]
   - Atomic Test #8: Hide Files Through Registry [windows]
+  - Atomic Test #9: Create Windows Hidden File with powershell [windows]
+  - Atomic Test #10: Create Windows System File with powershell [windows]
 - T1578.001 Create Snapshot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -516,6 +516,8 @@
   - Atomic Test #3: Create Windows System File with Attrib [windows]
   - Atomic Test #4: Create Windows Hidden File with Attrib [windows]
   - Atomic Test #8: Hide Files Through Registry [windows]
+  - Atomic Test #9: Create Windows Hidden File with powershell [windows]
+  - Atomic Test #10: Create Windows System File with powershell [windows]
 - T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1564.004 Hide Artifacts: NTFS File Attributes](../../T1564.004/T1564.004.md)
   - Atomic Test #1: Alternate Data Streams (ADS) [windows]

atomics/Indexes/iaas_aws-index.yaml

@@ -52364,7 +52364,7 @@ credential-access:
           -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nelif
           [ \"$(expr substr $(uname) 1 5)\" == \"Linux\" ]\nthen DOWNLOAD_URL=$(curl
           -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest
-          | grep browser_download_url | grep linux_x86_64 | cut -d '\"' -f 4) \n  wget
+          | grep browser_download_url | grep Linux_x86_64 | cut -d '\"' -f 4) \n  wget
           -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n  tar
           -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nfi\n"
       - description: 'Check if ~/.aws/credentials file has a default stanza is configured
@@ -52384,7 +52384,6 @@ credential-access:
           --force\n"
         cleanup_command: |
           export AWS_REGION=#{aws_region}
-
           echo "Cleanup detonation"
           cd #{stratus_path}
           ./stratus cleanup --all

atomics/Indexes/index.yaml

@@ -28742,6 +28742,70 @@ defense-evasion:
           reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /f >nul 2>&1
         name: command_prompt
         elevation_required: true
+    - name: Create Windows Hidden File with powershell
+      auto_generated_guid: 7f66d539-4fbe-4cfa-9a56-4a2bf660c58a
+      description: |
+        Creates a file and marks it as hidden through powershell. Upon execution, open File Epxplorer and enable View > Hidden Items. Then, open Properties > Details on the file
+        and observe that the Attributes is "H" Hidden.
+      supported_platforms:
+      - windows
+      input_arguments:
+        file_to_modify:
+          description: File to modify
+          type: string
+          default: "%temp%\\T1564.001-9.txt"
+      dependency_executor_name: command_prompt
+      dependencies:
+      - description: 'The file must exist on disk at specified location (#{file_to_modify})
+
+          '
+        prereq_command: 'IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 )
+
+          '
+        get_prereq_command: 'echo system_Attrib_T1564.001-9 >> #{file_to_modify}
+
+          '
+      executor:
+        command: |
+          $file = Get-Item $env:temp\T1564.001-9.txt -Force
+          $file.attributes='Hidden'
+        cleanup_command: 'cmd /c ''del /A:H #{file_to_modify} >nul 2>&1''
+
+          '
+        name: powershell
+        elevation_required: true
+    - name: Create Windows System File with powershell
+      auto_generated_guid: d380c318-0b34-45cb-9dad-828c11891e43
+      description: |
+        Creates a file and marks it as System through powershell. Upon execution, open File Epxplorer and enable View > Hidden Items. Then, open Properties > Details on the file
+        and observe that the Attributes is "S" System.
+      supported_platforms:
+      - windows
+      input_arguments:
+        file_to_modify:
+          description: File to modify
+          type: string
+          default: "%temp%\\T1564.001-10.txt"
+      dependency_executor_name: command_prompt
+      dependencies:
+      - description: 'The file must exist on disk at specified location (#{file_to_modify})
+
+          '
+        prereq_command: 'IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 )
+
+          '
+        get_prereq_command: 'echo system_Attrib_T1564.001-10 >> #{file_to_modify}
+
+          '
+      executor:
+        command: |
+          $file = Get-Item $env:temp\T1564.001-10.txt -Force
+          $file.attributes='System'
+        cleanup_command: 'cmd /c ''del /A:H #{file_to_modify} >nul 2>&1''
+
+          '
+        name: powershell
+        elevation_required: true
   T1578.001:
     technique:
       x_mitre_platforms:
@@ -89328,7 +89392,7 @@ credential-access:
           -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nelif
           [ \"$(expr substr $(uname) 1 5)\" == \"Linux\" ]\nthen DOWNLOAD_URL=$(curl
           -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest
-          | grep browser_download_url | grep linux_x86_64 | cut -d '\"' -f 4) \n  wget
+          | grep browser_download_url | grep Linux_x86_64 | cut -d '\"' -f 4) \n  wget
           -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n  tar
           -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nfi\n"
       - description: 'Check if ~/.aws/credentials file has a default stanza is configured
@@ -89348,7 +89412,6 @@ credential-access:
           --force\n"
         cleanup_command: |
           export AWS_REGION=#{aws_region}
-
           echo "Cleanup detonation"
           cd #{stratus_path}
           ./stratus cleanup --all

atomics/Indexes/linux-index.yaml

@@ -59316,7 +59316,7 @@ credential-access:
           -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nelif
           [ \"$(expr substr $(uname) 1 5)\" == \"Linux\" ]\nthen DOWNLOAD_URL=$(curl
           -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest
-          | grep browser_download_url | grep linux_x86_64 | cut -d '\"' -f 4) \n  wget
+          | grep browser_download_url | grep Linux_x86_64 | cut -d '\"' -f 4) \n  wget
           -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n  tar
           -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nfi\n"
       - description: 'Check if ~/.aws/credentials file has a default stanza is configured
@@ -59336,7 +59336,6 @@ credential-access:
           --force\n"
         cleanup_command: |
           export AWS_REGION=#{aws_region}
-
           echo "Cleanup detonation"
           cd #{stratus_path}
           ./stratus cleanup --all

atomics/Indexes/macos-index.yaml

@@ -56674,7 +56674,7 @@ credential-access:
           -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nelif
           [ \"$(expr substr $(uname) 1 5)\" == \"Linux\" ]\nthen DOWNLOAD_URL=$(curl
           -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest
-          | grep browser_download_url | grep linux_x86_64 | cut -d '\"' -f 4) \n  wget
+          | grep browser_download_url | grep Linux_x86_64 | cut -d '\"' -f 4) \n  wget
           -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n  tar
           -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nfi\n"
       - description: 'Check if ~/.aws/credentials file has a default stanza is configured
@@ -56694,7 +56694,6 @@ credential-access:
           --force\n"
         cleanup_command: |
           export AWS_REGION=#{aws_region}
-
           echo "Cleanup detonation"
           cd #{stratus_path}
           ./stratus cleanup --all

atomics/Indexes/windows-index.yaml

@@ -24526,6 +24526,70 @@ defense-evasion:
           reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /f >nul 2>&1
         name: command_prompt
         elevation_required: true
+    - name: Create Windows Hidden File with powershell
+      auto_generated_guid: 7f66d539-4fbe-4cfa-9a56-4a2bf660c58a
+      description: |
+        Creates a file and marks it as hidden through powershell. Upon execution, open File Epxplorer and enable View > Hidden Items. Then, open Properties > Details on the file
+        and observe that the Attributes is "H" Hidden.
+      supported_platforms:
+      - windows
+      input_arguments:
+        file_to_modify:
+          description: File to modify
+          type: string
+          default: "%temp%\\T1564.001-9.txt"
+      dependency_executor_name: command_prompt
+      dependencies:
+      - description: 'The file must exist on disk at specified location (#{file_to_modify})
+
+          '
+        prereq_command: 'IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 )
+
+          '
+        get_prereq_command: 'echo system_Attrib_T1564.001-9 >> #{file_to_modify}
+
+          '
+      executor:
+        command: |
+          $file = Get-Item $env:temp\T1564.001-9.txt -Force
+          $file.attributes='Hidden'
+        cleanup_command: 'cmd /c ''del /A:H #{file_to_modify} >nul 2>&1''
+
+          '
+        name: powershell
+        elevation_required: true
+    - name: Create Windows System File with powershell
+      auto_generated_guid: d380c318-0b34-45cb-9dad-828c11891e43
+      description: |
+        Creates a file and marks it as System through powershell. Upon execution, open File Epxplorer and enable View > Hidden Items. Then, open Properties > Details on the file
+        and observe that the Attributes is "S" System.
+      supported_platforms:
+      - windows
+      input_arguments:
+        file_to_modify:
+          description: File to modify
+          type: string
+          default: "%temp%\\T1564.001-10.txt"
+      dependency_executor_name: command_prompt
+      dependencies:
+      - description: 'The file must exist on disk at specified location (#{file_to_modify})
+
+          '
+        prereq_command: 'IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 )
+
+          '
+        get_prereq_command: 'echo system_Attrib_T1564.001-10 >> #{file_to_modify}
+
+          '
+      executor:
+        command: |
+          $file = Get-Item $env:temp\T1564.001-10.txt -Force
+          $file.attributes='System'
+        cleanup_command: 'cmd /c ''del /A:H #{file_to_modify} >nul 2>&1''
+
+          '
+        name: powershell
+        elevation_required: true
   T1578.001:
     technique:
       x_mitre_platforms:

atomics/T1552/T1552.md

@@ -43,7 +43,6 @@ echo "starting detonate"
 #### Cleanup Commands:
 ```sh
 export AWS_REGION=#{aws_region}
-
 echo "Cleanup detonation"
 cd #{stratus_path}
 ./stratus cleanup --all
@@ -64,7 +63,7 @@ if [ "$(uname)" == "Darwin" ]
 then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep Darwin_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
   tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
 elif [ "$(expr substr $(uname) 1 5)" == "Linux" ]
-then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep linux_x86_64 | cut -d '"' -f 4) 
+then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep Linux_x86_64 | cut -d '"' -f 4) 
   wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
   tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
 fi

atomics/T1552/T1552.yaml

@@ -29,7 +29,7 @@ atomic_tests:
       then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep Darwin_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
         tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
       elif [ "$(expr substr $(uname) 1 5)" == "Linux" ]
-      then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep linux_x86_64 | cut -d '"' -f 4) 
+      then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep Linux_x86_64 | cut -d '"' -f 4) 
         wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
         tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
       fi
@@ -49,7 +49,6 @@ atomic_tests:
       ./stratus detonate aws.credential-access.ec2-get-password-data --force
     cleanup_command: |
       export AWS_REGION=#{aws_region}
-
       echo "Cleanup detonation"
       cd #{stratus_path}
       ./stratus cleanup --all