Merge branch 'master' into patch-6

atomics/Indexes/Indexes-CSV/index.csv

@@ -1410,6 +1410,7 @@ credential-access,T1040,Network Sniffing,12,"Packet Capture Linux socket AF_PACK
 credential-access,T1040,Network Sniffing,13,"Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo",7a0895f0-84c1-4adf-8491-a21510b1d4c1,bash
 credential-access,T1040,Network Sniffing,14,"Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo",515575ab-d213-42b1-aa64-ef6a2dd4641b,bash
 credential-access,T1040,Network Sniffing,15,"Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo",b1cbdf8b-6078-48f5-a890-11ea19d7f8e9,bash
+credential-access,T1040,Network Sniffing,16,PowerShell Network Sniffing,9c15a7de-de14-46c3-bc2a-6d94130986ae,powershell
 credential-access,T1552.002,Unsecured Credentials: Credentials in Registry,1,Enumeration for Credentials in Registry,b6ec082c-7384-46b3-a111-9a9b8b14e5e7,command_prompt
 credential-access,T1552.002,Unsecured Credentials: Credentials in Registry,2,Enumeration for PuTTY Credentials in Registry,af197fd7-e868-448e-9bd5-05d1bcd9d9e5,command_prompt
 credential-access,T1556.002,Modify Authentication Process: Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
@@ -1624,6 +1625,7 @@ discovery,T1040,Network Sniffing,12,"Packet Capture Linux socket AF_PACKET,SOCK_
 discovery,T1040,Network Sniffing,13,"Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo",7a0895f0-84c1-4adf-8491-a21510b1d4c1,bash
 discovery,T1040,Network Sniffing,14,"Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo",515575ab-d213-42b1-aa64-ef6a2dd4641b,bash
 discovery,T1040,Network Sniffing,15,"Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo",b1cbdf8b-6078-48f5-a890-11ea19d7f8e9,bash
+discovery,T1040,Network Sniffing,16,PowerShell Network Sniffing,9c15a7de-de14-46c3-bc2a-6d94130986ae,powershell
 discovery,T1135,Network Share Discovery,1,Network Share Discovery,f94b5ad9-911c-4eff-9718-fd21899db4f7,sh
 discovery,T1135,Network Share Discovery,2,Network Share Discovery - linux,875805bc-9e86-4e87-be86-3a5527315cae,bash
 discovery,T1135,Network Share Discovery,3,Network Share Discovery - FreeBSD,77e468a6-3e5c-45a1-9948-c4b5603747cb,sh

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -916,6 +916,7 @@ credential-access,T1040,Network Sniffing,4,Packet Capture Windows Command Prompt
 credential-access,T1040,Network Sniffing,5,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
 credential-access,T1040,Network Sniffing,6,Windows Internal pktmon capture,c67ba807-f48b-446e-b955-e4928cd1bf91,command_prompt
 credential-access,T1040,Network Sniffing,7,Windows Internal pktmon set filter,855fb8b4-b8ab-4785-ae77-09f5df7bff55,command_prompt
+credential-access,T1040,Network Sniffing,16,PowerShell Network Sniffing,9c15a7de-de14-46c3-bc2a-6d94130986ae,powershell
 credential-access,T1552.002,Unsecured Credentials: Credentials in Registry,1,Enumeration for Credentials in Registry,b6ec082c-7384-46b3-a111-9a9b8b14e5e7,command_prompt
 credential-access,T1552.002,Unsecured Credentials: Credentials in Registry,2,Enumeration for PuTTY Credentials in Registry,af197fd7-e868-448e-9bd5-05d1bcd9d9e5,command_prompt
 credential-access,T1556.002,Modify Authentication Process: Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
@@ -1069,6 +1070,7 @@ discovery,T1040,Network Sniffing,4,Packet Capture Windows Command Prompt,a5b2f6a
 discovery,T1040,Network Sniffing,5,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
 discovery,T1040,Network Sniffing,6,Windows Internal pktmon capture,c67ba807-f48b-446e-b955-e4928cd1bf91,command_prompt
 discovery,T1040,Network Sniffing,7,Windows Internal pktmon set filter,855fb8b4-b8ab-4785-ae77-09f5df7bff55,command_prompt
+discovery,T1040,Network Sniffing,16,PowerShell Network Sniffing,9c15a7de-de14-46c3-bc2a-6d94130986ae,powershell
 discovery,T1135,Network Share Discovery,4,Network Share Discovery command prompt,20f1097d-81c1-405c-8380-32174d493bbb,command_prompt
 discovery,T1135,Network Share Discovery,5,Network Share Discovery PowerShell,1b0814d1-bb24-402d-9615-1b20c50733fb,powershell
 discovery,T1135,Network Share Discovery,6,View available share drives,ab39a04f-0c93-4540-9ff2-83f862c385ae,command_prompt

atomics/Indexes/Indexes-Markdown/index.md

@@ -1987,6 +1987,7 @@
   - Atomic Test #13: Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo [linux]
   - Atomic Test #14: Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo [linux]
   - Atomic Test #15: Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo [linux]
+  - Atomic Test #16: PowerShell Network Sniffing [windows]
 - [T1552.002 Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md)
   - Atomic Test #1: Enumeration for Credentials in Registry [windows]
   - Atomic Test #2: Enumeration for PuTTY Credentials in Registry [windows]
@@ -2264,6 +2265,7 @@
   - Atomic Test #13: Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo [linux]
   - Atomic Test #14: Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo [linux]
   - Atomic Test #15: Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo [linux]
+  - Atomic Test #16: PowerShell Network Sniffing [windows]
 - [T1135 Network Share Discovery](../../T1135/T1135.md)
   - Atomic Test #1: Network Share Discovery [macos]
   - Atomic Test #2: Network Share Discovery - linux [linux]

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -1358,6 +1358,7 @@
   - Atomic Test #5: Windows Internal Packet Capture [windows]
   - Atomic Test #6: Windows Internal pktmon capture [windows]
   - Atomic Test #7: Windows Internal pktmon set filter [windows]
+  - Atomic Test #16: PowerShell Network Sniffing [windows]
 - [T1552.002 Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md)
   - Atomic Test #1: Enumeration for Credentials in Registry [windows]
   - Atomic Test #2: Enumeration for PuTTY Credentials in Registry [windows]
@@ -1565,6 +1566,7 @@
   - Atomic Test #5: Windows Internal Packet Capture [windows]
   - Atomic Test #6: Windows Internal pktmon capture [windows]
   - Atomic Test #7: Windows Internal pktmon set filter [windows]
+  - Atomic Test #16: PowerShell Network Sniffing [windows]
 - [T1135 Network Share Discovery](../../T1135/T1135.md)
   - Atomic Test #4: Network Share Discovery command prompt [windows]
   - Atomic Test #5: Network Share Discovery PowerShell [windows]

atomics/Indexes/index.yaml

@@ -83873,6 +83873,23 @@ credential-access:
           '
         name: bash
         elevation_required: true
+    - name: PowerShell Network Sniffing
+      auto_generated_guid: 9c15a7de-de14-46c3-bc2a-6d94130986ae
+      description: |-
+        PowerShell Built-in Cmdlets to capture network traffic.
+        https://learn.microsoft.com/en-us/powershell/module/neteventpacketcapture/new-neteventsession?view=windowsserver2022-ps
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          New-NetEventSession -Name Capture007 -LocalFilePath "$ENV:Temp\sniff.etl"
+          Add-NetEventPacketCaptureProvider -SessionName Capture007 -TruncationLength 100
+          Start-NetEventSession -Name Capture007
+          Stop-NetEventSession -Name Capture007
+          Remove-NetEventSession -Name Capture007
+        cleanup_command: del $ENV:Temp\sniff.etl
+        name: powershell
+        elevation_required: true
   T1552.002:
     technique:
       modified: '2023-07-28T18:29:56.525Z'
@@ -94295,6 +94312,23 @@ discovery:
           '
         name: bash
         elevation_required: true
+    - name: PowerShell Network Sniffing
+      auto_generated_guid: 9c15a7de-de14-46c3-bc2a-6d94130986ae
+      description: |-
+        PowerShell Built-in Cmdlets to capture network traffic.
+        https://learn.microsoft.com/en-us/powershell/module/neteventpacketcapture/new-neteventsession?view=windowsserver2022-ps
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          New-NetEventSession -Name Capture007 -LocalFilePath "$ENV:Temp\sniff.etl"
+          Add-NetEventPacketCaptureProvider -SessionName Capture007 -TruncationLength 100
+          Start-NetEventSession -Name Capture007
+          Stop-NetEventSession -Name Capture007
+          Remove-NetEventSession -Name Capture007
+        cleanup_command: del $ENV:Temp\sniff.etl
+        name: powershell
+        elevation_required: true
   T1135:
     technique:
       modified: '2023-09-29T19:44:43.870Z'
@@ -107644,14 +107678,24 @@ impact:
         elevation_required: true
     - name: Windows - Delete Volume Shadow Copies via WMI
       auto_generated_guid: 6a3ff8dd-f49c-4272-a658-11c2fe58bd88
-      description: |
-        Deletes Windows Volume Shadow Copies via WMI. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
-        prereq_command: |
-          if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 }
-        get_prereq_command: |
-          wmic shadowcopy call create Volume='C:\'
+      description: 'Deletes Windows Volume Shadow Copies via WMI. This technique is
+        used by numerous ransomware families and APT malware such as Olympic Destroyer.
+
+        '
       supported_platforms:
       - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Create volume shadow copy of C:\ .
+
+          '
+        prereq_command: 'if(!(vssadmin.exe list shadows | findstr "No items found
+          that satisfy the query.")) { exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: 'wmic shadowcopy call create Volume=''C:\''
+
+          '
       executor:
         command: 'wmic.exe shadowcopy delete
 

atomics/Indexes/windows-index.yaml

@@ -68344,6 +68344,23 @@ credential-access:
         cleanup_command: pktmon filter remove
         name: command_prompt
         elevation_required: true
+    - name: PowerShell Network Sniffing
+      auto_generated_guid: 9c15a7de-de14-46c3-bc2a-6d94130986ae
+      description: |-
+        PowerShell Built-in Cmdlets to capture network traffic.
+        https://learn.microsoft.com/en-us/powershell/module/neteventpacketcapture/new-neteventsession?view=windowsserver2022-ps
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          New-NetEventSession -Name Capture007 -LocalFilePath "$ENV:Temp\sniff.etl"
+          Add-NetEventPacketCaptureProvider -SessionName Capture007 -TruncationLength 100
+          Start-NetEventSession -Name Capture007
+          Stop-NetEventSession -Name Capture007
+          Remove-NetEventSession -Name Capture007
+        cleanup_command: del $ENV:Temp\sniff.etl
+        name: powershell
+        elevation_required: true
   T1552.002:
     technique:
       modified: '2023-07-28T18:29:56.525Z'
@@ -76962,6 +76979,23 @@ discovery:
         cleanup_command: pktmon filter remove
         name: command_prompt
         elevation_required: true
+    - name: PowerShell Network Sniffing
+      auto_generated_guid: 9c15a7de-de14-46c3-bc2a-6d94130986ae
+      description: |-
+        PowerShell Built-in Cmdlets to capture network traffic.
+        https://learn.microsoft.com/en-us/powershell/module/neteventpacketcapture/new-neteventsession?view=windowsserver2022-ps
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          New-NetEventSession -Name Capture007 -LocalFilePath "$ENV:Temp\sniff.etl"
+          Add-NetEventPacketCaptureProvider -SessionName Capture007 -TruncationLength 100
+          Start-NetEventSession -Name Capture007
+          Stop-NetEventSession -Name Capture007
+          Remove-NetEventSession -Name Capture007
+        cleanup_command: del $ENV:Temp\sniff.etl
+        name: powershell
+        elevation_required: true
   T1135:
     technique:
       modified: '2023-09-29T19:44:43.870Z'
@@ -88395,14 +88429,24 @@ impact:
         elevation_required: true
     - name: Windows - Delete Volume Shadow Copies via WMI
       auto_generated_guid: 6a3ff8dd-f49c-4272-a658-11c2fe58bd88
-      description: |
-        Deletes Windows Volume Shadow Copies via WMI. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
-        prereq_command: |
-          if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 }
-        get_prereq_command: |
-          wmic shadowcopy call create Volume='C:\'
+      description: 'Deletes Windows Volume Shadow Copies via WMI. This technique is
+        used by numerous ransomware families and APT malware such as Olympic Destroyer.
+
+        '
       supported_platforms:
       - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Create volume shadow copy of C:\ .
+
+          '
+        prereq_command: 'if(!(vssadmin.exe list shadows | findstr "No items found
+          that satisfy the query.")) { exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: 'wmic shadowcopy call create Volume=''C:\''
+
+          '
       executor:
         command: 'wmic.exe shadowcopy delete
 

atomics/T1040/T1040.md

@@ -42,6 +42,8 @@ On network devices, adversaries may perform network captures using [Network Devi
 
 - [Atomic Test #15 - Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo](#atomic-test-15---packet-capture-linux-socket-af_packetsock_raw-with-bpf-filter-for-udp-with-sudo)
 
+- [Atomic Test #16 - PowerShell Network Sniffing](#atomic-test-16---powershell-network-sniffing)
+
 
 <br/>
 
@@ -761,4 +763,41 @@ cc #{csource_path} -o #{program_path}
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #16 - PowerShell Network Sniffing
+PowerShell Built-in Cmdlets to capture network traffic.
+https://learn.microsoft.com/en-us/powershell/module/neteventpacketcapture/new-neteventsession?view=windowsserver2022-ps
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 9c15a7de-de14-46c3-bc2a-6d94130986ae
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+New-NetEventSession -Name Capture007 -LocalFilePath "$ENV:Temp\sniff.etl"
+Add-NetEventPacketCaptureProvider -SessionName Capture007 -TruncationLength 100
+Start-NetEventSession -Name Capture007
+Stop-NetEventSession -Name Capture007
+Remove-NetEventSession -Name Capture007
+```
+
+#### Cleanup Commands:
+```powershell
+del $ENV:Temp\sniff.etl
+```
+
+
+
+
+
 <br/>

atomics/T1040/T1040.yaml

@@ -440,3 +440,21 @@ atomic_tests:
       rm -f #{program_path}
     name: bash
     elevation_required: true
+- name: PowerShell Network Sniffing
+  auto_generated_guid: 9c15a7de-de14-46c3-bc2a-6d94130986ae
+  description: |-
+    PowerShell Built-in Cmdlets to capture network traffic.
+    https://learn.microsoft.com/en-us/powershell/module/neteventpacketcapture/new-neteventsession?view=windowsserver2022-ps
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      New-NetEventSession -Name Capture007 -LocalFilePath "$ENV:Temp\sniff.etl"
+      Add-NetEventPacketCaptureProvider -SessionName Capture007 -TruncationLength 100
+      Start-NetEventSession -Name Capture007
+      Stop-NetEventSession -Name Capture007
+      Remove-NetEventSession -Name Capture007
+    cleanup_command: |-
+      del $ENV:Temp\sniff.etl
+    name: powershell
+    elevation_required: true

atomics/T1490/T1490.md

@@ -90,10 +90,6 @@ vssadmin.exe create shadow /for=c:
 
 ## Atomic Test #2 - Windows - Delete Volume Shadow Copies via WMI
 Deletes Windows Volume Shadow Copies via WMI. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
-prereq_command: |
-  if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 }
-get_prereq_command: |
-  wmic shadowcopy call create Volume='C:\'
 
 **Supported Platforms:** Windows
 
@@ -115,6 +111,18 @@ wmic.exe shadowcopy delete
 
 
 
+#### Dependencies:  Run with `powershell`!
+##### Description: Create volume shadow copy of C:\ .
+##### Check Prereq Commands:
+```powershell
+if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 }
+```
+##### Get Prereq Commands:
+```powershell
+wmic shadowcopy call create Volume='C:\'
+```
+
+
 
 
 <br/>

atomics/T1490/T1490.yaml

@@ -29,12 +29,16 @@ atomic_tests:
   auto_generated_guid: 6a3ff8dd-f49c-4272-a658-11c2fe58bd88
   description: |
     Deletes Windows Volume Shadow Copies via WMI. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
+  supported_platforms:
+  - windows
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Create volume shadow copy of C:\ .
     prereq_command: |
       if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 }
     get_prereq_command: |
       wmic shadowcopy call create Volume='C:\'
-  supported_platforms:
-  - windows
   executor:
     command: |
       wmic.exe shadowcopy delete

atomics/used_guids.txt

@@ -1554,3 +1554,4 @@ c9207f3e-213d-4cc7-ad2a-7697a7237df9
 d6a0c593-be3c-41b9-913d-763b1d3bc3eb
 a4420f93-5386-4290-b780-f4f66abc7070
 47c96489-2f55-4774-a6df-39faff428f6f
+9c15a7de-de14-46c3-bc2a-6d94130986ae