Generated docs from job=generate-docs branch=master [ci skip]

README.md

@@ -2,7 +2,7 @@
 
 # Atomic Red Team
 
-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1657-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1658-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
 
 Atomic Red Team™ is a library of tests mapped to the
 [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use

atomics/Indexes/Indexes-CSV/index.csv

@@ -1926,6 +1926,7 @@ discovery,T1518.001,Software Discovery: Security Software Discovery,7,Security S
 discovery,T1518.001,Software Discovery: Security Software Discovery,8,Security Software Discovery - AV Discovery via Get-CimInstance and Get-WmiObject cmdlets,015cd268-996e-4c32-8347-94c80c6286ee,command_prompt
 discovery,T1518.001,Software Discovery: Security Software Discovery,9,Security Software Discovery - Windows Defender Enumeration,d3415a0e-66ef-429b-acf4-a768876954f6,powershell
 discovery,T1518.001,Software Discovery: Security Software Discovery,10,Security Software Discovery - Windows Firewall Enumeration,9dca5a1d-f78c-4a8d-accb-d6de67cfed6b,powershell
+discovery,T1518.001,Software Discovery: Security Software Discovery,11,Get Windows Defender exclusion settings using WMIC,e31564c8-4c60-40cd-a8f4-9261307e8336,command_prompt
 discovery,T1526,Cloud Service Discovery,1,Azure - Dump Subscription Data with MicroBurst,1e40bb1d-195e-401e-a86b-c192f55e005c,powershell
 discovery,T1018,Remote System Discovery,1,Remote System Discovery - net,85321a9c-897f-4a60-9f20-29788e50bccd,command_prompt
 discovery,T1018,Remote System Discovery,2,Remote System Discovery - net group Domain Computers,f1bf6c8f-9016-4edf-aff9-80b65f5d711f,command_prompt

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -1302,6 +1302,7 @@ discovery,T1518.001,Software Discovery: Security Software Discovery,7,Security S
 discovery,T1518.001,Software Discovery: Security Software Discovery,8,Security Software Discovery - AV Discovery via Get-CimInstance and Get-WmiObject cmdlets,015cd268-996e-4c32-8347-94c80c6286ee,command_prompt
 discovery,T1518.001,Software Discovery: Security Software Discovery,9,Security Software Discovery - Windows Defender Enumeration,d3415a0e-66ef-429b-acf4-a768876954f6,powershell
 discovery,T1518.001,Software Discovery: Security Software Discovery,10,Security Software Discovery - Windows Firewall Enumeration,9dca5a1d-f78c-4a8d-accb-d6de67cfed6b,powershell
+discovery,T1518.001,Software Discovery: Security Software Discovery,11,Get Windows Defender exclusion settings using WMIC,e31564c8-4c60-40cd-a8f4-9261307e8336,command_prompt
 discovery,T1018,Remote System Discovery,1,Remote System Discovery - net,85321a9c-897f-4a60-9f20-29788e50bccd,command_prompt
 discovery,T1018,Remote System Discovery,2,Remote System Discovery - net group Domain Computers,f1bf6c8f-9016-4edf-aff9-80b65f5d711f,command_prompt
 discovery,T1018,Remote System Discovery,3,Remote System Discovery - nltest,52ab5108-3f6f-42fb-8ba3-73bc054f22c8,command_prompt

atomics/Indexes/Indexes-Markdown/index.md

@@ -2608,6 +2608,7 @@
   - Atomic Test #8: Security Software Discovery - AV Discovery via Get-CimInstance and Get-WmiObject cmdlets [windows]
   - Atomic Test #9: Security Software Discovery - Windows Defender Enumeration [windows]
   - Atomic Test #10: Security Software Discovery - Windows Firewall Enumeration [windows]
+  - Atomic Test #11: Get Windows Defender exclusion settings using WMIC [windows]
 - [T1526 Cloud Service Discovery](../../T1526/T1526.md)
   - Atomic Test #1: Azure - Dump Subscription Data with MicroBurst [iaas:azure]
 - [T1018 Remote System Discovery](../../T1018/T1018.md)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -1830,6 +1830,7 @@
   - Atomic Test #8: Security Software Discovery - AV Discovery via Get-CimInstance and Get-WmiObject cmdlets [windows]
   - Atomic Test #9: Security Software Discovery - Windows Defender Enumeration [windows]
   - Atomic Test #10: Security Software Discovery - Windows Firewall Enumeration [windows]
+  - Atomic Test #11: Get Windows Defender exclusion settings using WMIC [windows]
 - [T1018 Remote System Discovery](../../T1018/T1018.md)
   - Atomic Test #1: Remote System Discovery - net [windows]
   - Atomic Test #2: Remote System Discovery - net group Domain Computers [windows]

atomics/Indexes/index.yaml

@@ -106172,6 +106172,25 @@ discovery:
           Get-NetFirewallRule | select DisplayName, Enabled, Description
         name: powershell
         elevation_required: true
+    - name: Get Windows Defender exclusion settings using WMIC
+      auto_generated_guid: e31564c8-4c60-40cd-a8f4-9261307e8336
+      description: "In this test, a WMIC command is used to probe the local Windows
+        system for the configuration of Windows Defender's exclusions. This command
+        targets the MSFT_MpPreference \nclass within the Windows Management Instrumentation
+        (WMI) namespace, allowing the retrieval of critical settings such as disabled
+        real-time monitoring and specified \nexclusion paths, file extensions, and
+        processes. Attackers might use this approach to understand what is excluded
+        from antivirus scans, enabling further exploitation.\n"
+      supported_platforms:
+      - windows
+      executor:
+        name: command_prompt
+        elevation_required: true
+        command: 'wmic /Node:localhost /Namespace:\\root\Microsoft\Windows\Defender
+          Path MSFT_MpPreference Get /format:list | findstr /i /C:"DisableRealtimeMonitoring"
+          /C:"ExclusionPath" /C:"ExclusionExtension" /C:"ExclusionProcess"
+
+          '
   T1526:
     technique:
       modified: '2023-10-31T14:00:00.188Z'

atomics/Indexes/windows-index.yaml

@@ -86901,6 +86901,25 @@ discovery:
           Get-NetFirewallRule | select DisplayName, Enabled, Description
         name: powershell
         elevation_required: true
+    - name: Get Windows Defender exclusion settings using WMIC
+      auto_generated_guid: e31564c8-4c60-40cd-a8f4-9261307e8336
+      description: "In this test, a WMIC command is used to probe the local Windows
+        system for the configuration of Windows Defender's exclusions. This command
+        targets the MSFT_MpPreference \nclass within the Windows Management Instrumentation
+        (WMI) namespace, allowing the retrieval of critical settings such as disabled
+        real-time monitoring and specified \nexclusion paths, file extensions, and
+        processes. Attackers might use this approach to understand what is excluded
+        from antivirus scans, enabling further exploitation.\n"
+      supported_platforms:
+      - windows
+      executor:
+        name: command_prompt
+        elevation_required: true
+        command: 'wmic /Node:localhost /Namespace:\\root\Microsoft\Windows\Defender
+          Path MSFT_MpPreference Get /format:list | findstr /i /C:"DisableRealtimeMonitoring"
+          /C:"ExclusionPath" /C:"ExclusionExtension" /C:"ExclusionProcess"
+
+          '
   T1526:
     technique:
       modified: '2023-10-31T14:00:00.188Z'

atomics/T1518.001/T1518.001.md

@@ -28,6 +28,8 @@ Adversaries may also utilize the [Cloud API](https://attack.mitre.org/techniques
 
 - [Atomic Test #10 - Security Software Discovery - Windows Firewall Enumeration](#atomic-test-10---security-software-discovery---windows-firewall-enumeration)
 
+- [Atomic Test #11 - Get Windows Defender exclusion settings using WMIC](#atomic-test-11---get-windows-defender-exclusion-settings-using-wmic)
+
 
 <br/>
 
@@ -355,4 +357,34 @@ Get-NetFirewallRule | select DisplayName, Enabled, Description
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #11 - Get Windows Defender exclusion settings using WMIC
+In this test, a WMIC command is used to probe the local Windows system for the configuration of Windows Defender's exclusions. This command targets the MSFT_MpPreference 
+class within the Windows Management Instrumentation (WMI) namespace, allowing the retrieval of critical settings such as disabled real-time monitoring and specified 
+exclusion paths, file extensions, and processes. Attackers might use this approach to understand what is excluded from antivirus scans, enabling further exploitation.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** e31564c8-4c60-40cd-a8f4-9261307e8336
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+wmic /Node:localhost /Namespace:\\root\Microsoft\Windows\Defender Path MSFT_MpPreference Get /format:list | findstr /i /C:"DisableRealtimeMonitoring" /C:"ExclusionPath" /C:"ExclusionExtension" /C:"ExclusionProcess"
+```
+
+
+
+
+
+
 <br/>

atomics/T1518.001/T1518.001.yaml

@@ -153,6 +153,7 @@ atomic_tests:
     name: powershell 
     elevation_required: true
 - name: Get Windows Defender exclusion settings using WMIC
+  auto_generated_guid: e31564c8-4c60-40cd-a8f4-9261307e8336
   description: |
     In this test, a WMIC command is used to probe the local Windows system for the configuration of Windows Defender's exclusions. This command targets the MSFT_MpPreference 
     class within the Windows Management Instrumentation (WMI) namespace, allowing the retrieval of critical settings such as disabled real-time monitoring and specified 

atomics/used_guids.txt

@@ -1686,3 +1686,4 @@ f6ecb109-df24-4303-8d85-1987dbae6160
 51f17016-d8fa-4360-888a-df4bf92c4a04
 96257079-cdc1-4aba-8705-3146e94b6dce
 0b29f7e3-a050-44b7-bf05-9fb86af1ec2e
+e31564c8-4c60-40cd-a8f4-9261307e8336