For binary to not be quarantined, Windows Defender must be disabled on Windows Host running HyperV and Windows10 lab.

Activity should be run from Windows 10 lab.

Disable windows defender on the Host and VM and run the following command to rebuilt the binary:

Set up Tools (and disable Windows Defender)

Note: Run on target Win10 Lab and the Host OS

## Quick Script for Effecient Tool Dropping
## Disable Windows Defender Before Downloading Atomic
Set-MpPreference -drtm $True
Set-MpPreference -dbm $True
Set-MpPreference -dscrptsc $True
Set-MpPreference -dbaf $True
## Install Atomic Red Team and Invoke-Atomic in C:\AtomicRedTeam
IEX (IWR '' -UseBasicParsing);
Install-AtomicRedTeam -getAtomics

Running Atomic Tests

Run the AtomicTests by typing Invoke-AtomicTest into your Powershell terminal. Then type a - and the test number you want to run. Review options here: atomic Note some

# If you want to run the first and second Atomic test for Technique T1218.010
Invoke-AtomicTest T1218.010-1,2
# or using the long form
Invoke-AtomicTest T1218.010 -TestNumbers 1,2
# or using the short form ..

If you run things manually, be sure to run the cleanup. If you let Invoke-AtomicTest run the test, it will clean up after its self.

Generic and Recognizable Techniques Using Atomic

T1053.005-1 Scheduled Task Startup Script

Invoke-AtomicTest T1053.005-1

T1012.1 Query a Registry
T1112-1 Modify Registry
T1615-1 Group Policy Discovery
T1615-2 Group Policy Discovery
T1082-1 System Information Discovery
T1003.001-1 OS Credential Dumping: LSASS

IcedID Emulation

IcedID is a banking trojan with three major variants that is currently making the news.

Mount an ISO image and run executable from the ISO

Invoke-AtomicTest T1553.005-1

System Network Configuration Discovery on Windows

Invoke-AtomicTest T1016

Security Software Discovery - AV Discovery via WMI

Invoke-AtomicTest T1518.001

System Information Discovery

Invoke-AtomicTest T1082

Windows - Discover domain trusts with nltest

Invoke-AtomicTest T1482

Scheduled Task Startup Script

Invoke-AtomicTest T1053.005

Process Hollowing using PowerShell

Invoke-AtomicTest T1055.012

All attacks compiled

Invoke-AtomicTest T1553.005-1
Invoke-AtomicTest T1016
Invoke-AtomicTest T1518.001
Invoke-AtomicTest T1082
Invoke-AtomicTest T1482
Invoke-AtomicTest T1053.005
Invoke-AtomicTest T1055.012


T1082-1	System Information Discovery
T1105-7 Ingress Tool Transfer
T1069.002-1 Domain Groups
T1566.001-1 Spearphishing Attachment
T1055.004-1 Asynchronous Procedure Call
T1218.007-1 Msiexec
T1053.005-1 Scheduled Task/Job: Scheduled Task
T1547.009-1  Boot or Logon Autostart Execution: Shortcut Modification
T1204.002-1	Malicious File

### Extended Untested
T1071.001-1 Web Protocols
T1547.001-1 Registry Run Keys / Startup Folder
T1546.013-1 Event Triggered Execution: PowerShell Profile
T1564.003 Hide Artifacts: Hidden Window
T1105-7 Ingress Tool Transfer
T1027.002-1	Software Packing

Simple Path

Fail a Password Logon Reset a Password Query a Registry