Generated docs from job=generate-docs branch=master [ci skip]

README.md

@@ -2,7 +2,7 @@
 
 # Atomic Red Team
 
-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1746-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1748-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
 
 
 Atomic Red Team™ is a library of tests mapped to the

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-containers.json

@@ -1 +1 @@
-{"name":"Atomic Red Team (Containers)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Containers) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1046","score":1,"enabled":true,"comment":"\n- Network Service Discovery for Containers\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1053","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"comment":"\n- ListCronjobs\n- CreateCronjob\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1069","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":1,"enabled":true,"comment":"\n- Permission Groups Discovery for Containers- Local Groups\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1105","score":1,"enabled":true,"comment":"\n- Curl Insecure Connection from a Pod\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":1,"enabled":true,"comment":"\n- Create a Linux user via kubectl in a Pod\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1552","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.007","score":2,"enabled":true,"comment":"\n- List All Secrets\n- ListSecrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"comment":"\n- ExecIntoContainer\n- Docker Exec Into Container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"comment":"\n- Deploy Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":3,"enabled":true,"comment":"\n- Deploy container using nsenter container escape\n- Mount host filesystem to escape privileged Docker container\n- Privilege Escalation via Docker Volume Mapping\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1612","score":1,"enabled":true,"comment":"\n- Build Image On Host\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1612/T1612.md"}]},{"techniqueID":"T1613","score":2,"enabled":true,"comment":"\n- Docker Container and Resource Discovery\n- Podman Container and Resource Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1613/T1613.md"}]}]}
+{"name":"Atomic Red Team (Containers)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Containers) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1046","score":1,"enabled":true,"comment":"\n- Network Service Discovery for Containers\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1053","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":1,"enabled":true,"comment":"\n- At - Schedule a job via kubectl in a Pod\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"comment":"\n- ListCronjobs\n- CreateCronjob\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1069","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":1,"enabled":true,"comment":"\n- Permission Groups Discovery for Containers- Local Groups\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1105","score":1,"enabled":true,"comment":"\n- Curl Insecure Connection from a Pod\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":1,"enabled":true,"comment":"\n- Create a Linux user via kubectl in a Pod\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1195","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195/T1195.md"}]},{"techniqueID":"T1195.002","score":1,"enabled":true,"comment":"\n- Simulate npm package installation on a Linux system\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195.002/T1195.002.md"}]},{"techniqueID":"T1552","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.007","score":2,"enabled":true,"comment":"\n- List All Secrets\n- ListSecrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"comment":"\n- ExecIntoContainer\n- Docker Exec Into Container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"comment":"\n- Deploy Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":3,"enabled":true,"comment":"\n- Deploy container using nsenter container escape\n- Mount host filesystem to escape privileged Docker container\n- Privilege Escalation via Docker Volume Mapping\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1612","score":1,"enabled":true,"comment":"\n- Build Image On Host\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1612/T1612.md"}]},{"techniqueID":"T1613","score":2,"enabled":true,"comment":"\n- Docker Container and Resource Discovery\n- Podman Container and Resource Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1613/T1613.md"}]}]}

atomics/Indexes/Indexes-CSV/index.csv

@@ -950,6 +950,7 @@ privilege-escalation,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistenc
 privilege-escalation,T1078.004,Valid Accounts: Cloud Accounts,3,GCP - Create Custom IAM Role,3a159042-69e6-4398-9a69-3308a4841c85,sh
 privilege-escalation,T1053.002,Scheduled Task/Job: At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
 privilege-escalation,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
+privilege-escalation,T1053.002,Scheduled Task/Job: At,3,At - Schedule a job via kubectl in a Pod,9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213,bash
 privilege-escalation,T1055.001,Process Injection: Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
 privilege-escalation,T1055.001,Process Injection: Dynamic-link Library Injection,2,WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique,8b56f787-73d9-4f1d-87e8-d07e89cbc7f5,powershell
 privilege-escalation,T1546.007,Event Triggered Execution: Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
@@ -1103,6 +1104,7 @@ execution,T1569.002,System Services: Service Execution,7,Modifying ACL of Servic
 execution,T1569.002,System Services: Service Execution,8,Pipe Creation - PsExec Tool Execution From Suspicious Locations,004a5d68-627b-452d-af3d-43bd1fc75a3b,powershell
 execution,T1053.002,Scheduled Task/Job: At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
 execution,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
+execution,T1053.002,Scheduled Task/Job: At,3,At - Schedule a job via kubectl in a Pod,9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213,bash
 persistence,T1053.005,Scheduled Task/Job: Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
 persistence,T1053.005,Scheduled Task/Job: Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
 persistence,T1053.005,Scheduled Task/Job: Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
@@ -1428,6 +1430,7 @@ persistence,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automat
 persistence,T1078.004,Valid Accounts: Cloud Accounts,3,GCP - Create Custom IAM Role,3a159042-69e6-4398-9a69-3308a4841c85,sh
 persistence,T1053.002,Scheduled Task/Job: At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
 persistence,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
+persistence,T1053.002,Scheduled Task/Job: At,3,At - Schedule a job via kubectl in a Pod,9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213,bash
 persistence,T1546.007,Event Triggered Execution: Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
 persistence,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
 persistence,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
@@ -2224,6 +2227,7 @@ initial-access,T1195,Supply Chain Compromise,1,Octopus Scanner Malware Open Sour
 initial-access,T1078.001,Valid Accounts: Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
 initial-access,T1078.001,Valid Accounts: Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
 initial-access,T1078.001,Valid Accounts: Default Accounts,3,Enable Guest Account on macOS,0315bdff-4178-47e9-81e4-f31a6d23f7e4,sh
+initial-access,T1195.002,Compromise Software Supply Chain,1,Simulate npm package installation on a Linux system,a9604672-cd46-493b-b58f-fd4124c22dd3,bash
 initial-access,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
 initial-access,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
 initial-access,T1078.004,Valid Accounts: Cloud Accounts,3,GCP - Create Custom IAM Role,3a159042-69e6-4398-9a69-3308a4841c85,sh

atomics/Indexes/Indexes-CSV/linux-index.csv

@@ -445,6 +445,7 @@ impact,T1529,System Shutdown/Reboot,9,Shutdown System via `poweroff` - FreeBSD/L
 impact,T1529,System Shutdown/Reboot,10,Reboot System via `poweroff` - FreeBSD,5a282e50-86ff-438d-8cef-8ae01c9e62e1,sh
 impact,T1529,System Shutdown/Reboot,11,Reboot System via `poweroff` - Linux,61303105-ff60-427b-999e-efb90b314e41,bash
 impact,T1529,System Shutdown/Reboot,16,Abuse of Linux Magic System Request Key for Reboot,d2a1f4bc-a064-4223-8281-a086dce5423c,bash
+initial-access,T1195.002,Compromise Software Supply Chain,1,Simulate npm package installation on a Linux system,a9604672-cd46-493b-b58f-fd4124c22dd3,bash
 initial-access,T1078.003,Valid Accounts: Local Accounts,8,Create local account (Linux),02a91c34-8a5b-4bed-87af-501103eb5357,bash
 initial-access,T1078.003,Valid Accounts: Local Accounts,9,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
 initial-access,T1078.003,Valid Accounts: Local Accounts,10,Reactivate a locked/expired account (FreeBSD),09e3380a-fae5-4255-8b19-9950be0252cf,sh

atomics/Indexes/Indexes-Markdown/containers-index.md

@@ -236,7 +236,8 @@
 - T1055.015 Process Injection: ListPlanting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1484 Domain or Tenant Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1547.008 Boot or Logon Autostart Execution: LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1053.002 Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
+  - Atomic Test #3: At - Schedule a job via kubectl in a Pod [containers]
 - T1055.001 Process Injection: Dynamic-link Library Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1546.007 Event Triggered Execution: Netsh Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078.003 Valid Accounts: Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -268,7 +269,8 @@
 - T1204.004 Malicious Copy and Paste [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1204.001 Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1569.002 System Services: Service Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1053.002 Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
+  - Atomic Test #3: At - Schedule a job via kubectl in a Pod [containers]
 
 # persistence
 - T1053.005 Scheduled Task/Job: Scheduled Task [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -356,7 +358,8 @@
 - T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1137.002 Office Application Startup: Office Test [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1547.008 Boot or Logon Autostart Execution: LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1053.002 Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
+  - Atomic Test #3: At - Schedule a job via kubectl in a Pod [containers]
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1546.007 Event Triggered Execution: Netsh Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -608,7 +611,8 @@
 - T1566 Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1566.004 Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1195.002 Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1195.002 Compromise Software Supply Chain](../../T1195.002/T1195.002.md)
+  - Atomic Test #1: Simulate npm package installation on a Linux system [containers, linux]
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1200 Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/index.md

@@ -1266,6 +1266,7 @@
 - [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
   - Atomic Test #1: At.exe Scheduled task [windows]
   - Atomic Test #2: At - Schedule a job [linux]
+  - Atomic Test #3: At - Schedule a job via kubectl in a Pod [containers]
 - [T1055.001 Process Injection: Dynamic-link Library Injection](../../T1055.001/T1055.001.md)
   - Atomic Test #1: Process Injection via mavinject.exe [windows]
   - Atomic Test #2: WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique [windows]
@@ -1470,6 +1471,7 @@
 - [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
   - Atomic Test #1: At.exe Scheduled task [windows]
   - Atomic Test #2: At - Schedule a job [linux]
+  - Atomic Test #3: At - Schedule a job via kubectl in a Pod [containers]
 
 # persistence
 - [T1053.005 Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md)
@@ -1913,6 +1915,7 @@
 - [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
   - Atomic Test #1: At.exe Scheduled task [windows]
   - Atomic Test #2: At - Schedule a job [linux]
+  - Atomic Test #3: At - Schedule a job via kubectl in a Pod [containers]
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1546.017 Udev Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.007 Event Triggered Execution: Netsh Helper DLL](../../T1546.007/T1546.007.md)
@@ -3096,7 +3099,8 @@
 - T1566 Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1566.004 Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1195.002 Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1195.002 Compromise Software Supply Chain](../../T1195.002/T1195.002.md)
+  - Atomic Test #1: Simulate npm package installation on a Linux system [containers, linux]
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1200 Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/linux-index.md

@@ -890,7 +890,8 @@
 - T1566 Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1566.004 Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1195.002 Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1195.002 Compromise Software Supply Chain](../../T1195.002/T1195.002.md)
+  - Atomic Test #1: Simulate npm package installation on a Linux system [containers, linux]
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1200 Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Matrices/linux-matrix.md

@@ -14,7 +14,7 @@
 | Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Server Software Component: Transport Agent [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Network Sniffing](../../T1040/T1040.md) | [Network Share Discovery](../../T1135/T1135.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ccache Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Protocol Tunneling](../../T1572/T1572.md) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md) | [Browser Extensions](../../T1176/T1176.md) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Information Discovery](../../T1082/T1082.md) |  | [Data from Local System](../../T1005/T1005.md) | Exfiltration Over Web Service: Exfiltration to Text Storage Sites [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Network Configuration Discovery: Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Archive Collected Data: Archive via Library](../../T1560.002/T1560.002.md) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bandwidth Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| [Compromise Software Supply Chain](../../T1195.002/T1195.002.md) | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Network Configuration Discovery: Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Archive Collected Data: Archive via Library](../../T1560.002/T1560.002.md) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bandwidth Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Lua [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials](../../T1552/T1552.md) | Application Window Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Archive Collected Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Server Software Component: Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | [Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [Time Based Evasion](../../T1497.003/T1497.003.md) |  | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement: Internal Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: Python](../../T1059.006/T1059.006.md) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs](../../T1070.002/T1070.002.md) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) |  | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | IDE Tunneling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Compute Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |

atomics/Indexes/Matrices/matrix.md

@@ -15,7 +15,7 @@
 | Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: AppleScript](../../T1059.002/T1059.002.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Direct Volume Access](../../T1006/T1006.md) | [OS Credential Dumping: LSA Secrets](../../T1003.004/T1003.004.md) | [System Service Discovery](../../T1007/T1007.md) | [Remote Services: Distributed Component Object Model](../../T1021.003/T1021.003.md) | [Email Collection: Local Email Collection](../../T1114.001/T1114.001.md) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | [Protocol Tunneling](../../T1572/T1572.md) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Native API](../../T1106/T1106.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | Modify Cloud Resource Hierarchy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Forge Web Credentials: SAML token](../../T1606.002/T1606.002.md) | [Network Sniffing](../../T1040/T1040.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: AutoHotKey & AutoIT](../../T1059.010/T1059.010.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Domain Trust Modification](../../T1484.002/T1484.002.md) | [Hide Artifacts: Email Hiding Rules](../../T1564.008/T1564.008.md) | [OS Credential Dumping: Proc Filesystem](../../T1003.007/T1003.007.md) | [Network Share Discovery](../../T1135/T1135.md) | Cloud Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Web Service: Exfiltration to Text Storage Sites](../../T1567.003/T1567.003.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Systemctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Obfuscated Files or Information: Encrypted/Encoded File](../../T1027.013/T1027.013.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Peripheral Device Discovery](../../T1120/T1120.md) | [Software Deployment Tools](../../T1072/T1072.md) | [Data from Cloud Storage Object](../../T1530/T1530.md) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| [Compromise Software Supply Chain](../../T1195.002/T1195.002.md) | Systemctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Obfuscated Files or Information: Encrypted/Encoded File](../../T1027.013/T1027.013.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Peripheral Device Discovery](../../T1120/T1120.md) | [Software Deployment Tools](../../T1072/T1072.md) | [Data from Cloud Storage Object](../../T1530/T1530.md) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Browser Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [Rootkit](../../T1014/T1014.md) | [Network Sniffing](../../T1040/T1040.md) | [System Information Discovery](../../T1082/T1082.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bandwidth Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Deploy a container](../../T1610/T1610.md) | TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Manipulation: Additional Cloud Roles](../../T1098.003/T1098.003.md) | [Masquerading: Double File Extension](../../T1036.007/T1036.007.md) | [Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md) | [System Network Configuration Discovery: Wi-Fi Discovery](../../T1016.002/T1016.002.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data from Local System](../../T1005/T1005.md) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | IDE Tunneling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Application Window Discovery](../../T1010/T1010.md) | [Lateral Tool Transfer](../../T1570/T1570.md) | [Archive Collected Data: Archive via Library](../../T1560.002/T1560.002.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Defacement: Internal Defacement](../../T1491.001/T1491.001.md) |

atomics/Indexes/azure-ad-index.yaml

@@ -63319,6 +63319,7 @@ initial-access:
       x_mitre_version: '1.1'
       x_mitre_data_sources:
       - 'File: File Metadata'
+      identifier: T1195.002
     atomic_tests: []
   T1078.002:
     technique:

atomics/Indexes/containers-index.yaml

@@ -24222,7 +24222,48 @@ privilege-escalation:
       - 'Process: Process Creation'
       - 'File: File Modification'
       identifier: T1053.002
-    atomic_tests: []
+    atomic_tests:
+    - name: At - Schedule a job via kubectl in a Pod
+      auto_generated_guid: 9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213
+      description: |
+        Launches a short-lived Ubuntu pod, installs the `at` utility, starts the `atd` daemon,
+        and submits a job with `at`. The pod is deleted after execution.
+      supported_platforms:
+      - containers
+      input_arguments:
+        image_name:
+          description: Name of the image
+          type: string
+          default: ubuntu
+        pod_name:
+          description: K8s pod name to execute the command in
+          type: string
+          default: atomic-at-schedule
+        time_spec:
+          description: Time specification of when the command should run
+          type: string
+          default: now + 1 minute
+        at_command:
+          description: The command to be run
+          type: string
+          default: echo Hello from Atomic Red Team
+      dependencies:
+      - description: kubectl must be installed and configured
+        get_prereq_command: 'echo "kubectl must be installed manually"
+
+          '
+        prereq_command: 'which kubectl
+
+          '
+      executor:
+        name: bash
+        elevation_required: false
+        command: 'kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach
+          --rm -i -- bash -lc "apt-get update -y >/dev/null 2>&1 && apt-get install
+          -y at >/dev/null 2>&1 && (atd || /usr/sbin/atd) && echo ''#{at_command}''
+          | at #{time_spec} && at -l"
+
+          '
   T1055.001:
     technique:
       type: attack-pattern
@@ -27881,7 +27922,48 @@ execution:
       - 'Process: Process Creation'
       - 'File: File Modification'
       identifier: T1053.002
-    atomic_tests: []
+    atomic_tests:
+    - name: At - Schedule a job via kubectl in a Pod
+      auto_generated_guid: 9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213
+      description: |
+        Launches a short-lived Ubuntu pod, installs the `at` utility, starts the `atd` daemon,
+        and submits a job with `at`. The pod is deleted after execution.
+      supported_platforms:
+      - containers
+      input_arguments:
+        image_name:
+          description: Name of the image
+          type: string
+          default: ubuntu
+        pod_name:
+          description: K8s pod name to execute the command in
+          type: string
+          default: atomic-at-schedule
+        time_spec:
+          description: Time specification of when the command should run
+          type: string
+          default: now + 1 minute
+        at_command:
+          description: The command to be run
+          type: string
+          default: echo Hello from Atomic Red Team
+      dependencies:
+      - description: kubectl must be installed and configured
+        get_prereq_command: 'echo "kubectl must be installed manually"
+
+          '
+        prereq_command: 'which kubectl
+
+          '
+      executor:
+        name: bash
+        elevation_required: false
+        command: 'kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach
+          --rm -i -- bash -lc "apt-get update -y >/dev/null 2>&1 && apt-get install
+          -y at >/dev/null 2>&1 && (atd || /usr/sbin/atd) && echo ''#{at_command}''
+          | at #{time_spec} && at -l"
+
+          '
 persistence:
   T1053.005:
     technique:
@@ -37143,7 +37225,48 @@ persistence:
       - 'Process: Process Creation'
       - 'File: File Modification'
       identifier: T1053.002
-    atomic_tests: []
+    atomic_tests:
+    - name: At - Schedule a job via kubectl in a Pod
+      auto_generated_guid: 9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213
+      description: |
+        Launches a short-lived Ubuntu pod, installs the `at` utility, starts the `atd` daemon,
+        and submits a job with `at`. The pod is deleted after execution.
+      supported_platforms:
+      - containers
+      input_arguments:
+        image_name:
+          description: Name of the image
+          type: string
+          default: ubuntu
+        pod_name:
+          description: K8s pod name to execute the command in
+          type: string
+          default: atomic-at-schedule
+        time_spec:
+          description: Time specification of when the command should run
+          type: string
+          default: now + 1 minute
+        at_command:
+          description: The command to be run
+          type: string
+          default: echo Hello from Atomic Red Team
+      dependencies:
+      - description: kubectl must be installed and configured
+        get_prereq_command: 'echo "kubectl must be installed manually"
+
+          '
+        prereq_command: 'which kubectl
+
+          '
+      executor:
+        name: bash
+        elevation_required: false
+        command: 'kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach
+          --rm -i -- bash -lc "apt-get update -y >/dev/null 2>&1 && apt-get install
+          -y at >/dev/null 2>&1 && (atd || /usr/sbin/atd) && echo ''#{at_command}''
+          | at #{time_spec} && at -l"
+
+          '
   T1556:
     technique:
       type: attack-pattern
@@ -62541,7 +62664,47 @@ initial-access:
       x_mitre_version: '1.1'
       x_mitre_data_sources:
       - 'File: File Metadata'
-    atomic_tests: []
+      identifier: T1195.002
+    atomic_tests:
+    - name: Simulate npm package installation on a Linux system
+      auto_generated_guid: a9604672-cd46-493b-b58f-fd4124c22dd3
+      description: 'Launches a short‑lived Kubernetes pod using the Node 18 image,
+        initializes a minimal npm project in /tmp/test, and installs the specified
+        npm package without audit/fund/package‑lock options, simulating potentially
+        suspicious package retrieval (e.g., typosquatting/dependency confusion) from
+        within a container. The pod is deleted after execution.
+
+        '
+      supported_platforms:
+      - containers
+      - linux
+      input_arguments:
+        image_name:
+          description: Name of the image
+          type: string
+          default: node:18
+        pod_name:
+          description: Name of the pod
+          type: string
+          default: atomic-npm-install
+        package_name:
+          description: NPM package to install
+          type: string
+          default: tinycolor
+      dependencies:
+      - description: kubectl must be installed and configured
+        get_prereq_command: echo "kubectl must be installed"
+        prereq_command: which kubectl
+      executor:
+        name: bash
+        elevation_required: false
+        command: 'kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach
+          --rm -i -- bash -lc "mkdir -p /tmp/test && cd /tmp/test && npm init -y >/dev/null
+          2>&1 && echo ''--- package.json before install ---'' && cat package.json
+          && npm install #{package_name} --no-audit --no-fund --no-package-lock &&
+          echo ''--- package.json after install ---'' && cat package.json"
+
+          '
   T1078.002:
     technique:
       type: attack-pattern

atomics/Indexes/esxi-index.yaml

@@ -61674,6 +61674,7 @@ initial-access:
       x_mitre_version: '1.1'
       x_mitre_data_sources:
       - 'File: File Metadata'
+      identifier: T1195.002
     atomic_tests: []
   T1078.002:
     technique:

atomics/Indexes/google-workspace-index.yaml

@@ -61848,6 +61848,7 @@ initial-access:
       x_mitre_version: '1.1'
       x_mitre_data_sources:
       - 'File: File Metadata'
+      identifier: T1195.002
     atomic_tests: []
   T1078.002:
     technique:

atomics/Indexes/iaas-index.yaml

@@ -61674,6 +61674,7 @@ initial-access:
       x_mitre_version: '1.1'
       x_mitre_data_sources:
       - 'File: File Metadata'
+      identifier: T1195.002
     atomic_tests: []
   T1078.002:
     technique:

atomics/Indexes/iaas_aws-index.yaml

@@ -62752,6 +62752,7 @@ initial-access:
       x_mitre_version: '1.1'
       x_mitre_data_sources:
       - 'File: File Metadata'
+      identifier: T1195.002
     atomic_tests: []
   T1078.002:
     technique:

atomics/Indexes/iaas_azure-index.yaml

@@ -63058,6 +63058,7 @@ initial-access:
       x_mitre_version: '1.1'
       x_mitre_data_sources:
       - 'File: File Metadata'
+      identifier: T1195.002
     atomic_tests: []
   T1078.002:
     technique:

atomics/Indexes/iaas_gcp-index.yaml

@@ -62338,6 +62338,7 @@ initial-access:
       x_mitre_version: '1.1'
       x_mitre_data_sources:
       - 'File: File Metadata'
+      identifier: T1195.002
     atomic_tests: []
   T1078.002:
     technique:

atomics/Indexes/index.yaml

@@ -51008,6 +51008,47 @@ privilege-escalation:
         name: sh
         elevation_required: false
         command: 'echo "#{at_command}" | at #{time_spec}'
+    - name: At - Schedule a job via kubectl in a Pod
+      auto_generated_guid: 9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213
+      description: |
+        Launches a short-lived Ubuntu pod, installs the `at` utility, starts the `atd` daemon,
+        and submits a job with `at`. The pod is deleted after execution.
+      supported_platforms:
+      - containers
+      input_arguments:
+        image_name:
+          description: Name of the image
+          type: string
+          default: ubuntu
+        pod_name:
+          description: K8s pod name to execute the command in
+          type: string
+          default: atomic-at-schedule
+        time_spec:
+          description: Time specification of when the command should run
+          type: string
+          default: now + 1 minute
+        at_command:
+          description: The command to be run
+          type: string
+          default: echo Hello from Atomic Red Team
+      dependencies:
+      - description: kubectl must be installed and configured
+        get_prereq_command: 'echo "kubectl must be installed manually"
+
+          '
+        prereq_command: 'which kubectl
+
+          '
+      executor:
+        name: bash
+        elevation_required: false
+        command: 'kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach
+          --rm -i -- bash -lc "apt-get update -y >/dev/null 2>&1 && apt-get install
+          -y at >/dev/null 2>&1 && (atd || /usr/sbin/atd) && echo ''#{at_command}''
+          | at #{time_spec} && at -l"
+
+          '
   T1055.001:
     technique:
       type: attack-pattern
@@ -58939,6 +58980,47 @@ execution:
         name: sh
         elevation_required: false
         command: 'echo "#{at_command}" | at #{time_spec}'
+    - name: At - Schedule a job via kubectl in a Pod
+      auto_generated_guid: 9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213
+      description: |
+        Launches a short-lived Ubuntu pod, installs the `at` utility, starts the `atd` daemon,
+        and submits a job with `at`. The pod is deleted after execution.
+      supported_platforms:
+      - containers
+      input_arguments:
+        image_name:
+          description: Name of the image
+          type: string
+          default: ubuntu
+        pod_name:
+          description: K8s pod name to execute the command in
+          type: string
+          default: atomic-at-schedule
+        time_spec:
+          description: Time specification of when the command should run
+          type: string
+          default: now + 1 minute
+        at_command:
+          description: The command to be run
+          type: string
+          default: echo Hello from Atomic Red Team
+      dependencies:
+      - description: kubectl must be installed and configured
+        get_prereq_command: 'echo "kubectl must be installed manually"
+
+          '
+        prereq_command: 'which kubectl
+
+          '
+      executor:
+        name: bash
+        elevation_required: false
+        command: 'kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach
+          --rm -i -- bash -lc "apt-get update -y >/dev/null 2>&1 && apt-get install
+          -y at >/dev/null 2>&1 && (atd || /usr/sbin/atd) && echo ''#{at_command}''
+          | at #{time_spec} && at -l"
+
+          '
 persistence:
   T1053.005:
     technique:
@@ -77705,6 +77787,47 @@ persistence:
         name: sh
         elevation_required: false
         command: 'echo "#{at_command}" | at #{time_spec}'
+    - name: At - Schedule a job via kubectl in a Pod
+      auto_generated_guid: 9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213
+      description: |
+        Launches a short-lived Ubuntu pod, installs the `at` utility, starts the `atd` daemon,
+        and submits a job with `at`. The pod is deleted after execution.
+      supported_platforms:
+      - containers
+      input_arguments:
+        image_name:
+          description: Name of the image
+          type: string
+          default: ubuntu
+        pod_name:
+          description: K8s pod name to execute the command in
+          type: string
+          default: atomic-at-schedule
+        time_spec:
+          description: Time specification of when the command should run
+          type: string
+          default: now + 1 minute
+        at_command:
+          description: The command to be run
+          type: string
+          default: echo Hello from Atomic Red Team
+      dependencies:
+      - description: kubectl must be installed and configured
+        get_prereq_command: 'echo "kubectl must be installed manually"
+
+          '
+        prereq_command: 'which kubectl
+
+          '
+      executor:
+        name: bash
+        elevation_required: false
+        command: 'kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach
+          --rm -i -- bash -lc "apt-get update -y >/dev/null 2>&1 && apt-get install
+          -y at >/dev/null 2>&1 && (atd || /usr/sbin/atd) && echo ''#{at_command}''
+          | at #{time_spec} && at -l"
+
+          '
   T1556:
     technique:
       type: attack-pattern
@@ -124883,7 +125006,47 @@ initial-access:
       x_mitre_version: '1.1'
       x_mitre_data_sources:
       - 'File: File Metadata'
-    atomic_tests: []
+      identifier: T1195.002
+    atomic_tests:
+    - name: Simulate npm package installation on a Linux system
+      auto_generated_guid: a9604672-cd46-493b-b58f-fd4124c22dd3
+      description: 'Launches a short‑lived Kubernetes pod using the Node 18 image,
+        initializes a minimal npm project in /tmp/test, and installs the specified
+        npm package without audit/fund/package‑lock options, simulating potentially
+        suspicious package retrieval (e.g., typosquatting/dependency confusion) from
+        within a container. The pod is deleted after execution.
+
+        '
+      supported_platforms:
+      - containers
+      - linux
+      input_arguments:
+        image_name:
+          description: Name of the image
+          type: string
+          default: node:18
+        pod_name:
+          description: Name of the pod
+          type: string
+          default: atomic-npm-install
+        package_name:
+          description: NPM package to install
+          type: string
+          default: tinycolor
+      dependencies:
+      - description: kubectl must be installed and configured
+        get_prereq_command: echo "kubectl must be installed"
+        prereq_command: which kubectl
+      executor:
+        name: bash
+        elevation_required: false
+        command: 'kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach
+          --rm -i -- bash -lc "mkdir -p /tmp/test && cd /tmp/test && npm init -y >/dev/null
+          2>&1 && echo ''--- package.json before install ---'' && cat package.json
+          && npm install #{package_name} --no-audit --no-fund --no-package-lock &&
+          echo ''--- package.json after install ---'' && cat package.json"
+
+          '
   T1078.002:
     technique:
       type: attack-pattern

atomics/Indexes/linux-index.yaml

@@ -74330,7 +74330,47 @@ initial-access:
       x_mitre_version: '1.1'
       x_mitre_data_sources:
       - 'File: File Metadata'
-    atomic_tests: []
+      identifier: T1195.002
+    atomic_tests:
+    - name: Simulate npm package installation on a Linux system
+      auto_generated_guid: a9604672-cd46-493b-b58f-fd4124c22dd3
+      description: 'Launches a short‑lived Kubernetes pod using the Node 18 image,
+        initializes a minimal npm project in /tmp/test, and installs the specified
+        npm package without audit/fund/package‑lock options, simulating potentially
+        suspicious package retrieval (e.g., typosquatting/dependency confusion) from
+        within a container. The pod is deleted after execution.
+
+        '
+      supported_platforms:
+      - containers
+      - linux
+      input_arguments:
+        image_name:
+          description: Name of the image
+          type: string
+          default: node:18
+        pod_name:
+          description: Name of the pod
+          type: string
+          default: atomic-npm-install
+        package_name:
+          description: NPM package to install
+          type: string
+          default: tinycolor
+      dependencies:
+      - description: kubectl must be installed and configured
+        get_prereq_command: echo "kubectl must be installed"
+        prereq_command: which kubectl
+      executor:
+        name: bash
+        elevation_required: false
+        command: 'kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach
+          --rm -i -- bash -lc "mkdir -p /tmp/test && cd /tmp/test && npm init -y >/dev/null
+          2>&1 && echo ''--- package.json before install ---'' && cat package.json
+          && npm install #{package_name} --no-audit --no-fund --no-package-lock &&
+          echo ''--- package.json after install ---'' && cat package.json"
+
+          '
   T1078.002:
     technique:
       type: attack-pattern

atomics/Indexes/macos-index.yaml

@@ -69034,6 +69034,7 @@ initial-access:
       x_mitre_version: '1.1'
       x_mitre_data_sources:
       - 'File: File Metadata'
+      identifier: T1195.002
     atomic_tests: []
   T1078.002:
     technique:

atomics/Indexes/office-365-index.yaml

@@ -62095,6 +62095,7 @@ initial-access:
       x_mitre_version: '1.1'
       x_mitre_data_sources:
       - 'File: File Metadata'
+      identifier: T1195.002
     atomic_tests: []
   T1078.002:
     technique:

atomics/Indexes/saas-index.yaml

@@ -61674,6 +61674,7 @@ initial-access:
       x_mitre_version: '1.1'
       x_mitre_data_sources:
       - 'File: File Metadata'
+      identifier: T1195.002
     atomic_tests: []
   T1078.002:
     technique:

atomics/Indexes/windows-index.yaml

@@ -103203,6 +103203,7 @@ initial-access:
       x_mitre_version: '1.1'
       x_mitre_data_sources:
       - 'File: File Metadata'
+      identifier: T1195.002
     atomic_tests: []
   T1078.002:
     technique:

atomics/T1053.002/T1053.002.md

@@ -18,6 +18,8 @@ In Linux environments, adversaries may also abuse [at](https://attack.mitre.org/
 
 - [Atomic Test #2 - At - Schedule a job](#atomic-test-2---at---schedule-a-job)
 
+- [Atomic Test #3 - At - Schedule a job via kubectl in a Pod](#atomic-test-3---at---schedule-a-job-via-kubectl-in-a-pod)
+
 
 <br/>
 
@@ -104,4 +106,53 @@ echo 'Please start the `atd` daemon (sysv: `service atd start` ; systemd: `syste
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #3 - At - Schedule a job via kubectl in a Pod
+Launches a short-lived Ubuntu pod, installs the `at` utility, starts the `atd` daemon,
+and submits a job with `at`. The pod is deleted after execution.
+
+**Supported Platforms:** Containers
+
+
+**auto_generated_guid:** 9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| image_name | Name of the image | string | ubuntu|
+| pod_name | K8s pod name to execute the command in | string | atomic-at-schedule|
+| time_spec | Time specification of when the command should run | string | now + 1 minute|
+| at_command | The command to be run | string | echo Hello from Atomic Red Team|
+
+
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach --rm -i -- bash -lc "apt-get update -y >/dev/null 2>&1 && apt-get install -y at >/dev/null 2>&1 && (atd || /usr/sbin/atd) && echo '#{at_command}' | at #{time_spec} && at -l"
+```
+
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: kubectl must be installed and configured
+##### Check Prereq Commands:
+```bash
+which kubectl
+```
+##### Get Prereq Commands:
+```bash
+echo "kubectl must be installed manually"
+```
+
+
+
+
 <br/>

atomics/T1053.002/T1053.002.yaml

@@ -55,6 +55,7 @@ atomic_tests:
     command: |-
       echo "#{at_command}" | at #{time_spec}
 - name: At - Schedule a job via kubectl in a Pod
+  auto_generated_guid: 9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213
   description: |
     Launches a short-lived Ubuntu pod, installs the `at` utility, starts the `atd` daemon,
     and submits a job with `at`. The pod is deleted after execution.

atomics/T1195.002/T1195.002.md

@@ -0,0 +1,62 @@
+# T1195.002 - Compromise Software Supply Chain
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1195/002)
+<blockquote>
+
+Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.
+
+Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.(Citation: Avast CCleaner3 2018)(Citation: Command Five SK 2011)  
+
+</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Simulate npm package installation on a Linux system](#atomic-test-1---simulate-npm-package-installation-on-a-linux-system)
+
+
+<br/>
+
+## Atomic Test #1 - Simulate npm package installation on a Linux system
+Launches a short‑lived Kubernetes pod using the Node 18 image, initializes a minimal npm project in /tmp/test, and installs the specified npm package without audit/fund/package‑lock options, simulating potentially suspicious package retrieval (e.g., typosquatting/dependency confusion) from within a container. The pod is deleted after execution.
+
+**Supported Platforms:** Containers, Linux
+
+
+**auto_generated_guid:** a9604672-cd46-493b-b58f-fd4124c22dd3
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| image_name | Name of the image | string | node:18|
+| pod_name | Name of the pod | string | atomic-npm-install|
+| package_name | NPM package to install | string | tinycolor|
+
+
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach --rm -i -- bash -lc "mkdir -p /tmp/test && cd /tmp/test && npm init -y >/dev/null 2>&1 && echo '--- package.json before install ---' && cat package.json && npm install #{package_name} --no-audit --no-fund --no-package-lock && echo '--- package.json after install ---' && cat package.json"
+```
+
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: kubectl must be installed and configured
+##### Check Prereq Commands:
+```bash
+which kubectl
+```
+##### Get Prereq Commands:
+```bash
+echo "kubectl must be installed"
+```
+
+
+
+
+<br/>

atomics/T1195.002/T1195.002.yaml

@@ -2,6 +2,7 @@ attack_technique: T1195.002
 display_name: Compromise Software Supply Chain
 atomic_tests:
 - name: Simulate npm package installation on a Linux system
+  auto_generated_guid: a9604672-cd46-493b-b58f-fd4124c22dd3
   description: |
     Launches a short‑lived Kubernetes pod using the Node 18 image, initializes a minimal npm project in /tmp/test, and installs the specified npm package without audit/fund/package‑lock options, simulating potentially suspicious package retrieval (e.g., typosquatting/dependency confusion) from within a container. The pod is deleted after execution.
   supported_platforms:

atomics/used_guids.txt

@@ -1769,3 +1769,5 @@ ac333fe1-ce2b-400b-a117-538634427439
 6e76f56f-2373-4a6c-a63f-98b7b72761f1
 d9efa6c7-6518-42b2-809a-4f2a8e242b9b
 7e2ad0db-1efa-4af2-a77c-bc6e87d7b3f3
+9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213
+a9604672-cd46-493b-b58f-fd4124c22dd3