updating yaml

README.md

@@ -2,7 +2,7 @@
 
 # Atomic Red Team
 
-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1738-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1739-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
 
 
 Atomic Red Team™ is a library of tests mapped to the

atomics/Indexes/Indexes-CSV/index.csv

@@ -180,6 +180,7 @@ defense-evasion,T1140,Deobfuscate/Decode Files or Information,7,FreeBSD b64encod
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,8,Hex decoding with shell utilities,005943f9-8dd5-4349-8b46-0313c0a9f973,sh
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,9,Linux Base64 Encoded Shebang in CLI,3a15c372-67c1-4430-ac8e-ec06d641ce4d,sh
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,10,XOR decoding and command execution using Python,c3b65cd5-ee51-4e98-b6a3-6cbdec138efc,bash
+defense-evasion,T1140,Deobfuscate/Decode Files or Information,11,Expand CAB with expand.exe,9f8b1c54-cb76-4d5e-bb1f-2f5c0e8f5a11,command_prompt
 defense-evasion,T1562,Impair Defenses,1,Windows Disable LSA Protection,40075d5f-3a70-4c66-9125-f72bee87247d,command_prompt
 defense-evasion,T1562,Impair Defenses,2,Disable journal logging via systemctl utility,c3a377f9-1203-4454-aa35-9d391d34768f,sh
 defense-evasion,T1562,Impair Defenses,3,Disable journal logging via sed utility,12e5551c-8d5c-408e-b3e4-63f53b03379f,sh

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -105,6 +105,7 @@ defense-evasion,T1202,Indirect Command Execution,4,Indirect Command Execution -
 defense-evasion,T1202,Indirect Command Execution,5,Indirect Command Execution - RunMRU Dialog,de323a93-2f18-4bd5-ba60-d6fca6aeff76,powershell
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,1,Deobfuscate/Decode Files Or Information,dc6fe391-69e6-4506-bd06-ea5eeb4082f8,command_prompt
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,2,Certutil Rename and Decode,71abc534-3c05-4d0c-80f7-cbe93cb2aa94,command_prompt
+defense-evasion,T1140,Deobfuscate/Decode Files or Information,11,Expand CAB with expand.exe,9f8b1c54-cb76-4d5e-bb1f-2f5c0e8f5a11,command_prompt
 defense-evasion,T1562,Impair Defenses,1,Windows Disable LSA Protection,40075d5f-3a70-4c66-9125-f72bee87247d,command_prompt
 defense-evasion,T1055.003,Thread Execution Hijacking,1,Thread Execution Hijacking,578025d5-faa9-4f6d-8390-aae527d503e1,powershell
 defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,powershell

atomics/Indexes/Indexes-Markdown/index.md

@@ -229,6 +229,7 @@
   - Atomic Test #8: Hex decoding with shell utilities [linux, macos]
   - Atomic Test #9: Linux Base64 Encoded Shebang in CLI [linux, macos]
   - Atomic Test #10: XOR decoding and command execution using Python [linux, macos]
+  - Atomic Test #11: Expand CAB with expand.exe [windows]
 - [T1562 Impair Defenses](../../T1562/T1562.md)
   - Atomic Test #1: Windows Disable LSA Protection [windows]
   - Atomic Test #2: Disable journal logging via systemctl utility [linux]

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -142,6 +142,7 @@
 - [T1140 Deobfuscate/Decode Files or Information](../../T1140/T1140.md)
   - Atomic Test #1: Deobfuscate/Decode Files Or Information [windows]
   - Atomic Test #2: Certutil Rename and Decode [windows]
+  - Atomic Test #11: Expand CAB with expand.exe [windows]
 - [T1562 Impair Defenses](../../T1562/T1562.md)
   - Atomic Test #1: Windows Disable LSA Protection [windows]
 - [T1055.003 Thread Execution Hijacking](../../T1055.003/T1055.003.md)

atomics/Indexes/index.yaml

@@ -8682,6 +8682,36 @@ defense-evasion:
         cleanup_command:
         name: bash
         elevation_required: false
+    - name: Expand CAB with expand.exe
+      auto_generated_guid: 9f8b1c54-cb76-4d5e-bb1f-2f5c0e8f5a11
+      description: |
+        Uses expand.exe to extract a file from a CAB created locally. This simulates adversarial use of expand on cabinet archives.
+        Upon success, art-expand-source.txt is extracted next to the CAB.
+      supported_platforms:
+      - windows
+      input_arguments:
+        cab_path:
+          description: Path to the CAB to expand (created if missing)
+          type: path
+          default: "%TEMP%\\art-expand-test.cab"
+        output_dir:
+          description: Destination directory
+          type: path
+          default: "%TEMP%\\art-expand-out"
+      executor:
+        name: command_prompt
+        elevation_required: false
+        command: |
+          mkdir "#{output_dir}" >nul 2>&1
+          echo hello from atomic red team > "PathToAtomicsFolder\T1140\src\art-expand-source.txt"
+          makecab "PathToAtomicsFolder\T1140\src\art-expand-source.txt" "#{cab_path}"
+          pushd "#{output_dir}"
+          expand "#{cab_path}" -F:* .
+          popd
+        cleanup_command: |
+          del "PathToAtomicsFolder\T1140\src\art-expand-source.txt" >nul 2>&1
+          del "#{cab_path}" >nul 2>&1
+          rmdir "#{output_dir}" /s /q >nul 2>&1
   T1562:
     technique:
       type: attack-pattern

atomics/Indexes/windows-index.yaml

@@ -6667,6 +6667,36 @@ defense-evasion:
           del %temp%\T1140_calc2.txt >nul 2>&1
           del %temp%\T1140_calc2_decoded.exe >nul 2>&1
         name: command_prompt
+    - name: Expand CAB with expand.exe
+      auto_generated_guid: 9f8b1c54-cb76-4d5e-bb1f-2f5c0e8f5a11
+      description: |
+        Uses expand.exe to extract a file from a CAB created locally. This simulates adversarial use of expand on cabinet archives.
+        Upon success, art-expand-source.txt is extracted next to the CAB.
+      supported_platforms:
+      - windows
+      input_arguments:
+        cab_path:
+          description: Path to the CAB to expand (created if missing)
+          type: path
+          default: "%TEMP%\\art-expand-test.cab"
+        output_dir:
+          description: Destination directory
+          type: path
+          default: "%TEMP%\\art-expand-out"
+      executor:
+        name: command_prompt
+        elevation_required: false
+        command: |
+          mkdir "#{output_dir}" >nul 2>&1
+          echo hello from atomic red team > "PathToAtomicsFolder\T1140\src\art-expand-source.txt"
+          makecab "PathToAtomicsFolder\T1140\src\art-expand-source.txt" "#{cab_path}"
+          pushd "#{output_dir}"
+          expand "#{cab_path}" -F:* .
+          popd
+        cleanup_command: |
+          del "PathToAtomicsFolder\T1140\src\art-expand-source.txt" >nul 2>&1
+          del "#{cab_path}" >nul 2>&1
+          rmdir "#{output_dir}" /s /q >nul 2>&1
   T1562:
     technique:
       type: attack-pattern

atomics/T1053.002/T1053.002.yaml

@@ -54,3 +54,35 @@ atomic_tests:
     elevation_required: false
     command: |-
       echo "#{at_command}" | at #{time_spec}
+
+- name: At - Schedule a job via kubectl in a Pod
+  auto_generated_guid: 9c8a5a3e-1d64-4b4a-9f9a-0e6a9c1b5f2e
+  description: |
+    Launches a short-lived Ubuntu pod, installs the `at` utility, starts the `atd` daemon,
+    and submits a job with `at`. The pod is deleted after execution.
+  supported_platforms:
+  - containers
+  input_arguments:
+    pod_name:
+      description: K8s pod name to execute the command in
+      type: string
+      default: atomic-at-schedule
+    time_spec:
+      description: Time specification of when the command should run
+      type: string
+      default: now + 1 minute
+    at_command:
+      description: The command to be run
+      type: string
+      default: echo Hello from Atomic Red Team
+  dependencies:
+  - description: kubectl must be installed and configured
+    get_prereq_command: |
+      echo "kubectl must be installed manually"
+    prereq_command: |
+      which kubectl
+  executor:
+    name: bash
+    elevation_required: false
+    command: |
+      kubectl run #{pod_name} --image=ubuntu --restart=Never --attach --rm -i -- bash -lc "apt-get update -y >/dev/null 2>&1 && apt-get install -y at >/dev/null 2>&1 && (atd || /usr/sbin/atd) && echo '#{at_command}' | at #{time_spec} && at -l"

atomics/T1140/T1140.md

@@ -32,6 +32,8 @@ Sometimes a user's action may be required to open it for deobfuscation or decryp
 
 - [Atomic Test #10 - XOR decoding and command execution using Python](#atomic-test-10---xor-decoding-and-command-execution-using-python)
 
+- [Atomic Test #11 - Expand CAB with expand.exe](#atomic-test-11---expand-cab-with-expandexe)
+
 
 <br/>
 
@@ -498,4 +500,50 @@ echo "Install Python3"
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #11 - Expand CAB with expand.exe
+Uses expand.exe to extract a file from a CAB created locally. This simulates adversarial use of expand on cabinet archives.
+Upon success, art-expand-source.txt is extracted next to the CAB.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 9f8b1c54-cb76-4d5e-bb1f-2f5c0e8f5a11
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| cab_path | Path to the CAB to expand (created if missing) | path | %TEMP%&#92;art-expand-test.cab|
+| output_dir | Destination directory | path | %TEMP%&#92;art-expand-out|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+mkdir "#{output_dir}" >nul 2>&1
+echo hello from atomic red team > "PathToAtomicsFolder\T1140\src\art-expand-source.txt"
+makecab "PathToAtomicsFolder\T1140\src\art-expand-source.txt" "#{cab_path}"
+pushd "#{output_dir}"
+expand "#{cab_path}" -F:* .
+popd
+```
+
+#### Cleanup Commands:
+```cmd
+del "PathToAtomicsFolder\T1140\src\art-expand-source.txt" >nul 2>&1
+del "#{cab_path}" >nul 2>&1
+rmdir "#{output_dir}" /s /q >nul 2>&1
+```
+
+
+
+
+
 <br/>

atomics/T1140/T1140.yaml

@@ -300,5 +300,35 @@ atomic_tests:
     cleanup_command: 
     name: bash
     elevation_required: false
+- name: Expand CAB with expand.exe
+  auto_generated_guid: 9f8b1c54-cb76-4d5e-bb1f-2f5c0e8f5a11
+  description: |
+    Uses expand.exe to extract a file from a CAB created locally. This simulates adversarial use of expand on cabinet archives.
+    Upon success, art-expand-source.txt is extracted next to the CAB.
+  supported_platforms:
+  - windows
+  input_arguments:
+    cab_path:
+      description: Path to the CAB to expand (created if missing)
+      type: path
+      default: '%TEMP%\art-expand-test.cab'
+    output_dir:
+      description: Destination directory
+      type: path
+      default: '%TEMP%\art-expand-out'
+  executor:
+    name: command_prompt
+    elevation_required: false
+    command: |
+      mkdir "#{output_dir}" >nul 2>&1
+      echo hello from atomic red team > "PathToAtomicsFolder\T1140\src\art-expand-source.txt"
+      makecab "PathToAtomicsFolder\T1140\src\art-expand-source.txt" "#{cab_path}"
+      pushd "#{output_dir}"
+      expand "#{cab_path}" -F:* .
+      popd
+    cleanup_command: |
+      del "PathToAtomicsFolder\T1140\src\art-expand-source.txt" >nul 2>&1
+      del "#{cab_path}" >nul 2>&1
+      rmdir "#{output_dir}" /s /q >nul 2>&1
       
 

atomics/T1195.002/T1195.002.yaml

@@ -0,0 +1,27 @@
+attack_technique: T1195.002
+display_name: Compromise Software Supply Chain
+atomic_tests:
+- name: Simulate npm package installation on a Linux system
+  description: |
+    Launches a short‑lived Kubernetes pod using the Node 18 image, initializes a minimal npm project in /tmp/test, and installs the specified npm package without audit/fund/package‑lock options, simulating potentially suspicious package retrieval (e.g., typosquatting/dependency confusion) from within a container. The pod is deleted after execution.
+  supported_platforms:
+    - containers
+    - linux
+  input_arguments:
+    pod_name:
+      description: Name of the pod
+      type: string
+      default: atomic-npm-install
+    package_name:
+      description: NPM package to install
+      type: string
+      default: lodash
+  dependencies:
+    - description: kubectl must be installed and configured
+      get_prereq_command: echo "kubectl must be installed"
+      prereq_command: which kubectl
+  executor:
+      name: bash
+      elevation_required: false
+      command: |
+        kubectl run #{pod_name} --image=node:18 --restart=Never --attach --rm -i -- bash -lc "mkdir /tmp/test && cd /tmp/test && npm init -y >/dev/null 2>&1 && npm install #{package_name} --no-audit --no-fund --no-package-lock"