Generate docs from job=validate_atomics_generate_docs branch=master

CircleCI Atomic Red Team doc generator
2019-11-16 00:22:19 +00:00
parent 12518d69c4
commit 275eaa9f59
7 changed files with 270 additions and 9 deletions
+47
@@ -0,0 +1,47 @@
# T1504 - PowerShell Profile
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1504)
<blockquote>Adversaries may gain persistence and elevate privileges in certain situations by abusing [PowerShell](https://attack.mitre.org/techniques/T1086) profiles. A PowerShell profile (<code>profile.ps1</code>) is a script that runs when PowerShell starts and can be used as a logon script to customize user environments. PowerShell supports several profiles depending on the user or host program. For example, there can be different profiles for PowerShell host programs such as the PowerShell console, PowerShell ISE or Visual Studio Code. An administrator can also configure a profile that applies to all users and host programs on the local computer. (Citation: Microsoft About Profiles)
Adversaries may modify these profiles to include arbitrary commands, functions, modules, and/or PowerShell drives to gain persistence. Every time a user opens a PowerShell session the modified script will be executed unless the <code>-NoProfile</code> flag is used when it is launched. (Citation: ESET Turla PowerShell May 2019)
An adversary may also be able to escalate privileges if a script in a PowerShell profile is loaded and executed by an account with higher privileges, such as a domain administrator. (Citation: Wits End and Shady PowerShell Profiles)</blockquote>
## Atomic Tests
- [Atomic Test #1 - Append malicious start-process cmdlet](#atomic-test-1---append-malicious-start-process-cmdlet)
<br/>
## Atomic Test #1 - Append malicious start-process cmdlet
Appends a start process cmdlet to the current user's powershell profile pofile that points to a malicious executable
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| exe_path | Path the malicious executable | Path | calc.exe|
| ps_profile | Powershell profile to use | String | $profile|
#### Run it with `powershell`!
```
if(Test-Path #{ps_profile}){
}
else{
New-Item -Path #{ps_profile} -Type File -Force
}
$malicious = "Start-Process #{exe_path}"
Add-Content #{ps_profile} -Value $malicious
powershell -command exit
```
#### Cleanup Commands:
```
$oldprofile = cat $profile | Select-Object -skiplast 1
Set-Content $profile -Value $oldprofile
```
<br/>
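Review bot: the `if(Test-Path #{ps_profile}){ }` branch in the "Run it with `powershell`" block has an empty body, so all the work sits in `else`; negating the condition (`if(-not (Test-Path #{ps_profile})){ New-Item ... }`) says the same thing without the dead branch. In the same file, the test description has a typo ("powershell profile pofile") and the `exe_path` input description is missing a word ("Path the malicious executable"). The commit message says these docs are generated, so the fixes belong in the atomic's YAML definition, followed by a regenerate.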
File diff suppressed because one or more lines are too long
+4 -2
@@ -100,7 +100,8 @@
- Atomic Test #1: Plist Modification [macos]
- T1205 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1013 Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1504 PowerShell Profile [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1504 PowerShell Profile](./T1504/T1504.md)
- Atomic Test #1: Append malicious start-process cmdlet [windows]
- [T1163 Rc.common](./T1163/T1163.md)
- Atomic Test #1: rc.common [macos]
- [T1164 Re-opened Applications](./T1164/T1164.md)
@@ -438,7 +439,8 @@
- [T1150 Plist Modification](./T1150/T1150.md)
- Atomic Test #1: Plist Modification [macos]
- T1013 Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1504 PowerShell Profile [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1504 PowerShell Profile](./T1504/T1504.md)
- Atomic Test #1: Append malicious start-process cmdlet [windows]
- [T1055 Process Injection](./T1055/T1055.md)
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- Atomic Test #2: Process Injection via PowerSploit [windows]
+210
@@ -3375,6 +3375,111 @@ persistence:
~/Library/Preferences
2. Subsequently, follow the steps for adding and running via [Launch Agent](Persistence/Launch_Agent.md)
T1504:
technique:
x_mitre_data_sources:
- Process monitoring
- File monitoring
- PowerShell logs
x_mitre_permissions_required:
- User
- Administrator
name: PowerShell Profile
description: "Adversaries may gain persistence and elevate privileges in certain
situations by abusing [PowerShell](https://attack.mitre.org/techniques/T1086)
profiles. A PowerShell profile (<code>profile.ps1</code>) is a script that
runs when PowerShell starts and can be used as a logon script to customize
user environments. PowerShell supports several profiles depending on the user
or host program. For example, there can be different profiles for PowerShell
host programs such as the PowerShell console, PowerShell ISE or Visual Studio
Code. An administrator can also configure a profile that applies to all users
and host programs on the local computer. (Citation: Microsoft About Profiles)
\n\nAdversaries may modify these profiles to include arbitrary commands, functions,
modules, and/or PowerShell drives to gain persistence. Every time a user opens
a PowerShell session the modified script will be executed unless the <code>-NoProfile</code>
flag is used when it is launched. (Citation: ESET Turla PowerShell May 2019)
\n\nAn adversary may also be able to escalate privileges if a script in a
PowerShell profile is loaded and executed by an account with higher privileges,
such as a domain administrator. (Citation: Wits End and Shady PowerShell Profiles)"
id: attack-pattern--723e3a2b-ca0d-4daa-ada8-82ea35d3733a
x_mitre_platforms:
- Windows
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_version: '1.0'
type: attack-pattern
x_mitre_detection: |-
Locations where <code>profile.ps1</code> can be stored should be monitored for new profiles or modifications. (Citation: Malware Archaeology PowerShell Cheat Sheet) Example profile locations include:
* <code>$PsHome\Profile.ps1</code>
* <code>$PsHome\Microsoft.{HostProgram}_profile.ps1</code>
* <code>$Home\My Documents\PowerShell\Profile.ps1</code>
* <code>$Home\My Documents\PowerShell\Microsoft.{HostProgram}_profile.ps1</code>
Monitor abnormal PowerShell commands, unusual loading of PowerShell drives or modules, and/or execution of unknown programs.
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_contributors:
- Allen DeRyke, ICE
created: '2019-06-14T18:53:49.472Z'
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
external_references:
- source_name: mitre-attack
external_id: T1504
url: https://attack.mitre.org/techniques/T1504
- description: Microsoft. (2017, November 29). About Profiles. Retrieved June
14, 2019.
source_name: Microsoft About Profiles
url: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-6
- description: Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell
usage. Retrieved June 14, 2019.
source_name: ESET Turla PowerShell May 2019
url: https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/
- description: 'DeRyke, A.. (2019, June 7). Lab Notes: Persistence and Privilege
Elevation using the Powershell Profile. Retrieved July 8, 2019.'
source_name: Wits End and Shady PowerShell Profiles
url: https://witsendandshady.blogspot.com/2019/06/lab-notes-persistence-and-privilege.html
- source_name: Malware Archaeology PowerShell Cheat Sheet
description: Malware Archaeology. (2016, June). WINDOWS POWERSHELL LOGGING
CHEAT SHEET - Win 7/Win 2008 or later. Retrieved June 24, 2016.
url: http://www.malwarearchaeology.com/s/Windows-PowerShell-Logging-Cheat-Sheet-ver-June-2016-v2.pdf
modified: '2019-07-19T14:46:24.213Z'
identifier: T1504
atomic_tests:
- name: Append malicious start-process cmdlet
description: 'Appends a start process cmdlet to the current user''s powershell
profile pofile that points to a malicious executable
'
supported_platforms:
- windows
input_arguments:
exe_path:
description: Path the malicious executable
type: Path
default: calc.exe
ps_profile:
description: Powershell profile to use
type: String
default: "$profile"
executor:
name: powershell
elevation_required: false
command: |
if(Test-Path #{ps_profile}){
}
else{
New-Item -Path #{ps_profile} -Type File -Force
}
$malicious = "Start-Process #{exe_path}"
Add-Content #{ps_profile} -Value $malicious
powershell -command exit
cleanup_command: |-
$oldprofile = cat $profile | Select-Object -skiplast 1
Set-Content $profile -Value $oldprofile
T1163:
technique:
x_mitre_permissions_required:
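Review bot: `cleanup_command` edits `$profile` while `command` writes to `#{ps_profile}`, so a run with a non-default `ps_profile` leaves the appended `Start-Process` line in the target file and instead drops the last line of the current user's own profile. Use `#{ps_profile}` in both cleanup lines. Cleanup also never removes a profile that `New-Item` created for the test, so a host that had no profile before the run is left with one afterwards; tracking whether the file pre-existed and deleting it in that case would restore the original state.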
@@ -12887,6 +12992,111 @@ privilege-escalation:
~/Library/Preferences
2. Subsequently, follow the steps for adding and running via [Launch Agent](Persistence/Launch_Agent.md)
T1504:
technique:
x_mitre_data_sources:
- Process monitoring
- File monitoring
- PowerShell logs
x_mitre_permissions_required:
- User
- Administrator
name: PowerShell Profile
description: "Adversaries may gain persistence and elevate privileges in certain
situations by abusing [PowerShell](https://attack.mitre.org/techniques/T1086)
profiles. A PowerShell profile (<code>profile.ps1</code>) is a script that
runs when PowerShell starts and can be used as a logon script to customize
user environments. PowerShell supports several profiles depending on the user
or host program. For example, there can be different profiles for PowerShell
host programs such as the PowerShell console, PowerShell ISE or Visual Studio
Code. An administrator can also configure a profile that applies to all users
and host programs on the local computer. (Citation: Microsoft About Profiles)
\n\nAdversaries may modify these profiles to include arbitrary commands, functions,
modules, and/or PowerShell drives to gain persistence. Every time a user opens
a PowerShell session the modified script will be executed unless the <code>-NoProfile</code>
flag is used when it is launched. (Citation: ESET Turla PowerShell May 2019)
\n\nAn adversary may also be able to escalate privileges if a script in a
PowerShell profile is loaded and executed by an account with higher privileges,
such as a domain administrator. (Citation: Wits End and Shady PowerShell Profiles)"
id: attack-pattern--723e3a2b-ca0d-4daa-ada8-82ea35d3733a
x_mitre_platforms:
- Windows
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_version: '1.0'
type: attack-pattern
x_mitre_detection: |-
Locations where <code>profile.ps1</code> can be stored should be monitored for new profiles or modifications. (Citation: Malware Archaeology PowerShell Cheat Sheet) Example profile locations include:
* <code>$PsHome\Profile.ps1</code>
* <code>$PsHome\Microsoft.{HostProgram}_profile.ps1</code>
* <code>$Home\My Documents\PowerShell\Profile.ps1</code>
* <code>$Home\My Documents\PowerShell\Microsoft.{HostProgram}_profile.ps1</code>
Monitor abnormal PowerShell commands, unusual loading of PowerShell drives or modules, and/or execution of unknown programs.
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_contributors:
- Allen DeRyke, ICE
created: '2019-06-14T18:53:49.472Z'
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
external_references:
- source_name: mitre-attack
external_id: T1504
url: https://attack.mitre.org/techniques/T1504
- description: Microsoft. (2017, November 29). About Profiles. Retrieved June
14, 2019.
source_name: Microsoft About Profiles
url: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-6
- description: Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell
usage. Retrieved June 14, 2019.
source_name: ESET Turla PowerShell May 2019
url: https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/
- description: 'DeRyke, A.. (2019, June 7). Lab Notes: Persistence and Privilege
Elevation using the Powershell Profile. Retrieved July 8, 2019.'
source_name: Wits End and Shady PowerShell Profiles
url: https://witsendandshady.blogspot.com/2019/06/lab-notes-persistence-and-privilege.html
- source_name: Malware Archaeology PowerShell Cheat Sheet
description: Malware Archaeology. (2016, June). WINDOWS POWERSHELL LOGGING
CHEAT SHEET - Win 7/Win 2008 or later. Retrieved June 24, 2016.
url: http://www.malwarearchaeology.com/s/Windows-PowerShell-Logging-Cheat-Sheet-ver-June-2016-v2.pdf
modified: '2019-07-19T14:46:24.213Z'
identifier: T1504
atomic_tests:
- name: Append malicious start-process cmdlet
description: 'Appends a start process cmdlet to the current user''s powershell
profile pofile that points to a malicious executable
'
supported_platforms:
- windows
input_arguments:
exe_path:
description: Path the malicious executable
type: Path
default: calc.exe
ps_profile:
description: Powershell profile to use
type: String
default: "$profile"
executor:
name: powershell
elevation_required: false
command: |
if(Test-Path #{ps_profile}){
}
else{
New-Item -Path #{ps_profile} -Type File -Force
}
$malicious = "Start-Process #{exe_path}"
Add-Content #{ps_profile} -Value $malicious
powershell -command exit
cleanup_command: |-
$oldprofile = cat $profile | Select-Object -skiplast 1
Set-Content $profile -Value $oldprofile
T1055:
technique:
x_mitre_permissions_required:
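Review bot: under `privilege-escalation` this entry still has `elevation_required: false` and a default `ps_profile` of `$profile`, so it only exercises the current-user persistence case. Nothing in `command` touches the all-users locations listed in `x_mitre_detection` (for example `$PsHome\Profile.ps1`) or has the profile loaded by a more privileged account, which is the escalation path the technique description names. The test `description` should state that scope so that coverage reported for this tactic is not overstated.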
+2 -2
@@ -22,7 +22,7 @@
| | [Regsvr32](./T1117/T1117.md) | File System Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disabling Security Tools](./T1089/T1089.md) | [Private Keys](./T1145/T1145.md) | [System Information Discovery](./T1082/T1082.md) | [Windows Admin Shares](./T1077/T1077.md) | | | Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Rundll32](./T1085/T1085.md) | [Hidden Files and Directories](./T1158/T1158.md) | [Plist Modification](./T1150/T1150.md) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](./T1016/T1016.md) | [Windows Remote Management](./T1028/T1028.md) | | | Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Scheduled Task](./T1053/T1053.md) | [Hooking](./T1179/T1179.md) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](./T1049/T1049.md) | | | | [Uncommonly Used Port](./T1065/T1065.md) |
| | [Scripting](./T1064/T1064.md) | [Hypervisor](./T1062/T1062.md) | PowerShell Profile [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Owner/User Discovery](./T1033/T1033.md) | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Scripting](./T1064/T1064.md) | [Hypervisor](./T1062/T1062.md) | [PowerShell Profile](./T1504/T1504.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Owner/User Discovery](./T1033/T1033.md) | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Service Execution](./T1035/T1035.md) | [Image File Execution Options Injection](./T1183/T1183.md) | [Process Injection](./T1055/T1055.md) | [File Deletion](./T1107/T1107.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Service Discovery](./T1007/T1007.md) | | | | |
| | [Signed Binary Proxy Execution](./T1218/T1218.md) | Implant Container Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | File System Logical Offsets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Time Discovery](./T1124/T1124.md) | | | | |
| | [Signed Script Proxy Execution](./T1216/T1216.md) | [Kernel Modules and Extensions](./T1215/T1215.md) | [Scheduled Task](./T1053/T1053.md) | [File and Directory Permissions Modification](./T1222/T1222.md) | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | |
@@ -42,7 +42,7 @@
| | | [Plist Modification](./T1150/T1150.md) | | LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Launchctl](./T1152/T1152.md) | | | | | | |
| | | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Masquerading](./T1036/T1036.md) | | | | | | |
| | | PowerShell Profile [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Modify Registry](./T1112/T1112.md) | | | | | | |
| | | [PowerShell Profile](./T1504/T1504.md) | | [Modify Registry](./T1112/T1112.md) | | | | | | |
| | | [Rc.common](./T1163/T1163.md) | | [Mshta](./T1170/T1170.md) | | | | | | |
| | | [Re-opened Applications](./T1164/T1164.md) | | [NTFS File Attributes](./T1096/T1096.md) | | | | | | |
| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Network Share Connection Removal](./T1126/T1126.md) | | | | | | |
+4 -2
@@ -211,7 +211,8 @@
- T1502 Parent PID Spoofing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1034 Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1013 Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1504 PowerShell Profile [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1504 PowerShell Profile](./T1504/T1504.md)
- Atomic Test #1: Append malicious start-process cmdlet [windows]
- [T1055 Process Injection](./T1055/T1055.md)
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- Atomic Test #2: Process Injection via PowerSploit [windows]
@@ -293,7 +294,8 @@
- Atomic Test #1: DDEAUTO [windows]
- T1034 Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1013 Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1504 PowerShell Profile [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1504 PowerShell Profile](./T1504/T1504.md)
- Atomic Test #1: Append malicious start-process cmdlet [windows]
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1060 Registry Run Keys / Startup Folder](./T1060/T1060.md)
- Atomic Test #1: Reg Key Run [windows]
+2 -2
@@ -17,7 +17,7 @@
| | [PowerShell](./T1086/T1086.md) | [DLL Search Order Hijacking](./T1038/T1038.md) | Parent PID Spoofing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](./T1038/T1038.md) | [Network Sniffing](./T1040/T1040.md) | [Remote System Discovery](./T1018/T1018.md) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Regsvcs/Regasm](./T1121/T1121.md) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DLL Side-Loading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Filter DLL](./T1174/T1174.md) | [Security Software Discovery](./T1063/T1063.md) | [Windows Admin Shares](./T1077/T1077.md) | | | Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Regsvr32](./T1117/T1117.md) | File System Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deobfuscate/Decode Files or Information](./T1140/T1140.md) | [Private Keys](./T1145/T1145.md) | [Software Discovery](./T1518/T1518.md) | [Windows Remote Management](./T1028/T1028.md) | | | [Remote File Copy](./T1105/T1105.md) |
| | [Rundll32](./T1085/T1085.md) | [Hidden Files and Directories](./T1158/T1158.md) | PowerShell Profile [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disabling Security Tools](./T1089/T1089.md) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](./T1082/T1082.md) | | | | [Standard Application Layer Protocol](./T1071/T1071.md) |
| | [Rundll32](./T1085/T1085.md) | [Hidden Files and Directories](./T1158/T1158.md) | [PowerShell Profile](./T1504/T1504.md) | [Disabling Security Tools](./T1089/T1089.md) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](./T1082/T1082.md) | | | | [Standard Application Layer Protocol](./T1071/T1071.md) |
| | [Scheduled Task](./T1053/T1053.md) | [Hooking](./T1179/T1179.md) | [Process Injection](./T1055/T1055.md) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](./T1016/T1016.md) | | | | Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Scripting](./T1064/T1064.md) | [Hypervisor](./T1062/T1062.md) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Network Connections Discovery](./T1049/T1049.md) | | | | Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Service Execution](./T1035/T1035.md) | [Image File Execution Options Injection](./T1183/T1183.md) | [Scheduled Task](./T1053/T1053.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Owner/User Discovery](./T1033/T1033.md) | | | | [Uncommonly Used Port](./T1065/T1065.md) |
@@ -29,7 +29,7 @@
| | [Windows Management Instrumentation](./T1047/T1047.md) | [Office Application Startup](./T1137/T1137.md) | | Hidden Window [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | [Windows Remote Management](./T1028/T1028.md) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Image File Execution Options Injection](./T1183/T1183.md) | | | | | | |
| | [XSL Script Processing](./T1220/T1220.md) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | PowerShell Profile [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | [PowerShell Profile](./T1504/T1504.md) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Indicator Removal on Host](./T1070/T1070.md) | | | | | | |
| | | [Registry Run Keys / Startup Folder](./T1060/T1060.md) | | [Indirect Command Execution](./T1202/T1202.md) | | | | | | |
| | | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Install Root Certificate](./T1130/T1130.md) | | | | | | |