Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -1168,17 +1168,18 @@ credential-access,T1003.005,OS Credential Dumping: Cached Domain Credentials,1,C
 credential-access,T1558.001,Steal or Forge Kerberos Tickets: Golden Ticket,1,Crafting Active Directory golden tickets with mimikatz,9726592a-dabc-4d4d-81cd-44070008b3af,powershell
 credential-access,T1558.001,Steal or Forge Kerberos Tickets: Golden Ticket,2,Crafting Active Directory golden tickets with Rubeus,e42d33cd-205c-4acf-ab59-a9f38f6bad9c,powershell
 credential-access,T1552.003,Unsecured Credentials: Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
-credential-access,T1552.001,Unsecured Credentials: Credentials In Files,1,Extract Browser and System credentials with LaZagne,9e507bb8-1d30-4e3b-a49b-cb5727d7ea79,bash
-credential-access,T1552.001,Unsecured Credentials: Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
-credential-access,T1552.001,Unsecured Credentials: Credentials In Files,3,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell
-credential-access,T1552.001,Unsecured Credentials: Credentials In Files,4,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt
-credential-access,T1552.001,Unsecured Credentials: Credentials In Files,5,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
-credential-access,T1552.001,Unsecured Credentials: Credentials In Files,6,WinPwn - sensitivefiles,114dd4e3-8d1c-4ea7-bb8d-8d8f6aca21f0,powershell
-credential-access,T1552.001,Unsecured Credentials: Credentials In Files,7,WinPwn - Snaffler,fdd0c913-714b-4c13-b40f-1824d6c015f2,powershell
-credential-access,T1552.001,Unsecured Credentials: Credentials In Files,8,WinPwn - powershellsensitive,75f66e03-37d3-4704-9520-3210efbe33ce,powershell
-credential-access,T1552.001,Unsecured Credentials: Credentials In Files,9,WinPwn - passhunt,00e3e3c7-6c3c-455e-bd4b-461c7f0e7797,powershell
-credential-access,T1552.001,Unsecured Credentials: Credentials In Files,10,WinPwn - SessionGopher,c9dc9de3-f961-4284-bd2d-f959c9f9fda5,powershell
-credential-access,T1552.001,Unsecured Credentials: Credentials In Files,11,"WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials",aaa87b0e-5232-4649-ae5c-f1724a4b2798,powershell
+credential-access,T1552.001,Unsecured Credentials: Credentials In Files,1,Find AWS credentials,2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17,sh
+credential-access,T1552.001,Unsecured Credentials: Credentials In Files,2,Extract Browser and System credentials with LaZagne,9e507bb8-1d30-4e3b-a49b-cb5727d7ea79,bash
+credential-access,T1552.001,Unsecured Credentials: Credentials In Files,3,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
+credential-access,T1552.001,Unsecured Credentials: Credentials In Files,4,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell
+credential-access,T1552.001,Unsecured Credentials: Credentials In Files,5,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt
+credential-access,T1552.001,Unsecured Credentials: Credentials In Files,6,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
+credential-access,T1552.001,Unsecured Credentials: Credentials In Files,7,WinPwn - sensitivefiles,114dd4e3-8d1c-4ea7-bb8d-8d8f6aca21f0,powershell
+credential-access,T1552.001,Unsecured Credentials: Credentials In Files,8,WinPwn - Snaffler,fdd0c913-714b-4c13-b40f-1824d6c015f2,powershell
+credential-access,T1552.001,Unsecured Credentials: Credentials In Files,9,WinPwn - powershellsensitive,75f66e03-37d3-4704-9520-3210efbe33ce,powershell
+credential-access,T1552.001,Unsecured Credentials: Credentials In Files,10,WinPwn - passhunt,00e3e3c7-6c3c-455e-bd4b-461c7f0e7797,powershell
+credential-access,T1552.001,Unsecured Credentials: Credentials In Files,11,WinPwn - SessionGopher,c9dc9de3-f961-4284-bd2d-f959c9f9fda5,powershell
+credential-access,T1552.001,Unsecured Credentials: Credentials In Files,12,"WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials",aaa87b0e-5232-4649-ae5c-f1724a4b2798,powershell
 credential-access,T1528,Steal Application Access Token,1,Azure - Dump All Azure Key Vaults with Microburst,1b83cddb-eaa7-45aa-98a5-85fb0a8807ea,powershell
 credential-access,T1552.006,Unsecured Credentials: Group Policy Preferences,1,GPP Passwords (findstr),870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f,command_prompt
 credential-access,T1552.006,Unsecured Credentials: Group Policy Preferences,2,GPP Passwords (Get-GPPPassword),e9584f82-322c-474a-b831-940fd8b4455c,powershell

atomics/Indexes/Indexes-CSV/linux-index.csv

@@ -199,8 +199,9 @@ credential-access,T1552.004,Unsecured Credentials: Private Keys,3,Copy Private S
 credential-access,T1552.004,Unsecured Credentials: Private Keys,4,Copy Private SSH Keys with rsync,864bb0b2-6bb5-489a-b43b-a77b3a16d68a,sh
 credential-access,T1552.004,Unsecured Credentials: Private Keys,5,Copy the users GnuPG directory with rsync,2a5a0601-f5fb-4e2e-aa09-73282ae6afca,sh
 credential-access,T1552.003,Unsecured Credentials: Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
-credential-access,T1552.001,Unsecured Credentials: Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
-credential-access,T1552.001,Unsecured Credentials: Credentials In Files,5,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
+credential-access,T1552.001,Unsecured Credentials: Credentials In Files,1,Find AWS credentials,2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17,sh
+credential-access,T1552.001,Unsecured Credentials: Credentials In Files,3,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
+credential-access,T1552.001,Unsecured Credentials: Credentials In Files,6,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
 credential-access,T1110.004,Brute Force: Credential Stuffing,1,SSH Credential Stuffing From Linux,4f08197a-2a8a-472d-9589-cd2895ef22ad,bash
 credential-access,T1003.008,OS Credential Dumping: /etc/passwd and /etc/shadow,1,Access /etc/shadow (Local),3723ab77-c546-403c-8fb4-bb577033b235,bash
 credential-access,T1003.008,OS Credential Dumping: /etc/passwd and /etc/shadow,2,Access /etc/passwd (Local),60e860b6-8ae6-49db-ad07-5e73edd88f5d,sh

atomics/Indexes/Indexes-CSV/macos-index.csv

@@ -165,9 +165,10 @@ credential-access,T1552.004,Unsecured Credentials: Private Keys,2,Discover Priva
 credential-access,T1552.004,Unsecured Credentials: Private Keys,4,Copy Private SSH Keys with rsync,864bb0b2-6bb5-489a-b43b-a77b3a16d68a,sh
 credential-access,T1552.004,Unsecured Credentials: Private Keys,5,Copy the users GnuPG directory with rsync,2a5a0601-f5fb-4e2e-aa09-73282ae6afca,sh
 credential-access,T1552.003,Unsecured Credentials: Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
-credential-access,T1552.001,Unsecured Credentials: Credentials In Files,1,Extract Browser and System credentials with LaZagne,9e507bb8-1d30-4e3b-a49b-cb5727d7ea79,bash
-credential-access,T1552.001,Unsecured Credentials: Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
-credential-access,T1552.001,Unsecured Credentials: Credentials In Files,5,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
+credential-access,T1552.001,Unsecured Credentials: Credentials In Files,1,Find AWS credentials,2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17,sh
+credential-access,T1552.001,Unsecured Credentials: Credentials In Files,2,Extract Browser and System credentials with LaZagne,9e507bb8-1d30-4e3b-a49b-cb5727d7ea79,bash
+credential-access,T1552.001,Unsecured Credentials: Credentials In Files,3,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
+credential-access,T1552.001,Unsecured Credentials: Credentials In Files,6,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
 credential-access,T1056.002,Input Capture: GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
 credential-access,T1110.004,Brute Force: Credential Stuffing,2,SSH Credential Stuffing From MacOS,d546a3d9-0be5-40c7-ad82-5a7d79e1b66b,bash
 discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b677d-a230-44f4-ad86-782df1ef108c,sh

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -804,14 +804,14 @@ credential-access,T1110.003,Brute Force: Password Spraying,8,Password Spray usin
 credential-access,T1003.005,OS Credential Dumping: Cached Domain Credentials,1,Cached Credential Dump via Cmdkey,56506854-89d6-46a3-9804-b7fde90791f9,command_prompt
 credential-access,T1558.001,Steal or Forge Kerberos Tickets: Golden Ticket,1,Crafting Active Directory golden tickets with mimikatz,9726592a-dabc-4d4d-81cd-44070008b3af,powershell
 credential-access,T1558.001,Steal or Forge Kerberos Tickets: Golden Ticket,2,Crafting Active Directory golden tickets with Rubeus,e42d33cd-205c-4acf-ab59-a9f38f6bad9c,powershell
-credential-access,T1552.001,Unsecured Credentials: Credentials In Files,3,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell
-credential-access,T1552.001,Unsecured Credentials: Credentials In Files,4,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt
-credential-access,T1552.001,Unsecured Credentials: Credentials In Files,6,WinPwn - sensitivefiles,114dd4e3-8d1c-4ea7-bb8d-8d8f6aca21f0,powershell
-credential-access,T1552.001,Unsecured Credentials: Credentials In Files,7,WinPwn - Snaffler,fdd0c913-714b-4c13-b40f-1824d6c015f2,powershell
-credential-access,T1552.001,Unsecured Credentials: Credentials In Files,8,WinPwn - powershellsensitive,75f66e03-37d3-4704-9520-3210efbe33ce,powershell
-credential-access,T1552.001,Unsecured Credentials: Credentials In Files,9,WinPwn - passhunt,00e3e3c7-6c3c-455e-bd4b-461c7f0e7797,powershell
-credential-access,T1552.001,Unsecured Credentials: Credentials In Files,10,WinPwn - SessionGopher,c9dc9de3-f961-4284-bd2d-f959c9f9fda5,powershell
-credential-access,T1552.001,Unsecured Credentials: Credentials In Files,11,"WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials",aaa87b0e-5232-4649-ae5c-f1724a4b2798,powershell
+credential-access,T1552.001,Unsecured Credentials: Credentials In Files,4,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell
+credential-access,T1552.001,Unsecured Credentials: Credentials In Files,5,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt
+credential-access,T1552.001,Unsecured Credentials: Credentials In Files,7,WinPwn - sensitivefiles,114dd4e3-8d1c-4ea7-bb8d-8d8f6aca21f0,powershell
+credential-access,T1552.001,Unsecured Credentials: Credentials In Files,8,WinPwn - Snaffler,fdd0c913-714b-4c13-b40f-1824d6c015f2,powershell
+credential-access,T1552.001,Unsecured Credentials: Credentials In Files,9,WinPwn - powershellsensitive,75f66e03-37d3-4704-9520-3210efbe33ce,powershell
+credential-access,T1552.001,Unsecured Credentials: Credentials In Files,10,WinPwn - passhunt,00e3e3c7-6c3c-455e-bd4b-461c7f0e7797,powershell
+credential-access,T1552.001,Unsecured Credentials: Credentials In Files,11,WinPwn - SessionGopher,c9dc9de3-f961-4284-bd2d-f959c9f9fda5,powershell
+credential-access,T1552.001,Unsecured Credentials: Credentials In Files,12,"WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials",aaa87b0e-5232-4649-ae5c-f1724a4b2798,powershell
 credential-access,T1552.006,Unsecured Credentials: Group Policy Preferences,1,GPP Passwords (findstr),870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f,command_prompt
 credential-access,T1552.006,Unsecured Credentials: Group Policy Preferences,2,GPP Passwords (Get-GPPPassword),e9584f82-322c-474a-b831-940fd8b4455c,powershell
 credential-access,T1056.002,Input Capture: GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell

atomics/Indexes/Indexes-Markdown/index.md

@@ -1851,17 +1851,18 @@
 - [T1552.003 Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md)
   - Atomic Test #1: Search Through Bash History [linux, macos]
 - [T1552.001 Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md)
-  - Atomic Test #1: Extract Browser and System credentials with LaZagne [macos]
-  - Atomic Test #2: Extract passwords with grep [macos, linux]
-  - Atomic Test #3: Extracting passwords with findstr [windows]
-  - Atomic Test #4: Access unattend.xml [windows]
-  - Atomic Test #5: Find and Access Github Credentials [macos, linux]
-  - Atomic Test #6: WinPwn - sensitivefiles [windows]
-  - Atomic Test #7: WinPwn - Snaffler [windows]
-  - Atomic Test #8: WinPwn - powershellsensitive [windows]
-  - Atomic Test #9: WinPwn - passhunt [windows]
-  - Atomic Test #10: WinPwn - SessionGopher [windows]
-  - Atomic Test #11: WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials [windows]
+  - Atomic Test #1: Find AWS credentials [macos, linux]
+  - Atomic Test #2: Extract Browser and System credentials with LaZagne [macos]
+  - Atomic Test #3: Extract passwords with grep [macos, linux]
+  - Atomic Test #4: Extracting passwords with findstr [windows]
+  - Atomic Test #5: Access unattend.xml [windows]
+  - Atomic Test #6: Find and Access Github Credentials [macos, linux]
+  - Atomic Test #7: WinPwn - sensitivefiles [windows]
+  - Atomic Test #8: WinPwn - Snaffler [windows]
+  - Atomic Test #9: WinPwn - powershellsensitive [windows]
+  - Atomic Test #10: WinPwn - passhunt [windows]
+  - Atomic Test #11: WinPwn - SessionGopher [windows]
+  - Atomic Test #12: WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials [windows]
 - T1606.001 Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1528 Steal Application Access Token](../../T1528/T1528.md)
   - Atomic Test #1: Azure - Dump All Azure Key Vaults with Microburst [iaas:azure]

atomics/Indexes/Indexes-Markdown/linux-index.md

@@ -438,8 +438,9 @@
 - [T1552.003 Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md)
   - Atomic Test #1: Search Through Bash History [linux, macos]
 - [T1552.001 Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md)
-  - Atomic Test #2: Extract passwords with grep [macos, linux]
-  - Atomic Test #5: Find and Access Github Credentials [macos, linux]
+  - Atomic Test #1: Find AWS credentials [macos, linux]
+  - Atomic Test #3: Extract passwords with grep [macos, linux]
+  - Atomic Test #6: Find and Access Github Credentials [macos, linux]
 - T1606.001 Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1606 Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1621 Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/macos-index.md

@@ -440,9 +440,10 @@
 - [T1552.003 Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md)
   - Atomic Test #1: Search Through Bash History [linux, macos]
 - [T1552.001 Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md)
-  - Atomic Test #1: Extract Browser and System credentials with LaZagne [macos]
-  - Atomic Test #2: Extract passwords with grep [macos, linux]
-  - Atomic Test #5: Find and Access Github Credentials [macos, linux]
+  - Atomic Test #1: Find AWS credentials [macos, linux]
+  - Atomic Test #2: Extract Browser and System credentials with LaZagne [macos]
+  - Atomic Test #3: Extract passwords with grep [macos, linux]
+  - Atomic Test #6: Find and Access Github Credentials [macos, linux]
 - T1606.001 Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1141 Input Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1606 Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -1309,14 +1309,14 @@
   - Atomic Test #1: Crafting Active Directory golden tickets with mimikatz [windows]
   - Atomic Test #2: Crafting Active Directory golden tickets with Rubeus [windows]
 - [T1552.001 Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md)
-  - Atomic Test #3: Extracting passwords with findstr [windows]
-  - Atomic Test #4: Access unattend.xml [windows]
-  - Atomic Test #6: WinPwn - sensitivefiles [windows]
-  - Atomic Test #7: WinPwn - Snaffler [windows]
-  - Atomic Test #8: WinPwn - powershellsensitive [windows]
-  - Atomic Test #9: WinPwn - passhunt [windows]
-  - Atomic Test #10: WinPwn - SessionGopher [windows]
-  - Atomic Test #11: WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials [windows]
+  - Atomic Test #4: Extracting passwords with findstr [windows]
+  - Atomic Test #5: Access unattend.xml [windows]
+  - Atomic Test #7: WinPwn - sensitivefiles [windows]
+  - Atomic Test #8: WinPwn - Snaffler [windows]
+  - Atomic Test #9: WinPwn - powershellsensitive [windows]
+  - Atomic Test #10: WinPwn - passhunt [windows]
+  - Atomic Test #11: WinPwn - SessionGopher [windows]
+  - Atomic Test #12: WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials [windows]
 - T1606.001 Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1552.006 Unsecured Credentials: Group Policy Preferences](../../T1552.006/T1552.006.md)
   - Atomic Test #1: GPP Passwords (findstr) [windows]

atomics/Indexes/index.yaml

@@ -81859,6 +81859,25 @@ credential-access:
       - Access to files
       identifier: T1552.001
     atomic_tests:
+    - name: Find AWS credentials
+      auto_generated_guid: 2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17
+      description: 'Find local AWS credentials from file, defaults to using / as the
+        look path.
+
+        '
+      supported_platforms:
+      - macos
+      - linux
+      input_arguments:
+        file_path:
+          description: Path to search
+          type: string
+          default: "/"
+      executor:
+        command: 'find #{file_path} -name "credentials" -type f -path "*/.aws/*" 2>/dev/null
+
+          '
+        name: sh
     - name: Extract Browser and System credentials with LaZagne
       auto_generated_guid: 9e507bb8-1d30-4e3b-a49b-cb5727d7ea79
       description: "[LaZagne Source](https://github.com/AlessandroZ/LaZagne)\n"

atomics/Indexes/linux-index.yaml

@@ -54391,6 +54391,25 @@ credential-access:
       - Access to files
       identifier: T1552.001
     atomic_tests:
+    - name: Find AWS credentials
+      auto_generated_guid: 2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17
+      description: 'Find local AWS credentials from file, defaults to using / as the
+        look path.
+
+        '
+      supported_platforms:
+      - macos
+      - linux
+      input_arguments:
+        file_path:
+          description: Path to search
+          type: string
+          default: "/"
+      executor:
+        command: 'find #{file_path} -name "credentials" -type f -path "*/.aws/*" 2>/dev/null
+
+          '
+        name: sh
     - name: Extract passwords with grep
       auto_generated_guid: bd4cf0d1-7646-474e-8610-78ccf5a097c4
       description: 'Extracting credentials from files

atomics/Indexes/macos-index.yaml

@@ -52032,6 +52032,25 @@ credential-access:
       - Access to files
       identifier: T1552.001
     atomic_tests:
+    - name: Find AWS credentials
+      auto_generated_guid: 2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17
+      description: 'Find local AWS credentials from file, defaults to using / as the
+        look path.
+
+        '
+      supported_platforms:
+      - macos
+      - linux
+      input_arguments:
+        file_path:
+          description: Path to search
+          type: string
+          default: "/"
+      executor:
+        command: 'find #{file_path} -name "credentials" -type f -path "*/.aws/*" 2>/dev/null
+
+          '
+        name: sh
     - name: Extract Browser and System credentials with LaZagne
       auto_generated_guid: 9e507bb8-1d30-4e3b-a49b-cb5727d7ea79
       description: "[LaZagne Source](https://github.com/AlessandroZ/LaZagne)\n"

atomics/T1552.001/T1552.001.md

@@ -8,32 +8,67 @@ In cloud and/or containerized environments, authenticated user and service accou
 
 ## Atomic Tests
 
-- [Atomic Test #1 - Extract Browser and System credentials with LaZagne](#atomic-test-1---extract-browser-and-system-credentials-with-lazagne)
+- [Atomic Test #1 - Find AWS credentials](#atomic-test-1---find-aws-credentials)
 
-- [Atomic Test #2 - Extract passwords with grep](#atomic-test-2---extract-passwords-with-grep)
+- [Atomic Test #2 - Extract Browser and System credentials with LaZagne](#atomic-test-2---extract-browser-and-system-credentials-with-lazagne)
 
-- [Atomic Test #3 - Extracting passwords with findstr](#atomic-test-3---extracting-passwords-with-findstr)
+- [Atomic Test #3 - Extract passwords with grep](#atomic-test-3---extract-passwords-with-grep)
 
-- [Atomic Test #4 - Access unattend.xml](#atomic-test-4---access-unattendxml)
+- [Atomic Test #4 - Extracting passwords with findstr](#atomic-test-4---extracting-passwords-with-findstr)
 
-- [Atomic Test #5 - Find and Access Github Credentials](#atomic-test-5---find-and-access-github-credentials)
+- [Atomic Test #5 - Access unattend.xml](#atomic-test-5---access-unattendxml)
 
-- [Atomic Test #6 - WinPwn - sensitivefiles](#atomic-test-6---winpwn---sensitivefiles)
+- [Atomic Test #6 - Find and Access Github Credentials](#atomic-test-6---find-and-access-github-credentials)
 
-- [Atomic Test #7 - WinPwn - Snaffler](#atomic-test-7---winpwn---snaffler)
+- [Atomic Test #7 - WinPwn - sensitivefiles](#atomic-test-7---winpwn---sensitivefiles)
 
-- [Atomic Test #8 - WinPwn - powershellsensitive](#atomic-test-8---winpwn---powershellsensitive)
+- [Atomic Test #8 - WinPwn - Snaffler](#atomic-test-8---winpwn---snaffler)
 
-- [Atomic Test #9 - WinPwn - passhunt](#atomic-test-9---winpwn---passhunt)
+- [Atomic Test #9 - WinPwn - powershellsensitive](#atomic-test-9---winpwn---powershellsensitive)
 
-- [Atomic Test #10 - WinPwn - SessionGopher](#atomic-test-10---winpwn---sessiongopher)
+- [Atomic Test #10 - WinPwn - passhunt](#atomic-test-10---winpwn---passhunt)
 
-- [Atomic Test #11 - WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials](#atomic-test-11---winpwn---loot-local-credentials---aws-microsoft-azure-and-google-compute-credentials)
+- [Atomic Test #11 - WinPwn - SessionGopher](#atomic-test-11---winpwn---sessiongopher)
+
+- [Atomic Test #12 - WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials](#atomic-test-12---winpwn---loot-local-credentials---aws-microsoft-azure-and-google-compute-credentials)
 
 
 <br/>
 
-## Atomic Test #1 - Extract Browser and System credentials with LaZagne
+## Atomic Test #1 - Find AWS credentials
+Find local AWS credentials from file, defaults to using / as the look path.
+
+**Supported Platforms:** macOS, Linux
+
+
+**auto_generated_guid:** 2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| file_path | Path to search | string | /|
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+find #{file_path} -name "credentials" -type f -path "*/.aws/*" 2>/dev/null
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #2 - Extract Browser and System credentials with LaZagne
 [LaZagne Source](https://github.com/AlessandroZ/LaZagne)
 
 **Supported Platforms:** macOS
@@ -61,7 +96,7 @@ python2 laZagne.py all
 <br/>
 <br/>
 
-## Atomic Test #2 - Extract passwords with grep
+## Atomic Test #3 - Extract passwords with grep
 Extracting credentials from files
 
 **Supported Platforms:** macOS, Linux
@@ -94,7 +129,7 @@ grep -ri password #{file_path}
 <br/>
 <br/>
 
-## Atomic Test #3 - Extracting passwords with findstr
+## Atomic Test #4 - Extracting passwords with findstr
 Extracting Credentials from Files. Upon execution, the contents of files that contain the word "password" will be displayed.
 
 **Supported Platforms:** Windows
@@ -123,7 +158,7 @@ ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
 <br/>
 <br/>
 
-## Atomic Test #4 - Access unattend.xml
+## Atomic Test #5 - Access unattend.xml
 Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored.
 If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process.
 
@@ -153,7 +188,7 @@ type C:\Windows\Panther\Unattend\unattend.xml
 <br/>
 <br/>
 
-## Atomic Test #5 - Find and Access Github Credentials
+## Atomic Test #6 - Find and Access Github Credentials
 This test looks for .netrc files (which stores github credentials in clear text )and dumps its contents if found.
 
 **Supported Platforms:** macOS, Linux
@@ -181,7 +216,7 @@ for file in $(find / -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
 <br/>
 <br/>
 
-## Atomic Test #6 - WinPwn - sensitivefiles
+## Atomic Test #7 - WinPwn - sensitivefiles
 Search for sensitive files on this local system using the SensitiveFiles function of WinPwn
 
 **Supported Platforms:** Windows
@@ -211,7 +246,7 @@ sensitivefiles -noninteractive -consoleoutput
 <br/>
 <br/>
 
-## Atomic Test #7 - WinPwn - Snaffler
+## Atomic Test #8 - WinPwn - Snaffler
 Check Domain Network-Shares for cleartext passwords using Snaffler function of WinPwn
 
 **Supported Platforms:** Windows
@@ -241,7 +276,7 @@ Snaffler -noninteractive -consoleoutput
 <br/>
 <br/>
 
-## Atomic Test #8 - WinPwn - powershellsensitive
+## Atomic Test #9 - WinPwn - powershellsensitive
 Check Powershell event logs for credentials or other sensitive information via winpwn powershellsensitive function.
 
 **Supported Platforms:** Windows
@@ -271,7 +306,7 @@ powershellsensitive -consoleoutput -noninteractive
 <br/>
 <br/>
 
-## Atomic Test #9 - WinPwn - passhunt
+## Atomic Test #10 - WinPwn - passhunt
 Search for Passwords on this system using passhunt via WinPwn
 
 **Supported Platforms:** Windows
@@ -311,7 +346,7 @@ rm -force -recurse .\Vulnerabilities -ErrorAction Ignore
 <br/>
 <br/>
 
-## Atomic Test #10 - WinPwn - SessionGopher
+## Atomic Test #11 - WinPwn - SessionGopher
 Launches SessionGopher on this system via WinPwn
 
 **Supported Platforms:** Windows
@@ -341,7 +376,7 @@ sessionGopher -noninteractive -consoleoutput
 <br/>
 <br/>
 
-## Atomic Test #11 - WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials
+## Atomic Test #12 - WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials
 Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials technique via function of WinPwn
 
 **Supported Platforms:** Windows