diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 8b2d133f..ed076b5a 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -1,6 +1,8 @@
 Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
 credential-access,T1003.008,/etc/passwd and /etc/shadow,1,Access /etc/shadow (Local),3723ab77-c546-403c-8fb4-bb577033b235,bash
 credential-access,T1003.008,/etc/passwd and /etc/shadow,2,Access /etc/passwd (Local),60e860b6-8ae6-49db-ad07-5e73edd88f5d,sh
+credential-access,T1003.008,/etc/passwd and /etc/shadow,3,"Access /etc/{shadow,passwd} with a standard bin that's not cat",df1a55ae-019d-4120-bc35-94f4bc5c4b0a,bash
+credential-access,T1003.008,/etc/passwd and /etc/shadow,4,"Access /etc/{shadow,passwd} with shell builtins",f5aa6543-6cb2-4fae-b9c2-b96e14721713,bash
 credential-access,T1558.004,AS-REP Roasting,1,Rubeus asreproast,615bd568-2859-41b5-9aed-61f6a88e48dd,powershell
 credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
 credential-access,T1552.007,Container API,1,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash
diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv
index 221725d9..a3056af0 100644
--- a/atomics/Indexes/Indexes-CSV/linux-index.csv
+++ b/atomics/Indexes/Indexes-CSV/linux-index.csv
@@ -1,6 +1,8 @@
 Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
 credential-access,T1003.008,/etc/passwd and /etc/shadow,1,Access /etc/shadow (Local),3723ab77-c546-403c-8fb4-bb577033b235,bash
 credential-access,T1003.008,/etc/passwd and /etc/shadow,2,Access /etc/passwd (Local),60e860b6-8ae6-49db-ad07-5e73edd88f5d,sh
+credential-access,T1003.008,/etc/passwd and /etc/shadow,3,"Access /etc/{shadow,passwd} with a standard bin that's not cat",df1a55ae-019d-4120-bc35-94f4bc5c4b0a,bash
+credential-access,T1003.008,/etc/passwd and /etc/shadow,4,"Access /etc/{shadow,passwd} with shell builtins",f5aa6543-6cb2-4fae-b9c2-b96e14721713,bash
 credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
 credential-access,T1552.007,Container API,1,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash
 credential-access,T1552.007,Container API,2,Cat the contents of a Kubernetes service account token file,788e0019-a483-45da-bcfe-96353d46820f,sh
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 1cdb7c50..a1ad99a0 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -3,6 +3,8 @@
 - [T1003.008 /etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) - Atomic Test #1: Access /etc/shadow (Local) [linux] - Atomic Test #2: Access /etc/passwd (Local) [linux] + - Atomic Test #3: Access /etc/{shadow,passwd} with a standard bin that's not cat [linux] + - Atomic Test #4: Access /etc/{shadow,passwd} with shell builtins [linux] - T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1558.004 AS-REP Roasting](../../T1558.004/T1558.004.md) - Atomic Test #1: Rubeus asreproast [windows]
diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md
index 30839a16..68648e42 100644
--- a/atomics/Indexes/Indexes-Markdown/linux-index.md
+++ b/atomics/Indexes/Indexes-Markdown/linux-index.md
@@ -3,6 +3,8 @@
 - [T1003.008 /etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) - Atomic Test #1: Access /etc/shadow (Local) [linux] - Atomic Test #2: Access /etc/passwd (Local) [linux] + - Atomic Test #3: Access /etc/{shadow,passwd} with a standard bin that's not cat [linux] + - Atomic Test #4: Access /etc/{shadow,passwd} with shell builtins [linux] - T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1552.003 Bash History](../../T1552.003/T1552.003.md) - Atomic Test #1: Search Through Bash History [linux, macos]
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 3ffef009..00c522d2 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -82,6 +82,49 @@ credential-access:
 ' name: sh + - name: Access /etc/{shadow,passwd} with a standard bin that's not cat + auto_generated_guid: df1a55ae-019d-4120-bc35-94f4bc5c4b0a + description: 'Dump /etc/passwd and /etc/shadow using ed + +' + supported_platforms: + - linux + input_arguments: + output_file: + description: Path where captured results will be placed + type: Path + default: "/tmp/T1003.008.txt" + executor: + command: 'echo -e "e /etc/passwd\n,p\ne /etc/shadow\n,p\n" | ed > #{output_file} + +' + cleanup_command: 'rm -f #{output_file} + +' + name: bash + elevation_required: true + - name: Access /etc/{shadow,passwd} with shell builtins + auto_generated_guid: f5aa6543-6cb2-4fae-b9c2-b96e14721713 + description: 'Dump /etc/passwd and /etc/shadow using bash builtins + +' + supported_platforms: + - linux + input_arguments: + output_file: + description: Path where captured results will be placed + type: Path + default: "/tmp/T1003.008.txt" + executor: + command: | + function testcat(){ echo "$(< $1)"; } + testcat /etc/passwd > #{output_file} + testcat /etc/shadow > #{output_file} + cleanup_command: 'rm -f #{output_file} + +' + name: bash + elevation_required: true T1557.002: technique: external_references:
diff --git a/atomics/T1003.008/T1003.008.md b/atomics/T1003.008/T1003.008.md
index 496d6d4c..1e3e476b 100644
--- a/atomics/T1003.008/T1003.008.md
+++ b/atomics/T1003.008/T1003.008.md
@@ -11,6 +11,10 @@ The Linux utility, unshadow, can be used to combine the two files in a format su
 - [Atomic Test #2 - Access /etc/passwd (Local)](#atomic-test-2---access-etcpasswd-local)
+- [Atomic Test #3 - Access /etc/{shadow,passwd} with a standard bin that's not cat](#atomic-test-3---access-etcshadowpasswd-with-a-standard-bin-thats-not-cat)
+
+- [Atomic Test #4 - Access /etc/{shadow,passwd} with shell builtins](#atomic-test-4---access-etcshadowpasswd-with-shell-builtins)
+
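Review bot: In the added "Access /etc/{shadow,passwd} with shell builtins" test, the executor redirects both calls to the same path with `>`, so the `/etc/passwd` capture is overwritten by the `/etc/shadow` one and `#{output_file}` never holds both files, contrary to the test name and description. Changing the last executor line to `testcat /etc/shadow >> #{output_file}` (or wrapping both calls in one redirect) fixes that, and quoting the positional argument, `function testcat(){ echo "$(< "$1")"; }`, avoids word splitting if a caller ever passes a different path. The same three command lines are repeated in the T1003.008.md hunk below, so both need the change; the Indexes files appear to be generated output, so the correction presumably belongs in the technique's source yaml and the indexes should be regenerated rather than hand-edited. The `rm -f #{output_file}` cleanup is unaffected.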
@@ -87,4 +91,80 @@ rm -f #{output_file} +
+
+ +## Atomic Test #3 - Access /etc/{shadow,passwd} with a standard bin that's not cat +Dump /etc/passwd and /etc/shadow using ed + +**Supported Platforms:** Linux + + +**auto_generated_guid:** df1a55ae-019d-4120-bc35-94f4bc5c4b0a + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| output_file | Path where captured results will be placed | Path | /tmp/T1003.008.txt| + + +#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin) + + +```bash +echo -e "e /etc/passwd\n,p\ne /etc/shadow\n,p\n" | ed > #{output_file} +``` + +#### Cleanup Commands: +```bash +rm -f #{output_file} +``` + + + + + +
+
+ +## Atomic Test #4 - Access /etc/{shadow,passwd} with shell builtins +Dump /etc/passwd and /etc/shadow using bash builtins + +**Supported Platforms:** Linux + + +**auto_generated_guid:** f5aa6543-6cb2-4fae-b9c2-b96e14721713 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| output_file | Path where captured results will be placed | Path | /tmp/T1003.008.txt| + + +#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin) + + +```bash +function testcat(){ echo "$(< $1)"; } +testcat /etc/passwd > #{output_file} +testcat /etc/shadow > #{output_file} +``` + +#### Cleanup Commands: +```bash +rm -f #{output_file} +``` + + + + +