Generated docs from job=generate-docs branch=master [ci skip]

2025-03-12 22:54:32 +00:00
parent b5a0dbb0d7
commit 44ccc16cc1
18 changed files with 251 additions and 11 deletions
@@ -2,7 +2,7 @@

 # Atomic Red Team

-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1715-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1716-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)


 Atomic Red Team™ is a library of tests mapped to the
@@ -1360,6 +1360,7 @@ command-and-control,T1572,Protocol Tunneling,1,DNS over HTTPS Large Query Volume
 command-and-control,T1572,Protocol Tunneling,2,DNS over HTTPS Regular Beaconing,0c5f9705-c575-42a6-9609-cbbff4b2fc9b,powershell
 command-and-control,T1572,Protocol Tunneling,3,DNS over HTTPS Long Domain Query,748a73d5-cea4-4f34-84d8-839da5baa99c,powershell
 command-and-control,T1572,Protocol Tunneling,4,run ngrok,4cdc9fc7-53fb-4894-9f0c-64836943ea60,powershell
+command-and-control,T1572,Protocol Tunneling,5,Microsoft Dev tunnels (Linux/macOS),9f94a112-1ce2-464d-a63b-83c1f465f801,bash
 command-and-control,T1090.003,Proxy: Multi-hop Proxy,1,Psiphon,14d55ca0-920e-4b44-8425-37eedd72b173,powershell
 command-and-control,T1090.003,Proxy: Multi-hop Proxy,2,Tor Proxy Usage - Windows,7b9d85e5-c4ce-4434-8060-d3de83595e69,powershell
 command-and-control,T1090.003,Proxy: Multi-hop Proxy,3,Tor Proxy Usage - Debian/Ubuntu/FreeBSD,5ff9d047-6e9c-4357-b39b-5cf89d9b59c7,sh
@@ -191,6 +191,7 @@ persistence,T1078.003,Valid Accounts: Local Accounts,11,Login as nobody (Linux),
 persistence,T1078.003,Valid Accounts: Local Accounts,12,Login as nobody (freebsd),16f6374f-7600-459a-9b16-6a88fd96d310,sh
 command-and-control,T1132.001,Data Encoding: Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
 command-and-control,T1132.001,Data Encoding: Standard Encoding,2,Base64 Encoded data (freebsd),2d97c626-7652-449e-a986-b02d9051c298,sh
+command-and-control,T1572,Protocol Tunneling,5,Microsoft Dev tunnels (Linux/macOS),9f94a112-1ce2-464d-a63b-83c1f465f801,bash
 command-and-control,T1090.003,Proxy: Multi-hop Proxy,3,Tor Proxy Usage - Debian/Ubuntu/FreeBSD,5ff9d047-6e9c-4357-b39b-5cf89d9b59c7,sh
 command-and-control,T1571,Non-Standard Port,2,Testing usage of uncommonly used port,5db21e1d-dd9c-4a50-b885-b1e748912767,sh
 command-and-control,T1095,Non-Application Layer Protocol,4,Linux ICMP Reverse Shell using icmp-cnc,8e139e1f-1f3a-4be7-901d-afae9738c064,manual
@@ -124,6 +124,7 @@ persistence,T1078.003,Valid Accounts: Local Accounts,3,Create local account with
 persistence,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
 persistence,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
 command-and-control,T1132.001,Data Encoding: Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
+command-and-control,T1572,Protocol Tunneling,5,Microsoft Dev tunnels (Linux/macOS),9f94a112-1ce2-464d-a63b-83c1f465f801,bash
 command-and-control,T1090.003,Proxy: Multi-hop Proxy,4,Tor Proxy Usage - MacOS,12631354-fdbc-4164-92be-402527e748da,sh
 command-and-control,T1571,Non-Standard Port,2,Testing usage of uncommonly used port,5db21e1d-dd9c-4a50-b885-b1e748912767,sh
 command-and-control,T1071.001,Application Layer Protocol: Web Protocols,3,Malicious User Agents - Nix,2d7c471a-e887-4b78-b0dc-b0df1f2e0658,sh
@@ -1852,6 +1852,7 @@
  - Atomic Test #2: DNS over HTTPS Regular Beaconing [windows]
  - Atomic Test #3: DNS over HTTPS Long Domain Query [windows]
  - Atomic Test #4: run ngrok [windows]
+  - Atomic Test #5: Microsoft Dev tunnels (Linux/macOS) [linux, macos]
 - T1071.003 Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1090.002 External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -490,7 +490,8 @@
 - T1219 Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1659 Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1572 Protocol Tunneling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1572 Protocol Tunneling](../../T1572/T1572.md)
+  - Atomic Test #5: Microsoft Dev tunnels (Linux/macOS) [linux, macos]
 - T1071.003 Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1090.002 External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -435,7 +435,8 @@
 - T1219 Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1659 Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1572 Protocol Tunneling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1572 Protocol Tunneling](../../T1572/T1572.md)
+  - Atomic Test #5: Microsoft Dev tunnels (Linux/macOS) [linux, macos]
 - T1071.003 Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1090.002 External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -12,7 +12,7 @@
 | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Encrypted/Encoded File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Proc Filesystem](../../T1003.007/T1003.007.md) | [System Service Discovery](../../T1007/T1007.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | Server Software Component: Transport Agent [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Rootkit](../../T1014/T1014.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Network Sniffing](../../T1040/T1040.md) | [Network Share Discovery](../../T1135/T1135.md) |  | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ccache Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Protocol Tunneling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ccache Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Protocol Tunneling](../../T1572/T1572.md) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Lua [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Information Discovery](../../T1082/T1082.md) |  | [Data from Local System](../../T1005/T1005.md) | Exfiltration Over Web Service: Exfiltration to Text Storage Sites [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Network Configuration Discovery: Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Archive Collected Data: Archive via Library](../../T1560.002/T1560.002.md) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bandwidth Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: Python](../../T1059.006/T1059.006.md) | Server Software Component: Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials](../../T1552/T1552.md) | Application Window Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Archive Collected Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
@@ -12,7 +12,7 @@
 | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | [System Services: Launchctl](../../T1569.001/T1569.001.md) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Keychain](../../T1555.001/T1555.001.md) | System Service Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | XPC Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | [Network Sniffing](../../T1040/T1040.md) | [Network Share Discovery](../../T1135/T1135.md) |  | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ccache Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Protocol Tunneling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ccache Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Protocol Tunneling](../../T1572/T1572.md) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Information Discovery](../../T1082/T1082.md) |  | [Data from Local System](../../T1005/T1005.md) | Exfiltration Over Web Service: Exfiltration to Text Storage Sites [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Network Configuration Discovery: Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Archive Collected Data: Archive via Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bandwidth Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Lua [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | [Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Unsecured Credentials](../../T1552/T1552.md) | Application Window Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Archive Collected Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
@@ -77413,6 +77413,60 @@ command-and-control:
          Remove-Item C:\%userprofile%\AppData\Local\ngrok -ErrorAction Ignore
        name: powershell
        elevation_required: true
+    - name: Microsoft Dev tunnels (Linux/macOS)
+      auto_generated_guid: 9f94a112-1ce2-464d-a63b-83c1f465f801
+      description: |
+        Dev Tunnels enables insiders as well as threat actors to expose local ports over the internet via Microsoft dev tunnels.
+
+        This atomic will generate a dev tunnel binding it to the local service running on the provided port. Can be used to expose local services, web applications and local files etc.
+        Reference:
+        - [Microsoft Docs](https://learn.microsoft.com/en-us/tunnels/dev-tunnels-overview)
+        - [LOT Tunnels](https://lottunnels.github.io/lottunnels/Binaries/devtunnels/)
+      supported_platforms:
+      - linux
+      - macos
+      input_arguments:
+        port:
+          description: port number for tunnel
+          type: integer
+          default: 8080
+        download_url:
+          description: link to download devtunnel
+          type: string
+          default: https://aka.ms/TunnelsCliDownload/linux-x64
+        binary_path:
+          description: path to download devtunnel
+          type: string
+          default: PathToAtomicsFolder/../ExternalPayloads/devtunnel
+      dependencies:
+      - description: 'Download devtunnel
+
+          '
+        prereq_command: 'test -f #{binary_path}
+
+          '
+        get_prereq_command: |
+          mkdir -p $(dirname #{binary_path})
+          curl -L "#{download_url}" -o "#{binary_path}"
+          chmod +x #{binary_path}
+      - description: 'Login to Microsoft Dev tunnels
+
+          '
+        prereq_command: '#{binary_path} user show | grep -q "Not logged in" && exit
+          1 || exit 0
+
+          '
+        get_prereq_command: 'echo "Login to devtunnel using the following command:
+          #{binary_path} user login"
+
+          '
+      executor:
+        command: "#{binary_path} host -p #{port} &\n"
+        cleanup_command: |
+          pkill -9 $(basename "#{binary_path}")
+          #{binary_path} user logout
+          rm #{binary_path}
+        name: bash
  T1071.003:
    technique:
      modified: '2024-04-16T12:28:59.928Z'
@@ -44936,7 +44936,61 @@ command-and-control:
      - 'Network Traffic: Network Connection Creation'
      x_mitre_is_subtechnique: false
      identifier: T1572
-    atomic_tests: []
+    atomic_tests:
+    - name: Microsoft Dev tunnels (Linux/macOS)
+      auto_generated_guid: 9f94a112-1ce2-464d-a63b-83c1f465f801
+      description: |
+        Dev Tunnels enables insiders as well as threat actors to expose local ports over the internet via Microsoft dev tunnels.
+
+        This atomic will generate a dev tunnel binding it to the local service running on the provided port. Can be used to expose local services, web applications and local files etc.
+        Reference:
+        - [Microsoft Docs](https://learn.microsoft.com/en-us/tunnels/dev-tunnels-overview)
+        - [LOT Tunnels](https://lottunnels.github.io/lottunnels/Binaries/devtunnels/)
+      supported_platforms:
+      - linux
+      - macos
+      input_arguments:
+        port:
+          description: port number for tunnel
+          type: integer
+          default: 8080
+        download_url:
+          description: link to download devtunnel
+          type: string
+          default: https://aka.ms/TunnelsCliDownload/linux-x64
+        binary_path:
+          description: path to download devtunnel
+          type: string
+          default: PathToAtomicsFolder/../ExternalPayloads/devtunnel
+      dependencies:
+      - description: 'Download devtunnel
+
+          '
+        prereq_command: 'test -f #{binary_path}
+
+          '
+        get_prereq_command: |
+          mkdir -p $(dirname #{binary_path})
+          curl -L "#{download_url}" -o "#{binary_path}"
+          chmod +x #{binary_path}
+      - description: 'Login to Microsoft Dev tunnels
+
+          '
+        prereq_command: '#{binary_path} user show | grep -q "Not logged in" && exit
+          1 || exit 0
+
+          '
+        get_prereq_command: 'echo "Login to devtunnel using the following command:
+          #{binary_path} user login"
+
+          '
+      executor:
+        command: "#{binary_path} host -p #{port} &\n"
+        cleanup_command: |
+          pkill -9 $(basename "#{binary_path}")
+          #{binary_path} user logout
+          rm #{binary_path}
+        name: bash
  T1071.003:
    technique:
      modified: '2024-04-16T12:28:59.928Z'
@@ -41890,7 +41890,61 @@ command-and-control:
      - 'Network Traffic: Network Connection Creation'
      x_mitre_is_subtechnique: false
      identifier: T1572
-    atomic_tests: []
+    atomic_tests:
+    - name: Microsoft Dev tunnels (Linux/macOS)
+      auto_generated_guid: 9f94a112-1ce2-464d-a63b-83c1f465f801
+      description: |
+        Dev Tunnels enables insiders as well as threat actors to expose local ports over the internet via Microsoft dev tunnels.
+
+        This atomic will generate a dev tunnel binding it to the local service running on the provided port. Can be used to expose local services, web applications and local files etc.
+        Reference:
+        - [Microsoft Docs](https://learn.microsoft.com/en-us/tunnels/dev-tunnels-overview)
+        - [LOT Tunnels](https://lottunnels.github.io/lottunnels/Binaries/devtunnels/)
+      supported_platforms:
+      - linux
+      - macos
+      input_arguments:
+        port:
+          description: port number for tunnel
+          type: integer
+          default: 8080
+        download_url:
+          description: link to download devtunnel
+          type: string
+          default: https://aka.ms/TunnelsCliDownload/linux-x64
+        binary_path:
+          description: path to download devtunnel
+          type: string
+          default: PathToAtomicsFolder/../ExternalPayloads/devtunnel
+      dependencies:
+      - description: 'Download devtunnel
+
+          '
+        prereq_command: 'test -f #{binary_path}
+
+          '
+        get_prereq_command: |
+          mkdir -p $(dirname #{binary_path})
+          curl -L "#{download_url}" -o "#{binary_path}"
+          chmod +x #{binary_path}
+      - description: 'Login to Microsoft Dev tunnels
+
+          '
+        prereq_command: '#{binary_path} user show | grep -q "Not logged in" && exit
+          1 || exit 0
+
+          '
+        get_prereq_command: 'echo "Login to devtunnel using the following command:
+          #{binary_path} user login"
+
+          '
+      executor:
+        command: "#{binary_path} host -p #{port} &\n"
+        cleanup_command: |
+          pkill -9 $(basename "#{binary_path}")
+          #{binary_path} user logout
+          rm #{binary_path}
+        name: bash
  T1071.003:
    technique:
      modified: '2024-04-16T12:28:59.928Z'
@@ -22,6 +22,8 @@ Adversaries may also leverage [Protocol Tunneling](https://attack.mitre.org/tech

 - [Atomic Test #4 - run ngrok](#atomic-test-4---run-ngrok)

+- [Atomic Test #5 - Microsoft Dev tunnels (Linux/macOS)](#atomic-test-5---microsoft-dev-tunnels-linuxmacos)
+

 <br/>

@@ -199,4 +201,73 @@ Expand-Archive C:\Users\Public\ngrok\ngrok-v3-stable-windows-amd64.zip -Destinat



+<br/>
+<br/>
+
+## Atomic Test #5 - Microsoft Dev tunnels (Linux/macOS)
+Dev Tunnels enables insiders as well as threat actors to expose local ports over the internet via Microsoft dev tunnels.
+
+This atomic will generate a dev tunnel binding it to the local service running on the provided port. Can be used to expose local services, web applications and local files etc.
+Reference:
+- [Microsoft Docs](https://learn.microsoft.com/en-us/tunnels/dev-tunnels-overview)
+- [LOT Tunnels](https://lottunnels.github.io/lottunnels/Binaries/devtunnels/)
+
+**Supported Platforms:** Linux, macOS
+
+
+**auto_generated_guid:** 9f94a112-1ce2-464d-a63b-83c1f465f801
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| port | port number for tunnel | integer | 8080|
+| download_url | link to download devtunnel | string | https://aka.ms/TunnelsCliDownload/linux-x64|
+| binary_path | path to download devtunnel | string | PathToAtomicsFolder/../ExternalPayloads/devtunnel|
+
+
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+#{binary_path} host -p #{port} &
+```
+
+#### Cleanup Commands:
+```bash
+pkill -9 $(basename "#{binary_path}")
+#{binary_path} user logout
+rm #{binary_path}
+```
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: Download devtunnel
+##### Check Prereq Commands:
+```bash
+test -f #{binary_path}
+```
+##### Get Prereq Commands:
+```bash
+mkdir -p $(dirname #{binary_path})
+curl -L "#{download_url}" -o "#{binary_path}"
+chmod +x #{binary_path}
+```
+##### Description: Login to Microsoft Dev tunnels
+##### Check Prereq Commands:
+```bash
+#{binary_path} user show | grep -q "Not logged in" && exit 1 || exit 0
+```
+##### Get Prereq Commands:
+```bash
+echo "Login to devtunnel using the following command: #{binary_path} user login"
+```
+
+
+
+
 <br/>
@@ -148,7 +148,7 @@ atomic_tests:
    name: powershell
    elevation_required: true
 - name: Microsoft Dev tunnels (Linux/macOS)
-  auto_generated_guid: 
+  auto_generated_guid: 9f94a112-1ce2-464d-a63b-83c1f465f801
  description: |
    Dev Tunnels enables insiders as well as threat actors to expose local ports over the internet via Microsoft dev tunnels.

@@ -1740,3 +1740,4 @@ a4b74723-5cee-4300-91c3-5e34166909b4
 8e139e1f-1f3a-4be7-901d-afae9738c064
 1aea6d15-70f1-4b4e-8b02-397b5d5ffe75
 0d5a2b03-3a26-45e4-96ae-89485b4d1f97
+9f94a112-1ce2-464d-a63b-83c1f465f801