Generated docs from job=generate-docs branch=master [ci skip]

2025-01-17 22:15:28 +00:00
parent fd82e0ad35
commit 75fa21076d
24 changed files with 233 additions and 8 deletions
@@ -2,7 +2,7 @@

 # Atomic Red Team

-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1703-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1704-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)

 Atomic Red Team™ is a library of tests mapped to the
 [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use
@@ -1 +1 @@
-{"name":"Atomic Red Team (Iaas:AWS)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Iaas:AWS) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.003","score":1,"enabled":true,"comment":"\n- AWS - Password Spray an AWS using GoAWSConsoleSpray\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1201","score":1,"enabled":true,"comment":"\n- Examine AWS Password Policy\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- AWS - Enumerate common cloud services\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1530","score":1,"enabled":true,"comment":"\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"comment":"\n- AWS - Retrieve EC2 Password Data using stratus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1562","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":1,"enabled":true,"comment":"\n- AWS - GuardDuty Suspension or Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.008","score":6,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- AWS - Disable CloudTrail Logging Through Event Selectors using Stratus\n- AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus\n- AWS - Remove VPC Flow Logs using Stratus\n- AWS - CloudWatch Log Group Deletes\n- AWS CloudWatch Log Stream Deletes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1580","score":2,"enabled":true,"comment":"\n- AWS - EC2 Enumeration from Cloud Instance\n- AWS - EC2 Security Group Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1580/T1580.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}
+{"name":"Atomic Red Team (Iaas:AWS)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Iaas:AWS) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.003","score":1,"enabled":true,"comment":"\n- AWS - Password Spray an AWS using GoAWSConsoleSpray\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1201","score":1,"enabled":true,"comment":"\n- Examine AWS Password Policy\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- AWS - Enumerate common cloud services\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1530","score":1,"enabled":true,"comment":"\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"comment":"\n- AWS - Retrieve EC2 Password Data using stratus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1562","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":1,"enabled":true,"comment":"\n- AWS - GuardDuty Suspension or Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.008","score":6,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- AWS - Disable CloudTrail Logging Through Event Selectors using Stratus\n- AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus\n- AWS - Remove VPC Flow Logs using Stratus\n- AWS - CloudWatch Log Group Deletes\n- AWS CloudWatch Log Stream Deletes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1580","score":2,"enabled":true,"comment":"\n- AWS - EC2 Enumeration from Cloud Instance\n- AWS - EC2 Security Group Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1580/T1580.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]},{"techniqueID":"T1651","score":1,"enabled":true,"comment":"\n- AWS Run Command (and Control)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1651/T1651.md"}]}]}
@@ -46,3 +46,4 @@ collection,T1530,Data from Cloud Storage Object,3,AWS - Scan for Anonymous Acces
 initial-access,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
 initial-access,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
 initial-access,T1078.004,Valid Accounts: Cloud Accounts,3,GCP - Create Custom IAM Role,3a159042-69e6-4398-9a69-3308a4841c85,sh
+execution,T1651,Cloud Administration Command,1,AWS Run Command (and Control),a3cc9c95-c160-4b86-af6f-84fba87bfd30,powershell
@@ -1069,6 +1069,7 @@ execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,3,S
 execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,4,Simulate BlackByte Ransomware Print Bombing,6b2903ac-8f36-450d-9ad5-b220e8a2dcb9,powershell
 execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,5,Command Prompt read contents from CMD file and execute,df81db1b-066c-4802-9bc8-b6d030c3ba8e,command_prompt
 execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,6,Command prompt writing script to file then executes it,00682c9f-7df4-4df8-950b-6dcaaa3ad9af,command_prompt
+execution,T1651,Cloud Administration Command,1,AWS Run Command (and Control),a3cc9c95-c160-4b86-af6f-84fba87bfd30,powershell
 execution,T1059.005,Command and Scripting Interpreter: Visual Basic,1,Visual Basic script execution to gather local computer information,1620de42-160a-4fe5-bbaf-d3fef0181ce9,powershell
 execution,T1059.005,Command and Scripting Interpreter: Visual Basic,2,Encoded VBS code execution,e8209d5f-e42d-45e6-9c2f-633ac4f1eefa,powershell
 execution,T1059.005,Command and Scripting Interpreter: Visual Basic,3,Extract Memory via VBA,8faff437-a114-4547-9a60-749652a03df6,powershell
@@ -1419,7 +1419,8 @@
  - Atomic Test #4: Simulate BlackByte Ransomware Print Bombing [windows]
  - Atomic Test #5: Command Prompt read contents from CMD file and execute [windows]
  - Atomic Test #6: Command prompt writing script to file then executes it [windows]
- T1651 Cloud Administration Command [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1651 Cloud Administration Command](../../T1651/T1651.md)
+  - Atomic Test #1: AWS Run Command (and Control) [iaas:aws]
 - [T1059.005 Command and Scripting Interpreter: Visual Basic](../../T1059.005/T1059.005.md)
  - Atomic Test #1: Visual Basic script execution to gather local computer information [windows]
  - Atomic Test #2: Encoded VBS code execution [windows]
@@ -33,7 +33,7 @@
 |  | [Command and Scripting Interpreter: Python](../../T1059.006/T1059.006.md) | [Browser Extensions](../../T1176/T1176.md) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | [Impair Defenses: Safe Boot Mode](../../T1562.009/T1562.009.md) | [OS Credential Dumping: LSASS Memory](../../T1003.001/T1003.001.md) | [Log Enumeration](../../T1654/T1654.md) |  | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) |  | [Non-Application Layer Protocol](../../T1095/T1095.md) | [Inhibit System Recovery](../../T1490/T1490.md) |
 |  | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Brute Force: Password Spraying](../../T1110.003/T1110.003.md) | Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Data from Network Shared Drive](../../T1039/T1039.md) |  | Protocol or Service Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | [Command and Scripting Interpreter: Windows Command Shell](../../T1059.003/T1059.003.md) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Discovery](../../T1057/T1057.md) |  | [Email Collection: Remote Email Collection](../../T1114.002/T1114.002.md) |  | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
-|  | Cloud Administration Command [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | [Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [OS Credential Dumping: Cached Domain Credentials](../../T1003.005/T1003.005.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
+|  | [Cloud Administration Command](../../T1651/T1651.md) | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | [Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [OS Credential Dumping: Cached Domain Credentials](../../T1003.005/T1003.005.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  | [Command and Scripting Interpreter: Visual Basic](../../T1059.005/T1059.005.md) | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | [Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md) | [Signed Binary Proxy Execution: InstallUtil](../../T1218.004/T1218.004.md) | [Steal or Forge Kerberos Tickets: Golden Ticket](../../T1558.001/T1558.001.md) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) |  | Customer Relationship Management Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  | Serverless Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Stripped Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Authentication Certificates](../../T1649/T1649.md) | [Password Policy Discovery](../../T1201/T1201.md) |  | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) |  |
 |  | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Time Providers](../../T1547.003/T1547.003.md) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md) | [System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md) |  | Code Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Ingress Tool Transfer](../../T1105/T1105.md) |  |
@@ -27527,6 +27527,7 @@ execution:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.2.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1651
    atomic_tests: []
  T1059.005:
    technique:
@@ -27315,6 +27315,7 @@ execution:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.2.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1651
    atomic_tests: []
  T1059.005:
    technique:
@@ -26901,6 +26901,7 @@ execution:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.2.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1651
    atomic_tests: []
  T1059.005:
    technique:
@@ -26785,6 +26785,7 @@ execution:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.2.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1651
    atomic_tests: []
  T1059.005:
    technique:
@@ -27222,7 +27222,72 @@ execution:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.2.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-    atomic_tests: []
+      identifier: T1651
+    atomic_tests:
+    - name: AWS Run Command (and Control)
+      auto_generated_guid: a3cc9c95-c160-4b86-af6f-84fba87bfd30
+      description: 'This test simulates an adversary using the AWS Run Command service
+        to execute commands on EC2 instances.
+
+        '
+      supported_platforms:
+      - iaas:aws
+      input_arguments:
+        access_key:
+          description: AWS Access Key
+          type: string
+          default: ''
+        secret_key:
+          description: AWS Secret Key
+          type: string
+          default: ''
+        session_token:
+          description: AWS Session Token
+          type: string
+          default: ''
+        profile:
+          description: AWS profile
+          type: string
+          default: ''
+        region:
+          description: AWS region to deploy the EC2 instance
+          type: string
+          default: us-east-2
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The AWS PowerShell module must be installed.
+
+          '
+        prereq_command: 'try {if (Get-InstalledModule -Name AWSPowerShell -ErrorAction
+          SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+
+          '
+        get_prereq_command: 'Install-Module -Name AWSPowerShell -Force
+
+          '
+      - description: 'Terraform must be installed.
+
+          '
+        prereq_command: 'terraform --version
+
+          '
+        get_prereq_command: 'Write-Host "Terraform is required. Download it from https://www.terraform.io/downloads.html"
+
+          '
+      executor:
+        command: |
+          Import-Module "PathToAtomicsFolder/T1651/src/T1651-1/AWSSSMAttack.ps1" -Force
+          $access_key = "#{access_key}"
+          $secret_key = "#{secret_key}"
+          $session_token = "#{session_token}"
+          $aws_profile = "#{profile}"
+          $region = "#{region}"
+          Set-AWSAuthentication -AccessKey $access_key -SecretKey $secret_key -SessionToken $session_token -AWSProfile $aws_profile -AWSRegion $region
+          Invoke-Terraform -TerraformCommand init -TerraformDirectory "PathToAtomicsFolder/T1651/src/T1651-1"
+          Invoke-Terraform -TerraformCommand apply -TerraformDirectory "PathToAtomicsFolder/T1651/src/T1651-1" -TerraformVariables @("profile=T1651-1", "region=$region")
+          Invoke-SSMAttack -AWSProfile "T1651-1" -TerraformDirectory "PathToAtomicsFolder/T1651/src/T1651-1"
+          Invoke-Terraform -TerraformCommand destroy -TerraformDirectory "PathToAtomicsFolder/T1651/src/T1651-1" -TerraformVariables @("profile=T1651-1", "region=$region")
+        name: powershell
  T1059.005:
    technique:
      modified: '2024-10-15T16:43:27.104Z'
@@ -27192,6 +27192,7 @@ execution:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.2.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1651
    atomic_tests: []
  T1059.005:
    technique:
@@ -27134,6 +27134,7 @@ execution:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.2.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1651
    atomic_tests: []
  T1059.005:
    technique:
@@ -57160,7 +57160,72 @@ execution:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.2.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-    atomic_tests: []
+      identifier: T1651
+    atomic_tests:
+    - name: AWS Run Command (and Control)
+      auto_generated_guid: a3cc9c95-c160-4b86-af6f-84fba87bfd30
+      description: 'This test simulates an adversary using the AWS Run Command service
+        to execute commands on EC2 instances.
+
+        '
+      supported_platforms:
+      - iaas:aws
+      input_arguments:
+        access_key:
+          description: AWS Access Key
+          type: string
+          default: ''
+        secret_key:
+          description: AWS Secret Key
+          type: string
+          default: ''
+        session_token:
+          description: AWS Session Token
+          type: string
+          default: ''
+        profile:
+          description: AWS profile
+          type: string
+          default: ''
+        region:
+          description: AWS region to deploy the EC2 instance
+          type: string
+          default: us-east-2
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The AWS PowerShell module must be installed.
+
+          '
+        prereq_command: 'try {if (Get-InstalledModule -Name AWSPowerShell -ErrorAction
+          SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+
+          '
+        get_prereq_command: 'Install-Module -Name AWSPowerShell -Force
+
+          '
+      - description: 'Terraform must be installed.
+
+          '
+        prereq_command: 'terraform --version
+
+          '
+        get_prereq_command: 'Write-Host "Terraform is required. Download it from https://www.terraform.io/downloads.html"
+
+          '
+      executor:
+        command: |
+          Import-Module "PathToAtomicsFolder/T1651/src/T1651-1/AWSSSMAttack.ps1" -Force
+          $access_key = "#{access_key}"
+          $secret_key = "#{secret_key}"
+          $session_token = "#{session_token}"
+          $aws_profile = "#{profile}"
+          $region = "#{region}"
+          Set-AWSAuthentication -AccessKey $access_key -SecretKey $secret_key -SessionToken $session_token -AWSProfile $aws_profile -AWSRegion $region
+          Invoke-Terraform -TerraformCommand init -TerraformDirectory "PathToAtomicsFolder/T1651/src/T1651-1"
+          Invoke-Terraform -TerraformCommand apply -TerraformDirectory "PathToAtomicsFolder/T1651/src/T1651-1" -TerraformVariables @("profile=T1651-1", "region=$region")
+          Invoke-SSMAttack -AWSProfile "T1651-1" -TerraformDirectory "PathToAtomicsFolder/T1651/src/T1651-1"
+          Invoke-Terraform -TerraformCommand destroy -TerraformDirectory "PathToAtomicsFolder/T1651/src/T1651-1" -TerraformVariables @("profile=T1651-1", "region=$region")
+        name: powershell
  T1059.005:
    technique:
      modified: '2024-10-15T16:43:27.104Z'
@@ -32738,6 +32738,7 @@ execution:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.2.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1651
    atomic_tests: []
  T1059.005:
    technique:
@@ -30231,6 +30231,7 @@ execution:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.2.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1651
    atomic_tests: []
  T1059.005:
    technique:
@@ -26966,6 +26966,7 @@ execution:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.2.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1651
    atomic_tests: []
  T1059.005:
    technique:
@@ -26785,6 +26785,7 @@ execution:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.2.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1651
    atomic_tests: []
  T1059.005:
    technique:
@@ -47188,6 +47188,7 @@ execution:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.2.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1651
    atomic_tests: []
  T1059.005:
    technique:
@@ -0,0 +1,79 @@
+# T1651 - Cloud Administration Command
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1651)
+<blockquote>Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. (Citation: AWS Systems Manager Run Command)(Citation: Microsoft Run Command)
+
+If an adversary gains administrative access to a cloud environment, they may be able to abuse cloud management services to execute commands in the environment’s virtual machines. Additionally, an adversary that compromises a service provider or delegated administrator account may similarly be able to leverage a [Trusted Relationship](https://attack.mitre.org/techniques/T1199) to execute commands in connected virtual machines.(Citation: MSTIC Nobelium Oct 2021)</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - AWS Run Command (and Control)](#atomic-test-1---aws-run-command-and-control)
+
+
+<br/>
+
+## Atomic Test #1 - AWS Run Command (and Control)
+This test simulates an adversary using the AWS Run Command service to execute commands on EC2 instances.
+
+**Supported Platforms:** Iaas:aws
+
+
+**auto_generated_guid:** a3cc9c95-c160-4b86-af6f-84fba87bfd30
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| access_key | AWS Access Key | string | |
+| secret_key | AWS Secret Key | string | |
+| session_token | AWS Session Token | string | |
+| profile | AWS profile | string | |
+| region | AWS region to deploy the EC2 instance | string | us-east-2|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Import-Module "PathToAtomicsFolder/T1651/src/T1651-1/AWSSSMAttack.ps1" -Force
+$access_key = "#{access_key}"
+$secret_key = "#{secret_key}"
+$session_token = "#{session_token}"
+$aws_profile = "#{profile}"
+$region = "#{region}"
+Set-AWSAuthentication -AccessKey $access_key -SecretKey $secret_key -SessionToken $session_token -AWSProfile $aws_profile -AWSRegion $region
+Invoke-Terraform -TerraformCommand init -TerraformDirectory "PathToAtomicsFolder/T1651/src/T1651-1"
+Invoke-Terraform -TerraformCommand apply -TerraformDirectory "PathToAtomicsFolder/T1651/src/T1651-1" -TerraformVariables @("profile=T1651-1", "region=$region")
+Invoke-SSMAttack -AWSProfile "T1651-1" -TerraformDirectory "PathToAtomicsFolder/T1651/src/T1651-1"
+Invoke-Terraform -TerraformCommand destroy -TerraformDirectory "PathToAtomicsFolder/T1651/src/T1651-1" -TerraformVariables @("profile=T1651-1", "region=$region")
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: The AWS PowerShell module must be installed.
+##### Check Prereq Commands:
+```powershell
+try {if (Get-InstalledModule -Name AWSPowerShell -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AWSPowerShell -Force
+```
+##### Description: Terraform must be installed.
+##### Check Prereq Commands:
+```powershell
+terraform --version
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host "Terraform is required. Download it from https://www.terraform.io/downloads.html"
+```
+
+
+
+
+<br/>
@@ -2,6 +2,7 @@ attack_technique: T1651
 display_name: Cloud Administration Command
 atomic_tests:
 - name: AWS Run Command (and Control)
+  auto_generated_guid: a3cc9c95-c160-4b86-af6f-84fba87bfd30
  description: |
    This test simulates an adversary using the AWS Run Command service to execute commands on EC2 instances.
  supported_platforms:
@@ -1727,3 +1727,4 @@ de47f4a0-2acb-416d-9a6b-cee584a4c4d1
 1f23bfe8-36d4-49ce-903a-19a1e8c6631b
 89a83c3e-0b39-4c80-99f5-c2aa084098bd
 b647f4ee-88de-40ac-9419-f17fac9489a7
+a3cc9c95-c160-4b86-af6f-84fba87bfd30